Networking

Demystifying the Remote Access Server (RAS)

Got questions about your communication server? Ron Nutter has answers. During this Guild Meeting, Ron took the mystery out of communication servers.


Got questions about your communication server? Ron Nutter has answers. On August 17th Ron took the mystery out of communication servers. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

 


Note: TechProGuild edits Guild Meeting transcripts for clarity.

Tonight’s RAS Guild Meeting
MODERATOR: Welcome to tonight's Guild Meeting. The topic for this evening will be how you allow your road warriors to connect to your network using RAS. Our Guest Speaker will be Ron Nutter, frequent contributing Editor for TechProGuild's NetWare and NT/2000 tracks. Ron will be with us shortly.

The benefits of RAS
KEVINOSAR: So, what does everyone know about RAS?

TLSNC: I have used it to support remote locations. It was very useful.

MODERATOR: RAS, of course, stands for Remote Access Service. It allows traveling users to dial in to your network and have full network access just as if they were connected to your LAN. NT includes a version of RAS. If you’re running NetWare, there's a basic dialup connection program included, but I don’t know of anyone who's ever used it.

TLSNC: Anybody set it up for the warriors to dial in?

KEVINOSAR: No, but I'm learning.

DJMARCOVITZ: I’m in the process of setting it up in our office.

KEVINOSAR: What's a more popular connection?

DJMARCOVITZ: We are attempting to use Novell Border Manager.

MODERATOR: Border Manager is definitely the way to go on NetWare, plus it gives you a lot more options than the old NetWare Connect.

KEVINOSAR: I take it Novell allows anyone to dial in, and then you can either use passwords or a login for a secure connection. Well, by the same respect, NT allows anyone to dial in, but to actually be allowed to do anything you must authenticate to the network.

MODERATOR: In a NetWare environment, you'll go through NDS to do that. Likewise, in an NT environment, rights are determined by your user ID's rights in the domain.

TLSNC: When I was using it most, the company had no laptops connected. I have heard some people have had success with BM. What has been your experience so far?

DJMARCOVITZ: BM verifies users with the Novell user name and password, then you see the office network as if you were at the office, with all the same permissions a user would normally have.

The benefits of Border Manager
KEVINOSAR: What are some of the advantages BM has over NT?

DJMARCOVITZ: I do not know, because I have not used NT. Our office is mainly Novell.

KEVINOSAR: That's OK. We're just picking your brain a little.

MODERATOR: Border Manager does more than just RAS. It can also serve as a proxy and firewall for your network. It can control access both going out and coming in. You can also use it to set up VPNs between remote locations over the Internet.

DJMARCOVITZ: We set up Border Manager first to serve as our firewall and control where and when users could surf on the Web.

TLSNC: Has it been easy to set up, Djmarcovitz?

DJMARCOVITZ: It was not the easiest to set up, but once we understood (actually it wasn’t me but somebody else in our office), it was not as complicated as we thought. We had to teach ourselves by reading and trying, not any real outside help.

Introducing our RAS expert
MODERATOR: And now... here's tonight's speaker, Ron Nutter.

RON NUTTER: Good evening everyone! Sorry for being late. My mail server decided to stop allowing logins and routing mail. It took me a while to figure that one out.

MODERATOR: And now, back to our regularly scheduled guild meeting. The topic is RAS, and our speaker is Ron Nutter. You’re on!

RON NUTTER: Setting up RAS is part science and part art. One of the more significant problems I have seen more often than not comes down to a modem problem.

RAS on W2K versus NT 4
KEVINOSAR: Let's get down to business. What's new with RAS?

RON NUTTER: Do you have a question in particular? I have worked mostly with RAS on NT 4. I am getting more familiar with RAS on W2K.

TLSNC: Are there many differences, Ron?

RON NUTTER: Tlsnc, I haven’t seen many, other than the differences that come with W2K itself.

Accessing servers without cables
TLSNC: Well, Ron, we are wondering what is in RAS for us and our road warriors.

RON NUTTER: Tlsnc, RAS provides an option, although somewhat slower for traveling users and system admins, to get access to your servers without having to be directly cabled to them. One of the best suggestions I can make is to use the same modem on the RAS server as on the remote users’ computer and that will go a long way to reducing the number of modem/connection related calls the help desk will get.

KEVINOSAR: Are there limits to remote users based on modems?

RON NUTTER: Kevinosar, the limits will depend on the connectivity speed that the remote user is able to get and maintain into the RAS server.

Multiaccess via one phone number
KEVINOSAR: Have you worked with Border Manager a lot?

RON NUTTER: I have installed BM five times for different customers when I was in the reseller channel, besides my own BM server. I have also spoken at Novell's Brainshare in the US and in Europe.

DJMARCOVITZ: I am looking for some help with setting up Border Manager, any tips?

RON NUTTER: Djmarcovitz, what kind of question do you have?

DJMARCOVITZ: Is it possible to set up an 800 number with a bank of modems so several users can gain access at the same time but only have to remember one telephone number?

RON NUTTER: Djmarcovitz, yes, that is very possible. What you will want to do is have your telco either set up a hunt group or enable automatic rollover from the first line that the physical 800 number is assigned to the remaining numbers in the group. Each of the additional phone lines will have a number associated with each individual line but that will be transparent to the 800 number stuff since that is simply a redirection to your local lines.

DJMARCOVITZ: OK, I guess most of that will be configured by the telco.

RON NUTTER: Djmarcovitz, depending on your incoming phone line setup and PBX in use, it could be handled at your end. I would recommend using totally outside lines unless your PBX is digital and is serving as a channel bank to break the phone lines out of a T1.

DJMARCOVITZ: The internal phone is digital, it’s not using T1 but about the same thing with ISDN PRI.

RON NUTTER: Djmarcovitz, your long distance carrier should be able to help set it up.

DJMARCOVITZ: I will have to get them in and work it out, thanks.

JIM MCINTYRE: Ron, are PDAs being used to access NetWare networks yet?

RON NUTTER: I have seen a modem or two for the newer CE devices (2.0 or later) that should get you in. I don’t know that I would try very hard due to the hassles of getting a phone line to PDA, power drain of the modem, and general small form factor of the PDA.

 

Assigning an IP to a RAS connect

TLSNC: I have seen problems with assigning an IP to a RAS connect but not releasing it when the connection is terminated. Any ideas?

RON NUTTER: Tlsnc, hopefully the newest version of Windows CE may make that a little better. I haven’t worked with that type of connectivity as much as I would have liked.

TLSNC: This was on NT server to server, Ron.

RON NUTTER: Tlsnc, what are the specifics of your RAS server configuration?

TLSNC: Sorry, it has been awhile, and I am not sure exactly what config you want to know about.

RON NUTTER: What service pack do you have installed and how many modems are connected?

TLSNC: OK, we were using it only in support of remote servers. They all had USRobotics external modems. At the time, we had SP3 installed.

RON NUTTER: Have you tried it with SP 5 or later? How were the modems connected? Via serial ports or a com card such as Comtrol?

TLSNC: Serial.

RON NUTTER: I have not had good luck with serial ports built in to the servers, quirky problems just seem to abound. An added advantage of using a com card, such as Comtrol, is that you take the load off of servicing the com ports and hand it off to the processor chip on the com board.

TLSNC: I will have to check into that for future support jobs.

Support laptops that dial in
TLSNC: Ron, have you been supporting laptops dialing in, and if so how do you get them the same modem to eliminate those problems you were speaking of earlier?

RON NUTTER: Yes, I do support laptops dialing in at the company I work for during the day. We are fortunate to have an IS director and a CEO who allow us to mandate/require that only a certain modem can be used and only those who use that modem will get support/help on problems relating to dialing in.

DJMARCOVITZ: We will do the same by getting all the same modems for the laptops, and all remote users will have the same laptop also.

RON NUTTER: That is exactly what we do (except when the model of laptop we are using gets discontinued and then we have to find another model to work with).

DJMARCOVITZ: True, and they get discontinued every three months or so.

RON NUTTER: Djmarcovitz, we have been starting to get a hiring projection from HR and from the various department heads, so that will sometimes allow us to purchase some laptops in bulk so that we can have more of the same model when possible. When it works out, we try to have the same portable to all the individuals in a given department so that we can have just one workstation image to support for a given department.

TLSNC: So, you get it to work with certain modems on the server and then find one that works reliably dialing in and get one for every laptop?

RON NUTTER: That is what seems to work the best for us. We try to use modems from the same manufacturer at each end of the connection. It doesn’t solve all the remote connectivity problems, but it certainly reduces the number of calls.

Dial-in security concerns
KEVINOSAR: What kind of protection does Windows provide in regards to security?

RON NUTTER: In relation to security, you have the security that comes with NT/Windows. For those that are really concerned with security for dial-in connections, you can take additional steps by using a dial back system. The users then have to either be at a certain number where they are called back or have to enter another identification sequence when they are called by your system.

DJMARCOVITZ: I played around with the call back stuff, and it was more of a pain than a benefit, so we are going to rely on the internal security with just the username and password.

RON NUTTER: The call back stuff can be a hassle, but depending on the level of paranoia that your management has, there may be no other choice.

DJMARCOVITZ: If you get good daily backups of your data and you do not really have any data that would be of interest to many others, then that level of paranoia can be kept pretty low, but never done away with completely.

RON NUTTER: Djmarcovitz, that is true.

New RAS technology
KEVINOSAR: Anything new coming out which has you excited in regards to RAS?

RON NUTTER: Not coming from Microsoft. I think more of the new stuff will be coming from third parties.

TLSNC: Have you "seen" anything in the works from third parties yet?

RON NUTTER: Starting to see some additional security offerings from companies such as RSA Security that force the users to enter a randomly changing pin from a computerized token. The real interesting area of remote security for RAS logins is in the biometric area. That is just starting to settle down and become somewhat affordable and easy to implement.

KEVINOSAR: What do you mean by biometric?

RON NUTTER: Sorry, been living in my world a little too much lately. Biometric refers to a category of devices that allow users to login by using a fingerprint instead of a regular password. They now have fingerprint scanners in a PCMCIA form factor.

KEVINOSAR: OK, I've heard of those. They are becoming more affordable, aren't they?

PRPLDODGE: I have heard of eye scans, face scans, and voice scans. The James Bond kinda stuff.

RON NUTTER: Prpldodge, that kind of thing is becoming more and more available.

KEVINOSAR: Welcome to the future.

DJMARCOVITZ: Where can you find out more about this biometric stuff?

RON NUTTER: It is hard to find info on the biometric stuff. You’re kind of dependent on OEMs to have partnerships with the companies that make those products. Novell, for example, is rolling out a product that allows you a choice of how users authenticate when connecting in.

KEVINOSAR: Investors Business Daily had an article on biometric companies a few weeks ago.

DJMARCOVITZ: How about some of the "RAS" servers that advertise just plug them in and all the software you need is ready to run?

RON NUTTER: I haven’t worked with those. My only concern is that if you have problems with the RAS device, you may be limited as to what you can do without getting it replaced. I try to avoid that kind of downtime.

TLSNC: Amen to that! Any kind of downtime is our worst enemy.

DJMARCOVITZ: Downtime is definitely no good.

TLSNC: Ron, what kind of pre-emptive tools or procedures do you use to keep those servers healthy? Your RAS servers that is.

RON NUTTER: When running a modem pool, I look at something from either USR/3COM or other companies that have monitoring software that can tell you what is going on. As to procedures, I usually reboot the RAS server(s) at least once a month and almost always after a major storm in the area. I prefer to use external modems when dealing with only a few phone lines or card modems. I prefer those with status lights when I’m working with a cage situation.

TLSNC: I prefer the external myself and have had better luck with their reliability.

Thanks for coming
RON NUTTER: We are coming to the close of tonight’s Guild meeting. Thanks to everyone for coming in and being patient while my mail server came out of intensive care.

MODERATOR: OK gang, it’s top of the hour. Thanks for participating. Any last words, Ron?

DJMARCOVITZ: Thanks for the info, Ron and the rest of you.

MODERATOR: Thanks to Ron for speaking, and thank you everyone for your participation and attendance.

JIM MCINTYRE: Thanks, good meeting.

MODERATOR: Guild Meeting adjourned.