Microsoft Corporation
Published: March 2003
Abstract
In today’s business world, being connected to the marketplace and to your customers means getting connected
to the Internet. Windows® Server 2003 makes it easier to securely connect your network to the Internet, enabling
your employees to access the information they need. This white paper describes the steps needed to provide
shared Internet access to Microsoft® Windows® XP-based clients that are directly attached to a medium-sized
private network using Windows Server 2003 and network address translation.
Microsoft® Windows® Server 2003 White Paper
Contents
Introduction
Updating the Local DNS Server for Internet Naming Resolution
Conclusion
Summary
Introduction
Connecting a medium-sized office network to the Internet has traditionally been a difficult process
requiring separate computers and extensive knowledge of network devices. For many, making a
connection to the Internet seemed costly and difficult to manage. With Windows Server 2003, making a
connection to the Internet is easier, more secure, and can be accomplished with relatively inexpensive
hardware and basic Internet service provider (ISP) services.
This white paper is intended for users of medium-sized Windows Server 2003 domain-based networks
who want to set up Internet access and share it with local area network clients. A basic understanding of
domain-based networks, Domain Name System (DNS), and the Dynamic Host Configuration Protocol
(DHCP) is assumed. This paper is not intended as a comprehensive review of all routing features of
Windows Server 2003; rather, it focuses on the basic Internet gateway capabilities.
Scenario Requirements
This document walks you through the setup of a Windows Server 2003-based server as an Internet
connection server that shares access with a local area network. It is assumed that in order to connect to
the Internet you have an active account with an ISP and a physical connection to the Internet. This
could be a dial-up connection (such as an analog modem or ISDN connection) or a dedicated
connection using a cable modem or Digital Subscriber Line (DSL).
To configure the server for Internet access sharing, you will need to configure the Routing and Remote
Access service to act as a network address translator (NAT). A NAT relies on a single public IP address
for the Internet and translates all internal client traffic to and from this IP address.
Scenario Tasks
In this white paper, we will describe the following tasks:
Setup and Management Tasks
• Network setup and configuration using the network address translation capability of
Routing and Remote Access
• Configuration and setup of Routing and Remote Access service for a dedicated or
demand-dial connection to the Internet
• Configuration of the private network DNS server to forward Internet name resolution
requests to an ISP DNS server
• Assigned IP address. This is your public IP address associated with your account. This can be
statically or dynamically assigned.
• ISP DNS server address. This is used to forward DNS requests for Internet names to the ISP’s DNS
server.
• Phone number. For demand-dial connections, this is the number for your ISP.
Note If you plan to host a Web server or a virtual private network (VPN) remote access server, you need to
request a static IP address or have an ISP that supports DNS dynamic update. Outbound Internet traffic will
work with a dynamically assigned IP address, but external computers will not be able to connect to your
network over the Internet.
Before you set up Internet sharing, check with your ISP about any licensing limitations on shared
access through a single ISP connection.
Assigning IP Addresses
If your server is already connected to the private network, the attached network adapter should already
have an IP address that was dynamically assigned by the local DHCP server. Because this server will
be used as the Internet connection server, you will need to assign a static IP address to the private
network adapter. This static IP address should be excluded from the DHCP scope for the subnet to
which the Internet connection server is attached.
To communicate the server’s new role as an Internet gateway to all clients on the subnet attached to
the Routing and Remote Access server, you will also need to add this static IP address to the Router
(Default Gateway) DHCP option. For more information about how to add this option, see Windows
Server 2003 Help and Support. If your private network consists of multiple subnets, adjust your routing
infrastructure so that default route traffic is forwarded to the static IP address of the Internet connection
server's private network interface.
When you have two network adapters installed on the server computer, you must be able to identify
which network adapter is connected to the private network and which is connected to the Internet.
Therefore, it is a good idea to rename the connections corresponding to the adapters with descriptive
names, such as "Private Network" and "Internet." This can be done from the Network Connections folder.
For this white paper, we assume that the private network adapter is named "Private Network" and is
assigned a reserved static IP Address of 10.10.1.90. We also assume that the ISP assigned a static
public IP address of 131.107.0.20 to your company. The public IP address should be assigned to the
Internet connection. To assign IP addresses to the LAN connections:
1. Log on to the Routing and Remote Access server with an account that has administrator privileges.
2. Click Start, point to Settings, point to Network Connections, right-click the connection connected to
your private network, and then click Properties.
3. On the General tab, under This connection uses these items, double-click Internet Protocol
(TCP/IP).
4. On the General tab, click Use the following IP address and type the appropriate IP address and
subnet mask. Click OK to accept the changes to the TCP/IP protocol. Click OK to save changes to
the connection.
5. If you have a dedicated Internet connection, repeat these steps for the Internet connection, but
assign the static IP address provided by your ISP.
Routing and Remote Access can be configured to provide the following networking services:
• Remote access (dial-up or VPN) allows remote access clients to connect to this server through either
a dial-up connection or a secure virtual private network (VPN) connection.
• Network address translation (NAT) allows internal clients to connect to the network using one public
IP address.
• Virtual Private Network (VPN) access and NAT allows remote clients to connect to this server
through the Internet and local clients to connect to the Internet using a single public IP address.
• Secure connection between two private networks allows a connection between your network and a
remote network, such as a branch office.
• Custom configuration allows the selection of any of the features available in Routing and Remote
Access.
For this deployment scenario, we are going to configure Routing and Remote Access to provide NAT
services using the following procedure:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote
Access.
2. In the contents pane, right-click the server name and click Configure and Enable Routing and
Remote Access. The Routing and Remote Access Server Setup Wizard appears. Click Next to view
choices for several default server roles.
4. Click Next. If you are using a dedicated Internet connection, see "Creating a dedicated Internet
connection." If you are using a demand-dial Internet connection, see "Creating a demand-dial
Internet connection."
In our example, we have two network adapters, one named Private Network and one named Internet.
The Private Network connection is connected to the internal network and has the static IP address of
10.10.1.90. The Internet connection is configured with the IP address 131.107.0.20.
1. Continuing the procedure from "Configuring Routing and Remote Access for network address
translation", on the NAT Internet Connection page, click Use this public interface to connect to
the Internet, and click the Internet connection. Leave the Enable security on the selected
interface by setting up Basic Firewall check box selected. This is shown in the following figure.
2. Click Next. On the Name and Address Translation Services page, click I will set up name and
address services later. Because you already have DNS and DHCP services operating on your
private network, you do not need the Routing and Remote Access server to provide these services.
This is shown in the following figure.
3. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click
Finish.
4. To add a default route, in the console tree, double-click IP Routing, right-click Static Routes, and
then click New Static Route.
5. In Interface, select the interface that corresponds to your dedicated Internet connection. In
Destination, type 0.0.0.0. In Network mask, type 0.0.0.0. An example is shown in the following
figure.
6. Click OK.
Steps 4-6 configure a default route, making all the locations on the Internet reachable from the
Routing and Remote Access server.
You have finished configuring your Routing and Remote Access server as a network address translator
with a dedicated Internet connection. Skip ahead to the "Updating the local DNS server for Internet
naming resolution" section.
Instead of having a dedicated connection to the Internet, you may choose to connect only when your
private network users require access. Routing and Remote Access can automate the connection
process whenever someone tries to access the Internet. In this example, we are using a modem to
access the Internet instead of a network adapter.
1. Continuing the procedure from "Configuring Routing and Remote Access for network address
translation," on the NAT Internet Connection page, click Create a new demand-dial interface to
the Internet. Leave the Enable security on the selected interface by setting up Basic Firewall
check box selected. The basic firewall is a stateful firewall that monitors all outbound traffic and
dynamically creates inbound packet filters for the response traffic. This is shown in the following
figure.
2. Click Next. On the Network Selection page, click the connection that is connected to the private
network. This is shown in the following figure.
3. Click Next. On the Name and Address Translation Services page, click I will set up name and
address services later. Because you already have DNS and DHCP services operating on your
private network, you do not need the Routing and Remote Access server to provide these services.
This is shown in the following figure.
4. On the Ready to Apply Selections page, click Next. The Routing and Remote Access service is
configured and initialized and the Demand-Dial Interface Wizard is started.
6. On the Interface Name page, type the name of the demand-dial interface. An example is shown in
the following figure.
7. Click Next. On the Connection Type page, click Connect using a modem, ISDN adapter, or other
physical device. This is shown in the following figure.
8. Click Next. On the Select a Device page, click the modem used to dial your ISP. An example is
shown in the following figure.
9. Click Next. On the Phone Number page, type the phone number to dial your ISP in Phone number
or address. An example is shown in the following figure.
11. On the Dial Out Credentials page, type the credentials used to make a connection to your ISP. An
example is shown in the following figure.
12. Click Next. On the Completing the Demand-Dial Interface Wizard page, click Finish.
14. In the details pane, double-click the newly created demand-dial interface.
15. Click the Networking tab, and then double-click Internet Protocol (TCP/IP).
16. Click Use the following IP address, and then type the public IP address assigned by the ISP in IP
address. An example is shown in the following figure.
17. Click OK to save changes to the TCP/IP configuration. Click OK to save changes to the demand-dial
interface.
18. To add a default route, in the console tree, double-click IP Routing, right-click Static Routes, and
then click New Static Route.
19. In Interface, select the interface that corresponds to your demand-dial connection to the Internet. In
Destination, type 0.0.0.0. In Network mask, type 0.0.0.0. An example is shown in the following
figure.
20. Click OK.
Steps 18-20 configure a default route, making all the locations on the Internet reachable from the
Routing and Remote Access server.
You have now completed configuring a demand-dial connection to the Internet. Similar to the dedicated
Internet configuration, this server now has a static private network IP address and a static public IP
address provided by the ISP.
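The address translation and Basic Firewall behavior described in this paper, sketched as an added Python model (not part of the original white paper, and not how Routing and Remote Access is implemented). The public address 131.107.0.20 is the paper's example; the client addresses, ports, and remote hosts are constructed sample values.

```python
# Added illustration: toy model of a NAT with a stateful basic firewall.
# Only PUBLIC_IP comes from the white paper; all other values are constructed.
from dataclasses import dataclass, field

PUBLIC_IP = "131.107.0.20"  # public address assigned by the ISP (paper's example)

@dataclass
class NatGateway:
    public_ip: str = PUBLIC_IP
    next_port: int = 1025  # hypothetical start of the mapped-port range
    # (private ip, private port, remote ip, remote port) -> public port
    out_map: dict = field(default_factory=dict)
    # (public port, remote ip, remote port) -> (private ip, private port)
    in_map: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network and record state."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            # Dynamic inbound filter: only this remote endpoint may reply.
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the private destination for a reply, or None if dropped."""
        return self.in_map.get((dst_port, src_ip, src_port))

def demo():
    gw = NatGateway()
    # Two constructed private clients contact the same constructed web server.
    a = gw.outbound("10.10.1.101", 3456, "203.0.113.10", 80)
    b = gw.outbound("10.10.1.102", 3456, "203.0.113.10", 80)
    reply_a = gw.inbound("203.0.113.10", 80, a[1])        # solicited reply
    unsolicited = gw.inbound("203.0.113.99", 4444, a[1])  # different remote host
    closed = gw.inbound("203.0.113.10", 80, 8080)         # port never mapped
    return a, b, reply_a, unsolicited, closed

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both clients leave with the same public source address, and only the reply from the endpoint a client contacted is translated back. The other two inbound packets return None, which models unsolicited Internet traffic being dropped at the public interface.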
2. Click Start, point to Programs, point to Administrative Tools, and click DNS.
3. In the console tree, right-click the DNS server name and click Properties.
4. Click the Forwarders tab. In Selected domain's forwarder IP address list, type the IP address of
your ISP DNS server and click Add. Select the Do not use recursion for this domain check box.
An example is shown in the following figure.
You have now completed the process of configuring the local DNS server to forward Internet name
resolution requests to the external ISP DNS server.
Conclusion
Local area network clients now have access to the Internet through the Routing and Remote Access
server. To test this, clients should start a Web browser and begin accessing Web sites on the Internet.
Summary
This white paper describes how to provide medium-sized networks with secure access to the Internet
using the network address translator (NAT) services of Windows Server 2003. By configuring Windows
Server 2003 as a NAT and updating the private network DNS server to forward Internet names to an
ISP DNS server, companies can quickly add Internet access to their networks. In addition, with NAT
technology hiding the internal client IP addresses, customers gain an increased level of Internet
security.
Related Links
See the following resources for further information:
• Windows Server 2003 Networking and Communications Services Web site at
http://www.microsoft.com/windowsserver2003/technologies/networking/
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at
http://www.microsoft.com/windowsserver2003/.