NT -- TECHNICAL SUPPORT
Chapter 9 - NT Networking Environment
Chapter 10 - Configuring NT Protocols
Chapter 11 - NT Networking Services
Chapter 12 - Implementing Remote Access Service (RAS)
Chapter 13 - Internetworking and Intranetworking (IIS and PWS)
Chapter 14 - Interoperating with Novell NetWare
Networking capabilities are built into the NT operating system (MS-DOS and Windows 3.x install networking separately from the core operating system). A single NT computer can simultaneously interoperate with the following networking environments:
- MS networks, incl. NT, Win 95, WfW, and LAN Manager
- TCP/IP networks, including UNIX hosts
- RAS
- AppleTalk-based networks (through Services for Macintosh, an NT Server component)
- Novell NetWare 3.x and 4.x networks
I/O Manager
-- a component of the NT Executive; it contains most of the NT networking components, which are organized into three layers, from bottom to top: NDIS 4.0-compatible network adapter card drivers, protocols, and file system drivers. A boundary layer, the Transport Driver Interface (TDI), sits between the protocols and the file system drivers.
Network adapter card drivers -- drivers that comply with the Network Device Interface Specification (NDIS) 4.0.
Each network adapter card can have one or more corresponding drivers; all of them must be NDIS 4.0-compatible.
With NDIS 4.0, one or more protocols can be bound, independently, to one or more network adapter card drivers.
NDIS 4.0 defines the software interface that protocols use to communicate with network adapter card drivers. Any NDIS 4.0-compatible protocol can communicate with any NDIS 4.0-compatible network adapter card driver, so a protocol does not need to include code written for specific network adapter card drivers.
The initial communication channel between a protocol and a network adapter card driver is established through a process called binding.
NDIS 4.0 is implemented in a module called Ndis.sys, referred to as the NDIS 4.0 library or wrapper.
in NT, NDIS 4.0 allows:
Note: of the protocols listed above, only the DLC protocol is NOT a transport protocol (it is used to reach devices such as mainframes and network-attached printers).
Transport Driver Interface (TDI)
Because TDI lets the networking components above and below it be independent of each other, protocols can be added, removed, or changed without reconfiguring the entire network subsystem.
File System Drivers -- used to access files.
The I/O Manager controls the file system drivers. It can store files locally on a hard disk, using a file system driver such as Ntfs.sys, or on a remote networked computer, using the Redirector file system driver.
Redirector -- (also referred to as the Workstation Service) If an I/O request is for a network resource, the Redirector accepts the request and sends (redirects) it to the appropriate network resource. The NT Redirector allows connection to WfW, LAN Manager, LAN Server, and other MS network-based servers.
Server -- (also referred to as the Server Service) supplies the connections requested by client-side redirectors and provides them with access to the resources they request.
In short, the Workstation Service (Redirector) redirects I/O requests to other servers; the Server Service (Server) sets up the connection and provides access to resources on the local computer.
Each NT networking component communicates through programming interfaces called boundaries. There are two boundary layers in NT networking architecture model:
- transport driver interface (TDI)
- network device interface specification (NDIS 4.0)
Boundary Layers modularize NT network architecture and provide a platform for developers to build distributed applications. For example, vendors developing protocols need to program only between the boundaries, instead of programming for the entire Open System Interconnection (OSI) model.
In a typical distributed application, a computing task is divided into processes:
front-end processes that require minimal resources and run on a client, and
back-end processes that require large amounts of data, numeric calculation, shared processing rules, or specialized hardware, and run on a server. The server shares its processing power, carrying out tasks on behalf of clients.
NT computers can perform the role of either the client or the server for distributed application support.
NT computers use interprocess communication (IPC) mechanisms to create client/server connections (bidirectional communications) that support distributed processing. These include named pipes, mailslots, Windows Sockets, remote procedure calls (RPCs), network dynamic data exchange (NetDDE), and distributed Component Object Model (DCOM)
NT computers have the following components, that are needed for accessing file and print resources on a network:
Workstation Service (Redirector) -- Identify the appropriate service that can provide the resources requested by an application.
Server Service (Server) -- Share and secure resources, such as directories and printers.
Multiple Universal Naming Convention Provider (MUP) -- Connect to a remote computer that accepts the universal naming convention (UNC). The UNC is a naming convention for describing network servers, such as:
\\server_name\share_name\subfolder\file_name
the MUP frees applications from having to maintain UNC provider listings. This allows a client computer with multiple redirectors installed to browse and access network resources without having to provide a unique syntax to each network redirector.
Multiple Provider Router (MPR) -- Supports multiple redirectors, including NT, NetWare, and Banyan VINES. The MPR is responsible for routing network requests to the appropriate provider and redirector.
>> Control Panel >>Network >>Adapters
Protocols communicate with network adapter cards by means of NDIS 4.0-compatible network adapter card drivers.
NT supports multiple protocols, bound to one or more adapters, simultaneously.
>> Control Panel >>Network >>Protocols
NWLink IPX/SPX Compatible Transport protocol
-- MS 32-bit NDIS 4.0-compatible version of Novell's IPX/SPX protocol. Used when:
- MS clients need to access client/server applications on Novell NetWare servers, or NetWare clients need to access client/server applications on NT.
- NT needs to communicate with other network devices that run IPX/SPX, such as HP JetDirect print servers.
- also in small network environments that use only NT and MS clients.
Frame types --
NT can be set to detect frame types automatically. However, NT can automatically detect only one frame type: if multiple frame types are detected and 802.2 is among them, NWLink defaults to 802.2 only.
(On Ethernet networks, the standard frame type for NetWare 2.2 and 3.11 is 802.3. Starting with NetWare 3.12, the default frame type was changed to 802.2.) It is possible to establish connections between two computers that use different frame types when one of them is a NetWare computer acting as a router, but this is not efficient and, depending on the number of computers using the two frame types, could result in a bottleneck.
An NT computer must be configured manually to use multiple frame types simultaneously: >>Control Panel >>Network >>Protocols >>NWLink IPX/SPX Compatible Transport >>Properties >>Manual Frame Type Detection >>Add, adding each frame type (with its network number) for the adapter.
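Worked example, added here and not part of the original notes: a classifier that recognizes the four Ethernet frame types NWLink can carry IPX in (Ethernet_II, 802.3 "raw", 802.2, SNAP) from the bytes that follow the MAC header, reads the external network numbers out of the IPX header, and mimics the one-frame-type rule of auto detection. The frames, MAC addresses and network numbers are constructed for the demo; the behaviour when no frames are heard, or when several types are heard without 802.2, is an assumption marked in the code.

```python
# Added example (not part of the original notes): telling the four Ethernet
# frame types NWLink supports apart by the bytes after the MAC header, then
# reading the IPX network numbers out of the IPX header. The frames below
# are constructed for the demo.
import struct

IPX_ETHERTYPE = 0x8137
IPX_HEADER_LEN = 30
MAX_8023_LENGTH = 1500   # larger values in the type/length field are EtherTypes


def build_ipx_header(dst_net, src_net, payload_len=0):
    """Constructed 30-byte IPX header; the checksum field is always 0xFFFF."""
    return (struct.pack(">HHBB", 0xFFFF, IPX_HEADER_LEN + payload_len, 0, 4)
            + struct.pack(">I", dst_net) + b"\x00\x00\xc0\x01\x02\x03" + struct.pack(">H", 0x0451)
            + struct.pack(">I", src_net) + b"\x00\x00\xc0\x04\x05\x06" + struct.pack(">H", 0x4003))


def build_frame(frame_type, ipx):
    """Wrap an IPX packet in one of the four frame types (broadcast destination MAC)."""
    mac = b"\xff" * 6 + b"\x00\x00\xc0\x04\x05\x06"
    if frame_type == "Ethernet_II":
        return mac + struct.pack(">H", IPX_ETHERTYPE) + ipx
    if frame_type == "802.3":                       # "raw" 802.3: IPX follows the length field
        return mac + struct.pack(">H", len(ipx)) + ipx
    if frame_type == "802.2":                       # 802.3 length + LLC header (NetWare SAP 0xE0)
        llc = b"\xe0\xe0\x03"
        return mac + struct.pack(">H", len(llc) + len(ipx)) + llc + ipx
    if frame_type == "SNAP":                        # LLC 0xAA/0xAA + SNAP OUI + EtherType
        snap = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack(">H", IPX_ETHERTYPE)
        return mac + struct.pack(">H", len(snap) + len(ipx)) + snap + ipx
    raise ValueError("unknown frame type %r" % frame_type)


def classify_frame(frame):
    """Return (frame_type, offset_of_ipx_header), or (None, None) if not IPX."""
    if len(frame) < 16:
        return None, None
    type_or_len = struct.unpack(">H", frame[12:14])[0]
    if type_or_len == IPX_ETHERTYPE:
        return "Ethernet_II", 14
    if type_or_len > MAX_8023_LENGTH:
        return None, None                           # some other EtherType, e.g. 0x0800 for IP
    after_length = frame[14:16]
    if after_length == b"\xff\xff":                 # IPX checksum field right after the length
        return "802.3", 14
    if after_length == b"\xe0\xe0":
        return "802.2", 17
    if after_length == b"\xaa\xaa" and frame[17:22] == b"\x00\x00\x00\x81\x37":
        return "SNAP", 22
    return None, None


def ipx_networks(frame):
    """(frame_type, destination network, source network) as 8-digit hex, or None."""
    frame_type, offset = classify_frame(frame)
    if frame_type is None:
        return None
    header = frame[offset:offset + IPX_HEADER_LEN]
    if len(header) < IPX_HEADER_LEN:
        return None
    dst_net = struct.unpack(">I", header[6:10])[0]
    src_net = struct.unpack(">I", header[18:22])[0]
    return frame_type, "%08X" % dst_net, "%08X" % src_net


def auto_detect(frames):
    """Mimic NWLink auto detection, which settles on a single frame type.

    Per the notes, when several types are heard and 802.2 is among them,
    802.2 wins. Assumptions for the demo: with nothing heard, 802.2 is used;
    with several types but no 802.2, the first type seen is kept.
    """
    seen = []
    for frame in frames:
        frame_type, _ = classify_frame(frame)
        if frame_type and frame_type not in seen:
            seen.append(frame_type)
    if not seen or "802.2" in seen:
        return "802.2"
    return seen[0]
```

Running the classifier over a capture of a mixed segment shows at a glance which frame types are in use and which network number each one carries, which is exactly the information you need before assigning a network number to each frame type in Manual Frame Type Detection.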
Network Number and Internal Network Number
Network Number
-- identifies the network segment that you access. Also referred to as the external network number. It must be unique for each network segment and frame type. When you choose Manual Frame Type Detection, you assign a network number to each frame type and adapter combination on your computer.
Internal Network Number
-- an eight-digit hexadecimal number (00000000 by default) that identifies your computer on the network for internal routing. NT does NOT automatically detect the internal network number. In each of the following situations, you must assign a unique non-zero internal network number to your computer:
- File and Print Services for NetWare (FPNW) is installed and multiple frame types are chosen on a single adapter
- NWLink is bound to multiple adapters
- the NT Server runs an application that uses the NetWare Service Advertising Protocol (SAP), such as SQL Server or SNA Server
Routing Information Protocol (RIP)
Using RIP routing over IPX, an NT Server can act as an IPX router. RIP allows a router to exchange info with neighboring routers.
to enable or disable the RIP -->>Network >>Protocols >>NWLink IPX/SPX >>Routing
NetBEUI
-- a protocol developed for small LANs of 20 to 200 computers. Not suitable for WANs, because it is non-routable. Mostly used on older, existing LANs.
TCP/IP
-- a flexible, routable suite of protocols designed for WANs and adaptable to a wide range of network hardware.
Parameters required for each network adapter card when using TCP/IP:
IP address -- a 32-bit address identifying a TCP/IP host. Each IP address has two parts: the network ID and the host ID. The network ID identifies all hosts on the same physical network; the host ID identifies one host on that network. For example, in the IP address 131.107.2.200 (with a subnet mask of 255.255.0.0), 131.107 is the network ID and 2.200 is the host ID.
- Subnet Mask -- a subnet is a network in a multiple-network environment that uses IP addresses derived from a single network ID. Using subnets, an organization can divide a single large network into multiple physical networks and connect them with routers.
A subnet mask masks out a portion of the IP address so that TCP/IP can distinguish the network ID from the host ID. It is used to determine whether the destination host is located on the local network or on a remote network.
Hosts on the same subnet must use the same subnet mask; otherwise they disagree about which addresses are local, and one side will send to the gateway (or fail) for a host the other side considers local.
Default gateway -- for communication with a host on another network. If a default gateway is not configured, communication is limited to the local network (subnet).
Note: the IP address and subnet mask must be assigned. For communication with a remote network, the default gateway must also be specified.
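Worked example, added here and not part of the original notes: the mask arithmetic behind the local-versus-remote decision, using the notes' 131.107.x.x addresses and a constructed default gateway of 131.107.1.1. The last function shows what goes wrong when two hosts on one wire use different subnet masks.

```python
# Added example (not part of the original notes): how a TCP/IP host applies
# its subnet mask to decide whether a destination is local or must be sent
# to the default gateway. All addresses below are constructed for the demo.

def ip_to_int(dotted):
    """Convert a dotted-decimal IPv4 string into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("bad IPv4 address: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("bad octet in %r" % dotted)
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A subnet mask must be a run of 1 bits followed by a run of 0 bits."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def network_id(ip, mask):
    """The network ID is the address with the host bits masked off."""
    if not is_valid_mask(mask):
        raise ValueError("non-contiguous subnet mask: %r" % mask)
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def host_id(ip, mask):
    """The host ID is the remaining (unmasked) bits."""
    return int_to_ip(ip_to_int(ip) & ~ip_to_int(mask) & 0xFFFFFFFF)


def next_hop(src_ip, mask, gateway, dst_ip):
    """Return where this host sends a packet for dst_ip.

    Same network ID -> deliver directly (returns dst_ip).
    Different network ID -> hand to the default gateway, or None when no
    gateway is configured (the host is then limited to its own subnet).
    """
    if network_id(src_ip, mask) == network_id(dst_ip, mask):
        return dst_ip
    return gateway


def mutual_view(ip_a, mask_a, ip_b, mask_b):
    """Whether A considers B local and whether B considers A local.

    Two hosts on one wire with different masks can disagree, which is why
    hosts on a subnet must share the same subnet mask.
    """
    a_sees_b_local = network_id(ip_a, mask_a) == network_id(ip_b, mask_a)
    b_sees_a_local = network_id(ip_b, mask_b) == network_id(ip_a, mask_b)
    return a_sees_b_local, b_sees_a_local


if __name__ == "__main__":
    print(network_id("131.107.2.200", "255.255.0.0"))   # 131.107.0.0
    print(host_id("131.107.2.200", "255.255.0.0"))      # 0.0.2.200
    print(next_hop("131.107.2.200", "255.255.0.0", "131.107.1.1", "192.168.5.7"))
    print(mutual_view("131.107.2.200", "255.255.0.0", "131.107.3.10", "255.255.255.0"))
```

The mismatch case is the one that produces the confusing "A can reach B but B cannot reach A" symptom: A (mask 255.255.0.0) delivers directly, B (mask 255.255.255.0) sends its replies to the gateway, and if no gateway is configured the replies never leave B.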
-- When a DHCP (Dynamic Host Configuration Protocol) Server Service is available, select >>Obtain an IP address from a DHCP server instead of entering these parameters by hand.
>>Command Prompt >>ipconfig /all
-- verifies the TCP/IP configuration parameters on a host. Useful for determining whether the configuration is initialized or whether a duplicate IP address has been configured for the adapter bound to TCP/IP.
ipconfig /release -- releases the IP address (lease) for the specified adapter
ipconfig /renew -- renews the IP address (lease) for the specified adapter
ping IP_address -- tests connectivity; determines whether a particular TCP/IP host is available and functional.
>>Control Panel >>Network >>Bindings
Network bindings are links that enable communication between network adapter card drivers, protocols, and services.
Bindings can be enabled, disabled, and ordered to optimize the network communication.
Example: An NT Server computer uses TCP/IP as its primary protocol. It also has NWLink installed for the sole purpose of hosting connections from NetWare clients. How should the bindings for this server be optimized?
Solutions -- For the Server service, order the bindings so that TCP/IP is first, and NWLink second. For the Workstation service, disable the binding between the Workstation service and NWLink, because the server will never need to establish connections or authenticate users over NWLink.
Note: DHCP, WINS, and DNS are all related services for TCP/IP.
Overview of DHCP Clients and Servers
A DHCP Server is a computer running NT Server, Microsoft TCP/IP, and the DHCP server software.
Note -- If you want to use a DHCP server to support subnetworks that span multiple routers, you may need a firmware upgrade for your routers. Your routers must support RFCs 1533, 1534, 1541, and 1542.
DHCP uses a client-server model. The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration info and provide it to clients. The server database includes:
- Valid configuration parameters for all clients on the internetwork.
- Valid IP addresses maintained in a pool for assignment to clients, plus reserved addresses for manual assignment.
- Duration of leases offered by the server. The lease defines the length of time for which the assigned IP address can be used.
An NT computer becomes a DHCP client if Obtain an IP address from a DHCP server is selected in NT TCP/IP. When a DHCP client computer is started, it communicates with a DHCP server to receive the required TCP/IP configuration info, which includes at least an IP address and subnet mask plus the lease associated with the configuration.
Configuring DHCP servers for a network provides the following benefits:
The administrator can specify global and subnet-specific TCP/IP parameters centrally for the entire internetwork.
Client computers do not require manual TCP/IP configuration.
When a client computer moves between subnets, the old IP address is freed for reuse, and the client is automatically reconfigured for TCP/IP when the computer is started.
Most routers can forward DHCP configuration requests, so DHCP servers are not required on every subnet in the internetwork. (Note: if your IP routers do not support RFC 1542, a DHCP server is required on each subnet.)
How the DHCP Server Service assigns an IP address
The client broadcasts a request. Each DHCP server that receives the request selects an address from the pool of addresses defined in its database and offers it to the client. The client accepts one of the offers, that server confirms it, and the IP address is leased for a specific period of time.
A DHCP scope (a range, or pool, of IP addresses) must be created on the DHCP server using DHCP Manager, which appears in Administrative Tools after the DHCP Server Service is installed.
Installing and Configuring DHCP
To install the DHCP Server Service (on an NT Server ONLY, but it does NOT have to be a DC)
>>Control Panel >>Network >>Services >>Add >>Microsoft DHCP Server
To connect to a DHCP server
>>DHCP Manager (appears once the DHCP service is installed) >>Server >>Add >>type the DHCP server name or IP address
To disconnect from a selected DHCP server
>>DHCP Manager >>Server >>Remove
To create a DHCP scope -- use DHCP Manager
>>Administrative Tools (Common) >>DHCP Manager >>Scope >>Create ...
Note: a scope must be activated before the DHCP server can provide a DHCP client with a valid IP address defined by the scope.
- To configure client reservations
>>DHCP Manager >>Scope >>Add Reservations >>... In the Unique Identifier box, type the physical address (without the hyphens) of the client computer's network adapter card. You can use the ping and arp -a utilities at a command prompt to get the physical address of a computer's network adapter card (ping the client first so that its address is in the local ARP cache).
- DHCP Options
>>DHCP Manager >>DHCP Options
Global Options -- apply to all DHCP scopes defined on the selected DHCP server and to all DHCP clients that lease an address from any of those scopes. Used when all clients on all subnets require the same configuration info; for example, all clients can be configured to use the same WINS server. Unless Scope or Client options are configured, Global options are always used.
Scope Options -- apply only to the specified DHCP scope and the clients that lease an address from that scope. Scope options override Global options.
Client Options -- apply only to a specific client that has a DHCP lease (a reservation). Client options override Scope and Global options.
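Worked example, added here and not part of the original notes: the option field of a DHCP message is where the lease, subnet mask, router, DNS and WINS settings above actually travel, as type-length-value records behind a fixed "magic cookie". The block encodes a constructed OFFER with those settings, decodes it with bounds checks so a malformed length fails cleanly instead of reading past the packet, and looks up a client reservation by the adapter address in the hyphen-free form DHCP Manager's Unique Identifier box expects. Option codes are the standard ones (RFC 2132); all addresses and the reservation table are constructed for the demo.

```python
# Added example (not part of the original notes): encoding and decoding the
# DHCP options field, plus the reservation lookup by adapter address. The
# option codes are the standard ones; the packet contents are constructed.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the options field
OPTION_NAMES = {1: "subnet mask", 3: "router", 6: "DNS servers", 44: "WINS/NBNS servers",
                46: "WINS/NBT node type", 51: "lease time", 53: "message type"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
NODE_TYPES = {1: "b-node", 2: "p-node", 4: "m-node", 8: "h-node"}


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def encode_options(options):
    """options is a list of (code, value_bytes); produces cookie + TLVs + end marker."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("bad option %r" % code)
        out += bytes([code, len(value)]) + value
    out += b"\xff"
    return bytes(out)


def decode_options(data):
    """Parse TLVs into {code: value}. Every length is checked against the
    buffer so a malformed packet raises instead of reading past its end."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    found, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == 0:                    # pad
            i += 1
            continue
        if code == 255:                  # end
            return found
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length %d overruns the packet" % (code, length))
        found[code] = value
        i += 2 + length
    raise ValueError("options field has no end marker")


def decode_or_none(data):
    try:
        return decode_options(data)
    except ValueError:
        return None


def describe(found):
    """Turn raw option values into the settings an administrator recognises."""
    out = {}
    for code, value in found.items():
        name = OPTION_NAMES.get(code, "option %d" % code)
        if code == 1:
            out[name] = ip_str(value)
        elif code in (3, 6, 44):         # lists of IPv4 addresses
            out[name] = [ip_str(value[j:j + 4]) for j in range(0, len(value), 4)]
        elif code == 46:
            out[name] = NODE_TYPES.get(value[0], "unknown")
        elif code == 51:
            out[name] = struct.unpack(">I", value)[0]
        elif code == 53:
            out[name] = MESSAGE_TYPES.get(value[0], "unknown")
        else:
            out[name] = value.hex()
    return out


def find_reservation(adapter_address, reservations):
    """Reservations are keyed by the adapter's physical address with the
    hyphens removed, exactly as the Unique Identifier box wants it."""
    key = adapter_address.replace("-", "").replace(":", "").upper()
    return reservations.get(key)


# a constructed OFFER carrying the parameters from the notes (lease = 3 days)
OFFER_OPTIONS = encode_options([
    (53, b"\x02"),
    (1, ip_bytes("255.255.0.0")),
    (3, ip_bytes("131.107.1.1")),
    (6, ip_bytes("131.107.2.200") + ip_bytes("131.107.2.201")),
    (44, ip_bytes("131.107.2.200")),
    (46, b"\x08"),
    (51, struct.pack(">I", 3 * 24 * 3600)),
])
```

Note that nothing in the exchange authenticates the server: a client accepts the first usable OFFER it hears, so a rogue DHCP server on the subnet can hand out its own router, DNS and WINS addresses. That is why these settings are worth verifying with ipconfig /all on a client after a change.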
- to view the addresses the DHCP server has assigned (leases, including reservations created with >>Add Reservations)
on the DHCP Server, >>DHCP Manager >>Scope >>Active Leases
- to force the client with the existing lease to give it up
on the client computer >>command prompt >>ipconfig /release
- to renew an IP lease
on the client computer >>command prompt >>ipconfig /renew
TCP/IP devices use IP address rather than the computer names to locate a computer on the internetwork.
What is a NetBIOS name -- NT computer names, assigned during setup, such as Server1, are NetBIOS names. A computer's NetBIOS name (sometimes also referred to as the NetBIOS computer name):
- is the computer name, such as Server1, assigned during installation
- is stored as an entry in the registry, and can be changed through >>Control Panel >>Network
- is the name specified in NT commands such as net use and net view
- can be determined by using nbtstat -n at a command prompt
- can be up to 15 characters in length. A 16th character designates the service or application that registered the name; this extra character is added by the service or application itself, not by the user
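Worked example, added here and not part of the original notes: the 15+1 byte layout of a NetBIOS name and the "first-level" encoding in which it appears on the wire (RFC 1001), which is what a packet capture of NetBIOS over TCP/IP shows instead of the readable name. The suffix table holds the standard values NT services register, as nbtstat -n displays them; the sample names are constructed.

```python
# Added example (not part of the original notes): NetBIOS name padding, the
# 16th-byte suffix, and the 32-letter first-level encoding used on the wire.
NETBIOS_NAME_LEN = 15

# 16th-byte suffixes registered by NT services (standard values)
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Elections (group)",
    0x20: "Server Service",
}


def is_valid_name(name):
    """True when the name fits the 15-character limit (the 16th byte is reserved)."""
    return 0 < len(name) <= NETBIOS_NAME_LEN


def pad_name(name, suffix):
    """Upper-case, space-pad to 15 bytes and append the one-byte suffix."""
    if not is_valid_name(name):
        raise ValueError("NetBIOS names are 1..15 characters: %r" % name)
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    return name.upper().encode("ascii").ljust(NETBIOS_NAME_LEN, b" ") + bytes([suffix])


def encode_first_level(name, suffix):
    """Each of the 16 bytes becomes two letters: high nibble + 'A', low nibble + 'A'."""
    out = []
    for byte in pad_name(name, suffix):
        out.append(chr((byte >> 4) + 0x41))
        out.append(chr((byte & 0x0F) + 0x41))
    return "".join(out)


def decode_first_level(encoded):
    """Inverse: 32 letters A..P back to (name, suffix). Padding may be spaces
    or NULs (the '*' wildcard name is NUL-padded)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:NETBIOS_NAME_LEN].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[NETBIOS_NAME_LEN]


def describe(name, suffix):
    """One nbtstat-style line: name, suffix in hex, and which service registered it."""
    return "%-15s <%02X> %s" % (name.upper(), suffix, SUFFIXES.get(suffix, "unknown"))
```

The encoding is reversible by anyone, so a name seen in a capture as a run of letters A..P is not hidden in any sense; decoding it tells you which host and which service (server, workstation, browser, domain controller) the packet concerns.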
What is NetBIOS name resolution -- In order to communicate on a TCP/IP-based network, hosts ultimately need each other's media access control (MAC) address, the hardware address burned into the network adapter card. Converting a computer name into an address that frames can be delivered to is known as name resolution.
Name resolution in a TCP/IP network is really a two-step process: computer name -> IP address (name resolution proper) -> hardware address (media access control address, found with ARP)
Microsoft TCP/IP can use any of the following methods to resolve computer names to IP addresses:
- NetBIOS name cache
- NetBIOS Name Server (NBNS), such as WINS
- DNS -- Domain Name System server, a server running the DNS service (daemon) that maintains a database of IP address/host name mappings. DNS is common in UNIX environments.
- Local broadcast
- LMHOSTS file -- a local text file that maps NetBIOS computer names to IP addresses
- HOSTS file -- a local text file that maps host names to IP addresses
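Worked example, added here and not part of the original notes: parsers for the LMHOSTS and HOSTS text formats, and a resolver that walks the order an NT host with a WINS server configured actually uses (cache, WINS, broadcast, LMHOSTS, HOSTS, DNS) and reports which step answered. The WINS server, the hosts answering broadcasts and DNS are stand-ins (plain dictionaries), and the file contents are constructed for the demo.

```python
# Added example (not part of the original notes): parse LMHOSTS and HOSTS and
# walk the h-node resolution order, recording which method answered. WINS,
# broadcast and DNS are stand-ins; the file contents are constructed.

def parse_lmhosts(text):
    """Return {NAME: (ip, preload, domain)} from LMHOSTS text.

    '#PRE' marks an entry that is preloaded into the name cache and '#DOM:x'
    tags a domain controller for domain x; any other '#' text is a comment.
    Lines that start with a directive such as #INCLUDE are skipped here.
    """
    entries = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        ip, name = tokens[0], tokens[1].upper()[:15]
        flags = [t.upper() for t in tokens[2:]]
        preload = "#PRE" in flags
        domain = next((f[5:] for f in flags if f.startswith("#DOM:")), None)
        entries[name] = (ip, preload, domain)
    return entries


def parse_hosts(text):
    """Return {hostname: ip}; one line may list several names for an address."""
    entries = {}
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        for name in tokens[1:]:
            entries[name.lower()] = tokens[0]
    return entries


class HNodeResolver:
    """Resolve a name in the order the notes describe, noting which step answered."""

    def __init__(self, lmhosts_text, hosts_text, wins=None, broadcast=None, dns=None):
        self.lmhosts = parse_lmhosts(lmhosts_text)
        self.hosts = parse_hosts(hosts_text)
        self.wins = wins or {}             # stand-in for the WINS server database
        self.broadcast = broadcast or {}   # stand-in for hosts answering on the local subnet
        self.dns = dns or {}               # stand-in for a DNS server
        # #PRE entries are loaded into the name cache at startup
        self.cache = {n: ip for n, (ip, pre, _) in self.lmhosts.items() if pre}

    def resolve(self, name):
        nb = name.upper()[:15]
        steps = [
            ("cache", lambda: self.cache.get(nb)),
            ("WINS", lambda: self.wins.get(nb)),
            ("broadcast", lambda: self.broadcast.get(nb)),
            ("LMHOSTS", lambda: self.lmhosts.get(nb, (None,))[0]),
            ("HOSTS", lambda: self.hosts.get(name.lower())),
            ("DNS", lambda: self.dns.get(name.lower())),
        ]
        for method, lookup in steps:
            ip = lookup()
            if ip:
                self.cache[nb] = ip        # successful answers are cached
                return ip, method
        return None, None


# constructed sample files
LMHOSTS_SAMPLE = """\
# constructed LMHOSTS for the demo
131.107.2.200   server1    #PRE   #DOM:corp
131.107.7.10    printsrv
#INCLUDE \\\\server1\\public\\lmhosts
"""
HOSTS_SAMPLE = """\
127.0.0.1       localhost
131.107.9.5     research.widgets.com  research   # UNIX host
"""
```

Two points the order makes visible: a #PRE entry sits in the cache and therefore wins over WINS and everything else, and both files are plain text under the system directory, so whoever can write them controls where names resolve on that machine.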
What is WINS -- a dynamic naming service that resolves NetBIOS computer names to IP addresses. Typically, DHCP automatically configures your computer for WINS.
A WINS client queries the WINS server directly (p-node, peer-to-peer, behaviour) rather than broadcasting.
Because the WINS database obtains NetBIOS name/IP address mappings dynamically as clients register, it is always current. If the WINS server is unavailable, the client falls back to b-node (broadcast) and sends the query as a broadcast message on the local subnet. A client that does both, WINS first and then broadcast, is an h-node (hybrid) client, which is the default for NT clients that have a WINS server configured.
- WINS Server Requirements (similar to the DHCP server)
- an NT Server computer (does NOT have to be a DC) with the WINS Server service installed
- a static IP address
- WINS Client Requirements
- Windows-based networking clients: WINS-enabled computers running NT 3.5 or later, Win95, WfW 3.11 running TCP/IP-32, MS Network Client 3.0 for MS-DOS with the real-mode TCP/IP, and LAN Manager 2.2c for MS-DOS can use WINS directly (LAN Manager 2.2c for OS/2 is not supported).
- the IP address of a WINS server
Note: Non-WINS computers that use broadcasts can use WINS through proxies. A WINS proxy is a WINS-enabled computer that listens for name-query broadcasts, forwards the request to the WINS server, and then responds on the server's behalf for names that are not on the local subnet.
WINS Server
To install the WINS Server service (NT Server only, but it does not have to be a DC)
>>Control Panel >>Network >>Services >>Add >>Windows Internet Name Service
To configure the WINS server's own WINS address (the server is also a WINS client)
>>Control Panel >>Network >>Protocols >>TCP/IP >>Properties >>WINS Address >>...
Use WINS Manager, which appears in Administrative Tools (Common) once the WINS service is installed, to obtain detailed info about WINS servers, view the mapping database, and add static mappings to the database.
WINS client -- can be configured either manually or in conjunction with DHCP
Manually -- >>Control Panel >>Network >>Protocols >>TCP/IP >>Properties >>WINS Address ...
In conjunction with DHCP -- use DHCP Manager to add and configure the following DHCP options:
>>Administrative Tools (Common) >>DHCP Manager >>Local Machine >>DHCP Options >>Scope... >>
DNS is a distributed database providing a hierarchical naming system for identifying hosts on the Internet.
DNS computer names consist of two parts: a host name and a domain name, which combine to form the fully qualified domain name (FQDN). For example, research.widgets.com is a FQDN where research is the host name and widgets.com is the domain name.
(Note: the term domain, when used in the context of DNS, is not related to the term domain used when discussing NT Directory Services. An Internet domain is a unique name that identifies an Internet site. )
FQDN rules
- Each node (except the root, which is unnamed, or empty) has a name of up to 63 characters.
- Each subdomain must have unique name within its parent domain.
- An optional period (.) that signifies the root can appear at the end of the name.
An example of FQDN: corp1.mrg.bigone.com.
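Worked example, added here and not part of the original notes: checking a name against the FQDN rules above, splitting it into host and domain parts, and converting it to and from the length-prefixed label form in which DNS carries names on the wire. The 255-octet limit on the whole name comes from the DNS standard (RFC 1035); the other rules are the ones in the notes, and the sample names are the notes' own.

```python
# Added example (not part of the original notes): FQDN validation, host/domain
# split, and DNS wire-format encoding and decoding of names.
MAX_LABEL = 63
MAX_NAME = 255


def labels_of(fqdn):
    """Split an FQDN into its labels, applying the rules above; raise on a violation."""
    if fqdn.endswith("."):
        fqdn = fqdn[:-1]                 # the optional trailing dot names the root
    if not fqdn:
        return []                        # the root itself is the empty name
    labels = fqdn.split(".")
    for label in labels:
        if not label:
            raise ValueError("empty label in %r" % fqdn)
        if len(label) > MAX_LABEL:
            raise ValueError("label longer than %d characters: %r" % (MAX_LABEL, label))
    if len(fqdn) > MAX_NAME:
        raise ValueError("name longer than %d characters" % MAX_NAME)
    return labels


def is_valid_fqdn(fqdn):
    try:
        labels_of(fqdn)
        return True
    except ValueError:
        return False


def split_host_domain(fqdn):
    """'research.widgets.com' -> ('research', 'widgets.com')."""
    labels = labels_of(fqdn)
    if not labels:
        raise ValueError("the root has no host part")
    return labels[0], ".".join(labels[1:])


def to_wire(fqdn):
    """Length byte + label, repeated, terminated by the zero-length root label."""
    out = bytearray()
    for label in labels_of(fqdn):
        raw = label.encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def from_wire(data, offset=0):
    """Inverse of to_wire; returns (fqdn with trailing dot, offset after the name).

    Every label length is checked against the buffer so a truncated or
    malformed message raises instead of reading past its end. Compression
    pointers (top two bits of the length set) are rejected rather than
    followed, to keep the example short.
    """
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past the end of the data")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        if length > MAX_LABEL or offset + length > len(data):
            raise ValueError("bad label length %d" % length)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset
```

The bounds checks in from_wire are the part worth copying: a DNS message is untrusted input from the network, and a label length that claims more bytes than remain is the classic way a careless parser reads out of bounds.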
What is DNS Server Service
is a name resolution service that resolve a FQDN to the IP address that is used by the internetwork.
Using DNS on an NT computer allows
- Access UNIX-based systems using friendly names.
(Note: unlike WINS, DNS is not native to NT; it is common on UNIX systems.)
- Connect to Internet systems using Internet naming conventions.
- Maintain a consistent hierarchical naming scheme across your organization.
The DNS name Space -- the DNS database is a tree structure called domain name space. Each domain (node in the tree structure) is named and can contain subdomains.
How are Root and Top-Level Domains managed -- The root and top-level domains (such as .com, .edu, .au, .cn) are managed by the InterNIC. The DNS name space below the top level is delegated to other organizations by the InterNIC. These organizations further subdivide the name space and delegate responsibility down the hierarchical tree structure. This decentralized administrative model allows DNS to be managed autonomously at the levels that make the most sense for each organization involved.
Zone -- is the administrative unit for DNS. It is a subtree of the DNS database that is administrated as a single separate entity. It can consist of a single domain or a domain with subdomains.
Comparison of DNS and WINS:
                 DNS                                          WINS
Resolves         Internet names (FQDNs) to IP addresses       NetBIOS computer names to IP addresses
Database         Static database of DNS computer name to      Dynamic database of NetBIOS computer
                 IP address mappings; must be updated         names and IP addresses; updated
                 manually                                     automatically
Installing
-- >>Control Panel >>Network >>Services >>Add >>Microsoft DNS Server
Configuring
-- >> Administrative Tools (Common) >>DNS Manager ...
NT Server, NT Workstation, Win95, and WfW 3.11 with MS TCP/IP-32 installed all include DNS resolver functionality. As with WINS configuration, there are two ways to configure an NT client to use the DNS Server service --
Manually -- Control Panel >>Network >>Protocols >> TCP/IP Properties >> DNS ...
In conjunction with DHCP -- >>Administrative Tools (Common) >>DHCP Manager >>Local Machine >>DHCP Options >>Scope >>add 006 DNS Servers, type in the IP addresses of the DNS servers.
Note: on the client side, to configure either WINS or DNS to work together with DHCP, you use DHCP Manager
Whenever a new host is added or an existing host is moved, the contents of a DNS zone change. Because the NT DNS Server is not dynamic, you must manually change the DNS database files if the zone is to reflect the new configuration.
The NT DNS Server Service can be configured to use WINS for host name resolution. With this, you can direct DNS to query WINS for the lowest level of a name in your zone (remember that a FQDN consists of a host name and a domain name; DNS answers the domain part from its zone and WINS supplies the host part). This integration creates a form of dynamic DNS that takes advantage of the best features of both DNS and WINS.
To configure DNS to use WINS to resolve the host name of a FQDN
-->>DNS Manager >>highlight the zone that should consult WINS for name resolution >>(right click) Properties >>WINS Lookup >>check "Use WINS Resolution" >>type in the WINS servers' IP addresses
NT uses the Computer Browser Service to display a list of currently available network resources.
The Computer Browser Service maintains a centralized list of available network resources. This list is kept on specially assigned computers that perform browsing services alongside their other normal services. This reduces the network traffic required to build and maintain a list of all shared resources on the network, and also frees the CPU time each computer would otherwise have to spend creating its own network resource list.
Browser Roles -- the responsibility of providing a list of resource servers (here server is defined as any computer that provides resources to the network) to clients is distributed among multiple computers on a network. The browser roles of these computers are known to the Browser Service as:
- Domain Master Browser -- the computer that collects and maintains the master list of available network resource servers, as well as the names of other domains and workgroups. It distributes this list to the master browser of each subnet in the NT domain.
There is only one Domain Master Browser in an NT domain, and it is the PDC.
- Master Browser -- the computer that collects and maintains the list of available network resource servers in its workgroup or subnet. It shares this list with the Domain Master Browser, receives info on other workgroups, subnets, and domains from the Domain Master Browser, and incorporates that info into its list of available resources. It distributes the browse list to the Backup Browsers.
There is only one Master Browser for each workgroup or subnet of an NT domain.
Backup Browser -- a computer that receives a copy of the browser list from the Master Browser, and distributes the list to the Browser Clients upon request.
Potential Browser -- a computer capable of becoming a browser (either backup or master) if instructed to do so by a Master Browser; But remember a Potential Browser is NOT a browser server at all.
Non-Browser -- a computer that has been configured so that it will not maintain a browser list.
Peer-to-peer networking computers are commonly non-browser despite their having resource server services.
In summary -- the resource server list is transferred in this order:
Domain Master Browser ->> Master Browser ->>Backup Browser ->>Browser Clients (Non-Browsers)
Note: a client first contacts the Master Browser for a list of backup browsers, then requests the resource list from one of the backup browsers.
Browser Election -- ensure one master browser exists in a workgroup or a subnet
When a client computer cannot locate a master browser, or when a backup browser attempts to update its network resource list and cannot locate the master browser, a new master browser must be selected. This selection process is called a browser election, which ensures that only one master browser exists per workgroup or segment (subnet) in a domain.
Election Packet and Browser Criteria
Network computers can initiate an election by broadcasting a special message called an election packet. All browsers process the election packet. The browser criteria are used to determine which computer should be the master browser. The criteria include, among other things, the operating system (NT Server > NT Workstation > Win95 > WfW), the operating system version (for example, NT 4.0 > NT 3.51 > NT 3.5), and the configured role in the browsing environment (browser > potential browser > non-browser).
The election process continues until a master browser is elected, based on the highest ranking criteria value.
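Worked example, added here and not part of the original notes: ranking a set of election packets with the three criteria the notes list (operating system, version, configured role) so that the highest-ranking computer becomes master browser, with non-browsers excluded from the contest. The packet layout is a plain dictionary, and the tie-breaker on uptime is an assumption for the demo; the real election packet carries additional criteria bits not covered here.

```python
# Added example (not part of the original notes): resolving a browser election
# from constructed election packets using the criteria in the notes.
OS_RANK = {"WfW": 0, "Win95": 1, "NT Workstation": 2, "NT Server": 3}
ROLE_RANK = {"non-browser": 0, "potential browser": 1, "browser": 2}


def criteria(packet):
    """Sortable tuple: a higher tuple wins. Unknown values rank lowest.

    Order of comparison: operating system, then version, then configured
    role, then (assumption for the demo) uptime in seconds as a tie-breaker.
    """
    version = tuple(int(part) for part in packet["version"].split("."))
    return (
        OS_RANK.get(packet["os"], -1),
        version,
        ROLE_RANK.get(packet["role"], -1),
        packet.get("uptime", 0),
    )


def run_election(packets):
    """Return the name of the winning computer, or None if nobody can be a browser.

    Non-browsers are excluded before ranking: they never take the role even
    when they are the only machines that answered.
    """
    candidates = [p for p in packets if p["role"] != "non-browser"]
    if not candidates:
        return None
    return max(candidates, key=criteria)["name"]


# constructed election packets heard on one subnet
PACKETS = [
    {"name": "WS-ACCT", "os": "NT Workstation", "version": "4.0", "role": "potential browser", "uptime": 900},
    {"name": "SRV-OLD", "os": "NT Server", "version": "3.51", "role": "browser", "uptime": 50000},
    {"name": "SRV-NEW", "os": "NT Server", "version": "4.0", "role": "browser", "uptime": 100},
    {"name": "PC-SALES", "os": "Win95", "version": "4.0", "role": "non-browser", "uptime": 99999},
]
```

Each computer fills in its own criteria in the packet it broadcasts, and every browser simply trusts those values, so the election goes to whichever machine on the segment advertises the highest ranking; clients then take the resource list from that machine and its backups.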
- IIS and PWS Networking Components
- Features of IIS and PWS
- IIS and PWS Comparison
- Installing IIS and PWS
- Configuring IIS and PWS
- MS Internet Explorer
- Securing Internet and Intranet Sites
-- how NT computers access and distribute resources over the Internet and a private intranet.
The Internet is a worldwide network of computers that communicate with one another over public telecommunications links. An intranet exists at a local level, internal to a company or organization, and consists of computers connected by LANs. Adding WWW, Gopher, and FTP services does not change the NT security model of an intranet site, but each service is a new path to the server's files, so the permissions on whatever it publishes still have to be reviewed.
The Internet and intranet communicate using common languages and protocols.
IIS and PWS (Peer Web Services), as two additional Internet and intranet components, provide NT computers with the ability to publish resources and services on the Internet and on private intranets. Use IIS and PWS for publishing hypertext Web pages and client/server applications, and for interactive Web applications.
IIS and PWS are network file and application servers that use HTTP, Gopher, and FTP to provide info over the Internet and an intranet.
IIS and PWS support the Internet Server application programming interface (ISAPI), ISAPI is used to create interfaces that can be used for client/server applications.
File Publication -- publishing existing files from NT and other file servers.
Network Management -- monitor and record network activity and provide clients with access to valuable network resources, such as HTML pages, shared files and printers, corporate databases, and legacy systems.
Security -- provide clients with secure access to Internet and intranet resources.
Support for common Internet standards -- enables development of Web applications using standards such as CGI and languages such as Perl.
MS Internet Explorer -- gives clients such as MS Windows 3.11, WfW, NT, Win9x, and Macintosh easy access to info on the Web.
Scalability -- enables Internet access on multiple platforms running on standard hardware, including single- and multiprocessor servers using Intel 486, Pentium, Pentium Pro, Digital Alpha AXP, PowerPC, and MIPS processors.
Support for MS BackOffice applications -- such as MS SQL Server and MS SNA Server. Provide businesses with the ability to deliver commercial solutions on the Web to customers.
                 IIS                                         PWS
Supported by     NT Server                                   NT Workstation
Designed to      support the heavy usage that occurs on      be a small-scale Web server for
                 the Internet                                exchanging info on an intranet
IIS must be installed on an NT Server with TCP/IP.
PWS must be installed on an NT Workstation with TCP/IP.
Changes can be made to a current IIS installation through the Internet Information Server Setup icon in the Microsoft Internet Server (Common) folder. Before adding or removing components, or reinstalling IIS, disable any previous versions of FTP, Gopher, or other Web services that may be installed on the NT Server.
Changes can be made to a current PWS installation through the Peer Web Services Setup icon in the Microsoft Peer Web Services (Common) folder. Before adding or removing components, or reinstalling PWS, disable any previous versions of FTP, Gopher, or other Web services that may be installed on the NT Workstation.
All of the Internet and intranet services can be configured and managed from one central point -- the MS Internet Service Manager (ISM).
ISM can be used to configure and monitor all of the internet services running on any NT computer in the network from one computer.
ISM is located in the MS Internet Server Tools (Common) on an NT Server computer, or in the MS Peer Web Services Tools (Common) folder on an NT Workstation computer.
Internet Explorer is a Web browser used to navigate and access, or browse, info on the web.
NT security is fully integrated with IIS and PWS. Both IIS and PWS can be configured to require a valid user account and encrypted authentication in order to access the site. You can allow anonymous access to your site through the Internet Guest account (or another account you designate), or require an NT user name and password. In addition, specific resources can be protected by granting NTFS permissions only to the appropriate users and groups.
By default, NT security protects computers from casual intrusion. It is still a good idea to configure your computer securely rather than relying on the defaults.
-- Allow Anonymous Access with the Internet Guest Account
When you allow anonymous connections to your WWW, Gopher, and FTP services, NT uses the user name and password configured for the service to make the anonymous connections. By default, the Internet Guest account, IUSR_computername, which is created during IIS or PWS installation, is used for anonymous connections.
Note: the Internet Guest account is added to the Guests group. Changes to the Guests group's user rights and resource permissions therefore also apply to the Internet Guest account. Review them and make sure they are appropriate for an account that every anonymous Internet user effectively logs on as.
If remote access is available only to the Internet Guest account, remote users do not provide a user name and password and have only the permissions assigned to the Internet Guest account. This prevents unauthorized users from gaining access to sensitive info with fraudulent or illegally obtained passwords: there is no password to steal, and nothing beyond the guest account's permissions to reach.
-- Require a User Name and Password
The WWW and FTP services can be configured to require a valid user name and password to access your site's Internet resources. There are two types of authentication: Basic and NT Challenge/Response.
Basic authentication does not encrypt transmissions between the client and server. The user name and password are sent in clear text over the network.
NT Challenge/Response authentication, supported by IE 2.0 or later, protects the password, thereby providing a secure logon over the network.
Note: the FTP service supports only Basic authentication, so your FTP site is more secure if you allow only anonymous connections.
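The difference between the two authentication types, as an added example for these notes (not code from the page, from IIS or from PWS): the Basic header is rebuilt and decoded to show that anyone who sees it on the network recovers the password, while a challenge/response exchange carries only a fresh nonce and a keyed digest. The challenge/response shown is a generic HMAC scheme standing in for NT Challenge/Response, not the NTLM algorithm itself; the user name and password are constructed sample values.

```python
"""Why Basic authentication exposes the password on the wire and a
challenge/response scheme does not.

Added illustration for these notes; not IIS/PWS code. The challenge/response
below is a generic HMAC construction, NOT the real NT Challenge/Response
(NTLM) algorithm. SAMPLE_USER / SAMPLE_PASSWORD are constructed values.
"""
import base64
import hashlib
import hmac
import secrets

SAMPLE_USER = "alice"        # constructed sample account
SAMPLE_PASSWORD = "s3cret!"  # constructed sample password


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic_credentials(header: str) -> tuple:
    """Anyone who sees the header (for example in a network capture) gets the
    password back: base64 is an encoding, not encryption."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- generic challenge/response exchange (stand-in for NT Challenge/Response) ---

def server_challenge() -> bytes:
    """Server sends a fresh random nonce; the password itself never crosses the wire."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client proves knowledge of the password by keying an HMAC with it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def server_verify(stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its own copy of the secret.
    A fresh challenge per logon means a captured response cannot be replayed."""
    expected = hmac.new(stored_password.encode(), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def wire_contains_password(scheme: str) -> bool:
    """True if the password can be read from what crosses the network."""
    if scheme == "basic":
        header = basic_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)
        _, password = recover_basic_credentials(header)
        return password == SAMPLE_PASSWORD
    if scheme == "challenge-response":
        challenge = server_challenge()
        response = client_response(SAMPLE_PASSWORD, challenge)
        on_wire = challenge + response  # only the nonce and the digest are sent
        return SAMPLE_PASSWORD.encode() in on_wire
    raise ValueError(f"unknown scheme: {scheme}")
```

The same property is what the note on FTP relies on: with only Basic authentication available, every FTP logon that is not anonymous puts a real account password on the network in recoverable form.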
-- Guidelines for Securing an Internet and Intranet Site
- No blank passwords
- Require a minimum password length
- Require users to change their passwords frequently
- Require users to use different passwords each time they are changed
- Lock out accounts after multiple failed logon attempts
- Require an administrator to unlock all locked accounts
- Require users with restricted hours to be automatically disconnected.
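An account-policy model that enforces the guidelines above, added here as an example for these notes (not code from NT's User Manager): no blank passwords, a minimum length, a password history, lockout after repeated failed logons, and unlocking reserved to an administrator. The policy values, account name and passwords are constructed samples.

```python
"""Account policy enforcement: blank/short passwords, password history,
lockout after repeated failures, administrator-only unlock.

Added illustration for these notes, not NT code. Policy values, the account
name and the passwords are constructed samples.
"""
import hmac
from dataclasses import dataclass, field
from typing import List


@dataclass
class Policy:
    min_length: int = 8          # "Require a minimum password length"
    history_size: int = 5        # previous passwords remembered and refused
    lockout_threshold: int = 3   # failed attempts before the account locks
    admin_unlock_only: bool = True


@dataclass
class Account:
    name: str
    password: str
    history: List[str] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def change_password(acct: Account, new_pw: str, policy: Policy) -> str:
    """Apply the password rules; returns 'ok' or a rejection reason."""
    if new_pw == "":
        return "rejected: blank password"
    if len(new_pw) < policy.min_length:
        return f"rejected: shorter than {policy.min_length} characters"
    if new_pw == acct.password or new_pw in acct.history:
        return "rejected: password reused"
    # Remember the old password so it cannot be reused for history_size changes.
    acct.history = (acct.history + [acct.password])[-policy.history_size:]
    acct.password = new_pw
    return "ok"


def logon(acct: Account, pw: str, policy: Policy) -> str:
    """One logon attempt; counts failures and locks the account at the threshold."""
    if acct.locked:
        return "denied: account locked"
    if not hmac.compare_digest(pw.encode(), acct.password.encode()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.lockout_threshold:
            acct.locked = True
            return "denied: account locked after repeated failures"
        return "denied: bad password"
    acct.failed_attempts = 0   # a successful logon resets the counter
    return "ok"


def unlock(acct: Account, by_administrator: bool, policy: Policy) -> bool:
    """Unlock only succeeds for an administrator when the policy says so."""
    if policy.admin_unlock_only and not by_administrator:
        return False
    acct.locked = False
    acct.failed_attempts = 0
    return True
```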
- NWLink
- Client Service for NetWare (CSNW)
- Gateway Services for NetWare (GSNW)
- Changing Password on a NetWare Server from NT Computer
- Issues related to direct connecting to NetWare Server
- Exam Specific Notes on Using GSNW
- FPNW -- File and Print Services for NetWare
- Remote Administration of Novell Networks
- Directory Service Manager for NetWare (DSMN)
- Migration Tool for Netware
- Interoperability with Novell NetWare
- Tips on Interoperability with NetWare
- Overview of NetWare Compatibility Features -- Summary
Included software
Migration Tool for NetWare -- included with NT Server
Add-on Utilities
NWLink IPX/SPX Compatible Transport (or NWLink in short) is a native 32-bit NT implementation of IPX/SPX and supports application servers in a NetWare environment (remember that Novell NetWare uses IPX/SPX as its primary network protocol).
NWLink allows NT computers to communicate with other NT computers, as well as with NetWare servers. Two networking application programming interfaces (APIs) are supported to allow these communications -- Windows Sockets and NetBIOS.
NWLink enables NT-based computers to connect to client/server applications running on a NetWare server. But,
by itself, NWLink does NOT provide access to NetWare file and print resources. (What NWLink allows is access to NetWare application servers only.)
CSNW -- included with NT Workstation, enables NT Workstation computers to make direct connections to file and print resources on NetWare servers (NetWare 2.x or later).
NT computers with CSNW and NWLink installed support:
- NetWare Core Protocol (NCP) -- provides access to file and print services on a NetWare server.
- Large Internet Protocol (LIP) -- determines and uses the largest allowable frame size when communicating with a server across a router.
- Long file names (LFNs) -- can be used when the NetWare server is running OS/2 Name Space.
CSNW (and GSNW) supports NetWare 4.x servers running either NetWare Directory Services (NDS) or bindery emulation (version 3.x), and login scripts.
NDS organizes shared objects on participating NetWare servers into a hierarchical tree. Thus installing CSNW on an NT computer gives NT clients the ability to browse resources, use authentication, and use printing services on NDS hierarchies.
NetWare bindery, which is Novell's equivalent of NT directory database, is where user accounts and privileges are stored.
Installing and Configuring CSNW
Note: before installing CSNW or GSNW, use >>Control Panel >>Network >>Services to remove any existing NetWare redirector, such as NetWare Service for NT from Novell, then restart the computer.
Install CSNW ->>Control Panel >>Network >>Services >>Add >>Gateway (and Client Service) for NetWare (Note: this is the same as installing GSNW) >> ... ... >>Restart the computer; a new icon "CSNW" appears in the Control Panel
Configure CSNW ->> Control Panel >>CSNW >>...
Note: When configuring CSNW, if the NetWare network uses NDS, you should have a Default Tree and Context instead of a Preferred Server
NetWare Directory Services (NDS) -- On networks running Novell NetWare 4.0, NDS is a distributed database that maintains information about every resource on the network and provides access to these resources.
GSNW enables computers running NT Server and using NWLink as a transport protocol to access files and printers at NetWare servers.
In addition, you can use GSNW to create gateways to NetWare resources, to enable computers running only MS network client (such as NT Workstation, Win95, WfW) to access NetWare resources through the gateway.
How a Gateway Works
GSNW acts as a bridge between the server message block (SMB) protocol used by the NT network and the NetWare core protocol (NCP) used by the NetWare network. When a gateway is enabled, network clients running Microsoft client software can access NetWare files and printers without having to run NetWare client software locally.
A File Gateway Example: an NT Server running GSNW connects to a NetWare file server's directory and then shares it, just as if the directory were on the NT server. MS network clients can then access the directory on the NetWare server by connecting to the share created on the NT server.
Note:
GSNW is available only on NT Server. When GSNW is installed, CSNW is also installed automatically.
GSNW is designed to provide Windows clients with occasional access to a NetWare network. It is not designed to allow an NT Server to be a user-intensive, high-performance gateway.
Note: Because requests from MS networking clients are being processed through the gateway, access is slower than direct access from the client to the NetWare network. Clients that require frequent access to NetWare resources should run NT Workstation with the CSNW or Windows 95 with its NetWare client software, to achieve higher performance.
GSNW can also serve as a migration path from NetWare to NT.
Like CSNW, GSNW also supports NetWare Directory Services, and the bindery-based 3.x versions.
Note: NT Server and NT Workstation (version 4.0) support connections to NDS, but they do NOT support administration of NDS trees.
To install GSNW ->>Control Panel >>Network >>Services >>Add >>Gateway (and Client) Services for NetWare >>Add >> ... (exactly the same as installing CSNW on an NT Workstation) >>Restart the computer; a new icon "GSNW" appears in the Control Panel
Note: Before installing the Gateway Service, remove any existing third-party network service or client software, including Novell NetWare client software.
You must be logged on as a member of the Administrators group to install and configure the Gateway Service.
>>Control Panel >>GSNW >> ...
- To enable the gateway -- to share NetWare file and print resources, volumes and directories, and to set permissions for the gateway -->>GSNW >>Gateway... >>check Enable Gateway >>type in the Gateway Account name and Password
You can now share NetWare file and printing resources over the Microsoft network.
Use Permissions to set permissions that control user access to a gateway. The default permission for a gateway is Full Control for Everyone.
Notes: The gateway account must be a member of the NetWare NTGATEWAY group on all NetWare servers for which this server will act as a gateway. Access to NetWare is subject to trustee rights for both the gateway user account and the NTGATEWAY group.
NTGATEWAY -- A group on NetWare servers. Accounts used to create a gateway must belong to this group.
- To create a gateway share (i.e. to activate a gateway to a NetWare file resource)-- that the MS client users will use to connect to the shared directory -- use GSNW in the Control Panel
>>Control Panel >>GSNW >>Gateway >>Add >>type in Share Name, Network Path, and choose Use Drive
(Once you have specified a gateway account and password and clicked Add, the New Share dialog box appears.) Requirements for creating a gateway share / activating a gateway to a NetWare file resource:
- both the currently logged on user and the gateway account must have access to the NetWare resources.
- the gateway account must be in the NTGATEWAY group on the NetWare Server
- the current user must have the right to create a share on the local computer.
The share name can be as many as 12 characters, but for MS-DOS-based workstations to connect, the share name cannot exceed 8 characters.
- To create and activate a gateway to a NetWare print queue -- use Add Printer Wizard
>>Start >>Settings >>Printers >>Add Printer >>(Add Printer Wizard) Network printer server >>Next >>In Shared Printers, click the printer you want >>OK (if necessary, double-click NDS tree names and NetWare server names to find the printer) -->
>>In the Printers folder ->>File >>Properties >>Sharing >>Shared >>type a share name for the printer in Share Name >>OK.
Notes:
Before creating a gateway to a NetWare printer, you must enable gateways on the server.
The user account specified as the gateway user (in >>Control Panel >>GSNW) must exist on the NetWare server where the printer resides and must be a member of the NTGATEWAY group on that server.
You can set permissions for the gateway by double-clicking that printer in the Printers folder and then clicking the Security tab.
GSNW installation requirements (on the NetWare network!)
For an NT Server to act as a gateway to resources on a NetWare server, the following steps must be taken on the NetWare network:
- A user account must be set up on the NetWare server, with the same name and password that the user will use to log on to the NT Server computer. (! this NetWare user account will be used when configuring GSNW gateway as the "Gateway Account" )
- The user account set up on the NetWare server must have the necessary permissions assigned for the resources that are to be accessed.
- On the NetWare server, a group account named NTGATEWAY must be created and must include the user account from step 1.
Note: The NetWare user account you use to enable gateways can be either an NDS account or a bindery account. If the server will have gateways to both NDS resources and resources on servers running bindery security, the user account must be a bindery account. (This account can connect to NDS resources through bindery emulation). If you create gateways only to NDS resources, the account can be an NDS account.
Creating a gateway is a two-step process: enable and activate
1. First you enable gateways on the NT Server. When you enable a gateway, you must type the name and password of the user account that has access to the NetWare server and is a member of the NTGATEWAY group on that NetWare server.
You need to do this only once for each server that will act as a gateway.
2. For each volume or print queue to which you want to create a gateway, you activate a gateway. When you activate a gateway, you specify the NetWare resource and a share name that Microsoft client users will use to connect to the resource.
- To activate a gateway for a volume (file resources), use the GSNW icon in Control Panel.
- To activate a gateway for a print queue, use the Add Printers wizard.
If you are activating a gateway to an NDS resource, and the gateway user account is a bindery user account, you should specify the resource using the bindery context name.
If you are using an NDS user account, and you do not plan on also creating gateways to bindery resources, then you can specify the NDS resource name.
Security for gateway resources is provided on two levels:
On the NT Server that is acting as a gateway, you can set share-level permissions for each resource made available through the gateway.
On the NetWare file server, the NetWare administrator can assign trustee rights to the user account used for the gateway or to the NTGATEWAY group. These rights are enforced for all Microsoft client users who access the resource through the gateway. There is no auditing of gateway access.
RAS clients can also use GSNW to access NetWare servers. NT Server with GSNW enables remote users to have reliable and secure access to a NetWare LAN.
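A model of the two permission layers on a gateway share, added as an example for these notes (not GSNW code): the NT share permission of the MS client user is intersected with the NetWare trustee rights held by the gateway account (plus the NTGATEWAY group), and NetWare only ever sees the gateway account, which is why gateway access cannot be audited per user. It also flags the default Everyone/Full Control share permission mentioned earlier. Share names, volume paths, accounts and the simplified right names are constructed samples.

```python
"""Effective access through a GSNW gateway share: NT share permission of the
client user AND NetWare trustee rights of the gateway account.

Added illustration for these notes, not GSNW code. Rights are reduced to a
few names; all share names, paths, accounts and ACLs are constructed samples.
"""
from typing import Dict, Iterable, Set

FULL_CONTROL: Set[str] = {"read", "write", "delete", "change_permissions"}

# NT share-level permissions, set on the NT Server for each gateway share.
SHARE_PERMS: Dict[str, Dict[str, Set[str]]] = {
    "\\\\NTSRV1\\NWDATA": {"Everyone": {"read"},
                           "Finance": {"read", "write", "delete"}},
    # Left at the default GSNW grants: Full Control for Everyone.
    "\\\\NTSRV1\\NWPUBLIC": {"Everyone": set(FULL_CONTROL)},
}

# Which NetWare resource each share is a gateway to.
GATEWAY_MAP = {"\\\\NTSRV1\\NWDATA": "SYS:DATA",
               "\\\\NTSRV1\\NWPUBLIC": "SYS:PUBLIC"}

# The NetWare account the NT Server uses for every gateway request.
GATEWAY_ACCOUNT = "ntgw"

# Trustee rights assigned by the NetWare administrator.
NETWARE_TRUSTEE_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "SYS:DATA": {"ntgw": {"read", "write"}, "NTGATEWAY": {"read"}},
    "SYS:PUBLIC": {"NTGATEWAY": {"read"}},
}


def share_rights(share: str, user_groups: Iterable[str]) -> Set[str]:
    """Union of the share permissions granted to the groups the user is in."""
    rights: Set[str] = set()
    for group in user_groups:
        rights |= SHARE_PERMS.get(share, {}).get(group, set())
    return rights


def netware_rights(volume_path: str) -> Set[str]:
    """What the gateway account can do on the NetWare side: its own trustee
    rights plus those of the NTGATEWAY group it must belong to."""
    trustees = NETWARE_TRUSTEE_RIGHTS.get(volume_path, {})
    return trustees.get(GATEWAY_ACCOUNT, set()) | trustees.get("NTGATEWAY", set())


def effective_access(user: str, user_groups: Iterable[str], share: str) -> Set[str]:
    """A client user gets only what BOTH layers allow: the NT share ACL for
    the user, intersected with the NetWare rights of the gateway account."""
    return share_rights(share, user_groups) & netware_rights(GATEWAY_MAP[share])


def identity_seen_by_netware(user: str, share: str) -> str:
    """Every MS client request reaches NetWare as the gateway account, so the
    NetWare server cannot tell gateway users apart or audit them individually."""
    return GATEWAY_ACCOUNT


def share_is_wide_open(share: str) -> bool:
    """True when the share still carries the default Everyone/Full Control
    permission, leaving the NetWare trustee rights as the only limit."""
    return SHARE_PERMS.get(share, {}).get("Everyone", set()) >= FULL_CONTROL
```

Two things worth noticing when running it: a Finance member holding "delete" on the share still cannot delete, because the gateway account lacks that trustee right, and an Everyone-only user is limited to "read" even though the gateway account could write. Tightening either layer narrows access for every user behind the gateway at once.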
Users who use either GSNW or CSNW to directly access NetWare resources can change their passwords on NDS trees and NetWare bindery servers on the network. To do this, use the standard NT Server password changing procedure:
CTRL+ALT+DEL >>Change Password >>Domain >>choose NetWare or Compatible Network...
Notes: Your password is changed on all NDS trees to which you are currently connected. If the old password you specify does not match your current password on any of those trees, you are prompted to supply the old password for those trees.
>>Command Prompt >>change to the drive for the NetWare server >> type cd \public >>type setpass followed by the name of the NetWare server on which you want to change your password >> ...
Notes: To change your password on more than one NetWare bindery server, connect to all the servers before running setpass.
Summary on changing passwords: on an NT computer running CSNW or GSNW, Ctrl+Alt+Del changes passwords on NDS trees, and setpass changes passwords on NetWare bindery servers.
If the NT computer also runs Directory Service Manager for NetWare, Ctrl+Alt+Del changes the password for all servers in the NT Server domain (in this case, one password for all of the servers, whether NetWare Server or NT Server).
-- Direct access to NetWare resources (as opposed to using gateway services)
In addition to providing gateway technology, GSNW enables users working locally at the server to access NetWare resources directly, just as CSNW provides this service to NT Workstation users.
When a user running either GSNW or CSNW to directly access NetWare resources first makes a connection to a particular NetWare server, the user's logon script (if any) runs.
Users who connect to NetWare resources through a gateway do NOT have a logon script run, however.
With NT Server and GSNW, you can run many standard NetWare utilities from the command prompt. For some administrative functions, you must use NT Server management tools. In addition, GSNW supports many NetWare-aware applications.
Q1: How to install and configure GSNW?
1. Install GSNW on an NT Server, and create a group called NTGATEWAY on the NetWare server. (What this question is really asking is where Gateway Services for NetWare is installed and where the group called NTGATEWAY is created.)
2. Create a group called NTGATEWAY on the NetWare server, assign permissions to this group, and add any user accounts that need access to the NetWare server to this group.
(What these questions are probing is on which server each item is created.) NOT: Create a group called NTGATEWAY on the NetWare server, create a local group with the same name on the NT server, assign permissions to this group on the NetWare server, and add any user accounts that need access to the NetWare server to the NTGATEWAY groups on both machines.
Q2: After enabling an NT gateway to a NetWare resource, what else must you do to activate the gateway?
Choice c is correct.
Q3. The two steps of creating a gateway to a NetWare resource are enabling and activating.
Part 1 --
Part 2 -- (through the Control Panel GSNW applet -- the only place to manage the NetWare shares and permissions)
FPNW allows NetWare clients to access resources on NT Server computers. (CSNW and GSNW allow NT computers to access NetWare servers.)
In other words, FPNW enables an NT Server to function as a NetWare 3.12-compatible file and print server --to the NetWare clients, the server appears just like any other NetWare server. NetWare clients can access volumes, files, printers and application services on the NT server. No change or additions to the NetWare client software are necessary.
Novell NetWare servers cannot be administered directly; instead, a NetWare client acts as the system console and controls the administration of the NetWare server.
Syscon - System Console, primary admin tool used to setup user accounts, define policies, grant user access permissions to NetWare network
RConsole - provides remote view of NetWare system console. Console functions can be performed on remote console
PConsole - provides the administrator with tools necessary to manage print servers.
An NT computer with CSNW or GSNW enabled can also act as a system console to administer NetWare servers. Multiple sessions of NetWare administration tools can be run on a single NT client -- this allows an administrator to monitor all of the NetWare servers from one system console (NT Server and Workstation only; not possible in other MS operating systems, such as MS-DOS).
Note: For a NetWare client to access and administer an NT server, FPNW must be installed on that NT server computer. ( ! This means a NetWare client can also administer an NT server, when FPNW is installed on the NT server computer.)
DSMN extends NT Server directory service feature to NetWare servers. DSMN allows a single network login for NetWare clients by synchronizing accounts across all NetWare servers.
It provides the ability to have one user account and password across a domain running NT and NetWare servers. Therefore, with DSMN, you can centrally manage a mixed environment of NT and NetWare 2.x, 3.x, and 4.x (in bindery emulation mode) servers with NT Directory Services.
Tasks that DSMN can accomplish -- the benefits of DSMN
You can manage NetWare User and Group accounts from a central location (from NT Server). Accounts are copied to domain's directory database on PDC. These NetWare accounts become NT Server accounts and comply with account policy of NT Server domain.
You can merge account names from multiple NetWare servers into one account name
You can specify which NT Server accounts (user and group, which are created on the PDC) to copy back to NetWare servers. This ensures that changes made to domain accounts are synchronized with NetWare server.
Note: With DSMN, sharing account info is accomplished without having to install additional software on NetWare servers.
The NT Server Migration Tool for NetWare enables you to migrate NetWare servers to computers running NT Server. The Migration Tool transfers user and group accounts, volumes, folders, and files. In addition, if the server you are migrating to runs FPNW, you can transfer users' logon scripts.
The Migration Tool enables you to
- Preserve most user account info, incl. NetWare-specific info such as login and station restrictions.
- Preserve effective rights (the NetWare equivalent of permissions) on folders (directories) and files.
- Preserve/transfer login script with user account, if the NT server (a DC) you are migrating to runs FPNW.
- Control the transfer of user and group names.
- Control the transfer of account restrictions and administrative rights.
- Set passwords for transferred accounts.
- Select the folders and files to transfer.
- Select a destination for transferred folders and files.
- Generate comprehensive log files, detailing what happened during migration.
- Perform trial migrations, to test how current settings will actually transfer information.
Migration Tool for NetWare --Software Requirements
The Migration Tool can be used to migrate info only to computers that run NT Server and function as PDC or BDC (i.e. a domain controller).
You can run the Migration Tool from the server to which you are migrating, or remotely from another computer running NT Server or NT Workstation. To copy the Migration Tool to a workstation, copy nwconv.exe -- which is the one that launches the Migration Tool -- and the related files when necessary -- nwconv.hlp, logview.exe, and logview.hlp -- from a server's systemroot\SYSTEM32 folder.
Both NWLink and GSNW must be installed on the server used to run the Migration Tool and on servers being migrated to. (when the Migration Tool running remotely on an NT Server)
It is best to migrate to servers that have the NTFS installed. Only files and folders transferred to NTFS can preserve permissions (trustee rights) from the NetWare server.
If you want to transfer users logon scripts, FPNW must run on the DC you are migrating to.
Note: the Migration Tool can be run locally, or remotely on an NT Server or even an NT Workstation, but the computer that you are migrating to must be a Domain Controller.
! You always need NWLink on NT and IPX on NetWare
Platform | Running | Allows | Is Able to Connect to
NetWare Client | IPX with NetBIOS, Named Pipes, or Windows Sockets support | Client/Server (distributed) applications | Client/Server (distributed) applications running IPX, such as SQL Server on NT computers running NWLink.
NetWare Client | IPX | (Note: What GSNW is to MS Network clients, FPNW is to native NetWare clients. Note: For NetWare clients to administer NT Server remotely, FPNW must be installed on that NT server.) | NT Server, with NWLink and FPNW Service installed, for file and print services.
NT computer | NWLink | - Client/Server (distributed) applications | Client/Server (distributed) applications on a NetWare server running IPX.
NT Workstation | NWLink and CSNW | - Client/Server (distributed) applications - Browsing of resources on NetWare servers (looks the same as the MS Network) - Using the authentication on NetWare servers - Using print services on NetWare servers | NetWare Servers 2.x or later, for file and print services.
NT Server | NWLink and GSNW | - NT Server gains all the benefits of using NWLink and CSNW - NT Server is still acting as a client to the NetWare Server - BASICALLY, PROVIDES the "NWLink" and "CSNW" for its clients | NetWare Servers 2.x or later, for file and print services.
Tips on Interoperability with NetWare
NWLink can be thought of as the same language as NetWare's IPX -- NWLink is the only language NT uses to communicate with NetWare's IPX. Whatever service is used for interoperating between NT and NetWare, NWLink (on the NT computer) and IPX (on NetWare) are ALWAYS needed -- this is simply because if there is no communication, nothing can be done.
NWLink or IPX alone only enables its owner to access applications on the other side. To access file and printer resources (no matter who is the client -- NT or NetWare), besides NWLink on the NT side, you also need some other service:
All the interoperating services (CSNW/GSNW, FPNW, Migration Tool) are installed on the NT side. Absolutely nothing needs to be done on the NetWare side.
NT Server and NT Workstation provide several features and services that enable NT computers to coexist and interoperate with Novell NetWare networks and servers. Some of these services are included in NT Server and NT Workstation; others are available as separate products.
The NetWare Link IPX/SPX Compatible Transport (NWLink) is the NT implementation of the IPX/SPX protocol. NWLink supports connectivity between computers running NT and computers running NetWare and compatible systems. NWLink can also be used as a protocol connecting multiple NT computers. NWLink is included with both NT Server and NT Workstation.
CSNW, included with NT Workstation, enables workstations to make direct connections to file and printer resources at NetWare servers running NetWare 2.x or later. CSNW supports NetWare 4.x servers running either Novell Directory Services (NDS) or bindery emulation. Login script support is also included.
GSNW, included with NT Server, enables: 1. a computer running NT Server to connect to NetWare servers, just as CSNW enables workstations to connect to NetWare servers. 2. Creating a gateway to NetWare resources, which enables computers running only Microsoft client software to access NetWare resources through the gateway (no changes or addition to these MS clients are necessary).
Migration Tool for NetWare, included with NT Server, enables you to easily transfer user and group accounts, volumes, folders, and files from a NetWare server to a computer running NT Server. If the server you are migrating to runs File and Print Services for NetWare, you can also migrate users' logon scripts.
FPNW is a separate product. It enables an NT Server computer to provide file and print services directly to NetWare and compatible client computers. The server appears just like any other NetWare server to the NetWare clients, and the clients can access volumes, files, and printers at the server. No changes or additions to the NetWare client software are necessary.
Directory Service Manager for NetWare, also available separately, extends NT Server directory service features to NetWare servers. It enables you to add NetWare servers to NT Server domains and to manage a single set of user and group accounts that are valid at multiple servers running either NT Server or NetWare. Users then have just one user account, with one password, to gain access to these servers.
Chapter 12 Implementing Remote Access Service (RAS)
Purpose of RAS and Dial-Up Networking
- WAN Connectivity
- Protocols supported by RAS
- PPP Multilink Protocol (MP)
- Point-to-Point Tunneling Protocol (PPTP)
- Gateways and Routers -- RAS can act as gateway or router in several situations
- RAS Security Features
- The phonebook feature of Dial-Up Networking
- Telephony API
Installing and Configuring RAS
- Configuring a RAS Server (re-configure RAS after installing RAS)
- Installing and Configuring Dial-Up Networking
Test the RAS Installation and Configuration
With RAS, users in remote sites can use the network as if their computers were directly connected to the network. RAS on the client side is called Dial-Up Networking.
You administer NT Remote Access servers and set permissions for RAS users using Remote Access Admin. User Manager for Domains can also be used to set permissions for RAS users.
You can use RAS phone book to maintain the telephone numbers of remote networks, and to connect to and disconnect from these remote networks.
NT Server RAS permits up to 256 remote clients to dial in. NT Workstation RAS supports only one dial-up connection.
The RAS server can be configured to provide access to an entire network or restrict access to resources on the RAS server only.
The RAS server acts as a gateway between the remote client and the network. RAS enables incoming connections from remote clients that are using Dial-Up Networking or other Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) dial-up software.
Using RAS and Dial-Up Networking, a business can extend its networks over the Public Switched Telephone Network (PSTN), Integrated Services Digital Network (ISDN), X.25, and the Internet.
Because RAS supports WAN connections, protocols, and NT security features, remote clients can use the network as if they were directly connected to it.
Remote clients can connect directly to a RAS server through --
PSTN -- NT RAS uses a standard modem connection over the PSTN.
ISDN -- much faster (>64 kbps) than PSTN. ISDN adapters and lines must be installed in both the NT RAS server and the remote client.
X.25 network -- X.25 transmits data with packet-switching protocol. Depending on the operating systems involved, RAS provides access to X.25 in one of the two ways:
PADs (Asynchronous Packet Assemblers/Disassemblers) -- for clients using Win95 or NT operating systems
X.25 smart card (direct connection) -- both the RAS server and the client must be running NT. An X.25 smart card, a hardware device with a PAD embedded in it, acts like a modem.
TCP/IP network using PPTP -- A Dial-Up Networking client that has a PPTP driver as its WAN driver can connect to an NT RAS server using the Internet by either connecting directly to the Internet or calling an ISP.
If a direct connection to the Internet is required, the client must have a PPTP driver, and the RAS server must have a PPTP-enabled adapter.
- If an ISP provides the connection, and the ISP's POP supports PPTP, then PPTP is not required on the client. The client establishes a connection to the ISP and calls the NT RAS server to establish the PPTP tunnel.
(POP -- Point of Presence, a physical site where an ISP has equipment for users to get access to the Internet; this is typically done by dialing in over a modem and telephone line.)
According to their functions, protocols supported by RAS can be grouped as LAN and WAN protocols:
LAN protocols -- RAS supports TCP/IP, IPX/SPX, NWLink, NetBEUI, thus, RAS can be integrated into existing MS, UNIX, or NetWare networks using the PPP remote access standard. NT RAS clients can also connect to existing SLIP-based remote access servers (primarily UNIX servers).
When you install and configure RAS, any protocols already installed on the computer (such as NetBEUI, TCP/IP, and IPX) are automatically enabled for RAS.
WAN protocols (remote access protocols) -- such as PPP, SLIP, and the MS RAS protocol
RAS connections can be established through SLIP or PPP.
SLIP -- Serial Line Internet Protocol - primary function is to dial in to Unix Server.
- SLIP is supported by NT Dial-Up Networking and give NT clients easier access to Internet services
Note: an NT RAS Server cannot be used as a SLIP server, because it does not have a SLIP server component.
- supports only the TCP/IP protocol - no support for NetBEUI or IPX/SPX.
- a SLIP server cannot utilize DHCP or WINS; the client must have a statically assigned IP address.
- no support for encrypted passwords - transmits authentication passwords as clear text.
- *requires less system overhead than PPP.
PPP -- Point-To-Point Protocol
- supported by both NT client and server -- this enables NT computers to dial in to remote networks through any server that complies with the PPP standard.
- supports TCP/IP, IPX/SPX, NetBEUI, OSI (Open Systems Interconnection), AppleTalk, and DECnet.
- RAS clients that have the IPX interface and CSNW can access NetWare servers.
- RAS clients that do not have CSNW can still access a NetWare server if GSNW is installed on a RAS server. In this case, IPX is also not required.
- RAS Setup automatically binds to NetBEUI, TCP/IP, and IPX if they are already installed on the computer.
Microsoft RAS protocol -- a proprietary remote access protocol supporting the NetBIOS standard.
It is supported in all previous versions of MS RAS, and is used in NT 3.1, WfW, MS-DOS, and LAN Manager client. A RAS client dialing in to an older version of Windows (e.g. NT 3.1, WfW) must use the NetBEUI protocol. The RAS server then acts as a "gateway" for the remote client, providing access to servers that use the NetBEUI, TCP/IP, or IPX protocols.
The PPP Multilink Protocol provides the means to increase data transmission rates by combining multiple physical links into a logical bundle to increase bandwidth. With PPP MP, it is possible to combine analog modem paths, ISDN paths, and even mixed analog and digital communications links on both client and server computers. For example, a client with two 28.8 kbps modems and two PSTN lines can use MP to establish a single 57.6 kbps connection to an MP server.
Both the Dial-Up Networking client and RAS server need to have MP enabled for this protocol to be used.
PPTP is a technology that supports multiprotocol virtual private networks (VPNs).
PPTP provides a way to route IP, IPX, or NetBEUI PPP packets over a TCP/IP network. Because PPTP allows multiprotocol encapsulation, any of these packets can be sent over the TCP/IP network.
PPTP Advantages
Comparing PPTP to other WAN protocols
NetBIOS Gateway -- RAS includes a NetBIOS gateway that enables remote clients to access NetBIOS resources, such as file and print services, on a network. This enables clients running NetBIOS to access remote servers regardless of which protocol is installed on the remote server. The NetBIOS gateway does this by translating the NetBIOS packets into IPX or TCP/IP formats that can be understood by the remote servers.
IP and IPX Routers -- RAS servers that have IP and IPX installed can:
RAS implements several security measures to validate remote client access to a network:
To connect to a RAS server, clients must have a valid NT user account as well as RAS dial-in permission. Clients are first authenticated by RAS before they can log on to NT.
It is possible to configure RAS and Dial-Up Networking so that ALL data that passes between a client and server is encrypted.
Auditing -- With auditing enabled, RAS generates audit info on all remote connections, including the authentication and logon processes.
Intermediary Security Hosts -- a third-party intermediary security host between RAS clients and the RAS server(s) can be added.
Callback Security -- RAS server can be configured to provide callback as a means of increasing security. With callback enabled, the RAS server receives the client call, disconnects the connection, then calls the client back either at a preset telephone number or at a number provided during the initial call. This guarantees the connection to the local network was made from a trusted site.
(Why use PPTP Filtering? -- When using PPTP, the RAS server must have a direct connection to both the Internet and a company's corporate network. This could pose a security risk because the corporate network could be accessed through the RAS server. )
To enable PPTP filtering >>Control Panel >>Network >>Protocols >>TCP/IP Protocols >>Properties >>IP Address >>Advanced >>select Enable PPTP Filtering
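The following is an added example (not part of the original notes) that models what the Enable PPTP Filtering option does on the Internet-facing adapter: only the PPTP control connection (TCP port 1723) and the GRE tunnel (IP protocol 47) are accepted, and everything else is dropped, which is why the corporate network behind the RAS server is no longer reachable through ordinary traffic. The port and protocol numbers are the standard PPTP values; the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

PPTP_CONTROL_PORT = 1723   # TCP port of the PPTP control connection
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_GRE = 47           # GRE carries the tunnelled PPP frames


@dataclass(frozen=True)
class Packet:
    proto: int                      # IP protocol number
    dst_port: Optional[int] = None  # TCP destination port, if any


def pptp_filter(packet: Packet, filtering_enabled: bool) -> bool:
    """Return True if the Internet-facing adapter should accept the packet.

    Models the NT 4.0 PPTP Filtering behaviour: with the option off, the
    adapter accepts any protocol (so file sharing, Telnet, ICMP and so on
    from the Internet reach the server and, through it, the corporate LAN);
    with the option on, only PPTP traffic gets through.
    """
    if not filtering_enabled:
        return True
    if packet.proto == IPPROTO_GRE:
        return True                              # tunnelled PPP data
    if packet.proto == IPPROTO_TCP and packet.dst_port == PPTP_CONTROL_PORT:
        return True                              # PPTP control channel
    return False                                 # everything else is dropped


# Constructed sample traffic arriving on the Internet adapter.
SAMPLE_TRAFFIC = {
    "pptp control": Packet(IPPROTO_TCP, 1723),
    "gre tunnel": Packet(IPPROTO_GRE),
    "smb file sharing": Packet(IPPROTO_TCP, 139),
    "telnet": Packet(IPPROTO_TCP, 23),
    "icmp": Packet(IPPROTO_ICMP),
}


def evaluate(filtering_enabled: bool) -> Dict[str, bool]:
    """Apply the filter to every sample packet; True means accepted."""
    return {name: pptp_filter(p, filtering_enabled)
            for name, p in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for state in (False, True):
        print("PPTP filtering", "on:" if state else "off:")
        for name, accepted in evaluate(state).items():
            print(f"  {name:18} {'accept' if accepted else 'drop'}")
```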
this feature enables clients to record telephone numbers that are needed to connect to remote networks (this requires Dial-Up Networking installed on the client side).
NT Telephony API (TAPI) virtualizes the telephone system by acting as a device driver for a telephone network.
To configure -->>Control Panel >>Telephony
If you select "Remote access to the network" during NT setup, both RAS and Dial-Up Networking will be automatically installed.
Either one or both services can also be installed manually after NT installation, through >>Control Panel >>Network >>Services >>Add >>Remote Access Services >>...
where to? >>Control Panel >>Network >>Services >>Remote Access Service >>Properties... >> Remote Access Setup dialog box ...
Note: if TAPI has already been configured, RAS Setup will not prompt for the Location Information.
Configure... -- to set up the specific port usage of an installed modem (or X.25 card) to be one of:
- Dial out only / Receive calls only /Dial out and Receive calls
- Configuration of Port Usage affects only the specified port.
Network... -- to configure network protocols (NetBEUI, TCP/IP, IPX), Multilink, and encryption settings.
Note: to use Multilink, both the client and the server must have Multilink enabled.
Granting Remote Access Permissions to Users
After installing RAS on a server, you must grant Remote Access permissions to users before they can connect through Dial-Up Networking. To do this,
use >>Administrative Tools >>Remote Access Admin >>Users >>Permissions...
or >> Administrative Tools >>User Manager for Domains >>User >>Properties >>Dialin >>check Grant dialin permission to user
Installing -- Dial-Up Networking is automatically installed if you selected Remote access to the network when installing NT, or if you chose Dial out and Receive calls, or Dial out only, when installing RAS.
To Manually Install (and reconfigure) Dial-Up Networking -- >>My Computer >>Dial-Up Networking
Configuring Phonebook Entries
A phonebook entry stores all of the settings needed to connect to a particular remote network. (When a phonebook is shared among all users, it is called a system phonebook.)
To create/edit phonebook entries, -->>My Computer (or >>Programs >>Accessories) >>Dial-Up Networking
Configuring Logon Preferences
These preferences apply to "Logon using Dial-up Networking" at Ctrl+Alt+Del login.
>>Dial-Up Networking >>More >>Logon Preferences ... can configure: Dialing (interval between redial attempts...), Callback, Appearance, and Phonebook (specify the system phonebook or an alternate phonebook to be used when logging on).
To use the locally cached profile when logging on -- >>Control Panel >>System >>User Profiles >>User Profiles >>Change Type >>Local profile /Roaming profile
This can be used to speed up the logon process with Dial-Up Networking -- configure the client computer so that it does not download the server-based profile during logon across RAS.
The same logon process is used by NT to log on to a LAN directly or through Dial-Up Networking. The reason for this is that a copy of the user's profile is cached on the client each time the user logs off. You may use the locally cached user profile rather than the server-based profile when logging on through Dial-Up Networking (especially when the server containing your server-based profile is unavailable).
AutoDial (enabled by default)-->>Dial-Up Networking >>More >>User Preferences ... >>Dialing >>Enable auto-dial by location
RAS AutoDial works only when the Remote Access AutoDial service is running. To determine if this service is running, >>Control Panel >>Services >> Remote Access AutoDial Manager ...
AutoDial (available only in NT 4.0 Dial-Up Networking, not in Win95 or NT 3.51) maps and maintains network addresses to phonebook entries, allowing them to be automatically dialed when referenced from an application or from the command line.
The AutoDial database includes IP addresses (e.g. 202.209.76.138), Internet host names (e.g. www.mysite.com), or NetBIOS names (e.g. server1). Each of these addresses is associated with a set of one or more entries in the AutoDial database. An entry in an AutoDial database specifies a phonebook entry that RAS can dial to connect to the address from a particular TAPI dialing location.
AutoDial keeps track of all connections made over a Dial-Up Networking connection so that clients can be automatically reconnected.
Two methods of testing RAS installation and configuration:
- use a modem and telephone to dial in to a RAS server from the Dial-Up Networking client
- use a null modem cable to connect a Dial-Up Networking client and a RAS server. (the two computers must be physically connected, otherwise, you cannot do any testing!)
Event Viewer >>System Log -- many RAS events are logged in the system log. Check it if the Dial-Up Networking client fails to connect, or if the RAS fails to start.
Dial-Up Networking Monitor -- (icon in Control Panel) can be used to show the status of a session that is in progress. It also shows which lines are being used for Multilink sessions (in the Summary tab).
Problems with PPP connections -- if the user is having problems being authenticated over PPP, a ppp.log can be created to provide debugging info. This log file is stored in the system_root\System32\Ras folder.
To enable creation of the ppp.log file, set this registry value to 1:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasman\PPP\Logging
Authentication problems -- try changing the authentication settings for the client. Try the lowest authentication option on each side, and if successful, start increasing the authentication options to determine the highest level of authentication that can be used between the two systems.
Multilink and Callback -- Multilink does NOT work with Callback when the client uses more than one phone number.
RAS allows only one phone number to be stored for callback purposes for each user account. Thus, when a client uses a Multilink-enabled phonebook entry to call a server and that server is configured to call back, the callback is made using ONLY one of the Multilink devices (phone numbers).
If the link between the Dial-Up Networking client and the RAS server is made using ISDN with two channels that have the same telephone number, then Multilink will work with callback.