Mobile User Needs
Remote or mobile users are generally more demanding than desktop-based users who reside in the office on the LAN, in terms of both support and overall power usage of systems. It is strongly advised that you work very closely with key users among the remote population, and with the executives responsible for the key user profiles that have heavy mobile needs (sales, field services).
Whether you decide to pursue a pure Microsoft implementation of remote access services into your corporate network or choose to combine technologies and vendor products for redundancy, there are numerous common elements that most companies consider.
Remote Access Services (RAS)
RAS technology from various vendors has been available for many years now. Essentially, a pool of modems is set up with security verification functions to allow remote modem users to dial into the corporate network. Windows 2000 continues to support RAS with additional enhancements. Other vendors such as Shiva make RAS devices that can be managed independently of the Windows OS or can be integrated.
Virtual private network (VPN)
Numerous vendors offer VPN support in all manner of configurations and options. Windows 2000 offers VPN function using Routing and Remote Access Services (RRAS). Simply illustrated, a VPN client initiates a connection to a VPN server using either Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) with IPSec. This connection is usually made across the Internet, or from inside one corporate network to another. After the encrypted connection is established and a proper authentication is completed, a user can access resources on the remote network as if he were on the home office LAN.
SSL and IPSec
Generally, regardless of RAS or VPN, you may have corporate Web-based applications that you will want users to access directly, either internally or, more likely, through your firewall. Secure Sockets Layer (SSL) utilizes certificates to authenticate and encrypt data transmissions above the transport layer of the Open Systems Interconnection (OSI) reference model. Numerous certificate authorities exist, but the two major providers are Thawte and VeriSign. Microsoft offers a Certificate server for self-authentication within an organization as well. SSL is principally focused on browser interface traffic, but it can be utilized in many other ways.
IPSec as a standard has been around for a few years, pushed by vendors such as Cisco primarily as a router-to-router standard. Windows 2000 now fully supports IPSec connectivity as a part of the Microsoft Internet Security Framework (MISF), announced in 1996. IPSec also functions at the transport layer but does not require a separate certificate component. Kerberos v5 authentication from the Windows 2000 domain model is utilized for point-to-point secured communications with TCP, UDP, ICMP, RAW, and possibly custom protocols at the IP layer. No special modification is required to applications running on Windows 2000.
Token-based security systems
Several vendors offer add-on technologies that enhance security authentication to further supplement RAS and VPN access. One of the leaders is RSA Security, maker of the ACE/Server and SecurID token-card products. In a nutshell, users carry small devices with ever-changing numeric codes that are time synchronized with the central server. As the user enters a PIN into the token device, he is given an access number that is valid only for a minute and then expires. The benefit of this type of system is that a code captured by network snooping or caching is useless once it expires.
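The time-synchronized code scheme described above, as an added illustration that is not from the original text and not RSA's algorithm: it uses the HMAC-over-time-step construction of RFC 4226/6238 (an assumption here; SecurID's internal algorithm differs), with a 60-second step, a small clock-skew window, and a counter that blocks replay of a code that was already accepted. The secret, PIN and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the code is valid for about a minute, as in the section above
CODE_DIGITS = 6


def token_code(secret: bytes, counter: int) -> str:
    """Code for one time step: HMAC-SHA1 over the step counter, dynamically
    truncated to a fixed number of decimal digits (RFC 4226 style)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class TokenServer:
    """Server side of the check: shares the token secret and the user's PIN.
    (Simplification: the PIN is verified here rather than entered into the device.)"""

    def __init__(self, secret: bytes, pin: str, skew_steps: int = 1):
        self.secret = secret
        self.pin = pin
        self.skew = skew_steps          # tolerated clock drift, in time steps
        self.last_counter = -1          # highest step already used: replay guard

    def verify(self, pin: str, code: str, now: float) -> bool:
        """Accept the code if the PIN matches and the code belongs to a step
        within the skew window that has not already been accepted."""
        if not hmac.compare_digest(pin, self.pin):
            return False
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(
                    code, token_code(self.secret, c)):
                self.last_counter = c   # a captured code cannot be replayed
                return True
        return False


if __name__ == "__main__":
    secret, now = b"constructed-demo-secret", 1_000_000   # constructed values
    server = TokenServer(secret, "4321")
    code = token_code(secret, now // STEP_SECONDS)
    print("first use:", server.verify("4321", code, now))    # True
    print("replay:   ", server.verify("4321", code, now))    # False
```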
After the core services are functional for your remote users, you can begin considering Exchange 2000-specific functions and needs. The primary services provided by Exchange 2000 without application extension are simply e-mail and public folder access.
Client protocols supported with Exchange 2000 include:
MAPI/RPC
Traditional Outlook 9x and Outlook 2000 clients connect to an Exchange 2000 server using MAPI via Remote Procedure Calls (RPCs). With Windows 2000 and Exchange 2000, TCP/IP is the standard transport protocol. While it is possible to leave all IP ports associated with RPC traffic open through your firewall to the Exchange server, this would perhaps not be the most secure solution. A VPN option would be much preferred.
POP3
Standard Post Office Protocol version 3 (POP3) is a simple store-and-forward standard found in many mail systems. Exchange supports the standard implementation model. Standard security options are available, including Secure Password Authentication (SPA). Adding a VPN connection and IPSec would enhance overall security.
IMAP4
Internet Message Access Protocol 4, rev 1 (IMAP4rev1), is preferred over POP3 primarily because content is not required to be downloaded from the mail server. IMAP allows the flexibility of storing all mail on the server or downloading it to the client. Storing mail on the server allows for a more Outlook 2000-style experience of sharing mail folders with other team members and assistants, as well as including the content in data backup. Similar security options to POP3 are used.
HTTP/HTTPS (Outlook Web Access)
OWA is the primary client access method over Hypertext Transfer Protocol (HTTP) using standard browsers. HTTP Secure (HTTPS) is used in combination with SSL technology. Different IP ports are used for HTTP and HTTPS connections.
SMTP
Simple Mail Transfer Protocol (SMTP) is used by POP3, IMAP4, and HTTP clients to send messages. Note that numerous client verification options exist on the SMTP virtual server to control a client's ability to send messages or a server's ability to relay them.
NNTP
Public Folders in Exchange 2000 are now published via Network News Transfer Protocol (NNTP) on standard IP ports. Any standard NNTP newsreader can access public folders with appropriate security rights.
LDAP
Lightweight Directory Access Protocol (LDAP) is used heavily by all Windows 2000 and Exchange 2000 clients. It is critical that clients access Global Catalog servers on the intranet or via DSProxy on an actual Exchange 2000 server.
Other protocols
Numerous IP ports would need to be opened to support direct access with instant messaging, chat services, and so on.
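The relay control mentioned under SMTP above, as an added example that is not from the original text and not Exchange's own code: the decision a mail server makes on each RCPT TO, accepting local recipients unconditionally and relaying to other domains only for authenticated clients or trusted networks, with a check for the misconfiguration (a default-route entry in the relay list) that turns the server into an open relay. The domains, networks and addresses are constructed; reply codes follow RFC 5321 and RFC 3463.

```python
import ipaddress

# Constructed policy: domains this server accepts mail for, and the internal
# networks whose clients may relay to other domains without authenticating.
LOCAL_DOMAINS = {"example.com"}
RELAY_NETWORKS = ["10.0.0.0/8"]


def relay_decision(rcpt, client_ip, authenticated,
                   local_domains=LOCAL_DOMAINS, relay_networks=RELAY_NETWORKS):
    """Reply to an SMTP RCPT TO command.

    Mail for a local domain is always accepted.  Mail for any other domain is
    a relay request and is accepted only from an authenticated client or from
    a trusted network; everything else gets a 550, so arbitrary Internet hosts
    cannot use the server to relay.  Returns (accepted, smtp_reply).
    """
    address = rcpt.strip().strip("<>")
    local_part, at, domain = address.rpartition("@")
    if not at or not local_part or not domain:
        return False, "501 5.1.3 Bad recipient address syntax"
    if domain.lower() in local_domains:
        return True, "250 2.1.5 Recipient OK"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in ipaddress.ip_network(n) for n in relay_networks):
        return True, "250 2.1.5 Recipient OK (relay permitted)"
    return False, "550 5.7.1 Unable to relay"


def is_open_relay(relay_networks):
    """A relay list containing a default route (0.0.0.0/0 or ::/0) matches
    every client, so the authentication requirement never applies: the
    server is an open relay."""
    return any(ipaddress.ip_network(n).prefixlen == 0 for n in relay_networks)


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for an Internet client.
    print(relay_decision("<bob@example.com>", "203.0.113.5", False))      # accepted
    print(relay_decision("eve@other.example", "203.0.113.5", False))      # 550
    print(relay_decision("eve@other.example", "10.1.2.3", False))         # relay OK
    print("open relay?", is_open_relay(["0.0.0.0/0"]))                    # True
```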