Internet-Based Multiprotocol Remote Access

By Mike Fratto

Network managers are under the gun to provide more connectivity options for mobile and remote users. Deciding on issues such as the size of the modem pool, the geographic locations of points of presence (POPs) and the kinds of access users will require is a monumental task.

Modem-based private dial-up links are often implemented to provide remote access to centralized network data and e-mail. Or, if your company has caught the Internet wave, you may have set up a corporate presence on the Internet, offering a host of services to the public as well as to private employees. Users connecting to the Internet through Internet service providers (ISPs) can access corporate IP services from anywhere in the world.

Although this type of access lets remote users work from virtually anywhere, it does not guarantee access to network services that require IPX/SPX, NetBEUI or other network protocols. Until recently, you needed a remote-access solution based on the Point-to-Point Protocol (PPP) to gain multiprotocol remote access.

Implementing and managing large modem pools and remote-access servers is costly not only in dollars, but also in time and other resources. To circumvent these costs, you could outsource your remote-access services. Outsourced remote access, coupled with virtual dial-up private networking (VDPN), lets users call any ISP, make a PPP connection, then create a private connection to your network over the Internet.

In this workshop, we'll discuss the effectiveness of VDPN-remote-access coupling, and what it means for remote access.

Your Own Private Tunnel

VDPN lets users establish a remote-node connection to a network over a WAN, such as the Internet. In doing so, the technology extends the PPP session created between the client and the remote-access server to a home gateway on the network. The home gateway terminates the PPP session and performs all of the functions of a remote-access server, including user authentication and protocol negotiation.

The two technologies most often used are the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). PPTP is an Internet Engineering Task Force (IETF) draft authored by several companies, including Ascend Communications Corp., ECI/Telematics, Microsoft Corp., 3Com Corp. and U.S. Robotics. Cisco Systems' L2F is also an IETF draft. The protocols provide the same basic services, but they approach these services from different angles.

One word of caution if you're using a public WAN--such as the Internet--to transport your VDPN tunnels: You will have to establish security measures at the PPP or IP levels. Unfortunately, neither tunneling protocol specifies any encryption technologies.

VDPNs use two servers to create multiprotocol tunnels via a WAN (see "The Virtual VDPN Connection" next page). A user dials an ISP (or corporate modem pool) and establishes a PPP session between the network access service (NAS), which answers the incoming call and forms one end of the VDPN tunnel, and the client. The NAS tells the home gateway (the other end of the VDPN tunnel) that a VDPN session has been requested. The NAS then forwards the client's user name and password. If the user is valid, the NAS and the home gateway establish the tunnel and assign a session ID that specifically identifies the user and his or her tunnel.

Once the user has been authenticated and the tunnel established, the client and the home gateway negotiate the PPP session, setting up protocols and allocating network addresses to the client. In this model, the tunneling process is transparent to the user.
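The exchange described above, together with the earlier caution that neither tunneling protocol specifies encryption, can be modelled in a few lines. This is an added example, not code from the original article or from any vendor; the class, method and field names are hypothetical, the accounts are constructed sample data, and the model does not reproduce the PPTP or L2F wire format.

```python
# Simplified model of the NAS / home gateway exchange.
# Every name here is hypothetical; this is not the PPTP or L2F wire format.
import hmac
import itertools


class HomeGateway:
    """Far end of the tunnel: authenticates users and owns session IDs."""

    def __init__(self, users):
        self._users = users                  # constructed sample accounts
        self._ids = itertools.count(1)
        self.sessions = {}                   # session ID -> user name

    def open_session(self, user, password):
        expected = self._users.get(user)
        # Constant-time comparison; unknown users fail the same way.
        if expected is None or not hmac.compare_digest(
                expected.encode(), password.encode()):
            return None
        sid = next(self._ids)
        self.sessions[sid] = user
        return sid

    def receive(self, sid, ppp_frame):
        # Frames that do not match an established session are dropped.
        if sid not in self.sessions:
            return None
        return (self.sessions[sid], ppp_frame)


class NAS:
    """Answers the call, then forwards credentials and PPP frames."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.wan_log = []                    # what an on-path observer sees

    def dial_in(self, user, password):
        # In this model the credentials cross the WAN as the NAS got them.
        self.wan_log.append(("auth", user, password))
        return self.gateway.open_session(user, password)

    def forward(self, sid, ppp_frame):
        # Tunneling adds a session ID; the payload itself is unchanged.
        self.wan_log.append(("data", sid, ppp_frame))
        return self.gateway.receive(sid, ppp_frame)
```

Inspecting `wan_log` after a session shows the forwarded frames byte for byte, which is why protection has to be added at the PPP or IP level when the tunnel crosses a public WAN.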

VDPN connections made from Windows NT Workstation are more flexible because tunnels are created directly from the workstation ("Client Established VDPN With NT").

We established a VDPN tunnel connection in our Syracuse lab by initiating a PPP dial-up session to Shiva Corp.'s LANRover, and then made a second remote-access service (RAS) call to create the PPTP tunnel. The RAS dialer uses the home gateway's IP address in place of the phone number. The VDPN is established with the client as one end of the tunnel.


Updated April 8, 1997


