Remote Access Server


TCP/IP

To configure a TCP/IP-based remote access client with IPCP, the remote access server allocates an IP address and assigns the IP addresses of DNS and WINS servers.

IP Address Allocation

To allocate an IP address to a remote access client, the remote access server is either configured to use Dynamic Host Configuration Protocol (DHCP) to obtain IP addresses, or with a static IP address pool.

DHCP and Automatic Private IP Addressing

When the remote access server is configured to use DHCP to obtain IP addresses, the remote access server instructs its DHCP client component to obtain 10 IP addresses from a DHCP server. The remote access server uses the first IP address obtained from DHCP for the RAS server interface, and subsequent addresses are allocated to TCP/IP-based remote access clients as they connect. IP addresses freed when remote access clients disconnect are reused.

When all 10 IP addresses are used, the remote access server uses the DHCP client component to obtain 10 more. You can modify the number of IP addresses obtained at a time by changing the value of the InitialAddressPoolSize registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip

With the Windows NT 4.0 remote access server, the DHCP allocated addresses are recorded and reused when the remote access service is restarted. The Windows 2000 remote access server now releases all DHCP allocated IP addresses using DHCPRELEASE messages each time the service is stopped.

If the remote access server initially starts using DHCP-allocated addresses and the DHCP server becomes unavailable, then an IP address cannot be allocated to additional TCP/IP-based remote access clients.

If a DHCP server is not available when the Routing and Remote Access service is started, then the DHCP client returns 10 addresses in the range 169.254.0.1 to 169.254.255.254 to allocate to remote access clients. The address range 169.254.0.0/16 is used for Automatic Private IP Addressing (APIPA). APIPA addresses for point-to-LAN remote access connectivity work only if the network to which the remote access server computer is attached is also using APIPA addresses. If the local network is not using APIPA addresses, remote access clients are only able to obtain point-to-point remote access connectivity.

If a DHCP server does become available, the next time IP addresses are needed by the Routing and Remote Access service, DHCP-obtained addresses are then allocated to remote access clients that connect after the DHCP addresses were obtained.

The remote access server uses a specific LAN interface to obtain DHCP-allocated IP addresses for remote access clients. You can select which LAN interface to use from the IP tab on the properties of a remote access router in the Routing and Remote Access snap-in. By default, Allow RAS to select adapter is selected, which means that the Routing and Remote Access service randomly picks a LAN interface to use.

Static IP Address Pool

When a static IP address pool is configured, the remote access server uses the first IP address in the first address range for the RAS server interface, and subsequent addresses are allocated to TCP/IP-based remote access clients as they connect. IP addresses freed due to remote access clients disconnecting are reused.

If an address range in the static IP address pool is for off-subnet addresses, either enable an appropriate routing protocol on the remote access server or add the routes corresponding to the IP address ranges to the routers of your intranet. For more information, see "TCP/IP On-Subnet and Off-Subnet Addressing" earlier in this chapter.
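The allocation rules above (batches of InitialAddressPoolSize addresses, the first address reserved for the RAS server interface, freed addresses reused, a new batch requested only when the pool is empty, APIPA addresses when no DHCP server answers at service start, and no address at all for new clients when DHCP disappears later) are easier to check against a model than against prose. The following is an added example, not Microsoft code or anything from the Resource Kit: the DHCP server, the static pool ranges, the client names and the scope 10.0.0.0/24 are all constructed, and the choice of the first ten addresses of 169.254.0.0/16 for the APIPA fallback is an assumption made for determinism. The same class also serves the static pool case described in the section just above, where the first address of the first range becomes the server's.

```python
"""Model of how the Windows 2000 remote access server hands IP addresses to PPP
clients from a DHCP-backed pool or a static pool (constructed example, not
Microsoft code; names and scope values are assumptions)."""
import ipaddress
from typing import Optional

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
DEFAULT_POOL_SIZE = 10  # default value of the InitialAddressPoolSize registry entry


class FakeDhcpServer:
    """Stand-in for the LAN DHCP server: leases consecutive addresses from a scope.
    Set available=False to model the server becoming unreachable."""

    def __init__(self, scope: str = "10.0.0.0/24", first_host: int = 100):
        self._hosts = list(ipaddress.ip_network(scope).hosts())[first_host - 1:]
        self.available = True
        self.released = []        # addresses handed back with DHCPRELEASE
        self.batches_leased = 0

    def lease(self, count: int) -> Optional[list]:
        if not self.available or len(self._hosts) < count:
            return None
        batch, self._hosts = self._hosts[:count], self._hosts[count:]
        self.batches_leased += 1
        return batch

    def release(self, addrs: list) -> None:
        self.released.extend(addrs)
        self._hosts = list(addrs) + self._hosts


class StaticPool:
    """Static IP address pool: the configured ranges are all the server ever has,
    so the first lease call returns every address and later calls return None."""

    def __init__(self, ranges: list):  # [(first, last), ...] as entered in the snap-in
        self._hosts = [ipaddress.ip_address(i) for first, last in ranges
                       for i in range(int(ipaddress.ip_address(first)),
                                      int(ipaddress.ip_address(last)) + 1)]

    def lease(self, count: int) -> Optional[list]:
        batch, self._hosts = self._hosts, []
        return batch or None

    def release(self, addrs: list) -> None:
        pass  # nothing to release for a static pool


class RasAddressPool:
    """The remote access server's allocation behaviour as described in the text."""

    def __init__(self, source, pool_size: int = DEFAULT_POOL_SIZE):
        self.source, self.pool_size = source, pool_size
        self.server_address = None
        self.free: list = []       # obtained but not yet handed to a client
        self.assigned: dict = {}   # client name -> address

    def start(self) -> None:
        batch = self.source.lease(self.pool_size)
        if batch is None:
            # DHCP unreachable at service start: the DHCP client returns APIPA addresses
            # (modelled here as the first pool_size addresses of 169.254.0.0/16; assumption)
            batch = [APIPA_NET[i] for i in range(1, self.pool_size + 1)]
        self.server_address, self.free = batch[0], list(batch[1:])  # first address -> RAS server interface

    def connect(self, client: str) -> Optional[ipaddress.IPv4Address]:
        if not self.free:                      # pool used up: ask for pool_size more
            batch = self.source.lease(self.pool_size)
            if batch is None:
                return None                    # DHCP gone: additional clients get no address
            self.free.extend(batch)
        self.assigned[client] = addr = self.free.pop(0)
        return addr

    def disconnect(self, client: str) -> None:
        self.free.append(self.assigned.pop(client))   # freed addresses are reused

    def stop(self) -> None:
        # Windows 2000 behaviour: every DHCP-allocated address is released on service stop
        held = [self.server_address, *self.free, *self.assigned.values()]
        self.source.release([a for a in held if a not in APIPA_NET])
        self.server_address, self.free, self.assigned = None, [], {}


def demo() -> dict:
    """Walk through the scenarios in the text; returns what each step produced."""
    dhcp = FakeDhcpServer()
    ras = RasAddressPool(dhcp)
    ras.start()
    out = {"server": str(ras.server_address)}
    for n in range(1, 10):                                   # nine clients use up the first batch
        out[f"client{n}"] = str(ras.connect(f"client{n}"))
    ras.disconnect("client1")
    out["client10_reuses"] = str(ras.connect("client10"))    # freed address reused, no new lease
    out["client11_refill"] = str(ras.connect("client11"))    # pool empty -> second batch of 10
    dhcp.available = False                                   # DHCP server goes away
    for n in range(12, 21):
        ras.connect(f"client{n}")                            # remaining nine of batch two
    out["client21_no_dhcp"] = ras.connect("client21")        # None: nothing left and no DHCP
    out["batches"] = dhcp.batches_leased
    ras.stop()
    out["released_on_stop"] = len(dhcp.released)
    down = FakeDhcpServer()                                  # service started while DHCP is down
    down.available = False
    apipa = RasAddressPool(down)
    apipa.start()
    out["apipa_server"], out["apipa_client"] = str(apipa.server_address), str(apipa.connect("c"))
    static = RasAddressPool(StaticPool([("192.168.50.10", "192.168.50.20")]))
    static.start()                                           # first address of the first range is the server's
    out["static_server"], out["static_client"] = str(static.server_address), str(static.connect("c"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two operational consequences worth remembering: a server that started on DHCP stops admitting new clients as soon as the DHCP server is unreachable and the current batch is exhausted, and a server that started without DHCP hands out 169.254.x.x addresses that only give point-to-point connectivity unless the LAN itself uses APIPA.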

DNS and WINS Address Assignment

As part of the IPCP negotiation, the remote access server assigns the IP addresses of DNS and WINS servers. Exactly which set of DNS and WINS server IP addresses is assigned to the remote access client depends on the following factors:

Prohibiting DNS and WINS IP Address Assignment

If you do not want the remote access server to assign DNS and WINS IP addresses, set the values of SuppressDNSNameServers and SuppressWINSNameServers to 1 in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip

Configuring Global DNS and WINS IP Address Assignment

To globally configure DNS and WINS server IP addresses for remote access clients, enter the IP addresses in the values of DNSNameServers and WINSNameServer in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip

Multiple LAN Interfaces

If the DNS and WINS server IP address assignment is not prohibited or globally configured, then the remote access server allocates the DNS and WINS server IP addresses of a LAN interface on the remote access server to remote access clients. If there is only one LAN interface, which is the typical configuration of a dial-up remote access server, the remote access server allocates the DNS and WINS server IP addresses of the single LAN interface to remote access clients. If there is more than one LAN interface, the DNS and WINS server IP addresses of a specific LAN interface must be determined.

With multiple LAN interfaces, which is the typical configuration of a VPN remote access server, the remote access server by default picks one LAN interface randomly during startup and uses the DNS and WINS server IP addresses of the chosen LAN interface to allocate to remote access clients. To override this behavior, you can select the desired LAN interface through the IP tab on the properties of a remote access router in the Routing and Remote Access snap-in. By default, Allow RAS to select adapter is selected.

Static Configuration or DHCP

Once the LAN adapter for DNS and WINS server IP address assignment has been determined:

The way that the remote access server determines the set of DNS and WINS server IP addresses to assign to remote access clients during IPCP negotiation is illustrated in Figure 7.14.

Figure 7.14    DNS and WINS Server IP Address Determination

Overriding IPCP-Allocated DNS and WINS Server IP Addresses with DHCPInform

After IPCP is completed, Windows 2000 and Windows 98 remote access clients send their remote access servers a DHCPInform message. DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded.

The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent as discussed in the following section. The response to the DHCPInform message is forwarded back to the requesting remote access client.

If the DHCPInform response contains DNS and WINS server IP address options, then these new values override what was allocated during IPCP. When the remote access client is a Windows 2000 remote access client and the DHCPInform response contains a DNS domain name, the DNS domain name is used as the per-adapter DNS suffix for the remote access connection of the remote access client. For more information on per-adapter DNS suffixes, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide.

Remote Access Server and the DHCP Relay Agent

To facilitate the forwarding of DHCPInform messages between remote access clients and DHCP servers, the remote access server uses the DHCP Relay Agent, a component of the Windows 2000 remote access router. To configure the remote access server to use the DHCP Relay Agent, add the Internal interface to the DHCP Relay Agent IP routing protocol with the Routing and Remote Access snap-in.

If the remote access server is using DHCP to obtain IP addresses for remote access clients, then the remote access server uses the DHCP Relay Agent to forward DHCPInform messages to the DHCP server of the LAN interface selected on the IP tab of the properties of the remote access router in the Routing and Remote Access snap-in.

If the remote access server is using a static IP address pool to obtain IP addresses for remote access clients, then the DHCP Relay Agent must be configured with the IP address of at least one DHCP server. Otherwise, DHCPInform messages sent by remote access clients are silently discarded by the remote access server.
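The three decisions described in this chapter (which DNS and WINS addresses IPCP hands out, whether the server forwards the client's DHCPInform at all, and what the client does with the reply) fit together into one short model. The code below is an added example, not Microsoft code or anything from the Resource Kit: the LAN interfaces, server addresses, the `corp.example` domain and the DHCP server's reply are constructed, and the field names on `RasConfig` are this example's own stand-ins for the registry values and snap-in settings the text names (SuppressDNSNameServers, SuppressWINSNameServers, DNSNameServers, WINSNameServer, the IP tab adapter selection, and the DHCP Relay Agent configuration).

```python
"""Worked model of how a Windows 2000 remote access server decides which DNS and
WINS server addresses a PPP client ends up with: IPCP assignment first, then the
client's DHCPInform relayed through the DHCP Relay Agent (constructed example,
not Microsoft code)."""
import random
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class LanInterface:
    name: str
    dns: list    # DNS servers configured (statically or via DHCP) on this adapter
    wins: list   # WINS servers configured on this adapter


@dataclass
class RasConfig:
    # Stand-ins for the registry values under
    # HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip
    suppress_dns: bool = False                         # SuppressDNSNameServers = 1
    suppress_wins: bool = False                        # SuppressWINSNameServers = 1
    global_dns: list = field(default_factory=list)     # DNSNameServers
    global_wins: list = field(default_factory=list)    # WINSNameServer
    # Snap-in settings
    lan_interfaces: list = field(default_factory=list)
    selected_interface: Optional[str] = None           # None = "Allow RAS to select adapter"
    address_source: str = "dhcp"                       # "dhcp" or "static" (static IP address pool)
    relay_agent_on_internal: bool = False              # Internal interface added to the DHCP Relay Agent
    relay_dhcp_servers: list = field(default_factory=list)  # DHCP servers configured on the relay agent


def choose_lan_interface(cfg: RasConfig, chooser: Callable = random.choice) -> LanInterface:
    """One interface: use it. Several: the one picked on the IP tab, otherwise RAS picks one at random."""
    if len(cfg.lan_interfaces) == 1 or cfg.selected_interface is None:
        return chooser(cfg.lan_interfaces)
    return next(i for i in cfg.lan_interfaces if i.name == cfg.selected_interface)


def ipcp_name_servers(cfg: RasConfig, chooser: Callable = random.choice) -> tuple:
    """DNS and WINS lists handed out in IPCP, each decided independently:
    prohibited -> none; globally configured -> those; otherwise the chosen LAN adapter's."""
    lan = choose_lan_interface(cfg, chooser)
    dns = [] if cfg.suppress_dns else (cfg.global_dns or lan.dns)
    wins = [] if cfg.suppress_wins else (cfg.global_wins or lan.wins)
    return dns, wins


def relay_dhcpinform(cfg: RasConfig, dhcp_reply: dict) -> Optional[dict]:
    """What the server does with the client's DHCPInform. dhcp_reply is the constructed
    set of options the DHCP server would answer with; None means the client gets no reply."""
    if not cfg.relay_agent_on_internal:
        return None           # no relay agent on the Internal interface: message not forwarded
    if cfg.address_source == "static" and not cfg.relay_dhcp_servers:
        return None           # static pool and no DHCP server on the relay agent: silently discarded
    return dict(dhcp_reply)   # forwarded to the DHCP server; its reply is relayed back to the client


def negotiate(cfg: RasConfig, client_os: str, dhcp_reply: dict,
              chooser: Callable = random.choice) -> dict:
    """Full sequence for one client: IPCP assignment, then DHCPInform overrides."""
    dns, wins = ipcp_name_servers(cfg, chooser)
    reply = relay_dhcpinform(cfg, dhcp_reply)
    suffix = None
    if reply is not None:
        dns = reply.get("dns", dns)        # DHCP options override what IPCP allocated
        wins = reply.get("wins", wins)
        if client_os == "Windows 2000":    # only Windows 2000 clients apply the domain as per-adapter suffix
            suffix = reply.get("domain")
    return {"dns": dns, "wins": wins, "dns_suffix": suffix, "dhcpinform_answered": reply is not None}


# Constructed sample environment (not from the original document)
LAN1 = LanInterface("LAN1", dns=["10.0.0.10"], wins=["10.0.0.11"])
LAN2 = LanInterface("LAN2", dns=["10.0.1.10"], wins=["10.0.1.11"])
DHCP_REPLY = {"dns": ["10.0.0.53"], "wins": ["10.0.0.54"], "domain": "corp.example"}

# Typical dial-up server: one LAN adapter, DHCP-backed pool, relay agent on Internal
DIALUP_SERVER = RasConfig(lan_interfaces=[LAN1], relay_agent_on_internal=True)
# VPN server: DNS assignment prohibited, WINS set globally, static pool, relay agent
# present but with no DHCP server address configured on it
VPN_SERVER_STATIC = RasConfig(suppress_dns=True, global_wins=["10.0.9.11"],
                              lan_interfaces=[LAN1, LAN2], selected_interface="LAN2",
                              address_source="static", relay_agent_on_internal=True)

if __name__ == "__main__":
    print(negotiate(DIALUP_SERVER, "Windows 2000", DHCP_REPLY))
    print(negotiate(VPN_SERVER_STATIC, "Windows 2000", DHCP_REPLY))
```

The second configuration is the one that surprises people in practice: the client's DHCPInform is dropped without any error, so a Windows 2000 client on a static-pool server keeps whatever IPCP gave it and never receives a DNS suffix until a DHCP server address is added to the relay agent.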

© 1985-2000 Microsoft Corporation. All rights reserved.