Deploying demand-dial routing
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To create a two-way initiated demand-dial routing connection between a branch office router and a corporate office router, you must perform the following:
Configure the corporate office router to initiate and receive demand-dial connections with the branch office router.
Configure the branch office router to initiate and receive demand-dial connections with the corporate office router.
Initiate the demand-dial connection from either the branch office router or the corporate office router.
Notes
This deployment assumes a demand-dial connection between a branch office router and a corporate office router. You can also apply this deployment to the demand-dial connections between two corporate offices.
For maximum flexibility, the demand-dial connection is a two-way initiated connection that is initiated by either the branch office router or the corporate office router.
The following illustration shows elements of Routing and Remote Access that provide demand-dial routed connections.
Configuring the corporate office router
If you want your corporate office router to support two-way initiated demand-dial connections, complete the following steps:
Configure the connection to the corporate office intranet.
Configure the LAN and WAN router.
Configure ports to allow demand-dial connections.
Configure demand-dial interfaces.
Configure static routes.
Configure remote access policies.
Configuring the connection to the intranet
The connection to the intranet is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with your operating system. For more information, see Support resources.
You need to configure the following TCP/IP settings on the LAN adapter:
IP address and subnet mask assigned from the network administrator.
IP addresses of the corporate DNS and WINS servers.
Because the corporate office router will act as a router between the corporate office and the branch office, it must be configured with either static routes or with routing protocols so that all of the destinations on the corporate network are reachable from the corporate office router.
Configuring the LAN and demand-dial router
You can enable LAN and demand-dial routing by installing the Routing and Remote Access service and using the Routing and Remote Access Server Setup Wizard. For more information, see Enable the Routing and Remote Access service.
If you have already run the Routing and Remote Access Server Setup Wizard but did not choose the routing options, you can configure LAN and demand-dial routing through the properties of the router in Routing and Remote Access. For more information, see View properties of the remote access server.
To allow demand-dial connections, you need to either run the Routing and Remote Access Server Setup Wizard and choose the routing options, or configure the following settings manually:
General
Verify that the Router check box and LAN and demand-dial routing are selected for the server running Routing and Remote Access.
Security
Authentication Methods
Select the authentication methods that are supported by the router to authenticate the credentials of demand-dial routers. For servers running Routing and Remote Access configured as demand-dial routers, select either MS-CHAP v2 or EAP (if smart cards or machine certificates are available) authentication.
Authentication Provider
You can verify the credentials of demand-dial routers by using the security features of the Windows Server 2003 family or a RADIUS server. If RADIUS is selected, you need to configure RADIUS server settings for your RADIUS server or RADIUS proxy.
Accounting Provider
You can record demand-dial router activity for analysis or accounting purposes by selecting and configuring an accounting provider.
IP
Click Static address pool and configure the ranges of IP addresses that are dynamically allocated to demand-dial routers.
PPP
Select the Link control protocol (LCP) extensions check box.
Select the Software compression check box.
Configuring demand-dial interfaces
For each branch office router, you can create a demand-dial interface by using the Demand-Dial Interface wizard. In the wizard, enter the following:
Interface name
The name of the interface that represents the connection to the branch office and that has the same name as the user account used by the branch office router. For example, for a router in the New York branch office, enter NewYorkRouter.
Connection type
Click Connect using a modem, ISDN adapter, or other physical device.
Select a device
Click the device being used to create the connection.
Phone number or address
Because the corporate router can also initiate a demand-dial connection, the phone number of the branch office router is required.
Protocols and security
Select the protocols to route and the Add a user account so a remote router can dial in check boxes.
Dial-in credentials
Type the domain and password for the account that will be used to authenticate the branch office router. The Demand-Dial Interface wizard automatically creates the account and sets its remote access permission to Allow access. The name of the account is the same as the name of the demand-dial interface. For example, for the New York branch office router, the name of the account is NewYorkRouter.
Dial-out credentials
Because the corporate router can also initiate a demand-dial connection, the name, domain, and password are required. The user credentials that you enter are used to authenticate the corporate office router when it initiates a connection with the branch office router. For example, for the corporate office router, the name of the account is CorpHub.
Configuring static routes
You need to add static routes so that traffic to the branch office is forwarded by using the appropriate demand-dial interface. For each route of each branch office, configure the interface, destination, network mask, and metric. For interface, you need to select the demand-dial interface that corresponds to the branch office.
For example, the route that corresponds to the New York branch office is 192.168.25.0 with a subnet mask of 255.255.255.0. This route becomes the static route with the following configuration:
Interface: NewYorkRouter
Destination: 192.168.25.0
Network mask: 255.255.255.0
Metric: 1
Note
- Because the demand-dial connection is a point-to-point connection, the gateway IP address is not configurable.
For more information, see Add a static route.
Configuring remote access policies
By using the Demand-Dial Interface wizard, the dial-in properties of user accounts that are used by branch office routers are already configured to allow remote access.
If you want to grant remote access to the demand-dial-based branch office routers based on group membership, do the following:
For a stand-alone router, use Local Users and Groups and set dial-in properties to Allow access for all users.
For a router in a domain, use Active Directory Users and Computers and set dial-in properties to Control access through Remote Access Policy for all users.
Create a user group whose members can create demand-dial connections with the corporate office router. For example, create a user group named BranchOfficeRouters.
Add the appropriate user accounts that correspond to the accounts that are used by the branch office routers to the group.
Delete the default remote access policies.
Create a new remote access policy with the following properties:
Set Policy name to Demand-dial connection if member of BranchOfficeRouters (example).
Set the Windows-Groups attribute to BranchOfficeRouters (example).
Set the NAS-Port-Type condition to all except Virtual (VPN).
The default settings for encryption on the Encryption tab on the properties of a remote access policy profile are to allow no encryption and all levels of encryption strength. To require encryption for demand-dial connections, clear the No Encryption option and select the encryption strength you want to use.
For more information, see Configure encryption.
Configuring the branch office router
If you want your branch office router to support two-way initiated demand-dial connections, complete the following steps:
Configure the connection to the branch office intranet.
Configure the LAN and WAN router.
Configure ports to allow demand-dial connections.
Configure a demand-dial interface.
Configure static routes.
Configure remote access policies.
Configuring the connection to the branch office intranet
The connection to the branch office network is a LAN adapter installed in the computer. To verify whether the LAN adapter is compatible with your operating system, see Support resources.
You need to configure the following TCP/IP settings on the LAN adapter:
IP address and subnet mask assigned from the network administrator.
IP addresses of the branch office DNS and WINS servers.
Because the branch office router will act as a router between the corporate office and the branch office, it must be configured with either static routes or with routing protocols so that all of the destinations on the branch office network are reachable from the branch office router.
Configuring the LAN and demand-dial router
You can enable the LAN and demand-dial router by installing the Routing and Remote Access service and using the Routing and Remote Access Server Setup Wizard. For more information, see Enable the Routing and Remote Access service.
If you have already run the Routing and Remote Access Server Setup Wizard but did not choose the routing options, you can configure LAN and demand-dial routing through the properties on the router in Routing and Remote Access. For more information, see View properties of the remote access server.
To allow demand-dial connections, you need to either run the Routing and Remote Access Server Setup Wizard and choose the routing options, or configure the following settings manually:
General
Verify that the Router check box and LAN and demand-dial routing are selected.
Security
Authentication Methods
Select the authentication methods that are supported by the router to authenticate the credentials of demand-dial routers. For servers running Routing and Remote Access configured to act as demand-dial routers, select either MS-CHAP v2 or EAP (if smart cards or machine certificates are available) authentication.
Authentication Provider
You can verify the credentials of demand-dial routers by using the security features of the Windows Server 2003 family or a RADIUS server. If RADIUS is selected, you need to configure RADIUS server settings for your RADIUS server or RADIUS proxy.
Accounting Provider
You can record demand-dial router activity for analysis or accounting purposes by selecting and configuring an accounting provider.
IP
Click Static address pool and configure the ranges of IP addresses that are dynamically allocated to demand-dial routers.
PPP
Select the Link control protocol (LCP) extensions check box.
Select the Software compression check box.
Configuring a demand-dial interface
You can create a demand-dial interface by using the Demand-Dial Interface wizard. In the wizard, enter the following:
Interface name
The name of the interface is the name of the user account configured on the corporate server running Routing and Remote Access and used by the branch office router to connect to the corporate network. For example, enter CorpHub.
Connection type
Click Connect using a modem, ISDN adapter, or other physical device.
Select a device
Click the device being used to create the connection.
Phone number or address
Because the branch office router can also initiate a demand-dial connection, the phone number of the corporate office router is required.
Protocols and security
Select the protocols to route and the Add a user account so a remote router can dial in check boxes.
Dial-in credentials
Type the domain and password for the account that will be used to authenticate the corporate office router. The Demand-Dial Interface wizard automatically creates the account and sets its remote access permission to Allow access. The name of the account is the same as the name of the demand-dial interface. For example, for the corporate office router, the name of the account is CorpHub.
Dial-out credentials
Because the branch office router can also initiate a demand-dial connection, the name, domain, and password are required. The user credentials that you enter are used to authenticate the branch office router when it initiates a connection with the corporate office router. For example, for the branch office router in the New York branch office, the name of the account is NewYorkRouter.
Note
In order for two-way initiated demand-dial routing to work properly, the user name of the calling router must match the name of a demand-dial interface on both sides of the connection. The following table shows an example.
Router                     Demand-dial interface name   User account name
Corporate office router    NewYorkRouter                CorpHub
Branch office router       CorpHub                      NewYorkRouter
Configuring static routes
You need to add static routes so that traffic to the corporate office is forwarded by using the appropriate demand-dial interface. For each route to the corporate office, configure the interface, destination, network mask, and metric. For interface, select the demand-dial interface to the corporate office that you created previously.
For example, the route that corresponds to the corporate office is 10.0.0.0 with a subnet mask of 255.0.0.0. To configure this route as a static route, set the following:
Interface: CorpHub
Destination: 10.0.0.0
Network mask: 255.0.0.0
Metric: 1
Note
- Because the demand-dial connection is a point-to-point connection, the gateway IP address is not configurable.
For more information, see Add a static route.
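The static routes on both routers decide which traffic brings up the demand-dial link: only destinations covered by a route whose interface is a demand-dial interface cause a dial, and a destination with no matching route is simply dropped. The following added example (not part of the original article) models the routing tables from the text: the demand-dial routes are the ones configured above, while the LAN adapter name "Local Area Connection" and the corporate LAN subnet 10.0.1.0/24 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One row of the Add static route dialog. There is no gateway field because a
    demand-dial link is point-to-point: the interface alone identifies the peer."""
    interface: str      # LAN adapter or demand-dial interface that carries the traffic
    destination: str    # network address
    network_mask: str   # dotted subnet mask
    metric: int = 1

    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.network_mask}")


def select_interface(routes, dest_ip):
    """Longest-prefix match over the routes; equal prefixes are broken by the lower
    metric. Returns the interface name, or None when no route covers dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        net = route.network()
        if addr in net and (best is None or
                            (net.prefixlen, -route.metric) >
                            (best.network().prefixlen, -best.metric)):
            best = route
    return best.interface if best else None


def dials_out(routes, dest_ip, demand_dial_ifaces):
    """True when forwarding dest_ip would bring up a demand-dial connection."""
    return select_interface(routes, dest_ip) in demand_dial_ifaces


# Constructed routing tables for the article's example (LAN rows are assumptions).
CORP_ROUTES = [
    StaticRoute("Local Area Connection", "10.0.1.0", "255.255.255.0"),
    StaticRoute("NewYorkRouter", "192.168.25.0", "255.255.255.0"),  # from the text
]
BRANCH_ROUTES = [
    StaticRoute("Local Area Connection", "192.168.25.0", "255.255.255.0"),
    StaticRoute("CorpHub", "10.0.0.0", "255.0.0.0"),                # from the text
]

if __name__ == "__main__":
    print(select_interface(BRANCH_ROUTES, "10.0.1.5"))     # CorpHub: the branch dials
    print(select_interface(CORP_ROUTES, "192.168.25.10"))  # NewYorkRouter: corp dials
    print(select_interface(CORP_ROUTES, "172.16.0.1"))     # None: no route, no dial
```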
Configuring remote access policies
By using the Demand-Dial Interface wizard, the dial-in properties of user accounts that are used by corporate office routers are already configured to allow remote access.
If you want to grant remote access to the demand-dial-based corporate office routers based on group membership, do the following:
For a stand-alone router, use Local Users and Groups and set dial-in properties to Allow access for all users.
For a router in a domain, use Active Directory Users and Computers and set dial-in properties to Control access through Remote Access Policy for all users.
Create a user group whose members can create demand-dial connections with the branch office router. For example, create a user group named DemandDialRouters.
Add the appropriate user accounts that correspond to the accounts that are used by the corporate office router or other branch office routers to the group.
Delete the default remote access policies.
Create a new remote access policy with the following properties:
Set Policy name to Demand-dial connection if member of DemandDialRouters (example).
Set the Windows-Groups attribute to DemandDialRouters (example).
Set the NAS-Port-Type condition to all except Virtual (VPN).
The default settings for encryption on the Encryption tab on the properties of a remote access policy profile are to allow no encryption and all levels of encryption strength. To require encryption for demand-dial connections, clear the No Encryption option and select the encryption strength you want to use.
For more information, see Configure encryption.
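The naming rule in the note above (the calling router's user name must equal a demand-dial interface name on the answering router) and the group-based remote access policy are the two places where a two-way configuration most often goes wrong. The following added example (not part of the original article) encodes both checks over a model of the two routers; the router object names and the misnamed "Corporate" interface are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DemandDialInterface:
    name: str           # must equal the user name the peer router dials in with
    dial_out_user: str  # account this router presents when it calls the peer


@dataclass
class Router:
    name: str
    interfaces: dict                                 # interface name -> DemandDialInterface
    accounts: set                                    # accounts with dial-in permission
    policy_group: set = field(default_factory=set)   # members of the Windows-Groups group


def check_two_way(a, b):
    """Return the problems that would stop a and b from calling each other; [] is good."""
    problems = []
    for caller, callee in ((a, b), (b, a)):
        for ifc in caller.interfaces.values():
            user = ifc.dial_out_user
            if user not in callee.accounts:
                problems.append(f"{callee.name}: no dial-in account {user} for {caller.name}")
            if user not in callee.interfaces:
                problems.append(f"{callee.name}: no demand-dial interface named {user}, "
                                f"so a call from {caller.name} is not matched to an interface")
            if callee.policy_group and user not in callee.policy_group:
                problems.append(f"{callee.name}: {user} is not in the remote access policy group")
    return problems


# The article's example: interface names and account names cross over.
CORP = Router("corporate office router",
              {"NewYorkRouter": DemandDialInterface("NewYorkRouter", "CorpHub")},
              accounts={"NewYorkRouter"}, policy_group={"NewYorkRouter"})
BRANCH = Router("New York branch router",
                {"CorpHub": DemandDialInterface("CorpHub", "NewYorkRouter")},
                accounts={"CorpHub"}, policy_group={"CorpHub"})
# Constructed misconfiguration: the branch interface was named after the site
# instead of after the account (CorpHub) that the corporate router dials out with.
BAD_BRANCH = Router("New York branch router (misnamed)",
                    {"Corporate": DemandDialInterface("Corporate", "NewYorkRouter")},
                    accounts={"CorpHub"}, policy_group={"CorpHub"})

if __name__ == "__main__":
    print(check_two_way(CORP, BRANCH))      # []
    print(check_two_way(CORP, BAD_BRANCH))  # one problem on the branch side
```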
Initiating the demand-dial connection
To connect the branch office router to the corporate office router, do one of the following:
From the branch office router
In Routing and Remote Access, right-click the demand-dial interface that connects to the corporate office (in this example, the CorpHub demand-dial interface), and then click Connect.
From the corporate office router
In Routing and Remote Access, right-click the demand-dial interface that connects to the branch office (in this example, the NewYorkRouter demand-dial interface), and then click Connect.
For information about troubleshooting demand-dial routing, see Troubleshooting demand-dial routing.