RAS Protocols
Delve into the protocols RAS supports, and identify some options to configure your setup.
November 30, 1997
Knowing the options for configuration
Few articles in this magazine generate as much feedback as those about Windows NT's Remote Access Service (RAS). In May, I gave an overview of how to install and configure RAS in "Remote Access Service." In this article, I address configuring protocols in RAS. I will look at the remote access protocols and the LAN protocols RAS supports.
Which Protocols Does RAS Support?
RAS supports two sets of protocols: remote access protocols and LAN protocols. When you use the Remote Access Service, NT uses the remote access protocols to make the RAS connection to another computer, the Internet, or an Internet Service Provider (ISP). These protocols include Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), the Microsoft RAS protocol, and Point-to-Point Tunneling Protocol (PPTP). The LAN protocols that NT uses to communicate over the RAS connection can be any of the protocols that you use in NT, including NetBEUI, NWLink, or TCP/IP. I will look first at the remote access connection protocols and then at how you must configure the LAN protocols to work with RAS.
The Remote Access Protocols: Client Configuration
When you configure NT 4.0 RAS for a server, the software supports PPP connections. So, this configuration gives you options about which remote access protocol to employ on the client side only.
SLIP. NT's RAS supports SLIP, but only from the client side. RAS clients can connect to existing SLIP servers, but an NT RAS server will not act as a SLIP server. SLIP does not support authentication as part of the protocol, so logon sessions use clear-text transmission of usernames and passwords. Also SLIP cannot negotiate automatic network connection settings. The main use for the SLIP protocol is for connecting to mostly UNIX-based Internet servers.
To configure the RAS client (known as Dial-Up Networking--DUN--in Windows 95 and NT 4.0) for SLIP, open the Phonebook entry, click More, choose Edit entry and modem properties, select the Server tab, and select SLIP: Internet under the Dial-up server type box, as Screen 1, page 222, shows. Many SLIP servers require a logon exchange, so you have two options. Under the Script tab, you can select the Pop up a terminal window option. Or you can use a Switch.inf file to automate the exchange of logon parameters. See the references at the end of this article for information about the contents of the Switch.inf file.
PPP. PPP is the most commonly used remote access protocol. It's a great improvement over SLIP, offering automated, encrypted authentication (although some service providers that use PPP still require a text-based logon exchange). Clients and servers that use the PPP protocol will automatically negotiate authentication and network settings.
To configure PPP in the Phonebook entry, follow the steps outlined for SLIP, but select PPP: Windows NT, Windows 95 Plus, Internet as the Dial-up server type. As with the SLIP logon, if the remote server requires that you log on, set the script option to Pop up a terminal window so that you can interact with the server and provide the required information, or use a script file.
Microsoft RAS Protocol. In Windows NT 3.1 and Windows for Workgroups 3.11, Microsoft supplied an earlier version of the RAS client (at that time, Dial-Up Networking was called the RAS client). It supports both the RAS Terminal and Switch.inf script files for making logon connections.
PPTP. PPTP lets a remote user use a dial-up networking connection to connect to an ISP. This connection transmits data in secure, encapsulated form via the Internet to the corporate Remote Access Server. Essentially, you're using the Internet as a Virtual Private Network (VPN), which helps to reduce costs and maintain security. (For more about PPTP and RAS, see Sean Daily, "Watch Your RAS," August 1997.)
The LAN Protocols: Client Configuration
After you establish the connection between the RAS client and the RAS server, you must decide which LAN protocol to use over that connection. At the client end, you choose the protocol from the Server tab under the Edit Entry and Modem Properties dialog box, as we saw in Screen 1. For TCP/IP, you will need to configure some options.
NetBEUI and IPX/SPX on the client. You have no options to configure for NetBEUI on the client. The same applies to the IPX/SPX Compatible option.
TCP/IP on the client. TCP/IP requires considerably more configuration than any other protocol, as Screen 2 shows. First, determine whether your network has a Dynamic Host Configuration Protocol (DHCP) server that can supply an IP address. If not, you must enter a static IP address. This entry can result in problems unless you use the dial-up connection to connect to the same server each time. Most ISPs and most companies that have RAS servers use DHCP. Even with DHCP, you must decide whether the DHCP server will supply the name server addresses for the Domain Name System (DNS) and Windows Internet Name Service (WINS). This issue is less of a concern when you're connecting to a corporate server, which often will supply these addresses. ISPs, however, might require entries for the DNS server.
In the PPP TCP/IP Settings window, which you see in Screen 2, leave the Use IP header compression option checked, unless you can connect but cannot transfer IP data in one or both directions. The window also has a check box to specify that you want to use the default gateway on the remote network. This option applies only if you are using a DUN connection into one network but have a network card in your computer that is talking to another network. If a packet cannot be routed on the local network, the routers will forward it to the default gateway on the remote network, not the default gateway on the local network. Uncheck this box if you don't want this behavior.
If SLIP is your remote access protocol, you have no option. You must use TCP/IP on the client computer, because SLIP is an Internet protocol.
Configuring LAN Protocols on the Server
To find the RAS settings on the server, go to Settings, Control Panel, Network and choose the Services tab. Select Remote Access Service, and then click Properties. When the Remote Access Setup dialog shown in Screen 3 appears, click the Configure button and select Dial out only (which you would not use for a RAS server), Receive calls only, or Dial out and Receive calls. Close this port settings window and click the Network button to configure the inbound and outbound protocols, shown in Screen 4. If you have RAS set for dial out only, you will see only the three protocols (i.e., NetBEUI, TCP/IP, and IPX) listed, with no configurable options. For incoming calls, you can select one or more protocols. For each protocol, you will see the same option, which is whether to let the dial-in user connect beyond the server to the rest of the network. If the intent is to let a user dial in from home and connect to his or her desktop system at the office, you can configure the desktop system as a RAS server, with no access beyond that one computer to the rest of the network.
NetBEUI on the server. NetBEUI is the simplest LAN protocol to configure on the server. The only option is whether to allow access to the rest of the network.
TCP/IP on the server. For an incoming call using TCP/IP, you have the option of assigning the client an IP address from your network DHCP server, as Screen 5 shows. But how can you assign IP addresses to clients if you do not have a DHCP server? The solution is to use the static address pool, which is a range of IP addresses allocated to the RAS server for assignment to clients. If you use this method, you'll need at least two IP addresses: one for the RAS server and the other for the remote client. Another approach, if your clients always connect to the same server, is to assign them a fixed IP address and have them request that address when they connect.
IPX on the server. When clients connect with IPX, you must provide a network number. The RAS server can allocate these numbers automatically by finding a network number not in use. Or, you can specify a starting network number. You can type an entry in the From: box in the RAS Server IPX Configuration window, but the RAS configuration software computes the To: based on the starting value and the number of ports. Network administrators often use this option when they want to identify RAS clients on the network by their network number. Or, you can assign the same network number to all the RAS clients, which adds only one entry to the routing table for all the connected RAS clients and reduces the size of the Routing Information Protocol (RIP) broadcasts. Be careful with the last option, which lets remote clients request an IPX node number instead of using one the RAS server provides. This option opens a possible security hole because a client can impersonate a previously connected client and access resources previously accessed by that client.
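The node-number caveat above can be checked after the fact. The following is an added example, not part of the original article and not Microsoft code: it scans session records for a client-requested IPX node number that was last held by a different account. The record fields and the sample data are constructed for illustration and are not a RAS log format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    start: str       # ISO-style timestamp, sortable as text
    user: str        # account that authenticated the RAS call
    node: str        # IPX node number used for the session (12 hex digits)
    requested: bool  # True if the client asked for this node number


# Constructed sample records (hypothetical users and node numbers).
SESSIONS = [
    Session("1997-11-03T08:02", "alice", "00A0C9112233", False),
    Session("1997-11-03T09:15", "bob", "00A0C9445566", True),
    Session("1997-11-03T17:40", "bob", "00a0c9445566", True),    # same user again
    Session("1997-11-04T01:12", "carol", "00A0C9112233", True),  # alice's old node
    Session("1997-11-04T07:55", "dave", "00A0C9445566", False),  # server-assigned
]


def find_node_reuse(sessions):
    """Return (session, previous_user) pairs where a client-requested node
    number was last held by a different account."""
    last_owner = {}
    findings = []
    for s in sorted(sessions, key=lambda rec: rec.start):
        node = s.node.upper()  # node numbers are hex; compare case-insensitively
        previous = last_owner.get(node)
        # Only client-requested numbers matter: reuse chosen by the server
        # is ordinary allocation, not a client claiming another identity.
        if s.requested and previous is not None and previous != s.user:
            findings.append((s, previous))
        last_owner[node] = s.user
    return findings


if __name__ == "__main__":
    for session, previous in find_node_reuse(SESSIONS):
        print(f"{session.start}: {session.user} requested node {session.node}, "
              f"last held by {previous}")
```

A finding is a prompt to review what that session accessed; leaving the client-request option disabled removes the condition altogether.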
The NetBIOS Gateway
Microsoft RAS servers support the NetBIOS gateway, which gives users more flexibility. A gateway, by definition, converts between protocols. You can run only NetBEUI on the remote client, making a RAS connection into a RAS server. The RAS server can then translate the network traffic to IPX or TCP/IP, letting the remote client connect to another computer system on the network, even though that computer does not have NetBEUI installed. Although TCP/IP is the fastest protocol overall (at least since NT 4.0), NetBEUI might be the fastest protocol to run over a RAS connection and takes less resources on the client. This approach works well for access to file and print resources on an NT network. It does not let the client run applications that depend on having TCP/IP or IPX on the client computer. If your applications have this requirement, you will still need to install the appropriate protocols on the client.
Configuring Bindings
Don't forget to look at the bindings once you've configured the protocols. You might use some protocols only for the RAS connections or with the network card, as Screen 6 shows. To improve performance, disable bindings to enable only the appropriate combinations of network card and protocols, or RAS link (called WAN connection in the bindings window) and protocols. Or perhaps you use two protocols, but one takes priority for the network card and the other is used most often for the RAS connection. Changing the order of the protocols bound to each adapter is worth doing.
For More Information
One of the best sources of information about RAS is the documentation that comes with NT Server. The "Networking Supplement" contains five chapters on RAS. The Networking Guide volume of the Microsoft Windows NT Server Resource Kit also contains a great deal of useful information about RAS connections and protocols. For further reading on RAS, see the related articles in Windows NT Magazine box, page 222.