Remote Access Policy Profile Settings

You specify additional constraints on the VPN connections associated with a remote access policy in the policy's profile. These settings limit how long VPN sessions can last, control whether and when to disconnect after a period of inactivity, limit the days and hours during which connections are allowed, limit which authentication methods are allowed, and identify how IP addresses are assigned to VPN clients. Here are the dial-in profile settings you can specify. (You don't need to specify any options on the Multilink tab because they aren't relevant to VPN connections.)

Dial-in Constraints Tab
You can specify the number of minutes that the VPN connection can remain idle before it's disconnected, the number of minutes that the client can be connected, and the days and times on which the remote user can connect to the network. The day/time setting is similar to the day and time restrictions condition that you can specify in a remote access policy; however, the dial-in day/time setting specifically denies access except during the specified periods. The remote access policy's day/time condition lets you apply different policies according to day and time. For instance, you could specify different IP filters for different days and times.

The tab includes two additional options: Allow access to this number only, which isn't applicable to VPN connections, and Allow access only through these media, which lets you limit connections through specific media such as dial-up, Fiber Distributed Data Interface (FDDI), and wireless. (VPN connections are media type Virtual.)

IP Tab
You can specify how Windows assigns the IP address to the VPN client (e.g., the server supplies an IP address from its own pool, the server obtains an IP address from a DHCP server, or the server allows the client to request a specific IP address) and define inbound and outbound IP filters that control which packets the connection can send and receive.

Authentication Tab
You can specify the authentication methods you want to allow for this connection. It's important that you require strong authentication methods for PPTP connections. Strong authentication is less important for Layer Two Tunneling Protocol (L2TP) connections because user authentication takes place after an encrypted tunnel is already established. For VPN connections, specify MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2).

Encryption Tab
You can specify any combination of encryption that you want for an L2TP or PPTP connection. The choices are:

  • Basic: Microsoft Point-to-Point Encryption (MPPE) 40-bit for PPTP or 56-bit Data Encryption Standard (DES) for L2TP
  • Strong: MPPE 56-bit for PPTP or 56-bit DES for L2TP
  • Strongest: MPPE 128-bit for PPTP or Triple DES (3DES) for L2TP
  • No encryption: not valid for L2TP

Advanced Tab
You can specify that the Internet Authentication Service (IAS) server send custom Remote Authentication Dial-In User Service (RADIUS) attribute-value pairs back to RADIUS clients (i.e., the VPN server).
