New Windows Enhances Off-Site Work

The task of establishing connections between large networks, small networks, and individual computers has always been a daunting one. As companies become geographically dispersed and data and services become more centralized, the need for reliable and secure communications has grown.

We looked at Microsoft Corp.'s Windows 2000 operating system to see how it addresses some of the common issues surrounding remote communications. Although it's not a perfect out-of-the-box solution for every scenario, Microsoft’s new offering is a well-thought-out and well-put-together package of services and features that handle a wide range of common needs.

For our examination, we set up a small, mixed Windows 2000 and Windows NT 4.0 workgroup connected through a larger corporate network to the Internet. Only one system in the workgroup, running Windows 2000, was given a public address accessible from the Internet. The other machines in the group -- running Windows 2000 Professional, Windows NT 4.0 Server, and Windows NT 4.0 Workstation -- were given private addresses communicating to the central Windows 2000 Server.

The Windows 2000 Server was set up as the target for remote virtual private network (VPN) connections. Connections were tested from workstations in other domains inside the corporate network, and from workstations located outside the network across the Internet.

General RRAS Enhancements

Microsoft has made a large number of improvements to the Routing and Remote Access Service (RRAS) in Windows 2000. From direct connection to the Windows 2000 Active Directory to new methods for handling bandwidth issues for dial-up connections, the plate is full of new goodies for the connection-hungry. Some of these enhancements were available as add-ons to the RRAS for Windows NT 4.0, but they are better unified in Windows 2000.

At the highest level, Microsoft has tied remote access utilities into the Windows 2000 Active Directory structure. This allows administrators to define remote access policies at the global, group, or individual level. More than just providing a directory reference, though, this connection allows some fairly broad-based management strategy. Once defined, those policies can be consistently applied across the entire enterprise, even when multiple remote access servers are implemented in disparate locations.

Using these high-level facilities, it is possible to design a system that allows open access to low-level resources, such as a shared file library, while enforcing more stringent requirements to access sensitive areas, such as system files and configuration applications.

At a lower level, Microsoft added some nice touches to such things as dial-up connections. A multilink capability allows several dial-up connections to be combined into a single, wider connection. This support is provided in software rather than hardware, eliminating the need for special equipment. The only special requirement is that the systems at both ends must support multilink connections, something that is assured if Windows 2000 is at both ends.

Companion to the multilink capability is a feature called Bandwidth Allocation Protocol (BAP). This allows the server to automatically add or remove channels in a multilink connection to accommodate demand. If, for example, an ISDN connection is in place between a Windows 2000 remote access server and a satellite office, BAP can manage that connection so it meets the current need. During periods of low demand, perhaps only a single channel may be in use; an activity surge might cause the server to add another channel or two from a predefined pool of connection devices.

For users who must move large files across the Internet, the restartable file copy feature will be a big plus. Anyone who has found themselves three quarters of the way through transferring a 20-MB file over a slow link, only to have the connection drop, will appreciate the ability to pick up the transfer from the failure point once the connection is remade.

Microsoft also embedded advanced authentication services into the Windows 2000 package. Microsoft’s implementation of the Remote Authentication Dial-In User Service (RADIUS) server, named Internet Authentication Service (IAS), is part of the RRAS package. RADIUS client services are built into the Windows 2000 networking clients.

For branch offices and home or small office networks, Microsoft bundled Network Address Translation (NAT) into the router software as part of the Internet Connection Sharing concept. Users and administrators looking for an easy or inexpensive way to share a single network connection can use the native features of the operating system, rather than adding special purpose hardware or utility software.

VPNs Made Easy

The star of the show, and a feature that Microsoft is clearly enamored with, is expanded support for VPNs. But establishing a VPN can lead to some of the most Byzantine server and network configuration tasks, even for moderately experienced administrators. Factor in the difficulty of correctly setting up the remote systems intended to benefit from a VPN, and the prospect rapidly assumes an aura of "Why bother? Rebuilding the business from the ground up after we get hacked will be easier."

Microsoft addressed these issues in two ways. The first is a set of detailed white papers and walk-through documents that make the process of configuring a VPN server clear and concise. More importantly, white papers like "Connecting Remote Users to Your Network" and "Extending Your Network to Business Partners" make the reasons for installing a VPN clear, as well.

The other major difficulty of VPNs, and one that Microsoft has gone a long way toward solving, is the setting up of connections into the VPN server from external clients. Microsoft provides a tool called the Connection Manager Administration Kit (CMAK), which wraps most of the process into a neat little package. Any administrator who has ever had to talk a remote user through the process of configuring a dial-up networking connection, much less a VPN, will find CMAK to be a very handy tool indeed.

Through a series of simple wizard steps, an administrator running CMAK describes the connection to be established, including the name and address of the target server, how to handle authentication, how and where to synchronize with shared "phone books," and other similar settings. One extremely useful feature is the ability to define extra steps to be taken before, during, and after the connection process. Application programs can even be included in the prepared connection.

What results from this entire process is a single executable file, which can be delivered to an end user in any form desired: e-mail, diskette, CD, or other means. The user then executes this one file, configuring the entire connection on the remote machine. The inclusion of actions and referenced applications in the one connection means that an administrator can deliver an end-to-end experience to the Windows 2000 user, from dialing out to the Internet or dial-in server, establishing a connection to the target server, creating appropriate network shares, and starting end-user applications.

We used the CMAK to define a simple connection to our test server, without extra commands or embedded applications. We then distributed the executable, which weighed in at just about 123 KB, to workstations inside and outside the corporate network. Defining the connection took about 10 minutes the first time through the wizard -- which included lots of time for note taking and thought processes. Installing the defined connection took about 30 seconds from beginning to end. The installed connection at first did not seem to work. We quickly discovered that the test account we were using had an expired password. That solved, the same CMAK file produced the same results on several different workstations.

To compare, we manually defined a similar connection from a Windows NT system outside the network. Even after having just gone through the thought processes of building a connection with the wizard, the manual effort took about half an hour and a fair amount of applied expert knowledge just on the client end.

VPN Security Cloaks

VPN connections do more than just create a link between disparate systems across some other network. Data security, especially across the Internet, is a major reason for using a VPN. VPN schemes address this issue by using data encryption.

When the VPN connection is established, the remote client system is given an address to use that looks to the server like a local network address. To send information to the VPN, the client first creates information packets using that private address and the corresponding private address of the VPN server or other target resource. Then, those packets are encrypted and wrapped in a second packet using the real public addresses of the client and VPN server. That larger packet is transmitted across the public network to the VPN server. The server opens it, deciphers the inner packet with the private addresses, and sends the data to the local resource recipient. Communication to the remote client follows a simple reverse of this process.
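The encapsulation just described, as an added example that is not part of the original article or of Windows 2000's own code: a client builds an inner IPv4 packet between the private tunnel addresses, seals it (encrypt plus integrity tag), and wraps it in an outer packet between the public addresses; the server checks the peer, verifies the tag, and unwraps. The addresses and shared key are constructed, and HMAC-SHA256 in counter mode stands in for the real tunnel cipher so the example runs with the standard library only.

```python
import hashlib, hmac, ipaddress, struct

# Constructed addresses: private tunnel addresses and the public endpoints.
CLIENT_PRIV, SERVER_PRIV = "10.0.0.2", "10.0.0.1"
CLIENT_PUB, SERVER_PUB = "203.0.113.7", "198.51.100.1"

def ip_packet(src, dst, payload):
    """Minimal 20-byte IPv4 header (no options; checksum and protocol are placeholders)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ip(pkt):
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), pkt[20:]

def subkeys(key):
    # Separate encryption and integrity keys derived from the one shared secret.
    return tuple(hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def keystream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode stands in for IPSec's real cipher (demo only).
    blocks = [hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, seq, inner):
    """Encrypt the inner packet and authenticate it; the sequence number is the nonce."""
    enc_key, mac_key = subkeys(key)
    nonce = struct.pack("!Q", seq)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(enc_key, nonce, len(inner))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; anything altered in transit is rejected."""
    enc_key, mac_key = subkeys(key)
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def client_send(key, seq, data):
    # Client: inner packet with private addresses, sealed, wrapped in a public-address packet.
    inner = ip_packet(CLIENT_PRIV, SERVER_PRIV, data)
    return ip_packet(CLIENT_PUB, SERVER_PUB, seal(key, seq, inner))

def server_receive(key, outer):
    # Server: strip the public header, check the peer, unseal, return the inner packet.
    src, dst, blob = parse_ip(outer)
    if (src, dst) != (CLIENT_PUB, SERVER_PUB):
        raise ValueError("outer packet is not from the expected tunnel peer")
    return parse_ip(unseal(key, blob))
```

Only the outer header and an opaque ciphertext cross the public network; the private addresses and data are visible again only after the server has verified the tag.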

A well-known tunneling protocol, supported out of the box by the Microsoft wizards, is the Point-to-Point Tunneling Protocol (PPTP). PPTP is in fairly wide use, and provides a basic level of security for most situations.

More complex and less broadly used is the Layer Two Tunneling Protocol (L2TP), which is combined with the IPSec encryption protocol. L2TP is a proposed standard developed by Microsoft and Cisco Systems Inc. (www.cisco.com), combining elements of PPTP and Cisco’s L2F protocol.

To support the level of encryption provided by IPSec, it is necessary to use certificates -- digital credentials that let each end prove its identity and establish the keys used to protect transmissions. Microsoft provides a walk-through for certificates that enabled us to quickly configure a Certificate Authority (CA) on our server.

Once it was configured, we were able to use the CA to issue certificates for various users and computers in our test structure. Those certificates could then be used to validate and encrypt connections both inside and outside the test network.

The CMAK wizard fell short here. It is not, as delivered, designed to directly support generating connections that rely on L2TP/IPSec for security. Microsoft does provide instructions for modifying the underlying template files used by the wizard to create this support. These instructions were more cryptic than the other walkthroughs. Microsoft does plan to extend the CMAK tool to provide better support for L2TP/IPSec connections. No specific details or schedules have been announced.

Overall

The total RRAS suite of features and capabilities in Windows 2000 is impressive. If there is any problem, it is that there is almost too much that one can do, and too many places in which it can be done. The wizards work well for setting up and configuring many services, but their use risks leaving an inexperienced user puzzled about how to get back to a particular setting or feature later on.

Administration of system resources in Windows 2000 is typically done through the Microsoft Management Console (MMC). Even though all MMC snap-ins share a common look and feel, a good method has yet to emerge for finding the right snap-in to access a particular feature. In the case of remote access, which merges aspects of everything from network definitions to policies, encryption, and user data from Active Directory, this becomes readily apparent.

Even so, Microsoft appears well on its way to handing administrators and users a gift-wrapped bundle of what they need and want most.

Windows 2000 RRAS

Microsoft Corp., Redmond, Wash.

(800) 426-9400

www.microsoft.com

Price: Windows 2000 Professional, $319; Windows 2000 Server, $1,199; Windows 2000 Advanced Server, $3,999

Pros/Cons:

+ Wizards and walkthroughs for many complex tasks

+ Rich, flexible access configurability

+ Good mix of small user vs. big user tools

- Incomplete/missing wizards for high-security encryption/certificate services

- Feature set is so rich it is possible to drown in detail