Set Up Remote Access Policies to Secure VPN Access

In the Windows & .NET Magazine article, "A Secure Wireless Network Is Possible," May 2004, InstantDoc ID 42273, I show you how to use a Windows Server 2003 computer and your existing Windows 2000 Server Active Directory (AD) domain to set up a secure remote access VPN for remote users. In this article, I show you how to achieve granular control over which accounts in AD can remotely access your LAN through your Windows 2003 VPN server and how they can gain such access.

In Windows 2003 and Win2K Server, you can define remote access policies, which let you use criteria such as group membership to control who can access your network through a remote system. For instance, you can easily create a remote access policy that gives all members of the SalesReps group remote access without requiring you to modify each user account. Remote access policies also let you control access to specific parts of the network, depending on user characteristics such as group membership, client OS type, and media access control (MAC) address. For example, if your Oracle consultant needs remote access to your Oracle server, you can create a remote access policy that lets the consultant connect to your VPN server but restricts his or her communications to only the Oracle server.

Prerequisites
To use remote access policies to control remote access to your LAN, you need at least one VPN server, which can be a Windows 2003 system, a Win2K Server system, or a Windows NT Server system that has RRAS installed. If you want to use Layer Two Tunneling Protocol (L2TP) as your VPN protocol, your VPN server must run Windows 2003 or Win2K Server; if you want to use L2TP over a Network Address Translation (NAT) boundary, your VPN server must run Windows 2003. . . .