Internet Secrets Chapter 8

4620-1 ch08.f.qc
10/28/99
12:22 PM
Page 281
Chapter 8
Internet Secrets
In This Chapter
Learning how to connect to the Internet
Understanding Virtual Private Networks (VPN)
Understanding Point-to-Point Tunneling Protocol (PPTP)
Configuring Internet Explorer for Proxy Server and HTTPS (Secure)
This chapter could easily be an entire book. In fact, there are many books
on the Internet (you can see many of these books listed at
www.idgbooks.com). More important, let me set the tone for this chapter so
that you will know what to expect. The Internet is necessarily discussed in
almost every chapter of this book. So I am using this chapter to answer a few
questions about the Internet, ones that I frequently encounter as a practicing
Windows 2000 Server consultant.
Obviously the history of the Internet has been covered in more texts than
you or I care to count, so I’ll leave that topic alone. But it is interesting to
note that the Internet is creating its own history each day. Its short life to
date suggests that there are untold opportunities for you to capitalize on the
Internet. But for you to do that, you first need to successfully attach your
Windows 2000 server to the Internet. You have several ways to do this. In this
chapter, after installing Remote Access Service, I’ll proceed with the dial-up
approach and work toward more complex Internet configurations.
Configuring Remote Access Service
Hail to Windows 2000 Server, for it has simplified many tasks from its NT
predecessors, including the installation and configuration of Remote Access
Service (RAS). But first, a quick history lesson. You will recall that Remote
Access Server (RAS) has been part of the remote networking solution set in
Microsoft’s networking family since the earliest days of Windows NT Server
(at which time it would only interact with the NetBEUI protocol).
RAS has made something of a political comeback in the networking
community. For years, RAS enjoyed mixed reviews at best for its unreliable
support for modem-based dial-in and dial-out activity. However, with the
advent of Virtual Private Networks (VPNs), RAS is back. It actually manages
the VPN function very well in Windows 2000 Server, and I will discuss this
later in this chapter.
Well, RAS has come a long way in Windows 2000 Server. The RAS installation
is much more intuitive, starting with the Windows 2000 Configure Your Server
screen (see Figure 8-1). Following are the steps to configure Remote Access
Service for inbound Internet-based traffic. This sets the foundation for the
Virtual Private Networking (VPN) discussion later.
Figure 8-1: Windows 2000 Configure Your Server
STEPS:
Configure Remote Access Service
Step 1.
From the Windows 2000 Configure Your Server screen, select the
Networking link in the left pane and then select Remote Access.
Select the “Open” link to launch the Routing and Remote
Access MMC.
Right-click the server object in the left pane (for example, TCI1)
and select Configure and Enable Routing and Remote Access from
the secondary menu (see Figure 8-2).
Figure 8-2: Configure and Enable Routing and Remote Access selection
Step 2.
The Welcome screen of the Routing and Remote Access Server
Setup Wizard appears. Click Next.
Step 3.
The Common Configurations screen appears (see Figure 8-3).
Select Remote Access Server. Click Next.
Figure 8-3: Remote Access Server
Be very careful about selecting the Network router option. First of all, there
are many compelling reasons, such as advanced configuration management,
to use true routers (such as Cisco) on your Windows 2000 network. Second, it
enables two-way routing of network traffic to and from the Internet (if you’re
connected directly to the Internet) and overrides the safeguards imposed by
Microsoft Proxy Server’s local address table (LAT).
Step 4.
The Remote Client Protocols screen appears (see Figure 8-4).
Select the appropriate button to accept or elect to add more
networking protocols for remote access. Click Next.
Figure 8-4: Remote Client Protocols screen
Step 5.
The IP Address Assignment screen appears (see Figure 8-5). After
making your selection, click Next.
Figure 8-5: IP Address Assignment screen
Step 6.
The Managing Multiple Remote Access Servers screen appears
(see Figure 8-6). The screen allows you to elect to manage all RAS
servers from a central point. This election clearly depends on
whether you are managing a smaller LAN with only one RAS
server (in which case the answer would be “No”) or managing a
RAS server farm (in which case the answer would be “Yes”). Make
a selection and click Next.
Figure 8-6: Managing Multiple Remote Access Servers screen
Step 7.
Click Finish on the Completing the Routing and Remote Access
Server Setup Wizard to complete the RAS configuration (see Figure
8-7). You will be returned to the Routing and Remote Access MMC.
Select the WAN Miniport and click the Configure button. Select the
Remote access (inbound) checkbox and enter the number of
Maximum ports you want to allow (see Figure 8-7). The default
is five for Maximum ports, which means you’ve configured five
virtual circuits for your Virtual Private Network (VPN). That
means up to five VPN connections can exist at one time.
Figure 8-7: Finishing the RAS configuration
Take a moment to look over the RAS configuration you have created by
expanding the objects in the left pane of the Routing and Remote Access
MMC. For example, if you select the Ports object in the left pane (below the
server object), you will see the WAN Miniports that have been created with
VPN support in the right pane (see Figure 8-8).
Figure 8-8: Ports
The L2TP ports relate to having the Remote Access Server use Internet
Protocol security (IPSEC), a topic I cover in Chapter 13.
If you right-click on the Ports object in the left pane and select Properties from
the secondary menu, a Port Properties dialog box will be displayed that provides
detailed information on the ports and allows you to modify the configurations
(see Figure 8-9).
Figure 8-9: Ports Properties
The number of maximum ports you configure will create the denominator for
the multiplexing algorithm used in Windows 2000 Server VPN scenarios. Huh?
Simply stated, if you configure five ports, and you have five VPN sessions
occurring simultaneously, the five sessions collectively divide the WAN
bandwidth you have. For example, if your WAN link were a 256Kbps
connection, this bandwidth would be divided amongst the active VPN
sessions. Be sure to consider that fact when you decide on the maximum
ports to configure. Perhaps you only want a few (say two) ports configured to
protect your WAN-related bandwidth!
To modify the configuration, select the Configure button while one of the
devices is selected. The Configure Device screen will appear. Note in Figure
8-10, the PPTP WAN Miniport is configured for inbound connections only.
This occurs because the Remote access connections (inbound only)
checkbox is selected.
Figure 8-10: Port configuration
With a right-click on the Remote Access Policies object, and by selecting New,
Remote Access Policy from the secondary menu, you can create a RAS policy
that meets your needs. For example, you can establish day and time
restrictions that a user can or cannot access your network via a VPN
connection (see Figure 8-11).
Dial-Up Connection
Historically, RAS has been presented in the context of dial-in users. But did
you know that RAS is used to expedite connections to the Internet as well? I’ll
explore RAS’s role in Windows 2000 Server starting with a simple dial-up
scenario.
Figure 8-11: Time of day constraints
A simple dial-up connection to the Internet assumes that you have performed
several tasks:
■ You have correctly installed a modem via the Phone and Modem Options
applet under the Control Panel.
■ You have installed the TCP/IP protocol. This was discussed in Chapter 4.
■ You have a valid Internet user account with the Internet service provider
(ISP) of your choice. This should be a dial-up account that supports PPP,
not SLIP. Such accounts for individuals with unlimited use average $20 to
$25 per month. Business dial-up accounts are more expensive, but can
easily be found for under $100 per month, with $50 per month being
the average.
■ You have installed and configured RAS using the preceding steps (in the
Configuring Remote Access Service section).
■ It is also important that the dial-out RAS capabilities be configured to use
the TCP/IP protocol for an Internet connection scenario (again, see the
preceding discussion in the Configuring Remote Access Service section).
■ You have configured a network and dial-up connection. These steps are
explained in the text that follows.
Creating and configuring a dial-up connection to the Internet can be
dramatically easier if you request the setup configuration information from
your ISP. By working closely with your ISP, you can save time when
configuring your dial-up Internet connection.
Every ISP that I’ve worked with will provide setup instructions on their Web
page to assist you (see Figure 8-12). What information isn’t provided on their
Web page can usually be obtained with a quick telephone call to the ISP’s
technical support group. In fact, the ease with which you obtain the
configuration information that you need is a leading indicator of how strong
your relationship with the ISP will be.
Figure 8-12: An ISP dial-up configuration FAQ
Configuring a network and dial-up connection
Assuming that you’ve addressed each of the prerequisite points just
described, it is now time to configure a dial-up connection.
STEPS:
To configure a dial-up connection
Step 1.
Launch the Network and Dial-up Connections applet in Control
Panel. The Network and Dial-up Connections screen will appear.
Step 2.
Double-click the Make New Connection button. The Welcome to
the Network Connection Wizard appears. Click Next.
Step 3.
The Network Connection Type screen appears (see Figure 8-13).
Select the Dial-up to the Internet radio button. Click Next. The
Internet Connection Wizard appears (see Figure 8-14).
Figure 8-13: Network Connection Type screen
Figure 8-14: Internet Connection Wizard
The Internet Connection Wizard (ICW) first made its appearance in Small
Business Server (SBS) and, having proved popular, was imported to Windows
2000 Server. I discuss SBS in Chapter 16.
Step 4.
The Setting up your Internet connection screen appears. You will
select between connecting to the Internet with a phone and
modem or from a local area network (LAN). After making your
selection, click Next.
Step 5.
The Step 1 of 3: Internet account connection information screen
appears (see Figure 8-15). Enter the telephone number for your
Internet Service Provider (ISP).
Figure 8-15: Internet account connection information
Microsoft claims “Most ISPs do not require advanced settings” on the
Internet account connection information screen. This is not true. In fact,
more often than not, you will need to click the Advanced button to provide
DNS server information.
Step 6.
Click the Advanced button. The Advanced Connection Properties
dialog box will be displayed. Select the Addresses tab (see Figure
8-16). Complete the address information as required and click OK.
Figure 8-16: Advanced Connection Properties — Addresses
It is here that you will provide IP address information and DNS
information relating to your ISP connection. In most cases, your IP
address is dynamically assigned when you’re just a good old end
user; if you’re using a dedicated dial-up connection for your
server and it’s running Microsoft Exchange (and the Internet Mail
Service), you’ll most likely have a dedicated IP address to
facilitate your e-mail routing (MX record-related).
Also note on the Connection tab of the Advanced Connection
Properties that Point to Point Protocol (PPP) is selected by
default. This is typically correct, as few ISPs now support Serial
Line Internet Protocol (SLIP) connections.
Step 7.
Assuming you completed any advanced configurations, you are
now back at the Step 1 of 3: Internet account connection
information screen. Click Next.
One final word on telephone numbers. Be advised that you may
need to enter the full ten-digit telephone number for additional
telephone numbers supported by your ISP within the same
general geographic area. With the advent of area code
redistricting, ten-digit telephone numbers may be needed to place
a call within your city (or even the same neighborhood!). For
example, in Seattle, the metropolitan area now has several area
codes, including 206, 425, 360, and 253. You only need to dial the
area code and the telephone number to place a call locally; you do
not need to precede the area code with a “1” when calling these
area codes within the Seattle area.
Step 8.
The Step 2 of 3: Internet account logon information screen
appears. Enter your ISP logon name and password. Click Next.
Step 9.
The Step 3 of 3: Configuring your computer screen appears.
Provide a connection name and click Next.
Step 10. The Set Up Your Internet Mail Account screen appears. It is here
you would configure your POP e-mail account. To be honest, in
most cases with Windows 2000 Server it is unlikely you would be
configuring a POP e-mail account at the server. You are more likely
to use a Microsoft Exchange-based e-mail account (let’s be serious
here!). Select Yes or No and click Next.
Step 11. Assuming you selected No in Step 10, the Complete Configuration
screen will appear. Click Finish to complete dial-up configuration
via the ICW.
The preceding steps to configure an Internet dial-up connection will
automatically modify your Internet Explorer (IE) configuration to use the new
default dial-up connection that you have created. If you are on a network and
using a full-time Internet connection, this will come as a big surprise to you.
To fix this undocumented misconfiguration, simply launch IE and select
Internet Options from the Tools menu. Select the Connections tab. Note the
Always dial my default connection radio button was automatically selected
for you as a result of the steps you just performed. I recommend that you
select the Dial whenever a network connection is not present radio button.
Dialing the Internet
It is now time to call your ISP, successfully connect, and start using the
Internet. There is no greater test in the eyes of your users than the ability to
connect to and use the Internet. In fact, it’s unlikely users have much interest
in the settings covered in this chapter; they just want to use the Internet. My
advice on connecting to the Internet? Be sure to test this feature several
times under different conditions and times of day before announcing your
new Internet connection. There is nothing more disconcerting than to
implement many of the Internet dial-up settings displayed in this chapter
only to have your users call and say, “I can’t get my Internet e-mail.” Proper
and extensive testing of the Internet dialing capability will prevent such calls.
Assuming that you have successfully configured your network and dial-up
connection (the steps earlier in this chapter), you are now ready to connect
to the Internet.
STEPS:
To connect to the Internet via Network and Dial-Up Connections
Step 1.
Launch the Network and Dial-Up Connection applet from
Control Panel.
Step 2.
Double-click the connection you want to use (for example,
NWLink).
Step 3.
The Connect dialog box appears (see Figure 8-17). Confirm the
user name and password you will use to connect to the Internet.
Click the Dial button.
Figure 8-17: Connect dialog box
Step 4.
After a few moments, you should be successfully connected to the
Internet via your ISP.
You are now ready to browse with your Web browser.
If you have any troubles with your Internet dial-up connection, click the
Properties button on the Connect dialog box. You may then double-check your
settings on the General, Options, Security, Networking, and Sharing tabs.
Dial-up connection status
Often, it is desirable to know whether or not you are still connected to the
Internet or to know the speed at which you are connected. Just observing the
dancing activity light on an external modem is not helpful.
You can monitor your Internet connection activity via the Routing and
Remote Access MMC. Simply expand the server object in the left pane (for
example, TCI1) and click Ports so that all of the ports are listed in the right
pane (see Figure 8-18).
Figure 8-18: Routing and Remote Access MMC
Then double-click the port which is responsible for your Internet connection
(for example, Sportster 28800...Modem). The Port Status dialog box will be
displayed (see Figure 8-19). I have found the Port Status dialog box to be
useful for more than just confirming my connection, connection speed, and
call duration. It has been invaluable when working with technical support
from the ISP to troubleshoot connection problems.
The Port Status dialog box replaces Dial-Up Networking Monitor from
Windows NT Server’s Control Panel. You might recall Port Status was a tab
sheet in Dial-Up Networking Monitor (the other two tab sheets were
Summary and Preferences).
Figure 8-19: Port Status dialog box
Port Status does not update dynamically, so you have to press F5 or open and
close it repeatedly to refresh the screen. You may recall that the Status tab
sheet in Windows NT Server 4.0’s Dial-Up Networking Monitor did update
dynamically.
Dial-up networking with ISDN modems
Connecting to the Internet via Network and Dial-up Connections with an ISDN
modem is not very different from connecting via an analog modem. Two
items must be addressed. First, make sure you have ordered and worked
closely with your local telephone company to ensure that you have a fully
functional and tested ISDN line at your location. Second, be sure to correctly
install your ISDN modem on your Windows 2000 server. It will most likely be
necessary to use the Windows 2000 Server drivers on the driver disk that
ships with your ISDN modem.
Note that the preceding discussion applies to ISDN modems, not ISDN
routers. ISDN routers are discussed in the text that follows.
Digital and Wide Area Network Internet Connections
Certainly one of the most popular, reliable, and robust ways for Windows
2000 servers to connect to the Internet is directly via a digital network
connection. But the term “directly” can mean a lot of different things. I will
discuss five Internet/network connection scenarios, but understand that
depending on how you design your Windows 2000 Server network, there are
many different ways to connect to the Internet.
Scenario 1: ISDN router
An ISDN router (see Figure 8-20) is a low-cost solution for many businesses
that enables a robust connection using either one (64Kbps) or two (128Kbps)
ISDN channels to connect to your ISP. Typically, ISPs offer an ISDN connection
solution that may act as dial-on-demand where the ISDN router calls the ISP
and establishes a connection every time Internet-bound activity is detected
by the ISDN router. These ISDN dial-on-demand arrangements usually have a
monthly connect hour limit (say 200 hours), after which the business pays
something like $10 per hour for each additional connection hour. Such
dial-on-demand arrangements can often cost under $200 per month. Another ISDN
router-based solution is a full-time connection to the ISP, which by definition
assures unlimited connection hours. This type of arrangement typically
starts at $300 per month, but the charges may vary widely between ISPs.
Figure 8-20: An ISDN router connection path to the Internet (ISP side: ISP host and DNS servers 198.137.231.1 and 192.135.191.1 behind the ISP's ISDN router; customer side: ISDN router with LAN port 204.6.107.199 on the Ethernet segment shared with the Windows 2000 Server at 204.6.107.200)
This router-based Internet connection solution requires that you make
two entries on your Windows 2000 server for the connection to be fully
functional. It also requires that your ISDN router be properly programmed to
accommodate LAN and real Internet IP addresses and dial the ISP. First, you
will need to make sure that the default gateway value for the TCP/IP
configuration is populated with the address of the router’s LAN port. Second,
you will need to complete the DNS fields on the DNS tab sheet with the DNS
IP address values provided by your ISP.
Note that in the remaining four Internet/network connection scenarios, it
will be necessary to populate the default gateway and DNS fields in a
similar manner. The key point to remember is that the default gateway field is
typically the LAN port of the router (unless you are instructed otherwise,
such as in a firewall scenario) and the DNS IP address values are the DNS
servers used by the ISP. And in each of these scenarios, significant
programming of the routers is required. Don’t kid yourself otherwise.
Scenario 2: ISDN and WAN combination
An ISDN connection may be combined with a WAN (see Figure 8-21) by small
companies that may have an existing corporate WAN and want the Internet
connection to be separate. I’ve seen this type of implementation in older
business firms where old-guard CEOs and the like believe a separate Internet
connection is the safest connection. And who is to say that they are wrong?
Such a scenario also centralizes all Internet traffic through a single point,
typically the home office of the company.
Scenario 3: Direct Frame Relay connection
Direct Frame Relay (Figure 8-22) is one of the most popular Windows 2000
Server Internet connection scenarios. Here, the ISP is connected via a frame
relay WAN connection. This is a straightforward solution that enables
different types of communications standards such as fractional T1, full T1, or
even faster solutions to be easily implemented.
Many old timers in the WAN connectivity area still consider a frame relay
connection to be the most robust connection of all, even when compared to
such new offerings as DSL and cable modems. However, note that I didn’t say
frame relay was the cheapest, but perhaps the most reliable.
Figure 8-21: An ISDN and WAN connection to the Internet (ISP side as in Figure 8-20; customer's LAN/WAN: home office Ethernet with the ISDN router LAN port 204.6.107.199 and the Windows 2000 Server at 204.6.107.200, joined to the branch office Ethernet through a frame relay cloud between the corporate WAN router and the branch office router)
Figure 8-22: A frame relay connection between customer and ISP (customer's LAN: Windows 2000 Server 204.6.107.200 and router LAN port 204.6.107.199; frame relay cloud to the ISP's router and ISP host on the Internet)
Scenario 4: WAN connection
A WAN connection (Figure 8-23) is another popular Internet connection
scenario for Windows 2000 Server networks. Here the ISP is a node on the
company WAN. Simply stated, other nodes such as branch offices connect
directly to the ISP without having to route Internet-bound traffic through the
home office. With sufficient firewall protection in place, this is both a viable
and desirable solution.
Figure 8-23: An Internet connection via a company WAN (customer's LAN: Windows 2000 Server 204.6.107.200 and router LAN port 204.6.107.199; branch office Ethernets, each with its own branch office router, reach the ISP's router and ISP host across the frame relay cloud)
Scenario 5: WAN over the Internet (VPN)
A WAN over the Internet is an increasingly popular connection scenario
where each company node is also a node on the Internet. That is, the
company WAN uses the Internet as its network backbone in a safe and
secure manner.
Such a scenario demands that the ISP be reliable, as it plays a central role in
this solution. It is not a good idea to shop for ISPs by price alone when looking
at implementing a virtual private network (VPN) solution (see Figure 8-24).
Figure 8-24: A company VPN over the Internet (main office Windows 2000 Server 204.6.107.200 and two branch office Windows 2000 Servers, each behind its own router and ISP, joined across the Internet as a virtual private network)
The good news is that everyone enjoys a robust connection to the ISP and
thus the Internet. That will keep the Web surfers happy.
VPNs are further discussed in the next section on Virtual Private Networks.
Scenario 6: DSL connections
Another popular broadband connection to the Internet today is Digital
Subscriber Lines (DSL). Using telephone lines (copper wire), you can make a
high speed, full-time connection to the Internet for a surprisingly low cost (as
low as $30 per month for full-time connection to the Internet).
Implementing a DSL solution is easy. It’s the old two NIC-a-roo trick. That
is, you place two network adapters in your Windows 2000 server. The first
network adapter is for the internal LAN (say 10.0.0.x). The second NIC card is
for the direct connection, using a crossover cable to the DSL router (a.k.a.
modem, bridge). Figure 8-25 shows the most common DSL implementation.
Figure 8-25: Common DSL implementation (Windows 2000 Server with NIC #1 on the internal network and NIC #2 connected to the DSL router/bridge, which connects through the telco's DSL service to the ISP and the Internet)
Depending on your telephone company, ISP and DSL router manufacturer,
you may be using the DSL router as a modem or a bridge. You’ll know you’re
using the DSL router as a router when you explicitly program the LAN
and WAN ports with IP addresses and perhaps enable network address
translation (NAT) so your SMTP-based e-mail can flow through to your mail
server. You can tell you’re using your DSL router as a modem or bridge if you
perform virtually no configuration tasks and you just plug it in, enabling
traffic to flow through it without any activity performed against the traffic
(for example, routing).
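As an added example (not code from the book), a small Python checker for the TCP/IP settings these scenarios call for: the default gateway must be the router's LAN port on the server's own subnet, the DNS entries must be the ISP's servers, and in the two-NIC DSL layout the internal adapter must carry a private address and no default gateway of its own. The public addresses and ISP DNS servers are the ones printed in Figures 8-20 through 8-22; the 10.0.0.0/24 internal LAN, the NIC names and the misconfigured sample are constructed.

```python
"""Check a Windows 2000 server's TCP/IP layout against the chapter's rules:
default gateway = router LAN port on-link, DNS = the ISP's servers, and in the
two-NIC (DSL/cable) layout a private internal NIC with no gateway of its own.
Added example; the sample internal range and NIC names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional

# ISP DNS servers as printed in Figures 8-20 through 8-22.
ISP_DNS = {IPv4Address("198.137.231.1"), IPv4Address("192.135.191.1")}


@dataclass
class Nic:
    name: str
    address: str                  # "204.6.107.200/24" style
    gateway: Optional[str] = None
    dns: List[str] = field(default_factory=list)
    role: str = "external"        # "external" faces the router, "internal" the LAN


def check_config(nics: List[Nic]) -> List[str]:
    """Return a list of findings; an empty list means the layout matches the
    chapter's rules. Every finding names the NIC it applies to."""
    findings: List[str] = []
    gateways = 0
    for nic in nics:
        iface = IPv4Interface(nic.address)
        if nic.role == "internal":
            # Internal LAN adapter: private range, and never a second default route.
            if not iface.ip.is_private:
                findings.append(f"{nic.name}: internal NIC should use a private range, got {iface.ip}")
            if nic.gateway:
                findings.append(f"{nic.name}: internal NIC must not have a default gateway")
            continue
        # External adapter: gateway required, on the same subnet, and not ourselves.
        if not nic.gateway:
            findings.append(f"{nic.name}: default gateway (router LAN port) is missing")
        else:
            gateways += 1
            gw = IPv4Address(nic.gateway)
            if gw not in iface.network:
                findings.append(f"{nic.name}: gateway {gw} is not on subnet {iface.network}")
            elif gw == iface.ip:
                findings.append(f"{nic.name}: gateway must be the router, not the server's own address")
        if not nic.dns:
            findings.append(f"{nic.name}: no DNS servers configured")
        for server in nic.dns:
            if IPv4Address(server) not in ISP_DNS:
                findings.append(f"{nic.name}: DNS server {server} is not one the ISP provided")
    if gateways > 1:
        findings.append("more than one default gateway configured; traffic may leave by the wrong NIC")
    return findings


# Scenario 1 (Figure 8-20): a single NIC behind the ISDN router.
ISDN_ROUTER = [
    Nic("Local Area Connection", "204.6.107.200/24", gateway="204.6.107.199",
        dns=["198.137.231.1", "192.135.191.1"]),
]

# The "two NIC-a-roo" DSL layout (Figure 8-25): NIC #1 on the internal 10.0.0.x LAN
# (assumed /24), NIC #2 cross-wired to the DSL router.
DSL_TWO_NIC = [
    Nic("NIC #1 Internal", "10.0.0.1/24", role="internal"),
    Nic("NIC #2 DSL", "204.6.107.200/24", gateway="204.6.107.199",
        dns=["198.137.231.1", "192.135.191.1"]),
]

# Constructed broken variant: the internal NIC was given its own gateway, the
# external gateway is off-subnet, and one DNS address was mistyped.
DSL_MISCONFIGURED = [
    Nic("NIC #1 Internal", "10.0.0.1/24", gateway="10.0.0.254", role="internal"),
    Nic("NIC #2 DSL", "204.6.107.200/24", gateway="204.6.108.199",
        dns=["198.137.231.1", "192.135.191.10"]),
]

if __name__ == "__main__":
    for label, cfg in [("ISDN router", ISDN_ROUTER), ("DSL two-NIC", DSL_TWO_NIC),
                       ("DSL misconfigured", DSL_MISCONFIGURED)]:
        print(f"{label}: {check_config(cfg) or 'OK'}")
```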
Many telephone companies are in the business of providing DSL services (see
Figure 8-26). In fact, I can say that it’s most likely the fastest growing segment
of telephone company services today. Why? You’re already wired for it in
your business and home if you have a telephone line connected and are
located near one of the telephone company’s central offices.
You typically must be within 15,000 linear cable feet of a telephone
company’s central office to qualify for DSL service. This isn’t a good old
“as-the-crow-flies” measurement. Rather, it’s within 15,000 feet of cable, and given
the odd twists and turns cable runs can snake themselves into, 15,000 feet for
the purposes of measuring DSL eligibility is going to be significantly less than
you would imagine if you were to get into your car, drive to the neighborhood
central office (CO), and determine your drive was less than three miles or
approximately 15,000 feet.
Figure 8-26: US West DSL Service
The 15,000-foot CO-related DSL eligibility limitation mentioned previously is
subject to change as telephone companies perfect the delivery of DSL
services, develop better communication algorithms and, best of all, place
repeaters between you and the CO to regenerate the DSL signal! In other
words, the 15,000-foot value is likely to increase to 20,000 feet or more in
the near future.
Scenario 7: Cable modems
A viable alternative to DSL service when seeking a high-speed and low-cost
connection to the Internet is the use of cable modems. Cable modems, as
the name implies, are network communication devices that connect your
computer to the coaxial TV cable you’ve probably become addicted to (not
the cable, but the cable service!). Dollar for dollar, cable modem-based
Internet connections compare with DSL services when it comes to speed,
cost, and reliability (not that all three components can’t be improved). And in
many ways, the cable modem infrastructure is similar to DSL (two network
adapters, communications intermediary), as seen in Figure 8-27.
Figure 8-27: Cable modem service (Windows 2000 Server with NIC #1 on the internal network and NIC #2 connected to the cable modem, which connects through the cable service provider to the ISP, often the same company as the cable service provider, and on to the Internet)
But there are subtle differences between cable modem and DSL service. I’ve
found the following to be true:
■ Bursty caching. Cable modem service is much more bursty than DSL. I
found this out when a DSL-based VPN could accommodate entries into
the corporate database without falling behind the keystrokes. The same
scenario with cable modem service found the users getting ahead of the
keyboard (that is, the character typed didn’t appear on the screen for
several seconds).
■ Multiplexed situation. You are one with your neighbors in a cable modem
scenario. Why? Because you are dividing that coaxial cable with your
teenage kids watching MTV-2, your neighbor’s cable modem session, and
that sports nut down the block watching ESPN. Simply stated, with cable
modem service, you split the available bandwidth with everyone using
the cable service on your block. That means, of course, that you will
suffer poor performance via the cable modem connection as more and
more neighbors log on to the Internet using the same approach.
With cable modems, if possible, attempt to do your Internet computing
session during non-peak hours such as midday when fewer neighbors are
watching cable TV. It makes a dramatic difference in the performance you will
enjoy with your cable modem service.
■ Primarily home use. The cable service providers have positioned cable
modem services for use by homes, not businesses. One workaround for
this is to run a small business from home, which won’t raise the
suspicions of the cable company.
■ No Internet hosting. Because cable modem services are multiplexed
solutions and are oriented to home use, the cable companies are very
strict that you should not run a bona fide Internet server on the host
computer you’ve attached to the cable modem service. In other words,
don’t be runnin’ a WWW or FTP server from your Windows 2000 Server
at your home office when you have a cable modem service.
It’s another case of necessity being the mother of invention. Consider the
following the next time you’re in the middle of the boonies and you don’t
qualify for DSL service: try cable modem service! That’s exactly what I did for
a branch office of a not-for-profit that was literally located miles down a
country road. It quickly became apparent that DSL wouldn’t work, but TCI
provided cable modem service in the area. The service was ordered and
implemented, enabling the end result, creating a VPN back to the home office,
to be successfully achieved at a relatively low cost compared to frame relay.
My point is that you should consider cable modem service when nothing
else works.
Several cable companies, including TCI (see Figure 8-28), are now providing
cable modem services. To be brutally honest, the rollout of cable modem
service is lagging significantly behind that of DSL services. Part of the reason
is that cable companies must make significant infrastructure upgrades to
accommodate cable modem service (such as making the flow of information
two-way instead of one-way).
Figure 8-28: TCI cable modem service
Virtual Private Networks
I’ll never forget that day. There I was, sitting in the IS Director’s office at a
leading water cutting tool manufacturer. I was being quizzed relentlessly
over the pluses and minuses of Windows NT Server 4.0, which at that time
had just been released. The question posed was to name the top new features
in Windows NT Server 4.0. After striking out with the obvious answers such
as the new Windows 95-like GUI desktop, I gave up. The correct answer, in the
eyes of the IS Director, was that Point-to-Point Tunneling Protocol (PPTP) was
the top new feature in Windows NT Server 4.0.
My experience that day spawned a lingering curiosity to learn more about
PPTP and VPNs and to visit sites that have successfully deployed this
solution. Whereas in the Windows NT days, finding successfully deployed
VPNs was a challenge, I can report with great excitement that in the era of
Windows 2000 Server, VPNs are now commonplace.
Defining Virtual Private Networking
It is now possible to feel connected to your company’s network while
working from home or traveling on the road via a virtual private network
(VPN). More importantly, network administrators appreciate the security
provided by the point-to-point tunneling protocol (discussed next). As you
would expect, the virtual nature of a VPN means that you do not have to be
located within the four walls of your company. You can be outside,
connecting to the company network via the Internet. Read on.
Defining PPTP
PPTP is really nothing more than a network communications protocol that
permits the secure transfer of data from a remote site, such as a branch
office, to a host server (typically the main server at the home office).
Implementing this solution creates a virtual private network running over
TCP/IP-based networks, such as the Internet. PPTP may be implemented over
the Internet with a dial-up connection or with the LAN/WAN digital
connections discussed in the previous section. In fact, Scenario 5 depicted
a VPN that shows a typical PPTP implementation (see Figure 8-24).
Security is implemented via encryption. The encryption occurs when the
data is prepared for transmission over the Internet “tunnel” and the data
packets are encapsulated by PPTP.
Because of this encapsulation, the underlying LAN or network at the ends of
the VPN may actually use any of three networking protocols: TCP/IP, NetBEUI,
or IPX/SPX. Contrary to popular belief, the VPN clients do not need to use
TCP/IP on their internal LANs.
It is also important to understand that your ISP must support PPTP. The list
of ISPs that provide such support is growing. When Windows NT Server 4.0
was first released, there was only one ISP in the Seattle area (Microsoft’s
hometown) that provided such support. Now it is an exception to find an ISP
that doesn’t support PPTP. Even the granddaddy of them all, CompuServe,
supports PPTP (believe it or not!).
The PPTP server must be Windows 2000 Server or Windows NT Server 4.0.
PPTP clients may be Windows 2000 Server, Windows 2000 Professional,
Windows NT Server 4.0, Windows NT Workstation 4.0, or Windows 98/95.
Many resources are available for learning about how to implement PPTP
over the Internet. Your ISP will provide you with specific PPTP configuration
parameters, such as IP addresses, use of PPTP filtering, and so on. Searching
Microsoft's support area on its Web site (www.microsoft.com) will yield
several pages on PPTP configurations.
PPTP was installed on a Windows 2000 Server in the first part of this chapter
in the Configuring Remote Access Service section. You will also need to
install PPTP and VPN functionality on the client machine that will “VPN” into
the corporate network. Here are the steps for implementing PPTP on a
Windows 98 workstation.
STEPS:
To install PPTP on a Windows 98 client
Step 1.
Launch the Network applet in Control Panel.
Step 2.
Select the Add button.
Step 3.
Select Adapters. Select Microsoft as the manufacturer and then
select the Microsoft Virtual Private Networking Adapter as shown
in Figure 8-29. Click OK and, if necessary, provide the path to the
Windows 98 source files.
Figure 8-29: The Microsoft Virtual Private Networking Adapter
Step 4.
If you have already installed TCP/IP, click OK at the Network
dialog box and reboot your Windows 98 machine. If necessary,
install the TCP/IP protocol.
Step 5.
Log on to your Windows 98 workstation and launch Dial-up
Networking from My Computer.
Step 6.
Double-click Make New Connection. The Make New Connection
dialog box will appear.
Step 7.
Complete the name and device fields in a manner similar to Figure
8-30. It is important that you select Microsoft VPN Adapter in the
Select a device field. Click Next.
Figure 8-30: Make New Connection dialog box
Step 8.
On the next screen, type in the host name or IP address (see
Figure 8-31). This is the Internet-side IP address of the Windows
2000 Server network adapter card. This address is akin to dialing a
telephone number to reach the VPN-capable Windows 2000
Server. It is also the address that is configured as an RAS-capable
device. Click Next.
For reasons I can’t fully explain, I have had much greater success trying to
VPN into a Windows 2000 Server using an IP address than the host name.
Somewhere, somehow the name resolution is going south on the ether.
Figure 8-31: Host name or IP address
Step 9.
Click Finish. You have completed the Windows 98 client-side VPN
configuration.
You are now ready to implement a VPN between a PPTP server and a client.
Here is how you would accomplish that. First, confirm the Windows 2000
Server and the workstation you intend to use have been properly set up. You
are then ready to initiate a VPN session between remote host and Windows
2000 Server.
STEPS:
To create a VPN session between a Windows 98 client and
Windows 2000 Server
Step 1.
From Dial-up Networking on the Windows 98 client, launch the
VPN dialer you just created (for example, Corporate VPN). The
Connect To dialog box will appear.
Step 2.
Enter your Windows 2000 domain user name and password (see
Figure 8-32). Confirm the IP address or host name of the VPN-enabled
Windows 2000 Server you will contact.
Figure 8-32: Connect To dialog box
Step 3.
Click Connect. An attempt to connect to your Windows 2000
Server will be made. If successful, you will be logged on to the
domain. You have now established an RAS-based VPN session
with a Windows 2000 Server.
Another way to tell that you have successfully connected via a VPN session
to a Windows 2000 Server is to look for the tell-tale network connection icon
on the right side of your Windows 98 task bar. You know what I’m talking
about — those little green dual computers!
Step 4.
Many sites that use VPN solutions further extend the VPN session
by having the remote client (for example, the Windows 98 client)
attach to and make use of a Terminal Server (a.k.a. Microsoft
Windows Terminal Server) on the company network. Assuming
you plan to do this and have installed the Windows Terminal
Server client on your Windows 98 client, it is now time to launch
the Terminal Server Client (see Figure 8-33) found in the Terminal
Server Client program group.
Figure 8-33: Terminal Server Client
Step 5.
Enter the Terminal Server name or IP address (for example,
10.0.0.4) in the Server field and click Connect. A Terminal Server
session will be launched and the logon screen will appear (see
Figure 8-34). Note that I’ve had more luck trying to connect to a
Terminal Server via its IP address than its NetBIOS name
(go figure!).
Figure 8-34: Terminal Server session logon
Step 6.
Log on with your domain user name and password. Once
authenticated, you will be presented with a bona fide Terminal
Server session desktop (see Figure 8-35). You are now ready
to accomplish your work.
Figure 8-35: Terminal Server session desktop
Want a final look at “VPNing,” as I like to call the verb form of this activity? In
Figure 8-36, you can see the packet capture, via Network Monitor, of a VPN
session between two Windows 2000 servers over the Internet.
You will note the first several packets in the capture related to TCP and SMB
session establishment. Once the VPN session is established, the data is
encrypted and can’t be read with Network Monitor. I cover packet analysis
and Network Monitor in Chapter 19.
Figure 8-36: Packet capture of Windows 2000 Server-based VPN session
Internet Explorer Secrets
I would be remiss if the Web browser topic wasn’t at least addressed in this
chapter. On the other hand, it is important not to repeat the work of others
that will teach you how to use a browser. Such browser basic books are listed
at IDG Book’s Web site (www.idgbooks.com).
I assume that you know how to use a browser to access information on the
Internet. This assumption includes the ability to type an address, or URL, in
the address field of Internet Explorer (IE) to get to a Web site on the Internet.
Here’s an important secret that’s worth sharing. It’s an actual experience that
I’ve had at client sites involving IE. The situation was this: A law firm
administrator was responsible for managing the firm’s money market account
at one of the online stock brokerages (such as e*trade). Like many networks
that are connected to the Internet, this firm used a proxy server to protect
itself from intruders. But not only did the law firm need the firewall
protection of Proxy Server, but as I learned, an IS configuration modification
was required to permit the client to access the firm’s confidential trading
account information (which was an HTTPS secure session).
When implementing an Internet connection via a proxy server, it is necessary
to configure the proxy settings in IE so that browsing activity is directed
through the proxy server and HTTPS is permitted. To do this, complete the
following steps.
STEPS:
Configure Proxy Server and HTTPS support
Step 1.
Select Internet Options from the Tools menu in IE (Figure 8-37).
Figure 8-37: Internet Options — Connections
Step 2.
Select the LAN Settings button.
Step 3.
Select the Use a proxy server checkbox.
Step 4.
Select the Advanced button. The Proxy Settings dialog box will
appear.
Step 5.
Complete all of the fields with the appropriate Proxy Server IP
address (or host name) and Port value (see Figure 8-38). You may
also select the Use the same proxy server for all protocols
checkbox after populating the HTTP field to auto-populate each of
the remaining fields except the Socks field. Click OK. You will be
returned to the Local Area Network (LAN) Settings dialog box.
Figure 8-38: Proxy Settings dialog box
Step 6.
Click OK. You will be returned to the Internet Options dialog box.
Step 7.
Click OK. You will be returned to IE. You must close and open IE
for the new changes to take effect.
It is common to only configure the HTTP setting in the Proxy Settings dialog
box when using a proxy server on a network with IE. But many sites use
HTTPS, which is the Secure field on the Proxy Settings dialog box. If the
Secure field is left blank, you cannot access sites such as online stock
brokerages. And that was exactly the problem at the law firm. Once I “fixed”
the Secure field in IE’s Proxy Settings, the legal administrator was once again
able to manage the law firm’s money. That was an important victory for me,
the Windows NT Server consultant.
The Proxy client configuration in Microsoft Small Business Server (SBS)
leaves the Secure field blank (even though it populates the remaining Type
fields in the Proxy Settings dialog box). So if you want to access HTTPS sites
on an SBS client, you will need to manually configure the Secure setting on
your IE browsers. SBS is discussed in Chapter 16 of this book.
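The blank Secure field is easy to miss when the settings are pushed to many desktops rather than clicked through by hand. The following added example (not from the chapter) audits the per-protocol proxy string that the Proxy Settings dialog stores under the user's Internet Settings registry key and reports which dialog fields are blank; the sample values are constructed, and the registry path is an assumption about where Internet Explorer keeps the value.

```python
"""Audit an Internet Explorer ProxyServer value for blank proxy fields.

The Proxy Settings dialog writes either "host:port" (when "Use the same
proxy server for all protocols" is checked) or a per-protocol list such as
"http=host:port;https=host:port;ftp=host:port;socks=host:port". Assumption:
the value lives under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\
Internet Settings as the string "ProxyServer".
"""
from typing import Dict, List, Optional

# Dialog field names from the chapter mapped to the scheme keys IE stores.
FIELDS = {"HTTP": "http", "Secure": "https", "FTP": "ftp", "Socks": "socks"}


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Return {scheme: "host:port"} for a ProxyServer string."""
    value = value.strip()
    if not value:
        return {}
    if "=" not in value:
        # One proxy for all protocols; the dialog leaves the Socks field alone.
        return {scheme: value for scheme in ("http", "https", "ftp")}
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        scheme, _, hostport = entry.partition("=")
        if hostport.strip():  # "https=" with nothing after it is a blank field
            proxies[scheme.strip().lower()] = hostport.strip()
    return proxies


def missing_fields(value: str) -> List[str]:
    """Dialog fields (HTTP, Secure, FTP, Socks) that are blank for this value."""
    proxies = parse_proxy_server(value)
    return [field for field, scheme in FIELDS.items() if scheme not in proxies]


def read_proxy_server_from_registry() -> Optional[str]:
    """Read the live ProxyServer value on a Windows host (None elsewhere)."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        try:
            return winreg.QueryValueEx(key, "ProxyServer")[0]
        except FileNotFoundError:
            return None


if __name__ == "__main__":
    # Constructed sample: the law-firm setup with only the HTTP field filled in.
    print(missing_fields("http=proxy.corp.example:8080"))  # ['Secure', 'FTP', 'Socks']
```

A non-empty list containing "Secure" is the condition that blocked the HTTPS session in the story above.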
Summary
This chapter covered the following:
Configuring Remote Access Service
Dial-Up Connection
Digital and Wide Area Network Internet connections
Virtual Private Networks
Internet Explorer secrets
Configuring Internet Explorer for Proxy Server and HTTPS (Secure)