Defining a Client Connectivity Strategy
One of the ways in which a company can improve its productivity is by using Windows 2000 Routing and Remote Access service. When clients are located off campus, this service can provide them with remote access to resources on the internal network and help maximize speed and security. Windows 2000 Professional makes it significantly easier for users to remotely connect to networks, including virtual private networks (VPNs), over dial-up, infrared, and direct cable connections.
The Network Connection Wizard helps users create new types of connections with a single tool. Connection setup is also automated, eliminating the need to download and install additional services. Figure 22.3 shows the Network Connection Wizard.
Figure 22.3 Network Connection Wizard
Clients who do not want to use remote access virtual private networks (VPNs) can dial directly into your corporation's remote access server to gain access to resources. The advantage of this method is that you can use a simple dial-up connection without having to use an Internet service provider (ISP). The disadvantage is potential long-distance charges.
Remote clients in today's advanced networks can access resources using VPN protocols. While Windows 2000 supports the widely used Point-to-Point Tunneling Protocol (PPTP), it also enables a very secure connection using Layer 2 Tunneling Protocol (L2TP) in conjunction with Internet Protocol Security (IPSec). Using L2TP and IPSec, secure tunnels can be constructed through the remote client's ISP, enabling the client to send and receive data that is secure from Internet intrusion.
IPSec is designed to encrypt data as it travels between two computers, protecting it from unauthorized modification and interpretation while on the network. First, an administrator needs to define how the two computers will trust each other, and then specify how the computers will secure their traffic. This configuration is contained in an IPSec policy that the administrator creates and applies on the local computer or using Group Policy in Active Directory. Due to the difficulty of configuring IPSec policy, Microsoft has built IPSec support into L2TP so that all you need to do is create a VPN connection using L2TP from the remote computer to the VPN server. For more information about IPSec, see the TCP/IP Core Networking Guide.
In order to use IPSec on Internet or network clients, the IPSec snap-in needs to be installed on both hosts that are exchanging the data. If a remote user is dialing in through the client's local Internet service provider (ISP), then that client and the VPN server it is calling into must both be running the IPSec protocol. If two clients within an internal network need to exchange data securely, both of those clients must also run IPSec.