Connect Multiple Remote Sites
Applies To: Windows Server 2008, Windows Server 2008 R2
Many organizations have offices in different geographical locations, requiring remote site connectivity. You can use RRAS to deploy a cost-effective site-to-site solution.
In the past, organizations have used wide area network (WAN) site-to-site connection technologies, such as T-Carrier or Frame Relay, to connect remote sites across a private data network. However, these private lines can be expensive. For example, the prices for T-Carrier services are based on both bandwidth and distance, which makes the connections relatively costly. In addition, T-Carrier typically requires a dedicated infrastructure, including a Channel Service Unit/Data Service Unit (CSU/DSU) and line-specific routers at each end of the connection.
In contrast, you can integrate RRAS into your organization’s current network by using existing servers. With the site-to-site connections provided by RRAS, you have two alternatives to conventional WAN links: a site-to-site dial-up connection over the public phone network or a site-to-site VPN connection over the public Internet. If you deploy an RRAS solution to replace an existing WAN connection, or to implement a new connection, you can optimize cost savings by tailoring your connection type to your traffic volume. You can also customize security to fit your organization’s requirements.
Note
RRAS can support both site-to-site connections between remote offices and remote access connections for individual computers. This topic focuses on site-to-site connections.
The following illustration shows a typical remote network connectivity scenario.
The connection between the two servers can be persistent (always on) or on demand (demand-dial). A demand-dial connection, which only uses bandwidth when it is needed, can be configured to establish the connection only when certain network traffic types are sent. A demand-dial connection is typically configured as bidirectional, meaning that network traffic from either end can initiate the connection, but you can configure a connection to be one way, meaning that only traffic from one end can initiate the connection though once established, network traffic flows through it both ways.
In this topic:
What is demand-dial routing?
Components of a demand-dial connection
Types of demand-dial connections
What is demand-dial routing?
Demand-dial routing is the forwarding of packets between networks over Point-to-Point Protocol (PPP) links, such as analog telephone lines or Integrated Services Digital Network (ISDN). Demand-dial routing can also use broadband, though the economics of most broadband connections typically result in always-on connections, rather than connections that are only established when needed.
Although similar, demand-dial routing is not the same as remote access. Remote access connects a single user to a network. Demand-dial routing connects one network to another network. However, both remote access and demand-dial routing use PPP to negotiate and authenticate the connection and encapsulate data sent through the connection.
Because the routing service and the remote access service coexist on a RRAS server, both routers and remote access clients can call the same telephone number. The RRAS server that answers the call must be able to distinguish a remote access client from a router that is attempting to create a demand-dial site-to-site connection. To differentiate a remote access client from a demand-dial router, the user name in the authentication credentials sent by the calling router must exactly match the name of a demand-dial interface on the answering router. Otherwise, the incoming connection is assumed to be a remote access connection.
Components of a demand-dial connection
A demand-dial connection contains the following components:
- A calling router, which initiates the demand-dial connection.
Note
You can configure both routers to initiate the connection as needed, but during any given session, one router serves as the calling router, while for that session the other router serves as the answering router.
An answering router, which accepts the demand-dial connection initiated by the calling router.
The connection medium, which is either a physical medium or a tunnel medium. For more information about connection media, see Connection medium later in this topic.
Common components for routers
The following components are common to both the calling router and the answering router:
Routing and Remote Access
Port
Routing and Remote Access
RRAS on the calling router must be configured as a LAN and WAN router and configured for IP address allocation and authentication methods to support its incoming connections. IP addresses can be allocated either by using Dynamic Host Configuration Protocol (DHCP) or a static address pool.
Port
A port is a logical or physical communications channel that can support a single PPP connection. Physical ports are based on equipment installed in the calling router. VPN ports are logical ports.
Calling router components
In addition to Routing and Remote Access and a port, the calling router contains the following components:
Demand-dial interface
Route
Demand-dial interface
A demand-dial interface configured on the calling router represents the PPP connection and contains configuration information, such as the port to use, the addressing used to create the connection (such as a telephone number or IP address), authentication and encryption methods, and authentication credentials.
Route
An IP route in the routing table of the calling router is configured to use a demand-dial interface to forward traffic.
Answering router components
In addition to Routing and Remote Access and a port, the answering router contains the following components:
User account
Demand-dial interface
Route
Note
Two-way initiated and one-way initiated connections require different configurations for the answering router. For more information about two-way initiated and one-way initiated connections, see “Types of demand-dial connections” later in this topic.
User account
To authenticate the calling router, the credentials of the calling router must be verified by the properties of a corresponding user account. A user account for the calling router must be either locally present or available through Active Directory security. If the answering router is configured for Remote Authentication Dial-In User Service (RADIUS) authentication then the RADIUS server must have access to the user account of the calling router.
The user account for the calling router must have the following settings:
The user name of the account must exactly match the name of a demand-dial interface on the answering router. If the account name does not match a demand-dial interface, then the connection is interpreted as a user-based remote access connection instead of a server-to-server connection.
On the Dial-in tab, network access permission is set to either Allow access or Control access through NPS Network Policy.
On the General or Account tab, User must change password at next logon is disabled and Password never expires is enabled.
For a one-way initiated connection, configure static IP routes that are added to the routing table of the answering router when the demand-dial connection is made.
Demand-dial interface
For two-way initiated connections, a demand-dial interface configured on the answering router represents the PPP connection to the calling router. For a one-way initiated connection that uses static routes on the user account of the calling router, a demand-dial interface on the answering router does not have to be configured.
Route
For two-way initiated connections, an IP route in the routing tables of the calling router is configured to use a demand-dial interface to forward traffic.
For one-way initiated connections, you can configure the user account for the calling router with static IP routes.
Connection medium
The PPP link is established over either a physical medium or a tunnel medium. Physical media includes Public Switched Telephone Network (PSTN) and Integrated Services Digital Network (ISDN). Tunnel media includes Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP).
PPPoE
PPPoE is a method of encapsulating PPP frames so that they can be sent over an Ethernet network. By using PPPoE and a broadband modem, LAN clients can gain individual authenticated access to high-speed data networks.
Types of demand-dial connections
Demand-dial connections are characterized as either on-demand or persistent and as either two-way initiated or one-way initiated.
These characteristics determine the configuration of the demand-dial interface.
On-demand and persistent connections
Demand-dial connections are either on-demand or persistent.
On-demand connections
On-demand connections are typically used when the cost of using the communications link is time-sensitive. For example, the charges for long distance analog telephone calls are on a per-minute basis. On-demand connections make the connection when traffic is forwarded and terminate the connection after a configured amount of idle time.
Idle disconnect behavior can be configured on both the calling router and the answering router.
On the calling router, the idle disconnect time is set on the General tab of the properties of the demand-dial interface.
On the answering router, the idle disconnect time is set in the network policy being used by the demand-dial connection on the server that is running Network Policy Server (NPS).
Persistent connections
Persistent connections use a dial-up WAN technology when the cost of the link is fixed and there is no reason that the connection cannot be active 24 hours a day. Examples of WAN technologies for persistent demand-dial connections include local calls that use analog telephone lines, leased analog lines, and flat-rate ISDN. If a persistent connection is lost, the calling router immediately attempts to reestablish the connection.
Persistent connection behavior must be configured on the calling router and the answering router.
Two-way and one-way initiated connections
Demand-dial connections are either two-way initiated or one-way initiated.
Two-way initiated connections
With two-way initiated connections, either router can be the answering router or the calling router, depending on which router initiates the connection. Both routers must be configured to initiate and accept a demand-dial connection. Two-way initiated demand-dial connections require the following:
Both routers must be configured as LAN and WAN routers.
User accounts must be added to both routers so that the authentication credentials of the calling router can be accessed and validated by the answering router.
Demand-dial interfaces must be fully configured on both routers and include the telephone number of the answering router and user account credentials to authenticate the calling router.
Static routes must be configured on both routers.
For two-way initiated demand-dial routing to work correctly, the user account names of the calling routers on both sides of the connection must match the name of a demand-dial interface. The following table shows an example of this configuration.
Example of Two-Way Initiated Connection Configuration
Router | User Account Name | Demand-Dial Interface Name |
---|---|---|
Corporate office router |
CorpHub |
NewYorkRouter |
Branch office router |
NewYorkRouter |
CorpHub |
For a description of the two-way connection process, see Demand-Dial Connection Process in the Windows Server Technical Library.
One-way initiated connections
With one-way initiated connections, one router is always the answering router and the other router is always the calling router. In one-way initiated connections, the routing configuration is simplified because user accounts, demand-dial interfaces, and static IP routes do not have to be fully configured on both sides of the connection. Instead of configuring a demand-dial interface and static routes on the answering router, static routes are added to the dial-in properties of the user account of the calling router.
If your answering router is in a mixed-mode Active Directory domain, static routes on the user account are not available. In this case, one-way initiated connections require the following:
Both routers must be configured as LAN and WAN routers.
A user account must be added for the authentication credentials of the calling router.
A demand-dial interface must be configured at the calling router with the user credentials of the user account. A demand-dial interface is configured at the answering router with the same name as the user account that is used by the calling router. Because the demand-dial interface of the answering router is not used to dial out, it is not configured to use the telephone number of the calling router or with valid user credentials.