Home as Office
You can conceivably set up most of your company for telecommuting with Windows Server 2003’s much-improved RRAS and VPN features. Here’s how.
- By Bill Heldman
- June 01, 2003
In this sour economy, businesses are looking for ways to effectively
scale back budgets. Doubtless most companies have “right-sized”
in terms of attrition or layoffs, but there may still be a need for some
trimming back.
Office space is one place where companies can cut back without having
to cut people, processes or projects. If companies can somehow manage
a group of telecommuting users — folks dialing in from home or accessing
the private network through a VPN — then there isn’t as much
need for office space expansion and, hence, there’s a recognizable
savings. You can help your managers develop a robust telecommuting farm
with Windows Server 2003 and other Microsoft server products, and you
can develop the farm inexpensively and quickly. You’ll have assurance
that you’ve developed a secure environment that users can connect
to and that they’ll be able to get their work done as though they
were at the office.
Additionally, workers who are frequently out of the office, such as salespersons,
will greatly benefit from having the private network available to them
from any location.
Telecommuting networks, while not simple to set up, are still definitely
something that the neophyte administrator can tackle and be successful
at implementing.
To further develop the idea of telecommuters and bringing your network
to them, let’s imagine a small Bay-area company called The Neutrino
Group. The Neutrino Group’s business is research and development
of fuel-cell components (Proton Exchange Membranes) that can be used in
automobiles. The majority of the company’s financing comes from
federal research grants, coupled with venture capital funding. The hope,
of course, is that The Neutrino Group will one day find that answer to
a small, inexpensive and safe PEM that can be easily be deployed in new
cars and possibly even retrofitted to late model used cars. The company
has about 100 users consisting predominantly of engineers, research scientists,
grant writers, administrative staff and some marketing specialists along
with a small IT staff, of which you’re a member. The IT staff has
a developer that writes firmware code for any integrated circuits that
the company may use in their PEMs as well as a Web site developer and
you, the network administrator.
You’ve set up The Neutrino Group on Windows 2000 Advanced Server
and Exchange Server 2000 for e-mail. You have a dual T1 connection to
the Internet (~3.88 Mb/sec) and your ISP provides firewall services.
You come in on Monday morning and your boss, the Chief Financial Officer,
Ruben Mendez, has this to say:
“Kim, we didn’t do as well as we thought we would on our
last grant application. We only got half of what we requested. I’ve
done as many budgeting cutbacks as I safely can without having to let
go of employees — we’re at the bare minimum that we need to
be able to accomplish our mission — and the only thing that I can
think of to help us is to allow our workers to telecommute from home.
We could set up a virtual office environment somewhere in which we’d
maintain a small administrative staff along with a couple of conference
and demonstration rooms. The rest of our employees would work from home.
Basically, we’d move from this building and run the company from
our homes.”
You nod your head. Sounds like a good idea, especially in the Bay area
where rush-hour traffic means you have to leave two hours early to get
to work on time.
Ruben continues: “What I want to know from you is how we can utilize
the equipment we currently have in order to meet the goal. I can give
you a few thousand dollars to augment your budget, but you can’t
go crazy! We need for people to be able to connect to the network, send
and receive e-mail and updated calendar free and busy times, and to virtually
collaborate. We’ll assemble the entire team once a month for a ‘level-setting’
meeting, just to make sure everyone’s going down the same road,
but otherwise we’ll do everything electronically. Think you can
make it happen? Can you go study this and come back at the end of the
week with your report?”
You agree and leave wondering how you’re going to accomplish this
ponderous new assignment.
After a brief technology assessment, you discover the following information
about your users:
- Thirty-five of them have a broadband Internet account.
- Twenty-five have a DSL account.
- The remaining forty either have no ISP or use dial-up
to connect to their ISP.
- There are fifteen people who have company laptops and
who frequently travel; of these people, three have a broadband Internet
account, two have DSL and the remainder use dial-up.
- No users live less than seven miles from the proposed
new office location.
The first question you ask yourself is this: Will wireless connectivity
work to meet any of the requirements?
You do some initial research and find that the answer is, unfortunately,
no. It would be cost-prohibitive to hook up with a company in the business
of providing WAN-based wireless connectivity for corporate users via pole-top
or building repeaters. (Ricochet — www.richochet.com
— is such a company that can provide this, but it’d be expensive
in this scenario.) Further, campus-based wireless implementations won’t
work because your users aren’t really going to have a campus. Also,
distance limitations from users’ houses prohibit you from implementing
an 802.11 environment on your internal network. Wireless connectivity
simply isn’t an option.
You have two other solutions at your disposal: Remote Access Services
and Virtual Private Networking. In a RAS environment, users utilize their
PC and modem to call a phone number connected to your network. Once the
modem answers the phone call, authentication is passed to the Windows
2000 server, which, in turn, authenticates users and allow them onto the
network.
With VPN, a home user uses a PC and dial-up networking (DUN) client to
access the network by going through an ISP to yours and, hence, into your
network.
To accomplish either goal you must have at least one server capable of
handling RAS or VPN clients, as well as the modem hardware and telephone
circuits necessary to accommodate dial-up users.
Fortunately for you, Windows 2000 Advanced Server as well as Windows
Server 2003 both support Routing and Remote Access Services (RRAS), that
service that you’ll use to configure both your network for both
dial-up and VPN. Further, some enhanced tools such as Connection Manager
and the Connection Manager Resource Kit allow you to streamline and customize
the Windows dialer, and Internet Authentication Service (IAS) allows for
centralized authentication of the authentication of users across a heterogeneous
series of connection devices. These advanced tools aren’t necessary
in a small network such as yours with no specialized requirements.
You have a meeting with your ISP to find out what sort of services they
provide. You discover that, while your ISP can host VPN services for you,
it’s cost-prohibitive and therefore not an option. You opt instead
to have your ISP stop firewalling for you on a given date at which time
you’ll provide your own firewall and Network Address Translation
(NAT) services for the network.
|
Figure 1. Flow of telecommuting services from
client machines at various locations back to your network. |
Next you develop a user flow diagram (see Figure 1) and develop a list
of both the soft and hard components required:
- Two Windows 2000 or Windows Server 2003 servers that will run Microsoft
Internet Security and Acceleration Server and provide VPN services.
The servers will be members of an ISA array. They must be beefy enough
to handle the load of several dozen simultaneous users accessing the
system. The servers will have dual processors and 2 GB of RAM apiece.
Cost including server licenses: $20,000.
- A Window 2000 or Windows Server 2003 server that will use Terminal
Services to allow users to connect and remotely run corporate applications
such as the accounting and engineering programs. Again, the server must
be hefty enough to handle the processing load placed upon it. You’ll
buy a four-way server that has 4 GB of RAM for this activity. Cost including
server licenses: $8,000.
- A Windows 2000 or Windows Server 2003 server that will be utilized
as an RRAS dial-up server. You could require that your dial-up clients
use their ISP and connect to the private network via VPN, but some ISPs
charge by the number of online hours and the company’s budget
would be chewed up in reimbursing employees for their ISP costs. Instead
you’ll provide an RRAS server and modems that will answer calls,
log in users and allow them to access the Terminal Services server.
This server will be a two-way with 2 GB of RAM. Cost including server
licenses: $8,000.
- Two additional T1 circuits (each circuit can handle 24 voice channels)
to be utilized for telephone service connectivity to the RRAS server.
You’ll contract through your telephone company for these new circuits.
You’ll require that the two circuits can be accessed by one telephone
number that users can dial into (as well as a 1-800 number for the times
when a user is overseas or out of state) and that will “hunt”
down through the 48 channels to find one that’s available for
use. All forty of your RRAS users should be able to dial up and work
at the same time. Cost: $300/month/T1 circuit and a $300 one-time setup
fee.
- A Windows 2000 or Windows Server 2003 server that will act as a NetMeeting
Internet Locator Service (ILS) server in order to host virtual collaboration
meetings. This server only needs to house the names of the people who’ll
be virtually meeting and does not need to be a powerhouse server. You
have an older computer available that can act as the ILS server. Cost
including server licenses: $500.
- Two T1 adapters for the RRAS server. These adapters will be installed
directly into the server and accept a cable from the T1 voice circuits.
Cost: $4,500/adapter.
Now you’re equipped to begin setting up your telecommuting environment.
All the rest of your design centers around setup, configuration, testing
and deployment.
Dial-up users will dial into the network using their home PC and modem
and the dial-up networking client. Once authenticated, they’ll be
able to run NetMeeting, access company applications via the Terminal Services
server and use Exchange for e-mail and calendaring. You’ll have
to either provide a well-planned out instruction sheet on how to set everything
up or plan on visiting each home to help the user get set up and able
to connect.
Because all your VPN users are running Windows 2000 or XP, you can utilize
Layer Two Tunneling Protocol (L2TP) in your VPN for a more secure environment.
You can run the ISA wizard to set up VPN access, but you must then change
the protocol it selects from Point to Point Tunneling Protocol (PPTP)
to L2TP as it defaults to PPTP. You’ll have to provide an instruction
sheet for your users to configure their VPN connection. There may be some
work you’ll have to do in order for DNS and WINS to run correctly
in this new environment.
ISA Server comes “hardened,” meaning that no outside user
can get in the door without you first configuring the server to accept
certain ports and protocols. This is a good thing. You’ll have to
set the servers up in an ISA array (requiring Active Directory and an
extension of the AD schema), configure VPN and NATting.
The RRAS server will be easy to set up — the biggest hurdle you’ll
have to overcome will be installing and configuring the T1 cards so that
they work correctly. Plan on devoting some time to this process, especially
if you’ve never worked with voice cards before. And be prepared
for a call or two to the company for assistance. You’ll probably
also be quite engaged with your telephone company to make sure that the
hunt numbers work and the circuits are provisioned correctly. RRAS itself
is easy to set up to accept dial-up users.
You’ll set up the Terminal Services server with the applications
that are required by certain of the users. Your intent is to allow all
home users to run Office on their local machines. You’ll push antivirus
software updates to them via a script at logon.
Finally, you set up the NetMeeting ILS server and test.
The single biggest obstacle you as an administrator face is getting all
of your users to understand the complexity of becoming a telecommuting
user. They have to understand how to dial-up or connect VPN, how to recognize
when they’re connected, and how to perform some basic troubleshooting
in the event they think they’re not getting connected. You’ll
also have to train users how to utilize NetMeeting and Terminal Services
applications and, more important, how to virtually collaborate. Video
and audio are essentially out, especially over slow wires, because they’re
just too bandwidth-intensive. Users need to understand how to conference-call
in conjunction with their NetMeeting work.
Because users are running corporate applications from the server, they’ll
be satisfied with the performance, even if they’re dialing up.
As an administrator, you’ll be faced with tons of technical challenges.
Among them: Configuring all of the server components so they work as advertised;
troubleshooting home user problems; making sure that name-resolution is
happening correctly; assuring that users are NATted correctly and maintaining
high security on the network.
Can this be done? Yes, there are lots of companies heavily involved in
virtual collaboration and telecommuting. Windows 2000 Server and Windows
Server 2003 give you greatly enhanced tool sets from which to develop
your telecommuting environment.
You report back to Ruben: You need about $50,000 for the project and
the company will incur an additional $600/month in T1 circuit charges.
You estimate that you’ll need a month of configuration and testing
time in the new location. Additionally, there’ll be some downtime
as you swing the two, older T1 circuits from the old site to the new.
The upside? The company can send ninety-five of its employees home permanently
and save thousands of dollars a month in office lease expenses in the
long term. It's almost that simple.