By Tom Henderson
Windows has always caused its share of problems for enterprise MIS directors more accustomed to the wide-open world of UNIX. It's hard to control your company's software applications with the focus Windows places on end-user freedom. Multiple versions of products-including some with incompatible file formats-cause nightmares for the support desk. Security under Windows has traditionally been less than optimal. And, finally, many organizations just don't have the budget to scrap their older machines and replace them with Windows 95-capable computers.
There's a way to deal with all of these problems. Its name is not "mainframe"; it's Windows NT. Thanks to a few upgrades to NT, some new third-party products and the Internet, you can run the OS as a multi-user server with virtual machines and UNIX-like capabilities. This allows you to use those old legacy systems, control the software versions everyone is using, and maintain tight security-all without implementing new hardware.
Let's start with the changes you'll find in NT itself.
To be a truly "multi-user" server, NT needs to do more than just connect a number of workstations. It needs to allow users to connect in a number of ways-dial-up, through a LAN, and over a range of protocols from TCP/IP (the mainstay UNIX communications protocol), Novell's IPX/SPX (through NetWare Virtual Terminal) and NetBIOS. All of these communications standards are now supported by NT, either by the OS itself or via third-party add-ons.
It's also essential for NT to provide familiar DOS and Windows applications over the server, avoiding the need to have them run on the user's desktop. They have to run concurrently inside the NT server, offering support for file and print sharing, external communications and administrative functions. They also have to use native LAN or Internet protocols and wires. Microsoft accomplished all these goals with recent upgrades to NT.
Click Here to see a 30.0 KB bitmap image of artwork which goes with this article, entitled:
Windows95 Client running an NT session
You'll need a third-party application to actually change NT into a UNIX-style, multi-user system. Two notable products for that purpose are Citrix Systems' WinFrame/Enterprise 1.6 and the Windows Distributed Desktop (WinDD) 2.0 from Tektronix. Both add multi-user access, X Windows-like capabilities, native Internet access and enormous file-serving power to NT.
Citrix Systems was first to license the Windows NT kernel for third-party development. The company added the ability to run virtual sessions from different clients inside a single NT Server-based machine. The clients are actually virtual Windows or DOS sessions living in the NT hardware. Each of these clients has the same resources as the NT server, and each is subject to the usual level of NT security.
One of the primary benefits of a virtual-machine architecture: The NT server is accessible through both network wires and NT's Remote Access Service (RAS), and so are the virtual machines.
This setup turns Windows NT into a host as well as a server, allowing it to run applications inside the server hardware; it sends keyboard, mouse and screen information to a PC connected to the server via LAN or dial-up. This allows users to spawn sessions that are full-blown DOS, Windows 3.1x, 95 or NT applications as though the applications were discrete PCs attached to the network.
WinFrame/Enterprise gives NT the ability to run 10 or more DOS or Windows sessions within a single NT server. Citrix calls that capability MultiWin technology. The WinFrame client software (called WinFrame/Access) sends keyboard and mouse instructions while receiving screen changes through a variety of transportation methods, including dial-in and LAN transports.
This means that branch-office and remote users can access corporate-standard applications through their "terminals." Administrators get the benefit of permitting any compatible machine to connect across dial-up or network lines and use applications resident on the NT WinFrame server.
Citrix also added the ICA Windows presentation protocol to NT servers. Conceptually similar to X Windows, the ICA protocol has been directly incorporated inside WinFrame. By contrast, X Windows runs as a subordinate process under the UNIX kernel-not as part of it.
MultiWin via ICA allows virtual machines inside Windows NT under WinFrame, and the resources needed by the client (or "terminal") for those virtual machines are then communicated across LAN, WAN, modem or other communications wires.
For example, WinFrame/Enterprise allows an organization to run its software in several unique ways. An application can be run as a Windows 16-bit application or under DOS. Users can connect to the WinFrame/Enterprise NT server via Novell's IPX protocol at the corporate site for either type of session. The actual programs and data reside on a NetWare-linked Windows NT file server.
The Citrix WinFrame/Access software built on the ICA protocol also allows users of older DOS machines (even 286s) to run 16- or 32-bit Windows applications on the WinFrame server, if they have a monitor capable of viewing the software's graphics and a mouse on the client PC. Client software for WinFrame server access is also available for UNIX and Mac users.
But the cost is steep: WinFrame starts at $5,995 for 15 users. (You can add users in increments of five for $995 or 10 for $1,995.) When compared to PC remote-control frames at a bare minimum $20,000 for the same number of users, however, WinFrame's price suddenly becomes much more attractive.
The WinFrame server requires an NT-compatible platform with at least 32MB of DRAM, and 4MB of DRAM for each concurrent user. The actual amount of DRAM needed varies according to applications requirements. If users are just running DOS, 4MB of DRAM is fine, but running a Windows 95 or NT application with 4MB of DRAM allocated per concurrent user is nearly impossible. Each virtual session requires roughly the same DRAM resources as a similar discrete PC.
Click Here to see a 20.2 KB bitmap image of artwork which goes with this article, entitled:
The global nature of UNIX peer connectivity was another missing link in NT Server. UNIX hardware and software vendors could always rely on the familiar X Windows GUI for interoperability among the diverse UNIX hardware platforms. This kind of functionality did not exist in NT until recently, when Tektronix developed WinDD, which delivers Windows 95, 3.1x and NT applications to X-Windows-capable workstations.
X Windows offers a conceptual reversal of the traditional roles in client/server computing. The X client exports information to the X server-such as size and placement of windows, mouse movement and object movement-in a method similar to that of Windows remote-control software.
Delivery of Windows applications to the UNIX desktop through X Windows had been tried before. Running multiple sessions on 1992-era PC hardware proved to be difficult, however, and the idea of X terminal development languished. Meanwhile, Intel CPU emulators such as SoftWindows mimicked the function of an Intel CPU and provided localized use of Windows applications. Unfortunately, these products lacked two things: speed and compatibility with Windows Enhanced Mode.
The speed problem in Windows emulators meant that very expensive UNIX hardware was being used to serve up Windows applications at three to 10 times the cost of a comparable PC. You needed a super-hot box to get around the software overhead of the emulator and deliver acceptable Windows performance. What's more, Windows Enhanced Mode, which required tricky memory management and CPU emulation, proved difficult to work around. Worse, each port of the Windows emulators for UNIX was processor-specific and had to be rewritten for new platforms.
Click Here to see a 7.43 KB bitmap image of artwork which goes with this article, entitled:
Win DD/Windows NT
Tektronix took its experience as an X terminal developer and brought it to NT with WinDD. In a manner similar to Citrix WinFrame, WinDD uses the ICA protocol to send only screen-change information over a network or dial-up connection. WinDD also adds NFS support for NT, an interesting component that Citrix WinFrame lacks.
NFS, or Network File System, was developed by Sun Microsystems for peer-oriented directory services. UNIX machines export directories at startup to make them available to other users. These users, in turn, can mount entire subdirectory structures as extensions of their own hardware's filing system.
Windows NT has no native support for NFS, but WinDD (and other products like Hummingbird Communication's Exceed) adds NFS to NT. The WinDD server mounts filing systems remotely on the WinDD-NT application server so that entire subdirectory structures don't have to be dragged through slow modem links or network resources.
WinDD users can run Windows or DOS at the speed of the WinDD host computer-regardless of the X workstation speed.
Both WinFrame/Enterprise and WinDD are designed to give administrators thorough control. You can offer users their choice of a DOS session or a Win95 session, or you can lock the availability of sessions to your own choices.
Although each platform can run with minimal hard disk space (200MB), the number of concurrent users can chew up disk space quickly. So you have to arrange adequate storage for applications. Both WinFrame/Enterprise and WinDD support multi-CPU installations that can add muscle for processor-intensive or heavily used platforms, and both offer the same NetWare and Banyan support NT 3.51 offers.
These products do have a downside. WinFrame, for instance, couldn't run the initial release of Microsoft's new Exchange Server because the Citrix kernel is slightly different than the NT kernel, enough to make Exchange balk during installation. However, Exchange clients (DOS and all the Windows flavors) can run successfully and concurrently on WinFrame because they don't require the NT kernel to work properly.
Remote-control applications are prime WinFrame and WinDD candidates. These could include human-resources apps, pricing software for field sales personnel and environments in which users need to run programs that are too advanced for their hardware.
There's another way to turn your NT box into a UNIX-like terminal-NT now has the ability to take advantage of the Internet for internal connectivity.
The Internet was initially built to connect diverse hosts and workstations-most of them in one of the various flavors of UNIX-across varying types of communications links. The TCP/IP protocol suite, which the Internet uses as its foundation, is an open standard; unless specifically encrypted, all data on the Internet is visible to anyone who invests the time and effort to access it.
Thanks to NT, you can use the Internet as a Virtual Private Network (VPN), but it takes some additional work. Microsoft's new point-to-point tunneling protocol (PPTP) is a variation on the widely used point-to-point protocol (PPP). PPTP runs TCP/IP with error-checking and compression, and allows a variety of protocols to be tunneled inside of PPP, including TCP/IP, IPX and NetBEUI.
PPTP embeds security by using CHAP (challenge handshake authentication protocol), also used in Windows RAS. That security, coupled with multi-protocol tunneling, gives organizations the ability to link servers in a UNIX/Internet-style. It also allows remote users to engage virtual sessions from across the Internet, using products like WinFrame/Enterprise and WinDD, either with high-speed or dial-up links.
In effect, the Internet becomes the WAN connection for the VPN. PPTP allows users to access organizational resources as securely connected peers over the Internet. They can use whatever protocol suits company standards-TCP/IP, IPX and NetBEUI as required.
PPTP gives companies the freedom to build only a single access point for telecommuters-a connection between the LAN and the Internet. A PPTP-aware connection needs support for PPTP at both the client and the server end, but PPTP-equipped hardware will enable systems lacking PPTP drivers to use standard PPP to connect to the Internet, which would then be tunneled via PPTP to a corporate LAN.
On the security front, PPTP avoids the problem of managing encryption keys inherent in most current Secure IP setups. This integrates nicely with NT's mandate for ultra-tight security.
The contents of all PPTP sessions will be encrypted using RSA Data Security's RC4 specification. Only 40-bit encryption will be supported in PPTP initially; later iterations, however, will support 128-bit encryption-but only in the U.S.
In a way, PPTP is designed to compete with ICA as a multiprotocol transport method. ICA's adoption by Microsoft means it won't go away, while PPTP has not even been adopted as a standard yet.
Still, there are some heavy hitters interested in the PPTP protocol. Companies such as Ascend Communications, U.S. Robotics and 3Com are all committed to making router hardware and drivers to carry PPTP. Upstream Internet router equipment from third-party vendors such as Cisco Systems and Bay Networks will pass PPTP packets because PPP, a standard protocol, surrounds PPTP.
PPTP is not just for the high end. In the not-too-distant future, Microsoft plans to support the protocol in all versions of Windows. At that point, PPTP is bound to become ubiquitous.
When it becomes widely supported, PPTP will be a viable-and far less costly-alternative to leased lines within the enterprise infrastructure.
As Microsoft adopts its Web browser, Internet Explorer, as the user interface for Windows, it will become possible to use products like WinFrame and WinDD as directly accessible public or private applications servers. Instead of viewing HTML pages on the Internet, you may actually be using an application residing inside Windows NT on a LAN or WAN-and not know or care. The cross platform interchange ability allows the user to concentrate on working within the applications, regardless of platform.
Coupled with the preview edition of Microsoft's Directory Server in Windows NT 4.0 and the advent of Microsoft's Proxy Server, this will result in a wide variety of Internet and intranet applications, including ActiveX, DirectX or even Java-enabled applications.
With a ceiling for the number of concurrent users, Citrix's WinFrame won't replace Java applets for certain corporate uses, despite the Internet coloring of NT. Even so, products like WinFrame and WinDD will continue to be versatile and malleable puzzle pieces in the construction of network applications servers.
Price: $5,995 for 15 users and application server; five additional users, $995
Price: $2,495, 10 users
Tom Henderson is the Enterprise Administrator columnist for WINDOWS Magazine. Click Here to find the e-mail IDs for our editors, who can put you in touch with this author.