Microsoft Corporation
Published: March 2003

Introduction

Connecting a medium-sized office network to the Internet has traditionally been a difficult process requiring separate computers and extensive knowledge of network devices. For many, making a connection to the Internet seemed costly and difficult to manage. With Windows Server 2003, making a connection to the Internet is easier, more secure, and can be accomplished with relatively inexpensive hardware and basic Internet service provider (ISP) services.
This white paper is intended for users of medium-sized Windows Server 2003 domain-based networks who want to set up Internet access and share it with local area network clients. A basic understanding of domain-based networks, Domain Name System (DNS), and the Dynamic Host Configuration Protocol (DHCP) is assumed. This paper is not intended as a comprehensive review of all routing features of Windows Server 2003; rather, it focuses on the basic Internet gateway capabilities.
Scenario Requirements

This document walks you through the setup of a Windows Server 2003-based server as an Internet connection server that shares access with a local area network. It is assumed that in order to connect to the Internet you have an active account with an ISP and a physical connection to the Internet. This could be a dial-up connection (such as an analog modem or ISDN connection) or a dedicated connection using a cable modem or Digital Subscriber Line (DSL).
To configure the server for Internet access sharing, you will need to configure the Routing and Remote Access service to act as a network address translator (NAT). A NAT relies on a single public IP address for the Internet and translates all internal client traffic to and from this IP address.
By setting up NAT, companies benefit in the following ways:
· Lower cost
NAT allows you to share a single public IP address with many internal clients, avoiding the cost of setting up multiple public Internet address accounts.
· Increased security
By hiding the IP addresses of private network clients and servers from the Internet, NAT provides an increased level of intranet security.
Scenario Tasks

In this white paper, we will describe the following tasks:
Setup and Management Tasks
· Network setup and configuration using the network address translation capability of Routing and Remote Access
· Configuration and setup of Routing and Remote Access service for a dedicated or demand-dial connection to the Internet
· Configuration of the private network DNS server to forward Internet name resolution requests to an ISP DNS server
Internet Connection Setup Tasks

The Routing and Remote Access service, which is integrated in Windows Server 2003, provides a variety of capabilities such as connecting remote users, connecting office networks, and connecting networks to the Internet. This white paper describes how to configure Windows Server 2003 to provide a basic outbound connection to the Internet that can be shared with other computers on your internal network.
To set up your network for Internet access, you need to:
1. Establish an Internet account with an ISP.
2. Configure Windows Server 2003 for Internet access.
3. Update your local DNS server for Internet naming resolution.
Establishing an Internet Account with an ISP

You must establish an account with an ISP to access the Internet. An ISP provides the following information needed to configure your server and network environment:
· Account name and password. This is used for authentication purposes.
· Assigned IP address. This is your public IP address associated with your account. This can be statically or dynamically assigned.
· ISP DNS server address. This is used to forward DNS requests for Internet names to the ISP’s DNS server.
· Phone number. For demand-dial connections, this is the number for your ISP.
Note: If you plan to host a Web server or a virtual private network (VPN) remote access server, you need to request a static IP address or have an ISP that supports DNS dynamic update. Outbound Internet traffic will work with a dynamically assigned IP address, but external computers will not be able to connect to your network over the Internet.
Before you set up Internet sharing, check with your ISP about any licensing limitations on shared access through a single ISP connection.
Configuring Windows Server 2003 for Internet Access

Select a computer on your network that will act as the Internet connection server. This computer requires Windows Server 2003 with Routing and Remote Access configured and at least one network adapter connected to your private network. For a dedicated connection to the Internet, an additional network adapter must be installed. For a demand-dial connection to the Internet, install a modem or ISDN adapter.
Assigning IP Addresses

If your server is already connected to the private network, the attached network adapter should already have an IP address that was dynamically assigned by the local DHCP server. Because this server will be used as the Internet connection server, you will need to assign a static IP address to the private network adapter. This static IP address should be excluded from the DHCP scope for the subnet to which the Internet connection server is attached.
To communicate the server’s new role as an Internet gateway to all clients on the subnet attached to the Routing and Remote Access server, you will also need to add this static IP address to the Router (Default Gateway) DHCP option. For more information about how to add this option, see Windows Server 2003 Help and Support. If your private network consists of multiple subnets, adjust your routing infrastructure so that default route traffic is forwarded to the static IP address of the Internet connection server's private network interface.
When you have two network adapters installed on the server computer, you must be able to identify which network adapter is connected to the private network and which is connected to the Internet. Therefore, it is a good idea to rename the connections corresponding to the adapters with descriptive names, such as "Private Network" and "Internet." This can be done from the Network Connections folder.
For this white paper, we assume that the private network adapter is named "Private Network" and is assigned a reserved static IP Address of 10.10.1.90. We also assume that the ISP assigned a static public IP address of 131.107.0.20 to your company. The public IP address should be assigned to the Internet connection. To assign IP addresses to the LAN connections:
1. Log on to the Routing and Remote Access server with an account that has administrator privileges.
2. Click Start, point to Settings, point to Network Connections, right-click the connection connected to your private network, and then click Properties.
3. On the General tab, under This connection uses these items, double-click Internet Protocol (TCP/IP).
4. On the General tab, click Use the following IP address and type the appropriate IP address and subnet mask. Click OK to accept the changes to the TCP/IP protocol. Click OK to save changes to the connection.
5. If you have a dedicated Internet connection, repeat these steps for the Internet connection, but assign the static IP address provided by your ISP.
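The two addressing requirements stated above (the server's static private address must be excluded from the DHCP scope, and the scope's Router option must point at that address) are easy to get wrong when the scope is edited later. The following check is an added example written for this white paper, not a Microsoft tool; it uses the paper's addresses (10.10.1.90 on 10.10.1.0/24) and a constructed DHCP scope range and exclusion list as its input.

```python
import ipaddress


def check_gateway_addressing(nat_private_ip, subnet, scope_start, scope_end,
                             exclusions, router_option):
    """Return a list of problems; an empty list means the addressing is consistent.

    nat_private_ip: static address of the server's private network adapter
    subnet:         the private subnet, e.g. "10.10.1.0/24"
    scope_start/scope_end: the DHCP scope's address range on that subnet
    exclusions:     (first, last) address ranges excluded from the scope
    router_option:  value of the scope's Router (Default Gateway) option
    """
    ip = ipaddress.ip_address(nat_private_ip)
    net = ipaddress.ip_network(subnet, strict=True)
    lo, hi = ipaddress.ip_address(scope_start), ipaddress.ip_address(scope_end)
    problems = []

    if ip not in net:
        problems.append(f"{ip} is not an address on {net}")

    in_scope = lo <= ip <= hi
    excluded = any(ipaddress.ip_address(a) <= ip <= ipaddress.ip_address(b)
                   for a, b in exclusions)
    if in_scope and not excluded:
        # DHCP could lease the gateway's address to a client, causing an
        # address conflict and loss of Internet access for the whole subnet.
        problems.append(f"{ip} is inside the scope {lo}-{hi} but not excluded")

    if ipaddress.ip_address(router_option) != ip:
        # Clients would send Internet-bound traffic somewhere other than the NAT.
        problems.append(f"Router option {router_option} does not point at {ip}")

    return problems


def scenario_checks():
    """Paper's addresses with a constructed scope: one good and two bad configurations."""
    scope = dict(subnet="10.10.1.0/24", scope_start="10.10.1.1", scope_end="10.10.1.254")
    gateway = "10.10.1.90"
    good = check_gateway_addressing(gateway, exclusions=[(gateway, gateway)],
                                    router_option=gateway, **scope)
    not_excluded = check_gateway_addressing(gateway, exclusions=[],
                                            router_option=gateway, **scope)
    wrong_gateway = check_gateway_addressing(gateway, exclusions=[(gateway, gateway)],
                                             router_option="10.10.1.1", **scope)
    return good, not_excluded, wrong_gateway


if __name__ == "__main__":
    for label, result in zip(("good", "not excluded", "wrong gateway"), scenario_checks()):
        print(f"{label}: {result or 'OK'}")
```

Run it after any change to the scope: an empty result for the live configuration means both conditions from the procedure above still hold.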
Configuring Routing and Remote Access for Network Address Translation

Routing and Remote Access can be configured to provide the following networking services:
· Remote access (dial-up or VPN) allows remote access clients to connect to this server through either a dial-up connection or a secure virtual private network (VPN) connection.
· Network address translation (NAT) allows internal clients to connect to the Internet using one public IP address.
· Virtual Private Network (VPN) access and NAT allows remote clients to connect to this server through the Internet and local clients to connect to the Internet using a single public IP address.
· Secure connection between two private networks allows a connection between your network and a remote network, such as a branch office.
· Custom configuration allows the selection of any of the features available in Routing and Remote Access.
For this deployment scenario, we are going to configure Routing and Remote Access to provide NAT services using the following procedure:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. In the contents pane, right-click the server name and click Configure and Enable Routing and Remote Access. The Routing and Remote Access Server Setup Wizard appears. Click Next to view choices for several default server roles.
3. Select Network address translation (NAT) as shown in the following figure.
4. Click Next. If you are using a dedicated Internet connection, see "Creating a dedicated Internet connection." If you are using a demand-dial Internet connection, see "Creating a demand-dial Internet connection."
Creating a Dedicated Internet Connection

In our example, we have two network adapters, one named Private Network and one named Internet. The Private Network connection is connected to the internal network and has the static IP address of 10.10.1.90. The Internet connection is configured with the IP address 131.107.0.20.
1. Continuing the procedure from "Configuring Routing and Remote Access for network address translation", on the NAT Internet Connection page, click Use this public interface to connect to the Internet, and click the Internet connection. Leave the Enable security on the selected interface by setting up Basic Firewall check box selected. This is shown in the following figure.
2. Click Next. On the Name and Address Translation Services page, click I will set up name and address services later. Because you already have DNS and DHCP services operating on your private network, you do not need the Routing and Remote Access server to provide these services. This is shown in the following figure.
3. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
4. To add a default route, in the console tree, double-click IP Routing, right-click Static Routes, and then click New Static Route.
5. In Interface, select the interface that corresponds to your dedicated Internet connection. In Destination, type 0.0.0.0. In Network mask, type 0.0.0.0. An example is shown in the following figure.
6. Click OK.
Steps 4-6 configure a default route, making all the locations on the Internet reachable from the Routing and Remote Access server.
You have finished configuring your Routing and Remote Access server as a network address translator with a dedicated Internet connection. Skip ahead to the "Updating the local DNS server for Internet naming resolution" section.
Creating a Demand-dial Internet Connection

Instead of having a dedicated connection to the Internet, you may choose to connect only when your private network users require access. Routing and Remote Access can automate the connection process whenever someone tries to access the Internet. In this example, we are using a modem to access the Internet instead of a network adapter.
1. Continuing the procedure from "Configuring Routing and Remote Access for network address translation," on the NAT Internet Connection page, click Create a new demand-dial interface to the Internet. Leave the Enable security on the selected interface by setting up Basic Firewall check box selected. The basic firewall is a stateful firewall that monitors all outbound traffic and dynamically creates inbound packet filters for the response traffic. This is shown in the following figure.
2. Click Next. On the Network Selection page, click the connection that is connected to the private network. This is shown in the following figure.
3. Click Next. On the Name and Address Translation Services page, click I will set up name and address services later. Because you already have DNS and DHCP services operating on your private network, you do not need the Routing and Remote Access server to provide these services. This is shown in the following figure.
4. On the Ready to Apply Selections page, click Next. The Routing and Remote Access service is configured and initialized and the Demand-Dial Interface Wizard is started.
5. On the Welcome to the Demand-Dial Interface Wizard page, click Next.
6. On the Interface Name page, type the name of the demand-dial interface. An example is shown in the following figure.
7. Click Next. On the Connection Type page, click Connect using a modem, ISDN adapter, or other physical device. This is shown in the following figure.
8. Click Next. On the Select a Device page, click the modem used to dial your ISP. An example is shown in the following figure.
9. Click Next. On the Phone Number page, type the phone number to dial your ISP in Phone number or address. An example is shown in the following figure.
10. Click Next. On the Protocols and Security page, click Next.
11. On the Dial Out Credentials page, type the credentials used to make a connection to your ISP. An example is shown in the following figure.
12. Click Next. On the Completing the Demand-Dial Interface Wizard page, click Finish.
13. In the console tree, click Network Interfaces.
14. In the details pane, double-click the newly created demand-dial interface.
15. Click the Networking tab, and then double-click Internet Protocol (TCP/IP).
16. Click Use the following IP address, and then type the public IP address assigned by the ISP in IP address. An example is shown in the following figure.
17. Click OK to save changes to the TCP/IP configuration. Click OK to save changes to the demand-dial interface.
18. To add a default route, in the console tree, double-click IP Routing, right-click Static Routes, and then click New Static Route.
19. In Interface, select the interface that corresponds to your demand-dial connection to the Internet. In Destination, type 0.0.0.0. In Network mask, type 0.0.0.0. An example is shown in the following figure.
20. Click OK.
Steps 18-20 configure a default route, making all the locations on the Internet reachable from the Routing and Remote Access server.
You have now completed configuring a demand-dial connection to the Internet. Similar to the dedicated Internet configuration, this server now has a static private network IP address and a static public IP address provided by the ISP.
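Three pieces of this configuration work together: the default route (steps 4-6 and 18-20) decides which traffic leaves through the Internet interface, the network address translator rewrites that traffic to the single public address described under "Scenario Requirements", and the Basic Firewall (step 1 of this procedure) admits inbound packets only when they answer an outbound flow. The simulation below is an added example written for this white paper, not Microsoft code, and it models those three behaviours with the paper's addresses (10.10.1.90, 131.107.0.20, 10.10.1.0/24); the client, web server and probe addresses are constructed, and the port allocation scheme is an assumption chosen for readability.

```python
import ipaddress
from dataclasses import dataclass, field

# Interface names and addresses from the white paper's scenario.
PRIVATE_IF = "Private Network"
INTERNET_IF = "Internet"
PUBLIC_IP = "131.107.0.20"

# Routing table of the Routing and Remote Access server. The 0.0.0.0/0 entry
# is the default route added in steps 4-6 (dedicated) or 18-20 (demand-dial).
ROUTES = [
    (ipaddress.ip_network("10.10.1.0/24"), PRIVATE_IF),
    (ipaddress.ip_network("0.0.0.0/0"), INTERNET_IF),
]


def egress_interface(dst_ip):
    """Longest-prefix match: the most specific matching route decides the interface."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
    return max(matches)[1] if matches else None


@dataclass
class NatGateway:
    public_ip: str = PUBLIC_IP
    next_port: int = 1025  # assumed allocation scheme: sequential public ports
    # public_port -> (private_ip, private_port). This mapping table is also the
    # Basic Firewall's list of dynamically created inbound filters.
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Handle a packet from a private client; returns (interface, packet).

        Traffic routed back onto the private network is forwarded untouched;
        traffic leaving via the Internet interface gets the public address and
        an allocated public port."""
        iface = egress_interface(dst_ip)
        if iface != INTERNET_IF:
            return iface, (src_ip, src_port, dst_ip, dst_port)
        # Reuse the mapping for this private socket if one already exists.
        for pub_port, private in self.table.items():
            if private == (src_ip, src_port):
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = (src_ip, src_port)
        return iface, (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Handle a packet arriving on the Internet interface.

        Only a packet addressed to a public port with a live mapping is
        translated back to the client; anything unsolicited is dropped (None),
        which is why internal hosts are not reachable from the Internet."""
        if dst_ip != self.public_ip or dst_port not in self.table:
            return None
        private_ip, private_port = self.table[dst_port]
        return (src_ip, src_port, private_ip, private_port)


def demo():
    """Walk a client's web request out and its reply back, plus two edge cases."""
    nat = NatGateway()
    # Constructed addresses: LAN client 10.10.1.25, web server 203.0.113.80,
    # and an Internet host 198.51.100.7 probing the public address unsolicited.
    out = nat.outbound("10.10.1.25", 3456, "203.0.113.80", 80)
    reply = nat.inbound("203.0.113.80", 80, PUBLIC_IP, out[1][1])
    probe = nat.inbound("198.51.100.7", 40000, PUBLIC_IP, 3389)
    # A query to the internal DNS server at 10.10.1.90 never leaves the LAN.
    local = nat.outbound("10.10.1.25", 3457, "10.10.1.90", 53)
    return {"out": out, "reply": reply, "probe": probe, "local": local}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `probe` case is the security benefit listed under "Scenario Requirements" made concrete: the web server's reply matches a mapping and reaches 10.10.1.25, while the unsolicited packet to port 3389 has no mapping and is discarded without any private address being exposed. Note that this also explains the caveat in the ISP section: hosting a Web or VPN server behind this gateway requires an explicit inbound mapping, which is not covered here.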
Updating the Local DNS Server for Internet Naming Resolution

Before network clients can access the Internet, your private network DNS server needs to know how to resolve Internet domain names. For example, if someone types MSN.com in an Internet browser, the private network DNS server should forward the request to resolve the MSN.com name to the ISP DNS server.
To configure DNS name resolution forwarding to the ISP DNS server:
1. Log on to the DNS server computer with an account that has administrator privileges.
2. Click Start, point to Programs, point to Administrative Tools, and click DNS.
3. In the console tree, right-click the DNS server name and click Properties.
4. Click the Forwarders tab. In Selected domain's forwarder IP address list, type the IP address of your ISP DNS server and click Add. Select the Do not use recursion for this domain check box. An example is shown in the following figure.
5. Click OK to save changes to the DNS server properties.
You have now completed the process of configuring the local DNS server to forward Internet name resolution requests to the external ISP DNS server.
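The forwarder configured above changes how the private DNS server answers three kinds of queries: names in zones it hosts, Internet names, and Internet names when the ISP server does not respond. The Do not use recursion for this domain check box governs the last case. The following model is an added example written for this white paper, not Microsoft's DNS implementation; the internal zone, the ISP DNS address 198.51.100.53 and the public answer are constructed stand-ins, and the two forwarder/root functions replace real network queries.

```python
# Constructed data: a zone hosted on the private network DNS server and a
# placeholder address for the ISP DNS server (not a real ISP).
INTERNAL_ZONES = {
    "corp.example.": {
        "dc1.corp.example.": "10.10.1.10",
        "nat.corp.example.": "10.10.1.90",
    }
}
ISP_DNS = "198.51.100.53"

# Constructed view of the public DNS as the ISP's resolver would see it.
PUBLIC_RECORDS = {"www.msn.com.": "203.0.113.80"}


def query_forwarder(address, name, reachable):
    """Stand-in for sending the query to the ISP DNS server (no network I/O)."""
    if not reachable:
        raise TimeoutError(f"no response from forwarder {address}")
    return PUBLIC_RECORDS.get(name)  # None represents NXDOMAIN


def recurse_from_root(name):
    """Stand-in for the server walking the hierarchy itself from the root hints."""
    return PUBLIC_RECORDS.get(name)


class LocalDnsServer:
    def __init__(self, zones, forwarders, forward_only):
        self.zones = zones                # zone apex -> {fqdn: address}
        self.forwarders = forwarders      # ISP DNS server addresses, tried in order
        self.forward_only = forward_only  # "Do not use recursion for this domain"

    def resolve(self, name, forwarder_reachable=True):
        """Return (how the answer was obtained, address); address None means no such name."""
        fqdn = name.lower().rstrip(".") + "."
        # 1. Names inside a hosted zone are answered from local data and are
        #    never sent to the ISP, so internal host names do not leave the LAN.
        for apex, records in self.zones.items():
            if fqdn == apex or fqdn.endswith("." + apex):
                return ("AUTHORITATIVE", records.get(fqdn))
        # 2. Every other name is sent to the forwarders, in order.
        for address in self.forwarders:
            try:
                return ("FORWARDED", query_forwarder(address, fqdn, forwarder_reachable))
            except TimeoutError:
                continue
        # 3. No forwarder answered. With the check box selected the server fails
        #    the query; otherwise it falls back to recursing on its own.
        if self.forward_only:
            return ("SERVFAIL", None)
        return ("RECURSED", recurse_from_root(fqdn))


if __name__ == "__main__":
    server = LocalDnsServer(INTERNAL_ZONES, [ISP_DNS], forward_only=True)
    for query in ("nat.corp.example", "www.msn.com"):
        print(query, "->", server.resolve(query))
    print("ISP down ->", server.resolve("www.msn.com", forwarder_reachable=False))
```

With forward-only behaviour the internal server's only outbound DNS traffic goes to the ISP DNS address, which keeps the packet filters on the Internet interface narrow; the price is that Internet name resolution stops when the ISP server is unreachable, so a second forwarder address from the ISP is worth adding if one is offered.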
Conclusion

Local area network clients now have access to the Internet through the Routing and Remote Access server. To test this, clients should start a Web browser and begin accessing Web sites on the Internet.

Summary

This white paper describes how to provide medium-sized networks with secure access to the Internet using the network address translator (NAT) services of Windows Server 2003. By configuring Windows Server 2003 as a NAT and updating the private network DNS server to forward Internet names to an ISP DNS server, companies can quickly add Internet access to their networks. In addition, with NAT technology hiding the internal client IP addresses, customers gain an increased level of Internet security.