Connection Manager Overview

Started by ganeshbala, Apr 19, 2008, 11:22 AM

Previous topic - Next topic

ganeshbala

 If you want to configure clients to connect to a RRAS server, you can use the Connection Manager to do this. Using the network connection properties to configure clients to connect to a RRAS server works well in situations where you need to configure a small number of clients, and when the default security settings are being utilized.

Connection Manager is a Windows application and client dialer included in Windows 2000, Windows XP Professional, and Windows Server 2003 that you can use to allow a client to establish virtual private network (VPN) connections and dial-up connections to a RRAS server. The advanced features of Connection Manager enable you to pass preconfigured connections to network users. These advanced features are evident in the Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS). Both local connections and remote connections to the service provider through a network of access points are supported by Connection Manager. As mentioned, for secure connections over the Internet, VPN connections can be established using Connection Manager.

With the Connection Manager Administration Kit (CMAK), you can perform the following functions:

    * Configure a large numbers of clients by creating an executable file which can be deployed to your users by means of a distribution package.
    * Manage dial-up and VPN Connection Manager service profiles.
    * Customize Connection Manager to suit the requirements of your organization.
    * Configure system policies for connections.
    * Configure restrictions for connections.
    * Configure executable files that run automatically when a user attempts to establish a connection.
    * Import existing connection settings so that they can be modified, and then distribute these modifications.

When users run the distribution package, or executable file, a dial-up connection or VPN connection using the required authentication methods and security settings is established. It is even possible to automatically distribute the executable file by using a Group Policy object. Any modifies to security settings can be done at a later stage by running the Connection Manager Administration Kit (CMAK) once more, and then simply distributing the executable file for users to run.

The main advantages and features of Connection Manager are listed here:

    * Users can run more than one Connection Manager service profile at the same time.
    * Connection Manager can also be used when users share computers. A user does not need to provide user credentials for each connection.
    * You can customize the following components within Connection Manager so that it reflects the identity of the organization:
          o Icons and graphics
          o Help
          o Phone book information
          o Messages
    * Users can run more than one Connection Manager service profile at the same time.
    * The Connection Manager Administration Kit (CMAK) Wizard can be used to automatically create a service profile so that users can run Connection Manager to establish VPN and dial-up connections. The service profile takes the form of an executable file which can be distributed using either of the following methods:
          o Download to the client.
          o Distributed via compact disc.
    * You can include custom functionality or programs that execute during the connections process. For instance, you can run a program when the user logs on, and when the user logs off.
    * You can configure monitored applications to automatically disconnect once the application is closed.
    * Connection logging, terminal window support and enhanced ISDN support are a few additional features of Connection Manager.
    * Access points can be used to save commonly utilized connection settings. Connection Manager includes help for Access Points and Dialing Rules.

Planning for Creating New Connection Manager Service Profiles

The Connection Manager Administration Kit (CMAK) Wizard consists of a number of steps or pages that need to be completed to create a new Connection Manager service profile. You therefore need to plan upfront which items are going to be specified when you run the CMAK Wizard.

The online CMAK Guide specifies six phases for creating a new Connection Manager service profile. This process is detailed here:

    * Planning phase: Typical issues that should be determined in the planning phase are:
          o Determine the connection which should be established.
          o Determine which customizations you want – graphics, Phone book information, and so forth.
          o Determine which programs should be applied at the connection establishment process.
    * Developing custom elements phase: This is when you should create all custom graphics, icons, and all other elements which you want to include for the new Connection Manager service profile.
    * Running the CMAK Wizard phase: The Connection Manager Administration Kit (CMAK) Wizard is initiated and run to create the new Connection Manager service profile for the connection.
    * Preparing for delivery phase: The new Connection Manager service profile can be distributed via CDROM, floppy disk, Web site, or a network share. It can also be downloaded to the client.
    * Testing phase: It is important to test all new packages before users are allowed to download these packages.
    * Providing support phase: It is recommended that you define a support strategy once the new Connection Manager service profile is distributed to users.

Addressing Connection Manager Security Concerns

Because the Connection Manager Administration Kit (CMAK) Wizard enables Administrators to configure connection properties for creating connections to the network, a few a security loopholes can be accidentally created as well.

A few common Connection Manager security concerns are listed here:

    * There is the risk of an unauthorized user establishing a connection and using it. This can basically occur when a computer can be accessed by multiple users.
    * For users to run the existing installation of CMAK, they have to belong to the Power Users group. The service profiles created by the CMAK Wizard are text files. Because of this, a user that has access to the text files can simply use a text editor to change the text files created by the CMAK Wizard.
    * When a Connection Manager service profile includes confidential information, there is a threat that an unauthorized user can intercept this information and exploit it.

A few strategies that can be used to address Connection Manager security concerns are listed below:

    * You can require that users utilize the more current Windows operating systems that support the user certificates feature of Connection Manager.
    * Ensure that only those users who are authorized can download and obtain the Connection Manager service profile.
    * For a computer that is utilized by more than one user, ensure that users cannot utilize the Remember Password feature to store the password for the connection. To disable the Remember Password feature, configure the HideRememberPassword option. The HideRememberPassword option can be accessed in the last page of the CMAK Wizard by clicking Edit Advanced Options.

Using the Connection Manager Administration Kit (CMAK) Wizard

The Connection Manager Administration Kit (CMAK) is implemented through the CMAK Wizard. The CMAK Wizard is used to create an executable file which can be distributed to users so that they can establish virtual private network (VPN) connections and dial-up connections to a RRAS server. When a user runs the executable file, the security settings and other settings specified when the CMAK Wizard was run is used to establish the connection.

The information that you need to supply when you run the CMAK Wizard is summarized here:

    * Service Profile Source; indicate either of the following actions:
          o Create a new Connection Manager service profile
          o Modify an existing Connection Manager service profile
    * Service And File Names; provide the following details:
          o A name for the service profile.
          o A file name for the profile folder and files.
    * Realm Name; if required, provide a realm name. With Microsoft Internet Authentication Service Commercial Edition, realm names can be utilized for authentication.
    * Merging Profile Information; you can merge the settings of an existing service profile(s) into the new Connection Manager service profile which you are creating, or in the service profile which you are editing.
    * VPN Support; enables you to specify a VPN connection for the service profile which you are configuring. For client IP address assignment, the following methods exist:
          o Define a DNS server.
          o Define a WINS server.
          o Define that the server assigns IP addresses when the connection is established.
    * Phone Book; set whether a phone book is to be created with the service profile being created or edited.
    * Phone Book Updates; define the method which will be used to pass phone book updates to clients. You can specify a Connection Point Services server by means of a URL. The Windows Server 2003 Connection Point Services (CPS) feature can be used to create and update phone books.
    * Dial-Up Networking Entries; define the dial-up networking entries for the phone numbers in the address book.
    * Routing Table Update; to update the Routing Table. A file containing routing table information is then included.
    * Automatic Proxy Information; enables you to specify options which will be used to configure proxy settings.
    * Custom Actions; define actions to occur at the following events:
          o Prior to the connection being established.
          o Once the connection is established.
          o Before the connection is terminated.
    * Logon Bitmap; set the bitmap that should appear in the Logon dialog box.
    * Phone Book Bitmap; set the bitmap that should appear in the Phone Book dialog box.
    * Icons; set the icons which should be displayed for Connection Manager on your clients.
    * Notification Area Shortcut Menu; define the shortcut menu which is displayed when the status area icon is right-clicked by users.
    * Help file; define the Help file for users by:
          o Creating a custom Help file.
          o Using the default Help file.
    * Support Information; define the support information for the service profile being created or edited.
    * Connection Manager Software; for users to utilize the service profile they must have Connection Manager installed. For users that do not have the Connection Manager installed, you can specify that Connection Manager software be added with the service profile you are creating or editing. Here, the user will perform the following actions:
          o Download the package.
          o Install the Connection Manager.
          o Run the Connection Manager service profile.
    * License Agreement; you can require users to accept a license agreement by including it in a text file.
    * Additional Files; for adding any other files with the Connection Manager service profile being created or edited.

With the CMAK, custom actions are supported. Through custom actions, you can configure that certain programs should automatically run when the Connection Manager process occurs.

The different actions which you can specify to run during the Connection Manager process are summarized here:

    * Pre-init actions; run when the Connection Manager initiates.
    * Pre-connect actions; run prior to the connection being established.
    * Pre-dial actions; run prior to the connection being established.
    * Pre-tunnel actions; run prior to the connection being established.
    * Post-connect actions; run after the connection is successfully established.
    * On cancel actions; run when the user cancels a connection.
    * On error actions; run when there is an error during the connection establishment process.

How to install the CMAK

   1. Open Control Panel.
   2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
   3. The Windows Components Wizard starts.
   4. Click Management and Monitoring Tools, and then click Details.
   5. In the Management and Monitoring Tools dialog box, select the checkbox for Connection Manager Administration Kit.
   6. Click OK. Click Next. Click Finish.

To start the Connection Manager Administration Kit (CMAK) Wizard,

   1. Click Start, Administrative Tools, and then click Connection Manager Administration Kit to initiate the CMAK Wizard.

How to create a new Connection Manager service profile

   1. Click Start, Administrative Tools, and then click Connection Manager Administration Kit to initiate the CMAK Wizard.
   2. The CMAK Wizard starts.
   3. Click Next on the CMAK Wizard Welcome screen.
   4. On the Service Profile Selection page, click the New profile option. Click Next.
   5. On the Service And File Names page, enter a name for the service in the Service Name text box, and enter a file name in the File name text box. This name will be used for the connection and it will also be displayed in the various installation dialog boxes of Connection Manager. Click Next.
   6. On the Realm Name page, leave the default setting of Do Not Add A Realm Name To The User Name enabled. Click Next.
   7. On the Merging Profile Information page, you can merge information from other existing profiles to add to this profile. Click Next.
   8. On the VPN Support page, you can set that a VPN connection be established. Click the Phone Book From This Profile checkbox. In the Enter the VPN Server Name or IP Address section of the page, select one of the following options:

          * Always Use the Same VPN Server option OR
          * Allow The User To Choose A VPN Server Before Connecting option.

   9. Click Next.
  10. On the VPN Entries page, perform either of these actions:

    * Create a new VPN entry.
    * Specify an existing VPN connection for the profile

  11. Click Next.
  12. On the Phone Book page, disable the Automatically Download Phone Book Updates checkbox, and then click Next.
  13. On the Dial-Up Networking Entries page, perform either of these actions

    * Create a new dial-up networking entry.
    * Specify an existing dial-up networking entry for the profile.

  13. Click Next.
  14. On the Routing Table Update page, click Next.
  15. On the Automatic Proxy Configuration, set any settings for a proxy server that should be utilized with the connection, and then click Next.
  16. On the Custom Actions page, click Next.
  17. On the Logon Bitmap page, specify your own graphics or accept the default graphic and then click Next.
  18. On the Phone Book Bitmap page, specify your own graphic or select a default graphic, and then click Next.
  19. On the Icons page, select your icons for the connection or use the default settings. Click Next.
  20. On the Notification Area Shortcut Menu page, specify the items which should be displayed on the shortcut menu, and then click Next.
  21. On the Help File page, specify your custom Help file. Click Next.
  22. On the Support Information page, provide your support details in the Support Information text box, and then click Next.
  23. On the Connection Manager Software page, you can select the Install Connection Manager option if users do not have the Connection Manager installed. Click Next.
  24. On the License Agreement page, specify the text file that includes the license agreement, and then click Next.
  25. On the Additional Files page include all other files which should be added with the new service profile. Click Next.
  26. On the Ready To Build The Service Profile page, click Next to start the creation of the new service profile.
  27. The CMAK Wizard creates the new customized Connection Manager service profile.
  28. Click Finish.

How to deploy CMAK packages

When you have completed all the necessary pages of the CMAK Wizard, the Connection Manager service profile is created. The connection package is compressed as well. The final screen of the CMAK Wizard displays the location of your newly Connection Manager service profile.

The service profile is by default stored in the following directory:

    * C:\Program Files\CMAK\Profiles directory. The directory is automatically created for the service profile by CMAK.

To distribute the new service profile package files, use either of these methods:

    * Copy the files in the CMAK directory to a:
          o CDROM
          o Floppy disk.
          o Web site
    * Share the CMAK directory and provide users with the path information.