Implementing Internet Connections
E-mail and Web sites have evolved into being important mechanisms for a vast number of organizations. Internet connectivity or connections support a company’s business in a number of ways. Company employees use the Internet to exchange e-mail with other employees at different branch offices, and with business partners and suppliers; to access the LAN when working from home; to conduct research using the Web; and mobile users utilize the Internet to remotely access the LAN.
Each organization would have different requirements when it comes to Internet connections. Some organizations might to host its own Web site or e-mail; and then there may be occasions where this can be provided by a third-party entity.
To connect the LAN to the Internet, you can use a router which routes traffic to the Internet, and from the Internet; or a translation service such as Network Address Translation (NAT) to translate private internal network traffic to public traffic which can be routed on the Internet. A routed connection to the Internet utilizes a routing device or router to pass traffic between the private network and the public network or Internet. Hardware routers are dedicated routing devices thats sole purpose is to provide a routing capability for the organization. Software routers run as a service on a computer residing within the network. The requirements for a computer to run as a software router are a connection to the internal private network or LAN, and a connection to the public network or Internet. The Routing and Remote Access Service (RRAS) of Windows Server 2003 can be used to enable a computer to run as a software router. The computer running as a software router with the necessary connections is called a multi-homed network computer. For computers located on the LAN to use a routed connection to connect to the Internet, valid IP addresses have to be obtained an Internet Service Provider (ISP), and assigned to computers residing in the private network through manual configuration or through the DHCP service.
The Network Address Translation (NAT) translation service can be used to translate internal addresses to public addresses which can be routed on the Internet. The computer performing the role of the NAT server must have a network adapter card configured with the internal private IP addresses connecting the internal private client computers, and a network adapter configured with the public IP address which connects to the Internet. A full NAT implementation through Routing and Remote Access is the recommended approach. This NAT implementation offers all the NAT features.
Internet Connection Sharing (ICS) is a service integrated with Windows that provides Internet connectivity to hosts using an interface. ICS should be used for very small networks only. ICS can be considered a simplified basic version of NAT.
Virtual private networks (VPNs) enable users to connect to a remote private network through the Internet. Many companies supply their own VPN connections through the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. By using analog, ISDN, DSL, cable technology, dial and mobile IP; VPNs are implemented over extensive shared infrastructures. Email, and database and office applications use these secure remote VPN connections. A VPN gateway is a connection point that connects two LANs which are connected by a nonsecure network such as the Internet. A VPN gateway connects to either a single VPN gateway, or to multiple VPN gateways to extend the LAN. With Internet-based VPNs, the remote client connects to the Internet and then utilizes VPN client software to establish a connection with the VPN server. All communications between the client and VPN server are encrypted and encapsulated into packets before being transmitted over the Internet. Windows Server 2003 has a VPN component included with Routing and Remote Access service (RRAS) of Windows Server 2003 that enables you to configure a Windows Server 2003 computer as a VPN server. You can also configure router-to-router VPNs if you want to connect two physically separated LANs. Router-to-router VPNs are also typically called demand-dial connections. Using demand-dial connections for small remote sites that only require intermittent VPN connectivity is ideal. An alternative to using demand-dial connections is the utilization of a persistent connection to the Internet. Dedicated leased lines are classed as being persistent connections. This means that the connections are permanent connections, and remain open all the time. A VPN server set up to use persistent Internet connections can make the connection available to VPN clients.
You can use remote access policies to secure demand-dial connections. A remote access policy can be defined to control whether or not a user is allowed to connect to the VPN server. Remote access policies contain conditions which you specify through the Routing and Remote Access management console.
Planning for Internet Connections
Before you can implement an effective Internet connection strategy, there are a few factors that you need to consider and a few Internet connectivity requirements which you need to determine:
- Bandwidth: You need to determine thequantity of bandwidth needed for users to perform their necessary tasks. To determine the bandwidth needed by users, you have to determine the number of users which will most likely be accessing the Internet concurrently, the applications which will be used by these users, and the tasks which users will perform. Different e-mail types have different bandwidth requirements. E-mail is the common cause of available bandwidth being depleted. VoIP creates additional traffic that in turn has bandwidth requirements.
- Internet connection type: There are a number of different WAN technologies which can be used for Internet connections:
- Dial-up modem connection
- Integrated Services Digital Network (ISDN): ISDN Basic Rate Interface (BRI) and ISDN Primary Rate Interface (PRI)
- Cable television networks (CATV)
- DSL connections
- Leased lines
- Frame Relay
- Determine the router type for Internet connectivity.
- Determine the number of users which will need Internet connections.
- Determine the locations of computers that need Internet connectivity: The location of computers has an impact on the where routers and other Internet connection devices are placed, whether the router should be connected to the backbone network, and whether the Internet connection devices should be located within a single area.
- Determine the applications that users will run. You should attempt to determine the functions users will perform using Internet applications, and then attach bandwidth requirements to each of these functions.
- Determine which ISP to utilize: Some ISPs can support different WAN connection types, and can also offer a range of different levels of bandwidth.
- Determine redundancy for the Internet Connectivity design: The nature of the business of the company would determine whether redundancy is needed or not. You should identify internal services which are dependent on the availability of Internet connectivity and then calculate the cost factor associated with a loss of Internet connectivity.
- Determine the security requirements: The security requirements for your Internet connectivity design should be determined by the security requirements organization. You can limit the bandwidth which users can utilize and the sites that users can access. You can also specify a time period for which users can access the Internet.
Implementing and Configuring Internet Connections
Internet connectivity can be established in various ways:
- Remote access server
- Network Address Translation (NAT)
- Internet Connections Sharing (ICS)
- A direct connection by using a device such as a modem or network card.
There are a number of mechanisms and technologies provided by Microsoft that enable you to implement Internet connections. Connecting the LAN to the Internet can be achieved through translated connections using Network Address Translation (NAT), or through routed connections. To connect branch offices and to make the organization’s network accessible from remote locations, virtual private networks (VPNs) and router-to-router VPNs can be utilized. Demand-dial connections or persistent connections can be used. The Point-to-Point Tunneling Protocol (PPTP) VPN tunneling protocol or the Layer 2 Tunneling Protocol (L2TP) VPN tunneling protocol can be used to establish VPN connections. Remote access policies can be used to manage your VPN connections, and secure these connections. Authentication and encryption methods can be used to secure VPN connections. Internet Authentication Service (IAS) can also be used to provide centralized user authentication, authorization, and accounting and auditing. IAS can be integrated with the Remote Access and Routing Service (RRAS) of Windows Server 2003.
How to configure a translated Internet connection
- Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access management console.
- In the left console pane, select the RRAS server that you want to work with.
- From the Action menu, click Configure and Enable Routing and Remote Access.
- The Routing and Remote Access Server Setup Wizard initiates.
- Click Next on the Routing and Remote Access Server Setup Wizard welcome page.
- On the Configuration page, select the Network Address Translation (NAT) option, and then click Next.
- On the NAT Internet Connection page, you have to select the connection method which NAT will use to connect to the Internet:
- Use this public interface to connect to the Internet option.
- Create a new demand-dial interface to the Internet option.
- If you want to enable NAT security, leave the Enable security on the selected interface by setting up Basic Firewall option selected. The option is enabled by default. Click Next.
- On the Ready to Apply Selections page, click Next.
- Click Finish.
- Click Yes to start the Routing and Remote Access service.
How to allow inbound Internet connections
- Click Start, Administrative Tools, and then click Routing and Remote Access to open the Routing and Remote Access management console.
- Locate the interface that you want to configure.
- Right-click the interface and then select Properties from the shortcut menu.
- Click the Special Ports tab.
- Under Protocol, select TCP or UDP and then click the Add button.
- Enter the port number of the incoming traffic in Incoming Port.
- Select On This Address Pool Entry, and provide the public IP address of the incoming traffic.
- Enter the port number of the private network resource in Outgoing Port.
- Enter the private network resource’s private IP address in Private Address.
- Click OK.
How to activate the ICS service to allow Internet connections
- Access the network adapter which connects to the Internet.
- Open the Properties dialog box, and click the Advanced tab.
- Select the Allow other network users to connect through this computer’s Internet connection option.
- For creation of a dial-up Internet connection, click the Establish a dial-up connection whenever a computer on the network attempts to access the Internet option.
- Click OK.
How to establish an Internet connection through ICS
- Navigate to Internet Explorer.
- Select the I Want To Set Up My Internet Connection Manually option or the I Want To Connect Through A Local Area Network (LAN) option. Click Next.
- Select Connect Through A Local Area Network (LAN). Click Next.
- Uncheck the Automatic Discovery Of Proxy Server (Recommended) checkbox. Click Next.
- Click Yes to proceed with creating an Internet e-mail account, and follow the prompts of the Wizard to set up the account OR click No if you do not want to create an Internet e-mail account now. Click Next.
- Click Finish.
How to configure a VPN server to allow VPN connections
- Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
- In the console tree, select the server that you want to configure.
- Right-click the server, and then click Configure And Enable Routing And Remote Access from the shortcut menu.
- The Routing and Remote Access Server Setup Wizard starts.
- Click Next on the Routing and Remote Access Server Setup Wizard Welcome page.
- On the Configuration page, select Virtual Private Network (VPN) access and NAT, and then click Next.
- Click Finish when the Completing the Routing and Remote Access Server Setup Wizard page appears.
- Click Yes to start Routing and Remote Access Service (RRAS).
How to configure a VPN client
- On the client computer open Control Panel.
- Right-click Network Connections and then select Open from the shortcut menu.
- Click New Connection Wizard to start the New Connection Wizard.
- Click Next on the Welcome to the New Connection Wizard page.
- On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.
- Click Virtual Private Network Connection, and click Next.
- Enter a name for the connection and click Next.
- Specify the external IP address of the VPN server, or the FQDN of the VPN server, and then click Next.
- Select the Anyone’s use – If you want the connection to be available to everyone who uses the computer and then click Next.
- When the Completing the New Connection Wizard page appears, click Finish.
- The logon dialog box is displayed after you click the Finish button to complete the New Connection Wizard.
How to configure VPN connection permissions for user accounts
- Click Start, Administrative Tools, and then click Computer Management to open the Computer Management console.
- Double-click Local Users and Groups.
- Double-click Users.
- Double-click the specific user account that you want to grant access for, to open the Properties dialog box of the user.
- Click the Dial-in tab.
- Click Allow access, and then click OK.
- On the client computer, access the Network Connections folder, and then double-click the VPN connection that you want to configure.
- Specify the user account credentials, and then click Connect.
How to create a demand-dial interface
- Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
- In the console tree, select Network Interfaces.
- From the Action menu, click New Demand-dial Interface.
- The Demand-dial Interface Wizard starts.
- Click Next on the Demand-dial Interface Wizard Welcome page.
- Enter a name for the demand-dial interface and then click Next.
- On the Connection Type page, choose the Connect using virtual private networking (VPN) option and click Next.
- On the VPN Type page, select the VPN protocol which you want to use and then click Next. You can leave the Automatic selection default option unchanged.
- On the Destination Address page, provide the IP address that corresponds to the public interface of the remote gateway and then click Next.
- On the Protocols And Security Page, select the Route IP packets on this interface checkbox, and click Next.
- On the Static Routes For Remote Networks page, click the Add button to add a static route in the Static Route dialog box.
- Click OK and then click Next.
- On the Dial Out Credentials page, specify the username, password and domain for authentication purposes and click Next.
- Click Finish on the Completing the Demand-dial Interface Wizard page.
How to limit remote access by connection type
- Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
- In the console tree, expand the server’s node and then right-click Remote Access Policies and select New Remote Access Policy from the shortcut menu.
- The New Remote Access Policy Wizard starts.
- Click Next on the New Remote Access Policy Wizard Welcome page.
- On the Policy Configuration Method page, click the Set up a custom policy option.
- Enter a name in the Policy name box, and then click Next.
- On the Policy Conditions page, click the add button to add a condition.
- When the Select Attribute dialog box opens, specify the desired attribute and then click the Add button.
- Click Next on the Policy Conditions page.
- On the Permissions page, click the Deny remote access permission option and then click Next.
- When the Profile page appears, use the Edit button if you want to change the profile. Click Next.
- Click Finish to create the new remote access policy
How to configure inbound packet filters
You can configure demand-dial filters, and inbound and outbound packet filters to manage both inbound and outbound access to resources through the VPN tunnel. For packet filters, the rules used can be based on the Source address, Destination address, Source TCP port, Destination TCP port, Source UDP port, Destination UDP port, and Protocol type.
To configure inbound packet filters
- Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
- In the console tree, select the server that you want to configure.
- Expand the IP Routing node to display the General sub-node.
- Click the General sub-node.
- In the details pane of the Routing And Remote Access console, select the demand dial interface.
- Click the Action menu and then select the Properties command.
- When the demand-dial interface Properties dialog box opens, select Inbound Filters on the General tab.
- When the Inbound Filters dialog box opens, click New.
- The Add IP Filter dialog box opens.
- Specify the desired parameters for the inbound filter.
- Click OK.
How to install IAS
- Open Control Panel
- Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
- The Windows Components Wizard starts.
- Click Networking Services, and then click Details.
- In the Networking Services dialog box, select the checkbox for Internet Authentication Service in the list.
- Click OK. Click Next. Click Finish.
How to enable IAS authentication
- Click Start, Administrative Tools, and then click Routing And Remote Access to open the Routing And Remote Access management console.
- In the console tree, right-click the server that you want to configure and then select Properties from the shortcut menu.
- Switch to the Security tab.
- From the Authentication provider drop down list, select the RADIUS Authentication option.
- Click Configure.
- Click Add to include a RADIUS server in the list.
- When the Add RADIUS Server dialog box opens, provide the name of the RADIUS server and click OK. Click OK again to close the Properties dialog box.
- Click OK to acknowledge that the RRAS service has to be restarted.
- In the Routing and Remote Access management console, right-click the server and select All Tasks, and then Restart from the shortcut menu.
How to enable EAP authentication on the IAS server
- Click Start, Administrative Tools, and then click Internet Authentication Service to open the Internet Authentication Service management console.
- In the left pane, select Remote Access Policies.
- In the right pane, click Connections to Microsoft Routing and Remote Access Server.
- From the Action menu, click Properties.
- Click Edit Profile to navigate to the Edit Dial-in Profile dialog box.
- Switch to the Authentication tab.
- This is where you can specify the order in which EAP types are negotiated, and enable/disable non-EAP authentication methods.
- Click the EAP Methods button to add, remove, or view existing EAP types.
- Click OK.
Troubleshooting Internet Connection Problems
You can use the Netsh command-line utility to troubleshoot Internet connection problems. Windows Server 2003 diagnostic commands are included for Netsh. A few useful Netsh diag command contexts are listed here:
- Connect ieproxy: Used to establish or drop, and verify a connection with the proxy specified in Internet Explorer’s Properties window.
- PING adapter: Used to verify whether connectivity exists via a specific adapter. If you want to test connectivity via all network adapters, use no parameters.
- PING gateway: Used to verify whether connectivity exists with the default gateways defined in the specific adapter’s TCP/IP Properties window.
- PING ieproxy: Used to verify connectivity with the proxy specified in Internet Explorer’s Properties window.
- Show gateway: For listing all Internet gateways for a particular adapter.
- Show ieproxy: For listing all Internet proxy servers for the particular adapters.
- Show mail: For listing the Outlook Express mail server set up on the local computer.
- Show modem: For listing information specific to the modem.
You can use Network Diagnostics to collect information on hardware and software, to identify connectivity problems, and to isolate issues associated with configuration settings for network adapters, modems, and network clients; Internet service configuration settings for proxies, newsgroups and e-mail; default gateways and IP addresses; and DNS, DHCP, and WINS configuration settings.
How to use Network Diagnostics,
- Click Start, and then click Help And Support
- Click Tools from the Support Tasks area.
- Select Help and Support Center Tools.
- Select Network Diagnostics.
- To start a Network Diagnostics scan on the local computer environment, click Scan Your System.
- To add and remove categories of data collected; click Set Scanning Options in the Network Diagnostics window.
You can use Device Manager to troubleshoot hardware issues relating to network adapters, modems, and other devices. Device Manager is the graphical utility that displays all the devices installed on the system. Device Manager can be used for the following:
- To enable or disable devices
- Change hardware settings and advanced settings for a particular device
- You can use Device Manager to view information specific to devices and device drivers, and when troubleshooting devices.
How to use Device Manager to troubleshoot hardware issues
- Open Device Manager
- Open the Properties window of the device which you want to troubleshoot.
- Check the status of the device.
- For basic troubleshooting tips, click the Troubleshoot button.
- For modem issues, check the information on the Diagnostics tab.
An Internet connection problem can be a problem relating to either of the following:
- Hardware being utilized
- Network connectivity
- Name resolution
When troubleshooting Internet connection problems, start by first verifying the following:
- Check that the hardware such as network adapter, modem, or whatever other device you are using to establish your Internet connections is connected and operational.
- When dial-up connections are utilized, check the number and credentials which are used.
- When a gateway is used for Internet connections, ensure that the actual gateway is functioning.
- When a proxy server is used for establishing Internet connections, ensure that outgoing traffic is allowed.
- When name resolution issues exist, verify that the DNS servers are available, and that DNS is configured correctly.
When troubleshooting router-to-router VPN connection problems:
- Check whether the Router option and the LAN option are enabled on VPN server.
- Ensure that the VPN server is configured to handle the appropriate number of connections.
- Check that the VPN server has the Enable IP Routing option selected.
- The VPN connection should have the proper permissions on the dial-in properties of the user account and in the remote access policies.
When troubleshooting translated Internet connection problems:
- Check whether the private LAN interfaces and your public interface to the Internet have been added to the NAT routing protocol.
- Check whether the interface configured for the Internet is configured for translation. Ensure that the Enable Translation Across This Interface option is enabled in the Internet Interface Properties dialog box.
- Verify the following on the NAT/Basic Firewall tab of the private interface’s properties: The Private Interface Connected To Private Network option under the Interface Type area of the tab has to be selected.
- Verify that the Allow Clients On This Interface To Access Any Shared Networks option in the Home Network Interface Properties dialog box is enabled.
- Verify that the correct Static Packet Filters options have been selected. The settings are configured using the NAT/Basic Firewall tab of the private interface’s properties.
- You can check the mappings of NAT clients in the NAT Mappings Table. In the NAT/Basic Firewall pane of the Routing and Remote Access management console, simply right-click the interface.
- If you want to determine which process or application is the owner of a specific connection or if you want to view client mappings, use the Netstat utility.
Comments - One Response to “Implementing Internet Connections”
Sorry but comments are closed at this time.