Connecting the LAN to the Internet


EXAM 70-293 OBJECTIVE 2, 2.3, 2.5

You can connect a Windows Server 2003 network to the Internet in two basic ways:

  • Using a router to directly route traffic to and from the Internet

  • Using a translation service to convert traffic from an internal network to Internet traffic

The following sections discuss the advantages and disadvantages of these methods.

Routed Connections

The traditional method of connecting a network to the Internet is to use a router to route traffic between the external network and your local network. The advantages of this approach are that it is easy to configure, requiring only simple hardware setup, and that it allows full Internet access for all machines on the local network segment. It also allows all machines on the network to provide services to the Internet.

Routed connections have two chief disadvantages. First, every machine on the local network is reachable from anywhere on the Internet. This is rarely necessary and creates a large number of potential security problems. Second, a separate Internet IP address is required for each machine that can access the Internet. Since IP addresses are scarce and are issued only to networks that can prove a need for them, this is not the most efficient approach.

Advantages of Routed Connections

Although translated connections are becoming increasingly popular, routed connections do have a number of advantages:

  • Since each client is connected to the Internet through the router, clients can connect even if the local network servers are not working.

  • Some Internet clients, such as multimedia applications and games, do not work correctly over a translated connection.

  • Each machine has a dedicated Internet IP address and can be used for services such as File Transfer Protocol (FTP) and Domain Name System (DNS) that require a unique IP address per host.

Hardware and Software Routers

A routed connection uses a router, a device that transmits data between the internal network and the Internet. There are two types of routers:

  • A hardware router is a dedicated device. Hardware routers provide a simple “out-of-the-box” solution for Internet connections.

  • A software router runs as a service on one of the computers on the network. The Routing and Remote Access Service (RRAS) in Windows Server 2003 allows a computer to act as a router.

In order to use a computer as a software router, it must have two network connections: one to the internal network (LAN) and one to the external network (the Internet). Microsoft sometimes refers to a computer with two network connections as a multihomed computer.

IP Addressing for Routed Connections

When you are using a routed connection to the Internet, each machine on the internal network will need a valid Internet IP address. IP addresses are managed by a central authority, the American Registry for Internet Numbers (ARIN). You will typically obtain IP addresses from an Internet Service Provider (ISP), which has obtained a block of addresses from ARIN for use by its clients.

Once you have been issued one or more IP addresses, you can assign them to the computers in the network. There are two basic ways to accomplish this:

  • By manually configuring an IP address in each computer’s network connection properties

  • By using the Dynamic Host Configuration Protocol (DHCP) to assign addresses

Using DHCP, you can define the IP addresses you have been issued in the DHCP server, and clients are automatically assigned, or leased, an address when they are booted. If a client disconnects from the network, its lease expires after a timeout period and the address becomes available to other computers.

Test Day Tip

Any Windows Server 2003 (or Windows 2000 Server) computer can act as a DHCP server. To configure DHCP, select Start | Administrative Tools | Configure Your Server Wizard and enable the DHCP Server role.

Translated Connections

The second strategy is to use a service that translates between internal IP addresses and external addresses used on the Internet. By using this technique, you can enable Internet access for many computers using a single Internet IP address. Along with conserving address space, address translation ensures that your computers are not accessible directly from the Internet, effectively preventing many types of network attacks.

Network Address Translation (NAT) is an Internet standard defined in RFC 1631 for systems that translate between internal and external network addresses. Windows networks support two types of NAT service:

  • Network address translation (NAT) is a full-featured NAT implementation supported by Windows 2000 Server and Windows Server 2003.

  • Internet Connection Sharing (ICS) is a simplified NAT implementation for small networks, and is supported by Windows 98 Second Edition, Windows Me, Windows XP, and Windows 2000 Professional.

When you configure the NAT or ICS service, the computer that acts as the NAT server must have at least two network connections: a connection to the Internet (typically a modem or broadband connection) and a connection to the LAN containing the computers that will share the Internet connection.

Network Address Translation (NAT)

EXAM 70-293 OBJECTIVE 2.5

NAT is Microsoft’s full-featured address translation feature. When you access the Internet on a network that uses a NAT server, outgoing packets are sent to the NAT server, which changes their originating address and forwards them to the Internet. The returned packets are delivered to the NAT server. The server then translates the packets to internal IP addressing and sends them to the machine that made the original request.

The Windows Server 2003 NAT server actually supports three separate services:

  • NAT, the address translation service

  • DHCP for assigning IP addresses to clients that are sharing the Internet connection

  • DNS for name resolution

Depending on your network configuration, you might not need the NAT server to handle address assignment or name resolution. You can choose whether to use these components when you configure the NAT server. If you have dedicated DHCP or DNS servers on the network, you can continue to use them with NAT. (The DNS service forwards requests to an Internet DNS server and returns the results to the appropriate client within the private network.)

Installing the NAT Service

NAT is part of the RRAS component of Windows Server 2003. RRAS is installed with Windows Server 2003 but is not enabled by default. You can enable this service using the Manage Your Server application that is launched when you install the operating system or by using the Routing and Remote Access MMC snap-in. Windows Server 2003 includes a wizard that can enable RRAS and set up a NAT server. Exercise 5.01 shows how to configure NAT using the wizard.

Exercise 5.01: Installing NAT Using the Wizard


You can install NAT on a Windows Server 2003 server that does not yet have RRAS enabled using the Routing and Remote Access Server Setup Wizard. This exercise guides you through the process of setting up a basic NAT server using the Wizard.

  1. Select Start | Administrative Tools | Routing and Remote Access to start the RRAS MMC snap-in.

  2. Click the RRAS server name (usually the current machine) in the left column to highlight it.

  3. From the menu, select Action | Configure and Enable Routing and Remote Access.

  4. The Wizard displays a Welcome window. Click Next to continue.

  5. The Configuration window appears. Select the Network address translation (NAT) option, as shown in Figure 5.1, and click Next.

    Figure 5.1: Select NAT from the RRAS Wizard

  6. The NAT Internet Connection window is displayed. Here, you can choose how the NAT server will connect to the Internet. Choose either Use this public interface to connect to the Internet or Create a new demand-dial interface to the Internet.

  7. You can optionally choose to enable basic security for the Internet interface by checking the Enable security on the selected interface by setting up Basic Firewall option. This option is enabled by default.

  8. Click Next to continue.

  9. The Ready to Apply Selections window is displayed. Click Next to start the RRAS service.

    If you chose to create a new demand-dial interface in Step 6, the Demand-Dial Interface Wizard will guide you through this process. This Wizard is described in Exercise 5.04, later in this chapter. Otherwise, you are returned to the Routing and Remote Access MMC snap-in, and you can now manage the NAT service as described in the next section.


Test Day Tip

Remember that you need at least two network interfaces on the NAT server: one connected to the private network, usually a LAN adapter, and one connected to the Internet. You can configure a demand-dial Internet connection (if you’re using a modem or ISDN dial-up instead of an “always-on” connection to the Internet) during the NAT server setup process.

You can also configure NAT manually using the Routing and Remote Access MMC snap-in. This is the only way to configure a NAT server on a machine that already has RRAS enabled. RRAS can perform NAT along with its other functions, which include acting as a network router or accepting dial-up network connections.

Managing NAT

After you have enabled RRAS and set up a NAT server, you can manage the server from the Routing and Remote Access MMC snap-in. Select the server and select Action | Properties to display the Properties dialog box. Select the IP tab within this dialog to display the IP properties, shown in Figure 5.2. This page allows you to manage the address assignment feature of NAT. The NAT server can assign IP addresses in one of two ways:

  • Select Dynamic Host Configuration Protocol (DHCP) to use an existing DHCP server to handle addressing.

  • Select Static address pool to explicitly list the IP addresses this server can assign to clients. Once you have selected this option, you can use the Add, Edit, and Remove options to create a list of one or more IP address ranges for the address pool.

    Figure 5.2: The IP Properties for an RRAS Server

The IP properties tab also includes an option to manage the name resolution feature of NAT. Select the Enable broadcast name resolution option if you do not have a DNS or Windows Internet Name Service (WINS) server on the network to handle name resolution. If this option is selected, the RRAS server uses network broadcasts to resolve names. This eliminates the need for a dedicated name server on single-subnet Windows-based networks.

Test Day Tip

If you are not using broadcast name resolution, the NAT server needs to know the IP address of a DNS or WINS server to complete resolution requests. These server addresses are not part of the RRAS configuration. You must specify them using the Properties dialog box for the network interface.

Configuring a NAT Connection

You can also manage the settings for a NAT interface from the Routing and Remote Access console. To access these settings, select the NAT/Basic Firewall entry under IP routing in the left column, and then select Action | Properties from the menu. The Properties dialog box is divided into four tabbed sections:

  • NAT / Basic Firewall On this tab, shown in Figure 5.3, you can enable or disable NAT for the connection. You can also enable a basic firewall, which prevents unauthorized traffic from the Internet from reaching the internal network. You can also use the Inbound Filters and Outbound Filters buttons to define IP filters to further secure the connection.

    Figure 5.3: NAT Properties

  • Address Pool Allows you to define the Internet addresses that will be used by the NAT server. Don’t confuse this with the pool of private addresses the server can assign to clients. At least one Internet address must be included here. You can also use the Reservations button to define an external address that always reaches the same internal client machine. This is useful if you need to run a Web server or other service and make it accessible over the Internet.

  • Services and Ports Allows you to enable various services, such as FTP and Simple Mail Transfer Protocol (SMTP), that will be accessible to Internet users, and define the internal machines these packets will be routed to.

  • ICMP Allows you to enable various types of diagnostic packets. These may be needed if you wish the NAT server to respond to PING or Traceroute diagnostics.

How NAT Works

NAT transparently handles translation, so clients do not need to be aware that NAT is in use. Instead, they are configured with the NAT server’s address as their default gateway. When a client sends an outgoing packet, it is sent to the NAT server. The NAT server receives the packet and performs the following tasks:

  • The packet’s destination address and port are stored in an entry in the NAT table, along with the internal address from which the packet originated.

  • The packet’s source address is changed to the NAT server’s address, and a random port number is assigned.

  • The packet is sent over the Internet.

  • When the remote server responds, the response is sent to the NAT server at the port number previously assigned. The NAT server consults the NAT table to determine which client requested the response, edits the packet to use the client’s internal IP address as its destination, and sends it to the internal network.

Some Internet protocols, such as FTP, store addressing information within the packet itself, which would not normally work with NAT. The NAT server uses a NAT editor to modify the addresses for these protocols. Windows Server 2003 includes editors for several protocols. Keep in mind that some protocols may not be supported across the NAT server.
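The following is an added example, not code from the book or from Windows, that models the NAT table walk-through above together with a static Services and Ports mapping of the kind configured in the Configuring a NAT Connection section. All addresses are constructed; the model goes slightly beyond the text by checking that an inbound reply comes from the peer recorded for that port, so a stray packet aimed at a translated port from some other host is dropped rather than forwarded.

```python
# Added example: a minimal model of a NAT server's translation table.
# Constructed addresses: private LAN 192.168.0.0/24, public NAT address 203.0.113.10.
import random
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed public address of the NAT server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatServer:
    def __init__(self, public_ip, rng=None):
        self.public_ip = public_ip
        self.rng = rng or random.Random()
        # NAT table: external port -> (client ip, client port, destination ip, destination port)
        self.table = {}
        # Static "Services and Ports" entries: external port -> (internal host, internal port)
        self.services = {}

    def add_service(self, external_port, internal_ip, internal_port):
        self.services[external_port] = (internal_ip, internal_port)

    def outbound(self, pkt):
        # Record destination and originating client, then rewrite the source to the
        # NAT server's public address and a randomly chosen, unused external port.
        while True:
            port = self.rng.randint(49152, 65535)
            if port not in self.table and port not in self.services:
                break
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        # Reply to a tracked flow: look up the external port and restore the client
        # as destination; only accept it from the peer the client actually contacted.
        entry = self.table.get(pkt.dst_port)
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        # Published service: forward to the configured internal host.
        svc = self.services.get(pkt.dst_port)
        if svc:
            return Packet(pkt.src_ip, pkt.src_port, svc[0], svc[1])
        return None  # no table or service entry: there is no internal destination, so drop it


def demo():
    nat = NatServer(PUBLIC_IP, random.Random(7))
    nat.add_service(119, "192.168.0.20", 119)  # constructed NNTP host behind the NAT
    out = nat.outbound(Packet("192.168.0.5", 1025, "198.51.100.80", 80))
    back = nat.inbound(Packet("198.51.100.80", 80, PUBLIC_IP, out.src_port))
    spoof = nat.inbound(Packet("198.51.100.99", 80, PUBLIC_IP, out.src_port))
    stray = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 3389))
    news = nat.inbound(Packet("198.51.100.7", 40000, PUBLIC_IP, 119))
    return out, back, spoof, stray, news
```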

Internet Connection Sharing (ICS)

Internet Connection Sharing (ICS) is a simple implementation of a NAT server and is included with all versions of Windows 2000, Windows XP, and Windows Server 2003, as well as Windows 98 Second Edition and Windows Me. It is much easier to configure and use than the full NAT service. Although ICS supports the basic translation features of NAT, it has a couple of limitations:

  • ICS supports only a single Internet IP address and a single LAN connection. The full NAT service can connect any number of public IP addresses to multiple LANs.

  • ICS cannot be used on networks that have a DHCP or DNS server implemented.

Test Day Tip

You should use ICS only when you are not using the NAT feature on the server, or when you are using an operating system for the NAT host, such as Windows XP, that supports ICS but not the full NAT service.

Activating the ICS Service

ICS is included and installed automatically with all versions of Windows Server 2003 and Windows 98 Second Edition and later. This feature is disabled by default, but enabling it is a simple process.

To enable ICS, open the Properties dialog box for the network adapter that connects to the Internet and select the Advanced tab. The Advanced properties are displayed, as shown in Figure 5.4. To enable ICS, simply check the Allow other network users to connect through this computer’s Internet connection option. You can also optionally check the Establish a dial-up connection whenever a computer on the network attempts to access the Internet option for a dial-up Internet connection.

Figure 5.4: The Advanced Internet Provider Properties

Test Day Tip

The ICS options are included only in the Advanced tab of the Properties dialog box for Internet connections. LAN connections, such as the default Local Area Connection, do not include this option, since they connect only to the local network. You will, however, find the Connection Sharing option in the Properties dialog box for VPN connections.

Configuring Services

ICS is primarily a way for computers on your network to access Internet services, but it also allows you to configure services that are provided by a machine on your network and available via the Internet. When you use this option, incoming requests from the Internet are received by the ICS server and forwarded to whichever local machine is providing the service.

When ICS is enabled, you can click the Settings button in the Advanced tab of the Properties dialog box to configure the services available on your network and specify which client machines provide them. No services are enabled by default. The Services dialog box, shown in Figure 5.5, lists a number of common services and allows you to configure them or add additional services.

Figure 5.5: The Network Services That Internet Users Can Access

Whether you use one of the predefined services, such as an FTP server or a Telnet server, or configure a custom service, you need to specify which computer on the local network will provide the service. Exercise 5.02 demonstrates the process of adding a new service.

Exercise 5.02: Adding a Custom Service


You need to add an entry for any service on your network that should be accessible from outside the network. For example, the Network News Transfer Protocol (NNTP) service is not included as one of the default options, so you can add an entry for it. Follow these steps to add a custom service:

  1. From the Network Connections window, right-click the Internet connection you are sharing and click Properties.

  2. Select the Advanced tab.

  3. Ensure that the Allow other network users to connect through this computer’s Internet connection is enabled and click Settings.

  4. The Services dialog box is displayed. Click Add.

  5. The Service Settings dialog is displayed. In the Description of service text box, enter Net News Transfer Protocol, as shown in Figure 5.6.


    Figure 5.6: Service Settings

  6. In the Name or IP address text box, enter the machine name or IP address for the local machine providing the service.

  7. In the External port number for this service text box, enter 119.

  8. In the Internal port number for this service text box, also enter 119.

  9. Click OK.

  10. You are returned to the Services dialog box, and the new service is now listed. Click OK to return to the Properties dialog box.





MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173