Hanson Brothers, a hockey equipment manufacturing company based in Warroad, Minnesota, requires a remote access solution for its employees. Hanson Brothers must address the following three remote access scenarios:
- Providing access to network resources for employees at the Boise, Calgary, and Warroad offices. Due to the increasing demand that the company implement telecommuting, employees will be allowed to work from home one day a week. Employees require access to all network resources. Some employees have asymmetric digital subscriber line (ADSL) and cable connections to the Internet at home and wish to use these technologies to connect to their local office network.
- Providing access to a production server at the Warroad office for a partner organization. Adventure Works is a major distributor of Hanson Brothers hockey equipment. Only a single specified computer at Adventure Works will be allowed to dial up to the production server at the Hanson Brothers Warroad office to determine stock availability.
- Providing network connectivity to a new office in Montréal. Hanson Brothers plans to open a new office in Montréal. Due to the high cost of establishing a dedicated network link across national borders, Hanson Brothers plans to investigate a virtual private networking (VPN) solution.
All domain controllers operating in the Hanson Brothers network are running Microsoft Windows 2000. No Windows NT 4.0 backup domain controllers (BDCs) remain on the network.
Business goals and network infrastructure proposals for the three projects are detailed in the following sections.
Providing Access to Home Users
Hanson Brothers management plans to meet the following business objectives when granting remote access to employees:
Providing Access to the Partner Organization
While Adventure Works is a trusted partner, Hanson Brothers management wants to ensure that users connecting from Adventure Works have restricted access to the Hanson Brothers corporate network.
- Connections from Adventure Works will be granted only if strong encryption of the account and password is used.
- Connections from Adventure Works will be limited to a single phone number. Connections from any other phone number will be disallowed.
- Connections from Adventure Works will be limited to the remote access server hosting the stock application. Connections to any other server on the network must be prevented.
- The computer accessing the stock application from Adventure Works is running Windows NT 4.0 Workstation as the operating system.
Connecting the Montréal Office
Due to the cost of establishing a dedicated network link between the Montréal and Warroad offices, Hanson Brothers will establish a VPN solution to connect the two offices securely. The following constraints will affect the design of the VPN connection:
- The Montréal office has acquired a third-party firewall to protect its office. The third-party firewall supports Internet Protocol Security (IPSec) but doesn't support Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).
- The third-party firewall doesn't support certificate-based authentication.
- Users at the Montréal office access corporate resources through the VPN connection to the corporate office.
- The VPN connection must provide the strongest encryption of the data encapsulated within the VPN.
- The Warroad office must ensure that the VPN server accepts only connections from the Montréal office.