Guidelines for Designing Secure Demand-Dial Routing

Demand-dial routing provides a secure method of transferring data between two networks. Authentication, authorization, accounting, and encryption choices are the same as those for remote access VPNs. There are, however, some configuration choices specific to the demand-dial interface. Follow these guidelines to design a secure demand-dial routing infrastructure:

Do not make the VPN router computer a DHCP client on either the internal or external interface.
Where possible, dedicate the VPN router to demand-dial connections rather than allowing remote access connections. By default, both types of connections are allowed. You can prevent remote access connections by clearing the Remote Access Server check box on the General tab of the VPN Servers Properties dialog box.

If multiple connections with remote sites are required, use a separate remote access network interface (which can be done via a configuration choice in the remote access server console) and user account for each demand-dial connection required. This helps you monitor connections, and it means fewer people know the password for an individual demand-dial user account. If you need to remove access for a specific location, you can do so by simply removing that site’s interface. Because no one at that site knows the password for any other interface, nobody can reconnect without your intervention.
To manage multiple demand-dial interface user accounts, create a Windows group for these accounts and use remote access policies to manage the connections.

When you set up each VPN server, use the interface name and the user account name as listed in the table. Notice that the demand-dial interface name matches the user account on the opposite VPN server. In this example, VPN1 will have a user account in its account database named DD_Wingtip. If VPN1 initiates the call, it will use this account for PPP authentication.
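The naming and account guidelines above can be checked mechanically. The following Python audit is an added example, not part of the original page or of any Microsoft tooling; the inventory is constructed, and VPN2, DD_Branch, DD_Extra, DD_Old and the dictionary layout are assumptions (only VPN1 and DD_Wingtip come from the text).

```python
# Constructed inventory (not real export data). VPN1 and DD_Wingtip come from
# the text; VPN2, the other DD_* names and this layout are assumptions.
INVENTORY = {
    "VPN1": {
        "dhcp_client": False,
        "remote_access_server": False,
        "interfaces": {"DD_Branch": "VPN2"},   # interface name -> peer router
        "accounts": {"DD_Wingtip"},            # local demand-dial user accounts
        "group": {"DD_Wingtip"},               # members of the managed Windows group
    },
    "VPN2": {
        "dhcp_client": False,
        "remote_access_server": True,          # still at the default
        "interfaces": {"DD_Wingtip": "VPN1", "DD_Extra": "VPN1"},
        "accounts": {"DD_Branch", "DD_Old"},
        "group": set(),
    },
}

def audit(inventory):
    """Return sorted (router, finding) tuples for guideline violations."""
    findings = []
    for name, r in inventory.items():
        if r["dhcp_client"]:
            findings.append((name, "router is a DHCP client"))
        if r["remote_access_server"]:
            findings.append((name, "remote access connections still allowed"))
        # Each interface name must match a user account on the opposite router.
        for iface, peer in r["interfaces"].items():
            if iface not in inventory.get(peer, {}).get("accounts", set()):
                findings.append((name, f"interface {iface}: no matching account on {peer}"))
        # Accounts expected here: names of peer interfaces that point at this router.
        expected = {i for p in inventory.values()
                    for i, target in p["interfaces"].items() if target == name}
        for acct in sorted(r["accounts"] - expected):
            findings.append((name, f"account {acct}: no peer interface uses it"))
        # Every demand-dial account should be covered by the group's policy.
        for acct in sorted(r["accounts"] - r["group"]):
            findings.append((name, f"account {acct}: not in managed group"))
    return sorted(findings)

if __name__ == "__main__":
    for router, finding in audit(INVENTORY):
        print(f"{router}: {finding}")
```

An account flagged as having no peer interface is the kind left behind when a site's interface is removed, so it is a candidate for deletion.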
