Configure and Troubleshoot Remote Access (part 1) - Remote Client Access Connections

3/18/2011 9:44:41 PM
Accessing networks remotely involves overcoming several problems when you manage the remote clients. IT administrators usually list these problems as
  • Bandwidth of the connection

  • Types of connections

  • Authentication security

  • Data security

  • Administering the remote clients’ connection properties

There are others, of course, but the problems in the preceding list are the main issues of concern for the exam.

Remote Client Access Connections

In discussing remote access connections, the following sections cover both bandwidth and types of connections. Windows Vista–supported remote access connections can be broken down into four general categories of connections:

  • Dial-up

  • Wireless

  • Broadband (PPPoE)

  • Virtual Private Network (VPN)

These categories also appear, in one form or another, in the many wizards available for creating remote access connections. One type of remote access connection not listed here but slowly gaining ground is wireless broadband. At this time Windows Vista does not support wireless broadband connections out of the box; third-party software is needed to add that support. Serial Line Internet Protocol (SLIP) has been dropped. The following sections discuss the connection types that Windows Vista supports natively.

Dial-up

The dial-up connection type has seen better days. Dial-up over an analog modem connection has seen a small bump in performance over the past few years with the introduction of the V.92 protocol. This was just an upgrade to the V.90 protocol, and support for it is included in Windows Vista.

There is not much else here to worry about because it appears that even Microsoft is leaving this service behind as far as the exams are concerned.

Windows Vista supports dial-up as most previous Windows operating systems have. Support for Point-to-Point Protocol (PPP) over dial-up and the usual list of Microsoft authentication and encryption services is included, with one notable exception: MS-CHAPv1. This service has been dropped from Windows Vista. The other security protocols supported by Windows Vista for dial-up are

  • MS-CHAPv2

  • Microsoft Point-to-Point Encryption (MPPE)

  • Various Extensible Authentication Protocol (EAP) methods

These services and protocols are discussed later. Bandwidth Allocation Protocol (BAP), which measures the bandwidth utilized on a PPP connection and uses a threshold to determine if another dial-up link should be connected to increase the overall throughput of the connection, has also been dropped.

Integrated Services Digital Network (ISDN) connections for dial-up are still supported in Windows Vista.

Wireless

The earlier discussion of wireless connections covered just about every topic you need for this connection type. Wireless connections for remote access use a wireless local area network connection and then extend that connection through some type of broadband router to reach the Internet. Because wireless connections were covered previously, the issues relating to remote access over them are the same. The only difference is the added overhead of a VPN connection being initiated through a wireless connection. VPNs are discussed shortly.

Broadband (PPPoE)

Windows Vista now supports Point-to-Point Protocol over Ethernet (PPPoE) connections with supported network adapters. You can also use IPv6 over PPPoE connections.

Broadband connections using PPPoE are typically used over established Asynchronous Transfer Mode (ATM) circuit connections with a service provider using Digital Subscriber Line (DSL) services, although cable is also supported. A Windows Vista client can authenticate the PPPoE connection using an ordinary Ethernet adapter connected to a DSL modem. The DSL modem initially creates the ATM virtual circuit.

Virtual Private Network (VPN)

Windows Vista clients support the use of Virtual Private Network (VPN) connections using Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec).

PPTP is still supported and should be used only when the environment includes a mix of legacy operating system clients. If all the desktop operating systems are Windows 2000, Windows XP, or Windows Vista, the most secure tunneling protocol to choose is L2TP/IPSec. You can mix and match tunneling protocols to suit the operating system of each remote access client, but exam questions often assume that a single protocol is used as the standard.

In addition, Microsoft has created an L2TP/IPSec VPN client for Windows 98, Windows Millennium Edition, and Windows NT 4.0. This VPN client must be downloaded and installed separately because it is not included in those base operating systems.

The following sections review what these protocols entail as far as setup and security settings.

Point-to-Point Tunneling Protocol (PPTP)

PPTP is an old Microsoft favorite, and Microsoft clients are its most prolific users. PPTP places an encrypted PPP payload inside a Generic Routing Encapsulation (GRE) tunnel. The GRE tunnel is basically an IP-in-IP packet tunnel using IP protocol 47. PPTP also requires a control channel carried over a separate TCP session: the PPTP control session is maintained on TCP port 1723 to manage the PPTP process. (See Table 1 for protocol and port number details.) This extra TCP session causes many of the issues with firewalls. Windows Vista now includes support for PPTP over IPv6 (PPTPv6).

Table 1. Protocols and Port Numbers Used by L2TP and PPTP

VPN Protocol   Protocol/Port Number   Protocol/Port Use
PPTP           TCP port 1723          PPTP tunnel maintenance traffic
PPTP           IP protocol 47         PPTP tunnel data
L2TP           UDP port 1701          L2TP tunnel maintenance
IPSec          UDP port 500           Used by Internet Key Exchange (IKE) to negotiate securing the tunnel, key exchange, and encryption keys
IPSec          UDP port 4500          Passage through NAT / NAT Traversal (NAT-T)
IPSec          IP protocol 50         IPSec ESP traffic
IPSec          IP protocol 51         IPSec AH traffic

Some advantages to using PPTP over L2TP are as follows:

  • PPTP does not require a certificate infrastructure.

  • PPTP does not require any modification when used with NAT through a firewall.

  • If stronger authentication is desired, you can use Extensible Authentication Protocol (EAP) to further secure the authentication process.

Windows Vista clients use the following authentication and encryption protocols to secure PPTP sessions.

  • Password Authentication Protocol (PAP)— PAP is an authentication method that provides no encryption of the authentication session. You should not choose this protocol unless another service provides a separate layer of protection over the session.

  • Challenge Authentication Protocol (CHAP)— CHAP is a standardized authentication protocol. If Windows Vista clients use this protocol, they cannot use Microsoft Point-to-Point Encryption (MPPE) for encryption. You should choose CHAP only if there are mixed clients that are non-Windows clients. Windows Vista clients support CHAP if the endpoint supports neither of the two authentication protocols that follow.

  • MS-CHAPv2— This is an enhanced authentication protocol of the older and now-unsupported protocol MS-CHAP. MS-CHAPv2 provides for a secure authentication session between the tunnel origin (a Windows Vista client in this case) and the tunnel endpoint.

  • Extensible Authentication Protocol (EAP)— EAP provides additional protection of the authentication session by allowing the use of certificates and smart cards, as well as other devices and methods, for added security. If used with PPTP, EAP requires a certificate infrastructure.

  • Microsoft Point-to-Point Encryption (MPPE)— MPPE is Microsoft’s default encryption service on PPTP connections and uses up to 128-bit encryption. MPPE provides a relatively secure data connection. You can adjust settings to ensure that the highest level of encryption is negotiated with the remote access server.

Layer 2 Tunneling Protocol (L2TP) with IPSec

L2TP is the preferred secure tunneling protocol native to Windows Vista. L2TP in itself provides only the tunnel service. IPSec is required to provide the encryption of the data. Microsoft recommends that L2TP be implemented with the use of a certificate infrastructure. A certificate is recommended to authenticate the client and the server creating the tunnel, although a preshared key option is available for this step of the authentication process.

L2TP tunnels PPP packets inside a UDP datagram using UDP port 1701 for source and destination. The tunneled PPP packet is encrypted with IPSec. IPSec comes in two flavors: Authentication Header (AH) or Encapsulating Security Payload (ESP). In addition to many of the previously discussed authentication protocols from the PPTP section, the following security protocols are added by the use of L2TP with IPSec:

  • IPSec AH— IPSec AH provides only authentication of the data payload and of portions of the original IP header. It does not encrypt or otherwise conceal the data itself. IPSec AH uses IP protocol 51. Microsoft’s L2TP/IPSec implementation does not use IPSec AH.

  • IPSec ESP— IPSec ESP provides both authentication and encryption of the data payload. IPSec ESP uses the highest level of encryption available to Microsoft clients. Microsoft’s TechNet states that if the endpoint is Windows Server 2008, the IPSec encryption algorithm that can be chosen is the Advanced Encryption Standard (AES). AES is not included in the released versions of previous Windows Server operating systems, so DES or 3DES is used for those connections. IPSec ESP uses IP protocol 50 and is the protocol chosen by Microsoft’s L2TP/IPSec implementation.

L2TP/IPSec VPNs support IPv4 and IPv6 VPN connections.

Table 1 shows details on the protocol numbers and ports used for L2TP VPNs.
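As an added troubleshooting example (not from the original article), the following Python correlates constructed firewall-log flows against the protocol and port roles in Table 1 to tell whether a client is using PPTP or L2TP/IPSec and which companion traffic never got through, such as the GRE data stream a firewall often drops while still allowing the TCP 1723 control session, or ESP that is absent because NAT-T moved it inside UDP 4500. The log field names, addresses, and the ROLES and REQUIREMENTS tables are assumptions of this example.

```python
from collections import defaultdict
# (ip protocol, destination port) -> role, taken from Table 1; port is None
# for protocols that carry no port (GRE, ESP, AH).
ROLES = {("tcp", 1723): "pptp-control", ("gre", None): "pptp-data",
         ("udp", 1701): "l2tp", ("udp", 500): "ike", ("udp", 4500): "nat-t",
         ("esp", None): "esp", ("ah", None): "ah"}

# Companion traffic a working session must show. ESP may instead travel
# inside UDP 4500 once NAT-T is negotiated, so either role satisfies it.
REQUIREMENTS = {"PPTP": [("pptp-control",), ("pptp-data",)],
                "L2TP/IPSec": [("ike",), ("esp", "nat-t")]}

def parse_line(line):
    """Parse one constructed 'key=value' firewall log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify_flows(lines):
    """Map each (client, server) pair to the VPN roles the firewall allowed."""
    seen = defaultdict(set)
    for rec in map(parse_line, lines):
        proto = rec["proto"].lower()
        port = int(rec["dport"]) if proto in ("tcp", "udp") else None
        role = ROLES.get((proto, port))
        if role and rec.get("action") == "allow":  # denied flows never arrive
            seen[(rec["src"], rec["dst"])].add(role)
    return seen

def diagnose(roles):
    """Return (tunnel type, required roles never seen) for one pair."""
    if roles & {"pptp-control", "pptp-data"}:
        kind = "PPTP"
    elif roles & {"ike", "nat-t", "esp", "l2tp"}:
        kind = "L2TP/IPSec"
    else:
        return None, []
    missing = ["/".join(alts) for alts in REQUIREMENTS[kind]
               if not roles.intersection(alts)]
    return kind, missing

def report(lines):
    """Diagnose every client/server pair found in the log."""
    return {pair: diagnose(r) for pair, r in classify_flows(lines).items()}
# Constructed sample: a PPTP client whose GRE is blocked, and a healthy
# L2TP/IPSec client behind NAT (IKE on 500, then ESP inside UDP 4500).
SAMPLE_LOG = [
    "src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=1723 action=allow",
    "src=10.0.0.5 dst=203.0.113.10 proto=gre action=deny",
    "src=10.0.0.9 dst=203.0.113.10 proto=udp dport=500 action=allow",
    "src=10.0.0.9 dst=203.0.113.10 proto=udp dport=4500 action=allow",
]
```

Running report(SAMPLE_LOG) flags the first client as PPTP with pptp-data missing, the classic symptom of a firewall passing TCP 1723 but dropping IP protocol 47, and the second as a complete L2TP/IPSec session.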
