The IBM Remote LAN Access Capability 5.0

THE IBM REMOTE LAN ACCESS CAPABILITY

Version 5.0

IBM PSP LAN Systems

11400 Burnet Road

Austin, Texas 78758

NOTE: Before using this information and the product it supports, be sure to read the general information under TRADEMARKS.

THE FOLLOWING PARAGRAPH DOES NOT APPLY TO THE UNITED KINGDOM OR ANY COUNTRY WHERE SUCH PROVISIONS ARE INCONSISTENT WITH LOCAL LAW: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time.

It is possible that this publication may contain reference to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming, or services in your country.

(C) COPYRIGHT INTERNATIONAL BUSINESS MACHINES CORPORATION 1992. ALL RIGHTS RESERVED.

Note to U.S. Government Users -- Documentation related to restricted rights -- Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

TRADEMARKS
References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of IBM's intellectual property rights or other legally protectible rights may be used instead of the IBM product, program, or service. Evaluation and verification of operation in conjunction with other products, programs, or services, except those expressly designated by IBM, are the user's responsibility.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any rights to these patents. You can inquire, in writing, to the IBM Director of Commercial Relations, IBM Corporation, Purchase, NY 10577-USA.

The following terms in this publication are trademarks of the IBM Corporation in the United States and/or other countries:

IBM Corporation                  IBM, OS/2, NetBIOS, DOS, LAN Server, ARTIC, AS/400, AS/400 PC Support Program, Person-to-Person

The following terms in this publication are trademarks of other companies as follows:

3Com Corporation                 NDIS
Hayes Corporation                ULTRA SmartModem
Intel Corporation                80386, 80486
Lotus Development Corporation    Lotus Notes
Microsoft Corporation            LAN Manager, Windows
Novell Corporation               NetWare, NetWare Server, ODI
Xerox Corporation                Ethernet

CONTENTS
What Is The IBM Remote LAN Access Capability?
   Remote LAN Access Environments
Current Remote LAN Access Technologies
Components and Packaging
Supported Hardware
Supported Connectivities
Supported Software Interfaces
Security
Administrative Features
User Interface
Installation and Configuration
Additional Information and Beta Program

WHAT IS THE IBM REMOTE LAN ACCESS CAPABILITY?
The IBM remote LAN access capability enables remote users to transparently run their LAN-based applications over switched connections (asynchronous, synchronous and ISDN) using public switched telephone networks or PBX/CBX exchanges. The primary distinction of the IBM remote LAN access capability is that it uses a device driver replacement technology to provide a superset of functionality available with remote LAN access products on the market today, and it accomplishes this using a non-dedicated communication server and non-proprietary hardware.

The IBM remote LAN access capability addresses all of the following remote LAN access environments:

o  A remote workstation connecting to another remote workstation
o  A remote workstation connecting to LAN workstations
o  A LAN workstation connecting to a remote workstation
o  A LAN workstation connecting to a remote LAN workstation

The IBM remote LAN access capability's communication server supports up to 32 simultaneous communication ports and provides a full range of configurable security and administrative features. In essence, the IBM remote LAN access capability provides the user with functionality and features to run LAN applications anywhere, anytime, and provides the systems administrator with effective tools for managing the wide area network (WAN).

REMOTE LAN ACCESS ENVIRONMENTS
______________________________

REMOTE-TO-REMOTE

The four main environments listed in the introductory paragraph are illustrated in Figure 1 on page 2. A "remote-to-remote" environment consists of a connection established between two or more remote workstations. Conferences may be set up between multiple workstations, creating an ad hoc LAN over telephone lines. Without LAN adapters and without LAN wiring, remote-to-remote workstations can access each other's LAN resources and LAN-based applications. This environment supports customers who need a low-cost WAN connection to support data, resource and program sharing. Another example of a remote-to-remote implementation would be a remote client using the telephone line to access resources from a file or application server.

REMOTE-TO-LAN

A "remote-to-LAN" environment, sometimes called "dial-in", occurs when a remote workstation initiates a connection to a LAN workstation via some form of WAN/LAN communication server. The IBM remote LAN access capability remote-to-LAN environment is characterized by the remote workstation running LAN applications between itself and one or more LAN-attached workstations via a single WAN connection to the LAN. A separate and direct connection is not required for each LAN-attached workstation with which the remote workstation needs to communicate. Once the WAN connection is established between the remote workstation and the LAN, the remote workstation can directly address any LAN-attached workstation configured to participate within the remote-to-LAN environment. Likewise, because the remote workstation has its own unique address, it can receive information directly from the participating LAN-attached workstations. The IBM remote LAN access capability thus provides a remote LAN access environment which allows the remote workstation to transparently run LAN-based applications and interoperate with the LAN as if it were LAN-attached. The IBM remote LAN access capability also enables remote workstations to concurrently access multiple LAN-attached workstations without redialing.
[Figure 1. Four Remote LAN Access Environments. Panels: Remote-to-Remote, Remote-to-LAN, LAN-to-Remote, LAN-to-LAN]

LAN-TO-REMOTE

A "LAN-to-remote" environment, sometimes called "dial-out", occurs when a LAN-attached workstation initiates a connection to a remote workstation via a WAN/LAN communication server. The IBM remote LAN access capability LAN-to-remote environment has the same characteristics and capabilities as the remote-to-LAN environment except that the LAN-attached workstation initiates the connection. An example of LAN-to-remote would be a LAN-attached workstation accessing a remote "information server" to acquire product pricing data.

LAN-TO-LAN

A "LAN-to-LAN" environment occurs when a LAN-attached workstation connects to another LAN-attached workstation via two WAN/LAN communication servers. The IBM remote LAN access capability's LAN-to-LAN implementation combines the functionality of the LAN-to-remote and remote-to-LAN environments. The resulting "casual bridge" allows the customer to utilize switched links rather than leased lines for a more cost effective solution. The LAN-to-LAN environment provides the capability for LAN-attached machines to access or update information residing in remote locations, and also, to act as a server for other remote workstations connecting onto the LAN.

Note that this environment is very different from a split bridge environment. A split bridge establishes a permanent connection between all machines on the two LANs. In the IBM remote LAN access capability LAN-to-LAN environment, connections are established on a temporary workstation-to-workstation basis across the WAN. The LAN-to-LAN environment is particularly useful for customers with numerous separate LAN networks and a need to control access on and off the LANs, such as banking companies with their many branch offices. It provides an inexpensive mechanism for dynamically connecting the LANs while maintaining control over the origin of traffic flowing between them.

CURRENT REMOTE LAN ACCESS TECHNOLOGIES
There are numerous other remote LAN access products available today. These products vary widely in cost and functionality. Many utilize extensions of a remote-to-remote environment to provide remote-to-remote and remote-to-LAN access capabilities, but do not support the LAN-to-remote or LAN-to-LAN environments. Many of the products currently available do not support graphical interfaces. Many require dedicated or proprietary hardware.

Remote LAN access products use one of four known technological approaches. Each approach provides an inherent level of functionality and limitations. In order to better compare the functionality offered by the IBM remote LAN access capability to that offered by other products, an overview of the four remote LAN access technologies is provided in the following sections. These four technologies are:

o  The hardware approach
o  The remote control approach
o  The remote client approach
o  The remote node approach

THE HARDWARE APPROACH

The hardware approach replaces the LAN adapter with a customized WAN adapter in the remote workstation and provides a compatible hardware "tap" on the LAN. This LAN hardware tap varies from a specialized adapter on the LAN file server to a standalone multiprocessor box. The implementation of this approach varies widely in sophistication, cost, and performance. In general, supporting a large number of remote users with customized hardware may be cost prohibitive. Difficulties in network maintenance and compatibility have been cited as additional reasons this approach might be considered suboptimum for distributed environments. The IBM remote LAN access capability does not use this approach.

THE REMOTE CONTROL APPROACH

One of the earliest and most pervasive software approaches is remote control. The remote workstation using this approach dials into, and takes control over, a LAN-attached workstation which executes programs on behalf of the remote workstation over the LAN. Keyboard and screen data from the dedicated LAN-attached system is then routed back to the remote workstation. By routing only keyboard and screen data, this approach minimizes the amount of data which flows across the link; however, there are numerous disadvantages.

Because this approach requires a dedicated machine on the LAN for each remote workstation dialing onto the LAN, customers are required to invest in duplicate hardware. Most remote control products transmit keyboard and screen data over the WAN in character mode, though some companies are planning to provide transmission of graphical screen data in the near future. Transmitting graphics images will be slower than transmitting characters; however, graphics mode transmission will be necessary to support the use of graphics or graphical interfaces across the remote link. Lack of graphics support has been a major factor in the loss of popularity for this approach.

Another disadvantage with this approach is security. In addition to the requirement for the LAN-attached workstation to be powered on for remote use, screen data transmitted across the link contains a high percentage of fixed information in a fixed format. Data encrypted in this form is relatively easy to break because the intruder can see the effects of encryption on the fixed information that is transmitted. The IBM remote LAN access capability does not use the remote control approach.

THE REMOTE CLIENT APPROACH

Gaining popularity today in the remote LAN access market, the remote client approach utilizes a simple mechanism to extend the remote-to-remote environment to service the remote workstation and allow it to share data and applications located on a common WAN/LAN server. This may be accomplished by replacing the LAN device drivers in the remote workstation and LAN-attached server with customized device drivers that will allow them to send and receive LAN frames across a WAN link. This provides LAN application transparency within the remote workstation. The new device drivers utilize existing protocols to allow remote workstations to connect with each other to form a virtual LAN via the WAN link. In addition, the device drivers provide a mechanism for remote workstations to disconnect from one another upon conclusion of the remote transaction.

Since the entire LAN frame is transported between the remote machines over the WAN link, LAN applications running in the remote workstations can support graphical interfaces in the same way as those running on LAN-attached workstations. Also, the LAN frames have much less fixed format information, thus providing a more secure link encryption. This approach is used to provide the remote-to-remote environment within the IBM remote LAN access capability.

Extending the remote client approach to access information elsewhere on the LAN from a remote workstation requires a LAN-attached server to manage transaction data on the workstation's behalf. The remote environment is analogous to a standard LAN client-server environment. The remote workstation has addressability only to the WAN/LAN server to which it is connected. Files and programs residing on the common WAN/LAN server can be shared throughout the virtual LAN. This approach supports small single-server networks, but does not scale well to support large or distributed environments. Bottlenecks in both memory and CPU capacity tend to form in the common WAN/LAN communication and file server. Because of this, most products using the remote client approach are dedicated servers supporting a limited number of remote connections (generally, 1 to 16).

Organizations requiring more connections or greater capacity than can be accommodated by a single WAN/LAN server face potentially complex challenges in duplicating and maintaining data on multiple communication servers. Accessing data and applications which are distributed across multiple servers can be annoying for a remote user in a remote client environment. For instance, a remote user would have to physically disconnect from one server and reconnect to a second server in order to access its resources even though the two servers may be attached to the same LAN. Due to the constraints on distributed environments imposed by the remote client approach, the IBM remote LAN access capability utilizes a fourth approach, called remote node, to provide fully integrated capabilities for the remote-to-LAN, LAN-to-remote, and LAN-to-LAN environments.

THE REMOTE NODE APPROACH

The remote node approach replaces the device driver within a LAN-attached communication server. The device driver enables the server to take incoming data off a WAN and put it onto the LAN, and also, to take outgoing data off the LAN and put it onto the WAN. In addition to providing the transparency and remote LAN access capabilities of the remote client approach, remote node provides full addressability, allowing the remote workstation to access distributed LAN-attached servers and peer services. This means that the remote workstation can access information and services wherever they reside on the LAN rather than the LAN having to be redesigned with a central dedicated server to accommodate access by the remote workstation. It also means that growth in the number of local and remote LAN users can be easily accommodated without duplicating (and maintaining) data files across numerous communication servers.

In summary, the IBM remote LAN access capability utilizes both the remote client and the remote node approaches to provide a flexible and full-function remote LAN access capability. The rest of the paper describes the features provided by the IBM remote LAN access capability.

COMPONENTS AND PACKAGING
The IBM remote LAN access capability consists of three components (remote workstation, server, and LAN workstation) contained within two packages:

THE IBM REMOTE WORKSTATION PACKAGE

The IBM remote workstation package contains the remote workstation component and enables the remote-to-remote environment by establishing a connection with one or more workstations. Used alone, the IBM remote workstation package can provide a low-cost means for LAN applications to communicate without requiring a physical LAN.

If installed on a LAN-attached file server, the IBM remote workstation package can provide indirect remote access to the LAN through shared files contained on the server. This configuration supplies the level of functionality available with the remote client approach described earlier.

If used in conjunction with a WAN/LAN server supplied by the IBM remote LAN access server package, a remote workstation can directly access any workstation on the LAN which has been configured to participate in the remote environment.

The IBM remote workstation package runs on either OS/2(R) 2.X or Microsoft Windows(R) 3.1.

THE IBM REMOTE LAN ACCESS SERVER PACKAGE

The IBM remote LAN access server package contains the server and LAN workstation components.

The IBM remote LAN access server package enables the LAN portion of the remote-to-LAN, LAN-to-remote, and LAN-to-LAN environments by allowing a LAN workstation to dial-out to a remote workstation, allowing the remote workstation to dial-in to a LAN workstation, and passing frames between the WAN and LAN environments. The non-dedicated WAN/LAN server requires an OS/2(R) 2.X base.

The LAN workstation component provides an interface to allow LAN-attached workstations to dial-out of the LAN and participate in remote LAN access. The LAN workstation component runs on either OS/2(R) 2.X or Microsoft Windows(R) 3.1.

SUPPORTED HARDWARE
The IBM remote LAN access capability supports all hardware supported by the operating system platform on which the IBM remote LAN access capability component runs. Thus, remote and LAN workstations support all OS/2(R) 2.X and Microsoft Windows(R) 3.1 hardware platforms, and the WAN/LAN server supports all hardware platforms supported by OS/2(R) 2.X.

The following configuration is recommended for a remote workstation or WAN/LAN server with very light usage (i.e. one person dialing in or out at a time):

o  An IBM or IBM-compatible 386 non-dedicated machine
o  A 9600 to 14400 bps modem

For a WAN/LAN server to support up to 32 concurrent channels, the recommended configuration would be:

o  An IBM or IBM-compatible 486 dedicated machine
o  Up to four ARTIC cards (each card supports eight ports)
o  A 9600 to 14400 bps modem for each supported port

A LAN adapter IS NOT required on a remote workstation nor is a modem required on a LAN-attached workstation to access the WAN. Communication between the LAN and WAN is accomplished via the WAN/LAN server.

SUPPORTED CONNECTIVITIES
Remote LAN access software products in the market today provide remote machines with the ability to access information on a LAN-attached server using asynchronous modem connections at rates generally between 2400 and 14400 bits per second (bps). However, the IBM remote LAN access capability is optimized for higher speed (9600 bps and greater) connections and includes support for the following LAN and WAN connectivities:

o  LAN Connectivities
   -  Token Ring
   -  Ethernet
o  WAN Connectivities
   -  ISDN Basic Rate Adapter
   -  Asynchronous Communications Port
   -  Dual Asynchronous Adapter
   -  Asynchronous/Synchronous Artic Adapter
   -  Synchronous Wide Area Connector
   -  X.25

When the LAN is a Token Ring, the IBM remote LAN access capability utilizes source routing information from LAN control frames to efficiently relay data to and from the LAN. Token Ring adapters must support "promiscuous mode". Promiscuous mode allows control frames to be transparently passed up to the software layers. As it is required by many LAN management tools and protocol analyzers, promiscuous mode is commonly supported by most Token Ring adapters. An example of an adapter which supports promiscuous mode is the IBM Token Ring 16/4 Adapter.

When the LAN is Ethernet, the IBM remote LAN access capability uses a learning filter technique with a spanning tree algorithm. Without microcode assistance from the Ethernet card, the overhead for filtering unwanted LAN traffic will likely result in fewer ports supported by the Ethernet-attached WAN/LAN server as compared to a WAN/LAN server attached to a Token Ring. This overhead, however, is a small fraction of that which would be incurred if unfiltered Ethernet traffic were allowed to flow over the WAN.

The IBM remote LAN access capability allows other techniques to be used in the WAN/LAN server to move frames to and from the LAN. To offset the processing overhead when using Ethernet or connecting different LAN types, a higher layer router can be used. For example, if the protocol is TCP or IPX, the IP Router/Gateway could be used with the IBM remote LAN access capability. By using the IP Router, only frames known to be directed off the local LAN would be sent to the WAN/LAN server.

The IBM remote LAN access capability can support an X.25 network; the type of connection is determined by the X.25 network provider. The remote workstation can use an asynchronous modem connected to an X.3 pad provided by the network, or an X.25 modem (such as the Hayes Ultra Smart Modem) to connect to a network SYNC access point. On the server side, most X.25 networks require a SYNC access point and a permanent connection to the X.25 modem.

The IBM remote LAN access capability includes Medium Access Control (MAC) drivers for the first four WAN connectivities. Other adapters packaged with MAC drivers which adhere to, and support, the NDIS interface, such as the IBM Synchronous Wide Area Connector, may also be supported by the IBM remote LAN access capability.

SUPPORTED SOFTWARE INTERFACES
The IBM remote LAN access capability supports the following protocols and application programming interfaces:

o  NetBIOS
o  802.2
o  NDIS
o  ODI requester

All that is required to support the above interfaces is included with the IBM remote LAN access capability. This allows the user to transparently run any LAN applications which utilize these interfaces within the WAN environment without modification. IPX, TCP/IP, Person-to-Person, Lotus Notes and OS/2 Communication Manager are a few examples of applications which can be purchased and installed to run within the WAN environment. The IBM remote LAN access capability has also been used to access an AS/400 via the AS/400 PC Support Program.

The IBM remote LAN access capability is network operating system independent, and therefore, is not packaged with any specific network operating system. It is designed to support any network operating system which resides over the 802.2, NetBIOS or NDIS interface including the following:

o  IBM(R) LAN Server
o  Microsoft(R) LAN Manager
o  Novell NetWare(R) Server (802.2 Compatibility Mode)

SECURITY
The  IBM   remote  LAN  access  capability  provides  an  extensive  set  of  configurable security options which are enabled via WAN/LAN server configura- tion. These security options include: o  Workstation address identification o  Valid logon time intervals o  Password encryption and session-based user authentication o  Access privilege levels o  Simplified log-on for LAN-to-LAN o  Call back Details of each of these features are provided below. In addition  to  the security features listed, the IBM remote LAN access capability transparently supports existing LAN and application level security mechanisms. In other words, security features originating from applications, the network operating system, the  operating system platform, and hardware should run without mod- ification. WORKSTATION ADDRESS IDENTIFICATION Each user  account on the WAN/LAN server can be configured with 0 to 8 work- station LAN MAC addresses. If one or more addresses have been defined for a  user's  account,  the  user  must  call  from  a  workstation with an address matching one of the user account addresses or the logon attempt will fail. VALID LOGON TIME INTERVALS The Valid Logon Time Intervals option allows a Security Administrator to con- figure the days of the week and the times of day during  which  a  user  can logon to  the  server. Any logon attempts outside of the designated time periods will fail. PASSWORD ENCRYPTION AND SESSION-BASED USER AUTHENTICATION To minimize the possibility of off-line "dictionary attacks" to discover user passwords, a one-way encrypted password key is generated  from  a  "password  phrase." For each subsequent logon, the security subsystem implements a two party, two-way entity authentication protocol using  message  authentication code which  adheres  to  the OSI X9.9 security standard. 
After a successful mutual authentication (workstation-to-server and server-to-workstation)  the workstation and  WAN/LAN server  both share a common secret session key that is used to build certificates that authenticate all  subsequent  workstation service requests  sent  to  the server. A new session key is generated for every session. ACCESS PRIVILEGE LEVELS A database of user accounts is maintained at the WAN/LAN server. User's are classified into the following types: o  User o  Administrator o  Security Administrator "User" is  the  lowest  security  classification. A User has permission to access the dial services of a WAN/LAN server in order to dial off LAN and can be granted permission to remotely attach to the LAN wire by calling a WAN/LAN server. A User can also view and change selected information, such as  user description and  user  password,  within the User's own account on a WAN/LAN server. An Administrator  has  the  same privileges as a User, and additionally, can perform management functions such as transaction logging and  report  gener- ation. A Security Administrator has the same privileges as an Administrator and, in  addition, is authorized to maintain a  WAN/LAN  server's  User  Account  Data Base. This includes changing user account policy parameters (e.g. maximum  number of logon attempts permitted during a single call), as well as viewing, adding, and deleting user accounts within the User Account Data Base. The Security Administrator  can also change account information contained in any user's accounts and disable the security features. SIMPLIFIED LOG-ON FOR LAN-TO-LAN A user is required to logon and be authenticated  by  each  secured  WAN/LAN server before  accessing  that server's resources. If the same user ID and password are maintained at multiple servers, the user will be able to access these additional  servers  without having to reenter IDs and passwords. 
For example, if a user on a LAN-attached workstation wishes to  access  a  work- station on another LAN, the user would logon to the locally-attached WAN/LAN server to dial-out to a second, remote WAN/LAN server. The user would only be prompted  for an ID and password by the remote WAN/LAN server if they are different from those used to access the first WAN/LAN server. This feature should not be confused with what is  generally  called  "single  logon." Single logon,  or  the ability to bypass network operating system logons, is not provided by the IBM remote LAN access capability. In other words, users  must  still logon to LAN servers in the same way they would if  they were LAN-attached. CONFIGURABLE LOGON PARAMETERS Several logon policy options can be configured by a  Security  Administrator when setting up a WAN/LAN server. These include: o  Minimum and Maximum Password Age o  Minimum Password Length o  Maximum Number of Unsuccessful Logon Attempts o  Password History The Password  History  option  allows  a Security Administrator to specify a  history of zero to eight prior passwords to be saved in the  user's  account. When a user submits a new password, the password is checked against the pass- word history to ensure it does not duplicate one previously submitted. If a duplicate is found, the new password is invalid and the user is requested  to  submit another new password. CALL BACK The Call Back feature is optional. Remote workstations can be configured to handle either a fixed or  mobil  telephone  number. The mobil  Call  Back requires the  user to submit a telephone number as part of the logon process which the server then uses to call back. The caller is authenticated  both prior to  the  call back to prevent unnecessary telephone charges, and also, after the call back is complete to guard against known hacker techniques that can normally only be avoided using special telephone  equipment  or  service options. 
Beyond security, call back can be useful if reversal of telephone charges is needed, such as from a hotel or customer site.
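The Minimum Password Length and Password History checks described under CONFIGURABLE LOGON PARAMETERS can be sketched as follows. This is an added example, not IBM's code: the class and function names are hypothetical, and storing each remembered password as a salted PBKDF2 digest (rather than in clear text) and also refusing the current password are assumptions the paper does not state.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000          # assumption: storage format is not given in the paper
Entry = Tuple[bytes, bytes]      # (salt, digest) for one remembered password

@dataclass
class LogonPolicy:               # hypothetical name
    min_length: int = 8          # "Minimum Password Length"
    history_depth: int = 8       # "Password History": zero to eight prior passwords

    def __post_init__(self) -> None:
        if not 0 <= self.history_depth <= 8:
            raise ValueError("password history must be 0..8 entries")

@dataclass
class Account:                   # hypothetical name
    current: Optional[Entry] = None
    history: List[Entry] = field(default_factory=list)   # newest first

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _matches(password: str, entry: Entry) -> bool:
    # Each entry has its own salt, so the candidate is re-hashed per entry
    # and compared in constant time.
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)

def change_password(account: Account, policy: LogonPolicy, new_password: str):
    """Return (accepted, reason); reject short or previously used passwords."""
    if len(new_password) < policy.min_length:
        return False, "too short"
    remembered = ([account.current] if account.current else []) + account.history
    if any(_matches(new_password, e) for e in remembered):
        return False, "duplicate of a previous password"
    if account.current is not None:
        account.history.insert(0, account.current)   # current becomes "prior"
    del account.history[policy.history_depth:]       # keep only the configured depth
    salt = os.urandom(16)
    account.current = (salt, _digest(new_password, salt))
    return True, "ok"
```

Because every remembered entry is salted separately, a history check costs one key derivation per stored password, which is one practical reason to keep the history short.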

ADMINISTRATIVE FEATURES
The IBM remote LAN access capability provides full administrative support for monitoring connection status as well as logging errors, user data, and audit information. Audit information includes all connections attempted, completed, and rejected. Also included are security trails and statistics useful for capacity planning. The audit logs can be displayed locally or retrieved from a remote workstation. In addition, several key configuration files from a given workstation can be collected into a single file for analysis. The IBM remote LAN access capability can interface with a user-supplied report program to schedule and create daily, weekly, or monthly reports, or to periodically generate output when the log file reaches a specified size.

USER INTERFACE
The IBM remote LAN access capability employs a standard object-oriented graphical user interface consistent with that used for OS/2(R) 2.0. The interface has been designed to be consistent across all supported operating systems and machine types, whether it be a Microsoft Windows(R)-based remote workstation or an OS/2(R)-based LAN-attached workstation. Only those selections appropriate to the user's location and privilege level are presented. An example of this interface is the phone book and call status screen illustrated in Figure 2 on page 12.

The graphical user interface provides information on available servers, call status, and context sensitive help screens. Connection to the "virtual LAN" may be accomplished by selecting an entry from a user's phone book or through a command line interface. Commands may be entered from the keyboard or imbedded in a batch or command file.

Another unique feature is support for moving workstations between remote and LAN-attached environments, or "docking." When a workstation is configured as both LAN-attached and remote, the IBM remote LAN access capability manages the configuration changes to support the correct environment. This vastly simplifies the use of a single workstation for home, office, and travel.
+---------------------------------------------------------+
|   SERVER-10 - Phone Book                                |
+---------------------------------------------------------+
|                                                         |
| +-----------+-----------------------------+             |
| | Austin    |                             ------+       |
| | Berlin    | Name:           (Dial)        A-L |       |
| | Deauville |  Austin, TX                 ------+       |
| | Leipzig   |                 (Hang Up)   |             |
| | Marseille | Number:                     |-----+       |
| | Munchen   |   512 555 1212  (Alternate) | M-R |       |
| | Paris     |                             |-----+       |
| | Stuttgart | Modem:                      |             |
| | Toulouse  |   ATDT15125551212           |-----+       |
| |           |   CONNECT 19200/ECL V.32BIS | S-Z |       |
| |           |                             |-----+       |
| |           |          page 1 of 4  < | > |             |
| +-----------+-----------------------------+             |
|                                                         |
|  (Add)  (Change)  (Delete)  (Help)                      |
|                                                         |
+---------------------------------------------------------+

Figure 2. Phone Book and Call Status Screen

INSTALLATION AND CONFIGURATION
The IBM remote LAN access capability provides a guided quick installation and configuration path as well as support for advanced configuration via CUA'91's Notebook Controls. The quick install feature may be used to install the IBM remote LAN access capability on LAN-attached and remote workstations. It is designed for non-technical users to provide a simple workstation configuration with a minimum amount of knowledge, time and effort. After installation is complete, the advanced configuration may be used to customize selected configuration parameters for optimum network and system performance. The advanced configuration is designed for experienced users. Preconfigured default values make tuning via the advanced configuration panels unnecessary for most parameters on most networks. Online hypertext help panels guide users through possible choices for each parameter.

The remote workstation can be installed directly over OS/2(R) 2.X or Microsoft Windows(R) 3.1. The WAN/LAN server and LAN workstation assume a LAN-enabled system for installation; minimum requirements are for the NetBIOS or 802.2 LAN Adapter Protocol Support to be present. The WAN/LAN server requires OS/2(R) 2.X while the LAN workstation may be either Microsoft Windows(R) or OS/2(R)-based.

The IBM remote LAN access capability may be installed by using:

o  diskettes
o  a LAN redirected drive
o  a LAN redirected drive and a response file

Installation using a LAN redirected drive is performed via the LAN's Configuration, Installation and Distribution (CID) facility. The IBM remote LAN access capability is fully CID-enabled for installation. Users of this facility install the IBM remote LAN access capability on their workstations and servers by attaching to the LAN and redirecting the files from a LAN-attached source. A response file may be specified at the time installation is invoked.
A response file contains all the answers to the questions that are asked during a panel-driven installation. This allows administrators to set up quick and simple installations for their users. The user would only need to enter a single command and the installation would proceed to completion without any further interaction required.

ADDITIONAL INFORMATION AND BETA PROGRAM
THE BETA PROGRAM provides the IBM remote LAN access capability code at predetermined development checkpoints prior to general availability. The remote LAN access functions described in "The IBM Remote LAN Access Capability" document may not be fully supported in the beta program.

BETA CODE FROM IBM MARKETING AND VM
To obtain beta code and documentation via electronic delivery, contact your IBM marketing representative and submit the following information via FAX to (512) 838-4002 or have your marketing representative submit a PROFS note to BETASRUS at AUSVM1. (IMPORTANT NOTE - Please supply all data requested in order to avoid delays in filling your order.) IBMers that are requesting the beta for their own use should specify IBM as the Company Name and their name as the Company Technical Contact Name. Their VM Id and Node are also required. Specify that you are ordering the RLA beta program.

BETA CODE FROM 1-800 TELEPHONE NUMBER
To obtain diskettes and hardcopy publications, call one of the numbers below and specify you are ordering the RLA beta.

o  In the U.S., call 1-800-IBM-3040. You will be charged $80.00 (U.S.) plus a shipping charge.
o  In Canada, call 1-800-561-5293. You will be charged $100.00 (Canadian) plus Tax and a shipping charge.
o  Elsewhere, see the Electronic Delivery ordering information below.

ADDITIONAL INFORMATION
IBM does not guarantee this beta program will ever be made generally available. All beta code and documentation are under development and may be modified substantially should there be a generally available product. In addition, the manner in which IBM packages these development materials may differ substantially from any generally available products. IBM reserves the right to modify or withdraw this offering at any time. Your license for the beta code may be terminated by IBM upon 30 days written notice.

ELECTRONIC DELIVERY RLA

Please specify which of the following categories applies to you:

_____  LAN Customer with no HOST computers in your Company.
_____  LAN Customer with HOST computers in your Company, but:
       - HOST computer not connected to your LAN
       - or HOST connected, but not used as a Client/Server
       - or HOST connected and used as a Client/Server only
         one or two times a day.
_____  LAN Customer with HOST connected to your LAN used as a
       Client/Server.

Where did you learn about this beta program? (Check Applicable)

    Trade Show _____________      CompuServe ________________
    IBM Representative _____      Trade Publications ________
    Other (specify)__________________________________________

Company Name:__________________________________________________

Mailing Address:_______________________________________________
                _______________________________________________
                _______________________________________________

Company Technical Contact Name:_________________________________

Technical Contact Phone Number:________________________________

Technical Contact FAX Number:__________________________________

IBM Marketing Rep Name:________________________________________

IBM Marketing Rep Phone Number:________________________________

VM Node (VM Userid):___________________________________________

Country, if other than U.S.:___________________________________

(IBM, in its sole and absolute discretion, reserves the right to reject any beta applicant from participation in this beta program.)