Patrick Awuah, Program Manager

David Lazar, Senior Systems Engineer

September 1994

Abstract

Remote Access Service (RAS) is Microsoft's strategic solution for connecting today's mobile workforce to corporate networks. Optimized for client-server computing, RAS is implemented primarily as a software solution, and is available for all of Microsoft's operating systems. Microsoft's goal for RAS is to enable remote networking out of the box with the Microsoft® Windows® operating system, thus making Windows the best platform for mobile computing.

The goals in designing RAS were to make it:

Secure

Interoperable

Economical

Scalable

High performance

Easy to use

Extensible

Capabilities/Functionality

Remote Access Service (RAS) is designed to provide transparent network access for PCs running the Microsoft® Windows® operating system. Users run the RAS graphical phone book on a remote PC and initiate a connection to the RAS server via a locally-installed modem, X.25, or ISDN card. The RAS server, running on a Windows NT™ Server-based PC connected to the corporate network, authenticates the users and services the sessions until terminated by the user or network administrator. All services that are typically available to a LAN-connected user (including file- and print-sharing, database access and messaging) are enabled via the RAS connection. The following figure depicts the RAS architecture.

Note that the remote clients use standard tools to access resources. For example, the Windows File Manager is used to make drive connections, and Print Manager is used to connect printers. Connections made while LAN-connected via these tools are persistent, so users don't need to re-connect to network resources during their remote sessions. Because drive letters and Universal Naming Convention (UNC) names are fully supported via RAS, most commercial and custom applications work without any modification.

Connectivity is achieved in one of three ways: via a standard modem, ISDN, or X.25. The asynchronous modem is the most popular means of connecting, with ISDN emerging as a high-speed alternative. X.25 is a standard for many companies doing business internationally.

In understanding the RAS architecture, it is important to make the distinction between RAS and remote control solutions, such as Cubix® and PC Anywhere™. RAS is a software-based multi-protocol router; remote control solutions work by sharing screen, keyboard, and mouse over the wire. In a remote control solution, users share a CPU or multiple CPUs on the server. The RAS server's CPU is dedicated to communications, not to running applications.

This architectural difference has significant implications in two areas: scalability and software applications architecture. In the area of scalability, consider the differing approach to increasing the capacity or performance of a remote-control server. For best performance, an additional or upgraded CPU or PC would need to be purchased for every port to be added or upgraded. With RAS, additional ports can be added without upgrading the server PC. When it does require an upgrade, the RAS Server would generally get additional RAM, a far less costly approach than with remote-control. With Windows NT, a single server can scale easily to support hundreds of remote users, using far fewer hardware resources than a remote control solution.

In the area of software applications architecture, the RAS client normally executes applications from the remote workstation. Contrast this with the remote control client, which runs applications from the host-side CPU. The RAS arrangement is better suited to graphical, client-server-based applications, and because network traffic is reduced, the user achieves higher performance.

Remote control is, however, useful in non-client-server environments. Appendix B of this document explains what client-server computing means, why RAS works extremely well in a client-server environment, and why remote control may be better suited for non-client-server environments. Appendix B also shows how RAS and remote control can be deployed together to take advantage of their respective strengths, and most importantly, demonstrates how corporations can design their remote computing systems in anticipation of their migration to client-server computing.

New Features of Windows NT 3.5

Microsoft's Remote Access Server first shipped with LAN Manager 2.1 in 1991. It was included with the Windows NT 3.1 operating system, and has now been significantly enhanced for Windows NT 3.5. RAS features the following capabilities:

Multi-protocol routing via PPP support

Internet support

Improved integration with Novell® NetWare® networks

Large capacity

Software data compression

Data encryption

Availability of the RAS APIs

Multi-protocol routing via PPP support

The underlying RAS architecture has been enhanced to allow clients to run any combination of NetBEUI, IP, or IPX during a RAS session. This means that Windows Sockets and NetWare-aware applications, as well as NetBIOS applications, can be run remotely. The Point-to-Point Protocol (PPP) is used as the framing mechanism on the wire. Using PPP enables a high degree of interoperability with existing remote access services.

Internet support

RAS enables Windows NT and Windows 95 to provide complete on-ramp services to the Internet. A Windows NT Server 3.5-based PC can be configured as an Internet service provider, offering dial-up Internet connections to a client workstation running Windows NT 3.5 or Windows 95. A PC running Windows NT Workstation 3.5 can dial into an Internet-connected PC running Windows NT Server 3.5, or to any one of a variety of industry-standard PPP or SLIP-based Internet servers. Microsoft expects the tremendous growth in Internet access to continue, and is committed to providing operating systems that can easily access the Internet.

Improved integration with NetWare networks

Windows NT 3.5 and RAS fully integrate into a NetWare network. The RAS clients are running IPX and/or NetBIOS, so all applications that typically work when directly connected to the network continue to work when remotely connected. And the RAS server now supports IPX routing, so remote clients can gain access to all NetWare resources via the RAS server.

Large capacity

Windows NT Server 3.5 now supports up to 256 simultaneous connections, up from 64 in version 3.1. Details of the configuration, system requirements, and performance are presented later in this paper. The Windows NT Workstation continues to provide a single RAS connection, primarily for personal use or for very small networks.

Software data compression

Software data compression in RAS allows users to boost their effective throughput. Data is compressed by the RAS client, sent over the wire in a compressed format, and decompressed by the server. In typical use, RAS software compression will double effective throughput.

Data encryption

Remote Access Service now provides data encryption, in addition to password encryption, to provide a high measure of privacy for sensitive data. Although most customers may choose not to enable encryption, government agencies, law enforcement organizations, financial institutions, and others will benefit from it. Microsoft RAS uses the RC4 encryption algorithm of RSA Data Security, Inc.

RAS APIs

In April 1994, Microsoft published the 16-bit and 32-bit RAS APIs, which allow corporate developers and solution providers to create custom, remote-enabled applications. Applications which establish the remote connection, use network resources, and reconnect in the event of a communications link failure can now be economically developed and deployed. Applications developed today using these tools will be compatible with Windows 95, Windows NT Workstation and Server 3.5, and Windows for Workgroups 3.11.

Security

Corporate and government organizations deploying remote access solutions across the enterprise require varying degrees of security, ranging from virtually public access to total discrete control. Microsoft's Windows NT, with its Remote Access Service, offers all of the tools necessary to implement whatever degree of security is desired.

Microsoft's RAS provides security at the operating system, file system, and network levels, as well as data encryption and event auditing. Some of the security features are inherited from the Windows NT operating system, while others are specific to RAS itself. Every stage of the process (user authentication, data transmission, resource access, log off, and auditing) can be secured. The next section describes RAS security in detail.

Security of Windows NT

First and foremost, Windows NT Server, the host for RAS, must be understood as a secure operating environment. Windows NT was designed to meet the requirements for C2-level (U.S. Department of Defense) security, meaning that access to system resources can be discretely controlled, and all access to the system can be recorded and audited. A Windows NT Server-based computer, provided it is secured physically, can be totally locked down from a software perspective: any access to the system will require a password and leave an audit trail.

Windows NT provides for enterprise-wide security using a trusted domain, single-network logon model. A domain is simply a collection of servers that are administered together. Trusted domains establish relationships whereby the users and groups of one domain can be granted access to resources in a trusting domain. This eliminates the need for duplicate entry of user accounts across a multi-server network. Finally, under the single-network-logon model, once users are authenticated, they carry with them their access credentials. Anytime they attempt to gain access to a resource anywhere on the network, Windows NT automatically presents their credentials for them. If trusted domains are used, users may never have to present a password after initial logon, even though their account exists on one server in one domain only.

The single-network-logon model extends to RAS users. RAS access is granted from the pool of all Windows NT user accounts. An administrator grants a single user, group of users, or all users the right to dial into the network. Then, users use their domain logon to connect via RAS. Once users have been authenticated by RAS, they can use resources throughout the domain and in any trusted domains.

Finally, Windows NT provides the Event Viewer for auditing. All system, application, and security events are recorded to a central secure database that, with proper privileges, can be viewed from anywhere on the network. Any attempts to violate system security, start or stop services without authorization, or gain access to protected resources are recorded in the Event Log and can be viewed by the administrator. Microsoft's RAS makes full use of the Event Viewer in Windows NT.

Authentication

One of the most important concerns that corporate customers express relative to security is in the area of authentication. We will attempt to answer here some of the most frequently asked questions, such as:

How can we ensure the privacy of passwords?

Can we use our own security mechanism in addition to that provided by the RAS feature of Windows NT?

Is callback supported?

Authentication protocols

The Challenge Handshake Authentication Protocol (CHAP) is used by the Remote Access Server to negotiate the most secure form of encrypted authentication supported by both server and client. CHAP uses a challenge-response mechanism with one-way encryption on the response, the most secure form of encrypted authentication available. CHAP allows the RAS server to negotiate downward from the most-secure to the least-secure encryption mechanism, and protects whatever passwords are transmitted in the process.

Level of Security    Type of Encryption    RAS Encryption Protocol
High                 One-way               CHAP, MD5
Medium               Two-way               SPAP
Low                  Clear-text            PAP

CHAP allows different types of encryption algorithms to be used. Specifically, RAS uses DES and RSA Security Inc.'s MD5. Microsoft RAS uses DES encryption when both the client and the server are using RAS. DES encryption, the U.S. government standard, was designed to protect against password discovery and playback. Windows NT 3.5, Windows for Workgroups, and Windows 95 will always negotiate DES-encrypted authentication when communicating with each other. When connecting to third-party remote access servers or client software, RAS can negotiate SPAP or clear text authentication if the third-party product does not support encrypted authentication.

MD5, an encryption scheme used by various PPP vendors for encrypted authentication, can be negotiated by the Microsoft RAS client when connecting to other vendors' remote access servers. MD5 is not available in the RAS server.

SPAP, the Shiva Password Authentication Protocol, is a two-way (reversible) encryption mechanism employed by Shiva. Windows NT Workstation 3.5, when connecting to a Shiva LAN Rover, uses SPAP; as does a Shiva client connecting to a Windows NT Server 3.5. This form of authentication is more secure than clear text, but less secure than CHAP.

PAP uses clear text passwords and is the least sophisticated authentication protocol. It is typically used if the remote workstation and server cannot negotiate a more secure form of validation.

The Microsoft RAS server has an option that prevents clear text passwords from being negotiated. This enables system administrators to enforce a high level of security.
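As an added illustration (not part of the original paper and not Microsoft's code), the following Python models the negotiation described above: the server picks the strongest protocol from the table that the client also supports, the clear-text switch refuses PAP-only clients outright instead of downgrading, and a CHAP exchange is verified with the published MD5 formula from the PPP CHAP RFCs (the Microsoft server on this page negotiates DES-based CHAP, but the challenge-response structure is the same). Account names and secrets are constructed.

```python
import hashlib
import hmac
import os

# Protocols from the table above, strongest first: CHAP (one-way),
# SPAP (reversible), PAP (clear text).
PROTOCOL_RANK = {"CHAP": 0, "SPAP": 1, "PAP": 2}


def negotiate(client_supports, allow_clear_text=True):
    """Return the strongest protocol both sides support, or None to refuse.

    allow_clear_text=False models the RAS server option that prevents
    clear-text passwords from being negotiated: a client that only speaks
    PAP is refused rather than accepted at the lowest level.
    """
    server_supports = set(PROTOCOL_RANK)
    if not allow_clear_text:
        server_supports.discard("PAP")
    common = server_supports & set(client_supports)
    if not common:
        return None
    return min(common, key=PROTOCOL_RANK.__getitem__)


def pap_on_the_wire(username, password):
    """What PAP exposes to anyone recording the line: the password itself."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier, secret, challenge):
    """CHAP with MD5: MD5(identifier || secret || challenge).

    Only a one-way digest crosses the wire; the shared secret never does.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side of the handshake, with single-use random challenges."""

    def __init__(self, accounts):
        self._accounts = accounts   # username -> shared secret (bytes), constructed
        self._pending = {}          # identifier -> outstanding challenge

    def challenge(self, identifier):
        """Issue a fresh random challenge for this exchange."""
        value = os.urandom(16)
        self._pending[identifier] = value
        return value

    def verify(self, identifier, username, response):
        """Check the response; consuming the challenge defeats playback."""
        challenge = self._pending.pop(identifier, None)
        secret = self._accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    """Walk through one CHAP exchange and one replayed response."""
    server = ChapServer({"alice": b"constructed-secret"})
    ident = 1
    challenge = server.challenge(ident)
    response = chap_response(ident, b"constructed-secret", challenge)
    first = server.verify(ident, "alice", response)
    replay = server.verify(ident, "alice", response)  # same bytes again
    return {"first_attempt": first, "replayed": replay}
```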

Third-party security hosts

RAS supports third-party security hosts. The security host sits between the remote user and the RAS Server, as pictured below:

The security host generally provides an extra layer of security by requiring a hardware key of some sort in order to provide authentication. Verification that remote users are in physical possession of the key takes place before they are given access to the RAS Server. This open architecture allows customers to choose from a variety of security hosts to augment the security in RAS.

As an additional measure of security, RAS offers call back. Call back security enables administrators to require remote users to dial from a specific predetermined location (for example, their telephone at home) or to call back a user from any location, in order to use low-cost communications lines. In the case of secured call back, the user initiates a call and connects with the RAS Server. The RAS Server drops the call, then calls back a moment later to the predetermined call back number. This security method will generally thwart most impersonators.

Network Access Restrictions

Remote access to the network under RAS is under the complete control of the system administrator. In addition to all of the tools provided with Windows NT Server (authentication, trusted domains, event auditing, C2 security design, and so on), the RAS Administrator tool gives an administrator the ability to grant or revoke remote access privileges on a user-by-user basis. This means that even though RAS is running on a Windows NT Server-based PC, access to the network must be explicitly granted for each user who is to be authorized to enter the network via RAS.

The procedure to grant remote access is illustrated below to show that it is an easy process, but one that helps protect the network from unauthorized access.

1. Start the Administrator's utility by double-clicking the Remote Access Admin icon.

2. From the Users menu, Choose Permissions.

3. Select the users that you want to grant Remote Access permissions to, then click the Grant dial-in permission to user check box.

This process ensures that remote access must be explicitly granted, and provides a convenient means for setting call back restrictions.

In order to further protect customers' networks, RAS provides an additional measure of security. The RAS Administrator provides a switch that allows access to be granted to all resources that the RAS host machine can see, or just resources local to that PC. This allows a customer to tightly control what information is available to remote users, and to limit their exposure in the event of a security breach.
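As an added example that is not from the paper or from Microsoft, here is a small Python model of the authorization steps described in this section: an authenticated account is admitted only if dial-in permission was granted, the call-back setting determines whether the server hangs up and redials (and, for a preset number, ignores any number the caller offers), and the server-wide switch limits what the remote user can reach. The setting names, usernames and phone numbers are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class CallBack(Enum):
    """The call-back settings the text describes (names are constructed)."""
    NONE = "no call back"
    SET_BY_CALLER = "set by caller"   # any location; saves line charges
    PRESET = "preset"                 # secured call back to a fixed number


@dataclass
class DialInPermission:
    granted: bool
    call_back: CallBack = CallBack.NONE
    preset_number: Optional[str] = None


@dataclass
class Decision:
    admit: bool
    call_back_number: Optional[str]  # None: stay on the original call
    scope: str                       # "entire network" or "this computer only"
    audit: str                       # what the Event Log would record


class RasAdmin:
    """Per-user dial-in permissions plus the server-wide network switch."""

    def __init__(self, permissions, entire_network=True):
        self._permissions = permissions   # username -> DialInPermission
        self._scope = "entire network" if entire_network else "this computer only"

    def decide(self, username, authenticated, caller_number=None):
        """Authorize one dial-in after authentication has completed."""
        if not authenticated:
            return Decision(False, None, self._scope,
                            f"{username}: authentication failed")
        perm = self._permissions.get(username)
        if perm is None or not perm.granted:
            # A valid domain account is not enough; dial-in must be granted.
            return Decision(False, None, self._scope,
                            f"{username}: no dial-in permission")
        if perm.call_back is CallBack.PRESET:
            # Server drops the call and redials the administrator's number;
            # a number supplied by the caller is ignored.
            number = perm.preset_number
            note = f"call back preset to {number}"
        elif perm.call_back is CallBack.SET_BY_CALLER:
            number = caller_number
            note = (f"call back to caller-supplied {number}"
                    if number else "no call back requested")
        else:
            number = None
            note = "no call back"
        return Decision(True, number, self._scope,
                        f"{username}: admitted, {note}")
```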

Data Encryption

Data encryption in RAS is designed to protect customers' data and ensure secure dial-up communications. This is especially important for financial institutions, law-enforcement and government agencies, and corporations that require secure data transfer. With data encryption, your data will be kept private.

For installations where total security is required, the RAS administrator can set the RAS server to force encrypted communications. Users connecting to that server would be forced to encrypt all data sent.

Security Conclusion

Corporate customers and other users who are implementing remote access solutions have a justifiably high level of concern about security. RAS leverages and extends the security provided by the Windows NT operating system, and provides the tools to create a totally secure, yet highly functional, remote LAN access solution.

Interoperability

Because LANs are evolving quickly from islands of information to fully-connected networks of diverse operating systems, protocols, and file systems, Microsoft has defined interoperability as a key feature in Windows NT and RAS. Microsoft understands customers' needs for interoperability, and has concentrated on the following areas to ensure smooth integration into the heterogeneous networks of today and tomorrow:

Flexible hardware options

PPP: An underlying protocol for interoperability

A ramp to the Internet

Seamless integration with NetWare networks

Interoperability with other third-party remote access vendors

Flexible Hardware Options

Remote Access Service offers the broadest hardware support of any remote access vendor. Currently, more than 1700 PCs, 300 modems, and 11 multi-port serial adapters are supported. By selecting a remote access solution with very broad hardware support, customers can gain flexibility in their system design. A complete listing of the hardware devices supported by RAS can be found in the Windows NT Hardware Compatibility List (HCL). The HCL ships with Windows NT, and can also be found on the Microsoft Download Service (206-936-MSDL) or on CompuServe® (GO WINNT).

Point-to-Point Protocol: The Enabling Technology

Previous versions of RAS functioned as NetBIOS gateways. Users would make their connections using NetBEUI/NetBIOS, and then inherit other protocols from the server. This enabled users to share network resources in a multi-vendor LAN environment, but prevented them from running applications that relied on the presence of a protocol other than NetBEUI on the client side. The enhanced architecture is as follows:

Although this architecture continues to support the NetBIOS gateway, it also offers some exciting new possibilities. This architecture enables clients to load any combination of NetBEUI, IPX, and TCP/IP. Applications written for the Windows Sockets, NetBIOS, or IPX interface can now be run on a Windows NT Workstation. This architecture will be the basis for the RAS client in Windows 95 as well.

Multi-protocol routing is just one of the benefits of Microsoft's move to the Point-to-Point Protocol (PPP) in RAS. The PPP is a set of industry standard protocols that enable remote access solutions to interoperate in a multi-vendor network. PPP support in Windows NT 3.5 and Windows 95 means that workstations running Windows can dial into remote networks through any industry standard PPP server. It also enables a Windows NT Server to receive calls from, and provide network access to, other vendors' remote access workstation software.

And although multi-protocol support is an important new feature of RAS, NetBIOS gateway support continues to be an important part of its feature set. An example of the NetBIOS gateway capability is remote network access for Lotus® Notes® users. Although Lotus Notes does offer dial-up connectivity, dial-up is limited to the Notes application only. RAS complements this connectivity by providing a low-cost, high-performance remote network connection for Notes users that not only connects Notes, but offers file and print services and access to other network resources.

Many customers who are interested in PPP interoperability are also concerned with SLIP. SLIP, the Serial Line Internet Protocol, is an older communications standard found in UNIX environments. SLIP does not provide automatic negotiation of network configuration; it requires user intervention. It also does not support encrypted authentication. Microsoft has chosen to support SLIP on the client side, so that clients running Windows NT Workstation 3.5 may dial into an existing SLIP server. RAS does not provide a SLIP server in this release of Windows NT Server.

RAS: A Ramp to the Internet

Perhaps the most exciting development in networking during the 1990s has been the explosive growth in Internet usage. The latest figures indicate that over 20 million people have access to this world-wide network. The Internet's diverse services appeal to a broad spectrum of business people, academics, government users, and others, and it is the best model in existence today of the "Information Superhighway" of tomorrow.

Today, more and more companies are turning to the Internet to conduct their business. The Internet provides a public domain network that spans the world. Businesses can gather information, share electronic mail, collect research data, house information data banks, distribute software, participate in special interest groups, and get daily news and market services over the Internet. Users can send electronic mail or documents that are normally sent through overnight express services. Companies that sell products or services can set up an Internet host computer that supplies potential customers with product information, an area to place orders, or access to a bulletin board with the latest technical information. For example, Microsoft has an Internet server (ftp.Microsoft.com) to distribute software, provide product fixes, and supply technical articles.

The Internet provides the curious user with a colossal list of topics from which to choose. An astronomy buff can learn about the Hubble Space Telescope; a traveler can find out the weather in Dallas; a prospective student can access college and university brochures on-line. The Internet has a collection of computers that have information on meteorology, science, art, geology, medicine, law, physics, technology, geography, and more.

Traditionally, connecting to the Internet has been a difficult process that is daunting for a beginner. Early tools such as FTP and Telnet featured character-based commands suited for the technical elite who knew how to connect and maneuver through the intertwined network with 32-bit IP addresses. Today's tools such as Gopher and World Wide Web provide front-end viewers that allow users to scan through and search for information without much knowledge of where information resides and without having to log on to the source computer.

With Windows NT and RAS, Microsoft provides an operating system that fully supports the Internet. There are several different scenarios for connecting to the Internet using Windows NT and RAS:

Using Windows NT and RAS, a user can make an IP over PPP connection to practically any Internet host. Speeds of 2400 baud up to 128 KBPS are supported. Once the RAS connection is established, the user can choose from a variety of tools, from the traditional, non-graphical to those that fully exploit the Windows interface.

A business can establish a RAS server with direct connections to the Internet. The server can be isolated from the rest of the corporate network to provide for security. Users can dial one number for access to the Internet, and one number for access to the corporate LAN.

An Internet service provider can set up a "Rent-A-Net" service that provides a shared Internet connection, plus value-added services, such as electronic mail and fax gateways, custom databases, software distribution, and other custom applications. RAS is a very good solution for this scenario because it offers up to 256 connections at very high speeds, with a variety of protocols and client software supported.

Microsoft has a reputation for providing easy-to-use operating systems and software. We plan to continue this approach with Internet access-providing the best solutions available for mobile computer users.

NetWare Interoperability

For most customers, the ability for remote users to gain access to Novell NetWare services is at the top of the requirements list for a remote access solution. Microsoft is working hard to make RAS a viable solution for networks using both Windows NT and NetWare.

Workstations running Windows NT 3.5 and Windows 95

The client enhancements described above allow Windows NT Workstation 3.5 and Windows 95 remote users to function as full IPX clients. Applications designed to run in an IPX environment are fully supported. The configuration on the Windows NT Workstation-based PC would include the IPX application, CSNW (Client Service for NetWare, the Windows NT requester for NetWare), the NWLink (IPX-compatible) transport, and RAS.

On the server, the NWLink transport and RAS are loaded. This allows IPX packets to be routed to NetWare-based servers, so users can connect transparently to NetWare resources. There is no need to load the Gateway Services for NetWare (GSNW).

For the client running Windows NT Workstation 3.5 or Windows 95, the remote session proceeds as follows: The user starts the machine, loads the graphical RAS phone book, initiates the RAS session, enters his or her credentials, is authenticated by the RAS server, goes to File Manager, and then browses NetWare resources. If the user's credentials are the same for Windows NT Server as they are for NetWare, the password needs to be entered only once during the session. The connectivity is transparent, so from the user's perspective there is no indication of using a Windows NT Server (non-NetWare) dial-up connectivity solution.

Windows for Workgroups 3.11, Windows NT 3.1, and RAS 1.1 Workstations

Previous versions of RAS (included in Windows NT 3.1, Windows for Workgroups 3.11 and RAS 1.1) only had the capability of running NetBEUI. These clients (henceforth called downlevel RAS clients) were not able to run IPX over RAS links as Windows NT Workstation 3.5 and Windows 95 can.

Windows NT Server 3.5, with Gateway Services for NetWare, enables downlevel RAS clients to connect to NetWare servers even though they cannot directly access NetWare via the IPX protocol stack.

On the RAS server, the NWLink transport, Gateway Services for NetWare (GSNW), and RAS are loaded. Once the GSNW is installed, the administrator mounts NetWare volumes from the Windows NT Server using File Manager, and then shares the mounted drives using GSNW from the GSNW control panel. (For the sake of simplicity, this document says that Gateway Services for NetWare should be installed on the RAS server. In practice, the Gateway Services for NetWare can be installed on any Windows NT Server 3.5-based PC on the LAN, not just the RAS server.)

To the downlevel RAS client, the remote session proceeds as follows: The user starts the machine, loads the graphical RAS phone book, initiates the RAS session, enters his or her credentials, is authenticated by the RAS Server, goes to File Manager, and then browses Windows Network resources. The user then connects to the NetWare drives, which appear as Windows NT Server drives by virtue of the Gateway Services for NetWare. The connectivity is transparent, so there is no indication from the user's perspective that he or she is connecting to a NetWare server.

Third-Party Interoperability Options

With the inclusion of PPP in RAS, Microsoft can now offer interoperability with a variety of third-party remote access solutions. This enables PCs running Windows NT Workstation to connect to existing remote access servers, as well as RAS-based servers to come on-line without affecting existing client configurations.

In April 1994, Microsoft hosted PPP Bakeoff '94. Bakeoff '94 provided a venue for many PPP vendors to get together and test interoperability of their respective products, identify problem areas, and fix problems. The following PPP Consortium members participated in Bakeoff '94:

Advanced Computer Communications

3Com Corporation

Cayman Systems

Cisco Systems

Computone Corporation

Digital Equipment Corporation

FTP Software, Incorporated

IBM Corporation

Institute for Information Industry (Taipei, Taiwan)

Klos Technologies

Lachman Technologies

Lantronics, Incorporated

Microsoft Corporation

Morning Star Technologies

NEC America, Incorporated

NetManage, Inc.

Network Application Technology

Network Systems, Inc.

Networks Northwest, Inc.

Novell

Proteon

Shiva Corporation

Spry, Incorporated

SunSoft

Telebit Corporation

Wellfleet Communications

Xylogics

Xyplex Incorporated

To ensure interoperability of your current remote access solution with Windows NT 3.5 and Windows 95, contact your remote access vendor for their latest software update based on the results of PPP Bakeoff '94.

In addition to participating in the PPP Bakeoff '94, Microsoft has conducted follow-up calls with individual vendors to retest our products, and has also installed the following products in our labs permanently for interoperability testing.

Remote access servers:

3Com Access Builder

Cisco PPP Routers

Shiva LAN Rover 2.0

Telebit NetBlazer

Remote access clients:

FTP OnNet 1.1 (beta version)

NetManage Chameleon 4.1

Shiva ShivaRemote 3.1a

Interoperability Conclusion

Microsoft is committed to achieving interoperability with other vendors' remote access products via PPP. A tremendous amount of effort has gone into interoperability testing and will continue in future versions of Windows and Windows NT operating systems as well.

Scalability

This section will detail how RAS can effectively scale from 1 to 256 users on a single PC. First, we will discuss the scalability of Windows NT Server, the host platform for RAS. Next, we will discuss the details of a 256-port test of RAS performed by Microsoft prior to shipping Windows NT 3.5. Finally, cost comparisons will be provided that compare RAS with typical software and hardware solutions, showing estimated costs for various numbers of users.

Windows NT Scalability Overview

Because Remote Access Service (RAS) is hosted by the Windows NT platform, it inherits the scalability built into Windows NT. Windows NT was designed to scale from a departmental server for several users running on inexpensive hardware, to a symmetric multi-processing enterprise-wide super-server. Windows NT scales to multiple CPUs and gigabytes of RAM, and across to RISC platforms, running on machines based on MIPS® and DEC™ Alpha AXP™ processors.

At the high-end, Windows NT supports a number of fault-tolerant features required for mission-critical operations. For example, disk striping with parity (RAID 5) support allows hardware configurations that provide a high level of recoverability from disk failures. Other features such as multi-threaded asynchronous I/O, UPS support, disk duplexing, and automatic system restart in the unlikely event of a crash allow customers to deploy high-capacity, highly reliable servers.

The Windows NT Performance Monitor also promotes scalability. As demands on a system increase, bottlenecks typically appear. Because of the complexity of modern PC hardware, there are hundreds of potential chokepoints for a server. Performance Monitor allows an administrator to set counters on a variety of system resources on a local or remote Windows NT-based server, and then to receive alerts when performance thresholds are reached. This powerful tool is also open, so that software added to a Windows NT-based system (including RAS) can install its own counters into the Performance Monitor object list.

Details of Large Scale Internal Testing

Shown below is a diagram of the RAS configuration tested by Microsoft prior to the release of Windows NT 3.5. This test was designed to demonstrate that a server running RAS could scale to meet customer needs, and to provide configuration guidelines to customers deploying RAS on a large scale.

The test environment consisted of the following:

Remote client machines, running a mixture of MS-DOS®, OS/2®, Windows 3.1, Windows for Workgroups 3.11, Windows NT 3.1, and Windows NT Workstation 3.5.

A RAS-based server with two Digiboard EPC Controllers. The RAS server was configured to use 128 ports on each of the EPC Controllers.

Clients running IPX, NetBEUI, and IP; both single-stack and in various combinations.

The RAS-based server running NWLink (IPX-compatible transport), TCP/IP, and NetBEUI.

Tests consisted of workstations dialing in, running network tests, and then disconnecting. The peak number of simultaneous connections registered was 108.

The clients ran four different types of applications:

File copy and compare with the PC running Windows NT Server 3.5

SQL Server on Windows NT, table updates and queries

FTP sessions to a Windows NT Server

Microsoft's internal stress tests

Communications equipment:

Digiboard EPC Serial Adapter

US Robotics V.32bis QUAD Digital rack mounted modems

11 T1 lines connecting the modem bank to public telephone network

256 RS232 Serial cables connecting the modem bank to Digiboard EPC

RAS server configuration recommendations:

32 ports or less:
  Intel 486/66 or greater with 32 MB RAM
  RISC (DEC Alpha AXP, MIPS) with 48 MB RAM

64 ports or less:
  Dual Processor Intel® Pentium™ with 64 MB RAM
  RISC (DEC Alpha AXP, MIPS) with 64 MB RAM

More than 64 ports:
  Dual Processor RISC (DEC Alpha AXP, MIPS) with 64 MB RAM

In order for a remote network access solution to make sense for broad deployment, it must scale to support the needs of various workgroups. In all cases, remote access should be reliable, economical, and able to support a variety of user tasks. Microsoft's Remote Access Service leverages the scalability and fault tolerance of Windows NT, and has been shown to scale well to its full rated capacity of 256 users.

Cost Comparisons

In order to assist customers who are evaluating remote network access solutions, we have prepared a comparison showing pricing from three vendors, Microsoft, Novell, and Shiva. Microsoft and Novell offer software-based solutions, while Shiva provides a hardware solution. Because of this, hardware costs were added to the Microsoft and Novell software costs to come up with an apples-to-apples comparison. The hardware used was the Digiboard EPC, the same product used in the RAS scalability tests described above.

It is important to note that modem costs were not considered for the purpose of this comparison. However, modem costs would be the same for each solution.

Number of users                   1           8        16       32         64          256

Microsoft Windows NT Server (1)   2,684 (2)   3,825    4,506    8,010 (3)  18,825 (3)  56,620 (3)
Novell NetWare Connect (4)        2,544       5,040    7,735    12,185     24,370      97,480
Shiva LAN Rover/E                 2,899       3,999    7,998    15,996     31,992      127,968

All prices shown in US$, ERP. All prices subject to change.

1. Price calculation assumes that a Windows NT Server network is not in place, thus requiring purchase of extra user licenses. If Microsoft network clients have already been purchased, then the total software cost for RAS will be only $700 per RAS server.

2. Based on the cost of one Windows NT Workstation; all other prices based on one Windows NT Server.

3. Lower prices may be available via Microsoft Select volume purchase program.

4. Prices are for NetWare Connect only; NetWare servers would be extra, as would extra user licenses for NetWare.

Hardware Configuration Estimates for NetWare Connect and Windows NT Server

In order to provide complete cost information, hardware cost was factored into estimates for Microsoft RAS and Novell NetWare Connect. The following assumptions were made about hardware configurations:

Number of Ports: 1
  NetWare Connect:    1 PC 486/33, 16 MB RAM
  Windows NT Server:  1 PC 486/33, 16 MB RAM

Number of Ports: 8
  NetWare Connect:    1 PC 486/33, 16 MB RAM; 1 Digiboard PC/8e Adapter
  Windows NT Server:  1 PC 486/33, 16 MB RAM; 1 Digiboard PC/8e Adapter

Number of Ports: 16
  NetWare Connect:    1 PC 486/33, 16 MB RAM; 1 Digiboard EPC Adapter with 16 ports
  Windows NT Server:  1 PC 486/33, 16 MB RAM; 1 Digiboard EPC Adapter with 16 ports

Number of Ports: 32
  NetWare Connect:    1 PC 486/33, 32 MB RAM; 1 Digiboard EPC Adapter with 32 ports
  Windows NT Server:  1 PC 486/33, 32 MB RAM; 1 Digiboard EPC Adapter with 32 ports

Number of Ports: 64
  NetWare Connect:    2 PCs 486/33, 32 MB RAM; 2 Digiboard EPC Adapters with 32 ports each
  Windows NT Server:  1 PC Dual Pentium, 64 MB RAM; 1 Digiboard EPC Adapter with 64 ports

Number of Ports: 256
  NetWare Connect:    8 PCs 486/66, 32 MB RAM; 8 Digiboard EPC Adapters with 32 ports each
  Windows NT Server:  1 PC Dual RISC, 64 MB RAM; 2 Digiboard EPC Adapters with 128 ports each

Hardware Cost Estimates:

486/33 with 16 MB RAM                 $1,949
486/33 with 32 MB RAM                 $2,050
486/66 with 32 MB RAM                 $3,100
Dual Pentium with 64 MB RAM           $11,000
Dual MIPS R4X00                       $11,000
Dual Alpha with 64 MB RAM             $25,000
Digiboard PC/8e Adapter (8 ports)     $795
Digiboard EPC Adapter (16 ports)      $1,295
Digiboard EPC Adapter (32 ports)      $3,090
Digiboard EPC Adapter (64 ports)      $4,885
Digiboard EPC Adapter (128 ports)     $15,460

Remote Access Product Cost Estimates:

Shiva LAN Rover/E

4 Port $2,899

8 port $3,999

Microsoft Windows NT Server

Base Server $700

User License $35/user

Novell NetWare Connect

2-user $595

8-user $2,195

32-user $5,995

The cost comparison is shown graphically:

Microsoft RAS is an economical solution, offering savings for networks of any size, and significant savings when maximum capacity is required.

Performance Comparisons

In order to assist customers who are evaluating remote network access solutions, here is a performance comparison of products from three vendors: Microsoft, Novell, and Shiva. Given the relatively low-bandwidth, low-speed links available for remote computing today, remote access solutions need to manage data traffic very efficiently. Efficiency is achieved by data compression and intelligent I/O management at the remote access server.

Prior to releasing Windows NT 3.5, Microsoft conducted performance tests comparing Windows NT Remote Access with Shiva LAN Rover 2.0 and NetWare Connect 1.0. Microsoft RAS proved to be the best performing solution. The test consisted of dialing into the network and then simply recording the time taken to transfer various files.

The test results are shown below.

Test Configuration

In order to ensure fairness, identical hardware was used for testing whenever possible. Windows NT Server 3.5 and NetWare Connect 1.0 server ran in dual boot mode on the same server.

For Shiva and Windows NT Server 3.5 testing, the same workstation was used. This was possible because both Shiva LAN Rover and Microsoft RAS support the PPP standard. It was not possible to use the same workstation for the NetWare Connect 1.0 testing because NetWare Connect does not support PPP.

Shiva LAN Rover 2.0:
  9600 baud modem
  Modem compression enabled
  Windows NT Workstation 3.5 running IPX over PPP

Novell NetWare Connect 1.0 running on NetWare 4.01:
  9600 baud modem
  NetWare Connect software compression enabled
  MS-DOS 6.2-based workstation running NetWare Connect dial-in client software

Microsoft Windows NT Server 3.5:
  9600 baud modem
  Microsoft RAS software compression enabled
  Windows NT Workstation 3.5 running IPX over PPP

Conclusions

Mobile computing is a critical aspect of doing business today. Microsoft is committed to building operating systems that address this need, both on the desktop and the server. Microsoft's Remote Access Service, in both Windows NT 3.5 and Windows 95, is designed to provide comprehensive dial-up connectivity for corporate networks and the global Internet.

RAS is Microsoft's strategic mobile computing technology, and provides the following key features that make Windows and Windows NT great remote computing operating systems:

Transparent network access

Multi-protocol support (TCP/IP, IPX, and NetBEUI)

Ease of use

Advanced, reliable security

Excellent performance

Scalability from the workgroup to the enterprise, and to the global Internet

Comprehensive wide-area networking (public telephone, ISDN, and X.25 networks)

Programmability via Windows RAS Application Programming Interfaces (APIs)

Perhaps most importantly, RAS preserves your investments by using industry standard protocols that ensure interoperability with non-Microsoft remote access solutions.

Appendix A. Product Capabilities Matrix

This product capabilities matrix provides a comparison of functionality for all RAS platforms.

Platform                        # of Ports   Protocols           WAN Options

MS-DOS (RAS 1.1a)               1            NetBIOS             Async, X.25
Windows for Workgroups 3.11     1            NetBIOS             Async, X.25, ISDN
Windows NT 3.1                  1/64 (1)     NetBIOS             Async, X.25, ISDN
Windows NT 3.5                  1/256 (1)    NetBIOS, IP, IPX    Async, X.25, ISDN
Windows 95                      1            NetBIOS, IP, IPX    Async, X.25, ISDN

1. The first number given is for Windows NT Workstation, the second is for Windows NT Server.

Platform                        Data Encryption   Compression       Authentication

MS-DOS (RAS 1.1a)               No                Modem             MS Encrypt, Callback
Windows for Workgroups 3.11     No                Modem             MS Encrypt, Callback, 3rd Party
Windows NT 3.1                  No                Modem             MS Encrypt, Callback, 3rd Party
Windows NT 3.5                  Yes               Modem, Software   MS Encrypt, Callback, 3rd Party
Windows 95                      Yes               Modem, Software   MS Encrypt, Callback, 3rd Party

Appendix B. PPP RFCs

Windows NT 3.5 and Windows 95 implement the following RFCs:

1144 Compressing TCP/IP Headers (Van Jacobson header compression)

1332 IP Control Protocol

1334 Authentication Protocols

1547 Requirements for PPP

1548 PPP

1549 PPP in HDLC

1055 SLIP

1552 IPXCP

1570 LCP Extensions

Draft NBFCP

Draft PPP over ISDN

Draft PPP over X.25

Appendix C. The Move to Client-Server Computing (Remote Node vs. Remote Control)

This section explains client-server computing, why RAS works very well in a client-server environment, and why remote control may be better suited for non-client-server environments. This section also shows how RAS and remote control can be deployed together to take advantage of their unique advantages, and most importantly, demonstrates how corporations can design their remote computing systems in anticipation of their migration to client-server computing.

Client-Server Computing

Client-server computing is a new network computing model that optimizes network usage, and greatly facilitates data analysis and decision making by end users.

Client-server networks are composed of back-end servers that are responsible for data storage, organization, and retrieval, and front-end systems running applications that manipulate, analyze, and present data to the user in an intuitive way.

In the example below, the SQL database server is responsible for data storage, record locking and so on. The client computer runs an application that is compliant with the Open Database Connectivity (ODBC) standard and asks for specific information from the server. The server retrieves data and sends it back to the client. The client application then manipulates and displays the information to the user, using various functions of productivity tools such as the Microsoft Visual Basic® programming system, Microsoft Excel, Lotus 1-2-3®, and others.

Network traffic in this model is limited to:

A query from the client workstation

Specific data requested by the client workstation

This approach to networking reduces congestion on corporate networks, as well as remote workstations that are connected via RAS.

Non-Client-Server Computing

In older LANs, data access and retrieval did not typically follow the client-server networking model. In the older model, a server stores data in a database, and client workstations run applications that are responsible for directly manipulating the database (for example, opening the database, locking records, and so on). The client application therefore does more work than in a client-server model. Furthermore, the client application opens the entire database, and typically downloads a large portion of the main database into workstation memory.

In the non-client-server model, because applications open entire databases and so on, network traffic is not optimized. This puts a heavy load on the corporate network, and drastically affects the performance of remotely attached workstations that are connected via relatively slow links.

In this environment, it becomes useful to adopt the remote control approach for dial-up networking. With remote control, a client computer connects to a "host" and takes over the screen and keyboard of the host. With this model, the data transferred between the two machines consists of key strokes and screen updates. This will typically be less data than an entire database.

Using RAS and Remote Control Simultaneously

Remote control applications can run on the LAN. Therefore, by definition, they can work over RAS connections that simply extend the LAN to remote locations.

By running remote control applications over RAS, the user gains the advantages of RAS in a client-server environment, in addition to being able to run non-client-server applications with adequate performance. The key advantages that the user gains by using RAS with their remote control applications are:

Modem pooling for incoming calls

Migration path to client-server computing

RAS compression

Single access point for security, including all the advanced security options that RAS provides

RAS wide-area networking support (telephone, X.25, and ISDN networks)

Most remote control solutions today work with MS-DOS and will work with Microsoft RAS 1.1a workstations. Contact your remote control vendor for information on 32-bit networking support availability for Microsoft Windows. With 32-bit networking support, remote control applications will be able to run on Windows for Workgroups 3.11 RAS and Windows 95.

Appendix D. Resource Directory

This resource directory provides contact information on many of the vendors listed in this article. It is not intended as an all-inclusive list of RAS-related products.

Digiboard

6400 Flying Cloud Drive

Eden Prairie, MN 55344

(612) 943-9020

Multi-port Serial Adapters, ISDN Adapters

SpartaCom

10 Ave du Quebec - BP537

91946 COURTABOEUF CEDE

FRANCE

Tel: +33 1 69 07 17 80

Fax: +33 1 69 29 09 19

SpartaCom USA

1951 Airport Road

Suite 211

Atlanta, GA 30341

Tel: (404) 455 0701

Fax: (404) 457 9500

Modem Sharing Software for Windows NT Server

Eicon Technology Corp.

2196 - 32nd Avenue (Lachine)

Montreal, Quebec H8T 3H7

Canada

(514) 631-2592

X.25 Adapters

NetManage, Inc.

20823 Stevens Creek Blvd.

Cupertino, CA 95014

Phone: (408) 973-7171

Fax: (408) 257-6405

Terminal Emulation, File Transfer, X Windows, E-mail, NFS, TN3270, BIND, SNMP

Security Dynamics

One Alewife Center

Cambridge, MA 02140 USA

Phone (617) 547-7820

Fax (617) 354-8836

Advanced network security and authorization products

Digital Pathways Inc.

201 Ravendale Drive

Mountain View, CA 94043-5216

Phone (415) 964-0707

Fax (415) 961-7487

Advanced network security and authorization products

Racal

480 Spring Park Place

Suite 900

Herndon, Virginia 22070

Phone (703) 437-9333

Fax (703) 471-0892

Advanced network security and authorization products