Managing NT's Remote Access Service
Published in TechRepublic's Windows NT Administrator Report (TechRepublic.com)
In this article, we'll discuss some ways to handle increased use of RAS once your users become familiar with it. We'll explain how to deploy RAS using both hardware and software methods. The main thing to remember about RAS is that both its implementation and deployment are modular.
Using a dedicated RAS server
At some point, it will become unacceptable for all your RAS users to call into your primary NT Server, due to the high processor load, limited number of modems, and so on. Depending on the number of incoming connections you're managing, you may need to dedicate one or more servers to only handling RAS users.
When you do, you must consider the level of security you want on the network. Security concerns will dictate which of these configurations you choose for the NT Server(s) handling the RAS connections:
Member servers in your existing domain
Servers in a resource domain or another separate domain with trusts to the domain containing resources that users will need to access
Each of these options has advantages and disadvantages. Configuring the NT server as a workgroup server with no domain membership really isn't an acceptable option—you'll experience too many management headaches from users accessing resources in a domain to which they haven't authenticated. For most RAS implementations, management will be easiest if the RAS server is a member server in a domain (this option is also simplest for the users).
You can use the Allow Remote Access option in the Remote Access Admin program (under Administrative Tools on the Programs menu) to implement controlled dial-up access to the network. In addition, RAS users must know the dial-in phone number. In many cases, these are sufficient security precautions. However, companies that are especially security conscious may want to consider placing the RAS server in another domain. You then establish either a resource domain configuration or two-way trusts between the domain containing the RAS server and the domain containing the resources that users need to access. By placing the NT server in another domain, you can require users to have a dial-in password that's different from the one they use in the office.
In the end, there's no one right way to handle security. The planning process for remote access should involve your company's internal and external auditors, so that any decisions you make will be in compliance with the regulations your company follows during its normal course of business.
Hardware options for handling RAS usage
For four phone lines or fewer, the regular modems you have now should be sufficient. To alleviate excess processor usage, you should consider using specialized communications boards such as the Comtrol RocketPort Serial Hub <http://www.comtrol.com>. This board comes in both ISA and PCI flavors and in either a four- or eight-port configuration.
As your needs grow beyond a few ports, the cabling mess you must deal with will also increase as you install additional lines. Equinox <http://www.equinox.com> offers two interesting modem pool products—one for analog use and one for digital use—that can help you prevent such a mess and manage growth. The analog option offers more flexible implementation, due to the way Equinox chose to implement the solution.
The analog modem pool, shown in Figure A, uses off-the-shelf internal ISA bus PC modems available for less than $100. The base kit comes with a multiport serial board that can drive either 64 or 128 modems. The cage unit can house up to 16 modems, and you can daisy-chain cages to handle additional card units as your needs grow. I recommend this approach because as modem standards change (and they will continue to do so), you can keep up with the standards by simply changing modems as the need arises. The best part of the Equinox modem pool is that you don't have to power down your entire RAS server to add or change modems. The modem cage unit can power down the slots in groups of four, which lets you add, remove, or replace modems as the situation dictates without adversely affecting your day-to-day operations.
Managing the modem pool
Equinox also offers an EquiView Plus NT Connections Manager software package, which lets you handle the modems in the cage units as if they were external modems—but without the cabling nightmare. Onscreen, you see the modems just as if you were in front of the rack. Equally important are the product's diagnostic capabilities, which let you view the data sent to and from the modem in detail. This capability can be handy when users complain that they can't log in or aren't getting the data they requested.
Depending on the telephone company tariffs in your area, it may be cheaper for you to use a Primary Rate ISDN (PRI) line to bring the phone lines for the RAS users into the building instead of a collection of individual lines. Equinox also offers a digital modem pool unit that gives you the same flexibility of handling RAS users without individual phone lines.
In this article, we've covered both hardware- and software-based options for handling RAS growth. Of course, we've only scratched the surface on the many ways you can handle increased usage. The secret is to keep in mind that RAS, and the service it provides, are like a set of building blocks—you can join and add to the elements in several ways to achieve the result that best suits your needs.
Ronald Nutter is a senior systems engineer in Lexington, Kentucky. He's an MCSE, Novell Master CNE, and Compaq ASE. Ron has worked with networks ranging in size from single servers to multiserver/multi-OS setups, including NetWare, Windows NT, AS/400, 3090, and UNIX. He's also the Help Desk Editor for Network World. You can reach Ron at Rnutter@ix.netcom.com.