*The Golden Rule: a client is a client is a client ...
1. Communication Links and Protocols (Connectivity)
2. Remote Access Service - emphasis on RAS Server (Configuration)
3. Dial-up Networking - RAS client, DUN Monitor, Autolink feature (Configuration)
4. Multilink PPP (Performance)
5. Callback Security and Dial-in Permission (Security)
6. Password Encryption (Security)
7. Networking Essentials: RAS Server Service as a Gateway, Router, and Firewall (Connectivity)
8. Logs, Dial-Up Networking, Modems, Ports,  DUN Monitor ... (Troubleshooting / Configuration)
9. Interdependencies and Trivia - TAPI settings, Securing DUN for the Net (MISC.)

1. Public Switched Telephone Network (PSTN)
2. Integrated Service Digital Network (ISDN)
3. X.25 packet switching network  - transmits data with packet switching protocol. Relies on DCEs, data communication equipment, an elaborate worldwide network of pack forwarding nodes that participate in delivering an X.25 packet. DUN clients can access X.25 directly by using an X.25 packet assembler/disassembler (PAD). PAD does not require an X.25 line plugged into back of computer. Requirement: tele # and PAD service for the carrier.

1. SLIP - Serial Line Internet Protocol - primary function is to dial in to Unix Server.

• no support for NT to act as a SLIP Server
• only support for TCP/IP protocol - no support for NetBEUI or IPX/SPX.
• no support for DHCP or WINS as a client
• must have a statically assigned IP address
• no support for encrypted passwords
• *requires less system overhead than PPP.

2. PPP - Point-To-Point Protocol

• Client / Server support
• TCP/IP, IPX/SPX, NetBEUI, protocol support

3. MS RAS Protocol -proprietary MS protocol that supports the NetBIOS standard.

4. PPTP enables ?tunneling? of IPX, NetBEUI, or TCP/IP inside PPP packets to establish a secure link between a client/server over the Internet. PPTP connections establish Virtual Private Networks (VPNs) PPTP uses a encryption more secure than standard communications over the network itself. PPTP over the Internet is safe.

• PPP protocol required
• TCP/IP, IPX/SPX, NetBEUI, protocol support
• Connectivity requirements: RAS Server must have PPTP enabled adapter. If client is accessing Internet directly, client must have PPTP driver installed. If ISP provides connection for client, ISP's Point of Presence (POP) supports PPTP, and PPTP does not have to be installed on the client. Client established connection to ISP and calls NT RAS Server to establish PPTP tunnel. DUN must be configured to use data encryption.

1. TCP/ IP
2. IPX (NWLink)
3. NetBEUI
  > Bindings Tab > * Only one LAN protocol is used over the RAS connection. The first common protocol identified between the client and server is used. Binding order of protocols to the RAS dial-up adapter on the client is critical (most important MUST be located at the top).

RAS Configuration

• > Services Tab > Add > Remote Access Service.
• > Services tab > Remote Access Service > Properties >
• Add - a RAS device. Make sure your modem or or X.25 pad is installed. Note: Once the PPTP protocol is installed, VPN# - RASPPTM becomes an installable port to enable PPTP through RAS.
• Configure the port you will be using (Example: COM1)
  • Dial Out Only (dial-up networking only)
  • Receive Calls Only (server service only) If RAS is configured to receive calls, the port and modem cannot be used by any other application. RAS locks the port to maintain control to monitor for inbound calls.
  • Dial Out And Receive Calls (dial-up networking and server service).
• Remove - removes a port
• Clone - copies same modem setup from one port to another

Network (Configuration)

• Dial Out Protocols
  • TCP/IP.  Start > Programs > Accessories > Edit entry and modem properties ... > Server Tab to configure TCP/IP and dial up Server type.
  • NetBEUI
  • IPX / SPX
• Server Settings: Allow remote clients running > Select the LAN network protocols > Configure (settings apply to RAS operation on ALL RAS enabled ports).
  • TCP/IP - Allow Remote clients to access ... and DHCP settings. (See Routers, Gateways, Firewalls below) ... Allow remote clients to request a predetermined IP address Client specifies address by entry in Dial-Up Networking.
  • NetBEUI - Allow Remote clients to access ... NT RAS enables remote clients to access resources such as F&PS on a network. AKA, it enables clients running NetBEUI to access remote servers regardless of which protocol is installed on the remote server. NetBIOS gateway does this by translating NetBEUI packets into IPX or TCP/IP formats that can be understood by remote servers. (See Routers, Gateways, Firewalls below)
  • IPX/SPX - Allow Remote clients to access ... Allocate network numbers automatically ... Allocate network numbers ... Assign same network number to all IPX clients ... Allow remote clients to request IPX node number ... (See Routers, Gateways, Firewalls below)
• Encryption settings (see below)
• Enable Multilink PPP checkbox (see below)

Dial-Up Networking Client Configuration (Phonebook *.pbk)

• Start > Programs > Accessories >> More
• Edit Entry and modem properties
  • Basic Tab
  • Name for phonebook entry
    • Alternates button - sets second # to dial if first is unreachable
  • Telephone number you are dialing into
    • checkbox to use dialing features (good for long distance and using calling card)
  • Dial Using . Configure button
    • *Initial bps - speed
    • *Enable hardware flow control - whether or not the modem or software handles flow control between the modem and your computer. Default is hardware (XON/XOFF may not work with certain programs). Checking hardware prevents overrun errors and improves throughput.
    • *Enable modem error control - forces a reliable connection
    • *Enable modem compression - Do not check this. Check "software compression" on the Server tab. Software compression is faster and checking both may result in slower speeds.
    • *Disable modem speaker - modem dial tone sound
    • *Note: The settings in the  applet override the settings you have made in the  applet for your ports and in the  applet for your modems when using dial up networking.
  • Enable PPP MP by selecting "Multiple Lines" in the "Dial Using" box ; then click "Configure"
  • Server Tab
  • Dial Up Server type:  WAN protocol chosen here
  • Network Protocols  (allowable protocols should be enabled in Network > Services tab > Remote Access Service > Properties > Network > Dial Out protocols)
    • TCP/IP > TCP/IP Settings ... IP Address, DNS, Use IP header compression (may not work with older PPP servers), Use default gateway on remote network (must check this if you are using DUN and connected to a LAN).BY DEFAULT, YOUR ISP should assign you an IP address if you choose PPP as your dial up server type. IF you choose SLIP as your dial up server, you will likely have to manually assign an IP address here for your ISP.
    • IPX/SPX
    • NetBEUI
  • Enable software compression - check it for max. speed!
  • Enable PPP LCP extensions - enables newer PPP features (whatever they are :-)) Uncheck if connection problems are occurring if you are troubleshooting.
  • Script Tab
    • None. Script or terminal window can be initiated before and/or making RAS connection.
  • Security Tab
    • See password Encryption below
    • Unsave password - clears the auto saved password if you choose to do so
  • X.25 Tab
• Clone Entry and Modem properties - makes duplicate
• Delete entry
• Create Shortcut to entry
• Monitor status - launches 
• Operator assisted of manual dialing -  unchecked
• User preferences ...
  • Dial Tab (AutoDial) - maps network addresses to RAS phonebook entries.
    • at least one TAPI dialing location is required
    • (enabled by default) Remote Access AutoDial Manager service must be running for this option to work.
    • Uncheck the box if you want to disable AutoDial (you may want to disable AutoDial if you have multiple ISP's configured on computer at one location and want to use different providers at different times).
    • AutoDial does not support IPX connections, only TCP/IP and NetBEUI.
  • Number of redial attempts (on failure to connect) -
  • Seconds between redial attempts. Remote Access AutoDial Manager service must be running for this option to work.
  • Idle seconds before hanging up - Remote Access AutoDial Manager service must be running for this option to work.
  • Redial on link failure - Remote Access AutoDial Manager service must be running for this option to work.
  • Callback
    • See Callback Security below
  • Appearance
    • Preview phone number you are dialing from - not an edit option. Uncheck if you do not want to see the number displayed in "Show connection progress when dialing"
    • Select to edit location you are dialing from - (not able to get this to work - only by choosing User preferences > Sever Tab > Unsave password  have I been able to bring up the User name and password dialog back up again)
    • Start before dialing - (must be checked for settings to take effect, AKA so you can have status lights show up as an icon next to the system clock )
    • Show connection progress when dialing (onscreen window. Useful - gives you the cancel option so you can manually disconnect when you see your connection is going South)
    • Close on dial - (closes dialog box) upon connection so  does not appear on taskbar.
    • Use wizard to create phonebook entries - not!
    • Always prompt before auto dialing - Remote Access AutoDial Manager service must be running for this option to work.
• Logon preferences ...
  • same options as User preferences. Difference is, this entry is:  the checkbox "logon using dial up networking"  (at the logon screen) to log into the domain.

Dial-Up Networking Monitor

• Start > Settings > Control Panel > 
• Status - troubleshooting tool
• Summary - check if Multilink PPP connection is working
• Preferences
  • Play a sound when ...
  • Include in the task list - creates minimized Window on taskbar (lame)
  • Show status lights
    • as an icon next to taskbar clock (check this)
    • as a window on the desktop

• Combines two physical links (example: phone lines) into a logical "bundle," for increased bandwidth.
• Connectivity requirements - support must be installed by both the client and server systems
• TCP/IP, IPX/SPX, NetBEUI, protocol support
• Limitations: Cannot be used with the callback security feature. The server will call the client back; but to only one of the devices. Exception is ISDN. Callback will work.
• Limitations: Multilink PPP cannot use different types of links such as ISDN and PSTN (for the exam it can)

Multilink PPP Installation

• Server: > Services tab > Remote Access Service > Properties > Network > Enable Multilink
• Client:  MP is enabled through Dial-Up Networking?s Phonebook configuration windows where multiple modems and phone numbers can be defined. My Computer > DUN > More > Edit Entry and Modem Properties >Dial Using: <Multiple Lines> > Configure button.

1. Configuring Callback Security and Giving a User the ability to Dial-in to the Remote Access Server Service

• >  > Properties > Dialin button >
• > Users > Permissions

1a. Callback Options

• No Call Back Default setting - client will not be called back.
• Set By Caller Callback can be set by the user. Server calls the client back at the number set by the caller.
• Preset To You You configure the callback for a preset number. Strongest security because the user must call from a predetermined number. (Not functional for the mobile user).

2. Configuring Callback Security on the Client

• Start > Programs > Accessories > > More > ("User Preferences " for ISP?)("Logon Preferences" for logging into a domain?) > Callback Tab

2a. Callback Options

• No, skip callback
• Maybe, ask me when dial up server offers
• Yes, call me back at the number below > Edit > Add a phone number (best security for mobile Users)

3. Callback and Multilink PPP interdependency

• Limitations: Cannot be used with the callback security feature. The server will call the client back; but to only one of the devices. Exception is ISDN. Callback will work.

1. Configuring Password encryption in the Remote Access Server Service

• > Services tab > Remote Access Service > Properties > Network >
• Allow Any Authentication Including Clear Text most permissive. Use when user is not concerned about passwords. Option allows a connection using any authentication provided by the server; useful when connecting to a non-Microsoft server.
• Require Encrypted Authentication useful when transmission of clear text password is not desired and when you are connecting to a non-Microsoft server.
• Microsoft Encrypted Authentication (most secure)Microsoft Challenge Authentication Handshake Protocol (MS-CHAP) used; useful when calling a Microsoft server. If the Require Encrypted Authentication box is checked (only available when MS encrypt radio button selected) , all the data sent over the wire is encrypted (Rivest-Shamir- Adleman <RSA> Data Security Incorporated RC4 algorithm) If the data sent fails to encrypt, connection automatically is terminated.

2. Configuring Password encryption on the client

• Start > Programs > Accessories >> More > Edit Entry and Modem Properties > Security Tab >
• Allow Any Authentication Including Clear Text most permissive. Use when not concerned about passwords. Option allows a connection using any authentication provided by the server; useful when connecting to a non-Microsoft server.
• Require Encrypted Authentication useful when transmission of clear text password is not desired and when you are connecting to a non-Microsoft server.
• Microsoft Encrypted Authentication (most secure)Microsoft Challenge Authentication Handshake Protocol (MS-CHAP) used; useful when calling a Microsoft server. If the Require Encrypted Authentication box is checked (only available when MS encrypt radio button selected) , all the data sent over the wire is encrypted (Rivest-Shamir- Adleman <RSA> Data Security Incorporated RC4 algorithm) If the data sent fails to encrypt, connection automatically is terminated. When "Use current User name and password" check box is selected, your domain logon information is used.

A couple of Tran... questions have become the subject for great debate which no one seems to agree on, soooo, figure I'll add my two cents to it. In a nutshell, the question is this: does Allow Any Authentication Including Clear Text provide both data and password encryption by default when an MS client dials into NT Server? I have been unable to locate a single MS Source that says it doesn't. What may throw you off is the checkbox that enables you to select RSA data encryption "in addtion to" MS-CHAP. Look again! Look at the RAS Server. The setting on the Server reads "require data encryption" in addtion to "require ms encrypted authentication." On the client, it is "accept only" etc. What does this likely mean? It likely means if the client (or the server) can't produce it -- they ain't talking!

Second and probably the best evidence I have been able to find: it appears that RSA data encryption and MS-CHAP authentication as implemented by NT RAS are not seprate beasts afterall (Microsoft Help. Keyword = RSA. Title of document = Data Encryption):

• "...for data encryption, PPTP uses the Remote Access Server (RAS) "shared-secret" encryption process. It is referred to as a shared-secret encryption process because both ends of the connection share the encryption key. Under the Microsoft implementation of RAS, the shared secret is the user password."
• "... an encryption key is derived from the hashed password stored on both the client and server. The RSA RC4 standard is used to create this 40-bit session key based on the client password. This key is used to encrypt all data that is passed over the Internet, keeping the remote connection private and secure."

Well, that's my two cents. I say what the heck, it does! In the RL World, set your clients to MS-CHAP and require data encryption to be sure :-)

  Configuration

• > Services tab > Remote Access Service > Properties > Network > Server Settings > (NetBEUI; TCP/IP; IPX/SPX) > Configure > Allow remote (NetBEUI; TCP/IP; IPX/SPX) clients to access > This computer only  -  you are using RAS as a firewall; no access of any kind off the RAS server is permitted.
• Services tab > Remote Access Service > Properties > Network > Server Settings > (NetBEUI; TCP/IP; IPX/SPX) > Configure > Allow remote (NetBEUI; TCP/IP; IPX/SPX) clients to access > the entire network -- and you are using RAS to grant remote clients access to the resources on the network. For TCP/IP and IPX/SPX, you are using RAS as a router.
  • This means RAS can link LAN's and WAN's acting as a router
  • This means different network topologies can be connected such as Ethernet and Token Ring

 
Logging

• DEVICE.LOG for modem - DEVICE.LOG. This file only can be enabled through the Registry. The ?Logging? value located in \HKEY_LOCAL_  MACHINE\ SYSTEM\ CurrentControlSet\ Services\ RasMan\ Parameters - should be set to 1. *.log file located at  \%winntroot %\system32\ras folder
• PPP.LOG for PPP connections (sample)- The ?Logging? value located in \HKEY_LOCAL_  MACHINE\ SYSTEM\ CurrentControlSet\ Services\ RasMan\ PPP\ Logging should be set to 1. *.log file located at  \%winntroot %\system32\ras folder.
• Log > System (by default) - all server errors, user connect attempts, disconnects, and so on are logged.
• MODEMLOG.TXT (sample). Start > Settings > Control Panel > Modems > Modem > Properties > Connection > Advanced > Record a log file. Log file stored in \Winnt folder. Use this to monitor modem and for troubleshooting (records modem activities). Note: NT names "modemlog.txt" this way: "ModemLog_Sportster 28000-33600.txt"

Start > Programs > Accessories >> More

• Edit Entry and modem properties
• Basic Tab

• Dial Using . Configure button
  • *Initial bps - speed. First thing to do when having connection problems is to lower your maximum speed.
  • *Data gets lost during transfers - enable hardware flow control - whether or not the modem or software handles flow control between the modem and your computer. Default is hardware (XON/XOFF may not work with certain programs). Checking hardware prevents overrun errors and improves throughput.
  • *Enable modem error control - forces a reliable connection
  • *Enable modem compression - Do not check this. Check "software compression" on the Server tab. Software compression is faster and checking both may result in slower speeds.
• Server Tab
• Network Protocols  -  allowable protocols must be enabled in > Services tab > Remote Access Service > Properties > Network > Dial Out protocols
  • TCP/IP (TCP/IP Settings)
    • IP Address, DNS, Use IP header compression (may not work with older PPP servers), Use default gateway on remote network (must check this if you are using DUN and connected to a LAN).
• Enable software compression - check it for max. speed!
• Enable PPP LCP extensions - enables newer PPP features (whatever they are :-)) Uncheck if connection problems to older PPP servers are occurring.

Start > Settings > Control Panel >  > Modem > Properties > Connection Tab >
*Note: The settings in the  applet override the settings you have made in the  applet for your ports and in the  applet for your modems when using dial up networking.

• Connection Preferences
  • Data bits: either 7 or 8 (8 Default). Means 7 or 8 packets will be sent over wire at a time.
  • Parity: Method for error checking. None is default (occasionally if you are using 7 data bits, this setting might be "Even") Used to make sure info is sent across wire and received properly.
  • Stop bits: 1. Older network may use 2. Identifies end of a packet (in the past modems would only speak in one direction at a time).

• Call Preferences
  • Wait for dial tone before dialing, Cancel call f not connected within x seconds, Disconnect is idle for ...
• Advanced
  • Modem error control - forces a reliable connection
  • Modem flow control - Data gets lost during transfers ; whether or not the modem or software handles flow control between the modem and your computer. Default is hardware (XON/XOFF may not work with certain programs). Checking hardware prevents overrun errors and improves throughput.
  • Modulation Type:    must be the same on both modems in order for them to communicate. If you are having trouble connecting to an older modem, try a non-standard setting here
  • Extra Settings - ability to enter modem initialization settings here.
  • Record a log file (see above)

Start > Settings > Control Panel > > COMx > Settings

• Baud Rate - speed. First thing to do when having connection problems is to lower your maximum speed.
• Data bits: either 7 or 8 (8 Default). Means 7 or 8 packets will be sent over wire at a time.
• Parity: Method for error checking. None is default (occasionally if you are using 7 data bits, this setting might be "Even") Used to make sure info is sent across wire and received properly.
• Stop bits: 1. Older network may use 2. Identifies end of a packet (in the past modems would only speak in one direction at a time).
• Flow control - Data gets lost during transfers ; whether or not the modem or software handles flow control between the modem and your computer. Default is hardware (XON/XOFF may not work with certain programs). Checking hardware prevents overrun errors and improves throughput.
• Advanced
  • COM Port #
  • Base I/O Port Address
  • IRQ
  • FIFO enabled - enabled or not. Adds additional functionality to COM ports. Windows 95 Note: FIFO (first In First Out) buffers are used. These buffers are temporary storage areas for transmitting and receiving packet info through modems. You should set them at maximum levels for maximum throughput. There are two types of FIFO buffers:
    • 16550 UART (Universal Asynchronous Receiver/Transmitter) - standard 486 and later
    • 8250 UART allows maximum rate of 9600 bps.
  • Note: UART chips are found in many different places on your system. They can be located on your modem hardware, parallel port boards, hard disk controllers, and other locations where communications are taking place.

Start > Settings > Control Panel > 

• Status - troubleshooting tool
• Summary - check if Multilink PPP connection is working
• Preferences
  • Play a sound when ...
  • Include in the task list - creates minimized Window on taskbar (lame)
  • Show status lights
    • as an icon next to taskbar clock (check this)
    • as a window on the desktop

Hardware and MISC.

• Modem is dialing but not connecting:
  • try using a generic modem driver
  • check COM port configuration
• *Operating System cannot find your modem:
  • Make sure the modem is turned on and connected to the PC
  • other programs may be using the COM port
  • COM port is not active
  • incorrect IRQ
• Connection keeps getting dropped:
  • check modem cable ; phone line to modem
  • try using a different phone line
  • disable call waiting.

• TAPI Settings
  • Modem Control Panel Applet > Dialing Properties
  • Telephony Applet
    • My Locations Tab - Primary area where a dialing location can be defined and modified. A dialing location simply sets the area code, long distance dialing requirements, credit card calls, whether to disable call waiting, and tone or pulse dialing.
    • Telephony Divers Tab - lists the TAPI or communication drivers installed on the machine. This is usually not the place where new drivers for communication devices are installed ; however, by choosing "Properties" for the "Unimodem driver," you will effectively open up the Modems Applet.
• Notes on Securing Dial-Up Networking for Internet Access
• Maximum number of simultaneous connections: 256 FOR NT Server
• How can you speed up a slow RAS connection over TCP/IP? When you are using TCP/IP via a slow RAS connection, an LMHOSTS (WINS) / HOSTS (DNS) file might speed up network access and name resolution. Place an LMHOSTS file on the RAS client.  Be sure that LMHOSTS entries have the #PRE tag so that the IP addresses will be cached.