2/15/98 Network Computing 106 1998 WL 9088052 Network Computing Copyright 1998 CMP Publications Inc.
Sunday, February 15, 1998
903
Reviews
NT Remote-Access Servers: Ready For The Big League?
Mike Fratto
Remote Access Services (RAS) has long been a part of Microsoft Corp.'s Windows NT operating system, though it typically has been used only with a handful of ports for quick and dirty remote access. For scalable, stable remote access, you need to integrate standalone servers into your network structure: another device to learn, another user list to manage and another point of failure to worry about.
Microsoft, however, hasn't been sitting idle: It's been working on building up RAS and adding new services, such as RADIUS (Remote Authentication Dial-In User Service) support and IP address allocation (see "NT RAS: Ready for Enterprise Remote Access?," page 110). Shops running NT have tremendous intellectual capital invested in administering NT. This familiarity lowers the impact of remote-access support and makes choosing NT as a remote-access solution easy. But does NT RAS make sense for remote access beyond a handful of ports?
Answering that question requires some explanation. Enterprise remote-access servers typically provide detailed reporting and accounting facilities, scalability, fault tolerance and component hot swappability (with varying degrees of success) in addition to reliable, manageable remote access (see "Smokin' Remote Access Pushed to the Max," at www.NetworkComputing.com/822/822r2.html). NT provides a framework that supports many features, but without third-party applications that hook into NT (see "Management Additions," page 118), enterprise-caliber reporting and accounting lacks necessary functionality for adequate management. Scalability is a combination of NT's realistic performance capabilities on a given hardware platform and the remote-access vendors' maximum port density. Fault tolerance is tied to the PC architecture containing the hardware and remote-access server. With a minimum of three lines of responsibility, bundling enterprise NT-based remote-access servers is difficult.
Enterprise-Ready?
Is Windows NT-based RAS ready for the enterprise? If you don't care about accounting and billing, or if you're willing to purchase third-party accounting and billing packages, the answer is yes. If your user-to-port ratio is low, such as 4:1, and the calling rate is relatively low (users are connected for longer periods), then yes. If your remote-access users can stand long downtimes while the server is being serviced, then yes again. However, if you need tight integration into a heterogeneous network, modem and protocol debugging tools, component hot-swappability and excellent call handling, you should focus on devices built specifically for enterprise remote access.
Vendors are cranking out enterprise-scale solutions designed to compete with standalone devices that have held court in enterprise remote access: Ascend Communications' 4004 (and 4048), Cisco Systems' 5200 and Shiva Corp.'s AccessSwitch line.
One vendor claims it is tackling some of the more pressing needs with an enterprise NT RAS product: 3Com Corp.'s EdgeServer Pro, a dual P-PRO 200-MHz NT server that slides into the vendor's Enterprise Network Hub and handles 256 ports. Unfortunately, 3Com ran into some bugs with the EdgeServer Pro and couldn't submit product in time for this review.
Digi International also submitted two of its T1 Modem Banks. Surprisingly, we couldn't stabilize them in the lab. During throughput tests, the two chassis continued to reboot for some unknown reason. Digi is looking into the problem.
In this roundup, we looked at solutions that offered between 23 and 48 modems and T1/PRI WAN connectivity. Access Beyond's Hawk 2290 Remote Access Server, Ariel Corp.'s RASCAL RS1000 Model 4802, Multi-Tech Systems' CommPlete Communications Server and RAScom's RAServer 2500 went head-to-head in our labs.
The devices fell into one of two categories: turnkey solutions (RAServer and CommPlete) and card-based solutions (Hawk 2290 and RASCAL). Turnkey systems are unpacked and cabled up, and you begin running the server. With card-based systems, you need to install the hardware into an existing NT server.
RAScom's RAServer 2500 and Ariel's RASCAL RS1000 came in a close first and second, respectively. Both came with 46 ports. The RAServer 2500 was the only server to include a software package for reporting, accounting and billing. The RASCAL was the fastest in performance and call handling with the lowest price per port. Multi-Tech's CommPlete edged out Access Beyond's Hawk 2290 with better management and call handling. The Hawk 2290 offered decent throughput but lacked the management for a similar price per port.
RAScom RAServer 2500
RAScom's RAServer 2500 takes top honors based on its management package, decent throughput performance and wealth of features. Its price per port is slightly higher than the runner-up, Ariel's RASCAL RS1000.
The RAServer, one of two turnkey solutions in this roundup, is a multivendor solution: The chassis is from Texas Microsystems, the modem cards come from Ariel, and RAScom supplies the T1/PRI line card. Add Virtual Motion's RAS Manager and Imagen Communications' NT PayMaster 2.0 for billing, and Funk Software's Proxy Remote Control for remote administration, and you have a complete remote-access server ready to run out of the box.
Not surprisingly, the RAServer performance test results were almost identical to those of Ariel's RASCAL 1000. However, the RAServer didn't fare as well during the modem dial test. This test was designed to stress the server's call-handling abilities by repeatedly dropping and bringing up calls in batches. A successful call was counted when the IPCP (IP Control Protocol) layer was successfully negotiated.
We compared the number of successful LCP (Link Control Protocol) connections against the number of modem calls and the number of successful IPCP connections against the number of successful LCP connections. We checked our modem dial testing against Cisco AS 5300 and Ascend MAX 4004 remote-access servers to ensure the test's validity, and both of those devices completed nearly 100 percent of all calls. The RAServer successfully negotiated 84 percent of the LCP and 93 percent of the IPCP from the remaining LCP connections for a total of 78 percent successful PPP connections. Compared with the 98 percent connection rate for both the Hawk 2290 and the RASCAL RS1000, the RAServer connection rate hurt its overall performance score.
The RAServer 2500 was the only product tested that shipped with a full set of applications for management, billing and remote management. The modem and server management is furnished by Virtual Motion's Remote Access Manager (RAM). It provides a GUI that lets you view and manage multiple RAS servers, and you can combine data across the multiple servers. In addition to reporting on individual ports and users, RAM comes with preset reports showing various aspects of server utilization, such as port utilization and user access. Unfortunately, there is little reporting customization with the exception of time interval. Nevertheless, RAM's reporting far exceeds anything found native in NT.
RAM is not real-time; it periodically refreshes the state of the RAS ports in the GUI. Selecting an active port displays current statistics, such as user name or transferred data. RAM also shows error statistics on the modem link, which is useful for troubleshooting. Updating takes some time and adds to the server's load. If you are participating in an NT Domain, you can also obtain RAS information on other servers that you have administrative rights to. Imagen's NT PayMaster reads through the NT Event log and gathers login information and tracks usage for billing, which is useful for charge backs and other administrative tasks.
The additions within RAM that control access to specific ports and set session criteria for users and user groups are especially notable for user management. You can set up a number of ports to allow only specific users or groups to log in on that port and alter session parameters, such as static IP address assignment. You can also set up user and group session restrictions according to time of day, access to other servers and session duration. RAM surpasses NT's user management, and the wizard presents the session options within a single menu command.
Housed in its own chassis, the RAServer 2500 is custom-built to withstand electronics' worst enemy: heat. Four fans move air through the chassis and over the modem cards. Modems generate tremendous heat, and without proper cooling, the signal processors, the heart of the modem, will quickly start to misbehave. Although our server contained 46 modems, the 2500 can handle up to 96 modems in a single chassis. The 4x6-inch filtered air inlet should keep the 2500 cool when loaded up.
Ariel Corp. RASCAL RS1000 Model 4802
The RASCAL RS1000 is the other 46-port remote-access server in this roundup. The RASCAL has a useful management system on par for the most part with those included with the RAServer and Multi-Tech's CommPlete. It provides detailed information and testing, but it lacks the ability to manage multiple servers. In addition, the RASCAL does not supply a billing system. Those two factors hurt its scoring in the management category. Its price per port, far below RAScom's and on par with that of Access Beyond's and Multi-Tech's devices, softened the blow in the price-per-feature category.
Performancewise, the RASCAL ran neck and neck with the RAServer 2500 and made it through the modem dial test with a whopping 98 percent of successful calls, the best in this test.
The management software, RASCAL Administrator, offers real-time modem status. As calls come in, they are assigned to the next available modem in round-robin fashion. Modems unresponsive to NT are flagged as out of service. When they become available, they are returned to service. In addition to logging to the event log, the RASCAL Administrator also offers text-based logging for incoming, dropped and failed calls.
This card-based system is assembled with a Netaccess PRI-ISA 48M-CSU line card and two 24-port modem cards. The ISA cards are chained together with a ribbon cable for timing and communication. During the initial hardware installation, we ran into some problems with a bad MVIP (Multivendor Integrated Protocol) cable that chains together the modem cards and the T1 card, so we replaced it. Our first T1 card couldn't provide timing to both modem boards either. We told Ariel about this situation, and the company resolved it. With that taken care of, installing the RASCAL was a snap.
We were very surprised that the cards quickly became very hot, which resulted in the modems going offline. Ariel's packaging includes a warning about the need to install a secondary fan in the PC to run air over the cards, but that setup may not be practical for all chassis. Space typically is at a premium, and unobstructed air flows are hard to come by.
Ariel boasts about its ease of installation, and we quickly configured the boards with its wizard tool. It correctly found and configured the proper IRQ (Interrupt Request) and memory settings. It also sensed the T1 line and located the proper line coding, framing and line build-out on our Madge Networks' Teleos Model 60 switch. We had to configure the PRI signaling by hand; the wizard doesn't do that. If you choose to configure the resource settings manually, you will have to reinstall the drivers if they are initially incorrect. The T1/PRI settings can be changed dynamically while the server is running. With the exception of setting the IRQs, the installation went smoothly.
We found a bug in the installation where we could only connect 32 ports at one time; subsequent connections were met with a busy signal. After some work by Ariel's engineers, Ariel had me edit the NT Registry, adding a key and a value to set the maximum number of ports to 46. Apparently the configuration options we selected (PRI with analog calls only) set the port count incorrectly. Ariel is fixing this problem.
Multi-Tech Systems CommPlete Communication Server
The CommPlete Communication Server is a 24-port version of the larger CC9600 reviewed in our March 15, 1997, feature on remote access. The CommPlete comes with improved management and a comparable price per port, as well as more features than the Hawk 2290. However, the CommPlete initially had difficulty completing our modem dial testing. Multi-Tech solved the problem in time for us to retest the product, and its performance dramatically improved.
The included management software, MultiComm Manager, is a major improvement over the previous management software package, MultiModem Manager. MultiComm Manager, SNMP-based like its predecessor, is more intuitive to use and lets you effectively manage CommPlete modems locally or across the network. MultiComm Manager doesn't talk to the modems via NT device drivers, however. It communicates with the CC2400 controller, which manages the modems and the T1 line card. It supplies you with effective remote management from any Windows 95 or NT workstation. Unfortunately, you must disable the SNMP service on the local NT server and rename other SNMP.DLL files, or MultiComm will fail to load SNMP. That limitation hurt an otherwise excellent management package.
The CommPlete came in last place in our throughput testing, but did well in the modem dial test. Initially during the modem dial test, we could only connect a couple of modems at a time. MultiComm Manager's event log did not indicate an error, though all of the ports worked during the throughput testing. Multi-Tech's engineers finally found that the modems were transmitting too loudly for the short span of T1 cable in the lab. They suggested we lower the transmission strength, which solved the problem. Multi-Tech claims the problem has been fixed in the current modem cards, but we couldn't get them in time for this review.
Installing Windows NT on the CommPlete requires a DA96002 adapter card, which temporarily replaces the modem cards with a CD-ROM, and a floppy disk drive, which mounts to the MTRAS96 CPU card. We installed Windows NT and copied the necessary installation files onto the local hard drive. When the CD-ROM was no longer needed, the modem cards were replaced, and we were up and running.
Access Beyond Hawk 2290 Remote Access Server
The Access Beyond Hawk 2290 is the other card-based remote-access server we tested with a maximum port count of 24 modems per NT server. As a set of multiport comm boards, the Hawk 2290 offers minimal modem management and no user management. Although it scored lower than the CommPlete in management and price-per-feature categories, the Hawk's performance edged out the CommPlete in overall scoring.
The Hawk lacks the RASCAL's and CommPlete's detailed real-time reporting capabilities. Although the product's GUI presents all of the information on the main screen, the inability to correlate user names with ports or to gather historical information lessens management utilization. In addition, statistics logging is not present in the Hawk 2290, making management difficult for determining utilization. The documentation, however, lists all of the events that are logged to the system and application logs, which aids troubleshooting.
The Hawk's testing ability was unique to the devices we tested. Testing runs on either an Octal Communication Device (OCD) or a single Communication Device (CD), or you can test the entire system with a keystroke. The Hawk will also gather T1 robbed bit signaling statistics, such as bit error rate, loss of signal and severely errored seconds. The tests are disruptive, taking the system out of service. However, the tests' thoroughness should provide early warning of failure, which warrants the occasional 30 minutes of downtime.
After the initial installation, the comprehensive test ensures that everything is connected and communicating properly. This test exercises the main control processor on each card, the secondary control processor and the digital signal processor for each modem, and the communication with the T1 card over the MVIP ribbon cable. The results are logged to the Event Log, in addition to the management console, for viewing.
Mike Fratto can be reached at mfratto@nwc.com.
SIDEBAR: NT RAS: Ready For Enterprise Remote Access?
Everything but the kitchen sink seems to be the theory behind adding more capabilities to NT, and RAS is no different. Vanilla NT 4.0 offers enough functionality to connect most PPP dial-up users, authenticate them against an NT Domain and pass the proper addressing to the client. If you are running a Wintel shop, many of the OS limitations aren't important because of the integration on the Windows platforms. Non-Windows PPP clients may require more work to connect authentication and PPP sessions because the clients don't support many of the PPP extensions, such as VJ Compression. Additionally, the NT architecture and intrinsic limitations in the PC platform work against the movement to place RAS into the position of enterprise remote access.
The Routing and RAS (RRAS) update and the NT Options pack address some of the outstanding issues, and NT 5.0 should address even more, but is it enough to push NT RAS into the enterprise? Authenticating users is limited to PAP (Password Authentication Protocol) or MS-CHAP (Microsoft's version of the Challenge Handshake Authentication Protocol). Domain users can be authenticated only against a PDC (Primary Domain Controller) using MS-CHAP. PAP is performed against the local database. RRAS relieves some of the problems associated with authentication by adding RADIUS client functionality, and the option pack adds a RADIUS server, but this entails managing a separate user database.
We ran into some odd problems during testing. To get RAS running, we hacked the registry in two instances. To force RAS to only use PAP authentication, we deleted two keys. The problem is RAS tries to authenticate with MS-CHAP, then drops to PAP. Older clients will try to negotiate MS-CHAP as CHAP, and the authentication will fail. Windows NT will drop the connection without dropping back to PAP. Changing the authentication sequence in NT 5 to allow PAP is a possible solution.
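The negotiation failure described above can be modeled at the LCP level, where MS-CHAP is carried as the CHAP protocol number (0xC223) with a different algorithm octet. The following Python is an added example, not code from the article or from Microsoft; the client functions, the assumption that an older client ignores the algorithm octet, and the simplified server that offers MS-CHAP and then PAP are all hypothetical.

```python
import struct

LCP_CONFIGURE_REQUEST = 1
OPT_AUTH_PROTOCOL = 3                      # LCP option type for Authentication-Protocol
PROTO_PAP, PROTO_CHAP = 0xC023, 0xC223     # PPP protocol numbers
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}


def build_configure_request(identifier, protocol, algorithm=None):
    """Build a constructed LCP Configure-Request with one Authentication-Protocol option."""
    data = struct.pack("!H", protocol)
    if algorithm is not None:
        data += bytes([algorithm])
    option = bytes([OPT_AUTH_PROTOCOL, 2 + len(data)]) + data
    return struct.pack("!BBH", LCP_CONFIGURE_REQUEST, identifier, 4 + len(option)) + option


def parse_auth_option(packet):
    """Return (protocol, algorithm) from a Configure-Request, or None if not present."""
    if len(packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != LCP_CONFIGURE_REQUEST or length < 4 or length > len(packet):
        raise ValueError("not a well-formed Configure-Request")
    pos = 4
    while pos + 2 <= length:
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        body = packet[pos + 2:pos + opt_len]
        if opt_type == OPT_AUTH_PROTOCOL and len(body) >= 2:
            protocol = struct.unpack("!H", body[:2])[0]
            algorithm = body[2] if protocol == PROTO_CHAP and len(body) >= 3 else None
            return protocol, algorithm
        pos += opt_len
    return None


def describe(protocol, algorithm):
    """Name the authentication method an option asks for."""
    if protocol == PROTO_PAP:
        return "PAP"
    if protocol == PROTO_CHAP:
        return CHAP_ALGORITHMS.get(algorithm, "CHAP-unknown")
    return "unknown"


def strict_client(packet, supported):
    """Client that reads the algorithm octet and Acks only methods it really supports."""
    auth = parse_auth_option(packet)
    return auth is not None and describe(*auth) in supported


def legacy_client(packet, supported):
    """Assumed older client: sees protocol 0xC223 and treats it as CHAP-MD5."""
    auth = parse_auth_option(packet)
    if auth is None:
        return False
    name = "CHAP-MD5" if auth[0] == PROTO_CHAP else describe(auth[0], None)
    return name in supported


def negotiate(client, supported):
    """Simplified server: offer MS-CHAP first, then PAP if the client refuses."""
    offers = [(PROTO_CHAP, 0x80), (PROTO_PAP, None)]
    for ident, (protocol, algorithm) in enumerate(offers, start=1):
        if not client(build_configure_request(ident, protocol, algorithm), supported):
            continue                       # client Naks; server tries its next offer
        offered = describe(protocol, algorithm)
        ok = offered in supported          # an Ack for a method the client lacks fails auth
        return {"negotiated": offered, "authenticated": ok,
                "cleartext_password": ok and offered == "PAP"}
    return {"negotiated": None, "authenticated": False, "cleartext_password": False}
```

A client that refuses MS-CHAP outright reaches PAP, while one that accepts it as plain CHAP never gets the PAP offer and is dropped at authentication, which is the behavior reported above.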
Redundancy and fault tolerance are largely outside of Microsoft's control. The PC architecture, while fine for workstations and servers running applications, wasn't made for typical remote-access demands. Expansion cards are inserted into the server, configured and left alone. However, remote-access servers are notorious for needing extra care and feeding. If a modem fails and the card needs to be replaced, the entire server must be dropped while the hardware is swapped and the server brought back online. Adding new software to NT requires a rather complex dance to reapply service packs and hot fixes. Minimum downtime can easily amount to over an hour.
The use of the service packs and hot fixes becomes an exercise in patience. Alter system components, and you have to reapply Service Pack 3 to overwrite any old files, update RRAS to overwrite SP3 files, apply the hot fix to overwrite some RRAS files and copy RASTAPI.DLL back to the winnt\system32 directory to stabilize RRAS.
SIDEBAR: How We Tested RAS-Based Servers
We created two separate tests designed to stress the servers: a throughput test and a modem dial test. The latter was developed in conjunction with Midnight Networks, a test equipment manufacturer, to test the servers' call-handling abilities.
In both tests, the infrastructure remained the same, while the client portion changed. Providing WAN connectivity, we used a Madge Teleos Model 60 switch for T1/PRI signaling. The PC for the card-based remote-access devices was a Micron Electronics' PPRO 200 with 128 MB of RAM and a 3Com Corp. EtherLink 10/100 NIC. We used a Dell Computer Corp. P90 running Windows NT 4.0 and IIS (Internet Information Server) for the FTP server. The RAS and the FTP server were connected via a 3Com SuperStack 10-Mbps switch. We used Klos Technologies' SerialView for PPP tracing and debugging. Compaq Computer Corp.'s 4000 provided the client-side modem.
The throughput testing was performed with a Micron PPRO 200 with a Digi EPC/X multiport board connected to three EPC/CON RS-232 break-out boxes. For background load, we made the maximum number of connections to the remote-access server, less one port, and ran FTP traffic down each pipe. We also connected a second Micron PPRO 200 running Windows 95(B) with dial-up networking and ran several FTP transfers across the link. We averaged the time reported by FTP on the Windows 95 client for performance measurements.
Our modem dial test used Midnight Networks' Avalanche system to load the RAS with calls. All of the RAS servers used Microsoft's Service Pack 3 and the RRAS (Routing & RAS) update. Once the RAS was loaded with calls, Avalanche ran a loop 1,000 times that dropped calls 10 at a time, waited 15 seconds and reconnected the calls up to the IPCP (IP Control Protocol) layer. Each loop ran through all of the ports once. Because we couldn't determine with certainty why modems occasionally failed to train up, we only included the modems that successfully trained in the measurements. We then counted the number of successful LCP (Link Control Protocol) negotiations. Once the LCP connections were up, we counted the number of IPCP negotiations out of the successful LCP connections. Notably, both the RAServer and the RASCAL posted the longest LCP negotiation time (18 seconds), while the Hawk maxed out at five seconds. This didn't seem to pose a problem with our rather light calling load. The LCP negotiation times averaged three seconds across all devices, indicating the longer times were rare.
SIDEBAR: Management Additions
Reporting and logging capabilities in NT 4.0 are fairly weak. Modem events can be written to a text file, and with Microsoft's Network Monitor (NetMon), a protocol analyzer packaged with Systems Management Server (SMS), you can capture PPP connections. But to obtain utilization statistics, real-time displays and advanced user, port and session management, you need third-party management packages like Virtual Motion's Remote Access Manager (RAM) and NTP Software's RAS Manager for Windows NT. Designed to work with RAS regardless of the underlying hardware, they scan the event log, poll RAS and work with NT Domains and the event log to more effectively manage users and remote access.
With these products, you can set up time-of-day and session limit restrictions, limit access to NT servers from a single interface and apply those changes globally to individual users or groups of users. This functionality provides a single point of management with access to virtually all of the functions needed for day-to-day management.
Reporting and logging are also enhanced by management packages, as utilization statistics are gathered and, in the case of RAS Manager, exported to a comma-delimited file or dBase file. This capability lets you write custom reports for billing and management.
A word of caution: Windows NT hot fixes and service packs to RAS can break the delicate dependency chain of NT RAS and third-party applications. On our servers, we installed Service Pack 3, RRAS (Routing and RAS) update and a RAS hot fix. The hot fix gave us trouble when both Virtual Motion's RAM and NTP's RAS Manager for NT were installed. RAScom prompted us to overwrite the RASTAPI.DLL from the RRAS update with the DLL (Dynamic Link Library) from the hot fix. We applied the same fix to the NT server running NTP's RAS Manager.