Connecting Your Network to the Internet

Connecting Your Network to the Internet

Operating System

Connecting Your Network to the Internet

Deployment Scenario

Abstract

In today’s business, being connected to the marketplace and to your customers means getting connected to the Internet. Windows 2000 makes it easier to securely connect your network to the Internet, enabling your employees to access the information they need. This guide outlines the steps to provide secure shared Internet access to Microsoft® Windows® 2000-based clients that are directly attached to a medium-sized private network.

Connecting Your Network to the Internet

© 2000 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft

must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO

WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any

means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as

expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, Windows, Windows NT and the Windows logo are

registered trademarks of Microsoft Corporation.

Other product or company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399 USA

0200

Connecting Your Network to the Internet

CONTENTS INTRODUCTION ............................................................................. 1

Scenario Requirements

Scenario Tasks 2 2

INTERNET CONNECTION SETUP TASKS .................................... 3 Overview 3 Establishing an Internet account with an ISP 3 Configuring Windows 2000 Server for Internet Access 4 Assigning IP addresses 4 To Enable Routing 6 Creating a Dedicated Internet Connection 7 Creating a Demand-Dial Internet Connection 7 Demand Dial Internet configuration 10 Updating the local DNS server for Internet naming resolution 12

CONCLUSION ............................................................................... 15

SUMMARY ..................................................................................... 16

FOR MORE INFORMATION .......................................................... 17 Windows 2000 Web Site Resources 17

Connecting Your Network to the Internet

Connecting Your Network to the Internet

INTRODUCTION In today’s business, being connected to the marketplace and to your customers

means getting connected to the Internet. Microsoft® Windows® 2000 makes it easier to securely connect your network to the Internet, enabling your employees to access the information they need. Connecting a medium-sized office network to the Internet has traditionally been a difficult process requiring separate machines and extensive knowledge of network devices. For many, making a connection to the Internet seemed costly and difficult to manage.

With Windows 2000 Server, making a connection to the Internet is easy, secure, and can be accomplished with relatively inexpensive hardware and basic Internet service provider (ISP) services.

This guide is intended for users of medium-sized Windows 2000 domain-based networks who want to set up Internet access and share it with local area network clients. It assumes a basic understanding of domain-based networks, Domain Naming Services (DNS), and Dynamic Host Configuration Protocol (DHCP). This guide is not intended as a comprehensive review of all routing features of Windows 2000, rather, it is a focused guide of the basic Internet gateway capabilities.

Connecting Your Network to the Internet

Scenario Requirements

This document will walk you through setting up a Windows 2000-based server as an Internet connection server that shares access with a local area network. This guide builds on the network configuration in the “Upgrading a Windows NT Domain to Windows 2000 Active Directory” deployment scenario guide. (It shows how to configure a single domain-based Windows 2000 network with DNS and DHCP services enabled.)

To connect to the Internet, this guide assumes you have an active account with an ISP and a physical connection to the Internet. This could be a dial-up connection, like an analog modem or ISDN, or a dedicated connection like a cable modem or Digital Subscriber Line (DSL).

To configure the server for Internet access sharing, you will need to install the Routing and Remote Access Services (RRAS) that is included with the Optional Windows 2000 components package. To install this component on your Windows 2000 Server, click Start, point to Programs, point to Administrative Tools, click Configure your server, click Networking and click Routing. Follow the

instructions on this page to install the RRAS. You must have network administrator rights to configure this setup.

Scenario Tasks

In this guide you perform the following tasks:

Setup and Management Tasks Network setup and configuration using the Internet

Connection services. Includes an overview of common

ISP authentication issues incurred when using the

wizard.

Configuration and setup of Routing and Remote Access Service edge of network gateway

Connecting Your Network to the Internet

INTERNET CONNECTION

SETUP TASKS Overview

Routing and Remote Access Service (RRAS), integrated in Windows 2000 Server, provides a variety of capabilities such as connecting remote users, connecting office networks, and connecting networks to the Internet. This guide shows you how to configure your Windows 2000 Server to provide a basic outbound connection to the Internet that can be shared with other computers on your internal network. To set up your network for Internet access, you need to:

1. Establish an Internet account with an ISP.

2. Configure Windows 2000 Server for Internet access.

3. Update your local DNS server for Internet naming resolution.

Establishing an Internet account with an ISP

You must establish an account with an Internet service provider (ISP) to access the Internet. An ISP provides the following information to configure your server and network environment:

Account username and password. Used for authentication purposes. Assigned IP Address. This is your public IP address associated with your account. This can be statically or dynamically assigned. ISP DNS Server Address. Used to forward DNS requests for Internet names to the ISP’s DNS server. Modem Access Number. The ISP’s access number if you are connecting

through demand dial.

Note: If you plan to host a Web server or a remote access server, you need to request a static IP address or have an ISP that supports Dynamic DNS. Outbound Internet traffic will work with a dynamically assigned IP address but external computers will not be able to connect to your network over the Internet.

Before you set up Internet sharing, check with your ISP about any licensing limitations on shared access through a single ISP connection.

Connecting Your Network to the Internet

Configuring Windows 2000 Server for Internet Access Select a computer on your network domain that will perform as the Internet

connection server. This computer requires Windows 2000 Server with Routing and Remote Access Services (RRAS) installed and two network connections: one to the internal network and one that will connect to the Internet. The internal connection should be a Network Interface Card (NIC) while the external connection can either be a NIC or a modem, depending on the type of connection required.

Assigning IP addresses

If your server is already connected to the network, the Internal NIC should already have an IP address that was dynamically assigned by the local DHCP server.

Because this server will be used as the Internet Connection Server, you will need to assign a static IP address to the Internal NIC. This static IP address should be

selected from the DHCP Excluded Address Range defined in the DHCP New Scope Wizard, explained in “Upgrading a Windows NT Domain to Windows 2000 Active Directory” deployment guide

To communicate the server’s new role as an Internet gateway to all clients on the network, you will also need to add this static IP address to the Router (Default Gateway) list in the New Scope Wizard.

For this guide, we assume that the Internal NIC is assigned a reserved static IP Address of 10.10.1.90. We also assume that the ISP assigned a static public IP address of 169.254.0.20 to your company. The public IP address should be assigned to the external Internet connection. To assign IP addresses to NICs,

1. Select Start, point to Settings, point to Network and Dial Up Connections,

right click the name of the network interface (Internal Connection) and select Properties.

Connecting Your Network to the Internet

2. In the General tab, select TCP/IP and click Properties. Click Use the

following IP address and type in the assigned IP address. Click OK to accept the changes.

3. Repeat these steps for the External Internet Connection NIC but assign the

static IP address provided by your ISP.

Note: When you have two NICs installed on the Server, you can identify the Internal and External NICs. Unplug the network connection cables from both NICs. Take the cable that is connected to your LAN and plug it back into a NIC. Right click My Network Places and click Properties. The icon that is illuminated is your active Internal Connections NIC. You can rename this NIC by right clicking and selecting Rename.

RRAS can be configured to provide the following networking services:

Internet Connection Server provides secure access to the Internet for all client computers on the local area network. Remote Access Server allows computers to remotely connect to the private network using modem dial-up connections. Virtual Private Network Server provides secure remote access over the Internet, rather than over dial-up connections. Network Router expands your network by providing connectivity to other

Connecting Your Network to the Internet

networks.

To Enable Routing

1. Click Start, point to Programs, point to Administrative Tools, and click

Routing and Remote Access.

2. Right click the server, in this case Litware1(local), and choose Configure

Routing and Remote Access Service from the menu. The Routing and Remote Access Setup Wizard appears. Click Next to view choices for several default server roles.

3. Select Internet Connection Server and click

Next. Choose Set up Router with

the Network Address Translation (NAT) routing protocol as shown below.

4. Select a method for Internet connection.

Internet Connection Sharing is more appropriate for smaller networks such as the home network or the small office. Medium-sized networks should enable the routing and NAT features for Internet access sharing. The NAT feature relies on a single IP address for the public Internet and translates all internal client traffic to and from this IP address.

By setting up NAT, companies benefit by:

Lowering cost. NAT technology allows you to share a single public IP address

with many internal clients, avoiding the cost of setting up multiple public Internet address accounts.

Increasing security. By hiding the IP addresses of internal clients and servers

Connecting Your Network to the Internet

from the Internet, NAT provides an increased level of intranet security.

Note: RRAS can configure Internet connections that are created on demand or remain operational at all times. If you are setting up Demand Dial, skip the next section and proceed to the “Creating a Demand-Dial Internet Connection” section below.

Creating a Dedicated Internet Connection

In this scenario, we have two NICs, one Internal and the other External. The Internal NIC is connected to the network and has the static IP address of 10.10.1.90. The External NIC should be configured with the IP address assigned to you by your ISP, in this case 169.254.0.20. (We defined this earlier in the section “Assigning Reserved IP Addresses with DHCP”.)

1. Select Use the selected Internet connection, click the NIC connected to the

Internet and click Next as shown below.

2. Click Finish setup.

You have finished configuring your RRAS server as an Internet Connection Server with a dedicated network connection. Skip the next section unless you are planning to create a demand-dial Internet connection.

Creating a Demand-Dial Internet Connection

Instead of having a constant connection to the Internet, you may choose to connect only when your internal network users require access. RRAS can automate the connection process whenever someone tries to access the Internet. In this scenario, we have a modem for External Internet connectivity instead of a NIC. The external modem will require the ISP’s modem access telephone number.

Connecting Your Network to the Internet

1. Follow steps 1 through 4 in the Enable Routing section above. In the Internet

Connection dialog box, choose Create a new Demand-Dial Internet

Connection as shown below.

2. Click Next to apply changes and start the Demand Dial Interface Wizard.

3. Enter a descriptive name for the new Demand Dial interface and click Next.

4. Choose Connect using a modem, ISDN adapter, or other physical device and

click Next.

5. Select a modem as the connection device and click Next as shown below.

Connecting Your Network to the Internet

6. Enter the telephone phone number provided by your ISP and click Next.

7. Choose the desired protocols and security. You can customize this connection

with scripting and custom authentication. You will not be able to choose routing for protocols that are not installed on the system. Select Route IP packets on this interface and click Next as shown below.

8. Specify Dial-Out credentials for the remote router as shown below. This is your

Connecting Your Network to the Internet

ISP user name and password that will authenticate you with their systems. Click Next

to continue.

Note: ISPs who are not using Microsoft technology will not require a Domain and Domain password. If this applies to your ISP, you will need to leave these fields blank. If you supply a domain when none is required, authentication will fail.

9. Click Finish to complete the Demand Dial Interface Wizard.

Demand Dial Internet configuration

To complete the Demand Dial Internet configuration, you need to assign the static IP address to this external modem interface as shown below.

1. In the Routing and Remote Access Console, click Routing Interfaces. In the

panel on the right, right click the demand dial interface (ex. “ToISPRouter” ) and select Properties.

2. Select the Networking Tab and click Internet Protocol (TCP/IP). Click

Properties.

Connecting Your Network to the Internet

3. Select Use the following IP address, type the static IP address provided by

your ISP and click OK as shown below.

Connecting Your Network to the Internet

Congratulations. You have now completed configuring demand dial connections to the Internet. Similar to the Dedicated Internet configuration, this server now has a static Internal IP address reserved in the DHCP server and a static External IP address provided by the ISP. We now need to communicate this information to the client machines in the network by configuring the NICS and Modem Interfaces with the appropriate IP addresses. Updating the local DNS server for Internet naming resolution Before network clients can access the Internet, the network needs to know how to resolve Internet domain names. For example, if someone types in their Internet browser, the network should know to forward the name to the ISP’s DSN server for resolution.

To configure name resolution forwarding to the ISP’s DNS server:

1. Log on to the DNS Server as the Administrator. From the Start menu, point to

Programs, point to Administrative Tools, and click DNS.

2. Expand the DNS Server so that you see the Forward Lookup Zones and the

Reverse Lookup Zones. Expand the Forward Lookup Zones folder.