Home as Office

You can conceivably set up most of your company for telecommuting with Windows Server 2003’s much-improved RRAS and VPN features. Here’s how.

In this sour economy, businesses are looking for ways to effectively scale back budgets. Doubtless most companies have “right-sized” in terms of attrition or layoffs, but there may still be a need for some trimming back.

Office space is one place where companies can cut back without having to cut people, processes or projects. If companies can somehow manage a group of telecommuting users — folks dialing in from home or accessing the private network through a VPN — then there isn’t as much need for office space expansion and, hence, there’s a recognizable savings. You can help your managers develop a robust telecommuting farm with Windows Server 2003 and other Microsoft server products, and you can develop the farm inexpensively and quickly. You’ll have assurance that you’ve developed a secure environment that users can connect to and that they’ll be able to get their work done as though they were at the office.

Additionally, workers who are frequently out of the office, such as salespersons, will greatly benefit from having the private network available to them from any location.

Telecommuting networks, while not simple to set up, are still definitely something that the neophyte administrator can tackle and be successful at implementing.

To further develop the idea of telecommuters and bringing your network to them, let’s imagine a small Bay-area company called The Neutrino Group. The Neutrino Group’s business is research and development of fuel-cell components (Proton Exchange Membranes) that can be used in automobiles. The majority of the company’s financing comes from federal research grants, coupled with venture capital funding. The hope, of course, is that The Neutrino Group will one day find that answer to a small, inexpensive and safe PEM that can be easily be deployed in new cars and possibly even retrofitted to late model used cars. The company has about 100 users consisting predominantly of engineers, research scientists, grant writers, administrative staff and some marketing specialists along with a small IT staff, of which you’re a member. The IT staff has a developer that writes firmware code for any integrated circuits that the company may use in their PEMs as well as a Web site developer and you, the network administrator.

You’ve set up The Neutrino Group on Windows 2000 Advanced Server and Exchange Server 2000 for e-mail. You have a dual T1 connection to the Internet (~3.88 Mb/sec) and your ISP provides firewall services.

You come in on Monday morning and your boss, the Chief Financial Officer, Ruben Mendez, has this to say:

“Kim, we didn’t do as well as we thought we would on our last grant application. We only got half of what we requested. I’ve done as many budgeting cutbacks as I safely can without having to let go of employees — we’re at the bare minimum that we need to be able to accomplish our mission — and the only thing that I can think of to help us is to allow our workers to telecommute from home. We could set up a virtual office environment somewhere in which we’d maintain a small administrative staff along with a couple of conference and demonstration rooms. The rest of our employees would work from home. Basically, we’d move from this building and run the company from our homes.”

You nod your head. Sounds like a good idea, especially in the Bay area where rush-hour traffic means you have to leave two hours early to get to work on time.

Ruben continues: “What I want to know from you is how we can utilize the equipment we currently have in order to meet the goal. I can give you a few thousand dollars to augment your budget, but you can’t go crazy! We need for people to be able to connect to the network, send and receive e-mail and updated calendar free and busy times, and to virtually collaborate. We’ll assemble the entire team once a month for a ‘level-setting’ meeting, just to make sure everyone’s going down the same road, but otherwise we’ll do everything electronically. Think you can make it happen? Can you go study this and come back at the end of the week with your report?”

You agree and leave wondering how you’re going to accomplish this ponderous new assignment.

After a brief technology assessment, you discover the following information about your users:

  • Thirty-five of them have a broadband Internet account.
  • Twenty-five have a DSL account.
  • The remaining forty either have no ISP or use dial-up to connect to their ISP.
  • There are fifteen people who have company laptops and who frequently travel; of these people, three have a broadband Internet account, two have DSL and the remainder use dial-up.
  • No users live less than seven miles from the proposed new office location.

The first question you ask yourself is this: Will wireless connectivity work to meet any of the requirements?

You do some initial research and find that the answer is, unfortunately, no. It would be cost-prohibitive to hook up with a company in the business of providing WAN-based wireless connectivity for corporate users via pole-top or building repeaters. (Ricochet — www.richochet.com — is such a company that can provide this, but it’d be expensive in this scenario.) Further, campus-based wireless implementations won’t work because your users aren’t really going to have a campus. Also, distance limitations from users’ houses prohibit you from implementing an 802.11 environment on your internal network. Wireless connectivity simply isn’t an option.

You have two other solutions at your disposal: Remote Access Services and Virtual Private Networking. In a RAS environment, users utilize their PC and modem to call a phone number connected to your network. Once the modem answers the phone call, authentication is passed to the Windows 2000 server, which, in turn, authenticates users and allow them onto the network.

With VPN, a home user uses a PC and dial-up networking (DUN) client to access the network by going through an ISP to yours and, hence, into your network.

To accomplish either goal you must have at least one server capable of handling RAS or VPN clients, as well as the modem hardware and telephone circuits necessary to accommodate dial-up users.

Fortunately for you, Windows 2000 Advanced Server as well as Windows Server 2003 both support Routing and Remote Access Services (RRAS), that service that you’ll use to configure both your network for both dial-up and VPN. Further, some enhanced tools such as Connection Manager and the Connection Manager Resource Kit allow you to streamline and customize the Windows dialer, and Internet Authentication Service (IAS) allows for centralized authentication of the authentication of users across a heterogeneous series of connection devices. These advanced tools aren’t necessary in a small network such as yours with no specialized requirements.

You have a meeting with your ISP to find out what sort of services they provide. You discover that, while your ISP can host VPN services for you, it’s cost-prohibitive and therefore not an option. You opt instead to have your ISP stop firewalling for you on a given date at which time you’ll provide your own firewall and Network Address Translation (NAT) services for the network.

Flow chart of telecommunication services
Figure 1. Flow of telecommuting services from client machines at various locations back to your network.

Next you develop a user flow diagram (see Figure 1) and develop a list of both the soft and hard components required:

  • Two Windows 2000 or Windows Server 2003 servers that will run Microsoft Internet Security and Acceleration Server and provide VPN services. The servers will be members of an ISA array. They must be beefy enough to handle the load of several dozen simultaneous users accessing the system. The servers will have dual processors and 2 GB of RAM apiece. Cost including server licenses: $20,000.
  • A Window 2000 or Windows Server 2003 server that will use Terminal Services to allow users to connect and remotely run corporate applications such as the accounting and engineering programs. Again, the server must be hefty enough to handle the processing load placed upon it. You’ll buy a four-way server that has 4 GB of RAM for this activity. Cost including server licenses: $8,000.
  • A Windows 2000 or Windows Server 2003 server that will be utilized as an RRAS dial-up server. You could require that your dial-up clients use their ISP and connect to the private network via VPN, but some ISPs charge by the number of online hours and the company’s budget would be chewed up in reimbursing employees for their ISP costs. Instead you’ll provide an RRAS server and modems that will answer calls, log in users and allow them to access the Terminal Services server. This server will be a two-way with 2 GB of RAM. Cost including server licenses: $8,000.
  • Two additional T1 circuits (each circuit can handle 24 voice channels) to be utilized for telephone service connectivity to the RRAS server. You’ll contract through your telephone company for these new circuits. You’ll require that the two circuits can be accessed by one telephone number that users can dial into (as well as a 1-800 number for the times when a user is overseas or out of state) and that will “hunt” down through the 48 channels to find one that’s available for use. All forty of your RRAS users should be able to dial up and work at the same time. Cost: $300/month/T1 circuit and a $300 one-time setup fee.
  • A Windows 2000 or Windows Server 2003 server that will act as a NetMeeting Internet Locator Service (ILS) server in order to host virtual collaboration meetings. This server only needs to house the names of the people who’ll be virtually meeting and does not need to be a powerhouse server. You have an older computer available that can act as the ILS server. Cost including server licenses: $500.
  • Two T1 adapters for the RRAS server. These adapters will be installed directly into the server and accept a cable from the T1 voice circuits. Cost: $4,500/adapter.

Now you’re equipped to begin setting up your telecommuting environment. All the rest of your design centers around setup, configuration, testing and deployment.

Dial-up users will dial into the network using their home PC and modem and the dial-up networking client. Once authenticated, they’ll be able to run NetMeeting, access company applications via the Terminal Services server and use Exchange for e-mail and calendaring. You’ll have to either provide a well-planned out instruction sheet on how to set everything up or plan on visiting each home to help the user get set up and able to connect.

Because all your VPN users are running Windows 2000 or XP, you can utilize Layer Two Tunneling Protocol (L2TP) in your VPN for a more secure environment. You can run the ISA wizard to set up VPN access, but you must then change the protocol it selects from Point to Point Tunneling Protocol (PPTP) to L2TP as it defaults to PPTP. You’ll have to provide an instruction sheet for your users to configure their VPN connection. There may be some work you’ll have to do in order for DNS and WINS to run correctly in this new environment.

ISA Server comes “hardened,” meaning that no outside user can get in the door without you first configuring the server to accept certain ports and protocols. This is a good thing. You’ll have to set the servers up in an ISA array (requiring Active Directory and an extension of the AD schema), configure VPN and NATting.

The RRAS server will be easy to set up — the biggest hurdle you’ll have to overcome will be installing and configuring the T1 cards so that they work correctly. Plan on devoting some time to this process, especially if you’ve never worked with voice cards before. And be prepared for a call or two to the company for assistance. You’ll probably also be quite engaged with your telephone company to make sure that the hunt numbers work and the circuits are provisioned correctly. RRAS itself is easy to set up to accept dial-up users.

You’ll set up the Terminal Services server with the applications that are required by certain of the users. Your intent is to allow all home users to run Office on their local machines. You’ll push antivirus software updates to them via a script at logon.

Finally, you set up the NetMeeting ILS server and test.

The single biggest obstacle you as an administrator face is getting all of your users to understand the complexity of becoming a telecommuting user. They have to understand how to dial-up or connect VPN, how to recognize when they’re connected, and how to perform some basic troubleshooting in the event they think they’re not getting connected. You’ll also have to train users how to utilize NetMeeting and Terminal Services applications and, more important, how to virtually collaborate. Video and audio are essentially out, especially over slow wires, because they’re just too bandwidth-intensive. Users need to understand how to conference-call in conjunction with their NetMeeting work.

Because users are running corporate applications from the server, they’ll be satisfied with the performance, even if they’re dialing up.

As an administrator, you’ll be faced with tons of technical challenges. Among them: Configuring all of the server components so they work as advertised; troubleshooting home user problems; making sure that name-resolution is happening correctly; assuring that users are NATted correctly and maintaining high security on the network.

Can this be done? Yes, there are lots of companies heavily involved in virtual collaboration and telecommuting. Windows 2000 Server and Windows Server 2003 give you greatly enhanced tool sets from which to develop your telecommuting environment.

You report back to Ruben: You need about $50,000 for the project and the company will incur an additional $600/month in T1 circuit charges. You estimate that you’ll need a month of configuration and testing time in the new location. Additionally, there’ll be some downtime as you swing the two, older T1 circuits from the old site to the new. The upside? The company can send ninety-five of its employees home permanently and save thousands of dollars a month in office lease expenses in the long term. It's almost that simple.

Featured