Defining a Client Connectivity Strategy
Medium to large networks need a more robust architecture, requiring a number of linked subnets with the potential for the network to grow as client demand increases.
One of the services that allows a corporation to improve its productivity is Windows 2000 Routing and Remote Access. When clients are not physically at the corporate campus, this service provides them with remote access to resources on the internal network. This service also provides several ways to maximize speed and security. Windows 2000 Professional makes it easier for users to remotely connect to networks, including VPNs, dial-up, infrared, and direct cable connections.
The Network Connection Wizard helps users create new types of connections with a single tool. Connection setup is also automated, eliminating the need to download and install additional services — a step that is necessary in Windows 95 for setting up certain types of remote networking. Figure 22.6 shows the Network Connection Wizard.
Figure 22.6 Network Connection Wizard
Clients who do not want to use remote access virtual private networks (VPNs) can dial directly into your corporation's remote access server to gain access to resources. The only requirement is to set permissions for the remote client that allow the user access. The disadvantage of this approach is potential long-distance charges, either for the user or for the company.
Clients can dial up their corporate remote access servers directly in order to transfer files and send and receive e-mail. This is a convenient way to gain access to the network but it can be costly. The long-distance charges can, over time, increase costs for both the remote user and the business. Additional costs include the need to administer the direct dial-up infrastructure. In some cases, it might be more economical to outsource direct dial-up services using Windows 2000 Internet Authentication Services (IAS). For more information about IAS, see "Determining Network Connectivity Strategies" in this book.
In order for the client to connect to a corporate remote access server, the client must be granted appropriate permissions on the corporate network. You then need to create a dial-up profile on the client computer by selecting Make New Connection in the Network and Dial-Up Connections folder located in Control Panel.
Another way that clients can access their corporate accounts is by using a VPN, which is discussed in the next section.
Remote clients in today's advanced networks can access resources using VPN protocols. While Windows 2000 supports PPTP, it also enables a very secure connection using L2TP in conjunction with IPSec. Using L2TP and IPSec, secure tunnels can be constructed through the remote client's ISP, enabling the client to send and receive data secure from Internet intrusion.
IPSec is designed to encrypt data as it travels between two computers, protecting it from unauthorized modification and interpretation while on the network. First, an administrator needs to define how the two computers will trust each other, and then specify how the computers will secure their traffic. This configuration is contained in an IPSec policy that the administrator creates and applies on the local computer or by using Group Policy in Active Directory. Because configuring IPSec policy by hand is difficult, Microsoft has built IPSec support into L2TP, so that all you need to do is create a VPN connection using L2TP from the remote computer to the VPN server. For more information about IPSec, see the TCP/IP Core Networking Guide.
In order to use IPSec on Internet or network clients, you need to install the IPSec snap-in on both hosts that are exchanging the data. If a remote user dials in through the client's local Internet service provider (ISP), then that client and the VPN server it is calling in to must both be running the IPSec protocol. If two clients within an internal network need to exchange data securely, then both of those clients must also run IPSec.
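As an added illustration (not from the Resource Kit), the following Python audits a constructed set of DMZ firewall log lines for the two tunnel types discussed above, using the well-known PPTP identifiers (TCP 1723 control channel, GRE data) and L2TP/IPSec identifiers (IKE on UDP 500, ESP), and flags any remote peer whose L2TP (UDP 1701) is visible outside ESP, which means that tunnel is not IPSec-protected. The log format and the addresses are constructed for this example.

```python
from collections import defaultdict

PPTP_CONTROL_PORT = 1723   # TCP control channel of a PPTP tunnel
GRE_PROTOCOL = "GRE"       # IP protocol 47, carries PPTP data
IKE_PORT = 500             # UDP, IPSec key negotiation for L2TP/IPSec
ESP_PROTOCOL = "ESP"       # IP protocol 50, carries the protected L2TP payload
L2TP_PORT = 1701           # UDP; only visible on the wire when NOT inside ESP

def parse_line(line):
    """Parse a constructed log line: '<proto> <src> -> <dst>[:<dport>]'."""
    proto, src, _, dst = line.split()
    host, _, port = dst.partition(":")
    return proto.upper(), src, host, int(port) if port else None

def classify(proto, dport):
    """Map one flow to the tunnel component it belongs to."""
    if proto == "TCP" and dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    if proto == GRE_PROTOCOL:
        return "pptp-data"
    if proto == "UDP" and dport == IKE_PORT:
        return "ike"
    if proto == ESP_PROTOCOL:
        return "esp"
    if proto == "UDP" and dport == L2TP_PORT:
        return "l2tp-clear"
    return "other"

def audit(lines, allow_pptp=True):
    """Return per-peer tunnel components and the peers that violate policy."""
    seen = defaultdict(set)
    for line in lines:
        proto, src, _, dport = parse_line(line)
        seen[src].add(classify(proto, dport))
    findings = {}
    for peer, kinds in sorted(seen.items()):
        if "l2tp-clear" in kinds:       # L2TP outside ESP: not IPSec-protected
            findings[peer] = "unprotected"
        elif not allow_pptp and kinds & {"pptp-control", "pptp-data"}:
            findings[peer] = "pptp-not-allowed"   # site chose L2TP/IPSec only
    return dict(seen), findings

# Constructed sample firewall log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "TCP 203.0.113.5 -> 192.0.2.10:1723",   # PPTP control
    "GRE 203.0.113.5 -> 192.0.2.10",        # PPTP data
    "UDP 203.0.113.9 -> 192.0.2.10:500",    # IKE for L2TP/IPSec
    "ESP 203.0.113.9 -> 192.0.2.10",        # protected L2TP inside ESP
    "UDP 203.0.113.12 -> 192.0.2.10:1701",  # L2TP in the clear
]
```

Calling `audit(SAMPLE_LOG, allow_pptp=False)` reports the PPTP peer as a policy violation and the clear-text L2TP peer as unprotected, while the L2TP/IPSec peer passes.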
A medium-sized to large-sized network contains hundreds to thousands of computers and multiple subnets. The technologies that were used in a SOHO to connect to the Internet or a corporate network now require more configuration, but at the same time have more capability. Table 22.2 lists the various technologies and how they apply to each type of network.
Table 22.2 Network Technologies
| SOHO | Medium Network | Large Network |
|---|---|---|
| Uses ICS, private IP address range of 192.168.0.0/24. | Uses NAT configured with an appropriate private IP address range. | Uses Microsoft Proxy Server to connect to the Internet, and uses DHCP to allocate IP addresses. |
| Utilizes only PPTP. | Utilizes only PPTP. | Uses a separate VPN server to permit PPTP and L2TP/IPSec tunnel traffic. |
| Utilizes only a single network interface. | Utilizes multiple network interfaces. | The Proxy and VPN servers are attached to a router with multiple network interfaces. |
| Uses only DNS for name resolution. | Uses DNS, WINS, or both for name resolution. | Uses DNS, WINS, or both for name resolution. |
ICS works well on smaller SOHO networks where there is only a single subnet and a single connection to the Internet. Medium-sized networks can use NAT to connect their clients to the Internet because NAT can service more than one subnet and more than one IP address range. The larger network needs a proxy server and a VPN server in order to allow client access to the Internet and to carry tunnel traffic.
Large networks need to have an area in their infrastructure called a demilitarized zone (DMZ). A DMZ is a network segment that allows traffic from the Internet to reach selected servers of a private network while still maintaining the security of that private network. All servers that have any Internet-exposed interfaces are placed in this area. For more information about DMZs, see "Determining Network Connectivity Strategies" in this book.
In this example, a medium-sized to large-sized business is using a network serving 750 to 1,000 employees in three sites. The sites in this network are connected by T1 and fractional T1 links. The business has some remote users who dial in to receive files and e-mail, and each employee has his or her own remote access account. Each site also has an Internet connection through which the employees can access the Internet for business needs. This network is in the process of transitioning from a NetWare to a Windows 2000 infrastructure, and interoperability between clients and servers in both the Windows 2000 and NetWare environments is essential.
Figure 22.7 is a simplified diagram of this example.
Figure 22.7 Medium to Large Network
The clients in the network are as follows:
Because this network is slowly being migrated from NetWare to Windows 2000, most of the employees still require access to NetWare servers and printers. Some Windows clients on the part of the network that is still running IPX are using Client Services for NetWare, and are running the NWLink protocol. The other Windows clients are using TCP/IP and are accessing required NetWare files and printers through Windows 2000 routers running Gateway Services for NetWare. The remote clients are accessing Windows 2000–based servers and NetWare servers by using the multiprotocol VPN and remote access server located in the demilitarized zone (DMZ) of the central site. The clients on this network get their IP addresses from a DHCP server, and Internet access is through a proxy server located in the DMZ. For more information about designing medium to large networks, see "Determining Network Connectivity Strategies" in this book.