Dear Microsoft

 Wednesday, March 20, 2002

Perspectives

I need to step back.

We upgraded a custom hosting client from NT4.0 SP6a to W2K SP2 SRP1 + hotfixes, and in the process decided to replace their means of remote access, which was previously Symantec's pcAnywhere, with Windows Terminal Services and FTP, both over IPsec. L2TP support was also desired, because of issues with NAT. My estimation of Microsoft's ability to write both a clean operating system and comprehensible documentation has fallen to a new low. I'm stymied in my implementation of L2TP by the RRAS snap-in's obscure message: "You do not have the required permissions to view the properties."

So I need to step back, take a few deep breaths, and look at this problem from another angle.

March 25, 2002: Haven't found an answer yet.

February 07, 2003: Steven Lefevre wrote on January 31, 2003, asking if I'd found an answer to my dilemma. The closest I came was to drop the L2TP requirement and begin to explore moving the tunnel endpoints upstream.

Between his writing to me and my response to him, he found that you cannot administer the Routing and Remote Access Service when the Remote Registry service is stopped. So, if you follow hardening procedures for the host, you can't use RRAS; and if you can't use RRAS, you can't use L2TP; and if you can't use L2TP, then you can't support IPsec between NATted hosts; so you don't harden the host — or you remove the NAT. Swell.
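One way to live with that dependency without leaving the service on permanently is to keep Remote Registry disabled as the hardening guide says, and bring it up only for the maintenance window in which the RRAS snap-in is used. The script below is an added example written for this post, not anything from the original or from Microsoft; it assumes a current Windows host with PowerShell (Windows 2000 had no PowerShell), that the Remote Registry service's short name is `RemoteRegistry`, and that the account running it is a local administrator.

```powershell
# Added example, not from the original post. Assumes a modern Windows host
# with PowerShell 5+ (for the StartType property) and the RRAS role installed.
# 'RemoteRegistry' is assumed to be the service's short name.
$svcName = 'RemoteRegistry'

$svc = Get-Service -Name $svcName -ErrorAction Stop
Write-Host "Remote Registry is $($svc.Status), start type $($svc.StartType)"

if ($svc.Status -eq 'Running') {
    Write-Host 'Remote Registry is already running; the RRAS snap-in should open normally.'
    return
}

# Remember the hardened state so it can be restored exactly afterwards.
$originalStartType = $svc.StartType

# A disabled service cannot be started; flip it to Manual only for this session.
if ($originalStartType -eq 'Disabled') {
    Set-Service -Name $svcName -StartupType Manual
}

Start-Service -Name $svcName
Write-Host 'Remote Registry started. Open the Routing and Remote Access snap-in now.'

try {
    # Keep the service up only as long as the administrator is working.
    Read-Host 'Press Enter when you are finished administering RRAS' | Out-Null
}
finally {
    # Whether or not the session was interrupted, return the host to its hardened state.
    Stop-Service -Name $svcName -ErrorAction SilentlyContinue
    Set-Service -Name $svcName -StartupType $originalStartType
    Write-Host "Remote Registry stopped and start type restored to $originalStartType."
}
```

The point of restoring the original start type in a `finally` block is that an interrupted session (closed console, Ctrl-C) still leaves the service disabled; the exposure window is the administration session itself rather than an indefinitely running service.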

11:40:36 AM
categories: Dear Microsoft, System Administration