Using Remote Access Services
One of the most interesting elements of Windows NT for me has always been Remote Access Service, more commonly referred to as RAS. I have always loved the ability to remotely connect with my home network over a modem link and do anything I could normally do while sitting at one of my home machines, albeit at a slightly slower rate. With Windows 95 being the predominant operating system these days, it is simple and inexpensive to incorporate RAS into even the smallest of networks. Because Windows 95 comes with a built-in network dialer to connect to remote networks over modem links, no other software is needed for modem-linked network connections. When paired with an NT server that offers Remote Access dial-in ability, the combination is hard to beat in performance and flexibility.
An Overview of RAS
RAS is often confusing to some people. Put plainly, it offers the ability to have a true network connection over a modem to link with a remote site. Some limitations do apply to RAS-based network connections, but they are few. As mentioned previously, both Windows 95 and Windows NT come with internal Remote Access features that work perfectly together. In Windows 95, use Dial-Up Networking, found in the Accessories folder, to make client-side connections to a remote RAS server. This element is not installed by default, so if it is not present, then it was not manually selected for installation when Windows 95 was originally installed.
In Windows NT 3.51's remote access feature, both client and server sides are one component, simply called Remote Access, and are both contained in one folder called Remote Access Services. In Windows NT 4.0, Remote Access has been split somewhat to more closely adhere to the Windows 95 interface method. The client-side RAS element in NT 4.0 is now called Dial-Up Networking and can be found in the Accessories folder. The controlling application for the NT 4.0 RAS server-side element can be found in the Administrative Tools folder as Remote Access Admin. The interface for Dial-Up Networking in NT 4.0 is very different from the Dial-Up Networking interface in Windows 95.
To clear up any confusion you may have about the terms client and server, let me clearly define them. A server-side application is any application or service that is executed by a network server to receive network traffic/data from remote workstations. A client-side application is any application that is executed by a workstation to connect with a companion application found on a network server. In this chapter, we discuss RAS for Windows NT as both a server- and client-side application, because it can perform both functions.
In the vast majority of RAS cases, the network connection is made with a modem of some kind. However, keep in mind that Windows NT supports several other forms of RAS connections than just standard telephone lines and modems. It also supports X.25 lines (a form of packet switching data transfer: many smaller lines bundled together sending packets of data concurrently), ISDN lines (a form of digital communications that typically uses two digital data lines and one controlling line), and full digital lines (lines such as DDS, fractional T1, and full clear channel T1 lines: digital communication lines with a high rate of data transfer, comparatively speaking).
The RAS element of Windows NT supports up to 256 concurrent sessions, either inbound or outbound. NT RAS is not a modem-pooling application, meaning that it does not offer network workstations the capability of using the modems attached to the NT RAS server as local, dial-out modems. RAS only allows for connections made from or to the NT RAS server itself.
If you are considering using RAS, I'll assume that you are familiar with the basics of networking. You should understand what a network protocol is and what its main function is. All three major network protocols are supported by RAS: IPX, TCP/IP, and NetBEUI. RAS connections can support all three of these protocols on a single connection or any combination of them. Though these are the actual network protocols through which applications communicate, RAS uses two transport protocols to carry these network protocols over an asynchronous modem connection (a connection that is not rigidly controlled by timed packet transmissions): PPP (Point to Point Protocol) and SLIP (Serial Line Interface Protocol). Unlike the network protocols supported by RAS, only one type of transport protocol can be used over a connection.
Figure 20.1 is a simple example of how dial-in networking can be done.
A typical dial-in network arrangement.
An NT RAS server does not have to be an isolated server on the network. The PDC (primary domain controller) of the network can serve as the RAS server provided it has the computing strength to do so. The method of connection can also be something other than modems. ISDN, X.25, and full digital lines can also be used to connect to a RAS server, provided that the client side can interface with such lines.
RAS Versus Remote Control
Many people think that RAS means remote control. This is not true. RAS and Remote Control are similar only in that they offer remote access to a system through some form of nondedicated channel (such as a telephone line). RAS offers standard access to resources of remote machines in the typical network fashion. This means that a client machine can access network drives, printers, fax broadcasters, and so on as though they were local resources (drive letters, printer ports, fax connections). The client machine does not actually see the display of the server machine as Remote Control programs such as Carbon Copy and PC Anywhere allow.
When using Remote Control programs, the client sees a redirected output from the server-side machine exactly as the server-side display shows. The client basically looks through a "window" to the remote machine. Everything that might be executed through a Remote Control session is actually taking place on the remote machine; the client is simply being shown what is happening on the other side of the connection. This means that the only data being transferred over the modem link (or other form of link) is what is being displayed on the remote system. This form of remote control is handy if you want to have the remote system doing something rather than your own local machine.
RAS, on the other hand, is a true network connection. When you connect to a RAS server, you can copy or delete files, execute programs, load documents, and so forth on the local machine, and the data will be transferred to the local machine from the server. RAS connections are not typically very good at running remote programs because the speed of the connection is prohibitively slow for adequate performance. Consider this small example.
Say you're connected by a RAS link to a remote machine. When connected, you link to the remote C: drive as your own J: drive, a typical network action. Now, on the J: drive (the remote C: drive) you want to compress a directory of files with PKZIP, a popular shareware compression program. So, you open up a DOS shell, change to the J: drive and the directory you want, and then run PKZIP as follows:
pkzip *.* myfiles.zip
Now, most of you are familiar with PKZIP and compressing files. If you executed it in this fashion, the entire contents of the directory would be sent over the RAS link to the local machine, compressed by the compression program and then resent back through the RAS link to the remote machine to be written to the remote C: as the target file myfiles.zip. It would be far more efficient to simply copy the files over the RAS link to the local C: drive and then compress them. That way, data would only be going through the RAS link once.
Uses for RAS
NT RAS can offer more than just dial-in access to network resources. Because RAS offers remote users the capability to connect with the TCP/IP protocol, RAS can be used to serve out Internet-type connections to callers. TCP/IP-based applications such as Web servers, FTP servers, Telnet servers, and so on can all be executed on an NT RAS server machine. Then callers could connect to the RAS element and operate these applications as though they were connected to the actual Internet.
In fact, NT can go much further than this and offer full-blown Internet Service Provider-type connections to remote callers. An NT server can be connected to the Internet through a dedicated channel and RAS callers can link to the RAS server and be granted pass-through Internet access. Consider the simple example shown in Figure 20.2.
A dial-in network arrangement offering both LAN and Internet-type connections.
Obviously, many forms of security exist to ensure that your systems are not compromised in an arrangement such as this. As you can see, NT can be used to operate an ISP server as well as (and usually better than) any UNIX machine can.
RAS can also provide network access to clients other than Windows clients. NetWare clients can access a Microsoft Windows Network through RAS provided NT has the NetWare gateway element properly installed in it. When the NetWare gateway is installed, NT servers can be used to give Windows workstations that only have Microsoft Windows Network client software installed access to NetWare resources and vice versa. The function of the gateway software is to allow different platforms to communicate with each other without requiring any special software on the client side.
Even though I cover other forms of remote access, the primary discussion centers on modem access, because this is the most common form. When considering what types of modems to use for remote access, it's always better to think big. RAS links will always work more smoothly with more speed. 28.8-Kbps modems are the current speed demons of the modem world. (Yeah, yeah, US Robotics makes a 38.4 Kbps modem, but don't forget, they also came up with the HST modem protocol and where is that now, hmmmm?)
Factors such as data compression and error correction will always make a RAS link operate better. Both software data compression (compression performed by the server and client software to reduce the size of the data to be transmitted) and hardware data compression (compression performed on the data stream by the modems themselves) will improve data transfer rates. Error checking can be performed by the transport protocol and/or the modems. The PPP transport protocol has built-in error-checking routines to ensure data quality, but the SLIP transport protocol does not. Therefore, SLIP should be used only in situations in which error-correcting modems and/or high-quality phone lines are used.
When configuring modems for RAS use, keep in mind that the DTE (Data Terminal Equipment, that is, the computer) speed should be as high as possible for the hardware involved. DTE speed is the speed at which the data passes between the local computer and the local modem.
When the modem talks to the computer it is installed in, it does so at the DTE or port speed at which it is configured. Usually, a port speed of at least 57.6 Kbps should be used for 28.8-Kbps modems. In this discussion, I assume 28.8-Kbps modems are being used. The DCE speed is the Data Carrier Equipment (that is, the modem) speed used between two connected modems. Many people ask why the port speed must be higher than the connect speed for efficient performance. Well, consider this.
The data stream between the modems is normally compressed. Perhaps, if you're lucky, you might see a 2:1 compression ratio in the data stream. Because RAS links generally deal in uncompressed data (that is, manipulating normal files), a 2:1 compression ratio is not out of the question. When the data arrives at the other end of the link, it is uncompressed first by the modem (if hardware compression is used) and then by the software (if software compression is used). When a full stream of data is coming in and is being uncompressed, the result is more data than the actual connect speed could carry without compression, meaning that more than 28.8 Kbps worth of data is arriving at the remote end. So that the modems do not have to wait to offload incoming data, the computer must be able to grab the data from the modem faster than the modem is actually receiving it; hence the need for a higher port speed than connect speed.
The same is true in the reverse scenario. For the sending modem to be as efficient as it can be, it must be fed the outgoing data at a faster rate than the connect speed because it is compressing it before it sends it out.
Methods of Connection
As indicated previously, several forms of connection can be used with NT RAS. Modems are the cheapest and easiest to deal with. X.25 lines are bundles of smaller analog lines with a static transmission rate of 9600 bps per line. X.25 lines were more common during the 1980s but have fallen out of the mainstream of communications with the onset of ISDN and full digital lines. ISDN and full digital lines are powerful communication lines but are the most expensive of the RAS connection methods.
By now, most people know how to use modems very well. Nearly all modems produced today are compatible with any other modem. However, some of the modems produced in the late 1980s, when standards for high-speed asynchronous communications were not yet developed, are not fit for NT RAS. Certain brands of Multi-tech and original Hayes modems relied on proprietary transmission protocols for their high-speed connections and as such will not work with today's modems.
Modems communicate through transmission protocols. I know the word "protocol" pops up in many forms in this chapter, and it can get confusing because it seems to refer to many things. In its truest form in this context, it refers to how two devices or applications or network client/server companions communicate with each other. One protocol can be transported by another, as with network protocols being transported by a PPP or SLIP protocol.
When I talk about modem protocols, I am referring to how they negotiate such things as baud rate, initial handshaking, error correction methods, and so on. Table 20.1 lists the protocols associated with the standard speed ratings you see with modems today. If you have a modem that does not adhere to these protocols for a given speed, your modem will not be compatible with the majority of modems produced today.
Table 20.1. Standard modem protocols and their speeds.
| Modem Connection Speed | Protocol Used |
|---|---|
| 1200 bits per second | V.22 |
| 2400 bits per second | V.22bis |
| 9600 bits per second | V.32 |
| 14400 bits per second | V.32bis |
| 19200 bits per second* | V.32terbo |
| 28800 bits per second | V.34 |
| 28800 bits per second** | V.FC |
* No standard was ever set for 19200-bps communications; however V.32terbo was the only one ever used on a large scale.
** Before the V.34 standard for 28800-bps communications was agreed on, V.FC was commonly accepted. V.FC modems will communicate with V.34 modems at 28800 bps.
Multi-Port IO Boards
As mentioned, NT RAS supports up to 256 connections. If you are unfamiliar with communications hardware, you may be wondering how 256 modems/ports can be installed in a single computer. Many manufacturers make multi-port IO boards that enable you to add many external modems onto a single computer without conflict. Rack-mount modem chassis are another solution to adding a large number of modems to a single computer. Mainstream modem manufacturers such as Hayes and US Robotics are now making such chassis.
When considering which brand of multi-port IO board or rack-mount modem chassis to purchase for an NT RAS server, be certain to consult the hardware compatibility list. Out of the box, NT supports only a certain number of these kinds of devices. If you are considering buying a multi-port IO device for NT that is not listed in the hardware compatibility list, be absolutely certain to contact the manufacturer of the device and find out if they have the correct drivers needed for Windows NT.
Multi-port IO devices sometimes work by sharing an IRQ for a single bank of modems that are attached to the card installed in the computer, though some multi-port IO cards produced today use no IRQs at all. Normally, IRQs cannot be shared on an ISA bus. This rule of thumb can be broken when the IRQ is being shared by a bank of devices chained off a card in a single slot. No two cards installed in an ISA bus computer can share the same IRQ and operate simultaneously, however.
When installing a large number of modems in an NT RAS server, it is always best to find a multi-port IO device that supports the highest possible port speed. The higher the port speed set for all modems attached to a RAS server, the more efficient the entire operation will be. Supported multi-port IO cards and devices are made by such manufacturers as Digiboard and Equinox.
Setting Up the Phone Lines for a RAS Server
The phone company in your area can set you up with something known as "a rotary" or "hunting group" for the phone lines you have dedicated to your RAS server. A rotary or hunting group is a group of lines linked together in a chain. If one line in the group is busy and a call comes in on it, the call will be rolled over to the next line in the chain until the end of the chain is reached or a free line is found. (A fee is sometimes charged for this service, but in my area [Central Indiana], the phone company will configure a rotary group for you for free.)
If you have a mixed lot of modems dedicated to a RAS server, it is best to put the fastest modems at the end of a rotary. That way, high-speed callers can call in at some point in the middle of the chain to connect only to the high-speed modems. If high-speed modems are placed at the head of a rotary, high-speed callers will be routed to the slower modems at the back end of the group if all the front-end high-speed modems are busy. If your users do not want the slower access, they should be given a busy signal when all the high-speed modems are in use.
X.25 lines are an old holdover from a time when modem communications were slow and unreliable. Today, X.25 lines are the old technology and should be avoided if possible. However, X.25 was a popular communication method in the 1980s and was in wide use. Therefore, X.25 access is still available in nearly all areas, inside and outside the United States.
The basic premise behind X.25 communications is that an X.25 line connects two points. At each point there is a PAD (Packet Assembler/Disassembler). The PAD takes the data being transmitted by the computer it is connected to, "packetizes" it into chunks, and then sends it out over the X.25 line. When the data reaches its destination, the packets are reassembled into their original data form.
X.25 communications can take place in periodic (like normal modem dial-up sessions) connections or through dedicated connections with a provider (like digital lines). When dedicated connections are used, a smart X.25 card must be used. Smart X.25 cards behave like modems, making NT think that it is always connected to the X.25 network.
Keep in mind that X.25 lines are metered service lines; you pay for the amount of data that travels along your lines because at every stop, the data is checked for accuracy, so some amount of effort is needed by X.25 hubs to manage your information. For the fees involved with X.25 communications, you can do much better with digital lines.
ISDN has been around now for a few years but has never really caught on like some thought it would. ISDN is a digital connection that comes in two forms: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI ISDN relies on three digital channels: two data channels and one controller channel. The two data channels (the B channels) can each carry up to 64 Kbps of data. The third, known as the D channel, is used by the ISDN hardware to communicate with the other ISDN hardware to which it is connected.
PRI ISDN uses T1 lines (bundles of twenty-four 64-Kbps lines). Full T1 lines can carry up to 1.544 Mbps of data. One line is held out in PRI ISDN communications for controller signals between the ISDN hardware.
Of the two forms, BRI ISDN is the more common. In my area, ISDN service can be installed for about $130, with a monthly charge of $95-$120. ISDN is not a metered service as of the writing of this chapter, meaning that there are no additional costs for the amount of data transferred over an ISDN connection.
The two data channels in BRI ISDN can be used as inbound or outbound channels. It is not necessary for both channels to be doing the same thing. They can be split up or combined to increase data flow. In fact, one of the channels can even be used for voice communication while the other is transferring data. When you obtain ISDN service from a phone company, a typical phone number is assigned to that ISDN line and other ISDN locations can dial up your system in the traditional manner. Obviously, this means that the remote location must have ISDN access. This makes ISDN a poor candidate for RAS if the majority of RAS clients will be coworkers who travel a lot and need access to the office network from their laptops. You won't find many hotels with installed ISDN lines in each room. (I have yet to see a single one myself.)
ISDN modems for BRI lines can be bought from retail places like CompUSA, Egghead, or Best Buy for $350-$500.
The line costs and the hardware costs involved with PRI ISDN are considerably higher than those for BRI ISDN. In fact, if you need that level of RAS connection, you should jump up to a full digital T1 line, which has more flexibility and a greater level of compatibility with common hardware.
If you are thinking about using NT RAS and ISDN to connect to the Internet, keep in mind that many ISPs do not currently offer ISDN connections, and it is unlikely that they will. I believe ISDN is destined to remain a novelty form of access that will be uncommon at best.
Full Digital Lines
Full digital lines are rarely used for actual RAS connections; they are more commonly found providing access to the Internet for an office full of workers. NT supports a wide range of digital connection solutions; Microsoft is really pushing NT into the Internet world.
Many Internet providers are reselling T1 level access at a reasonable rate. Keep in mind that a T1 line should be able to support 75-100 people in an office who need periodic Internet access to the desktop. Connecting an NT server to the Internet through a dedicated line is not the focus of this chapter and does not involve RAS. But, I can briefly mention some of the costs involved in obtaining this level of Internet access for a LAN.
The first items needed are a CSU/DSU and a Router. A CSU (Channel Service Unit) is the device that terminates the bare digital line pulled into an office from a provider (or phone company). The DSU (Digital Service Unit) connects to the CSU and converts the phone company signals carried along the line into a form that can be used by a computer that is running Windows NT or possibly UNIX. Between the computer and the CSU/DSU sits the Router. Its responsibility is to ensure that TCP/IP packets get to the right location.
All told, a CSU/DSU and a Router capable of carrying a T1 load of data costs $5,000-$7,000 (although CSU/DSU and router equipment capable of full T1 capacity can often be found at half this cost when purchased outside of an ISP; in other words, don't be railroaded into buying equipment from your ISP). Costs may come down in the very near future as mainstream companies are getting into the CSU/DSU and Router markets, creating a much-needed price war.
T1 lines cost between $1,000 and $2,000 monthly (though I have heard rumors by some that T1 capacity can be had for half this cost), depending on the provider used. Two elements are involved, although they are combined into a single cost: local loop access, the cost charged by the local phone company to link your site to the Internet provider you choose, and T1 Internet access, the fee charged by the Internet provider for getting your data onto the actual Internet. In my area, T1 level access costs about $450 for the local loop and $995 for the T1 Internet access monthly.
Direct Serial Connections
RAS can be conducted over a serial link when necessary. The only logical reason for this approach to RAS is that you cannot afford network cards. RAS links over serial connections are much slower in performance but can be used with little or no additional cost.
The only thing RAS needs for a serial connection is a null modem cable, which swaps around certain lines in a serial cable so that the receive and transmit lines are correctly routed to each machine. Null modem cables cost about $10.
The standard performance of a serial connection is in the range of 115 Kbps. This is about 1/100 of the theoretical performance of a 10BaseT network connection.
NT RAS can be used to connect other types of clients, not just Microsoft Windows Network clients. It can be used to hand out simple TCP/IP connections rather than full network connections. If you are thinking about using NT RAS to provide Internet services to callers, RAS will work just fine with nearly any client-side dialer that conforms to standard PPP or SLIP transport protocols. NT RAS also supports clear text authorization through PAP authentication. (Whew, what a mouthful, eh?) PAP (Password Authentication Protocol) is the simplest form of user authentication. It involves the client sending unencrypted user name and password strings to the host for validation. This form of authentication is shared by most dial-up network applications.
Even if a client cannot make a network connection with NT through RAS, it can still make a protocol (TCP/IP or IPX) connection.
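To make the "clear text" point concrete, here is an added example (not code from this chapter) that decodes the PAP packet format from RFC 1334 as it travels inside PPP frames, and audits a capture for accounts still authenticating this way. The PPP capture, the user name and the password are all constructed for the example.

```python
"""Decode PAP (Password Authentication Protocol, RFC 1334) packets carried in
PPP frames.  Added example, not from the chapter; the sample frames below are
constructed by hand to show what a RAS client sends when PAP is negotiated."""
import struct

PPP_PROTO_PAP = 0xC023      # PPP protocol number assigned to PAP

PAP_AUTH_REQUEST = 1        # client -> server: Peer-ID + Password
PAP_AUTH_ACK = 2            # server -> client: accepted
PAP_AUTH_NAK = 3            # server -> client: rejected


def parse_pap(ppp_payload: bytes) -> dict:
    """Decode one PAP packet (the PPP information field that follows the
    0xC023 protocol number).  Malformed input raises ValueError."""
    if len(ppp_payload) < 4:
        raise ValueError("PAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", ppp_payload[:4])
    if length < 4 or length > len(ppp_payload):
        raise ValueError(f"PAP length field {length} inconsistent with packet")
    body = ppp_payload[4:length]

    if code == PAP_AUTH_REQUEST:
        # Peer-ID-Length, Peer-ID, Passwd-Length, Password: no hashing and no
        # encryption, so both values are readable by anything on the line.
        if not body:
            raise ValueError("Authenticate-Request missing Peer-ID-Length")
        id_len = body[0]
        if len(body) < 1 + id_len + 1:
            raise ValueError("Peer-ID runs past end of packet")
        peer_id = body[1:1 + id_len]
        pw_len = body[1 + id_len]
        pw_start = 2 + id_len
        if len(body) < pw_start + pw_len:
            raise ValueError("Password runs past end of packet")
        password = body[pw_start:pw_start + pw_len]
        return {
            "code": "Authenticate-Request",
            "id": ident,
            "peer_id": peer_id.decode("latin-1"),
            "password": password.decode("latin-1"),
            "cleartext": True,
        }
    if code in (PAP_AUTH_ACK, PAP_AUTH_NAK):
        # Msg-Length, Message (human-readable text, possibly empty)
        if not body:
            raise ValueError("Ack/Nak missing Msg-Length")
        msg_len = body[0]
        if len(body) < 1 + msg_len:
            raise ValueError("Message runs past end of packet")
        name = "Authenticate-Ack" if code == PAP_AUTH_ACK else "Authenticate-Nak"
        return {"code": name, "id": ident,
                "message": body[1:1 + msg_len].decode("latin-1")}
    raise ValueError(f"unknown PAP code {code}")


def build_auth_request(ident: int, peer_id: str, password: str) -> bytes:
    """Encode an Authenticate-Request as a PPP dialer would send it
    (used here only to construct the sample exchange)."""
    uid = peer_id.encode("latin-1")
    pw = password.encode("latin-1")
    body = bytes([len(uid)]) + uid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def build_auth_ack(ident: int, message: str = "") -> bytes:
    """Encode the server's Authenticate-Ack (sample exchange only)."""
    msg = message.encode("latin-1")
    return (struct.pack("!BBH", PAP_AUTH_ACK, ident, 5 + len(msg))
            + bytes([len(msg)]) + msg)


def pap_frames_in_capture(frames):
    """Audit helper: given (ppp_protocol, payload) pairs from a line capture,
    return decoded Authenticate-Requests with the password redacted, so an
    administrator can list which accounts still authenticate in the clear."""
    found = []
    for proto, payload in frames:
        if proto != PPP_PROTO_PAP:
            continue
        pkt = parse_pap(payload)
        if pkt["code"] == "Authenticate-Request":
            pkt["password"] = "*" * len(pkt["password"])
            found.append(pkt)
    return found


# Constructed sample exchange: a RAS client offers credentials, server accepts.
SAMPLE_CAPTURE = [
    (0xC021, b"\x01\x01\x00\x04"),                        # LCP packet, ignored
    (PPP_PROTO_PAP, build_auth_request(7, "alice", "s3cret!")),
    (PPP_PROTO_PAP, build_auth_ack(7, "Welcome")),
]

if __name__ == "__main__":
    for hit in pap_frames_in_capture(SAMPLE_CAPTURE):
        print(f"PAP request id={hit['id']} user={hit['peer_id']} "
              f"password={hit['password']}")
```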
RAS is normally not installed by NT when NT is installed for the first time on a computer. However, if you indicate that your NT server will be participating in a network through a dial-up connection, RAS will be installed during initial installation of NT. One thing to keep in mind when deciding whether to include RAS when NT is installed for the first time is the communication ports situation. If you are using serial expansion cards set to nonstandard addresses and interrupts, NT will not know about these ports during initial installation, and therefore the RAS service cannot be set to use these ports immediately. The only way of using nonstandard ports (ports that do not conform to standard comm ports 1 through 4 settings) is to configure the ports in NT when NT is up and running. RAS relies on so many other NT services (such as network protocols, DHCP service, nonstandard ports, WINS service) that I always opt to install it last, after all other services are installed and confirmed to be working correctly. There is no drawback to installing RAS at a later point.
It's a good idea to have a few things installed in NT before RAS is installed. It makes things go a lot more smoothly and may prevent you from having to reinstall RAS at a later time. The following is a list of suggested elements that should be installed prior to installing RAS:
- All needed network protocols. The more protocols you have installed, the more memory is required. The TCP/IP protocol is the biggest memory hog. If you do not need a protocol or do not plan on needing it in the future, you can increase NT's performance somewhat by not installing it.
- DHCP Server. The DHCP Server (Dynamic Host Configuration Protocol) will automatically configure TCP/IP clients who request setup information after a RAS connection is made. This prevents TCP/IP clients from having to know your TCP/IP subnet information and preconfiguring their end before they connect. Mind you, a DHCP server does not have to be running on the same machine as the RAS server. Only one DHCP server can be used for any given network segment. If a DHCP server is already running somewhere on your network segment, RAS will use it (if instructed to do so) to dole out TCP/IP setup information to clients.
- WINS Server. The WINS server in a Microsoft Windows Network is the name resolution server of choice for all Microsoft network applications. Name resolution is a process of finding out the actual IP address associated with a hostname. Keep in mind that WINS is not really supported outside of Microsoft channels. Again, a WINS server does not have to be running on the same machine as the RAS server; it can be running on any machine in the network segment to be used by RAS.
- DNS Server. The DNS Server element is new to NT 4.0. DNS is similar in function to WINS in that both are responsible for resolving hostnames. However, DNS is the de facto standard for name resolution. If you have non-Microsoft clients that need name resolution services connecting to your RAS server, you should have DNS set up and correctly configured before installing RAS. Once again, the DNS server need not be running on the RAS server machine to be accessible to RAS.
- All modems and/or ports for your system. Installing modems can be done through the Modems icon in Control Panel. The modem installation Wizard will guide you through adding a modem to your system. If you have any unrecognized serial ports on your system that you want RAS to use, install them before installing RAS through the Ports icon in Control Panel. You will need to know the base address and IRQ (interrupt) of each port to correctly install them into NT. NT does not have any detection routines for automatically installing new serial ports. Note that if you have modems attached to ports that are not recognized by NT, the modem installation Wizard cannot locate them. You should first configure all serial ports before using the modem Wizard to add new modems to the system.
Beginning the Installation
To begin the installation, access the Network setup area of NT. This is done in one of two ways:
- Right-clicking the Network Neighborhood icon and then selecting Properties from the pop-up list.
- From the NT Control Panel, double-clicking the Network icon.
Both of these methods will get you to the same place, as shown in Figure 20.3.
The Network Properties dialog box.
To begin installing RAS, click the Services tab, as shown in Figure 20.4. The Services section of Network setup enables you to see all the services that are installed and install new ones.
The services section of the Network Properties dialog box.
Click the Add button to begin installing a new service.
NT will produce a list of services that can be installed. Use the Scroll bar of the dialog box to scroll down until you see Remote Access Services. Highlight that item and click OK, as shown in Figure 20.5.
Selecting Remote Access Services for installation.
Depending on how you originally installed NT, you will be asked either to insert the Windows NT 4.0 CD into the CD-ROM drive or for a directory location where the setup files are kept. Enter the correct path if necessary and click OK. (Figure 20.6 shows the RAS installation progress.) Note that the correct subdirectory on the Windows NT CD for setting up new services is \i386 for the Intel processor version of NT.
Installing Remote Access Services into NT.
When NT has installed all the necessary components for RAS, it will next ask you for connection devices it should use. If you already have a modem or modems set up in NT (through the Modem icon in Control Panel), they will be available to add to RAS as dial-in/out ports (shown in Figure 20.7). If you have not set up your modems, you can have RAS configure and/or detect them at this time.
Adding a RAS device to Remote Access Services.
The drop-down list shows all currently configured modems. Selecting one from the list and clicking OK will add the modem to RAS. If you have already configured your system correctly for other devices such as X.25 Pads or ISDN devices, these will also be available in the drop-down list.
The following buttons are available from the connection setup dialog box:
- OK: Selecting OK at this point adds the currently selected communication device to RAS.
- Install Modem: Selecting this button starts the modem installation Wizard, which can also be accessed through the Modems icon in Control Panel. If no modems are defined, or there are modems attached to the server that are not configured yet, this button enables you to install them at this time.
- Install X.25 Pad: This option enables you to add any X.25 Pads that may be attached to the server to RAS. The X.25 Pads must already be installed and configured correctly before they can be added to RAS.
When a communication device has been selected and OK has been clicked, the next step of RAS configuration takes place. Don't worry, other connection devices can still be added to RAS before its installation is complete. Figure 20.8 shows the main RAS setup dialog box. It indicates the current devices that RAS will use and enables you to access other configuration aspects of RAS. This is the dialog you will see if you need to reconfigure RAS at a later time. The following buttons are available on this dialog box:
- Add: This button accesses the Add Device to RAS routine again and enables you to select another RAS device.
- Remove: This removes the currently highlighted connection device from the connection list.
- Configure: This enables you to reconfigure the currently selected port and configure a new modem for the selected port.
- Clone: This creates a duplicate of the connection entry currently highlighted in the list for the next available port. This is a handy button to use when you have many of the same type of modem and you want to quickly configure them all.
- Network: This enables you to configure the network options for RAS.
The main Remote Access setup dialog box.
When you have set up all connection ports, highlight a connection device and click Configure. Each device can be set as dial-in only, dial-out only, or both, as shown in Figure 20.9. By default, devices added to RAS are dial-in only. Unless you have specific security reasons for prohibiting users (or yourself as Network Administrator) from dialing out from the server, each port should be set as both a dial-in and -out port.
You can configure a RAS device as dial-in, dial-out, or both.
Set all RAS devices as needed in this manner. The next configuration step is to set the network options for RAS by clicking the Network button in the main RAS Setup dialog box (Figure 20.10).
The Network Setup dialog box for RAS.
The Network Configuration for RAS is pretty straightforward. If the upper selection is unavailable (grayed out), that means you have not selected any ports for dial-out access.
The upper areas of this dialog box enable you to indicate the protocols you want to permit during RAS sessions for both outbound and inbound calls. By default, all the protocols you have installed will be checked.
The Encryption Settings enable you to determine how NT will accept authentication requests from callers. By default, RAS will only accept clients that can perform Microsoft Authentication routines. Most likely, only other NT RAS, Windows for Workgroups, and Windows 95 callers will be performing this kind of authentication routine. You can further restrict this form of access by requiring encrypted data.
The other two options are less rigid in their authentication requirements. Allow Any Authentication including clear text allows any form of authentication to be used by the client, including PAP. If clients other than Windows clients will be connecting to your RAS server, check this box. It reduces the level of security of authentication but offers higher flexibility.
Require Encrypted Authentication sets RAS to accept any authentication method except PAP.
The Enable Multilink checkbox sets RAS to allow multiple RAS ports to be used to connect to the same server concurrently. This merging of ports allows an increase in data throughput without having to invest in high-speed lines.
Each of the protocols permitted for dial-in access can be configured. The NetBEUI protocol is simple; only two settings can be altered.
RAS NetBEUI-only clients' access can be restricted to the local dial-in computer only, or they can have access to the entire network, depending on which radio button is selected in the NetBEUI Configuration area.
IPX configuration (Figure 20.11) is slightly more involved. Like NetBEUI-only clients, IPX clients' access can be restricted to the dial-in computer, or they can be permitted to access the entire network.
IPX protocol setup for RAS.
Allocate Numbers Automatically tells RAS to assign any available IPX network number to a RAS client. Allocate Network Numbers (range) enables you to indicate where RAS should begin looking for available IPX network numbers. RAS will calculate how many are available from the starting point you enter. IPX network numbers are 8-position hexadecimal numbers.
Assign Same Network Number to all IPX Clients tells RAS to use the same IPX network number for all RAS clients. This cuts down on the routing table information used by NT. RAS will only enter one IPX network number in the routing table for all RAS IPX clients.
Allow Remote Clients to Request IPX Node Number tells RAS that IPX clients can request an IPX number if it is available. This could pose a security risk because it is possible (but unlikely accidentally) for an IPX RAS client to request an IPX network number that has recently been used. Should this prove to be the case, the IPX client may be granted the same access as the previous owner of the IPX network number.
RAS TCP/IP Network Configuration
By far, the most flexible network protocol for RAS use is the TCP/IP protocol. It permits routing of network packets and is used by a wide range of platforms. Figure 20.12 shows the TCP/IP Network Configuration dialog box for RAS.
The TCP/IP protocol setup for RAS.
As with NetBEUI and IPX, TCP/IP clients' access can be restricted to the local dial-in computer, or they can have access to the entire network.
Use DHCP to Assign Remote TCP/IP Client Addresses tells RAS to consult the DHCP server of the network when handing out IP addresses to RAS clients. The DHCP server of a network can give all needed TCP/IP settings to RAS callers if their end is configured to accept setup instructions from the server into which they are dialing. This is the simplest way of handling TCP/IP RAS clients. It ensures that they have the correct IP address and related settings to correctly communicate on the network into which they are dialing.
If you do not want the network DHCP server to hand out IP addresses, you can manually configure a range of addresses that RAS itself will hand out to RAS clients by checking the Use Static Address Pool checkbox. When that is checked, you can indicate the address range that RAS should use and any exclusions that may be necessary to keep the address pool from intruding on other TCP/IP clients.
If Allow Remote Clients to Request Predetermined IP Addresses is checked, TCP/IP RAS clients will be permitted to request a specific IP, and RAS will grant that request if the IP address is available and within the RAS pool or DHCP scope of addresses. This enables RAS clients to have a reliable static IP address. If you administer a small network in which you have enough IP addresses to go around, it is very convenient to use static IP addresses.
Dynamic versus static IP addresses, that is the question. If you plan on using NT to run some form of ISP service, you will most certainly have to stick with dynamic addresses because you will likely have more RAS users than available IP addresses.
When you have all ports configured with the correct devices, clicking Continue finalizes the RAS installation process. When it has been installed, you are informed that you must use Remote Access Admin to grant dial-in permission to the users of your network.
You may be asked to answer a few minor questions, depending on which other services you have installed in your NT system. Questions relating to RIP for IPX or RIP for TCP/IP are required to be answered. These involve how NT will handle broadcast packets that come across these protocols. Broadcast packets can be propagated by NT, meaning that NT will forward broadcast packets on said protocol lines to every segment to which NT has access. Normally, broadcast packets are not rebroadcast by servers to ensure the network does not have redundant information passing through it. However, RIP for IPX and for TCP/IP allow for the repropagation of broadcast packets. For example, if a RAS client is sending broadcast packets through the TCP/IP protocol, NT will not rebroadcast them to the rest of the network unless RIP for TCP/IP is installed and enabled. This means that other physically connected network clients will not hear the RAS client broadcast packets. However, most IPX and TCP/IP network packets are not broadcast packets; they are directed packets that NT does forward to the appropriate client. RIP for IPX and RIP for TCP/IP add more overhead to the network tasks NT must perform.
After NT reads from the installation CD a little more, RAS should be completely installed, as shown in Figure 20.13.
RAS installation is complete.
From this point on, unless you do something like install a new network protocol, all of your control of NT RAS is done through Remote Access Admin, found in the Administrative Tools folder. This is the main control application for RAS services and is also the application that enables you as Network Administrator to see who is currently connected to the server through RAS.
Reboot the server, and the RAS element will be automatically started when the computer boots up.
Several things must be considered when setting up an NT RAS server. The following section covers some of the issues relating to RAS.
The Difference Between PPP and SLIP
The two transport protocols used by RAS, PPP and SLIP, both perform the same function: encapsulating the network protocols so they can be transmitted through an asynchronous communication link. NT supports both types of connections without any special configuration on the server side; if a SLIP connection comes in, RAS establishes a SLIP connection, and if a PPP connection comes in on the same channel at a later point, NT establishes a PPP connection. RAS as a client can be configured for SLIP or PPP for each entry you add to the RAS phone guide. The transport protocol is not a RAS-wide setting. It can be set for each entry in the phone guide when RAS is used as a client.
PPP is the newer of the two protocols and the one that is most commonly used today. By default, the Windows 95 network dialer is set to make PPP connections. SLIP is not supported in the basic Windows 95 installation; you need the Plus pack to add SLIP as a valid transport protocol for the network dialer.
PPP has several advantages over SLIP. First, it has incorporated error-checking methods to ensure the quality of data that is transferred over a PPP connection. (PPP has other features, such as flow control, that help to ensure an efficient transfer of data.) PPP uses an error-checking method known as checksum. This form of error checking is not the most advanced, but it is better than nothing if you have noisy telephone lines. Checksum works by adding up the binary bits in a data packet and tagging the end of the packet with that checksum total. The receiving end does the same addition on the packet bits, and if it comes up with the same total as the sending side, it considers the packet to be without errors and keeps it. If the checksum totals do not match, it does not acknowledge the reception of the packet, and the other side, having not received an ACK for the packet within the allotted time frame, will resend it. Checksum is one of the slowest forms of error checking, because it must add up a string of thousands of bits. CRC error checking, in contrast (used by terminal transfer protocols such as Zmodem), is a faster, more reliable error-checking method because it performs a calculation on certain sections of the data bits rather than simply adding them up. CRC is not used by RAS or any other standard form of Internet connection.
SLIP, on the other hand, is a bare-bones transport protocol that has few extraneous elements to slow it down. SLIP can oftentimes be faster than PPP just because it doesn't do any of the error checking that can slow PPP down. With error-correcting modems being so commonplace these days, data flow over phone lines is a pretty stable thing. If you are using RAS as a client to connect to an Internet provider and you and the provider have error-correcting modems, SLIP may be the better choice for you. However, PPP supports other connection elements that make it a strong choice over SLIP when available.
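To make the checksum-versus-CRC argument above concrete, here is an added example (not code from the book or from RAS) that corrupts a frame by transposing two bytes and runs it through both checks. The frame bytes, the 16-bit checksum width, and the CRC-16/CCITT parameters are constructed for the demonstration and are not RAS or PPP wire formats.

```python
"""Additive checksum versus CRC on a corrupted frame (added example).

A checksum that just adds up the bytes of a packet cannot tell that two
bytes were swapped on the line, while a CRC catches it. The receiver
function models the ACK decision described in the text: accept and ACK,
or stay silent so the sender resends after its timeout.
"""
from typing import Callable

Check = Callable[[bytes], int]


def additive_checksum(data: bytes) -> int:
    """Sum of all bytes, truncated to 16 bits (the 'add them up' method)."""
    return sum(data) & 0xFFFF


def crc16_ccitt(data: bytes, init: int = 0xFFFF, poly: int = 0x1021) -> int:
    """Bitwise CRC-16/CCITT: polynomial division of the whole bit stream."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(payload: bytes, check: Check) -> bytes:
    """Sender side: append the 16-bit check value to the payload."""
    return payload + check(payload).to_bytes(2, "big")


def receiver_accepts(frame: bytes, check: Check) -> bool:
    """Receiver side: recompute the check over the payload and compare.

    True means the packet is kept and an ACK goes back; False means no ACK,
    so the sender retransmits when its timer expires.
    """
    if len(frame) < 2:
        return False
    payload, tail = frame[:-2], frame[-2:]
    return check(payload) == int.from_bytes(tail, "big")


def swap_bytes(frame: bytes, i: int, j: int) -> bytes:
    """Simulate line noise that transposes two payload bytes."""
    buf = bytearray(frame)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


# Constructed sample payload (12 arbitrary bytes); not a real RAS packet.
PAYLOAD = b"\x45\x00\x00\x2c\x1c\x46\x40\x00\x40\x06\xb1\xe6"


def compare_methods() -> dict:
    """Run the same corruption through both checks and report the outcome."""
    results = {}
    for name, check in (("checksum", additive_checksum), ("crc", crc16_ccitt)):
        good = build_frame(PAYLOAD, check)
        bad = swap_bytes(good, 0, 5)   # bytes 0x45 and 0x46 change places
        results[name] = {
            "intact_accepted": receiver_accepts(good, check),
            "corrupt_accepted": receiver_accepts(bad, check),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_methods().items():
        print(f"{name}: intact accepted={r['intact_accepted']}, "
              f"swapped bytes accepted={r['corrupt_accepted']}")
```

The additive checksum is unchanged by reordering, so the swapped frame is accepted and ACKed; the CRC, which depends on bit position, rejects it.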
Routing over a RAS Link
A RAS connection works much the same way a routing connection does. RAS will not, by default, forward broadcast data packets from one LAN to another LAN, meaning that RAS cannot be used by itself to link two LANs into a WAN (wide area network). RAS simply does not have this capability. So, you cannot link two NT RAS servers on different LANs and let the workstations on each network have access to the other network's resources. Access to the remote network resources is available only from the NT RAS servers that are connected directly with a RAS link.
With some tweaking, though, and some third-party RAS software such as Shiva, it is possible to perform LAN-to-LAN routing using the TCP/IP protocol. (NetBEUI is a broadcast-based protocol, and IPX is not NT's primary protocol of choice.) Microsoft has written an excellent Knowledge Base article on this subject, and recounting it here in its entirety would take too many pages. (The Knowledge Base article number is Q121877, and it can be downloaded at no cost from CompuServe or the Internet at www.microsoft.com.)
Routing between a LAN and the Internet is an easier thing to accomplish. For that to take place, your network must meet the following criteria:
- All systems on the LAN that need desktop Internet access must have valid Internet IP addresses. You are not required to have a full class C subnet (a complete range of 255 valid Internet IPs), but it does help to avoid expansion problems later.
- You must have an Internet provider to give you access to the Internet.
- You must have a connection method to the provider with a static IP. This can be a dedicated modem connection or a dedicated high-speed line such as a T1.
- You must make some alterations to certain Registry settings on the NT machine, which will act as the gateway machine for the entire LAN.
- All LAN clients that need pass-through access to the Internet must be configured to know which machine on the LAN is the gateway.
Class C subnets are issued by the Internic, the governing body for the Internet. Most of the time, however, you will work through a local provider to apply for a valid class C subnet on the Internet.
When you have all the physical elements in place, you can make two alterations to Registry parameters:
- Changing the DisableOtherSrcPackets value in the HKEY_LOCAL_MACHINE subtree found in the branch \Systems\CurrentControlSet\Services\RasArp\Parameters from the default of 1 to 0. This enables the gateway machine to forward IP packets that do not have the same IP as that of the local gateway network adapter. This is essential for correct IP routing.
- Changing the IpEnableRouter key, also found in the HKEY_LOCAL_MACHINE in the branch \Systems\CurrentControlSet\TcpIp\Parameters. This must be changed from its default of 0 to 1. This enables the gateway machine to forward incoming IP packets from the Internet to the correct machine on the LAN.
It is always a good idea to reboot your server after editing any Registry parameter. Some parameters will be enabled immediately upon editing the Registry, and others require a reboot before they become active; it's hard to tell which is which. Also, be careful when editing the Registry. Altering the wrong things in the Registry can cause your server to become unstartable and a reinstallation of NT might be the only thing that can get you back up and running. Chapter 18 covers issues relating to editing Registry values.
Other applications are available that allow proxy access to the Internet. By this, I mean that even though workstations on your network may not have valid Internet IPs, they can still access the Internet through a machine that does have a valid Internet link (this can even be a personal dial-in account). Software such as WinGate acts as a proxy for Internet traffic on a LAN and ensures that Internet data gets to the right workstation. A proxy in this context is an application that acts on behalf of another application when that application cannot do something for itself. In this case, we're talking about something like Netscape that can't access the Internet on its own because the workstation does not have a valid Internet connection. Netscape can be instructed to talk to a proxy, which in turn talks to the Internet and forwards the data to Netscape.
WinGate can be found at the address http://nz.com/NZ/commerce/creative-cgi/special/qbik/wingate.asp or downloaded from www.windows95.com. It works well on an NT server and is worth looking at if you need this sort of solution for your LAN.
Trust Relationships over a RAS Connection
This is a situation I found myself in once and thought it might be a good idea to cover it here because I have never seen it addressed in any other place.
The purpose of trust relationships is to allow users from one domain access to the resources of the other domain without needing to have parallel user accounts in both domains. Trust relationships can be a pain when RAS becomes involved.
As already covered, LAN to LAN routing is not possible without some extra RAS server software and some alterations to the Registry. So, if the PDCs of both domains are connected through RAS, the back-end workstations will not have access to that RAS link (and to the remote domain's resources). Suppose that while the two PDCs are connected, the administrators of each domain establish a two-way trust relationship between the two domains. That means that the PDC for domain A will reference the PDC for domain B when domain B users attempt to access domain A resources and vice versa. Suppose now that the RAS link between the two PDCs is severed.
Suppose, however, that workstation A1 (let's say it's a Windows 95 workstation) does a direct dial-in through the network dialer to the PDC of domain B. Now, A1 should have access to the network resources of domain B, in theory. This is not the case, though, because of the established trust between domains A and B. A trust should make networking easier, but in this case it makes it frustrating. Because A1 is a member of the A domain, the PDC from domain B wants to talk to the PDC of A to get validation information on A1. But because it cannot find the PDC of A to validate A1 (it cannot use the RAS link between A1 and PDC B; Windows 95 does not route network connections over RAS links either), A1 will be denied all access to NT-secured resources.
In these types of situations, you may find yourself getting a lot of Cannot find Logon Server error messages. This is the remote PDC telling you that it cannot find your local PDC to validate your account. The solution to this situation is to not have a trust relationship between two RAS-linked domains and rely on parallel user accounts in each domain that match exactly.
Managing Bindings to Enhance Network Security
One of the surest ways to make certain that part of your network is not accessible to outside RAS clients is to use a protocol on the section of the network you want isolated that is not used by RAS or at least is not bound to the network adapter card in the RAS server.
For example, let's say you had certain Windows 95 workstations on your LAN that you did not want RAS callers to have access to but you did not want to go to the trouble of setting up passwords or user lists on all of the resources of those network workstations. Windows 95 workstations are horrible at securing their own resources. All Windows 95 workstations can do to secure their own network resources is assign passwords or valid user lists to resources. These workstations do not reference an NT PDC to find out if an outside user can access their resources. NT is a much more secure platform for network restricting.
These Windows 95 workstations could have only the NetBEUI protocol installed in them and the RAS server of the network could only support TCP/IP connections. This in effect would isolate those workstations from RAS callers. However, what if you wanted to have RAS callers with both NetBEUI access to the local RAS machine and network-wide TCP/IP access?
This could be done by unbinding the NetBEUI protocol on the NT RAS server from the network adapter in the NT machine. This would give RAS callers NetBEUI access to the RAS resources and systemwide TCP/IP access, but no NetBEUI access to any other areas of the network. Be careful not to accidentally sever a portion of your actual LAN by altering the bindings of your NT server. Think things through before you snip.
You can alter bindings by going into the Network setup area of Control Panel and selecting the Bindings tab. The NetBIOS Interface controls the basic In/Out operations of the network hardware/adapters. You will find an entry for each network protocol you have installed in NT listed under this heading. Under those protocols, you will see which network adapters are bound to those protocols. You can choose to disable a binding for a protocol to an adapter, thereby severing that network channel. You can see in Figure 20.14 that I have highlighted my network adapter card under the NetBEUI protocol. If I click Disable, all NetBEUI access to the rest of the network from my NT server would be severed, but I could still rely on the TCP/IP protocol for network-wide access. But be careful when disabling binding. It is unlikely that you will make your system unstartable, but you could cause certain elements to stop working if they do not have the correct bindings. For example, if you disable the TCP/IP binding to the local network adapter, the WINS server might fail to start correctly.
Disabling a binding to the server side of a network from RAS clients.
Name Resolution over RAS links
Generally, only one WINS server is needed in an NT network. Look at Figure 20.13. If both domain A and domain B had their own WINS servers and A1 dialed into PDC B, it would still be asking its own WINS server on domain A for name resolutions for the hostnames on the remote network. This causes problems when trying to browse remote resources.
The network dialer of Windows 95 workstations allows for the stipulation of a Primary and Secondary WINS server. However, this is overridden and not used when a workstation already has an established connection to a running WINS server. Indicating a Primary and Secondary WINS server in the network configuration is not a process of setting a chain of WINS servers to reference for name resolutions; it is indicating which addresses to attempt to find a single running WINS server.
So, what do you do when you want name resolution on remote network workstations but your local WINS server has no information on these systems? Well, as a Network Administrator, you could manually enter the remote network names/IP sets into the local WINS database as static systems, or you could set up an LMHOSTS. file for network workstations that might have RAS connections to the remote systems.
An LMHOSTS. (LAN Manager Hosts) file is a text file found in the \Windows directory of Windows 95 workstations and in the \%systemroot%\system32\drivers\etc directory of NT servers and workstations. When all normal channels of name resolution fail to come up with an IP for a hostname, the local system trying to resolve the name will reference an LMHOSTS. file. The format of this file is simple. The following line is an example of a line you might see in an LMHOSTS. File:
126.96.36.199 PANDY.COM #PRE
The first item of the line is the IP address of the host; the second is the hostname; and the third, #PRE, instructs NT to preload the name into the name resolution cache when NT is started. Normally, the LMHOSTS. file is read from a datafile when necessary. If you have systems you will be referencing often, their names/IPs should be preloaded into the name cache when NT starts to ensure that the names are resolved quickly. Each of the items of the line must be separated by at least one space and the IP must begin on the first character of the line.
An LMHOSTS.SAM file can be found in the \Windows directory of Windows 95 system and in the \%systemroot%\system32\drivers\etc directory of NT systems. You can reference these sample files to see more options that the LMHOSTS. file supports.
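As an added example (not from the book or from Windows), the following parser applies the LMHOSTS rules given above: the IP address comes first and must start in column 1, the host name follows, and an optional #PRE tag marks the entry for preloading into the name cache. The sample file content, the host names and the addresses other than the one quoted in the text are constructed for this example.

```python
"""Parse LMHOSTS lines into name-resolution entries (added example).

Rules applied, as described in the text: '<ip> <name>' separated by at
least one space, the IP starting in the first column, and an optional
'#PRE' tag meaning the entry is preloaded at startup. Any other text after
a '#' is treated as a comment. Malformed lines raise ValueError so a bad
file is noticed instead of silently giving wrong answers.
"""
from dataclasses import dataclass
from typing import List, Optional, Set
import ipaddress


@dataclass(frozen=True)
class LmhostsEntry:
    ip: str
    name: str       # NetBIOS host name, stored upper-case
    preload: bool   # True when the line carries #PRE


def parse_lmhosts_line(line: str) -> Optional[LmhostsEntry]:
    """Return an entry for a mapping line, None for blank or comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    if line[0].isspace():
        # The IP address must begin in the first character of the line.
        raise ValueError(f"entry does not start in column 1: {line!r}")
    mapping, _, tail = line.partition("#")
    fields = mapping.split()
    if len(fields) != 2:
        raise ValueError(f"expected '<ip> <name>' before any '#': {line!r}")
    ip_text, name = fields
    ipaddress.IPv4Address(ip_text)  # raises ValueError on a bad address
    if len(name) > 15:
        # NetBIOS names are limited to 15 characters.
        raise ValueError(f"NetBIOS name too long: {name!r}")
    tags = ("#" + tail).split()     # e.g. ['#PRE'] or ['#PRE', '#', 'note']
    return LmhostsEntry(ip=ip_text, name=name.upper(), preload="#PRE" in tags)


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Parse a whole file's contents, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_lmhosts_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def preloaded_names(entries: List[LmhostsEntry]) -> Set[str]:
    """Names that would be put into the name cache when the system starts."""
    return {e.name for e in entries if e.preload}


def resolve(name: str, entries: List[LmhostsEntry]) -> Optional[str]:
    """Last-resort lookup, as the text describes: first matching entry wins."""
    wanted = name.upper()
    for e in entries:
        if e.name == wanted:
            return e.ip
    return None


# Constructed sample file; the first line is the one quoted in the text.
SAMPLE_LMHOSTS = """\
# constructed LMHOSTS sample for the example
126.96.36.199 PANDY.COM #PRE
10.1.2.3      REMOTE-FS
10.1.2.4   REMOTE-PDC  #PRE  # PDC of the remote domain
"""

if __name__ == "__main__":
    entries = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in entries:
        print(e)
    print("preloaded:", sorted(preloaded_names(entries)))
    print("REMOTE-FS ->", resolve("remote-fs", entries))
```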
Another way of ensuring that all names are resolved is to use a DNS server rather than a WINS server. Unlike WINS servers, DNS servers can be chain searched when one DNS fails to resolve a hostname. The DNS entry of a network dialing entry will be referenced even if a local DNS server is in operation.
Using RAS Admin
The Remote Access Admin application is your main application for controlling active RAS connections. It can be found on the Start menu in the Administrative Tools folder/submenu. Figure 20.15 shows the main RAS Admin interface.
The Remote Access Admin dialog box.
After starting RAS Admin, you are shown a list of all RAS servers running in the current domain and what the connection load is on each one. On my own network, I have only one RAS server, and that is located on the NT server called CONTROLLER (which also happens to be my PDC). As you can see, I have two RAS ports, and one of them is currently in use by a friend of mine. Double-clicking a RAS server listed in this area will display a detailed report of that RAS server's connections.
As you can see in Figure 20.16, a detailed listing of all ports on the selected RAS server is shown. On my own system, I have two ports configured, ports 11 and 12, both of which are 28.8 Kbps modems. From this dialog box, I can do the following by clicking the buttons on the right side:
The RAS Communications Ports dialog box.
- Port Status: This button displays some statistics about the data that has passed through that port for the current connection and which protocols are active on that port, as shown in Figure 20.17.
The RAS Port Status dialog box.
As you can see, a lot of data about the current connection is shown. The Reset button of this dialog box enables you to reset all numbers to 0 so you can track fresh activity. It looks like Steve has two network protocols active, NetBEUI and TCP/IP (shown at the bottom of the dialog box).
- Disconnect User: This button enables you to disconnect the remote user, forcefully and without warning to him or her.
- Send Message: This sends a message to the currently highlighted RAS user. The RAS user must be running an application that displays network messages. Windows 95 and Windows for Workgroups use NetPopup for displaying such messages. If this application is not running on the remote side, any message sent will not be displayed. NT servers and workstations can display network messages automatically without the aid of an external program.
- Send Message to All: This button enables you to broadcast a message to everyone connected to this RAS server.
The Server pull-down menu of RAS Admin contains the following commands:
- Communication Ports: This displays the detailed ports list for the currently highlighted server. This is the same as double-clicking a RAS server in the server list.
- Start Remote Access Service: This enables you to start RAS on the currently highlighted server if RAS is stopped for some reason.
- Stop Remote Access Service: This halts the RAS element on the currently highlighted server. This action will disconnect any currently connected users. You will receive a warning about this and be asked if you want to continue.
- Pause Remote Access Service: This pauses the RAS element on the currently highlighted server but does not drop the connection of those attached or deactivate their network connections. It does halt any new calls from being accepted, however.
- Continue Remote Access Service: This enables RAS to accept new calls after being paused.
- Select Domain or Server: This enables you to browse RAS servers of any other domain you have administrator rights on, as shown in Figure 20.18.
Checking out RAS servers on other domains.
In the figure, you can see my personal home domain WOLFE listed with two others: GAME_SYS and D2. These are trusted domains of my office. By selecting one, I can view the activity their RAS servers are experiencing. The Low Speed Connection checkbox tells RAS to not perform any browsing services on these domains when opened. Browsing can sometimes take a lot of time, so you can increase your low-speed network connections' performance by not supporting browsing services.
You must have Administrator privileges to examine RAS servers running in other domains and you must be acknowledged in those domains as a valid Administrator.
The Users pull-down menu contains the following two commands:
- Permissions: This enables you to grant or deny RAS permissions to any NT user, as shown in Figure 20.19. This is important because by default no user has RAS access.
Granting RAS dial-in permission to users of your domain.
The list box in the figure shows a list of all NT users in the NT user database of the currently selected domain. If you have Administrator rights on other domains, you can manipulate the RAS permissions of users from other domains for their RAS servers. Selecting a user in the list box and then checking the Grant Dial in Permission to User checkbox enables that user to make a RAS connection to any RAS port. The Grant All enables all users in the NT database to have RAS access. Revoke All takes away RAS access to all NT users.
- Call Back: This enables you to determine how RAS handles call-backs to the currently highlighted user. Call Back is both a form of security and a cost-saving measure. If RAS is set to call a user back at a predetermined number, that user must be calling from a set location (a very high form of security). It also allows an office to cut down on any possible long-distance charges an employee may encounter when needing RAS access to the office network. No Call Back is the default, which means NT will allow a user to remain connected with his or her first call. Set by Caller enables the remote caller to determine if he or she wants to be called back. This type of call-back is both a form of security and helps keep any long-distance costs off the employee's back. After making a connection, RAS will ask the user at what number he or she would like to be called back. RAS will then drop the connection and call the number indicated. Preset to tells RAS to always call the user back at the indicated number.
Also note that when editing user records with the User Manager for Domains (also found in the Administrative Tools folder/submenu) you can now set RAS permission by means of a button in the user record editor.
The View pull-down menu allows you to refresh the list of RAS servers for the current domain. Sometimes it may take a few moments before the RAS connections register in the list. Refresh enables you to manually update the display.
The Options menu contains two commands. The first is a toggle of Low Speed connection, which tells RAS that the currently highlighted server is to be considered a low-speed connection, and as such browsing services are restricted to RAS users logging on to the network through this machine. The second enables you to Save Settings when you exit RAS Admin.
Using the RAS Icon in the NT Tray
New to NT (and Windows 95) is the tray on the system desktop. The tray is the small sunken area in the lower right-hand area of the desktop that displays icons of system-related applications. When RAS is running on NT and a caller is connected, you will see a small icon that looks like two rectangular status lights with a small phone in front of them, as shown in Figure 20.20.
The Windows NT system tray with the RAS icon.
Double-clicking this icon in the tray opens the Dial-Up Networking Monitor, which has three tabs of information. The first tab displays statistics for RAS ports, as shown in Figure 20.21.
The Status tab of the Dial-Up Networking Monitor dialog box.
A drop-down box enables you to browse through all local RAS ports and view information on the current connection, or the most recent connection if the port is free.
The Summary tab shows you information on multilink sessions, as shown in Figure 20.22. NT RAS 4.0 allows you to connect multiple RAS ports to a single host. This increases the available data transfer rate when multiple ports can be used for a single connection.
The Summary tab of the Dial-Up Networking Monitor dialog box.
The Preferences tab enables you to configure some basic options for RAS, as shown in Figure 20.23. You can toggle sounds for four RAS events: On Connection, On Disconnect, On Transmission, and On Line Error. Normally, the RAS monitor is not shown on the task list (accessed by Ctrl+Alt+Del and then selecting Task List). The RAS monitor's presence on the task list can be toggled on or off.
The Preferences tab of the Dial-Up Networking Monitor dialog box.
You also have the option of indicating whether the small RAS monitor is shown as an icon in the tray or as a larger dialog box on the desktop by selecting "As an icon next to the taskbar clock" or "As a window on the desktop." If the RAS monitor is a window on the desktop, selecting Lights lets you choose which RAS device is represented with lights in that window.
Clicking OK will return the Dial Up Network Monitor to an icon in the system tray.
Using RAS as a Client
If you have indicated that at least one RAS port can be used as a dial-out port, you will have access to Dial-Up Networking with which to make client-side connections. Dial-Up Networking can be found in the Accessories folder/submenu.
Adding a New Phonebook Entry
When you start Dial-Up Networking for the first time, you are prompted to enter the first entry of the phonebook (Figure 20.24).
Adding a new entry to the RAS phonebook.
Creating a phonebook entry is a simple and straightforward process. As with most Windows 95 and Windows NT 4.0 interfaces, the add-entry dialog box is divided into tabs, and the following sections describe the information each tab needs.
The Basic Tab
The Basic tab holds information related to the server to which this entry will be connecting. Most fields are self-explanatory.
Alternate phone numbers for an entry can be indicated by selecting the Alternate button. There is a checkbox in the dialog box for adding alternate numbers: "Move Successful numbers to the top of the list on connection." When checked, this forces RAS to consider the last successfully connected number in the alternate numbers list to be the highest priority when attempting to reconnect.
The Dial Using field enables you to set which dial-out RAS device should be used for this entry. RAS entries can be set to use any available RAS dial-out port or to use one port in particular. Selecting the Configure button next to this field enables you to configure the hardware settings for the RAS dial-out device selected, such as hardware flow control and port speed. If the RAS entry is set to use any available port, the Configure button is not accessible.
If the Use Telephony Dialing Properties checkbox is selected, RAS will use the built-in telephony settings to control how it dials the phone. Both Windows 95 and Windows NT 4.0 can reference internal information on such things as long-distance dialing, phone card information, and dialing code information when dialing the phone. When the Use Telephony Dialing Properties checkbox is selected, two new fields are accessible (Figure 20.25).
The Basic tab with Telephony setting present.
The Country Code and Area Code fields enable you to tell NT where this entry is located (as far as phone numbers go). If the country and/or area code is different from your own (the ones NT knows as yours, at least), RAS will try to dial internationally or long distance when dialing this entry.
The Server Tab
The Server tab (Figure 20.26) enables you to configure network settings for the server to which this entry will be connecting. This is probably the most important tab of information to get right.
The Server tab.
By default, new entries are PPP entries. PPP has become the standard for dial-up network communication and Internet access. RAS supports two other server types: SLIP, and the older Windows NT 3.1/Windows for Workgroups 3.11 RAS protocol. If you are uncertain which protocol the server you are going to connect to uses, leave this setting at PPP.
All three network protocols that NT RAS carries (NetBEUI, TCP/IP, and IPX/SPX) can be used over RAS connections. They can all be left enabled; only those that are successfully negotiated during a connection are used, so having a protocol enabled here that the server does not support does not by itself make the connection attempt fail. Enabling only the protocols the remote network actually uses is still good practice, because it keeps the client from exposing itself over a protocol it has no use for.
RAS can compress all data that passes between server and client to speed up transfers. Unless you have a reason for disabling compression, leave Enable Software Compression checked. Enable PPP LCP Extension tells RAS to negotiate the PPP LCP extensions (RFC 1570); if the host does not support them, RAS automatically falls back to standard PPP.
Selecting the TCP/IP Settings button (Figure 20.27) enables you to set some important TCP/IP data necessary for correctly linking to some servers and the Internet.
The TCP/IP settings in RAS.
When RAS negotiates a TCP/IP link, the client can take its address from the host: the PPP server hands the address out during link setup (in the IPCP phase). A Windows NT RAS server takes that address either from a DHCP server or from its own static address pool; UNIX PPP hosts also hand out addresses. Unless you need to set the IP address for your machine manually on a RAS connection, leave the first setting at Server Assigned IP Address. If you must enter an address, select Specify an IP Address and enter it.
Server Assigned Name Server Addresses tells RAS that the host will supply the addresses of the DNS and WINS servers that resolve Internet-style names to IP addresses. A Windows NT RAS server does send them; many UNIX PPP hosts of this era do not, in which case you must fill in DNS and WINS addresses manually. Ask the Network Administrator of the host you are calling for these values.
The remaining two settings, Use IP Header Compression and Use Default Gateway on Remote Network, can usually be left checked. IP header compression only reduces per-packet overhead on the slow link. Use Default Gateway on Remote Network matters more than it looks: when checked, traffic for any network other than the one you dial into is routed over the RAS link to the remote server; when unchecked, that traffic keeps using your local LAN's gateway and only the remote network's own addresses travel over the link. Leave it checked when the dialed network is the one you want to reach, and be aware that unchecking it while dialing into an office from a LAN that has its own Internet connection makes the client a machine attached to both networks at once.
The Scripts Tab
The Scripts tab (Figure 20.28) controls how RAS logs into a host. RAS can negotiate a PPP login on its own with most hosts in both UNIX and Microsoft environments, so you will rarely need a login script, but the ability is there for hosts that demand a terminal-style login before they start PPP.
The Scripts tab.
By default, RAS will use no script and attempt to negotiate a login on its own. However, you can indicate that a terminal window must be displayed after dialing, enabling you to manually control the login procedure. When login is complete, closing the terminal window allows RAS to finish the network link.
You can indicate that RAS should run a script for this entry. Scripts are plain text sequences of "wait for this text" then "send this response" steps. RAS scripts are sections of the file SWITCH.INF (in %systemroot%\system32\ras), and the sample script shipped in that file can be reviewed if you need to create a script for one of your RAS entries.
A script can also be executed before dialing, enabling you to manually interact with the modem to feed it setup information that NT might not be able to do in rare situations. Normally, no predialing script is executed, and you also have the option of interacting with the modem through a terminal window. Closing the terminal window will prompt RAS to continue the dialing procedure.
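The following SWITCH.INF section is an added example of the "wait for text, send response" format, not a script from the chapter or from the file Microsoft ships. It assumes a UNIX-style terminal server that prints a login: prompt and a Password: prompt before starting PPP; the section name is invented and is what appears in the Scripts tab's script list once the section is saved into %systemroot%\system32\ras\switch.inf.

```ini
; Added example of a SWITCH.INF login script (not the sample Microsoft ships).
; Assumes the host prompts "login:" then "Password:" and then starts PPP.
[Example UNIX PPP login]
; Send nothing; wait until "ogin:" arrives. Any other text is ignored and we keep waiting.
COMMAND=
OK=<match>"ogin:"
LOOP=<ignore>
; Send the user name from the Dial-Up Networking credentials, then wait for the password prompt.
COMMAND=<username><cr>
OK=<match>"assword:"
LOOP=<ignore>
; Send the password. The host is expected to start PPP after this; RAS then takes over.
COMMAND=<password><cr>
OK=<ignore>
```

The `<match>` strings deliberately omit the first letter so that "login:" and "Login:" both match. The `<password>` macro sends the entry's password over the terminal session in clear text, exactly as you would at a keyboard, so a scripted login gives you no more protection than the "clear text" authentication setting described later; and because switch.inf is a shared system file rather than a per-user one, never write a literal password into it in place of the macro.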
The Security Tab
The Security tab enables you to choose which forms of authentication RAS will accept when logging into a host.
The Security tab.
Accept Any Authentication including clear text lets RAS send the user name and password to the host unencrypted (PAP) if the host asks for that. This is often needed when dialing into UNIX hosts, because many of them do not support encrypted authentication. The cost is that anyone able to listen on the line sees the password, and, since the client accepts whatever the host proposes, a misconfigured host can ask for clear text even where encryption is available.
Accept only Encrypted Authentication tells RAS to refuse clear text and use only the encrypted or challenge-response methods defined for PPP (CHAP, SPAP, or MS-CHAP), in which the password itself is not sent over the line.
Accept only Microsoft Encrypted Authentication tells RAS to use only MS-CHAP when negotiating with a host. When this option is checked, two other options become available: Require Data Encryption tells RAS to encrypt all data that flows between client and host (the connection fails if the host cannot encrypt), and Use Current User Name and Password tells RAS to use the name and password you logged into NT with. If the entry is not using the current user name and password, the Unsave Password button clears the password RAS has remembered for this entry. That remembered password is stored on the machine, so clear it on shared or portable computers.
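The difference between the first two settings is easiest to see by running both exchanges. The Python below is an added example, not code from the chapter or from Windows NT: it models PAP (the clear-text method) next to MD5-CHAP (RFC 1994, one of the methods the "Encrypted Authentication" setting admits), shows what a wiretap on the phone line would see in each case, and shows why a captured CHAP response cannot simply be replayed. MS-CHAP, the method behind "Microsoft Encrypted Authentication", uses a different computation (the NT password hash and DES) and is not modelled. The user name, secret, and frame labels are constructed sample data.

```python
"""Clear-text (PAP) versus challenge-response (MD5-CHAP, RFC 1994) dial-up authentication.

Added example; not code from the chapter or from Windows NT. MS-CHAP is not modelled.
"""
import hashlib
import hmac
import os

# Constructed sample user database. A real RAS server keeps this in its own
# account store. Note that MD5-CHAP needs the clear-text secret on the server,
# which is one reason Microsoft's variant works from the stored NT hash instead.
USER_DB = {"alice": "correct horse battery staple"}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapServer:
    """Server side: issues a fresh random challenge per attempt and verifies the reply."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF  # 8-bit Identifier field
        return self.ident, os.urandom(16)

    def verify(self, ident, challenge, name, response):
        secret = self.user_db.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def chap_exchange(server, name, secret, wire):
    """One CHAP authentication. `wire` collects every frame that would cross the modem link."""
    ident, challenge = server.challenge()
    wire.append(b"CHAP Challenge:" + bytes([ident]) + challenge)
    response = chap_response(ident, secret, challenge)  # computed on the client
    wire.append(b"CHAP Response:" + bytes([ident]) + response + name.encode())
    ok = server.verify(ident, challenge, name, response)
    wire.append(b"CHAP Success" if ok else b"CHAP Failure")
    return ok


def pap_exchange(server, name, secret, wire):
    """One PAP authentication (RFC 1334): the password itself is the credential on the wire."""
    wire.append(b"PAP Authenticate-Request:" + name.encode() + b":" + secret.encode())
    ok = server.user_db.get(name) == secret
    wire.append(b"PAP Ack" if ok else b"PAP Nak")
    return ok


def secret_visible_on_wire(wire, secret):
    """What a wiretap on the phone line learns: does the password appear in any frame?"""
    return any(secret.encode() in frame for frame in wire)


def replay_captured_chap_response(server, name, wire):
    """An eavesdropper replays the captured 16-byte CHAP Response against a fresh challenge.
    The server's next challenge differs, so the old hash no longer matches."""
    prefix = b"CHAP Response:"
    captured = next(f for f in wire if f.startswith(prefix))
    old_response = captured[len(prefix) + 1:len(prefix) + 1 + 16]
    ident, challenge = server.challenge()
    return server.verify(ident, challenge, name, old_response)


if __name__ == "__main__":
    srv = ChapServer(USER_DB)
    for label, fn in (("PAP", pap_exchange), ("CHAP", chap_exchange)):
        wire = []
        ok = fn(srv, "alice", USER_DB["alice"], wire)
        print(f"{label}: authenticated={ok} "
              f"password_visible={secret_visible_on_wire(wire, USER_DB['alice'])}")
```

Both methods authenticate the same user, but only the PAP frames contain the password, and a CHAP response captured from one call is useless against the next challenge. The protection is for the password only; without Require Data Encryption, everything after authentication still travels in the clear.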
The X.25 Tab
If you are using an X.25 PAD (packet assembler/disassembler) as your dial-out line, you can set the network your X.25 line is connected to, the address you have been assigned, and your User Data and Facilities. Consult the online help if you need definitions of these fields.
The Main Dial-Up Networking Dialog Box
When all the tabs are complete, the RAS entry is finished and ready to dial. The main Dial-Up Networking dialog box is displayed, as shown in Figure 20.30. This is also the dialog box you will see when selecting Dial-Up Networking on subsequent occasions.
The main Dial-Up Networking dialog box.
You can select the entry to dial from the drop-down list. Clicking New enables you to add new entries; the More button lets you configure other areas of Dial-Up Networking; and the Location button enables you to define settings for various locations, which may be necessary if your NT machine is a notebook computer that dials from more than one place.
Selecting the Location button also enables you to define such things as dialing prefixes and suffixes for the location you are calling from.
The Location Settings dialog box.
New locations can be created by clicking the Locations List button. New prefixes and suffixes can be added to the prefix and suffix lists by clicking the Prefix List and Suffix List buttons respectively. When prefixes and suffixes have been defined, they can be quickly used for any dialing entry.
The More button (Figure 20.32) contains several RAS options. The following list describes them:
The More options in the Dial-Up Networking dialog box.
- Edit Entry and Modem Properties: This option enables you to edit the currently selected RAS entry.
- Clone Entry and Modem Properties: This option creates a copy of the current entry and immediately lets you edit it in any way necessary (such as renaming it).
- Delete Entry: This option deletes the currently selected entry after confirmation.
- Create Shortcut to Entry: With this option, you can create a shortcut to the entry on the Desktop, in Network Neighborhood, or in My Briefcase.
- Monitor Status: This option starts the RAS monitor described earlier in this chapter (Using the RAS Icon in the NT Tray).
- Operator Assisted or Manual Dialing: When checked, this option lets you dial the phone yourself to make the connection to the host. When the phone is ringing on the host end, you are prompted to click OK, and NT proceeds with the connection on its own.
- User Preferences: This option enables you to set user-related RAS preferences.
- Logon Preferences: This option is available only to users with Administrator rights. With it you can set preferences that apply when a user selects "Logon using Dial-Up Networking" at the Ctrl+Alt+Del logon prompt NT presents at bootup.
The User Preferences option enables users to define settings for dialing, callback, appearance, and phonebook. Figure 20.33 shows the User Preferences dialog box.
The User Preferences dialog box.
The Dialing tab enables you to indicate which entries in the phonebook are autodial entries. NT tracks which resources are connected to which dialing entry; when those resources are requested, RAS will automatically dial the entries checked as autodial. Other settings such as Number of Redial Attempts, Seconds between Redial Attempts, and Idle Seconds before Hanging Up can also be set on this tab.
The Callback tab (Figure 20.34) enables users to determine how Dial-Up Networking will handle host demands for call-back. Callback is both a security measure and cost-saving feature. It is a security feature in that RAS can be instructed to call a user back at a predetermined number when they attempt to connect. It can also be a cost-saving measure if long-distance charges are involved.
The Callback tab.
Users can determine if they will accept Callback by selecting No, Skip Callback, which may not be a real option if the host requires call-back for security reasons. If this is selected and the host demands call-back, the host will disconnect the client anyway.
Maybe, ask me during dial when server offers sets Dial-Up Networking to query the user if the host prompts for Callback. Again, indicating no callback may forcibly disconnect the user anyway.
Yes, Call Me Back at the Numbers Below enables the user to select which RAS devices are available for call-back service. The Edit button enables you to select a RAS device and set the phone number for it. Anything in the list is considered a valid callback line. Clicking Delete will remove a RAS device from callback contention.
The Appearance tab (shown in Figure 20.35) enables you to set various Dial-Up Networking details.
The Appearance tab.
Most of the settings on this tab are self-explanatory. If you are confused by any checkbox here, click the question mark in the upper right of the dialog box, then click the setting with which you need help. NT will pop up a short description of what that setting controls.
The Phonebook tab (Figure 20.36) enables you to indicate which phonebook you want to use: the System Phonebook (default), your Personal Phonebook, or an Alternate Phonebook.
The Phonebook tab.
Logon Preferences can be set only by users with Administrator privileges. They control how a user can connect to a server when logging onto a network using Dial-Up Networking. This dialog box is nearly identical to the User Preferences dialog box, except that the Appearance and Phonebook tabs are slightly different. Most of the Appearance checkboxes are self-explanatory. If you need help, click the question mark in the upper right-hand corner of the dialog box, then click the Appearance setting you need help with, and NT will pop up a short description of the setting.
The only difference between the Phonebook tabs of the User Preferences dialog box and the Logon Preferences dialog box is that the Logon Preferences version has no option for using a Personal Phonebook. During logon through Dial-Up Networking, NT has not yet validated the user logging in, so no personal phonebook can be accessed. This means that any server a user might need to reach through Dial-Up Networking at logon should be listed in the System Phonebook.
Using Dial-Up Networking
Dial-Up Networking is very simple to use. When an entry for a server has been created in the phonebook, that entry can be dialed. When a connection is made to the server and authentication has taken place, the local user can access remote network resources through the RAS connection as if the user were directly connected to the network.
The Network Neighborhood will show remote servers and workstations (although this may not happen for a few minutes after connection), and the command line utility NET.EXE can be used to establish connections to remote resources that are on the network but do not show up in the Network Neighborhood.
Logging onto a Network Using Dial-Up Networking
At the NT login prompt, users now have the option of logging into the network using Dial-Up Networking. Remember that NT is very different from Windows 95 in the realm of security. In Windows 95, no security authorization is needed to actually access the system. In NT, security is required and users cannot do anything on an NT server or workstation until a PDC or BDC authenticates them (or a stand-alone NT workstation validates them with locally maintained user information).
The NT logon prompt can now have a checkbox for logging users onto a network using Dial-Up Networking (provided RAS has been installed on the NT machine in question). If this box is checked, NT starts Dial-Up Networking and lets the user select a server to call from the System Phonebook. NT then calls the server and attempts to validate the user information. If the user is successfully validated, the logon continues and the user is given access to the system. The RAS connection is maintained until the user manually hangs it up.
Obtaining Internet Access for a Small LAN Using RAS
There are several low-cost solutions for getting an Internet connection for a small LAN. In the first part of this chapter I discuss the process of configuring your NT RAS server to act as an Internet gateway for a small LAN. Now I'll briefly cover how I have my own small connection to the Internet.
A lot of folks would like to find a cheap alternative to dedicated Internet access. Not too many hobbyists can afford $1,400 a month in Internet costs, not to mention the outlay just to get started. These days many people do have dial-up PPP accounts with ISPs in their area. And most know that when they dial into their ISP, they are given a temporary IP, which changes with each connection they make. If only they could rely on a static IP from their ISP, they would have a form of dedicated Internet access, albeit intermittent and low speed.
Even though they might have a static IP from a provider, most people want an Internet domain name such as microsoft.com. You can have both for just a little more money than your average dynamic, IP-based PPP account.
One of the major ISPs here in Central Indiana is a company known as Iquest, which offers standard dial-in PPP accounts for $20 a month. This is an average cost in most places in the United States these days. What few people realize is that Iquest and many other ISPs offer dial-in PPP accounts with static IPs associated with them for a small additional fee. Iquest charges an extra $5 a month for a static IP. I know a lot of people who would jump at the chance to have a static presence on the Internet for an extra five bucks. Ask your own ISP if this is a service it offers. Anybody can obtain a domain name as well. All it takes is a few weeks of waiting and a little cash. Just a few years ago, you could get a domain assigned to you for a setup fee from your provider and a small fee from Internic. Well, those charges have gone up a bit but are still affordable for most people. Today, to get a domain assigned in your name, you simply work with your ISP to apply to Internic for one that is available. The Internic charge is $100, and most ISPs will charge around $50 for helping to process your application. (You cannot apply to the Internic personally for a domain; domain requests can come only from established ISPs.)
When you have a static IP and a domain, boom! That's all you need to be on the Internet as a site. Your ISP should be able to associate your static IP with the domain you receive from Internic. When that is done, anytime you log onto the Internet with that account, your domain is up and running for anyone to access (provided you have the correct server software running, such as a Web server or an FTP server).
NT is great for this form of Internet access. Iquest gives its users 120 hours of access a month for the standard $20 fee. Therefore, my site can stay up without incurring any additional costs for 120 hours each month. Iquest and many other ISPs offer inexpensive forms of dedicated modem access, too. For example, Iquest offers dedicated (that's 24 hours a day, 7 days a week) 28.8-Kbps access for $100 a month. For that fee you also receive six additional valid Internet IP addresses to use on your personal network.
If you are looking for a cheap way of putting up a low-volume Internet server, this form of connection may just be what you're looking for. When you have your form of access, RAS will connect you to the Internet, and soon your site will be hopping with visitors.
RAS-Related Registry Settings
Many RAS settings can be changed only by using the Registry editor. Keep in mind that working with the NT Registry is always a dangerous task. If you edit the wrong thing you could seriously mess up your system in such a way that only reinstalling will get you up and running again. However, most, if not all, of the RAS-related settings in the Registry will not cause a system crash even if set incorrectly. Refer to chapter 18 for a full overview of how to correctly modify Registry settings.
Microsoft Knowledge Base article Q97599 is a great source for RAS-related Registry settings and contains more information than I can repeat here. Knowledge Base articles can be retrieved from CompuServe by entering GO MSKB from any ! prompt or by Webbing out to the www.microsoft.com Web page and selecting the Support link. I will cover only two of the RAS Registry settings that I think are among the most important.
The Registry Editor can be started by opening a command prompt and typing RegEdt32. All changes made to the Registry are automatically saved when you click OK after editing a specific key. It is always a good idea to reboot after editing the Registry.
AutoDisconnect, found in the HKEY_LOCAL_MACHINE subtree in the \System\CurrentControlSet\Services\RemoteAccess\Parameters branch, controls how many minutes of inactivity RAS will tolerate before disconnecting a client. The default is 20 minutes (14 in hexadecimal notation). Setting this value to 0 disables auto disconnect and allows RAS callers to remain connected indefinitely; an authenticated line that is left open on an unattended client is then open for anyone who walks up to that client, so treat 0 as a deliberate exception rather than a convenience.
CallBackTime, found in the HKEY_LOCAL_MACHINE subtree in the \System\CurrentControlSet\Services\RemoteAccess\Parameters branch, controls how long RAS will wait before calling a RAS client back that is set for call-back. The default is 2 seconds. If your modems need more time to reset after a disconnect, set this to a higher value.
RAS is actually very robust (the latest catch phrase in magazine ads these days...) and very little can go wrong with it. If you are experiencing problems with RAS connections, first determine whether the problem is hardware-, security-, or configuration-related.
Even though NT does a decent job of knowing how to configure your brand of modem, it doesn't always get it right. And even if it does know the right way to initialize your modem, your modem may be finicky or old and not behave the way it is supposed to. The most common problem people have with their modems is that the Carrier Detect signal is always on. Until recently, a constant carrier signal, no matter what the connection state, was the power-up standard for most modems. NT should initialize your modem so that the CD signal is on only when someone is actually connected to the modem. If you have an external modem, it is easy to track down this problem: watch the CD light and make sure it's not on when no one is connected. If it stays on after you are certain the connection has been lost, look in your modem documentation to find out whether any DIP switches control that element of your modem's behavior. You might have to add special commands to the modem initialization string NT uses for the modem; this is done through the Modems icon in the Control Panel.
Another physical problem with modems is poor line quality. If your modem keeps hanging up on people or never seems to transfer data correctly, put a telephone on the line the modem is using and call someone. Hear any static or clicking sounds? Hear any conversation bleeding over from your neighbors? If so, you have phone line interference. You can call the phone company and ask them to check your lines, but don't tell them you are having modem troubles. They'll tell you they do not ensure data line quality on standard phone lines.
If your performance is poor for certain RAS ports but not others, do you have outdated UARTs on the ports performing poorly? UARTs are asynchronous controller chips that manage serial data. You should always have the 16550AFN (the latest version of the 16550 chip) UARTs or better for RAS servers.
A lot of people immediately blame the RAS connection itself if they cannot see remote resources or browse lists. The more likely reason is that their accounts do not have the permissions needed to see or use the resources they want. Always double-check the user records of those having trouble to make sure they are members of the groups that have access to those resources.
If they are members of the correct groups, has their access been limited at certain times of the day or night? NT allows for controlling what users can do and at what time they can do it.
If RAS just won't work for you but everything seems to be set up correctly, try uninstalling it, rebooting, and then reinstalling. NT sometimes messes up during installation and does not bind RAS correctly to the installed network protocols.
If your TCP/IP clients cannot see TCP/IP resources, are they using the DHCP server to get their TCP/IP setup information? Chances are they have configured their TCP/IP setting without consulting you as the Network Administrator for the correct numbers.
Are RAS clients calling in with a network protocol that is not supported network-wide? Make sure clients know that just because they connect with a certain network protocol active, it does not mean that the protocol is used throughout the entire network. In my office, only about one-fifth of the machines use the TCP/IP protocol, but all of them use the NetBEUI protocol. Therefore, TCP/IP RAS clients only get to see part of the network when they dial in.
Tracking Down a Problem
You can use several built-in applications to help you track down problems with RAS. The first and most useful is the Event Viewer, which holds the System, Security, and Application logs. RAS writes its own events (service start-up, port errors, and callers who connected but failed to authenticate) to the System log under the RemoteAccess source; if you have enabled auditing of logon and logoff in User Manager's Audit Policy, dial-in logons also appear in the Security log. The Event Viewer is opened from the Administrative Tools folder/submenu, as shown in Figure 20.37.
The NT Event Viewer.
The red stop signs indicate trouble, and the blue I's indicate a system information entry. Yellow exclamation marks indicate a lesser problem. You can select a listing in the Event Viewer and double-click it for more details. Unfortunately, the event error messages are sometimes hard to decipher. I suggest getting a copy of the latest NT Resource Kit, which comes with a volume dedicated to explaining what all the cryptic NT error messages mean.
Through the Modems icon in the Control Panel, you can have NT create a log file for your modems if you suspect that NT is incorrectly initializing them. When you indicate that NT should keep a modem log, it writes a log file called modemlog.txt into the %systemroot% directory. You can view this with any ASCII editor to find out whether your modem rejects any of the commands NT is trying to send it.
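Reading a modem log by eye gets tedious once it covers a few sessions, so the following Python is an added example (not code from the chapter or from Windows NT) of doing the check mechanically. The sample log is constructed in the layout NT 4.0's Unimodem writes to %systemroot%\modemlog.txt ("Send:", "Recv:", and "Interpreted response:" lines); the timestamps, commands, and the 555 number are made up. It pairs each command NT sent with the modem's interpreted reply, lists the commands answered with ERROR, and checks whether an &C1 command (Carrier Detect follows the real carrier) was actually accepted, which is what the CD-always-on problem described above comes down to.

```python
"""Scan an NT 4.0 modemlog.txt for modem commands the modem rejected.

Added example; not code from the chapter or from Windows NT. SAMPLE_LOG is a
constructed log in the Unimodem layout; its timestamps and commands are made up.
"""
import re

SAMPLE_LOG = """\
03-21-1997 14:33:01.41 - Generic Modem in use.
03-21-1997 14:33:01.43 - 57600,N,8,1
03-21-1997 14:33:01.44 - Initializing modem.
03-21-1997 14:33:01.45 - Send: AT<cr>
03-21-1997 14:33:01.46 - Recv: <cr><lf>OK<cr><lf>
03-21-1997 14:33:01.47 - Interpreted response: OK
03-21-1997 14:33:01.48 - Send: AT&F&C1&D2W2<cr>
03-21-1997 14:33:01.52 - Recv: <cr><lf>ERROR<cr><lf>
03-21-1997 14:33:01.53 - Interpreted response: Error
03-21-1997 14:33:01.54 - Send: ATS0=1<cr>
03-21-1997 14:33:01.55 - Recv: <cr><lf>OK<cr><lf>
03-21-1997 14:33:01.56 - Interpreted response: OK
03-21-1997 14:33:01.60 - Send: ATDT5551212<cr>
03-21-1997 14:33:20.10 - Recv: <cr><lf>NO CARRIER<cr><lf>
03-21-1997 14:33:20.11 - Interpreted response: No Carrier
"""

# Timestamp, then one of the three event kinds we care about, then the payload.
LINE_RE = re.compile(
    r"^(\d\d-\d\d-\d{4} [\d:.]+) - (Send|Recv|Interpreted response): ?(.*)$"
)


def parse_modem_log(text):
    """Return (timestamp, kind, payload) for every Send/Recv/Interpreted line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3).strip()))
    return events


def command_results(text):
    """Pair each command NT sent with the modem's next interpreted response.

    Returns (send_timestamp, command_without_<cr>, interpreted_response)."""
    results = []
    pending = None
    for ts, kind, payload in parse_modem_log(text):
        if kind == "Send":
            pending = (ts, payload.replace("<cr>", ""))
        elif kind == "Interpreted response" and pending is not None:
            results.append((pending[0], pending[1], payload))
            pending = None
    return results


def rejected_commands(text):
    """Commands the modem answered with ERROR: the ones to fix in the init string."""
    return [(ts, cmd) for ts, cmd, resp in command_results(text)
            if resp.lower() == "error"]


def cd_follows_carrier(text):
    """True only if a command containing &C1 (CD tracks the real carrier) was accepted.

    If the &C1 sits in a command the modem rejected, the whole command was
    discarded and CD stays at the modem's power-up default."""
    return any("&C1" in cmd.upper() and resp.lower() == "ok"
               for _, cmd, resp in command_results(text))


if __name__ == "__main__":
    for ts, cmd in rejected_commands(SAMPLE_LOG):
        print(f"{ts}  rejected: {cmd}")
    print("CD follows carrier:", cd_follows_carrier(SAMPLE_LOG))
```

On the sample, the one rejected command is the &F&C1&D2W2 initialization string, so the &C1 it carried never took effect; that is the situation in which an external modem's CD light stays lit with nobody connected. The fix is to find which part of that string the modem dislikes (W2 is a common culprit on older modems) and adjust the extra initialization commands in the Modems control panel until the log shows the command answered with OK.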
When Remote Access is connected to a server, you will notice simulated modem lights in the system tray in the lower right-hand corner of the desktop. If you have an internal modem and you are having trouble, keep an eye on these lights. The top light is the Receive light, and the bottom light is the Send light. If you are not seeing any data being received, it might not be your system that is having the trouble....
One of NT's strongest points has always been Remote Access. This chapter should give you the information needed to correctly set up and operate Remote Access network connections. Covering all aspects of RAS is difficult to do, and NT's place as an Internet-oriented server is still questioned by UNIX gurus. However, with the release of NT 4.0, it is becoming clear which platform is the easiest to operate in the world of the Internet, and NT is showing it has the strength to do the jobs asked of it.
This chapter has covered how to set up RAS as a server as well as how to use RAS as a dial-out client. It has also covered issues relating to network connections obtained through RAS. You should also have gained a basic understanding of how to use RAS to obtain a network-wide Internet link, as well as information on some of the pitfalls associated with RAS.
If you need more information on more specific elements of RAS, I suggest you search the Microsoft Knowledge base through CompuServe or Microsoft's Web site at www.microsoft.com. Many RAS-related articles can be found in the Knowledge Base and are very helpful when problems are encountered.