The IBM Remote LAN Access Capability 5.0

THE IBM REMOTE LAN ACCESS CAPABILITY

Version 5.0

IBM PSP LAN Systems

11400 Burnet Road

Austin, Texas 78758 +--- NOTE ---+ | Before using this information and the product it supports, be sure | | to read the general information under TRADEMARKS. | ++

THE FOLLOWING PARAGRAPH DOES NOT APPLY TO THE UNITED KINGDOM OR ANY COUNTRY WHERE SUCH PROVISIONS ARE INCONSISTENT WITH LOCAL LAW: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time.

It is possible that this publication may contain reference to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming, or services in your country. (C) COPYRIGHT INTERNATIONAL BUSINESS MACHINES CORPORATION 1992. ALL RIGHTS RESERVED.

Note to U.S. Government Users -- Documentation related to restricted rights - Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

TRADEMARKS
References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of IBM's intellectual property rights or other legally protectible rights may be used instead of the IBM product, program, or service. Evaluation and verification of operation in conjunction with other products, programs, or services, except those expressly designated by IBM, are the user's responsibility.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any rights to these patents. You can inquire, in writing, to the IBM Director of Commercial Relations, IBM Corporation, Purchase, NY 10577-USA.

The following terms in this publication, are trademarks of the IBM Corporation in the United States and/or other countries:
 * IBM Corporation - IBM, OS/2, NetBIOS, DOS, LAN Server, ARTIC, AS/400, AS/400 PC Support Program, Person-to-person

The following terms in this publication, are trademarks of other companies as follows: 3Com Corporation             NDIS Hayes Corporation            ULTRA SmartModem Intel Corporation            80386, 80486 Lotus Development Corporation Lotus Notes Microsoft Corporation        LAN Manager, Windows Novell Corporation           NetWare, NetWare Server, ODI Xerox Corporation            Ethernet

What Is The IBM Remote LAN Access Capability?
The IBM remote LAN access capability enables remote users to transparently run their LAN-based applications over switched connections (asynchronous, synchronous and ISDN) using public switch telephone networks or PBX/CBX exchanges. The primary distinction of the IBM remote LAN access capability is that it uses a device driver replacement technology to provide a superset of functionality available with remote LAN access products on the market today, and it accomplishes this using a non-dedicated communication server and non-proprietary hardware. The IBM remote LAN access capability addresses all of the following remote LAN access environments: The IBM remote LAN access capability's communication server supports up to 32 simultaneous communication ports and provides a full range  of  configurable security and administrative features. In essence, the IBM remote LAN access capability provides the user with functionality  and  features  to  run  LAN applications anywhere  anytime,  and provides the systems administrator with effective tools for managing the wide area network (WAN).
 * A remote workstation connecting to another remote workstation
 * A remote workstation connecting to LAN workstations
 * A LAN workstation connecting to a remote workstation
 * A LAN workstation connecting to a remote LAN workstation

Remote LAN Access Environments
REMOTE-TO-REMOTE The four main environments listed in the introductory paragraph  are  illus- trated in Figure 1 on page 2. A "remote-to-remote" environment consists of a connection established between two or more remote workstations. Conferences may be set up between multiple workstations creating an ad hoc LAN over tele- phone lines. Without LAN adapters and without LAN wiring,  remote-to-remote workstations can  access  each  other's LAN resources and LAN-based applica- tions. This environment supports customers who need  a  low-cost  WAN  con- nection to support data, resource and program sharing. Another example of a remote-to-remote implementation would be a remote client using the telephone line to access resources from a file or application server.

REMOTE-TO-LAN A "remote-to-LAN" environment, sometimes called "dial-in", occurs when a remote workstation initiates a connection to a LAN workstation via some form of WAN/LAN communication server. The IBM remote LAN access capability remote-to-LAN environment is characterized by the remote workstation running LAN applications between itself and one or more LAN-attached workstations via a single WAN connection to the LAN. A separate and direct connection is not required for each LAN-attached workstation with which the remote workstation needs to communicate. Once the WAN connection is established between the remote workstation and the LAN, the remote workstation can directly address any LAN-attached workstation configured to participate within the remote-to-LAN environment. Likewise, because the remote workstation has its own unique address, it can receive information directly from the partic- ipating LAN-attached workstations. The IBM remote LAN access capability thus provides a remote LAN access environment which allows the remote workstation to transparently run LAN-based applications and interoperate with the LAN as if it were LAN-attached. The IBM remote LAN access capability also enables remote workstations to concurrently access multiple LAN-attached workstations without redialing. Remote-to-Remote                           Remote-to-LAN +--+  |remote|                                                    +--+ | ws  |==                                                  |remote| +--+ ==                                                |  ws  | ==                                             +--+   +--+      ==  +--+                                      |   |remote|        =>|remote|                                   ::::::: | ws  |=========>|server|                                 ::       :: +--+     ===>+--+                 +--+       ::         ::               ==                             |remote|=====>::  TR LAN   :: +--+  ==                              |  ws  |       ::         :: |remote|==                                +--+        ::       :: | ws  |                                                     ::::::: +--+        LAN-to-Remote                               LAN-to-LAN +--+                                               +--+     |remote|                                                |remote| | ws  |                                                |  ws  | +--+                                               +--+         |                                                       |      :::::::                              :::::::            :::::::    ::       ::                          ::       ::        ::       ::   ::         ::      +--+          ::         ::      ::         ::  ::  TR LAN   ::====>|remote|         ::  TR LAN   ::===>::  TR LAN   :: ::        ::      |  ws  |          ::         ::      ::         :: ::      ::       +--+           ::       ::        ::       ::      :::::::                              :::::::            :::::::                                              |                                           +--+                                           |remote| | ws  | +--+ ''Figure 1. Four Remote LAN Access Environments''

LAN-TO-REMOTE A "LAN-to-remote" environment, sometimes called "dial-out", occurs when a LAN-attached workstation initiates a connection to a remote workstation via a WAN/LAN communication server. The IBM remote LAN access capability LAN-to-remote environment has the same characteristics and capabilities as the remote-to-LAN environment except that the LAN-attached workstation initiates the connection. An example of LAN-to-remote would be a LAN-attached workstation accessing a remote "information server" to acquire product pricing data.

LAN-TO-LAN A "LAN-to-LAN" environment occurs when a LAN-attached workstation connects to another LAN-attached workstation via two WAN/LAN communication servers. The IBM remote LAN access capability's LAN-to-LAN implementation combines the functionality of the LAN-to-remote and remote-to-LAN environments. The resulting "casual bridge" allows the customer to utilize switched links rather than leased lines for a more cost effective solution. The LAN-to-LAN environment provides the capability for LAN-attached machines to access or update information residing in remote locations, and also, to act as a server for other remote workstations connecting onto the LAN. Note that this environment is very different from a split bridge environment. A split bridge establishes a permanent connection between all machines on the two LANs. In the IBM remote LAN access capability LAN-to-LAN environment, connections are established on a temporary workstation-to-workstation basis across the WAN. The LAN-to-LAN environment is particularly useful for customers with numerous separate LAN networks and a need to control access on and off the LANs, such as banking companies with their many branch offices. It provides an inexpensive mechanism for dynamically connecting the LANs while maintaining control over the origin of traffic flowing between them.

Current Remote LAN Access Technologies
There are numerous other remote LAN access products available today. These products vary widely in cost and functionality. Many utilize extensions of a remote-to-remote environment to provide remote-to-remote and remote-to-LAN access capabilities, but do not support the LAN-to-remote or LAN-to-LAN environments. Many of the products currently available do not support graphical interfaces. Many require dedicated or proprietary hardware.

Remote LAN access products use one of four known technological approaches. Each approach provides an inherent level of functionality and limitations. In order to better compare the functionality offered by the IBM remote LAN access capability to that offered by other products, an overview of the four remote LAN access technologies is provided in the following sections. These four technologies are:
 * The hardware approach
 * The remote control approach
 * The remote client approach
 * The remote node approach

THE HARDWARE APPROACH

The hardware approach replaces the LAN adapter with a customized WAN adapter in the remote workstation and provides a compatible hardware  "tap"  on  the LAN. This LAN hardware tap varies from a specialized adapter on the LAN file server to  a  standalone  multiprocessor  box. The implementation of this approach varies widely in sophistication, cost, and performance. In general, supporting a large number of remote users with customized  hardware  may  be cost prohibitive. Difficulties in network maintenance and compatibility have been cited as additional reasons this approach might be considered suboptimum for distributed environments. The IBM remote LAN access capability does not use this approach.

THE REMOTE CONTROL APPROACH

One of the earliest and most pervasive software approaches is remote control. The remote workstation using this approach dials  into,  and  takes  control over, a  LAN-attached  workstation  which executes programs on behalf of the remote workstation over the LAN. Keyboard and screen data from the dedicated LAN-attached system is then routed back  to  the  remote  workstation. By routing  only keyboard and screen data, this approach minimizes the amount of  data which flows across the link; however, there are numerous  disadvantages. Because this approach requires a dedicated machine on the LAN for each remote workstation dialing onto the LAN, customers are required to invest in dupli- cate hardware. Most remote control products transmit  keyboard  and  screen data over  the  WAN in character mode, though some companies are planning to  provide transmission of graphical screen data in the near future. Transmit- ting graphics  images  will be slower than transmitting characters; however, graphics mode transmission will be necessary to support the use of  graphics or graphical interfaces across the remote link. Lack of graphics support has been a  major  factor  in the loss of popularity for this approach. Another disadvantage with this approach is security. In addition to the requirement for the LAN-attached workstation to be powered on for remote use, screen data transmitted across  the link contains a high percentage of fixed information in a fixed format. Data encrypted in this form is relatively easy to  break because the intruder can see the effects of encryption on the fixed informa- tion that is transmitted. The IBM remote LAN access capability does not use the remote control approach. THE REMOTE CLIENT APPROACH

Gaining popularity  today in the remote LAN access market, the remote client approach utilizes a simple mechanism to extend the remote-to-remote environ- ment to service the remote workstation and allow it to share data and appli- cations located on a common WAN/LAN server. This may  be  accomplished  by replacing  the  LAN device drivers in the remote workstation and LAN-attached server with customized device drivers that  will  allow  them  to  send  and receive LAN  frames across a WAN link. This provides LAN application trans- parency within the remote workstation. The new  device  drivers  utilize existing protocols to allow remote workstations to connect with each other to form a virtual LAN via the WAN link. In addition, the device drivers provide a mechanism for remote workstations to disconnect from one another upon con- clusion of the remote transaction. Since the entire LAN frame is transported between the remote machines over the WAN link, LAN applications  running  in the  remote  workstations can support graphical interfaces in the same way as those running on LAN-attached workstations. Also, the LAN frames have  much less fixed  format information thus providing a more secure link encryption. This approach is used to provide the remote-to-remote environment within the IBM remote LAN access capability.

Extending the  remote client approach to access information elsewhere on the LAN from a remote workstation requires a LAN-attached server to manage trans- action data on the workstation's behalf. The remote environment is analogous to a standard LAN client-server environment. The remote  workstation  has addressability only  to  the WAN/LAN server to which it is connected. Files and programs residing on the common WAN/LAN server can be shared  throughout the virtual  LAN. This approach supports small single-server networks, but does not scale well to support large or distributed environments. Bottle- necks in both memory and CPU capacity tend to form in the common WAN/LAN com- munication and file server. Because of this, most products using the remote client approach are dedicated servers supporting a limited number of  remote connections (generally,  1 to 16). Organizations requiring more connections or greater capacity than can be accommodated by a single WAN/LAN server face potentially complex  challenges  in duplicating and maintaining data on mul- tiple communication servers. Accessing data and applications which are dis- tributed across  multiple  servers  can  be  annoying for a remote user in a remote client environment. For instance, a remote user would have to  phys- ically disconnect  from one server and reconnect to a second server in order to access its resources even though the two servers may be attached  to  the same LAN. Due to the constraints on distributed environments imposed by the remote client  approach,  The  IBM  remote  LAN access capability utilizes a fourth approach, called remote node, to provide fully integrated capabilities for the remote-to-LAN, LAN-to-remote, and LAN-to-LAN environments.

THE REMOTE NODE APPROACH

The remote node approach replaces the device driver  within  a  LAN-attached communication server. The device driver enables the server to take incoming data off a WAN and put it onto the LAN, and also, to take outgoing data  off the LAN  and put it onto the WAN. In addition to providing the transparency and remote LAN access capabilities of the remote client approach, remote node provides full addressability allowing the remote workstation to access  dis- tributed LAN-attached servers and peer services. This means that the remote workstation can access information and services wherever they reside on  the LAN rather  than  the  LAN  having to be redesigned with a central dedicated server to accommodate access by the remote workstation. It also means  that growth in the number of local and remote LAN users can be easily accommodated without duplicating  (and  maintaining)  data files across numerous communication servers.

In summary, the IBM remote LAN access capability utilizes  both  the  remote client and the remote node approaches to provide a flexible and full-function remote LAN  access capability. The rest of the paper describes the features provided by the IBM remote LAN access capability.

Components and Packaging
The IBM remote LAN access capability consists of three components (remote workstation, server, and LAN workstation) contained within two packages: THE IBM REMOTE WORKSTATION PACKAGE

The IBM remote workstation package contains the remote workstation component and enables the remote-to-remote environment by establishing a connection with one or more workstations. Used alone, the IBM remote workstation package can provide a low-cost means for LAN applications to communicate without requiring a physical LAN. If installed on a LAN-attached file server, the IBM remote workstation package can provide indirect remote access to the LAN through shared files contained on the server. This config- uration supplies the level of functionality available with the remote clent approach described earlier. If used in conjunction with a WAN/LAN server supplied by the IBM remote LAN access server package, a remote workstation can directly access any workstation on the LAN which has been configured to participate in the remote environment. The IBM remote workstation package runs on either OS/2(R) 2.X or Microsoft Windows(R) 3.1.

THE IBM REMOTE LAN ACCESS SERVER PACKAGE

The IBM  remote  LAN access server package contains the server and LAN work- station components. The IBM remote LAN access server package enables the LAN portion of the remote-to-LAN, LAN-to-remote, and LAN-to-LAN environments  by allowing  a LAN workstation to dial-out to a remote workstation, allowing the remote workstation to dial-in to  a  LAN  workstation,  and  passing  frames between the  WAN  and  LAN  environments. The non-dedicated WAN/LAN server requires an OS/2(R) 2.X base.

The LAN workstation component provides an interface  to  allow  LAN-attached workstations to dial-out of the LAN and participate in remote LAN access. The LAN workstation component runs on either OS/2(R) 2.X or Microsoft Windows(R) 3.1.

Supported Hardware
The IBM remote LAN access capability supports all hardware supported by the operating system platform on which the IBM remote LAN access capability com- ponent runs. Thus, remote and LAN workstations support all OS/2(R) 2.X and Microsoft Windows(R) 3.1 hardware platforms, and the WAN/LAN server supports all hardware platforms supported by OS/2(R) 2.X.

The following configuration is recommended for a remote workstation or WAN/LAN server with very light usage (ie. one person dialing in or out at a time): For WAN/LAN server to support up to 32 concurrent channels, the recommended configuration would be: A LAN adapter IS NOT required on a remote workstation nor is a modem required on a LAN-attached workstation to access the WAN. Communication between the LAN and WAN is accomplished via the WAN/LAN server.
 * An IBM or IBM-compatible 386 non-dedicated machine
 * A 9600 to 14400 bps modem
 * An IBM or IBM-compatible 486 dedicated machine
 * Up to four ARTIC cards (each card supports eight ports)
 * A 9600 to 14400 bps modem for each supported port

Supported Connectivities
Remote LAN Access software products in the market today provide remote machines with the ability to access information on a LAN-attached server using asynchronous modem connections at rates generally between 2400 to 14400 bits per second (bps). However, the IBM remote LAN access capability is optimized for higher speed (9600 bps and greater) connections and includes support for the following LAN and WAN connectivities: When the LAN is a Token Ring, the IBM remote LAN access capability utilizes source routing information from LAN control frames to efficiently relay data to and from the LAN. Token Ring adapters must support "promiscuous mode". Promiscuous mode allows control frames to be transparently passed up to the software layers. As it is required by many LAN management tools and protocol analyzers, promiscuous mode is commonly supported by most Token Ring adapters. An example of an adapter which supports promiscuous mode is the IBM Token Ring 16/4 Adapter. When the LAN is Ethernet, the IBM remote LAN access capability uses a learning filter technique with a spanning tree algorithm. Without microcode assistance from the Ethernet card, the overhead for filtering unwanted LAN traffic will likely result in fewer ports supported by the Ethernet-attached WAN/LAN server as compared to a WAN/LAN server attached to a Token Ring. This overhead, however, is a small fraction of that which would be incurred if unfiltered Ethernet traffic were allowed to flow over the WAN. The IBM remote LAN access capability allows other techniques to be used in the WAN/LAN server to move frames to and from the LAN. To offset the proc- essing overhead when using Ethernet or connecting different LAN types, a higher layer router can be used. For example, if the protocol is TCP or IPX, the IP Router/Gateway could be used with the IBM remote LAN access capa- bility. By using  the IP Router, only frames known to be directed off the local LAN would be sent to WAN/LAN server.
 * LAN Connectivities
 * Token Ring
 * Ethernet
 * WAN Connectivities
 * ISDN Basic Rate Adapter
 * Asynchronous Communications Port
 * Dual Asynchronous Adapter
 * Asynchronous/Synchronous Artic Adapter
 * Synchronous Wide Area Connector
 * X.25

The IBM remote LAN access capability can support an X.25 network; the type of connection is determined by the X.25 network provider. The remote  work- station can use an asynchronous modem connected to an X.3 pad provided by the network, or an X.25 modem (such as the Hayes Ultra Smart Modem) to connect to a network SYNC access point. On the server side, most X.25 networks require a SYNC access point and a permanent connection to the X.25 modem.

The IBM remote LAN access capability includes Medium  Access  Control  (MAC) drivers for the first four WAN connectivities. Other adapters packaged with MAC drivers which adhere to, and support, the NDIS interface may also be sup- ported by the IBM remote LAN access capability such as the  IBM  Synchronous Wide Area Connector.

Supported Software Interfaces
The IBM remote LAN access capability supports the following protocols and application programming interfaces: All that is required to support the above interfaces is included with the IBM remote LAN access capability. This allows the user to transparently run any LAN applications  which  utilize these interfaces within the WAN environment without modification. IPX, TCP/IP, Person-to-Person, Lotus Notes  and  OS/2 Communication Manager  are  a few examples of applications which can be pur- chased and installed to run within the WAN environment. The IBM remote  LAN access capability  has  also been used to access an AS/400 via the AS/400 PC Support Program.
 * Netbios
 * 802.2
 * NDIS
 * ODI requester

The IBM remote LAN access capability is network operating system independent, and therefore, is not packaged with any specific network  operating  system. It is designed to support any network operating system which resides over the 802.2, Netbios or NDIS interface including the following:
 * IBM(R) LAN Server
 * Microsoft(R) LAN Manager
 * Novell Netware(R) Server (802.2 Compatibility Mode)

Security
The IBM remote LAN access capability provides an extensive set of configurable security options which are enabled via WAN/LAN server configuration. These security options include: Details of each of these features are provided below. In addition  to  the security features listed, the IBM remote LAN access capability transparently supports existing LAN and application level security mechanisms. In other words, security features originating from applications, the network operating system, the  operating system platform, and hardware should run without modification.
 * Workstation address identification
 * Valid logon time intervals
 * Password encryption and session-based user authentication
 * Access privilege levels
 * Simplified log-on for LAN-to-LAN
 * Call back

WORKSTATION ADDRESS IDENTIFICATION

Each user  account on the WAN/LAN server can be configured with 0 to 8 work- station LAN MAC addresses. If one or more addresses have been defined for a user's  account,  the  user  must  call  from  a  workstation with an address matching one of the user account addresses or the logon attempt will fail.

VALID LOGON TIME INTERVALS

The Valid Logon Time Intervals option allows a Security Administrator to con- figure the days of the week and the times of day during  which  a  user  can logon to  the  server. Any logon attempts outside of the designated time periods will fail.

PASSWORD ENCRYPTION AND SESSION-BASED USER AUTHENTICATION

To minimize the possibility of off-line "dictionary attacks" to discover user passwords, a one-way encrypted password key is generated  from  a  "password phrase." For each subsequent logon, the security subsystem implements a two party, two-way entity authentication protocol using  message  authentication code which  adheres  to  the OSI X9.9 security standard. After a successful mutual authentication (workstation-to-server and server-to-workstation)  the workstation and  WAN/LAN server  both share a common secret session key that is used to build certificates that authenticate all  subsequent  workstation service requests  sent  to  the server. A new session key is generated for every session.

ACCESS PRIVILEGE LEVELS

A database of user accounts is maintained at the WAN/LAN server. User's are classified into the following types:
 * User
 * Administrator
 * Security Administrator

"User" is  the  lowest  security  classification. A User has permission to access the dial services of a WAN/LAN server in order to dial off LAN and can be granted permission to remotely attach to the LAN wire by calling a WAN/LAN server. A User can also view and change selected information, such as  user description and  user  password,  within the User's own account on a WAN/LAN server.

An Administrator  has  the  same privileges as a User, and additionally, can perform management functions such as transaction logging and  report  gener- ation. A Security Administrator has the same privileges as an Administrator and, in addition, is authorized to maintain a WAN/LAN  server's  User  Account  Data Base. This includes changing user account policy parameters (e.g. maximum number of logon attempts permitted during a single call), as well as viewing, adding, and deleting user accounts within the User Account Data Base. The Security Administrator  can also change account information contained in any user's accounts and disable the security features.

SIMPLIFIED LOG-ON FOR LAN-TO-LAN

A user is required to logon and be authenticated  by  each  secured  WAN/LAN server before  accessing  that server's resources. If the same user ID and password are maintained at multiple servers, the user will be able to access these additional  servers  without having to reenter IDs and passwords. For example, if a user on a LAN-attached workstation wishes to  access  a  work- station on another LAN, the user would logon to the locally-attached WAN/LAN server to dial-out to a second, remote WAN/LAN server. The user would only be prompted  for an ID and password by the remote WAN/LAN server if they are different from those used to access the first WAN/LAN server. This feature should not be confused with what is  generally  called  "single logon." Single logon,  or  the ability to bypass network operating system logons, is not provided by the IBM remote LAN access capability. In other words, users  must  still logon to LAN servers in the same way they would if they were LAN-attached.

CONFIGURABLE LOGON PARAMETERS Several logon policy options can be configured by a Security Administrator when setting up a WAN/LAN server. These include:
 * Minimum and Maximum Password Age
 * Minimum Password Length
 * Maximum Number of Unsuccessful Logon Attempts
 * Password History

The Password History option allows a Security Administrator to specify a history of zero to eight prior passwords to be saved in the user's account. When a user submits a new password, the password is checked against the pass- word history to ensure it does not duplicate one previously submitted. If a duplicate is found, the new password is invalid and the user is requested to submit another new password.

CALL BACK The Call Back feature is optional. Remote workstations can be configured to handle either a fixed or mobil telephone number. The mobil Call Back requires the user to submit a telephone number as part of the logon process which the server then uses to call back. The caller is authenticated both prior to the call back to prevent unnecessary telephone charges, and also, after the call back is complete to guard against known hacker techniques that can normally only be avoided using special telephone equipment or service options. Beyond security, call back can be useful if reversal of telephone charges is needed, such as from a hotel or customer site.

Administrative Features
The IBM remote LAN access capability provides full administrative support for monitoring connection status as well as logging errors, user data, and audit information. Audit information  includes  all connections attempted, com- pleted, and rejected. Also included are  security  trails  and  statistics useful for  capacity  planning. The audit logs can be displayed locally or retrieved from a remote workstation. In addition, several key configuration files from a given workstation can be collected into a single file for anal- ysis. The IBM remote LAN access capability  can  interface  with  a  user- supplied report  program  to  schedule  and create daily, weekly, or monthly reports, or to periodically generate output when the log file reaches a spec- ified size.

User Interface
The IBM remote LAN access capability employs a standard object-oriented graphical user  interface  consistent  with  that used for OS/2(R) 2.0. The interface has been designed to be consistent across all supported  operating systems and machine types, whether it be a Microsoft Windows(R)-based remote workstation or  an  OS/2(R)-based  LAN-attached  workstation. Only those selections appropriate  to  the user's location and privilege level are pre- sented. An example of this interface is the  phone  book  and  call  status screen illustrated in Figure 2 on page 12. The graphical user interface provides information on available servers, call status, and context sensitive help screens. Connection to the "virtual LAN" may be accomplished by selecting an entry from a user's phone book or through a command  line  interface. Commands may be entered from the keyboard or imbedded in a batch or command file.

Another unique feature is support for moving workstations between remote and LAN-attached environments, or "docking." When a workstation is configured as both LAN-attached  and  remote, the IBM remote LAN access capability manages the configuration changes to support the correct environment. This vastly simplifies the use of a single workstation for home, office, and travel. +-+ |   SERVER-10 - Phone Book                                | +-+ |                                                         |  | +---+-+-+           |  | | Austin    \\|                             --+     | | | Berlin   \\| Name:           (Dial)        A-L |     | | | Deauville \\|  Austin, TX                --+     | | | Leipzig  \\|                 (Hang Up)   |           | | | Marseille \\| Number:                    |-+     | | | Munchen  \\|   512 555 1212  (Alternate) | M-R |     | | | Paris    \\|                             |-+     | | | Stuttgart \\| Modem:                     |           | | | Toulouse \\|   ATDT15125551212           |-+     | | |          \\|   CONNECT 19200/ECL V.32BIS | S-Z |     | | |          \\|                             |-+     |  | |           \\|          page 1 of 4  < | > |           | | +---+-+-+          |  |                                                         |  |  (Add)  (Change)  (Delete)  (Help)                      | |                                                        |  +-+ ''Figure 2. Phone Book and Call Status Screen''

Installation and Configuration
The IBM remote LAN access capability provides a guided quick installation and configuration path as well as support for advanced configuration via CUA'91's Notebook Controls. The quick install feature may be used to install the IBM remote LAN access capability on LAN-attached and remote workstations. It is designed for non-technical users to provide a simple workstation configuration with a minimum amount of knowledge, time and effort. After installation is complete, the advanced configuration may be used to customize selected configuration parameters for optimum network and system performance. The advanced configuration is designed for experienced users. Preconfigured default values make tuning via the advanced configuration panels unnecessary for most parameters on most networks. Online hypertext help panels guide users through possible choices for each parameter.

The remote workstation can be installed directly over OS/2(R) 2.X or Microsoft Windows(R) 3.1. The WAN/LAN server and LAN workstation assume a LAN-enabled system for installation; minimum requirements are for the Netbios or 802.2 LAN Adapter Protocol Support to be present. The WAN/LAN server requires OS/2(R) 2.X while the LAN workstation may be either Microsoft Windows(R) or OS/2(R)-based.

The IBM remote LAN access capability may be installed by using: Installation using a LAN redirected drive is performed via the LAN's Configuration, Installation and Distribution (CID) facility. The IBM remote LAN access capability is fully CID-enabled for installation. Users of this facility install the IBM remote LAN access capability on their  workstations and  servers  by  attaching  to  the  LAN  and  redirecting  the files from a LAN-attached source. A response file may be specified at the time installation is invoked. A response file contains all the answers to the questions that are asked during a panel-driven installation. This allows administrators to setup quick and simple installations for their users. The user would only need  to  enter  a single command and the installation would proceed to completion without any further interaction required.
 * diskettes
 * a LAN redirected drive
 * a LAN redirected drive and a response file

Additional Information and Beta Program
THE BETA PROGRAM provides the IBM remote LAN access capability code at predetermined development checkpoints prior to general availability. The remote LAN access functions described in "The IBM Remote LAN Access Capability" document may not be fully supported in the beta program.

BETA CODE FROM IBM MARKETING AND VM

To obtain beta code and documentation via electronic delivery, contact  your IBM marketing representative and submit the following information via FAX to (512) 838-4002 or have your marketing representative submit a PROFS  note  to BETASRUS  at  AUSVM1:   (IMPORTANT NOTE - Please supply all data requested in order to avoid delays in filling your order.)

IBMers that are requesting the beta for their own use should specify IBM  as the Company Name and their name as the Company Technical Contact Name. Their VM Id and Node are also required.

Specify that you are ordering the RLA beta program. BETA CODE FROM 1-800 TELEPHONE NUMBER To obtain diskettes and hardcopy publications, call one of the numbers below and specify you are ordering the RLA beta.


 * In the U.S., call 1-800-IBM-3040. You will be charged $80.00 (U.S.) plus a shipping charge.
 * In Canada, call 1-800-561-5293. You will be charged  $100.00  (Canadian) plus Tax and a shipping charge.
 * Elsewhere, see the Electronic Delivery ordering information below.

ADDITIONAL INFORMATION

IBM does  not guarantee this beta program will ever be made generally avail- able. All beta code and documentation are under development and may be modi- fied substantially should there  be  a  generally  available  product. In addition, the  manner  in which IBM packages these development materials may differ substantially from any generally available products.

IBM reserves the right to modify or withdraw this offering at any time.

Your license for the beta code may be terminated by IBM upon 30 days written notice.

+--+ |                                                                      |  |                             ELECTRONIC DELIVERY RLA                  | |                                                                     |  |                                                                      |  |   Please specify which of the following categories applies to you:   | |    _____  LAN Customer with no HOST computers in your Company. | |     _____  LAN Customer with HOST computers in your Company, but:    | |             - HOST computer not connected to your LAN               | |             - or HOST connected, but not used as a Client/Server    | |             - or HOST connected and used as a Client/Server only    | |                  one or two times a day. | |     _____  LAN Customer with HOST connected to your LAN used as a    | |             Client/Server. | |                                                                      |  |                                                                      |  |   Where did you learn about this beta program? (Check Applicable)   | |                                                                     |  |         Trade Show _____________      CompuServe ________________    | |        IBM Representative _____      Trade Publications ________    | |        Other (specify)__________________________________________    | |                                                                     |  |                                                                      |  |   Company Name:__________________________________________________    | |                                                                     |  |   Mailing Address:_______________________________________________    | |                                                                     |  |                   _______________________________________________    |  |                                                                      |  |                   _______________________________________________    |  |                                                                      |  |  Company Technical Contact Name:_________________________________    | |                                                                     |  |   Technical Contact Phone Number:________________________________    | |                                                                     |  |   Technical Contact FAX Number:__________________________________    | |                                                                     |  |   IBM Marketing Rep Name:________________________________________    | |                                                                     |  |   IBM Marketing Rep Phone Number:________________________________    | |                                                                     |  |   VM Node (VM Userid):___________________________________________    | |                                                                     |  |   Country, if other than U.S.:___________________________________    | |                                                                     |  |   (IBM, in its sole and absolute discretion, reserves the right      |  |     to reject any beta applicant from participation in this          |  |     beta program.)                                                   | |                                                                     |  |                                                                      |  +--+