Response to RFP: Microsoft

Microsoft Corporation

RFP for:
Powell Electrical Manufacturing Co

Overview:

Powell Electrical Manufacturing Company is in the process of upgrading their remote access server (RAS) infrastructure to provide greater efficiencies for their mobile and remote workforces as well as improving the management functionality associated with the system. Additionally, although not an explicit goal, one that any company is always concerned with is lowering the total cost of ownership.

The requirements for the Powell Electrical RAS infrastructure upgrade are the following:

  • Fault tolerance for 99.9% uptime

  • Secure system to ensure unauthorized users are not allowed into the corporate network

  • Centralized management through a standard management interface

  • Access to the corporate IP/IPX network for e-mail, file transfers (in some cases large CAD files), and intranet web servers for up to 70 mobile and remote users throughout the day for various durations of time

  • Production of usage statistics for their network managers

Microsoft produces a solution based on industry standards, a tightly integrated set of components, and proven technology that meets these requirements. That solution is Microsoft Windows NT Server 4.0 with Routing and Remote Access Services.

Microsoft's comprehensive remote access solution for Powell Electrical Manufacturing Co. consists of the following components:

  • Microsoft Windows NT Server 4.0 Enterprise Edition

  • Client machines running Windows 98 (typical mobile/remote users) or Windows NT Workstation 4.0 (Engineering AutoCAD users)

  • Windows NT Load Balancing Service (WLBS)

  • Windows NT Routing and Remote Access Service (RRAS)

  • Windows Dial-Up Networking 1.3 (DUN 1.3)

  • Windows NT 4.0 Option Pack which contains:
    • Microsoft Internet Connection Services for RAS (includes Connection Manager Administration Kit, Connection Manager, Connection Point Services, and Internet Authentication Services)

  • Optionally, Powell could use Microsoft Terminal Server 4.0 for slow-link access to a specific application that requires high bandwidth or low latency

Additional, non-Microsoft components included in the solution:

  • Third-party server hardware - two dual-processor Pentium servers from an OEM

  • Third party reporting solution such as Telco Research or Acotec reporting solution

    Addressing the Requirements:

    Fault tolerance for 99.9% uptime - A solution based on Windows NT Server 4.0 Enterprise Edition not only provides 99.9% uptime through integrated technologies such as Windows NT Load Balancing Service (WLBS), but also has the backing of major third-party OEMs who commit to the same quality of service.

    By using WLBS, Powell is assured of full TCP/IP load balancing across up to 32 servers, so that incoming VPN traffic is distributed across the servers acting as front ends for inbound IP traffic. The load balancing is transparent to the client, which needs no modification to take advantage of it. For the number of users requiring access to the central office, a single server would suffice; to maintain availability through unexpected system outages and maintenance work on servers, two Windows NT Server 4.0 Enterprise Edition servers are recommended to meet the 99.9% requirement.

    The two servers will have direct dial-up connections split between the machines using the existing pool of modems. This provides a fallback if high-speed Internet connectivity fails. The dial-up and Internet connectivity to the servers is discussed at greater length later in this document.

    Additionally, commitments to support server solutions for NT Server 4.0 at 99.9% uptime are provided by a wide variety of OEMs, including those listed on the Microsoft web site.

    Secure system to ensure unauthorized users are not allowed into the corporate network - Security under Windows NT Server comes in many forms. Windows NT Server provides a secure logon sequence and a user authentication model built on C2-level security. Additionally, NT Server provides a secure channel across the Internet using the industry-standard Point-to-Point Tunneling Protocol (PPTP) with encryption.

    With Windows NT Server, security is not an add-on or an afterthought; it is an integrated part of the product. A Windows NT administrator can build a highly secure environment that prohibits unauthorized users from accessing the corporate network or the data on it, whether they approach the network internally or externally. Data on Windows NT VPN and direct dial-up connections is protected with RC4 encryption, using 128-bit keys within North America and 40-bit keys outside (an export restriction; 40-bit keys are export grade and should not be relied on as strong protection). Additionally, the security interfaces within Windows NT allow an administrator to establish stringent password and user authentication policies.

    By implementing the Microsoft Routing and Remote Access Service on Windows NT Server, Powell can further restrict what reaches the server from the public Internet by using RRAS packet filters on the Internet-facing interface, admitting only PPTP traffic to the VPN gateway. Both PPTP and direct dial-in RAS connections use the Windows NT security infrastructure to validate user access to the corporate network. Additionally, Powell may choose to use RADIUS logon to the corporate network in conjunction with the VPN services. Remote Authentication Dial-In User Service (RADIUS) is a widely used protocol for centralizing remote user authentication and authorization across heterogeneous systems. RADIUS servers can be located anywhere on the network and authenticate users on behalf of their clients, the access servers. Windows NT 4.0 provides a RADIUS server, Internet Authentication Service (IAS), in the NT 4.0 Option Pack, and RRAS can be configured as a RADIUS client that forwards authentication requests to it.
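    As an added example, not from the proposal, of the packet filter the preceding paragraph relies on: the inbound rule set below, for the Internet-facing interface of the RRAS server, is default deny and admits only the two flows PPTP uses, the control connection on TCP port 1723 and the GRE-encapsulated tunnel (IP protocol 47), and only when addressed to the VPN gateway. The gateway address, the sample packets and the rule syntax are assumptions for illustration, not RRAS's own filter format; the point is the shape of the policy and the review check that nothing else is exposed.

```python
"""Inbound packet filter for the public interface of a PPTP/RRAS gateway.

Added example (not Microsoft's code). Default deny, with explicit permits for
the PPTP control channel (TCP/1723) and the GRE tunnel carrier (IP proto 47).
The gateway address, rule syntax and sample packets are assumptions."""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47
VPN_GATEWAY = "203.0.113.10"        # assumed public address (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None     # GRE carries no port number


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[int] = None     # None matches any protocol
    dst: Optional[str] = None       # None matches any destination
    dport: Optional[int] = None     # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


# First match wins; the trailing catch-all makes the policy default deny.
INBOUND_RULES = [
    Rule("permit", TCP, VPN_GATEWAY, 1723),   # PPTP control connection
    Rule("permit", GRE, VPN_GATEWAY),         # GRE tunnel carrying the PPP frames
    Rule("deny"),                             # everything else: SMB, NetBIOS, RPC, ...
]


def evaluate(rules, packet):
    """Action of the first rule matching the packet; no match means deny."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def exposed_services(rules):
    """(proto, dst, port) triples permitted before the first catch-all deny.

    Review check: for a PPTP gateway the result should contain exactly the
    TCP/1723 and GRE entries and nothing else."""
    exposed = set()
    for rule in rules:
        if rule.action == "deny" and (rule.proto, rule.dst, rule.dport) == (None, None, None):
            break
        if rule.action == "permit":
            exposed.add((rule.proto, rule.dst, rule.dport))
    return exposed


# Constructed sample traffic from an Internet host.
SAMPLE = {
    "pptp_control":       Packet("198.51.100.7", VPN_GATEWAY, TCP, 1723),
    "gre_tunnel":         Packet("198.51.100.7", VPN_GATEWAY, GRE),
    "smb_probe":          Packet("198.51.100.7", VPN_GATEWAY, TCP, 139),
    "pptp_to_fileserver": Packet("198.51.100.7", "10.0.0.20", TCP, 1723),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:20s} -> {evaluate(INBOUND_RULES, pkt)}")
    print("exposed:", sorted(exposed_services(INBOUND_RULES), key=str))
```

    The fourth sample packet matters: PPTP traffic aimed at an internal host other than the gateway is dropped too, so the filter protects the rest of the network even if an internal machine happens to listen on port 1723.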

    Access to the corporate IP/IPX network for e-mail, file transfers (in some cases large CAD files), and intranet web servers for up to 70 mobile and remote users throughout the day for various durations of time - Powell currently requires RAS usage for up to 70 mobile and remote users. Microsoft recommends that in implementing the current solution, Powell also plan for future expansion and flexibility of the infrastructure. The Windows NT Server family of communication services provides this. Windows NT Server fully supports a variety of networking protocols including IP and IPX, with IP at the core of the OS.

    The proposed RAS solution from Microsoft for Powell will be built on the existing Equinox asynchronous modems that the company already possesses. The modems will be spread across two dual Pentium II 400 MHz machines running Windows NT Server 4.0 Enterprise Edition and configured into a common hunt group to load balance and ensure availability. The server machines will serve both as fully functional VPN authentication gateways and as direct dial entry points, allowing access to the corporate network for authorized remote and mobile users. This allows centralized administration of both VPN and direct dial-up access.

    The primary groups of users requiring RAS connections will have multiple options for accessing the corporate network for e-mail, file transfers, and corporate intranet web access. These options include VPN access through a modem, DSL, or cable modem using an ISP connection, then tunneling into the corporate network over a secured PPTP connection between the client machine and the corporate Windows NT Server machines. Alternatively, they can use direct dial through dedicated 56 Kbps lines attached to the Equinox modem bank.

    By using the VPN RAS services the company will receive several benefits, the most substantial being reduced costs associated with RAS. With a VPN solution, each remote or mobile user dials into a local service provider using a standard modem to gain access to the Internet with a local call. Once connected to the local ISP, the user establishes a secure PPTP VPN connection over the Internet into the corporate central office network. This happens transparently for the user via Connection Manager, discussed later. The user is validated by one of the Windows NT Server 4.0 machines running the PPTP VPN services there. Multiple layers of security are involved: authentication of the user ID for logon to the domain, and encryption of the data over the PPTP connection so that other parties on the Internet cannot read it even if they intercept it.

    Alternatively, direct dial into the modem banks provides an effective solution for priority users by ensuring a high level of quality of service and availability. This solution is more costly, though, due to the leased line and modem port costs associated with it. When a user dials up using a dedicated line, the call will in many instances be a long distance call. Also, once all the ports on the modem bank are in use, additional users will simply receive busy signals. To increase capacity it will be necessary to purchase additional modems as well as lease additional POTS lines from the local telco. Expanding a direct dial solution can grow costly very quickly. Microsoft recommends VPN access where possible and direct dial-up where required. This will keep infrastructure expenses to a minimum.

    The subgroup of remote telecommuters requiring high bandwidth access, the engineers using AutoCAD applications, should be offered DSL or cable access from their homes. By using the Windows NT VPN services they will be able to establish high-speed connections into the corporate network through the corporate high-speed access to the Internet. These connections will be secured both in regard to the transmission of data and access to the corporate network. The engineers can also use the WAN connectivity from the corporate central office to connect out to the subsidiary offices if needed to gain access to other files or information they may require. Alternatively, engineers without DSL or cable connectivity from home could use a Multilink PPP (MLPPP) connection over RAS to aggregate bandwidth across multiple POTS phone lines. An MLPPP solution requires that each user have multiple phone lines and modems, but in the absence of DSL or cable connectivity it provides an alternative for giving users higher bandwidth access to the corporate network.

    Below is a summary of the connectivity recommendations based on the various user groups:

    User group                         VPN via DSL/Cable   VPN via 56 Kbps   Direct Dial to Modem Pool   MLPPP RAS
    Telecommuters (Engineering)        Primary             -                 -                           Secondary
    Telecommuters (Productivity Apps)  -                   Primary           Secondary                   -
    Mobile Sales Force                 -                   Primary           Secondary                   -
    Executives                         -                   Primary           Backup                      Secondary

    To further simplify the administration and user connection scenarios, Microsoft Windows NT Internet Connection Services for RAS (ICS) will be implemented. ICS is comprised of several components, including Connection Manager Administration Kit, Connection Manager, Connection Point Services, and Internet Authentication Services. The following describes the functionality of each and how Powell will benefit from their implementation as part of the Microsoft solution:

    1. Connection Manager Administration Kit - allows a business or an ISP to preconfigure connection manager clients. Preconfiguration both improves the user experience, especially for novice users, and reduces support costs. Preconfigurable options include:

      • Preloaded server information, protocols, and logon syntax

      • Centralized deployment

      • Dialer settings and access numbers, including automatic phone book publishing and updates to Connection Manager clients

      • Customizable help files for ease of support

      • Custom licensing to provide corporate policy information

      • Branded desktop icons, dialer interface, and phone book to clearly indicate method of access

      • The ability to automatically launch or close resident applications upon connection or disconnection via Connect Actions

      • Automated logon to both the network and Web application servers

    2. Connection Manager (CM) - The CM is generated using the Connection Manager Administration Kit and provides an intuitive, customizable user interface for dialing and gaining access to the Internet and corporate resources, eliminating the need for users to manage their access configuration, including their dial-in and VPN access numbers.

    3. Connection Point Services - provides phone book services: it automatically aggregates access numbers from multiple disparate sources into a single updated list delivered transparently to the Connection Manager client. The phone book server can be centrally managed by either a corporate or an ISP administrator.

    4. Internet Authentication Services - provides RADIUS authentication and registration services that can be integrated with Windows NT Server security domains.

    By implementing the ICS tools, users will experience an easy interface for connecting to the corporate central office and the mobile users will always have the latest local ISP information for connecting via a local call then establishing their VPN connection to corporate. Microsoft Windows NT Server Internet Connection Services improve the remote access experience and reduce current remote access costs providing comprehensive support for the remote access needs of corporations and Internet service providers.
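    As an added example (not code from the proposal or from Microsoft) of the RADIUS authentication described above, here is the exchange between an access server acting as RADIUS client, the role RRAS plays, and a RADIUS server such as IAS, following RFC 2865 for a single Access-Request/Access-Accept round trip. The shared secret, the user database and the NAS address are constructed for illustration; a real IAS validates the user against the NT domain. It shows the two protections a practitioner should confirm are in place: the User-Password attribute is hidden with an MD5 keystream derived from the shared secret and a fresh Request Authenticator, and the server's reply carries a Response Authenticator that the client must check before acting on the verdict, so a forged Access-Accept from a host that does not know the secret is not honoured.

```python
"""RADIUS PAP authentication exchange (RFC 2865) between a NAS and a RADIUS server.

Added example, not Microsoft's code. Shared secret, user store and NAS address
are constructed. Demonstrates User-Password hiding and Response Authenticator
verification, including the failure case of mismatched shared secrets."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length (authenticator follows)


def encode_attrs(attrs):
    out = b""
    for typ, val in attrs:
        assert 1 <= len(val) <= 253, "attribute value length out of range"
        out += bytes([typ, len(val) + 2]) + val      # Length covers Type and Length octets
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")  # truncated or overlapping TLV
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR block i with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    code, ident, length = HEADER.unpack(raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad length")
    return code, ident, raw[4:20], raw[20:]


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


# --- NAS side: RRAS as RADIUS client ---
def nas_access_request(user, password, secret, ident):
    request_auth = os.urandom(16)        # fresh per request: keystream seed and reply binding
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]   # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def nas_check_response(raw, request_auth, secret, ident):
    """True/False for Accept/Reject; None if the reply cannot be authenticated."""
    code, rid, auth, body = parse_packet(raw)
    expected = response_authenticator(code, rid, body, request_auth, secret)
    if rid != ident or not hmac.compare_digest(auth, expected):
        return None                      # forged, replayed, or sent with a different secret
    return code == ACCESS_ACCEPT


# --- Server side: IAS ---
USERS = {b"jdoe": b"correct horse battery"}   # constructed stand-in for the NT domain


def ias_handle(raw, secret):
    code, ident, request_auth, body = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    attrs = dict(decode_attrs(body))
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = (user in USERS and hidden is not None and len(hidden) % 16 == 0
          and hmac.compare_digest(reveal_password(hidden, secret, request_auth), USERS[user]))
    verdict = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return HEADER.pack(verdict, ident, 20) + response_authenticator(verdict, ident, b"", request_auth, secret)


def authenticate(user, password, nas_secret, ias_secret, ident=7):
    """One round trip; a secret mismatch shows up as an unverifiable reply (None)."""
    req, request_auth = nas_access_request(user, password, nas_secret, ident)
    return nas_check_response(ias_handle(req, ias_secret), request_auth, nas_secret, ident)
```

    The password hiding is only as strong as the shared secret and MD5, so the RADIUS path between RRAS and IAS should be treated as a trusted network segment and the secret chosen with care; when an ISP proxies RADIUS to the corporate server, the ISP's proxy and IAS share their own, separate secret.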

    As part of an upgrade and rollout of a VPN infrastructure Powell should consider upgrading their ISP access in three ways:

    1. The T-1 link should be upgraded to multiple T-1 spans or perhaps T-3 to accommodate the increase in traffic resulting from VPN access to the corporate network.

    2. The company should contract with the ISP to obtain RADIUS authentication services. This lets the company control user access to the ISP without creating a separate ISP account for each user. Users can then connect through VPN connections with a single sign-on using their corporate user ID and password. This also allows the company to get a centralized bill from the ISP detailing all account activity and facilitates negotiation of volume discounts.

    3. The company should consider an ISP that is part of the iPass or Gric networks. These companies have spearheaded a "cross billing" service to deliver global roaming Internet access, similar to cellular telephone roaming. If a user is in a location where their primary ISP has no access points, the users will be able to make a local call for their VPN access using another ISP member. These companies also provide phonebook updates for all global ISP access points using the Connection Point Services (recommended as part of this implementation).

    Centralized management through a standard management interface - Microsoft RRAS provides both a graphical user interface and a command-line interface for administrators, giving centralized management of any RAS server. The management interface is extensible, so a PC running the service can be managed as though it were a third-party router, fits into legacy environments, and is easier and less expensive to introduce into a variety of networks. The router supports a variety of routing protocols including:

    • RIP and OSPF for IP (the OSPF implementation is licensed from Nortel, formerly Bay Networks)

    • RIP and SAP for IPX

    RRAS also supports the SNMP MIB II, so it can be managed from an SNMP console. Its GUI and command-line controls can be operated remotely, enabling enterprise network management from a central location, a remote site, or a mobile workstation: the GUI controls are remoted via Remote Procedure Calls and the command-line controls via telnet. Telnet carries credentials and commands in clear text, so remote command-line administration should be confined to the trusted management network and never exposed on the Internet-facing interface.

    Production of usage statistics for their network managers - The RADIUS protocol, as previously discussed, also defines a suite of call-accounting requests. With these messages the Windows NT 4.0 RAS server asks the RADIUS server to generate accounting records at the start of a call, at the end of a call, and at predetermined intervals during a call. A reporting solution such as Telco Research or Acotec can then collect records for every direct remote access and VPN connection for later analysis. A number of third parties have already written billing and audit packages that read these RADIUS accounting records and produce reports to assist in capacity planning and budgeting. A third-party software package will be necessary to produce the usage statistics and reports Powell requires.
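    What a reporting package does with those records, as an added example that is not part of the proposal: the records below are constructed, with field names following the RFC 2866 accounting attributes (Acct-Status-Type Start/Stop/Interim-Update, Acct-Session-Id, Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets) as they would look after the Accounting-Request packets have been decoded. The code computes per-user totals, the peak number of simultaneous sessions overall and per port type (the figure that actually sizes the modem pool and the VPN capacity), and flags two failure modes a network manager needs to see: sessions with a Start but no Stop record, and Stop records for sessions that were never seen starting.

```python
"""Usage statistics from RADIUS accounting records (RFC 2866).

Added example, not from the proposal. RECORDS is a constructed sample of what
a reporting package holds after decoding Accounting-Request packets; field
names mirror the RFC 2866 attributes. ISO-8601 timestamps stay as strings
because their lexical order is their chronological order."""
from collections import defaultdict

START, STOP, INTERIM = 1, 2, 3          # Acct-Status-Type values

RECORDS = [  # constructed sample data
    dict(ts="1999-05-10T08:00:00", status=START,   sid="A1", user="jdoe",   port="VPN"),
    dict(ts="1999-05-10T08:05:00", status=START,   sid="B7", user="asmith", port="Dial"),
    dict(ts="1999-05-10T08:30:00", status=INTERIM, sid="A1", user="jdoe",   port="VPN",
         in_octets=1_000_000, out_octets=5_000_000),
    dict(ts="1999-05-10T08:50:00", status=START,   sid="C2", user="jdoe",   port="VPN"),
    dict(ts="1999-05-10T09:00:00", status=STOP,    sid="A1", user="jdoe",   port="VPN",
         session_time=3600, in_octets=2_000_000, out_octets=9_000_000),
    dict(ts="1999-05-10T09:30:00", status=INTERIM, sid="C2", user="jdoe",   port="VPN",
         in_octets=50_000, out_octets=80_000),          # C2 never sends a Stop
    dict(ts="1999-05-10T10:00:00", status=STOP,    sid="B7", user="asmith", port="Dial",
         session_time=6900, in_octets=300_000, out_octets=700_000),
    dict(ts="1999-05-10T11:00:00", status=STOP,    sid="Z9", user="ghost",  port="Dial",
         session_time=60, in_octets=1, out_octets=1),   # Stop with no Start on record
]


def peak_concurrent(sessions):
    """Highest number of overlapping sessions and the time it was reached."""
    events = [(s["start"], +1) for s in sessions]
    events += [(s["stop"], -1) for s in sessions if s["stop"] is not None]
    events.sort()                        # on equal timestamps -1 (Stop) sorts before +1 (Start)
    current = peak = 0
    peak_at = None
    for ts, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, ts
    return peak, peak_at


def summarize(records):
    sessions, unmatched = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        s = sessions.get(r["sid"])
        if r["status"] == START:
            sessions[r["sid"]] = {"user": r["user"], "port": r["port"], "start": r["ts"],
                                  "stop": None, "seconds": 0, "octets": 0}
        elif s is None:
            unmatched.append(r["sid"])   # lost Start packet, or a NAS that never authorised
        else:
            # octet counters are cumulative for the session, so the latest value wins;
            # an orphaned session keeps the last Interim-Update figure
            s["octets"] = r["in_octets"] + r["out_octets"]
            if r["status"] == STOP:
                s["stop"], s["seconds"] = r["ts"], r["session_time"]

    per_user = defaultdict(lambda: {"sessions": 0, "seconds": 0, "octets": 0})
    for s in sessions.values():
        u = per_user[s["user"]]
        u["sessions"] += 1
        u["seconds"] += s["seconds"]     # orphans contribute no time: duration unknown
        u["octets"] += s["octets"]

    all_sessions = list(sessions.values())
    ports = sorted({s["port"] for s in all_sessions})
    return {
        "per_user": dict(per_user),
        "peak_concurrent": peak_concurrent(all_sessions),
        "peak_by_port": {p: peak_concurrent([s for s in all_sessions if s["port"] == p]) for p in ports},
        "orphaned_starts": sorted(sid for sid, s in sessions.items() if s["stop"] is None),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

    The orphaned-session list is the one to watch operationally: a Start without a Stop usually means a server crash or a lost accounting packet (RADIUS accounting runs over UDP), and until the session is resolved neither its duration nor its port occupancy is known.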

    Benefits of Microsoft RAS Solution:

    There are many benefits to Microsoft RAS solution that Powell will be able to realize, including but not limited to the following:

    • Secure, global access to corporate resource for Powell mobile and remote users.

    • Security infrastructure based on Windows NT, which integrates all components. No need to deploy or manage a separate PKI.

    • Reuse of existing Equinox modem pool.

    • Solution can be easily expanded to meet future growth requirements.

    • User connections can be tailored for each user based on need for modem, MLPPP, DSL, or cable connectivity.

    • Single solution that integrates VPN and direct dial up options.

    • Single UI allowing users to connect via dial up, VPN, DSL, cable, and even network connections for intranet VPN usage.

    • Single sign on to the domain via VPN or direct dial up connection due to Windows NT integration.

    • ICS functionality provides easy connection interface for users incorporating help file, licensing/policy info.

    • ICS also automatically publishes phone book updates reducing administration costs.

    • Subsidiary offices can be easily brought online and incorporated into the domain using Microsoft Windows NT and RRAS when the decision is made to open them up to RAS access.

    • Can easily implement Microsoft Terminal Server on top of the solution if the need arises to utilize it for high bandwidth, low latency applications.

    Pricing:

    Assumption: Based on estimated retail pricing for upgrade SKUs, not volume licensing, which would reduce the costs further.

    For Central Office configuration: Approximate cost - $20,000

    • 2 copies of Windows NT Server 4.0 Enterprise Edition - $3,199/per w/25 CALs

    • 90 additional CALs so that all 70 users are licensed on both servers for full redundancy (140 CALs needed, 50 included with the two server licenses) - $1,645 (five packs at $329 per 20 CALs)

    • Hardware costs (2 dual Pentium II 400 MHz machines) - approx. $6,000 per server

    RELATED LINKS

    Additional responses
    Plus the original RFP and a sample RFP from The Gartner Group.

    Review: VPNs
    We test 15 products. Network World, 5/10/99.

    Interactive VPN buyer's guide
    Find a VPN that best matches your criteria.



    Copyright, 1994-2006 Network World, Inc. All rights reserved.