RRAS Remote Access Policy

  • Article

I have seen a lot of queries related to remote access policy configuration - why, how, when...

Let me try to clarify few of these:

 

What is remote access policy? What is its usage?

Remote access policies are an ordered set of rules that define whether remote access connection attempts are either authorized or rejected. Each rule includes one or more conditions (which identifies the criteria), a set of profile settings (to be applied on the connection attempt), and a permission setting (grant or deny) for remote access.

This can be compared like a brain of the door-keeper (VPN server) which allows entry to your network from outside . Remote access policy decides who can access what resources from where using what tunnel settings. So configuring proper set of policies are important.

 

What are some common examples?

You may want to have different policies based upon one or more factors in different conditions:  

1) Who is accessing the network(Windows-Groups)

2) What tunnel type is getting used (Tunnel-Type)

3) What authentication type is getting used

4) What is the client's IP address (useful for site-to-site scenarios where the IP address of calling router remains same)

5) What time of day client is accessing (like you may want to block access at particular times)

6) etc

 

You may want to enforce following profile on a given policy:

1) Idle time after which the connection should be disconnected

2) Session time after which the connection should be disconnected

3) Inbound/Outbound filters that can be applied per PPP connection (or per user connection) - to restrict access of a given client/site to a given network (IP address, port number)

4) Encryption Type

5) Authentication Algorith Type

6) etc

 

How to configure the remote access policies?

It may look complicated at the start, but is pretty simple.

You need to first decide where the remote access policies reside - locally on RRAS server (called as Windows authentication in RRAS terminology) or remotely on a radius server (like IAS server on Windows 2000, 2003 server or any 3rd party radius server).

Then you need to decide what are the policy conditions and profile you need to segregate your users into. And then create different policies (note policies are ordered set of rules - try avoiding conflicts and if there is any first one will be selected).

Then create a test client, test your connection against different policies - it is better to test connections as you add/delete different policies - this way troubleshooting is simple.

 

How can I get more details:

Step by step guide for configuring RAP for RRAS: https://www.microsoft.com/downloads/details.aspx?FamilyID=8168740a-0c64-49e3-a6d8-dd6309111fca&displaylang=en

IAS Home page: https://www.microsoft.com/ias

RRAS Home page: https://www.microsoft.com/rras

You can also send in your queries in different newsgroups: microsoft.public.internet.radius, microsoft.public.windows2000.ras_routing

 

Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]