Designing Internet Connectivity

Internet connectivity is important in just about every network today, and Windows 2000 can use a number of services to make Internet connectivity easier. Several services are available to implement Internet connectivity for a network:

  • Network Address Translation (NAT) provides a method of allowing Internet connectivity on a network with private IP addresses, eliminating the need for public addresses for every machine that accesses the Internet.

  • Internet Connection Sharing (ICS) is a simplified form of NAT that has easy configuration; it is also included with Windows 98/Me. ICS is best for small networks.

  • Microsoft Proxy Server 2.0 acts as a caching proxy and firewall for clients accessing Internet services.

NAT is included as part of Windows 2000; Microsoft Proxy Server 2.0 is a separate product available from Microsoft. At their most basic, both of these products provide an interface between a private network and the Internet. Which service to use depends on a number of factors:

Security

NAT provides a global way of allowing Internet access, but does not provide security. If you need to provide different Internet access to different users or different access to different Internet resources, Proxy Server is a better solution.

Routing and locations

NAT and ICS cannot be used on a routed network, unless separate NAT servers are used for each subnet. Proxy Server is a better solution for routed networks and for networks with multiple physical locations.

Resource sharing

NAT does not provide for clients’ sharing resources with Internet-based clients; Proxy Server allows you to control this access.

Network Address Translation (NAT)

Network Address Translation (NAT) is part of Windows 2000’s Routing and Remote Access Service. NAT, as discussed in Part IV, translates between public and private IP addresses. This provides the following benefits:

  • The private network is isolated from the Internet and secure from unauthorized access; only the NAT server is accessible from the Internet.

  • Private IP addresses can be used on most machines in the network, eliminating the difficulty of obtaining public IP addresses for all machines.

  • Acts as a simple DHCP server to assign addresses to clients from the pool of private addresses. This may eliminate the need for a separate DHCP server.

  • Forwards DNS requests, so clients on the private network can resolve Internet hostnames without the use of a local DNS server.

The technical details of configuring and using NAT are described in Part IV. The following sections discuss the factors you should consider when using NAT in your design for a network infrastructure.

Placement and connectivity of the NAT server

The NAT server can be any Windows 2000 Server machine, and one NAT server should be used per network. The NAT server needs at least two network adapters: one for the local subnet and one for Internet access. These can be interfaces to similar networks (e.g., Ethernet on both sides) or dissimilar networks (e.g., Ethernet and DSL Internet).

The NAT server should be placed in the network with easy connectivity to the entire subnet; each NAT server can serve only one subnet. NAT servers do not require a consistent or dedicated IP address, because clients contact the NAT server using DHCP broadcasts.

Replacing DHCP and DNS services

As mentioned above, a NAT server can perform the services of a basic DHCP server for a single subnet. The NAT server issues addresses from the private range of 192.168.0.1-255 by default and responds to broadcasts in the same way as a DHCP server.

You can configure whether the NAT server assigns IP addresses. Client configuration for NAT is the same as for DHCP: with Windows clients, simply set the Obtain an IP Address Automatically option.

The NAT server can also be configured to forward local DNS requests to a public DNS server (often, the DNS server of an ISP). This eliminates the need for a local DNS server. When this feature is enabled, the NAT server specifies its own address as the DNS server when it configures clients.

NAT should not be used to forward DNS requests if a DNS server is already present on the network. Instead, the local server can communicate with Internet-based DNS servers as needed to resolve external hostnames.

Allowing Internet access

An essential part of Internet connectivity is the ability for Internet servers to send data back to the client that requested it, and NAT allows for this. However, in the default configuration, NAT does not allow external clients to access computers on the private network.

If you wish to make one or more computers accessible from the public network, you can use one or both of the following NAT features:

Address pools

If you have more than one public address available, you can set aside an address to be mapped to a specific private network address.

Special ports

You can also set up a mapping for requests sent to a specific port number on the NAT server to be sent to a specific IP address and port number in the local network. This is useful for allowing Internet access to an internal web or other server.
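The following Python model is an added example, not code from the book or from Windows 2000 RRAS. It shows how the NAT behaviour described above falls out of one translation table: replies to client requests are let back in, unsolicited inbound traffic is dropped by default, and an address-pool mapping or a special-port mapping is what admits traffic to a published internal server. All addresses are constructed (RFC 5737 documentation ranges) and the class and method names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses for illustration only.
PUBLIC_IP = "203.0.113.10"        # the NAT server's Internet-facing interface
SPARE_PUBLIC_IP = "203.0.113.11"  # a second public address set aside for an address pool

@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    # state created by outbound traffic: public_port -> (priv_ip, priv_port, remote_ip, remote_port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    # "special ports": public_port -> (private_ip, private_port), configured by the administrator
    special_ports: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # "address pool": spare public address -> private address, configured by the administrator
    address_pool: Dict[str, str] = field(default_factory=dict)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Translate a packet leaving the private network; record state so the reply can return."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the private (ip, port) an Internet packet is delivered to, or None to drop it."""
        if dst_ip in self.address_pool:                 # whole public address mapped to one host
            return (self.address_pool[dst_ip], dst_port)
        if dst_ip != self.public_ip:
            return None
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):   # reply from the host the client contacted
            return entry[:2]
        if dst_port in self.special_ports:              # explicitly published internal server
            return self.special_ports[dst_port]
        return None                                     # default: unsolicited traffic not forwarded

def demo():
    """Walk through the cases discussed in the text and return each outcome."""
    nat = Nat(PUBLIC_IP)
    nat.special_ports[80] = ("192.168.0.10", 80)         # publish the internal web server
    nat.address_pool[SPARE_PUBLIC_IP] = "192.168.0.20"   # map the spare public address to one host
    out = nat.outbound("192.168.0.25", 5000, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, PUBLIC_IP, out[1])        # genuine reply: delivered
    wrong_src = nat.inbound("198.51.100.99", 80, PUBLIC_IP, out[1])   # other source, same port: dropped
    web = nat.inbound("198.51.100.99", 51234, PUBLIC_IP, 80)          # special port: delivered
    pooled = nat.inbound("198.51.100.99", 51234, SPARE_PUBLIC_IP, 22) # address pool: delivered
    unsolicited = nat.inbound("198.51.100.99", 51234, PUBLIC_IP, 3389) # nothing configured: dropped
    return out, reply, wrong_src, web, pooled, unsolicited
```

Note that an address-pool mapping exposes every port of the mapped host, whereas a special port exposes exactly one; the IP filtering recommended under NAT security is what narrows the former.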

NAT security

NAT is reasonably secure by default, allowing access only to the NAT machine and any other addresses or ports you have specifically made available. You can enhance NAT’s security by following these guidelines:

  • Use IP filtering on the Internet connection or on the NAT machine’s interface to the private network.

  • Use Windows 2000’s VPN features in combination with NAT to control user access to the network via the Internet.

Optimizing NAT

NAT can be optimized to provide better Internet connectivity and faster response times. Follow these guidelines to optimize your NAT design:

  • Consider dedicating a machine to NAT. On smaller networks you can use this machine for other services, such as DHCP.

  • Add additional modems or additional Internet connections to provide redundancy and increase bandwidth.

  • Dial-up Internet connections are affordable, but there is a significant delay when dialing. Consider a permanent Internet connection: DSL, in particular, is often equally affordable.

Microsoft Proxy Server

Microsoft Proxy Server 2.0 is the latest version of Microsoft’s proxy server product. Previous versions were included with Windows NT 4.0’s Option Pack; Windows 2000 Server does not include Proxy Server, but it is available separately from Microsoft.

A proxy server provides access to the Internet or a public network, similar to NAT. However, proxy servers also add the following features:

  • Security based on individual users, nodes, or Internet addresses

  • Caching for HTTP and FTP requests

  • Support for networks that span multiple subnets or locations

Microsoft Proxy Server 2.0 supports the new features of Windows 2000, including Active Directory integration. Proxy Server can also use Windows 2000’s IPSec feature to authenticate and encrypt data.

Basic proxy server design

A single proxy server is sufficient for small to medium networks. The proxy server should be placed within the private network and provided connectivity to the Internet or public network.

For larger networks, multiple proxy servers can be used. These can either offer services to separate subnets or act together as a proxy chain. This allows secondary proxies to add caching and availability to the main proxy server.

Proxy server clients can be configured to connect with the proxy server in one of three ways:

Proxy server client (WinSock Proxy)

Windows machines can use this client to automatically contact the proxy server for any IP request other than to the local network.

SOCKS proxy

For non-Windows machines, SOCKS supports a number of protocols and provides an alternative to the Windows-specific client.

Web proxy (HTTP/FTP)

With no client software, clients can simply contact the proxy server through a web browser. This works only for HTTP and FTP protocols.

Proxy server security

One of the key advantages to using Proxy Server for Internet connectivity rather than NAT is the built-in security features. Proxy Server’s security can be configured in one of two ways:

Active Directory integration

Proxy Server can be integrated with the Windows 2000 Active Directory, and users and groups in the Directory can be used to control Internet access.

Non-Active Directory

In networks based on operating systems other than Windows 2000, Active Directory integration cannot be used. Instead, the proxy server computer’s local users and groups can be used to secure Internet access.

Proxy Server 2.0 supports packet filtering, which allows you to restrict access to specific source or destination addresses, ports, or protocols. This allows you to specify exactly which sites can be accessed (grant access) or which cannot be accessed (deny access).

Domain filters, another Proxy Server feature, allow you to restrict access to Internet sites by domain name or IP address. As with packet filters, domain filters can be set to grant all access or deny all access by default, and you can specify exceptions to this rule.
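The following is an added example that models the grant-all or deny-all default with exceptions described for domain filters; it is not Proxy Server's own code, and the class, hostnames and addresses are constructed for illustration. It also shows a caveat of name-based exceptions: a request made to a raw IP address never matches a domain-name entry, so it falls through to the default rule.

```python
import ipaddress
from typing import List, Union

class DomainFilter:
    """Grant-by-default or deny-by-default, with exceptions by domain name or IP network."""

    def __init__(self, default_allow: bool):
        self.default_allow = default_allow
        self.exceptions: List[Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]] = []

    def add_exception(self, entry: str) -> None:
        """Accept either an address/network (e.g. 192.0.2.0/24) or a domain name."""
        try:
            self.exceptions.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            self.exceptions.append(entry.lower().lstrip("."))

    def matches(self, host: str) -> bool:
        """True if the requested host (name or literal IP) hits any exception entry."""
        host = host.lower()
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        for e in self.exceptions:
            if isinstance(e, str):
                # name entries cover the domain itself and any subdomain, never a literal IP
                if addr is None and (host == e or host.endswith("." + e)):
                    return True
            elif addr is not None and addr in e:
                return True
        return False

    def allowed(self, host: str) -> bool:
        """An exception inverts the default: grants under deny-all, denies under grant-all."""
        return self.default_allow != self.matches(host)

def demo_deny_default():
    f = DomainFilter(default_allow=False)   # deny all access; exceptions grant
    f.add_exception("example.com")
    f.add_exception("192.0.2.0/24")
    hosts = ["www.example.com", "example.com", "evil.example", "192.0.2.7", "198.51.100.7"]
    return {h: f.allowed(h) for h in hosts}

def demo_grant_default():
    f = DomainFilter(default_allow=True)    # grant all access; exceptions deny
    f.add_exception("blocked.example")
    # 198.51.100.9 is allowed even if it is blocked.example's address: the name entry never matches an IP
    return {h: f.allowed(h) for h in ["www.blocked.example", "www.example.com", "198.51.100.9"]}
```

Because of that fall-through, a grant-by-default policy that denies sites by name should also deny the corresponding IP networks, or be replaced by a deny-by-default policy with named exceptions.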

Web publishing

The Web Publishing feature of Proxy Server allows the proxy server to act as a gateway for incoming HTTP and FTP requests. After passing the proxy server’s security tests, these requests are forwarded to the specified internal web or FTP server.

This feature provides two main benefits: first, it allows the proxy server’s security mechanisms to prevent inappropriate access to the web server. Second, it allows you to operate one or more web or FTP servers on the internal network, without the need for public IP addresses.

Optimizing proxy server availability

Because a proxy server acts as the single gateway between a private network and the public Internet, a failure in the proxy server or its network connection can affect the whole network. The best way to prevent this is to have at least two proxy servers acting in an array. This not only improves performance, but also allows one proxy server to serve the entire network if the other fails.

For incoming requests, a proxy array also provides redundancy. In addition, the load balancing feature of Microsoft Proxy Server 2.0 allows incoming requests to be divided evenly between servers to prevent a slowdown of any one server. Round-robin DNS entries can also provide load balancing.

Optimizing proxy server performance

As the network grows, a proxy server can become a bottleneck, either for internal requests to access the Internet or for Internet-based access to an internal web or FTP server. Caching is one important way you can improve proxy server performance.

Proxy server supports two caching methods: passive caching, which simply caches requests as they are handled, and active caching, which anticipates requests and updates often-requested resources automatically. Use passive caching to conserve bandwidth; use active caching to provide increased performance.

Multiple servers may be needed if a single network is unable to quickly handle all requests. These can be configured in an array, or you can create a hierarchical arrangement with proxy servers in remote locations to minimize WAN traffic.
