Your SlideShare is downloading. ×
  • Like
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply




  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Cumbria Lancashire Education Online Remote Access Pilot Schools Technical Guide Commencing Autumn Term 2004
  • 2. Cumbria Lancashire Education Online Distributed AAA through RADIUS As previously describe users accessing resources and services are to be authenticated against their home institution using RADIUS. The structure of the distributed RADIUS service is relatively straight forward, each institution maintains a RADIUS service running on one or two of there servers, normally the domain controllers (DC). Running Microsoft Internet Authentication Service (IAS), which is included with the all versions of the Windows 2003 Server license (except web server). The additional load on the DC is minimal and the security risk is considered low. If your institution runs a MS ISA server, then install IAS on this server instead. There are other steps specific to institutions running ISA server, see appendix A - ISA Server. In the core CLEO maintains a number of RADIUS proxy servers; these determine which institution a user originates from forwards the authentication request accordingly. Authentication realms For the proxy servers to be able to forward requests appropriately users provide an authentication realm, this takes the following form: <username>@<authentication-realm> To ensure uniqueness in the naming of authentication realms we are going use: Lancashire Schools: Cumbria Schools: CLEO office, etc… This realm need not match your windows 2003 domain, how to translate from one to the other is explained in the configuring IAS section of this guide.
  • 3. Cumbria Lancashire Education Online Microsoft Internet Authentication Service Microsoft Internet Authentication Service (IAS) is the Microsoft RADIUS service and is freely available as part of the Windows 2003 Server License (except web server edition). Installing IAS 1. Control Panel, Add or Remove Programs, Add/Remove Windows Components. 2. In the Windows Components Wizard, highlight Network Services in Components list and click Details… 3. In the Networking Services dialog check Internet Authentication Service and click OK. 4. In the Windows Components Wizard, click Next and Finish. Configuring IAS To manage your IAS configuration we recommend that you add the IAS snap-in to your usual Microsoft Management Console (MMC) profile. The headings below match groups of settings under the IAS MMC snap-in. RADIUS Clients The three CLEO RADIUS proxies being used for the remote access pilot will need to be configured within IAS as RADIUS clients. Under the Internet Authentication Service (IAS) snap-in within your MMC, right click on the RADIUS Clients folder and select new Radius Client from the pop-up menu. In the New RADIUS Client dialog enter the following details: Friendly name: Client Address Client-Vendor Shared secret/ (IP or DNS) Confirm shared secret CLEO Radius Proxy RADIUS 0 Standard CLEO Radius Proxy RADIUS a complex password 1 Standard See note CLEO Radius Proxy RADIUS 2 Standard Note: This secret should be a complex password (see Microsoft’s guidance notes on complex passwords), once you have set it needs to be supplied to your LEA support team with the rest of the details of your RADIUS servers. Remote Access Logging These settings allow you to configure how, what and where the remote access logs are generated. 1. Unless you have a SQL server you already use for system logs, it is recommended that Local File is selected.
  • 4. Cumbria Lancashire Education Online 2. Right click on this setting and select Properties. On the Local File Properties dialog, settings tab, it is recommend that the following are selected Accounting requests and Authentication requests. The Periodic status one is not really required. 3. On the Log File tab use the Browse button to locate a useful directory in which to store the log files. Under Format select Database-compatible, and under Create a new log file: selected Daily. Remote Access Policies It is recommended that a several different policies are created to manage different classes of user; these are discussed later in this guide under Managing Different Profiles. For now we will create a policy for allowing technicians and system administrators to connect. Using the Active Directory users and Computers MMC snap-in create a Global group called ‘VPN Administrator Access Group’ and make any technicians and administrators that you want to have VPN access members of the group. 1. In the Internet Authentication Service MMC snap-in, left click on the Remote Access Policies folder and delete any default policies. Right click on the Remote Access Policies folder and select New Remote Access Policy. 2. Click Next, select Use the wizard to set up a typical policy for a common scenario, in the Policy name: box enter ‘Administrator Access’ and click Next. 3. Select VPN and click Next. 4. Select Group and click Add. In the Select Groups dialog type ‘VPN Administrator Access Group’ and click OK. 5. On the New Remote Access Policy Wizard, click Next. 6. On the Authentication Methods page check that Microsoft Encrypted Authentication version 2 (MS-CHAPv2) is selected and click Next. 7. On the Policy Encryption Level page ensure all three encryption options are selected and click Next. 8. Click Finish. Connection Request Policies Only one policy is normally necessary for this option, by default it is name Use Windows authentication for all users. Right click on the policy, and click properties. 1. Policy conditions these are rules that will apply to any connection, regardless of the specific Remote Access Policy they have already been authenticated against. a. Click Add and select ‘NAS-Port-Type’ from the list on then click Add from list on the left select ‘Virtual (VPN)’, click Add >>, and then OK. NB If you wish to impose time based restrictions to ensure resources are not being accessed during network backups or similar they should be applied here. 2. Now click Edit Profile, edit the settings:
  • 5. Cumbria Lancashire Education Online 3. Authentication tab, Authenticate requests on this server should be selected. 4. Accounting tab, Nothing to set 5. Attribute tab, In the drop down list named Attribute select User-Name. Click Add in the Find box type the @<school>.<LEA> assigned as the RADIUS realm and in the Replace With box type the Windows Active Directory domain name. e.g. and @office.cleo.local. 6. Advanced tab a. Click Add select ‘Class’ and then click Add, in the Add Attribute dialog that appears. b. In the Attribute Information dialog select String and enter ‘CLEO-VPN’ in box, then click OK. 7. Repeat the process for the Attribute ‘Framed-Pool’ again selecting String and specifying the Remote Access Network address for your site. Remote RADIUS Server Groups This set of options is used for proxying RADIUS requests to other servers for the remote access pilot this set of options should not be necessary.
  • 6. Cumbria Lancashire Education Online Network/Server Firewall If you have IP based Network or server security in place (typically a firewall or IPSEC) then you will probably need to consider changing the trusted IP ranges to include your newly assigned Remote Access Network. This is the range of IPs assigned to remote access client that have successfully authenticated against your institution. The CLEO boundary routers ACLs are configured with a trust rule for that institution’s remote access network and for the CLEO RADIUS proxies to pass request to your institutions RADIUS (IAS) server(s). All CLEO RADIUS servers are within IP subnet of, for the remote access service pilot, the servers will be, and Any access control lists (ACLs) for the servers running ACL will need to be configured to allow UDP packets to ports 1812 and 1813 from the above IP addresses. allow UDP 1823,1813 inbound & outbound For remote access clients to be able to access services and resources on your network you will need to configure your network and server firewalls to trust the remote access network IP address range provide for you site. The level of a trust you give to this subnet is entirely up your institution but it is worth bearing in mind that restricting access to certain service such as local DNS, Kerberos, LDAP, WINS, etc... may create problems for clients connecting remotely.
  • 7. Cumbria Lancashire Education Online Ancillary Network Services For a remote user to be able find resources on the institution’s internal network a services need to be set-up and configured within the remote access profile (see Connection Manager Administration Kit later in this guide). These are as detailed below. DNS Required for domain log and locating essential local resource WINS Required to support NetBIOS Recommend for all applications institutions where NetBIOS of TCP/IP has not been disabled DNS In Windows network services are now heavily reliant on DNS, Active Directory (AD) in particular is entirely dependant on it for correct operation. So any client (local or remote) on your network needs to refer to your institutions local DNS servers. WINS In a LAN NetBIOS names can be resolve using a number of methods including broadcast, local host file and Windows Internet Name Service (WINS). However within a routed network the only option for NetBIOS name resolution is WINS. Installing WINS 1. Using the Manage Your Server tool, click Add or remove a role. 2. On the Preliminary Steps page, select WINS server, and then click Next. 3. On the Server Role page, select WINS server, and then click Next. 4. On the Summary of Selections page, click Next. 5. If prompted for the Windows Server 2003 CD, insert it. 6. On the This Server is Now a WINS Server page, click Finish. Managing WINS Start your MMC and the WINS snap-in, this allows you to monitor both the service and also the registrations.
  • 8. Cumbria Lancashire Education Online Monitoring usage & performance An important part of the pilot is to evaluate the level of use, periods of high demand, how the service is used, etc… This will hopefully provided meaning full data to evaluate the likely impact of providing this sort of service across CLEO. Use of the service will be monitored for security and performance purposes. All statistical information developed from monitoring will not identify individuals and will be made available to the pilot group via the pilot’s web site. The level of monitoring will be as follows: Recorded Purpose Stats Successful authentications Determine usage  Unsuccessful authentications Aid support groups, security  Client information (OS, etc…) Aid support groups  Duration, start, end of Determine usage  connection Key:  recorded not recorded User groups Careful consideration should be made of which users are provided with at a given stage in the pilot. For ease of support both within individual institutions and within the pilot as a whole it is recommended that access is provided in a stage fashion. This sort of rollout should allow any issues to be resolved with end users, who are have the motivation and experience to work through them with those providing technical support. A typical rollout might be as follows: a. School ICT Technicians and Network/System Administrators b. ICT Coordinators, IT motivated and experienced users c. Staff issued with machines maintained/managed by school d. Other staff, possibly using their own equipment NB Please consider this to be a recommendation not an instruction. Managing different profiles It is suggested that a separate remote access policy is used for different user groups, typically these might be: Technicians/Administrators For network/system administrative purpose, access anytime. Teacher Staff Access out of hours but not during system downtime. Students/Pupils (out of Access out of hours but not during system hours) downtime but not during vacations.
  • 9. Cumbria Lancashire Education Online Students/Pupils (any time) As above but also with access during school hours. These are examples of logical remote access groups and it is recommended that a global user group is created to represent each group and a remote access policy is created associated with this group (see earlier example). However for the pilot remote access is NOT to be made available to students/pupils, this restriction is for support, security and capacity reasons.
  • 10. Cumbria Lancashire Education Online Preparing a client PC Having prepared the servers within your institution to support remote access then the remote client PC need also to be prepared. Recommended PC/OS Specs It is recommended for this pilot project that PC should be broadband connected and be running Windows 98, 2000 or XP. To protect your institutions network and that of CLEO any PC being used for remote access must have comply with the following: Client Configurations These requirements will be defined within the CLEO Remote Access Acceptable Use Policy which is to be developed along side this pilot. How to in force such requirements when the PC in question is not on the premises of an institution is an added complication. As part of the pilot, methods for quarantining and inspecting remote PCs are to be examined, these are assist institution in enforcing these requirements. Quarantine and inspecting methods work by heavily restricting the access a remote PC has to the institutions network will a program or script is run that verifies that a predetermined set of conditions have been meet. If the remote PC passes this inspection then full access to an institutions network is given. However it fails the inspection then a browser is launched providing information on why it failed the inspection and recommended actions to take. The VPN connection is then dropped. Unfortunately quarantine solutions for RAS/VPNs are very currently very proprietary, often developed for specific client operating systems and VPN servers. Operating system updates Its operating system being patched and updated (Windows Update and Windows Software Update Service), to ensure it is protected against known exploits and ensure the most stable platform possible. See Windows Software Update Service guide. Anti-virus (installed and updated) Both LEAs have licensing deals with Sophos that allow teachers and support staff to install Sophos Anti-virus on the home PC at no additional cost. An install package configured to automatically update from outside of the CLEO network will be made available. See the Installing Sophos Anti-virus on a standalone PC guide. Personal Firewall (installed and active) It is recommend that all PC connecting to the internet through and ISP have a personal firewall installed. For Windows XP users this can be easily be achieved by apply Service Pack 2 and configuring the Windows Firewall. However the Windows Firewall is quite basic, it only inspects inbound packets and determines whether they are solicited or unsolicited. Solicited packets are allowed through, unsolicited are dropped. This is fine for protecting a system that is clean but if a Trojan or virus has already established itself on the system then it will still allow
  • 11. Cumbria Lancashire Education Online the virus to broadcast itself. There are many other firewall solutions available, with much more sophisticated features. Often these are available from Anti-virus vendors such as Symantec.
  • 12. Cumbria Lancashire Education Online Connection Manager Administration Kit The connection manager administration kit (CMAK) allows you to create a self installing VPN connection profile, which will add itself to target PC’s network connections (or equivalent) list. It is limited to Microsoft operating systems but does allow you to pre-configure most aspects of the connection and its behavior including reconfiguration of web caches within internet explorer (IE) and updating the routing table. Installing CMAK 1. Control Panel, Add or Remove Programs, click Add/Remove Windows Components. 2. In the Windows Components Wizard select Management and Monitoring Tools and click Details… 3. In the Management and Monitoring Tools dialog select Connection Manager Administration Kit, click OK. 4. In the Windows Components Wizard click Next and then Finish. Running CMAK These instructions provide a very basic connection profile, below is how to customize the connection further. 1. Control Panel, Administrative Tools, click Connection Manager Administration Kit, click Next. 2. Select New profile, click Next. 3. Type ‘Remote Access for <school name>’ in the Service name box. 4. type ‘<school name>’ in the file box. 5. On the Realm Name page, select Add a realm name to the user name, select Suffix (for example, and in the Realm Name (include separator character); box type ‘@<authentication realm>. e.g. ‘’. 6. On the Merge Profile Information page, click Next. 7. On the VPN Support page, select Phone book from this profile, select Always use the same VPN server, type the <Remote Access Server FQDN> in the VPN Server name or IP Address box and click Next. 8. On the VPN Entries page, click Next. 9. On the Phone Book page, deselect the Automatically download phone book updates and click Next. 10.On the Dial-up Networking Entries page, click Next. 11.On the Routing Table Update page, Next. 12.On the Automatic Proxy Configuration page, provide the click Next. 13.On the Logon Bitmap page, click Next. 14.On the Phone Book Bitmap page, click Next. 15.On the Icons page, click Next. 16.On the Notification Area Shortcut Menu page, click Next. 17.On the Help File page, click Next. 18.On the Support Information page, enter your support contact details, click Next. 19.On the Connection Manager Software page, click Next.
  • 13. Cumbria Lancashire Education Online 20.On the License Agreement page, browse to your institution’s remote access policy, where your institution has yet to develop their please use the CLEO remote access policy, click Next. 21.On the Additional Files page, click Next. 22.On the Ready to Build the Service Profile page, click Next. 23.Make a note of where the service profile has been stored and then click Finish. To make changes to your profile re-run CMAK but instead of selecting New profile, select Existing profile and click Next. Dial-up Networking Entries page 1. In the Dial-up networking entries: list on this page will be listed the Service name you specified in step 3. Highlight this and click Edit. 2. On the General tab, check the Enable clients to log on to a network option and where required use the Browse button to locate a logon script. 3. On the TCP/IP Setting tab, select All clients use these addresses: and proved the details of your servers (at least one DNS and one WINS server must be provided). 4. Uncheck the Make this connection the client’s default gateway. 5. Click OK Routing Table Update page On this page you can add a URL to a file on your web server, containing any routing table updates. This allows you to specify that only traffic relating to CLEO services and/or services maintained by your institution are directed through the VPN connection. In this way access to the remote users ISP service (email, etc…) are not effect when they have a remote access session open. By default all traffic is directed through the VPN connection. Example: ADD MASK default METRIC default IF default ADD MASK default METRIC default IF default The above would set a route that directs all CLEO private traffic and Cumbria web cache traffic to use the VPN connection and the default gateway will still point to the gateway defined by the end user’s ISP. Thus only CLEO traffic is directed down the VPN tunnel all other traffic will take the usual route out via the ISP. Automatic Proxy Configuration page On this page a can add a URL to a file on your web server, containing any web proxy configuration changes. This should be used in combination with the routing table updates and Dial-up Networking Entries as described above. Example: [Manual Proxy] ProxyEnable=1
  • 14. Cumbria Lancashire Education Online ProxyOverride=10.,<local> License Agreement page This allows a license agreement to be displayed to the end user as part of the installation process (which they must agreed to) so the connection can be installed. For the remote access service this should be either the institutions remote access acceptable use policy or the CLEO schools remote access acceptable use policy. This is statically included within the installer but should include a reference to where the latest version may be found (i.e. a URL).