White Paper: Remote access using Windows NT

For organisations planning to migrate to Windows NT networks, there are a number of remote access options. But they require careful planning

As organisations migrate to NT, they are also being driven to implement an NT-compatible remote access solution. Once a technical "luxury" reserved for travelling executives, technical support staff and engineers working from home, remote access is now a necessity for supporting continually growing numbers of mobile users, telecommuters, workers dividing time among branch offices, and even selected suppliers and customers. In a business climate characterised by ever extending enterprises and ever increasing pressure to do more with less, remote access gives users low cost access to the high productivity resources of the LAN and promises tremendous strategic advantages for any organisation.

One key to maximising the strategic impact of remote access is to minimise its costs: the initial cost of the new hardware and software required to implement the remote access solution and, more importantly, the continuing costs of maintaining the system. These continuing costs include:

The cost of additional administrative responsibilities: managing the remote access server, maintaining remote access security, supporting remote users and maintaining any additional hardware added to the network

The wide area network (WAN) costs of remote access (monthly phone service and usage charges) and the cost of adding new hardware, phone capacity

Connections to other networks and data sources as the remote access community's size and information needs expand

In general, the easier the remote access server software and hardware is to manage and maintain, the lower the continuing administrative costs. Also, a remote access solution that is universally compatible with a number of communications protocols and low-cost, high-volume WAN solutions will result in lower costs over time.

There are three ways to implement remote access in Windows NT:

Running the remote access server that's built into NT (called NT RAS) on a PC running Windows NT Server

Adding a dedicated remote access server that's compatible with NT, but doesn't include management and security that's integrated with NT (such as a remote access server that uses UNIX for security and management)

Adding a dedicated, NT-integrated remote access server

Windows NT Server includes a built-in remote access server, NT RAS, that provides an extremely easy-to-manage and relatively low cost remote access solution for Windows NT. With NT RAS, all management takes place in the familiar, easy-to-use Windows NT GUI. NT RAS is tightly integrated with NT's native Domain authentication services: a simple point-and-click operation authenticates any existing user or group for remote access. NT RAS provides a full range of security features, including data encryption and dial-back, and supports many, if not all, of the leading third-party remote access security products. In addition, a network manager using NT RAS can get technical support from Microsoft, the same company that supports the NT Server itself.

NT RAS also offers the significant start-up cost savings of running from the same Intel-based PC that's currently running the Windows NT server. But these savings come with tradeoffs. Because NT RAS has to share system resources with NT's file, application and print serving, the performance of all network services (including remote access) slows down. And because remote access isn't isolated from file/application serving, if a problem with one service brings the server down, the other services are lost as well.

Furthermore, growth is somewhat limited and relatively expensive. While NT RAS technically can support 256 remote access ports, due to the performance limitations of even the fastest PCs, most network managers find system performance overcompromised. Anything beyond 30 or 40 concurrent remote access users results in slower response times for remote users. And interfacing the PC with cost-saving, multi-line phone solutions, such as T1 or Primary Rate ISDN (PRI), is even more complicated. Each additional user requires an additional modem and analogue phone line, which is both expensive and physically complex to manage.

Organisations migrating from UNIX to NT may consider a dedicated remote access server that's compatible with NT, but is configured and managed from a UNIX workstation. This remote access server eliminates the main drawbacks of PC server-based NT RAS. It separates remote access from NT file/application serving, so both functions run at top speed and problems with one do not affect the other. It adds enterprise-level scalability: most dedicated remote access servers have high-end solutions that accommodate more than 256 ports without performance sacrifice, and that support channelised T1 and PRI digital trunks. And it incorporates the modems within the chassis of the remote access server, eliminating a confusing tangle of external modem wires.

In addition, because the remote access server is configured from a UNIX workstation (which the migrating organisation is likely to have on hand), the network administrator can work with familiar and trusted command line administrative and security tools, and can continue to use existing UNIX-compatible third-party remote access security products.

However, in exchange for the familiarity of UNIX-based control, the administrator sacrifices the ease-of-use benefits of NT RAS's integrated remote access management, and actually creates extra work for himself or herself. The UNIX-based remote access server requires a UNIX security server, such as RADIUS or ACP running under UNIX, which doesn't easily integrate with the NT Domain authentication; authentication information from the NT Domain must be manually re-entered into the UNIX security server database, and manually updated whenever that information changes. This significantly adds to the complexity of security management and overall administration, which increases administrative costs and can potentially compromise network security.

For organisations in non-UNIX environments, the management costs (both short and long-term) of a UNIX-controlled remote access server are even higher. In addition to the issues described above, the manager must learn UNIX or hire knowledgeable personnel and, of course, purchase a UNIX workstation to configure and manage the remote access server. As an alternative, these organisations might consider a dedicated remote access server that can be configured and administered from a PC platform, but is not integrated with NT's Domain authentication. In this case, an administrator could manage both the local and remote access from a single, existing PC. However, remote access authentication would be entirely separate from NT's Domain authentication: the two would have to be managed and monitored separately, and the two authentication databases would have to be updated manually.
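The following is an added example, not part of the original white paper or any vendor's tooling: a reconciliation audit for the two manually maintained authentication databases described above, flagging remote access accounts that no longer match the NT Domain. The export layout, the flat users-file layout (entry line starts with the username, indented lines are attributes) and all account names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample: export of NT Domain accounts (assumed CSV layout).
DOMAIN_EXPORT = """username,enabled
asmith,yes
bjones,yes
cwong,no
dpatel,yes
"""

# Constructed sample: users file of the separate remote access security
# server (assumed layout; passwords are placeholders).
RAS_USERS_FILE = """# remote access users
asmith  Password = "placeholder"
        Service-Type = Framed-User
cwong   Password = "placeholder"
        Service-Type = Framed-User
evans   Password = "placeholder"
DEFAULT Auth-Type = Reject
"""

def load_domain(text):
    """Return {username: enabled} with names lower-cased for comparison."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["username"].strip().lower(): r["enabled"].strip().lower() == "yes"
            for r in rows}

def load_ras_users(text):
    """Return the set of named entries, skipping comments, attributes, DEFAULT."""
    users = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():          # indented line: attribute of previous entry
            continue
        name = line.split()[0]
        if name.upper() != "DEFAULT":
            users.add(name.lower())
    return users

def audit(domain, ras_users):
    """Classify drift between the two databases."""
    return {
        # Can still dial in, but the domain no longer knows the account.
        "orphaned": sorted(u for u in ras_users if u not in domain),
        # Disabled in the domain, yet the remote access entry was never removed.
        "disabled_in_domain": sorted(u for u in ras_users
                                     if u in domain and not domain[u]),
        # Informational: active domain users with no remote access entry.
        "domain_only": sorted(u for u, on in domain.items()
                              if on and u not in ras_users),
    }

if __name__ == "__main__":
    print(audit(load_domain(DOMAIN_EXPORT), load_ras_users(RAS_USERS_FILE)))
```

The first two categories are the ones that matter for security: each is a dial-in credential that outlived the domain account it was copied from.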

A dedicated remote access server that's tightly integrated with NT combines the ease-of-use benefits of the NT RAS with the performance and scalability of a dedicated remote access server. In addition, a tightly-integrated remote access server can transparently take advantage of Windows NT's built-in features for automated recovery from server outages in a multi-server network environment.

Compiled by Ajith Ram

(c) 1997 Bay Networks, Inc