Welcome to article number 26 in my 70-240 in 15 minutes a week series. This week's article covers a variety of smaller topics including Internet Connection Sharing (ICS), Network Address Translation (NAT), and the Internet Authentication Service
(IAS) in Windows 2000. This includes a look at the similarities and differences between NAT and ICS, and how the use of IAS as a RADIUS server affects various aspects of the Windows 2000 remote access environment. This article again falls into the networking services portion of the series.
The material to be covered in the article includes:
- Internet Connection Sharing (ICS)
- Network Address Translation (NAT)
- Windows 2000 Implementation of RADIUS (IAS)
Internet Connection Sharing
A service first provided by Microsoft in its Windows 98 operating system, Internet Connection sharing is meant to allow a single Internet connection to be shared amongst multiple computers on a small network with minimal configuration. In Windows 2000, ICS is implemented via the actual sharing of a network interface, which has a 'real' IP address, either via a dial-up or fixed network connection. It is important to remember that ICS (which is available in both Windows 2000 Professional and Server) is mainly meant as a solution for small and home offices, and not larger enterprise environments.
How ICS actually works is quite simple. The machine on which ICS is configured is actually acting as a Network Address Translation (NAT) server. In a nutshell, Network Address Translation is usually used to translate between two connected ranges of IP addresses, usually one that is using a public IP address, and the other which is using a private address range. The 'external' interface has a real IP address, and the internal interface is given the private address 192.168.0.1. The system also acts as a sort of mini DHCP server, handing out IP addresses in the 192.168.0.0/24 range to clients on the internal network. To that end, clients use the addresses received, pointing to the 192.168.0.1 interface as their default gateway. The ICS system also does a DNS proxy function, meaning that all client hostname resolution requests will be forwarded to the ICS system for resolution via the configured external DNS parameters.
The actual configuration of ICS couldn't possibly be simpler. The key is to remember that you will require at least two interfaces on the ICS box. This might be accomplished using two network cards, or perhaps a network card and a dial-up connection such as one made via an ISDN adapter or analog modem. Remember the connection that you wish to 'share' is the one that will have the external IP address. If this is your modem, go into the properties of the connection object that you have created to connect to your ISP and share it as I have outlined below. If it were a second network card, you would access the Sharing tab of the appropriate Local Area Connection, and configure that instead. The sharing of a dial-up connection appears as is shown below:
Note the properties in the screen above. Enabling ICS is as simple as checking a checkbox, but you also have to decide whether or not you wish to enable on-demand dialing, which basically would enable the connection should a client on the external network make a request to an Internet-based resource. What you choose here would depend on the level of control that you wish to have over the Internet connection.
By default, ICS is configured such that all requests made to the external interface for resources inside your network are denied by default. This helps to protect your network from outside users. However, in many cases companies might be hosting FTP or Website internally, which they wish the outside world to be able to access. For these cases, you can configure options in the Settings area, as shown below:
These setting can include standard services such as those shown above (FTP, SMTP, etc), or can include custom applications that you can define on the applications tab. Note that these will allow you to specify an external port that will 'listen' for requests on the external interface, and then forward them to the appropriate internal address that you specify, as shown below:
Possibly the single most important thing to remember when running ICS is that all other internal DHCP servers must be removed, since ICS will be handling the DHCP server functionality on the network. Having other DHCP servers present may lead to conflicts.