Text File | 1993-05-14 | 51KB | 1,531 lines
THE IBM REMOTE LAN ACCESS CAPABILITY
Version 5.0
IBM PSP LAN Systems
11400 Burnet Road
Austin, Texas 78758
+--- NOTE -----------------------------------------------------------+
| |
| Before using this information and the product it supports, be sure |
| to read the general information under TRADEMARKS. |
| |
+--------------------------------------------------------------------+
THE FOLLOWING PARAGRAPH DOES NOT APPLY TO THE UNITED KINGDOM OR ANY
COUNTRY WHERE SUCH PROVISIONS ARE INCONSISTENT WITH LOCAL LAW:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do
not allow disclaimer of express or implied warranties in certain
transactions; therefore, this statement may not apply to you.
This publication could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time.
It is possible that this publication may contain reference to, or
information about, IBM products (machines and programs), programming,
or services that are not announced in your country. Such references
or information must not be construed to mean that IBM intends to
announce such IBM products, programming, or services in your country.
(C) COPYRIGHT INTERNATIONAL BUSINESS MACHINES CORPORATION 1992. ALL
RIGHTS RESERVED.
Note to U.S. Government Users -- Documentation related to restricted
rights -- Use, duplication or disclosure is subject to restrictions
set forth in GSA ADP Schedule Contract with IBM Corporation.
TRADEMARKS
__________
References in this publication to IBM products, programs, or services do not
imply that IBM intends to make these available in all countries in which IBM
operates. Any reference to an IBM product, program, or service is not
intended to state or imply that only IBM's product, program, or service may
be used. Any functionally equivalent product, program, or service that does
not infringe any of IBM's intellectual property rights or other legally
protectible rights may be used instead of the IBM product, program, or
service. Evaluation and verification of operation in conjunction with other
products, programs, or services, except those expressly designated by IBM,
are the user's responsibility.
IBM may have patents or pending patent applications covering subject matter
in this document. The furnishing of this document does not give you any
rights to these patents. You can inquire, in writing, to the IBM Director of
Commercial Relations, IBM Corporation, Purchase, NY 10577-USA.
The following terms in this publication are trademarks of the IBM
Corporation in the United States and/or other countries:
IBM Corporation                  IBM, OS/2, NetBIOS, DOS, LAN Server, ARTIC,
                                 AS/400, AS/400 PC Support Program,
                                 Person-to-person
The following terms in this publication are trademarks of other companies as
follows:
3Com Corporation                 NDIS
Hayes Corporation                ULTRA SmartModem
Intel Corporation                80386, 80486
Lotus Development Corporation    Lotus Notes
Microsoft Corporation            LAN Manager, Windows
Novell Corporation               NetWare, NetWare Server, ODI
Xerox Corporation                Ethernet
CONTENTS
________
What Is The IBM Remote LAN Access Capability?
Remote LAN Access Environments
Current Remote LAN Access Technologies
Components and Packaging
Supported Hardware
Supported Connectivities
Supported Software Interfaces
Security
Administrative Features
User Interface
Installation and Configuration
Additional Information and Beta Program
WHAT IS THE IBM REMOTE LAN ACCESS CAPABILITY?
_____________________________________________
The IBM remote LAN access capability enables remote users to transparently
run their LAN-based applications over switched connections (asynchronous,
synchronous and ISDN) using public switched telephone networks or PBX/CBX
exchanges. The primary distinction of the IBM remote LAN access capability
is that it uses a device driver replacement technology to provide a superset
of functionality available with remote LAN access products on the market
today, and it accomplishes this using a non-dedicated communication server
and non-proprietary hardware. The IBM remote LAN access capability addresses
all of the following remote LAN access environments:
o A remote workstation connecting to another remote workstation
o A remote workstation connecting to LAN workstations
o A LAN workstation connecting to a remote workstation
o A LAN workstation connecting to a remote LAN workstation
The IBM remote LAN access capability's communication server supports up to 32
simultaneous communication ports and provides a full range of configurable
security and administrative features. In essence, the IBM remote LAN access
capability provides the user with functionality and features to run LAN
applications anywhere anytime, and provides the systems administrator with
effective tools for managing the wide area network (WAN).
REMOTE LAN ACCESS ENVIRONMENTS
______________________________
REMOTE-TO-REMOTE
The four main environments listed in the introductory paragraph are
illustrated in Figure 1. A "remote-to-remote" environment consists of a
connection established between two or more remote workstations. Conferences
may be set up between multiple workstations creating an ad hoc LAN over
telephone lines. Without LAN adapters and without LAN wiring, remote-to-remote
workstations can access each other's LAN resources and LAN-based
applications. This environment supports customers who need a low-cost WAN
connection to support data, resource and program sharing. Another example of a
remote-to-remote implementation would be a remote client using the telephone
line to access resources from a file or application server.
REMOTE-TO-LAN
A "remote-to-LAN" environment, sometimes called "dial-in", occurs when a
remote workstation initiates a connection to a LAN workstation via some form
of WAN/LAN communication server. The IBM remote LAN access capability
remote-to-LAN environment is characterized by the remote workstation running
LAN applications between itself and one or more LAN-attached workstations via
a single WAN connection to the LAN. A separate and direct connection is not
required for each LAN-attached workstation with which the remote workstation
needs to communicate. Once the WAN connection is established between the
remote workstation and the LAN, the remote workstation can directly address
any LAN-attached workstation configured to participate within the
remote-to-LAN environment. Likewise, because the remote workstation has its
own unique address, it can receive information directly from the
participating LAN-attached workstations. The IBM remote LAN access capability thus
provides a remote LAN access environment which allows the remote workstation
to transparently run LAN-based applications and interoperate with the LAN as
if it were LAN-attached. The IBM remote LAN access capability also enables
remote workstations to concurrently access multiple LAN-attached workstations
without redialing.
[Figure 1. Four Remote LAN Access Environments. Diagram with four panels
(Remote-to-Remote, Remote-to-LAN, LAN-to-Remote, LAN-to-LAN) showing remote
workstations (ws), a remote server, and Token Ring (TR) LANs joined by
switched links.]
LAN-TO-REMOTE
A "LAN-to-remote" environment, sometimes called "dial-out", occurs when a
LAN-attached workstation initiates a connection to a remote workstation via a
WAN/LAN communication server. The IBM remote LAN access capability
LAN-to-remote environment has the same characteristics and capabilities as
the remote-to-LAN environment except that the LAN-attached workstation
initiates the connection. An example of LAN-to-remote would be a LAN-attached
workstation accessing a remote "information server" to acquire product
pricing data.
LAN-TO-LAN
A "LAN-to-LAN" environment occurs when a LAN-attached workstation connects to
another LAN-attached workstation via two WAN/LAN communication servers. The
IBM remote LAN access capability's LAN-to-LAN implementation combines the
functionality of the LAN-to-remote and remote-to-LAN environments. The
resulting "casual bridge" allows the customer to utilize switched links
rather than leased lines for a more cost effective solution. The LAN-to-LAN
environment provides the capability for LAN-attached machines to access or
update information residing in remote locations, and also, to act as a server
for other remote workstations connecting onto the LAN. Note that this
environment is very different from a split bridge environment. A split bridge
establishes a permanent connection between all machines on the two LANs. In
the IBM remote LAN access capability LAN-to-LAN environment, connections are
established on a temporary workstation-to-workstation basis across the WAN.
The LAN-to-LAN environment is particularly useful for customers with numerous
separate LAN networks and a need to control access on and off the LANs, such
as banking companies with their many branch offices. It provides an
inexpensive mechanism for dynamically connecting the LANs while maintaining control
over the origin of traffic flowing between them.
CURRENT REMOTE LAN ACCESS TECHNOLOGIES
______________________________________
There are numerous other remote LAN access products available today. These
products vary widely in cost and functionality. Many utilize extensions of a
remote-to-remote environment to provide remote-to-remote and remote-to-LAN
access capabilities, but do not support the LAN-to-remote or LAN-to-LAN
environments. Many of the products currently available do not support graphical
interfaces. Many require dedicated or proprietary hardware.
Remote LAN access products use one of four known technological approaches.
Each approach provides an inherent level of functionality and limitations.
In order to better compare the functionality offered by the IBM remote LAN
access capability to that offered by other products, an overview of the four
remote LAN access technologies is provided in the following sections. These
four technologies are:
o The hardware approach
o The remote control approach
o The remote client approach
o The remote node approach
THE HARDWARE APPROACH
The hardware approach replaces the LAN adapter with a customized WAN adapter
in the remote workstation and provides a compatible hardware "tap" on the
LAN. This LAN hardware tap varies from a specialized adapter on the LAN file
server to a standalone multiprocessor box. The implementation of this
approach varies widely in sophistication, cost, and performance. In general,
supporting a large number of remote users with customized hardware may be
cost prohibitive. Difficulties in network maintenance and compatibility have
been cited as additional reasons this approach might be considered suboptimum
for distributed environments. The IBM remote LAN access capability does not
use this approach.
THE REMOTE CONTROL APPROACH
One of the earliest and most pervasive software approaches is remote control.
The remote workstation using this approach dials into, and takes control
over, a LAN-attached workstation which executes programs on behalf of the
remote workstation over the LAN. Keyboard and screen data from the dedicated
LAN-attached system is then routed back to the remote workstation. By
routing only keyboard and screen data, this approach minimizes the amount of
data which flows across the link; however, there are numerous disadvantages.
Because this approach requires a dedicated machine on the LAN for each remote
workstation dialing onto the LAN, customers are required to invest in
duplicate hardware. Most remote control products transmit keyboard and screen
data over the WAN in character mode, though some companies are planning to
provide transmission of graphical screen data in the near future.
Transmitting graphics images will be slower than transmitting characters; however,
graphics mode transmission will be necessary to support the use of graphics
or graphical interfaces across the remote link. Lack of graphics support has
been a major factor in the loss of popularity for this approach. Another
disadvantage with this approach is security. In addition to the requirement
for the LAN-attached workstation to be powered on for remote use, screen data
transmitted across the link contains a high percentage of fixed information
in a fixed format. Data encrypted in this form is relatively easy to break
because the intruder can see the effects of encryption on the fixed
information that is transmitted. The IBM remote LAN access capability does not use
the remote control approach.
THE REMOTE CLIENT APPROACH
Gaining popularity today in the remote LAN access market, the remote client
approach utilizes a simple mechanism to extend the remote-to-remote
environment to service the remote workstation and allow it to share data and
applications located on a common WAN/LAN server. This may be accomplished by
replacing the LAN device drivers in the remote workstation and LAN-attached
server with customized device drivers that will allow them to send and
receive LAN frames across a WAN link. This provides LAN application
transparency within the remote workstation. The new device drivers utilize
existing protocols to allow remote workstations to connect with each other to
form a virtual LAN via the WAN link. In addition, the device drivers provide
a mechanism for remote workstations to disconnect from one another upon
conclusion of the remote transaction. Since the entire LAN frame is transported
between the remote machines over the WAN link, LAN applications running in
the remote workstations can support graphical interfaces in the same way as
those running on LAN-attached workstations. Also, the LAN frames have much
less fixed format information thus providing a more secure link encryption.
This approach is used to provide the remote-to-remote environment within the
IBM remote LAN access capability.
Extending the remote client approach to access information elsewhere on the
LAN from a remote workstation requires a LAN-attached server to manage
transaction data on the workstation's behalf. The remote environment is analogous
to a standard LAN client-server environment. The remote workstation has
addressability only to the WAN/LAN server to which it is connected. Files
and programs residing on the common WAN/LAN server can be shared throughout
the virtual LAN. This approach supports small single-server networks, but
does not scale well to support large or distributed environments.
Bottlenecks in both memory and CPU capacity tend to form in the common WAN/LAN
communication and file server. Because of this, most products using the remote
client approach are dedicated servers supporting a limited number of remote
connections (generally, 1 to 16). Organizations requiring more connections
or greater capacity than can be accommodated by a single WAN/LAN server face
potentially complex challenges in duplicating and maintaining data on
multiple communication servers. Accessing data and applications which are
distributed across multiple servers can be annoying for a remote user in a
remote client environment. For instance, a remote user would have to
physically disconnect from one server and reconnect to a second server in order
to access its resources even though the two servers may be attached to the
same LAN. Due to the constraints on distributed environments imposed by the
remote client approach, the IBM remote LAN access capability utilizes a
fourth approach, called remote node, to provide fully integrated capabilities
for the remote-to-LAN, LAN-to-remote, and LAN-to-LAN environments.
THE REMOTE NODE APPROACH
The remote node approach replaces the device driver within a LAN-attached
communication server. The device driver enables the server to take incoming
data off a WAN and put it onto the LAN, and also, to take outgoing data off
the LAN and put it onto the WAN. In addition to providing the transparency
and remote LAN access capabilities of the remote client approach, remote node
provides full addressability allowing the remote workstation to access
distributed LAN-attached servers and peer services. This means that the remote
workstation can access information and services wherever they reside on the
LAN rather than the LAN having to be redesigned with a central dedicated
server to accommodate access by the remote workstation. It also means that
growth in the number of local and remote LAN users can be easily accommodated
without duplicating (and maintaining) data files across numerous
communication servers.
In summary, the IBM remote LAN access capability utilizes both the remote
client and the remote node approaches to provide a flexible and full-function
remote LAN access capability. The rest of the paper describes the features
provided by the IBM remote LAN access capability.
COMPONENTS AND PACKAGING
________________________
The IBM remote LAN access capability consists of three components (remote
workstation, server, and LAN workstation) contained within two packages:
THE IBM REMOTE WORKSTATION PACKAGE
The IBM remote workstation package contains the remote workstation component
and enables the remote-to-remote environment by establishing a connection
with one or more workstations. Used alone, the IBM remote workstation
package can provide a low-cost means for LAN applications to communicate
without requiring a physical LAN. If installed on a LAN-attached file
server, the IBM remote workstation package can provide indirect remote
access to the LAN through shared files contained on the server. This
configuration supplies the level of functionality available with the remote client
approach described earlier. If used in conjunction with a WAN/LAN server
supplied by the IBM remote LAN access server package, a remote workstation
can directly access any workstation on the LAN which has been configured to
participate in the remote environment. The IBM remote workstation package
runs on either OS/2(R) 2.X or Microsoft Windows(R) 3.1.
THE IBM REMOTE LAN ACCESS SERVER PACKAGE
The IBM remote LAN access server package contains the server and LAN
workstation components. The IBM remote LAN access server package enables the LAN
portion of the remote-to-LAN, LAN-to-remote, and LAN-to-LAN environments by
allowing a LAN workstation to dial-out to a remote workstation, allowing the
remote workstation to dial-in to a LAN workstation, and passing frames
between the WAN and LAN environments. The non-dedicated WAN/LAN server
requires an OS/2(R) 2.X base.
The LAN workstation component provides an interface to allow LAN-attached
workstations to dial-out of the LAN and participate in remote LAN access.
The LAN workstation component runs on either OS/2(R) 2.X or Microsoft
Windows(R) 3.1.
SUPPORTED HARDWARE
__________________
The IBM remote LAN access capability supports all hardware supported by the
operating system platform on which the IBM remote LAN access capability
component runs. Thus, remote and LAN workstations support all OS/2(R) 2.X and
Microsoft Windows(R) 3.1 hardware platforms, and the WAN/LAN server supports
all hardware platforms supported by OS/2(R) 2.X.
The following configuration is recommended for a remote workstation or
WAN/LAN server with very light usage (i.e., one person dialing in or out at a
time):
o An IBM or IBM-compatible 386 non-dedicated machine
o A 9600 to 14400 bps modem
For a WAN/LAN server to support up to 32 concurrent channels, the recommended
configuration would be:
o An IBM or IBM-compatible 486 dedicated machine
o Up to four ARTIC cards (each card supports eight ports)
o A 9600 to 14400 bps modem for each supported port
A LAN adapter IS NOT required on a remote workstation nor is a modem required
on a LAN-attached workstation to access the WAN. Communication between the
LAN and WAN is accomplished via the WAN/LAN server.
SUPPORTED CONNECTIVITIES
________________________
Remote LAN Access software products in the market today provide remote
machines with the ability to access information on a LAN-attached server
using asynchronous modem connections at rates generally between 2400 to 14400
bits per second (bps). However, the IBM remote LAN access capability is
optimized for higher speed (9600 bps and greater) connections and includes
support for the following LAN and WAN connectivities:
o LAN Connectivities
  - Token Ring
  - Ethernet
o WAN Connectivities
  - ISDN Basic Rate Adapter
  - Asynchronous Communications Port
  - Dual Asynchronous Adapter
  - Asynchronous/Synchronous Artic Adapter
  - Synchronous Wide Area Connector
  - X.25
When the LAN is a Token Ring, the IBM remote LAN access capability utilizes
source routing information from LAN control frames to efficiently relay data
to and from the LAN. Token Ring adapters must support "promiscuous mode".
Promiscuous mode allows control frames to be transparently passed up to the
software layers. As it is required by many LAN management tools and protocol
analyzers, promiscuous mode is commonly supported by most Token Ring
adapters. An example of an adapter which supports promiscuous mode is the
IBM Token Ring 16/4 Adapter.
When the LAN is Ethernet, the IBM remote LAN access capability uses a
learning filter technique with a spanning tree algorithm. Without microcode
assistance from the Ethernet card, the overhead for filtering unwanted LAN
traffic will likely result in fewer ports supported by the Ethernet-attached
WAN/LAN server as compared to a WAN/LAN server attached to a Token Ring.
This overhead, however, is a small fraction of that which would be incurred
if unfiltered Ethernet traffic were allowed to flow over the WAN.
The IBM remote LAN access capability allows other techniques to be used in
the WAN/LAN server to move frames to and from the LAN. To offset the
processing overhead when using Ethernet or connecting different LAN types, a
higher layer router can be used. For example, if the protocol is TCP or IPX,
the IP Router/Gateway could be used with the IBM remote LAN access
capability. By using the IP Router, only frames known to be directed off the
local LAN would be sent to the WAN/LAN server.
The IBM remote LAN access capability can support an X.25 network; the type of
connection is determined by the X.25 network provider. The remote
workstation can use an asynchronous modem connected to an X.3 pad provided by the
network, or an X.25 modem (such as the Hayes Ultra Smart Modem) to connect to
a network SYNC access point. On the server side, most X.25 networks require
a SYNC access point and a permanent connection to the X.25 modem.
The IBM remote LAN access capability includes Medium Access Control (MAC)
drivers for the first four WAN connectivities. Other adapters packaged with
MAC drivers which adhere to, and support, the NDIS interface may also be
supported by the IBM remote LAN access capability such as the IBM Synchronous
Wide Area Connector.
SUPPORTED SOFTWARE INTERFACES
_____________________________
The IBM remote LAN access capability supports the following protocols and
application programming interfaces:
o Netbios
o 802.2
o NDIS
o ODI requester
All that is required to support the above interfaces is included with the IBM
remote LAN access capability. This allows the user to transparently run any
LAN applications which utilize these interfaces within the WAN environment
without modification. IPX, TCP/IP, Person-to-Person, Lotus Notes and OS/2
Communication Manager are a few examples of applications which can be
purchased and installed to run within the WAN environment. The IBM remote LAN
access capability has also been used to access an AS/400 via the AS/400 PC
Support Program.
The IBM remote LAN access capability is network operating system independent,
and therefore, is not packaged with any specific network operating system.
It is designed to support any network operating system which resides over the
802.2, Netbios or NDIS interface including the following:
o IBM(R) LAN Server
o Microsoft(R) LAN Manager
o Novell Netware(R) Server (802.2 Compatibility Mode)
SECURITY
________
The IBM remote LAN access capability provides an extensive set of
configurable security options which are enabled via WAN/LAN server
configuration. These security options include:
o Workstation address identification
o Valid logon time intervals
o Password encryption and session-based user authentication
o Access privilege levels
o Simplified log-on for LAN-to-LAN
o Call back
Details of each of these features are provided below. In addition to the
security features listed, the IBM remote LAN access capability transparently
supports existing LAN and application level security mechanisms. In other
words, security features originating from applications, the network operating
system, the operating system platform, and hardware should run without
modification.
WORKSTATION ADDRESS IDENTIFICATION
Each user account on the WAN/LAN server can be configured with 0 to 8
workstation LAN MAC addresses. If one or more addresses have been defined for a
user's account, the user must call from a workstation with an address
matching one of the user account addresses or the logon attempt will fail.
VALID LOGON TIME INTERVALS
The Valid Logon Time Intervals option allows a Security Administrator to
configure the days of the week and the times of day during which a user can
logon to the server. Any logon attempts outside of the designated time
periods will fail.
PASSWORD ENCRYPTION AND SESSION-BASED USER AUTHENTICATION
To minimize the possibility of off-line "dictionary attacks" to discover user
passwords, a one-way encrypted password key is generated from a "password
phrase." For each subsequent logon, the security subsystem implements a two
party, two-way entity authentication protocol using message authentication
code which adheres to the OSI X9.9 security standard. After a successful
mutual authentication (workstation-to-server and server-to-workstation) the
workstation and WAN/LAN server both share a common secret session key that
is used to build certificates that authenticate all subsequent workstation
service requests sent to the server. A new session key is generated for
every session.
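The logon exchange described above, as an added Python example that is not
IBM's code or wire format: each side proves knowledge of the password-derived
key with a message authentication code, both derive a fresh session key, and
every later request carries a tag built from it. PBKDF2 and HMAC-SHA-256 stand
in for the paper's unnamed one-way function and its X9.9 MAC; the message
order, labels, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor; the paper names no algorithm


def derive_key(user_id: str, phrase: str) -> bytes:
    """One-way key from the password phrase; the server stores only this."""
    salt = b"rla-demo:" + user_id.encode()
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, ITERATIONS)


def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC over length-prefixed fields so field boundaries cannot shift."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


class Server:
    def __init__(self, accounts):
        self.accounts = accounts   # user_id -> derived key, never the phrase
        self.pending = {}          # user_id -> nonce_s awaiting a proof
        self.sessions = {}         # user_id -> [session_key, last_counter]

    def hello(self, user_id):
        # Same reply for known and unknown users; nothing keyed is sent yet.
        self.pending[user_id] = secrets.token_bytes(16)
        return self.pending[user_id]

    def finish(self, user_id, nonce_w, proof_w):
        nonce_s = self.pending.pop(user_id, None)  # one try per challenge
        key = self.accounts.get(user_id)
        if nonce_s is None or key is None:
            return None
        uid = user_id.encode()
        want = mac(key, b"workstation", uid, nonce_s, nonce_w)
        if not hmac.compare_digest(want, proof_w):
            return None
        # Fresh nonces from both sides: a new session key every session.
        self.sessions[user_id] = [mac(key, b"session", nonce_w, nonce_s), 0]
        # Server-to-workstation proof, released only to a verified caller.
        return mac(key, b"server", uid, nonce_w, nonce_s)

    def request(self, user_id, counter, payload, tag):
        session = self.sessions.get(user_id)
        if session is None or counter <= session[1]:
            return False           # no session, or replayed/stale counter
        want = mac(session[0], counter.to_bytes(8, "big"), payload)
        if not hmac.compare_digest(want, tag):
            return False
        session[1] = counter
        return True


class Workstation:
    def __init__(self, user_id, phrase):
        self.user_id = user_id
        self.key = derive_key(user_id, phrase)
        self.session_key = None
        self.counter = 0

    def logon(self, server):
        uid = self.user_id.encode()
        nonce_s = server.hello(self.user_id)
        nonce_w = secrets.token_bytes(16)
        proof_w = mac(self.key, b"workstation", uid, nonce_s, nonce_w)
        proof_s = server.finish(self.user_id, nonce_w, proof_w)
        want = mac(self.key, b"server", uid, nonce_w, nonce_s)
        if proof_s is None or not hmac.compare_digest(want, proof_s):
            return False           # rejected, or the server lacks our key
        self.session_key = mac(self.key, b"session", nonce_w, nonce_s)
        return True

    def signed_request(self, payload):
        self.counter += 1
        tag = mac(self.session_key, self.counter.to_bytes(8, "big"), payload)
        return self.counter, payload, tag


if __name__ == "__main__":
    # Constructed account and request, for illustration only.
    srv = Server({"alice": derive_key("alice", "blue heron over the bayou")})
    ws = Workstation("alice", "blue heron over the bayou")
    print("logon:", ws.logon(srv))
    req = ws.signed_request(b"DIAL SERVER-10")
    print("accepted:", srv.request("alice", *req))
    print("replay accepted:", srv.request("alice", *req))
```

In this sketch the stored key is what authenticates, so it is
password-equivalent and the account database needs matching protection.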
ACCESS PRIVILEGE LEVELS
A database of user accounts is maintained at the WAN/LAN server. Users are
classified into the following types:
o User
o Administrator
o Security Administrator
"User" is the lowest security classification. A User has permission to
access the dial services of a WAN/LAN server in order to dial off LAN and can
be granted permission to remotely attach to the LAN wire by calling a WAN/LAN
server. A User can also view and change selected information, such as user
description and user password, within the User's own account on a WAN/LAN
server.
An Administrator has the same privileges as a User, and additionally, can
perform management functions such as transaction logging and report
generation.
A Security Administrator has the same privileges as an Administrator and, in
addition, is authorized to maintain a WAN/LAN server's User Account Data
Base. This includes changing user account policy parameters (e.g. maximum
number of logon attempts permitted during a single call), as well as viewing,
adding, and deleting user accounts within the User Account Data Base. The
Security Administrator can also change account information contained in any
user's accounts and disable the security features.
SIMPLIFIED LOG-ON FOR LAN-TO-LAN
A user is required to logon and be authenticated by each secured WAN/LAN
server before accessing that server's resources. If the same user ID and
password are maintained at multiple servers, the user will be able to access
these additional servers without having to reenter IDs and passwords. For
example, if a user on a LAN-attached workstation wishes to access a
workstation on another LAN, the user would logon to the locally-attached WAN/LAN
server to dial-out to a second, remote WAN/LAN server. The user would only
be prompted for an ID and password by the remote WAN/LAN server if they are
different from those used to access the first WAN/LAN server.
This feature should not be confused with what is generally called "single
logon." Single logon, or the ability to bypass network operating system
logons, is not provided by the IBM remote LAN access capability. In other
words, users must still logon to LAN servers in the same way they would if
they were LAN-attached.
CONFIGURABLE LOGON PARAMETERS
Several logon policy options can be configured by a Security Administrator
when setting up a WAN/LAN server. These include:
o Minimum and Maximum Password Age
o Minimum Password Length
o Maximum Number of Unsuccessful Logon Attempts
o Password History
The Password History option allows a Security Administrator to specify a
history of zero to eight prior passwords to be saved in the user's account.
When a user submits a new password, the password is checked against the
password history to ensure it does not duplicate one previously submitted. If a
duplicate is found, the new password is invalid and the user is requested to
submit another new password.
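One way to express the workstation address, valid logon time interval,
per-call attempt limit and password history checks as code (an added Python
example, not the product's implementation). The field names, the salted-hash
storage of history entries, and treating an account with no configured
intervals as unrestricted are assumptions; the address in the demo is
constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time

MAX_ADDRESSES = 8   # the paper allows 0 to 8 workstation addresses per account
MAX_HISTORY = 8     # and a history of 0 to 8 prior passwords


def norm_mac(mac: str) -> str:
    """Reduce '10:00:5A:..' or '10-00-5a-..' to 12 lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def pw_hash(user_id: str, password: str) -> bytes:
    # Assumption: history entries are kept as salted one-way hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user_id.encode(), 50_000)


@dataclass
class Policy:
    min_password_length: int = 8
    max_failed_attempts: int = 3   # unsuccessful attempts allowed per call
    history_depth: int = 4         # 0 disables the history check


@dataclass
class Account:
    user_id: str
    allowed_macs: set = field(default_factory=set)  # empty: any workstation
    windows: dict = field(default_factory=dict)     # weekday 0=Mon -> [(start, end)]
    history: list = field(default_factory=list)     # newest last

    def __post_init__(self):
        self.allowed_macs = {norm_mac(m) for m in self.allowed_macs}
        if len(self.allowed_macs) > MAX_ADDRESSES:
            raise ValueError("at most 8 workstation addresses per account")


def in_window(windows: dict, when: datetime) -> bool:
    return any(start <= when.time() < end
               for start, end in windows.get(when.weekday(), []))


def pre_logon_check(acct, policy, caller_mac, when, failures_this_call):
    """Return (allowed, reason) before any password is examined."""
    if failures_this_call >= policy.max_failed_attempts:
        return False, "too many failed attempts on this call"
    try:
        caller = norm_mac(caller_mac)
    except ValueError:
        return False, "malformed workstation address"   # fail closed
    if acct.allowed_macs and caller not in acct.allowed_macs:
        return False, "workstation address not registered for this account"
    # Assumption: no configured intervals means no time restriction.
    if acct.windows and not in_window(acct.windows, when):
        return False, "outside valid logon time interval"
    return True, "ok"


def change_password(acct, policy, new_password):
    if len(new_password) < policy.min_password_length:
        return False, "shorter than minimum password length"
    candidate = pw_hash(acct.user_id, new_password)
    depth = min(policy.history_depth, MAX_HISTORY)
    recent = acct.history[-depth:] if depth else []   # [-0:] would be all
    if any(hmac.compare_digest(candidate, old) for old in recent):
        return False, "duplicates a password in the history"
    acct.history.append(candidate)
    del acct.history[:-MAX_HISTORY]   # never keep more than eight entries
    return True, "ok"


if __name__ == "__main__":
    # Constructed account: one registered adapter, weekdays 08:00 to 18:00.
    acct = Account("alice", {"10:00:5A:AA:BB:01"},
                   {d: [(time(8, 0), time(18, 0))] for d in range(5)})
    pol = Policy()
    print(pre_logon_check(acct, pol, "10-00-5a-aa-bb-01",
                          datetime(1993, 5, 14, 10, 0), 0))
    print(pre_logon_check(acct, pol, "10:00:5a:aa:bb:02",
                          datetime(1993, 5, 14, 10, 0), 0))
    print(change_password(acct, pol, "first-phrase-1"))
    print(change_password(acct, pol, "first-phrase-1"))
```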
CALL BACK
The Call Back feature is optional. Remote workstations can be configured to
handle either a fixed or mobile telephone number. The mobile Call Back
requires the user to submit a telephone number as part of the logon process
which the server then uses to call back. The caller is authenticated both
prior to the call back to prevent unnecessary telephone charges, and also,
after the call back is complete to guard against known hacker techniques that
can normally only be avoided using special telephone equipment or service
options. Beyond security, call back can be useful if reversal of telephone
charges is needed, such as from a hotel or customer site.
ADMINISTRATIVE FEATURES
_______________________
The IBM remote LAN access capability provides full administrative support for
monitoring connection status as well as logging errors, user data, and audit
information. Audit information includes all connections attempted,
completed, and rejected. Also included are security trails and statistics
useful for capacity planning. The audit logs can be displayed locally or
retrieved from a remote workstation. In addition, several key configuration
files from a given workstation can be collected into a single file for
analysis. The IBM remote LAN access capability can interface with a
user-supplied report program to schedule and create daily, weekly, or monthly
reports, or to periodically generate output when the log file reaches a
specified size.
USER INTERFACE
______________
The IBM remote LAN access capability employs a standard object-oriented
graphical user interface consistent with that used for OS/2(R) 2.0. The
interface has been designed to be consistent across all supported operating
systems and machine types, whether it be a Microsoft Windows(R)-based remote
workstation or an OS/2(R)-based LAN-attached workstation. Only those
selections appropriate to the user's location and privilege level are presented.
An example of this interface is the phone book and call status
screen illustrated in Figure 2.
The graphical user interface provides information on available servers, call
status, and context sensitive help screens. Connection to the "virtual LAN"
may be accomplished by selecting an entry from a user's phone book or through
a command line interface. Commands may be entered from the keyboard or
imbedded in a batch or command file.
Another unique feature is support for moving workstations between remote and
LAN-attached environments, or "docking." When a workstation is configured as
both LAN-attached and remote, the IBM remote LAN access capability manages
the configuration changes to support the correct environment. This vastly
simplifies the use of a single workstation for home, office, and travel.
-----------------------------------------------------------------------------
+---------------------------------------------------------+
| SERVER-10 - Phone Book |
+---------------------------------------------------------+
| |
| +-----------+-+-----------------------------+ |
| | Austin \\| ------+ |
| | Berlin \\| Name: (Dial) A-L | |
| | Deauville \\| Austin, TX ------+ |
| | Leipzig \\| (Hang Up) | |
| | Marseille \\| Number: |-----+ |
| | Munchen \\| 512 555 1212 (Alternate) | M-R | |
| | Paris \\| |-----+ |
| | Stuttgart \\| Modem: | |
| | Toulouse \\| ATDT15125551212 |-----+ |
| | \\| CONNECT 19200/ECL V.32BIS | S-Z | |
| | \\| |-----+ |
| | \\| page 1 of 4 < | > | |
| +-----------+-+-----------------------------+ |
| |
| (Add) (Change) (Delete) (Help) |
| |
+---------------------------------------------------------+
-----------------------------------------------------------------------------
Figure 2. Phone Book and Call Status Screen
INSTALLATION AND CONFIGURATION
______________________________
The IBM remote LAN access capability provides a guided quick installation and
configuration path as well as support for advanced configuration via CUA'91's
Notebook Controls. The quick install feature may be used to install the IBM
remote LAN access capability on LAN-attached and remote workstations. It is
designed for non-technical users to provide a simple workstation configuration
with a minimum amount of knowledge, time and effort. After installation
is complete, the advanced configuration may be used to customize selected
configuration parameters for optimum network and system performance. The
advanced configuration is designed for experienced users. Preconfigured
default values make tuning via the advanced configuration panels unnecessary
for most parameters on most networks. Online hypertext help panels guide
users through possible choices for each parameter.
The remote workstation can be installed directly over OS/2(R) 2.X or Microsoft
Windows(R) 3.1. The WAN/LAN server and LAN workstation assume a
LAN-enabled system for installation; minimum requirements are for the NetBIOS
or 802.2 LAN Adapter Protocol Support to be present. The WAN/LAN server
requires OS/2(R) 2.X while the LAN workstation may be either Microsoft
Windows(R) or OS/2(R)-based.
The IBM remote LAN access capability may be installed by using:
o diskettes
o a LAN redirected drive
o a LAN redirected drive and a response file
Installation using a LAN redirected drive is performed via the LAN's
Configuration, Installation and Distribution (CID) facility. The IBM remote LAN
access capability is fully CID-enabled for installation. Users of this
facility install the IBM remote LAN access capability on their workstations
and servers by attaching to the LAN and redirecting the files from a
LAN-attached source. A response file may be specified at the time installation
is invoked. A response file contains all the answers to the questions
that are asked during a panel-driven installation. This allows administrators
to set up quick and simple installations for their users. The user would
only need to enter a single command and the installation would proceed to
completion without any further interaction required.
ADDITIONAL INFORMATION AND BETA PROGRAM
_______________________________________
THE BETA PROGRAM provides the IBM remote LAN access capability code at
predetermined development checkpoints prior to general availability. The remote
LAN access functions described in "The IBM Remote LAN Access Capability"
document may not be fully supported in the beta program.
BETA CODE FROM IBM MARKETING AND VM
To obtain beta code and documentation via electronic delivery, contact your
IBM marketing representative and submit the following information via FAX to
(512) 838-4002 or have your marketing representative submit a PROFS note to
BETASRUS at AUSVM1: (IMPORTANT NOTE - Please supply all data requested in
order to avoid delays in filling your order.)
IBMers that are requesting the beta for their own use should specify IBM as
the Company Name and their name as the Company Technical Contact Name. Their
VM Id and Node are also required.
Specify that you are ordering the RLA beta program.
BETA CODE FROM 1-800 TELEPHONE NUMBER
To obtain diskettes and hardcopy publications, call one of the numbers below
and specify you are ordering the RLA beta.
o In the U.S., call 1-800-IBM-3040. You will be charged $80.00 (U.S.) plus
a shipping charge.
o In Canada, call 1-800-561-5293. You will be charged $100.00 (Canadian)
plus Tax and a shipping charge.
o Elsewhere, see the Electronic Delivery ordering information below.
ADDITIONAL INFORMATION
IBM does not guarantee this beta program will ever be made generally available.
All beta code and documentation are under development and may be modified
substantially should there be a generally available product. In
addition, the manner in which IBM packages these development materials may
differ substantially from any generally available products.
IBM reserves the right to modify or withdraw this offering at any time.
Your license for the beta code may be terminated by IBM upon 30 days written
notice.
+----------------------------------------------------------------------+
| |
| ELECTRONIC DELIVERY RLA |
| |
| |
| Please specify which of the following categories applies to you: |
| _____ LAN Customer with no HOST computers in your Company. |
| _____ LAN Customer with HOST computers in your Company, but: |
| - HOST computer not connected to your LAN |
| - or HOST connected, but not used as a Client/Server |
| - or HOST connected and used as a Client/Server only |
| one or two times a day. |
| _____ LAN Customer with HOST connected to your LAN used as a |
| Client/Server. |
| |
| |
| Where did you learn about this beta program? (Check Applicable) |
| |
| Trade Show _____________ CompuServe ________________ |
| IBM Representative _____ Trade Publications ________ |
| Other (specify)__________________________________________ |
| |
| |
| Company Name:__________________________________________________ |
| |
| Mailing Address:_______________________________________________ |
| |
| _______________________________________________ |
| |
| _______________________________________________ |
| |
| Company Technical Contact Name:_________________________________ |
| |
| Technical Contact Phone Number:________________________________ |
| |
| Technical Contact FAX Number:__________________________________ |
| |
| IBM Marketing Rep Name:________________________________________ |
| |
| IBM Marketing Rep Phone Number:________________________________ |
| |
| VM Node (VM Userid):___________________________________________ |
| |
| Country, if other than U.S.:___________________________________ |
| |
| (IBM, in its sole and absolute discretion, reserves the right |
| to reject any beta applicant from participation in this |
| beta program.) |
| |
| |
+----------------------------------------------------------------------+