NCP Secure Communications
The whole is greater than the sum of its parts
Not every enterprise has a connection from the central site to the ISP (Internet Service Provider) with a permanent IP address; for cost reasons, a DSL line is often chosen instead. Since reaching corporate headquarters depends on knowing its IP address, the currently valid IP address of the central Secure Gateway must be communicated to the Remote Client.
NCP Secure Communications can also work with changing IP addresses, which the ISP assigns anew each time the DSL connection is forcibly disconnected. The problems caused by changing IP addresses also affect access to remote clients from the central site.
Three basic scenarios are feasible:
- Teleworkers access the corporate network, which has a DSL or ISDN flat rate connection to the Internet (dial-in).
- Teleworkers access the corporate network, which has an ISDN connection to the Internet (dial-in)
- Teleworkers or subsidiaries are dialed-up via ISDN from the corporate network (dial-out)
NCP Secure Communications offers two features that cover all of the communication relationships in these dynamic environments:
- Trigger call: the destination system does not have to be online (ISDN)
Trigger call makes it possible to inform the communication partner of the desire to communicate without that partner being online. The first step is a direct, no-charge dial-in via ISDN using the "D-channel knocking" feature with concurrent caller-ID. After the caller-ID has been verified, the callback follows via the Internet and a VPN tunnel is set up for secure data transfer. The destination can be a remote client, a decentralized gateway (a subsidiary, for example) or the central gateway in the corporate headquarters.
An example of how a connection is set up:
- The central gateway initiates a trigger call via ISDN to the other side (gateway or client).
- Callback via the Internet to the pre-configured permanent IP address of the central gateway.
- Concurrent establishment of the VPN tunnel (end-to-end).
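The three steps above, as a constructed simulation of the called side (a remote client or branch gateway). This is an added example, not NCP's own code: the D-channel knock, the caller-ID check and the callback over the Internet are modelled as plain function calls, and the caller IDs, host names and addresses are made up. The security-relevant point it shows is that nothing happens for an unconfigured caller-ID, and that the callback address comes only from local configuration.

```python
"""Trigger-call flow on the called side: knock -> caller-ID check -> callback -> tunnel."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    IDLE = "idle"
    CALLING_BACK = "calling back over the Internet"
    TUNNEL_UP = "VPN tunnel established"


@dataclass(frozen=True)
class KnownCaller:
    """One entry of the receiver's local configuration (constructed values)."""
    name: str
    caller_id: str      # ISDN number presented with the D-channel knock
    permanent_ip: str   # pre-configured permanent address of the central gateway to call back


@dataclass
class TriggerCallReceiver:
    callers: dict                       # caller_id -> KnownCaller, from local configuration
    state: State = State.IDLE
    log: list = field(default_factory=list)

    def knock(self, caller_id: str):
        """Handle a D-channel knock. The call is not answered (no charge); only the
        caller-ID is checked against configuration. Returns the address that was
        called back, or None when the knock was ignored."""
        caller = self.callers.get(caller_id)
        if caller is None:
            self.log.append(f"knock from unknown caller-ID {caller_id}: ignored")
            return None
        self.log.append(f"knock from {caller.name}: caller-ID verified")
        return self._call_back(caller)

    def _call_back(self, caller: KnownCaller) -> str:
        """Dial into the Internet and contact the pre-configured permanent address.
        The address is taken from configuration only, never from the knock itself."""
        self.state = State.CALLING_BACK
        self.log.append(f"calling back {caller.permanent_ip}")
        # The VPN tunnel, with its own authentication, is set up on this IP connection;
        # the knock merely triggered it.
        self.state = State.TUNNEL_UP
        self.log.append(f"VPN tunnel to {caller.name} up")
        return caller.permanent_ip


def run_scenario() -> dict:
    """One knock from the configured headquarters number, one from an unknown number."""
    hq = KnownCaller("hq-gateway", caller_id="+49-30-555-0100", permanent_ip="198.51.100.1")
    receiver = TriggerCallReceiver(callers={hq.caller_id: hq})
    verified = receiver.knock(hq.caller_id)            # -> "198.51.100.1"
    state_after = receiver.state.value                 # -> "VPN tunnel established"
    unknown = receiver.knock("+49-89-555-0199")        # -> None, nothing dialled
    return {"verified": verified, "state": state_after, "unknown": unknown, "log": receiver.log}


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

The receiver never answers the ISDN call, so the knock itself costs nothing and carries no data; the only input it acts on is the caller-ID, and the only address it will ever dial is the one in its own configuration.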
- DynDNS (Dynamic Domain Name Server): the destination system must be online (flat rate)
In contrast to Trigger call, dial-in here takes place immediately via the Internet. If the communication partner is online, this feature allows an end-to-end VPN connection to be set up between client and gateway, or between gateways, despite an initially unknown IP address.
An example of how a connection is set up:
- The central gateway dials into the Internet via DSL (flat rate). A DynDNS server on the Internet holds the registration of the central gateway's (permanent) host name (DNS name). After dial-in, the gateway's current IP address is assigned to this entry.
- The remote client wants to access the central data network and dials into the Internet. Instead of an IP address, the DNS name of the destination system is configured on the client; the DynDNS server converts the name into the current IP address (name resolution).
- Once the current IP address has been obtained, an end-to-end tunnel is set up to the destination system.
For DynDNS the destination system is always addressed by its name, regardless of whether it has an IP address from the local area network or an IP address in the VPN. Assigning names according to DNS is significantly more user-friendly than configuring individual IP addresses on each teleworkstation.
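The DynDNS steps above, as a constructed simulation that is not part of the original page or NCP's software. An in-memory registry stands in for the DynDNS server, a gateway re-registers its address after every dial-in, and a client that is configured with the DNS name only resolves it on every connect. The HMAC-protected update is an assumed mechanism for the example, not the protocol of any real DynDNS provider; host names, addresses and the secret are made up. Beyond the three steps, the scenario also shows the failure mode of reusing an address resolved before the gateway's forced disconnect.

```python
"""DynDNS flow: gateway re-registers its changing IP, client connects by name."""
import hashlib
import hmac


def _update_token(secret: bytes, hostname: str, ip: str) -> str:
    """HMAC over (hostname, ip): only the holder of the host's secret can change its entry."""
    return hmac.new(secret, f"{hostname}|{ip}".encode(), hashlib.sha256).hexdigest()


class DynDnsRegistry:
    """Stand-in for the DynDNS server: host name -> current IP address."""

    def __init__(self):
        self._records = {}   # hostname -> current IP
        self._secrets = {}   # hostname -> update secret

    def register_host(self, hostname: str, secret: bytes) -> None:
        self._secrets[hostname] = secret

    def update(self, hostname: str, new_ip: str, token: str) -> bool:
        """Overwrite the entry only when the token proves knowledge of the host's secret."""
        secret = self._secrets.get(hostname)
        if secret is None or not hmac.compare_digest(_update_token(secret, hostname, new_ip), token):
            return False
        self._records[hostname] = new_ip
        return True

    def resolve(self, hostname: str):
        return self._records.get(hostname)


class CentralGateway:
    """Gateway on a DSL flat rate: the ISP hands out a new IP after each forced disconnect."""

    def __init__(self, hostname: str, secret: bytes, registry: DynDnsRegistry, network: dict):
        self.hostname, self._secret, self._registry, self._network = hostname, secret, registry, network
        self.ip = None

    def dial_in(self, assigned_ip: str) -> bool:
        """Take the ISP-assigned address, become reachable there, and refresh the DynDNS entry."""
        if self.ip in self._network:          # the old address is gone after the forced disconnect
            del self._network[self.ip]
        self.ip = assigned_ip
        self._network[assigned_ip] = self
        return self._registry.update(self.hostname, assigned_ip,
                                     _update_token(self._secret, self.hostname, assigned_ip))


class RemoteClient:
    """Client configured with the gateway's DNS name; it resolves the name on every connect."""

    def __init__(self, gateway_name: str, registry: DynDnsRegistry, network: dict):
        self.gateway_name, self._registry, self._network = gateway_name, registry, network

    def connect(self, cached_ip=None) -> tuple:
        """Return ("tunnel", ip) on success, else ("fail", reason).
        `cached_ip` reproduces reusing an address resolved before the gateway's
        forced disconnect instead of resolving the name again."""
        ip = cached_ip or self._registry.resolve(self.gateway_name)
        if ip is None:
            return ("fail", "name not registered")
        peer = self._network.get(ip)
        if peer is None:
            return ("fail", f"nothing answers at {ip}")
        # The tunnel is bound to the gateway's identity (its name), not to whatever
        # address it has right now; the address is only how the gateway is reached.
        if peer.hostname != self.gateway_name:
            return ("fail", f"peer at {ip} is not {self.gateway_name}")
        return ("tunnel", ip)


def run_scenario() -> list:
    """Dial-in, connect by name, forced disconnect with a new address, reconnect."""
    registry, network = DynDnsRegistry(), {}
    secret = b"constructed-update-secret"
    registry.register_host("vpn.example.com", secret)
    gateway = CentralGateway("vpn.example.com", secret, registry, network)
    client = RemoteClient("vpn.example.com", registry, network)

    events = []
    events.append(("dial-in", gateway.dial_in("203.0.113.10")))
    events.append(("connect", client.connect()))                        # resolves to .10
    events.append(("dial-in", gateway.dial_in("203.0.113.77")))         # forced disconnect, new IP
    events.append(("stale", client.connect(cached_ip="203.0.113.10")))  # old address no longer answers
    events.append(("connect", client.connect()))                        # fresh resolution -> .77
    events.append(("forged", registry.update("vpn.example.com", "198.51.100.9", "bogus")))
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

Two points carry over to a real deployment: the client must resolve the name at connection time rather than caching an address across the gateway's forced disconnects, and the registry entry must only be changeable by the gateway itself, since whoever controls the name controls where clients go looking for the tunnel endpoint.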