More years ago than I care to
think about, IP addresses were handed out to companies on an indiscriminate
basis. As the popularity of the Internet increased, IP addresses soon grew to
be a scarce commodity. Internet service providers began to strictly limit the
number of IP addresses that they would lease to companies. This presented an
interesting challenge. A PC has to have an IP address in order to communicate
with the Internet, but there weren't enough public IP addresses left for every
PC to be given one. The solution to this problem was a technology called Network
Address Translation (NAT). Today, NAT is alive and well, and more popular
than ever. In this article, I will explain what NAT is and how you can
configure Windows Server 2003 to act as a NAT router.
What is NAT?
So what is NAT? Network Address
Translation, or NAT, is a technology that uses a router to share an Internet
connection among the PCs on your private network, even though those PCs do not
have a valid public IP address. There are both hardware and software NAT
routers. In this particular situation, we will be configuring a Windows Server
2003 machine to act as a software based NAT router.
As you probably know, a router's
primary purpose is to forward traffic between two networks, and a NAT
router is no exception. The server that you will use as a NAT router must have
two network interface cards (NICs) installed. One of these NICs will connect to
the Internet and the other will connect to the private network. PCs on the
private network send their outbound traffic (HTTP requests, DNS lookups, or any
other protocol) to the NAT server via the server's private network connection.
The server rewrites the source address of each packet to its own public
address, picks a source port for it, records the mapping in a translation
table, and retransmits the packet over the Internet on behalf of the client.
When the requested Web site responds, the response is addressed to the NAT
server's public address, which looks up the port in its translation table,
rewrites the destination back to the private address, and forwards the packet
to the client that made the original request. The client never communicates
across the Internet using its own address; hosts on the Internet only ever see
the NAT server's public address. A side effect is that an unsolicited inbound
packet, one for which no translation table entry exists, has nowhere to go and
is discarded. That is what makes the private network "invisible" from outside,
but it is a by-product of address translation rather than a firewall policy, so
it should not be relied on as your only protection.
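The translation table behaviour described above, as an added example that is not code from the article or from Windows RRAS. It is a simplified model of a NAT router: outbound packets get a public source port and a table entry, inbound packets are forwarded only when they match an entry, and a static port mapping (the "port forwarding" discussed later in the Setting Up NAT section) lets a chosen inbound port through. The addresses are constructed from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24) and the 192.168.1.0/24 block used in this article; the class and method names are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP datagram reduced to the fields NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy NAT router: one public address, many private hosts.

    This models a simple 'full cone' NAT that keys inbound packets only on the
    public port; a stricter NAT would also check the remote address and port.
    """

    def __init__(self, public_ip, private_prefix="192.168.1."):
        self.public_ip = public_ip
        self.private_prefix = private_prefix      # constructed: matches the article's example range
        self.next_port = 40000                    # first public port handed out for translations
        self.table = {}        # (proto, public_port) -> (private_ip, private_port), dynamic entries
        self.reverse = {}      # (proto, private_ip, private_port) -> public_port, for reuse
        self.static = {}       # (proto, public_port) -> (private_ip, private_port), port forwards

    def add_port_mapping(self, proto, public_port, private_ip, private_port):
        """Administrator-defined port forward: exposes one private service."""
        self.static[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt):
        """Packet leaving the private network: rewrite the source to the public address."""
        if not pkt.src_ip.startswith(self.private_prefix):
            return None                           # not from our private network; ignore
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.reverse:               # first packet of this flow: allocate a port
            public_port = self.next_port
            self.next_port += 1
            self.reverse[key] = public_port
            self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Packet arriving from the Internet: translate the destination, or drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.table.get(key) or self.static.get(key)
        if target is None:
            return None                           # unsolicited: no mapping, so it is discarded
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def demo():
    """Walk one request/reply through the router and return what came out of each step."""
    nat = NatRouter("203.0.113.5")                                   # constructed public address
    request = Packet("192.168.1.50", 51234, "198.51.100.10", 80)     # workstation -> web server
    translated = nat.outbound(request)
    reply = Packet("198.51.100.10", 80, "203.0.113.5", translated.src_port)
    delivered = nat.inbound(reply)                                   # matched: goes back to 192.168.1.50
    probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 3389))  # unsolicited: dropped
    nat.add_port_mapping("tcp", 443, "192.168.1.10", 443)            # deliberate port forward
    forwarded = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 443))
    return translated, delivered, probe, forwarded


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note that the port forward is the only way an outside host reaches 192.168.1.10 in this model, which is why each mapping you add on a real NAT router should be treated as an intentional exposure of that service.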
IP Addressing Considerations
As I explained in the section above,
a NAT router acts as a gateway between your private network and the Internet.
The server that is acting as the NAT router must have two NICs. One of the NICs
is connected to the Internet. This NIC must be assigned the IP address that was
given to you by your Internet Service Provider.
The other NIC connects to your
private network. As I mentioned, NAT does not require you to have valid public
IP addresses on your private network. You should not, however, pick an address
range at random. If the range you choose happens to belong to some organization
on the Internet, your workstations will be unable to reach that organization's
servers, because the NAT server will treat those addresses as local rather than
forwarding the traffic. I have only seen someone pick an address range that
caused problems once, but it is easily avoided: use one of the private ranges
reserved by RFC 1918, which are never routed on the public Internet. Those
ranges are 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x through
172.31.x.x) and 192.168.0.0/16 (192.168.x.x). The 192.168.x.x range is the one
most commonly used on small networks.
After you pick an address range, I
recommend setting up a DHCP server so that it will assign addresses from your
chosen address range (the DHCP term for an address range is a scope) to the
workstations on your network. You must however statically assign an address to
the NIC on the NAT server that connects to your private network, and that
address must be excluded from the DHCP scope. For example, if you chose to use
the 192.168.1.0 subnet with a subnet mask of 255.255.255.0, you might assign
the address 192.168.1.1 to the NAT server's private NIC and use the
192.168.1.100 to 192.168.1.199 address block as your DHCP scope. Note that
192.168.1.0 itself is the network address and 192.168.1.255 is the broadcast
address of that subnet; neither can be assigned to a host, so do not give
either of them to the NAT server or include them in the scope.
While you are configuring your DHCP
server, there are a couple of other considerations that you need to make. As
you may know, DHCP allows you to optionally assign a default gateway and a DNS
server to workstations along with an IP address. When doing so, you must set
the default gateway address to match the private network address that you
assigned to your NAT server.
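A small check of the addressing plan described in this section, as an added example that is not part of the article and does not touch the DHCP or RRAS consoles. It verifies the things a practitioner would want confirmed before handing out a scope: the subnet is RFC 1918 space, the NAT server's private address is a usable host address inside it, the DHCP scope lies within the subnet and does not overlap the statically assigned address, and the default gateway option handed to clients matches the NAT server. The function name and the sample plans are assumptions chosen to match the article's 192.168.1.x example.

```python
import ipaddress

# The three RFC 1918 private ranges; anything outside these could collide with a public host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(subnet, nat_private_ip, scope_start, scope_end, dhcp_gateway):
    """Return a list of problems with the plan; an empty list means it is consistent.

    subnet         e.g. "192.168.1.0/24" (must be written as a network, not a host)
    nat_private_ip the static address on the NAT server's private NIC
    scope_start/
    scope_end      first and last address the DHCP server may lease
    dhcp_gateway   the default gateway option the DHCP server hands to clients
    """
    problems = []
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(nat_private_ip)
    start = ipaddress.ip_address(scope_start)
    end = ipaddress.ip_address(scope_end)

    # 1. Private address space only.
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not RFC 1918 space; use 10/8, 172.16/12 or 192.168/16")

    # 2. The NAT server's private address must be a usable host address in the subnet.
    if gw not in net:
        problems.append(f"NAT server address {gw} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"{gw} is the network or broadcast address of {net} and cannot be a host")

    # 3. The DHCP scope must be ordered, lie inside the subnet, and exclude the static address.
    if start > end:
        problems.append(f"scope start {start} is after scope end {end}")
    if start not in net or end not in net:
        problems.append(f"scope {start}-{end} is not inside {net}")
    elif start <= gw <= end:
        problems.append(f"scope {start}-{end} overlaps the statically assigned {gw}")

    # 4. Clients must be told to use the NAT server as their default gateway.
    if ipaddress.ip_address(dhcp_gateway) != gw:
        problems.append(f"DHCP default gateway {dhcp_gateway} does not match NAT server {gw}")

    return problems


if __name__ == "__main__":
    # Constructed sample plans: the first is sound, the second assigns the network address itself.
    print(check_plan("192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.1.199", "192.168.1.1"))
    print(check_plan("192.168.1.0/24", "192.168.1.0", "192.168.1.1", "192.168.1.99", "192.168.1.0"))
```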
You have a few different options
when choosing which DNS server address the DHCP server should assign to the
workstations on your network. If you don't have your own DNS server, then the
best thing that you can do is to just use the IP address of your Internet
service provider's DNS server. If your network is running Active Directory
though, then you already have a DNS server and you should use its address. In
that case it is not optional: domain members locate domain controllers through
SRV records that exist only in your own DNS zone, so workstations pointed
directly at the ISP's DNS server will have trouble logging on to the domain. It
doesn't matter whether your DNS server is authoritative for any other domain.
Simply point the workstations to it. You can then set up a forwarder on the DNS
Server so that any queries it cannot answer itself get forwarded to your ISP's
DNS server.
The advantage to pointing clients to
your own DNS server rather than to your ISP's DNS server is that doing so will
provide your users with better performance. Your DNS server is local, so
queries reach the server more quickly than they would reach a remote server.
Furthermore, your DNS server has a built in cache so that popular Web sites do
not have to be resolved each time a user visits them.
Setting Up NAT
Begin by selecting the Routing and
Remote Access command from Windows' Administrative Tools menu. When you do,
Windows will display the Routing and Remote Access console. Locate your server
(just below the Server Status). There should be a big red dot to the left of
the server, indicating that the server is currently inactive. Now, right click
on the server and select the Configure and Enable Routing and Remote Access
command from the resulting shortcut menu. When you do, Windows will launch the
Routing and Remote Access Server Setup Wizard.
Click Next to bypass the wizard's
Welcome screen. You will now see a screen that's similar to the one that's
shown in Figure A. This screen allows you to select various configurations for
Routing and Remote Access (RRAS). RRAS can be configured to do just about
anything that you want, but Microsoft has included several templates to make
the configuration process easier for common deployment types. Select the
Network Address Translation (NAT) option and click Next.
Figure A: Select the Network Address Translation (NAT) option and click Next
The next screen that you will see,
shown in Figure B, is a rather important one to pay attention to. The screen
gives you the choice of selecting a network interface that is connected to the
external network (usually the Internet) or of selecting a demand dial interface.
In case you are wondering, demand dial is a feature that allows Windows to
establish a dial-up connection whenever external connectivity is needed. For
the purpose of this article, I am assuming that you have a broadband connection
to the Internet. Additionally, I am assuming that the NIC through which the
broadband connection comes in has a static IP address assigned to it. Select
that network interface, and be careful not to select the private NIC by
mistake: choosing the wrong interface here would have RRAS translate in the
wrong direction and leave the private network exposed rather than hidden.
Figure B: Select the NIC that connects the server to the outside world
Before you click Next, you should
notice that there is a check box that allows you to enable a basic firewall on
the connection. I recommend always selecting this option. The firewall is a
stateful packet filter on the public interface: it drops inbound packets that
do not belong to a connection initiated from inside, which closes the gap that
address translation alone leaves open. Keep in mind that it filters only the
public interface, has no application-level inspection, and is not a substitute
for a dedicated firewall on a network of any importance. If you need to grant
external users access to some service on your network, you have the option of
configuring port forwarding (in the properties of the public interface under
the NAT/Basic Firewall node) to pass packets through the firewall to the
desired network resource. Each forwarded port exposes that service to the whole
Internet, so forward only the ports you actually need, to hosts that are
patched and hardened for that exposure.
After you enable the RRAS firewall,
click Next and you will see a screen asking you to select the network that will
have shared Internet access. Although the dialog box uses some weird wording,
it is basically just asking you to select the NIC that is attached to your
private network. Make your selection, and click Next, followed by Finish to complete
the process.