Connecting Telecommuters and Remote Employees

Contents
Introduction
What it Takes to Connect
More Productive Remote Access with Windows 2000 Professional
Easier Remote Access Solutions for Small and Growing Business
Scalable Remote Access Solutions for Large Organizations
Related Links

Introduction

Whether telecommuting, traveling, or working permanently from a satellite location, staying connected to the company network is critical. The best solutions let employees work anytime and anywhere, as if they were directly connected to the company network. Letting employees work in a consistent way, regardless of their location, can aid productivity, improve internal communications, and increase an organization's responsiveness to customers.

The Microsoft® Windows® 2000 operating system supports an array of features to address different needs, from small, one-office businesses to very large, geographically dispersed organizations. Remote network access capabilities are secure, fast, and easy to use. With Windows 2000, mobile users can connect directly to the company network through their own dial-up connection or ISDN line. Or they can connect securely through most Internet connections using virtual private networking (VPN). Regardless of where you are, Windows 2000 can help get you connected quickly, easily, and securely.

What it Takes to Connect

Connecting a telecommuter or traveling employee requires four components.

  1. A PC loaded with connection features such as Dial-up Networking in addition to a secure communications environment.
  2. A server "gateway" system that links the remote PC to the company network.
  3. An authentication system (on the gateway or another system) that validates remote users and manages the policy for giving them access to the network.
  4. A simple way to manage remote PC configurations, so that traveling employees don't have to be technical experts.

Depending on the situation, the configuration and services involved in these components can be basic or sophisticated. Some just require a single modem in a single server to handle direct-dial connections from a few employees. Others require a complex network of VPN gateways, direct-dial network access boxes, centralized RADIUS authentication servers, smart cards, and public key infrastructure (PKI)-based encryption systems. Regardless of the situation, Windows 2000 includes everything needed to confidently connect remote users to the company network.

Through its integrated remote access services, Windows 2000 helps organizations provide:

More Productive Remote Access with Windows 2000 Professional.
Easier Remote Access Solutions for Small and Growing Business.
Scalable Remote Access Solutions for Large Organizations.

More Productive Remote Access with Windows 2000 Professional

Most users work inside the company network with the benefit of high-speed links. Others travel between buildings and need wireless communications to overcome limitations of running copper or optical fiber links under sidewalks and streets. Some users require quick access from home to check e-mail on the company server. Others work remotely on a full-time basis and need high performance, reliable connections. Still others travel frequently and need low-cost access from whatever city they happen to be in.

To meet these needs, Windows 2000 Professional provides:

Wired connections through standard Ethernet and token-ring networks.
Wireless network access.
Simple dial-up connections to a company network.
DSL and cable modem support for high-speed remote access.
Encrypted VPN services to let employees connect to the company network using Internet access points.

In the case of wired connections, it's a simple matter of plugging in the card and starting the system. For other connections that require some information that cannot be automatically sensed by Plug and Play, Windows 2000 makes setup easy through the New Connections Wizard. Non-technical users can easily define their own dial-up connections by just knowing phone numbers and their login information. Because of the auto-configuration features in Windows 2000, IP addresses, gateway information, naming service addresses and more can be hidden through standards-based services.

For larger organizations requiring central control of client set-up, Windows 2000 includes a variety of management features. The Connection Manager Administration Kit lets administrators customize the dialer with the phone books and customized connection action features they need. The resulting dialer can be easily distributed in a number of ways, including through mail or Web downloads. The end user can easily install the customized dialer without any user intervention, and in the process receive updated software drivers, custom help files, auto-updating phonebooks, and more.

These features make it easy to keep the mobile professional connected and productive without technical difficulties.

Easier Remote Access Solutions for Small and Growing Business

Small and growing business owners don't require advanced technical skills to take advantage of Windows 2000 remote access networking services. Simple-to-set-up remote access services that include scalable technologies ensure the remote access services will meet the changing needs of a growing business.

For basic networks, the New Connection Wizard walks you through the set-up of the remote access server for both direct-dial connections and for VPN. Plug and Play modem configuration makes it easy to install a modem in the server. The wizard asks a few simple questions to determine if you want dial-up, VPN, or both types of access, and asks you which network interface to allow the connections to come in on. Next, it presents you with a simple list of known users; just check the box on the users you want to allow remote access for, and you're essentially finished.

With Windows 2000 in a small business, you can have gateway services, an authentication system, and central client-management tools all integrated in a single low-cost PC platform. And you can run these services on an existing server to save hardware costs.

Scalable Remote Access Solutions for Large Organizations

In larger companies, remote access infrastructure can get much more complex. The servers need to be part of a demilitarized zone (DMZ) architecture. The volume of connections is high. There may be multiple systems involved, some managing incoming modem connections and others managing VPN. There may be multiple access points in different geographic locations that all link to the corporate network. You may be allowing contractors, partners and customers into specific regions of your network. And there are likely different and fine-grained policies that go beyond the simple "yes/no let them have remote access" scenario. Finally, centrally managing mobile PCs is critical to avoid the costs of creating depots that employees must send systems to for configuration.

This means having a set of services that allow integration of different vendor products based on standards. It means integrating policy management with the corporate user directory so that rules can be applied to groups of users. It means having the scalability to grow with an increasing population of telecommuters. And it means having rock-solid security for the connections to prevent intrusion.

Windows 2000 Server and Windows 2000 Advanced Server include rich, scalable, secure, and high-performance remote access services. You can choose to use some or all of the services to create the solution you need.

The integrated Routing and Remote Access Service acts as a foundation for the network access system, or "gateway." It includes the ability to connect high-density modem pools to manage hundreds of incoming direct-dial connections. With broad third-party support, you can choose from a variety of devices with telephone, ISDN, T1, or T3 interfaces. In addition, the system lets you accept incoming connections over network interfaces including WAN connections like frame relay or X.25 and LAN interfaces (coming in from your DMZ) on Ethernet or Token-ring. You can use these connections to link systems in the clear or using the most advanced standards-track encryption capabilities available today [Layer 2 Tunneling Protocol (L2TP) with IPSec].

You can choose to start small with a non-dedicated server that accepts incoming connections, move to a dedicated uni-processor gateway, or even a multi-processor system with multiple high-speed links. And because the system includes the option to add hardware acceleration cards for encryption, you can scale the system to thousands of simultaneous connections in a single server. Finally, you can combine multiple systems together with central management control to scale out for an advanced, reliable remote access infrastructure that's always available.

Scalable Remote Access Policy Management

Many companies have existing remote access infrastructures that they want to preserve and add to, and some have strong preferences for third-party network access boxes. Regardless of the situation, virtually every large company wants to centrally manage remote access policies based on the groups of users defined in their company-wide user directory.

Windows 2000 lets you accomplish this in several ways:

First, the remote access services of Windows 2000 let you use passwords with existing PAP, CHAP or MS-CHAP systems, or add new and forthcoming authentication tools like smart cards and biometric devices, to log in users. Because it implements the standards-based Extensible Authentication Protocol (EAP), you have the confidence that your Windows 2000 Server-based gateway can authenticate users with new devices as they emerge in the future and that they will work with other authentication databases as well.

Second, because the Routing and Remote Access Service can authenticate the login directly with the Active Directory™ service, you don't have to install a separate computer to act as an authentication server.

Third, the remote access services can use the RADIUS protocol to forward authentication to a RADIUS-capable authentication server that might validate users on a non-Windows user directory (like NetWare or UNIX).

Fourth, Windows 2000 includes an advanced RADIUS server of its own called Internet Authentication Service (IAS). With IAS, most RADIUS network access servers can integrate indirectly with Active Directory to authenticate users. For example, you might use a Cisco VPN-router and a Lucent dial-up access box and have them authenticate incoming connections against Active Directory. IAS also includes sophisticated remote access policy rules that let you manage things based on a combination of Active Directory groups, time of day, type of connection, type of authentication (for example, smart card only), encryption protocol used, strength of encryption key used, and much more. IAS can even tell the remote access server how to restrict where users can go once they connect. This lets you open access to business partners and be confident they only get to the system or two that you want them to, and they can't see other parts of the network.

Flexible, Standards-Based Remote Access Platform

Best of all, Windows 2000 is built entirely on interoperable remote access standards. All of the protocols are published with broad industry support. For VPN access, it gives you the choice of Point-to-Point Tunneling Protocol (PPTP) or L2TP with IPSec encryption. There are no proprietary extensions that compromise interoperability or IPSec security. You can use the integrated Windows 2000 Professional VPN client with a standards-based VPN server and authenticate users against Active Directory through IAS. You can offer access to contractors and business partners without telling them which proprietary systems to buy. And if you are consolidating networks inherited through acquisitions, you know that the Windows 2000 remote access services will work with other standards-based systems. Windows 2000 was designed for interoperability so you'll have a lasting investment based on proven security and communications protocols.

© 2000 Microsoft Corporation. All rights reserved.