NT Technical Support

Chapter 12

Implementing Remote Access Service

 

This is going to be a long one, but a very important one.  RAS (Remote Access Service) is covered on many of the exams, and it is something Microsoft wants to make an impression on you about.

 

We'll see how RAS provides a gateway to your network, how it turns your modem into a NIC, and how it makes the whole process transparent to the user.  All they have to do is use their dial-up networking capabilities.

 

RAS and Dial-Up Networking

 

RAS allows:

1.      Incoming network connections via PPP or SLIP

2.      Low-speed connections to a RAS server or ISP

 

You can establish a RAS connection via:

1.      PSTN

2.      ISDN

3.      X.25

4.      Direct connection to the Internet

You can use any of these ways to establish a connection to your private network.

 

When you connect via RAS, you are a member of the network you connect to; just like an Ethernet-connected member, you can use:

1.      Printers

2.      Files/Folders

3.      Network Server based databases

4.      Mail and Scheduling programs

 

Clients keep the phone numbers of their RAS servers in their phonebooks.

 

WAN Connectivity

As you can see, you can use WAN connections to connect to your local private network.

 

Public Switched Telephone Networks and Modems

By using standard modems and PSTN lines, you have worldwide connectivity and compatibility.

 

Integrated Services Digital Network

For faster connections (up to 128 kbps) you can use ISDN.  What you gain in speed, you lose in cost and compatibility.  That is, both sides of the connection need to be using ISDN.

 

X.25

Recall from your networking essentials class that X.25 is a "packet switched" protocol.  It relies on DCEs (data communications equipment), which make up a complex worldwide network that forwards packets to a designated address, such as a modem.

 

X.25 clients access the X.25 network via an X.25 packet assembler/disassembler (PAD).  By using a dial-up PAD with dial-up networking, you do not need an X.25 line connected to the computer.  You only need the phone number of the carrier's PAD service.  (The network AOL used to run on is an example of this.)

 

NOTE: An ISDN adapter and the X.25 adapter are treated as network adapter cards, and therefore give remote computers a direct data feed across a WAN to the LAN.

 

Point to Point Tunneling Protocol

PPTP is a protocol that supports multiprotocol Virtual Private Networks (VPNs).  When you use PPTP, you establish a "private" link to your network via a WAN connection, such as the public Internet.

 

You first establish a connection to the Internet using PPP as you would any other time; once the PPP connection is up, you establish the connection to your network server via PPTP to get a secure, encrypted connection.

 

PPTP Advantages

1.      PPTP connections are very inexpensive compared to having a dedicated WAN connection.  This, of course, depends on having an inexpensive local ISP to connect to.

2.      You decrease administrative overhead by managing WHO can connect via RAS by assigning RAS permissions in the RAS administrator.

3.      Hardware costs are lower than having to install equipment for a dedicated WAN connection such as Frame Relay.

4.      PPTP provides a secure, encrypted connection over the WAN to your local network using any of the supported protocols, such as NetBEUI, IPX or TCP/IP.

 

How PPTP Works

Any IP, IPX or NetBEUI packet can be "encapsulated" and sent over a TCP/IP network via PPTP.  This virtual WAN is supported over public networks such as the Internet.
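As an added illustration (not part of the original notes), here is what that encapsulation looks like on the wire: PPTP carries each PPP frame inside an enhanced GRE header (RFC 2637, protocol type 0x880B, version 1, key field holding payload length and call ID), and the PPP protocol field inside says whether an IP, IPX or NetBEUI packet is being tunnelled.  The sample frame below is constructed, and the function names are my own.

```python
import struct

GRE_PROTO_PPP = 0x880B        # GRE protocol type for a PPP payload (RFC 2637)
FLAG_K, FLAG_S = 0x20, 0x10   # first flag byte: key present, sequence number present
FLAG_A, VERSION = 0x80, 0x01  # second flag byte: ack present, enhanced-GRE version 1

# PPP protocol numbers for the three payloads the text names
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI (NBF)"}

def ppp_protocol(frame):
    """Name the network protocol carried in an uncompressed PPP frame (FF 03 <proto> <data>)."""
    if len(frame) < 4 or frame[:2] != b"\xff\x03":
        raise ValueError("not an uncompressed PPP frame")
    return PPP_PROTOCOLS.get(struct.unpack("!H", frame[2:4])[0], "unknown")

def pptp_encapsulate(ppp_frame, call_id, seq=None):
    """Wrap a PPP frame in the enhanced-GRE header PPTP uses for tunnelled data."""
    flags0 = FLAG_K | (FLAG_S if seq is not None else 0)
    header = struct.pack("!BBHHH", flags0, VERSION, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    return header + ppp_frame

def pptp_decapsulate(packet):
    """Parse a PPTP GRE packet; returns call ID, sequence/ack numbers and the inner PPP frame."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags0, flags1, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags1 & 0x07) != VERSION or not (flags0 & FLAG_K):
        raise ValueError("not a PPTP data packet")
    offset, seq, ack = 8, None, None
    if flags0 & FLAG_S:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags1 & FLAG_A:
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:  # reject packets whose GRE length field does not match what arrived
        raise ValueError("payload length mismatch")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}

if __name__ == "__main__":
    # Constructed sample: an IPX datagram inside a PPP frame, tunnelled on call ID 7
    frame = b"\xff\x03\x00\x2b" + b"<constructed IPX datagram>"
    packet = pptp_encapsulate(frame, call_id=7, seq=1)
    inner = pptp_decapsulate(packet)
    print(packet[:4].hex(), ppp_protocol(inner["ppp"]), inner["call_id"])
```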

 

PPTP Access Over the Internet

A client with the PPTP driver can connect by:

1.      Direct connection to the Internet

2.      Via an ISP connection

If there is a direct connection, the client must have the PPTP driver installed and enabled, and the RAS server must have a PPTP-enabled NIC.

 

If you connect via an ISP and your ISP's POP (point of presence) supports PPTP, you don't have to have the driver installed on the client.  Contact your ISP to find out whether they support PPTP on their end.

 

Protocols

Protocols supported by RAS fit into two categories:

1.      Protocols supported by WANs

2.      Protocols supported by LANs

 

LAN protocols include:

TCP/IP

NetBEUI

IPX/SPX

 

WAN access protocols include:

PPP

SLIP

MS RAS

 

Microsoft RAS supports NetBIOS networks by acting as a "gateway" to the NetBIOS network.  Therefore, even though you might be connecting over a WAN link using TCP/IP (the Internet), you can still connect to and use resources on a NetBIOS-based NetBEUI network, taking advantage of NetBT, NetBIOS over IPX/SPX and NetBEUI.

 

LAN Protocols

Since RAS supports IPX/SPX, NetBEUI, and TCP/IP via PPP, you can easily integrate NetWare, Microsoft, and UNIX networks via RAS.

 

Remote Access Protocols

The remote access protocols that you can use to dial into your RAS server over a WAN link include:

1.      PPP

2.      SLIP

 

Serial Line Internet Protocol

SLIP is one of the older WAN protocols used to connect to the Internet.  It was developed specifically to optimize communications over a slow WAN link.

 

Windows NT Server RAS only supports outgoing SLIP connections; you CANNOT dial in to an NT RAS Server using the SLIP protocol.

 

There are some serious limitations to the SLIP protocol which have led to its virtual abandonment in the U.S. market today:

1.      SLIP is not able to use WINS or DHCP

2.      SLIP depends on a text-based logon routine, which requires most users to log on to their WAN connection interactively (although you can automate this process by creating scripts)

3.      SLIP does NOT support IPX/SPX or NetBEUI

4.      SLIP does not support encryption, and transmits usernames and passwords as clear text.

 

NOTE: NT RAS server does not have a SLIP server component, so it cannot be used as a SLIP server.

 

Point to Point Protocol

PPP was designed as an improvement over SLIP.  PPP supports the following protocols:

1.      AppleTalk

2.      DECnet

3.      OSI

4.      NetBEUI

5.      TCP/IP

6.      IPX/SPX

 

PPP allows dial-out for clients and dial-in capabilities for RAS servers.  Using PPP, clients can run any combination of protocols and application interfaces (such as WinSock for TCP/IP-based applications).

 

Applications requiring the IPX interface can use CSNW (which we'll learn about in the next lesson!) to access NetWare servers.

 

Also, if GSNW is installed on the Server, the client doesn't have to have CSNW installed, just as would be the case if the RAS client were actually part of the physical Ethernet network. In this case, even IPX is not required (because of the RAS gateway abilities).

 

RAS will automatically bind NetBEUI, TCP/IP and IPX if they are already installed on the computer when RAS is installed.  Each protocol will be configured to use RAS.

 

PPP Multilink Protocol

This is one of the really neat features of RAS.  You can increase transmission rates significantly using multilink.  It allows you to combine multiple physical links into a single virtual connection.  The catch is that your ISP has to support multilink, and of course, you have to have two phone lines.

 

For example, let's say that you have two 56k modems hooked up to two phone lines, each with its own phone number.  If your ISP supports multilink, you will call two different numbers simultaneously with the two modems, which gives you an effective transfer rate of 112kbps (of course, the limit of transfer on 56k modems right now is 52k, so the actual possible throughput is only 104kbps in this example).

 

But, you don't have to use two connections of the same type!  You can mix:

1.      ISDN

2.      PSTN

3.      X.25

4.      ADSL

5.      Or whatever else you want!

 

If you're using a serial port connection, you might overwhelm its capabilities, though.

 

One last thing: both client and server must have multilink enabled.

 

Gateways and Routers

RAS can act as a gateway in several types of situations.

 

NetBIOS Gateway

A RAS server can act as a NetBIOS gateway, regardless of what protocols are actually running on the server.  This means the client can be running only NetBEUI, yet be able to access all network resources on a network that is not even running NetBEUI.  That's really cool.

 

Like all gateways, it does this by translating the NetBEUI packets into IPX or TCP/IP format.

 

IP and IPX Routers

RAS can take advantage of the router capabilities built into NT.  If the RAS server has router capabilities enabled, it can perform the following functions:

1.      Act as a router to link LANs and WANs

2.      Connect LANs that have different network topologies such as Ethernet and Token Ring

 

When configured, RAS servers enable remote clients to access NetWare file and print services, and to take advantage of Windows Sockets applications.

 

RAS Security Features

A RAS client becomes a member of the network, just as if the client were "physically" attached to the network.  Just like in a local logon, you must have a valid username and password in order to be authenticated to access the domain and domain resources.

 

All authentication and transmission of usernames and passwords is encrypted by default.  However, should the need arise, you can change the authentication scheme to clear text, but then anyone with a network sniffer can see your username and password.  Clear text uses UUENCODE, which is easily decipherable.

 

You can audit activity on RAS connections just as you can audit any other client.

 

Intermediary Security Hosts

You can add an intermediary security host, which is a device that the caller must get through in order to reach the RAS server.  Typically, this security host will ask for its own username and password before letting you get to the RAS server.  The security host has its own authentication requirements, sometimes including things such as a "smart card" or fingerprint identification.  These must be satisfied before accessing the RAS server.

 

Callback Security

Callback security allows you to dial in to a RAS server, and have the RAS server call you back.  Callback can be configured to call back a single number, or have the client designate what number the Server should call back.

 

PPTP Filtering

When using PPTP, the RAS server must have a direct connection to the Internet and to the company's corporate network.  This is definitely a security risk, because the entire network could then be accessed through the RAS server.  However, when PPTP filtering is enabled, all protocols other than PPTP are disabled on the selected network adapter card.

 

Telephony API

 

TAPI is an API that allows all programs that require a connection via a public network (such as the PSTN) to use the same interface, and has that interface manage use of and access to the telephony adapter (usually a modem).

 

This does away with the nasty situation we used to have in Win 3.x: you might have a FAX program running all the time to receive your faxes, but if you then wanted to fire up AOL, the contention for the modem between the AOL program and the FAX program usually brought the system to a halt, or at best just prevented the program from using the modem, giving you the message that the device "was in use".

 

TAPI Settings

The basic settings, such as local dialing parameters, are set up during the installation of NT.

 

Location Setup

TAPI uses the information about your present location to compare it to the number that you tell it to dial.  If the number is in a different area code, for example, it will dial a "1" first (much to the chagrin of those living in a city like Dallas).

 

However, these different locations do NOT have to be geographic locations.  For example, a location could be a hotel room, which requires a certain sequence of numbers to be dialed before getting an open line.

 

Location information includes:

Ø      Area Code

Ø      Country Code

Ø      Access Numbers

Ø      Calling Card Numbers
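To make the location rules concrete, here is an added example (not from the original notes) of how a number stored in canonical form (country code, area code, subscriber number) turns into different digit strings depending on the location you dial from: bare digits for a local call, a "1" prefix for another area code, an international prefix for another country, and a hotel's outside-line prefix in front of all of them.  The class, field names, prefixes and phone numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Location:
    """Dialing properties kept for one place you dial from (assumed field names)."""
    name: str
    country_code: str           # "1" for the North American numbering plan
    area_code: str              # the area code you are calling from
    outside_line: str = ""      # prefix for an outside line, e.g. "9," in a hotel
    long_distance: str = "1"    # prefix dialed before an out-of-area number
    international: str = "011"  # prefix dialed before a foreign country code

def dial_string(loc, country_code, area_code, number):
    """Build the digit string the modem is given for a canonical number,
    following the location rules the text describes: local numbers are dialed
    bare, out-of-area numbers get the long-distance prefix plus area code, and
    foreign numbers get the international prefix plus country and area code."""
    digits = loc.outside_line
    if country_code != loc.country_code:
        digits += loc.international + country_code + area_code + number
    elif area_code != loc.area_code:
        digits += loc.long_distance + area_code + number
    else:
        digits += number
    return digits

# Constructed locations: the office, and a hotel room that needs "9," for an outside line
office = Location("Office", "1", "214")
hotel = Location("Hotel room", "1", "972", outside_line="9,")

if __name__ == "__main__":
    # The same phonebook entry dials differently from each location
    for loc in (office, hotel):
        print(loc.name, dial_string(loc, "1", "214", "5551234"),
              dial_string(loc, "1", "972", "5551234"),
              dial_string(loc, "44", "20", "79460000"))
```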

 

Calling Card

Yes, you can use your calling card to dial long distance numbers!  But, what if someone is listening in on your conversation and hears your card number?  Don't worry.  The numbers are scrambled and therefore not easily intercepted.

 

Drivers

TAPI drivers control access to TAPI devices (modems).

 

Installing And Configuring RAS

 

RAS can be installed during the initial installation of NT, or afterward.  To install RAS you need to consider the following:

1.      The model of modem to be used

2.      The type of communications port to use for the RAS connection

3.      Whether this computer will be used to dial in, dial out, or both

4.      The protocols to be used

5.      Any modem settings such as baud or kbps rate

6.      Security settings including callback

NOTE: NT SERVER supports up to 256 inbound connections.  NT WORKSTATION supports a single inbound RAS connection.

 

Configuring a RAS Server

The only way to get to know how to use this is to actually get into the RAS server setup and check it out.  The question is, how do you get there?  It's not that intuitive, so here goes:

1.      Go into the network control panel applet

2.      Click on Services tab

3.      Click on RAS, and then Properties

Some things to note:

Ø      Enable Multilink is only available in NT Server

Ø      Encryption options only work with Win95 or WINNT clients

Ø      Both client and server must have multilink enabled to use multilink

 

Configuring A RAS Server to Use TCP/IP

TCP/IP can support all client PPP connections.  You can even allow the DHCP server to assign the remote client an IP address, or assign a custom range just for the RAS clients to use.  There is also an option to allow the client to select its own IP address.

 

Clients can take advantage of HOSTS and LMHOSTS files just as local network clients do.  You would use them in the same way, to help the RAS client find the domain controllers and master browsers on the local and remote networks.

 

We will have some labs that will explain and demonstrate many of the concepts involved with setting up and configuring RAS.

 

Installing And Configuring Dial Up Networking

It is Dial-Up Networking (DUN) that allows clients to connect to a RAS server, or to make any other kind of PPP connection.  If there's something that is always going to be different and complicated on any machine you work with, it's getting DUN to work correctly.  The only way to become skilled at this is to do it over and over on a number of different machines.

 

Configuring Phonebook Entries

You configure a phonebook entry for each RAS or PPP server that you want to connect to.  Each phonebook entry stores the specific configuration settings you use when you connect to that remote network.  There are two types of phonebooks:

1.      A Personal Phonebook
A personal phonebook is one that only the logged on user has access to and is specific for the individual logged on user

2.      A System Phonebook
A system phonebook is available to all users logged onto the local machine.

 

Logging on Through Dial Up Networking

You may have noticed on your own machines at home that when you get to the logon screen, there is a small checkbox that you can select that will allow you to log on via dial-up networking.

 

If you check this, the phonebook will appear, and you will have the chance to choose what phonebook entry you want to use to dial into the log on server.

 

User Profiles with Dial Up networking

Remember, the logon process is the same whether it is local or remote.  Profiles work the same way: after a user logs off, a local copy of the user's profile is cached.  Since RAS connections tend to be slow, you might want to go to the System applet in the Control Panel and allow the use of a locally cached copy on slow network connections (there's a check box there which, when checked, defaults to the locally cached profile if a slow connection is detected).