Remote Access Considerations

Selecting which remote access components of Windows 2000 to implement, how to implement them, and how to design your Active Directory tree to support and manage these components in the context of your enterprise can depend on many factors. For example, designing an Active Directory tree and namespace with remote users in mind has an impact on performance. To account for this, a well-designed Active Directory tree and namespace needs to consider the quantity and location of Global Catalog (GC) servers—the GC provides an indexed catalog that speeds searches for network resources, an important requirement for remote users. To understand some of these issues and dependencies, consider the following:

  1. Who needs remote access in your organization?

  2. Where do these users gain access from, one location or multiple?

  3. What level of security does each user or group require when accessing the network from each remote location?

  4. Which applications/services does each user/group require?

    Applications and services to consider include off-line file storage and synchronization; email, contact management, calendar, group scheduling, enterprise resource applications; videoconferencing or IP telephony services; and local or remote printing.

  5. Do any application services require, or benefit from, Terminal Services?

  6. Do you use dial-up or VPN servers? For help making this decision, see the VPN servers sidebar.

  7. If you are using a VPN, do users gain access to the Internet through the corporate network, or through a split tunnel at the ISP (one PPTP or L2TP tunnel to the corporate network and another connection to the Internet)?

  8. Do you need to connect remote locations, such as a small branch office LAN?

  9. What Telco options are available at each location, and what are the bandwidth requirements for each site?

  10. Do you use Windows 2000 RRAS and Internet Authentication Service (IAS), or do you use a separate routing device, such as a Cisco VPN router?

  11. How should you configure the Active Directory site topology to optimize access for remote offices over slow links?

  12. Consider how you authenticate remote users, and what level of authentication and data encryption you require for

    The number and placement of Active Directory Domain Controllers (DCs) and GC servers depends on the entry point for remote users and on the network resources to which they require access.

    The authentication approach and the level of encryption affect performance and could alter your Windows 2000 Active Directory design.

    Microsoft PPP Encryption (MPPE) for PPP and PPTP connections, 40-bit or 128-bit.

    IPSec for L2TP connections, 40-bit data encryption standard (DES), 56-bit DES, or Triple DES.

VPN Servers

Consider implementing VPN remote access servers if using the Internet to access intranet-based resources is an acceptable risk, or if the connection to the Internet will support the maximum number of remote access clients.

The VPN server configuration should specify the number of PPTP or L2TP ports necessary to support the maximum number of simultaneous clients, the user accounts that are granted remote access, and the remote access policy restrictions.

VPN servers might be an acceptable solution if your remote-user community is highly distributed and diverse.

Dial-up servers might be an acceptable solution if your remote-user community is relatively small and located within a local calling area.

VPN servers are excellent if you need to provide controlled, secure access to business partners, such as a supplier. This is typically referred to as an extranet, or business-to-business communications.
