Internet Secrets - DMC Cisco Networking...

Chapter 8

Internet Secrets

In This Chapter� Learning how to connect to the Internet

� Understanding Virtual Private Networks (VPN)

� Understanding Point-to-Point Tunneling Protocol (PPTP)

� Configuring Internet Explorer for Proxy Server and HTTPS (Secure)

This chapter could easily be an entire book. In fact, there are many bookson the Internet (you can see many of these books listed at

www.idgbooks.com). More important, let me set the tone for this chapter sothat you will know what to expect. The Internet is necessarily discussed inalmost every chapter of this book. So I am using this chapter to answer a fewquestions about the Internet, ones that I frequently encounter as a practicingWindows 2000 Server consultant.

Obviously the history of the Internet has been covered in more texts thanyou or I care to count, so I’ll leave that topic alone. But it is interesting tonote that the Internet is creating its own history each day. Its short life todate suggests that there are untold opportunities for you to capitalize on theInternet. But for you to do that, you first need to successfully attach yourWindows 2000 server to the Internet. You have several ways to do this. In thischapter, after installing Remote Access Service, I’ll proceed with the dial-upapproach and work toward more complex Internet configurations.

Configuring Remote Access ServiceHail to Windows 2000 Server, for it has simplified many tasks from its NTpredecessors, including the installation and configuration of Remote AccessService (RAS). But first, a quick history lesson. You will recall that RemoteAccess Server (RAS) has been part of the remote networking solution set inMicrosoft’s networking family since the earliest days of Windows NT Server(at which time it would only interact with the NetBEUI protocol).

4620-1 ch08.f.qc 10/28/99 12:22 PM Page 281

RAS has made something of a political comeback in the networkingcommunity. For years, RAS enjoyed mixed reviews at best for its unreliablesupport for modem-based dial-in and dial-out activity. However, with theadvent of Virtual Private Networks (VPNs), RAS is back. It actually managesthe VPN function very well in Windows 2000 Server, and I will discuss thislater in this chapter.

Well, RAS has come a long way in Windows 2000 Server. The RAS installationis much more intuitive, starting with the Windows 2000 Configure Your Serverscreen (see Figure 8-1). Following are the steps to configure Remote AccessService for inbound Internet-based traffic. This sets the foundation for theVirtual Private Networking (VPN) discussion later.

Figure 8-1: Windows 2000 Configure Your Server

STEPS:Configure Remote Access Service

Step 1. From the Windows 2000 Configure Your Server screen, select theNetworking link in the left pane and then select Remote Access.Select the “Open” link to launch the Routing and Remote Access MMC.

Right-click the server object in the left pane (for example, TCI1)and select Configure and Enable Routing and Remote Access fromthe secondary menu (see Figure 8-2).

282 Part II: TCP/IP■ ■

4620-1 ch08.f.qc 10/28/99 12:22 PM 82

Figure 8-2: Configure and Enable Routing and Remote Access selection

Step 2. The Welcome screen of the Routing and Remote Access ServerSetup Wizard appears. Click Next.

Step 3. The Common Configurations screen appears (see Figure 8-3).Select Remote Access Server. Click Next.

Figure 8-3: Remote Access Server

Be very careful about selecting the Network router option. First of all, thereare many compelling reasons, such as advanced configuration management,to use true routers (such as Cisco) on your Windows 2000 network. Second, itenables two-way routing of network traffic to and from the Internet (if you’reconnected directly to the Internet) and overrides the safeguards imposed byMicrosoft Proxy Server’s local address table (LAT).

Continued

Chapter 8: Internet Secrets 283■ ■

4620-1 ch08.f.qc 10/28/99 12:22 PM Page 283

STEPS:Configure Remote Access Service (continued)

Step 4. The Remote Client Protocols screen appears (see Figure 8-4).Select the appropriate button to accept or elect to add morenetworking protocols for remote access. Click Next.

Figure 8-4: Remote Client Protocols screen

Step 5. The IP Address Assignment screen appears (see Figure 8-5). Aftermaking your selection, click Next.

Figure 8-5: IP Address Assignment screen

Step 6. The Managing Multiple Remote Access Servers screen appears(see Figure 8-6). The screen allows you to elect to manage all RASservers from a central point. This election clearly depends onwhether you are managing a smaller LAN with only one RAS


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 284

server (in which case the answer would be “No”) or managing aRAS server farm (in which case the answer would be “Yes”). Makea selection and click Next.

Figure 8-6: Managing Multiple Remote Access Servers screen

Step 7. Click Finish on the Completing the Routing and Remote AccessServer Setup Wizard to complete the RAS configuration (see Figure8-7). You will be returned to the Routing and Remote Access MMC.Select the WAN Miniport and click the Configure button. Select theRemote access (inbound) checkbox and enter the number ofMaximum ports you want to allow (see Figure 8-7). The default is five for Maximum ports, which means you’ve configured fivevirtual circuits for your Virtual Private Network (VPN). That means up to five VPN connections can exist at one time.

Figure 8-7: Finishing the RAS configuration


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 285

Take a moment to look over the RAS configuration you have created byexpanding the objects in the left pane of the Routing and Remote AccessMMC. For example, if you select the Ports object in the left pane (below theserver object), you will see the WAN Miniports that have been created withVPN support in the right pane (see Figure 8-8).

Figure 8-8: Ports

The L2TP ports relate to having the Remote Access Server use InternetProtocol security (IPSEC), a topic I cover in Chapter 13.

If you right-click on the Ports object in the left pane and select Properties fromthe secondary menu, a Port Properties dialog box will be displayed that providesdetailed information on the ports and allows you to modify the configurations(see Figure 8-9).

Figure 8-9: Ports Properties


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 286

The number of maximum ports you configure will create the denominator forthe multiplexing algorithm used in Windows 2000 Server VPN scenarios. Huh?Simply stated, if you configure five ports, and you have five VPN sessionsoccurring simultaneously, the five sessions collectively divide the WANbandwidth you have. For example, if your WAN link were a 256Kbpsconnection, this bandwidth would be divided amongst the active VPNsessions. Be sure to consider that fact when you decide on the maximumports to configure. Perhaps you only want a few (say two) ports configured toprotect your WAN-related bandwidth!

To modify the configuration, select the Configure button while one of thedevices is selected. The Configure Device screen will appear. Note in Figure8-10, the PPTP WAN Miniport is configured for inbound connections only.This occurs because the Remote access connections (inbound only)checkbox is selected.

Figure 8-10: Port configuration

With a right-click on the Remote Access Policies object, and by selecting New,Remote Access Policy from the secondary menu, you can create a RAS policythat meets your needs. For example, you can establish day and timerestrictions that a user can or cannot access your network via a VPNconnection (see Figure 8-11).

Dial-Up ConnectionHistorically, RAS has been presented in the context of dial-in users. But didyou know that RAS is used to expedite connections to the Internet as well? I’llexplore RAS’s role in Windows 2000 Server starting with a simple dial-upscenario.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 287

Figure 8-11: Time of day constraints

A simple dial-up connection to the Internet assumes that you have performedseveral tasks:

■ You have correctly installed a modem via the Phone and Modem Optionsapplet under the Control Panel.

■ You have installed the TCP/IP protocol. This was discussed in Chapter 4.

■ You have a valid Internet user account with the Internet service provider(ISP) of your choice. This should be a dial-up account that supports PPP,not SLIP. Such accounts for individuals with unlimited use average $20 to$25 per month. Business dial-up accounts are more expensive, but caneasily be found for under $100 per month, with $50 per month being the average.

■ You have installed and configured RAS using the preceding steps (in theConfiguring Remote Access Service section).

■ It is also important that the dial-out RAS capabilities be configured to usethe TCP/IP protocol for an Internet connection scenario (again, see thepreceding discussion in the Configuring Remote Access Service section).

■ You have configured a network and dial-up connection. These steps areexplained in the text that follows.

Creating and configuring a dial-up connection to the Internet can bedramatically easier if you request the setup configuration information fromyour ISP. By working closely with your ISP, you can save time whenconfiguring your dial-up Internet connection.

Every ISP that I’ve worked with will provide setup instructions on their Webpage to assist you (see Figure 8-12). What information isn’t provided on theirWeb page can usually be obtained with a quick telephone call to the ISP’stechnical support group. In fact, the ease with which you obtain the


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 288

configuration information that you need is a leading indicator of how strongyour relationship with the ISP will be.

Figure 8-12: An ISP dial-up configuration FAQ

Configuring a network and dial-up connection

Assuming that you’ve addressed each of the prerequisite points justdescribed, it is now time to configure a dial-up connection.

STEPS:To configure a dial-up connection

Step 1. Launch the Network and Dial-up Connections applet in ControlPanel. The Network and Dial-up Connections screen will appear.

Step 2. Double-click the Make New Connection button. The Welcome tothe Network Connection Wizard appears. Click Next.

Step 3. The Network Connection Type screen appears (see Figure 8-13).Select the Dial-up to the Internet radio button. Click Next. TheInternet Connection Wizard appears (see Figure 8-14).

Continued


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 289

STEPS:To configure a dial-up connection (continued)

Figure 8-13: Network Connection Type screen

Figure 8-14: Internet Connection Wizard

The Internet Connection Wizard (ICW) first made its appearance in SmallBusiness Server (SBS) and, having proved popular, was imported to Windows2000 Server. I discuss SBS in Chapter 16.

Step 4. The Setting up your Internet connection screen appears. You willselect between connecting to the Internet with a phone andmodem or from a local area network (LAN). After making yourselection, click Next.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 290

Step 5. The Step 1 of 3: Internet account connection information screenappears (see Figure 8-15). Enter the telephone number for yourInternet Service Provider (ISP).

Figure 8-15: Internet account connection information

Microsoft claims “Most ISPs do not require advanced settings” on theInternet account connection information screen. This is not true. In fact,more often than not, you will need to click the Advanced button to provideDNS server information.

Step 6. Click the Advanced button. The Advanced Connection Propertiesdialog box will be displayed. Select the Addresses tab (see Figure8-16). Complete the address information as required and click OK.

Figure 8-16: Advanced Connection Properties — Addresses

Continued


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 291

STEPS:To configure a dial-up connection (continued)

It is here that you will provide IP address information and DNSinformation relating to your ISP connection. In most cases, your IPaddress is dynamically assigned when you’re just a good old enduser; if you’re using a dedicated dial-up connection for yourserver and it’s running Microsoft Exchange (and the Internet MailService), you’ll most likely have a dedicated IP address tofacilitate your e-mail routing (MX record-related).

Also note on the Connection tab of the Advanced ConnectionProperties that Point to Point Protocol (PPP) is selected bydefault. This is typically correct, as few ISPs now support SerialLine Internet Protocol (SLIP) connections.

Step 7. Assuming you completed any advanced configurations, you arenow back at the Step 1 of 3: Internet account connectioninformation screen. Click Next.

One final word on telephone numbers. Be advised that you mayneed to enter the full ten-digit telephone number for additionaltelephone numbers supported by your ISP within the samegeneral geographic area. With the advent of area coderedistricting, ten-digit telephone numbers may be needed to placea call within your city (or even the same neighborhood!). Forexample, in Seattle, the metropolitan area now has several areacodes, including 206, 425, 360, and 253. You only need to dial thearea code and the telephone number to place a call locally; you donot need to precede the area code with a “1” when calling thesearea codes within the Seattle area.

Step 8. The Step 2 of 3: Internet account logon information screenappears. Enter your ISP logon name and password. Click Next.

Step 9. The Step 3 of 3: Configuring your computer screen appears.Provide a connection name and click Next.

Step 10. The Set Up Your Internet Mail Account screen appears. It is hereyou would configure your POP e-mail account. To be honest, inmost cases with Windows 2000 Server it is unlikely you would beconfiguring a POP e-mail account at the server. You are more likelyto use a Microsoft Exchange-based e-mail account (let’s be serioushere!). Select Yes or No and click Next.

Step 11. Assuming you selected No in Step 10, the Complete Configurationscreen will appear. Click Finish to complete dial-up configurationvia the ICW.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 292

The preceding steps to configure an Internet dial-up connection willautomatically modify your Internet Explorer (IE) configuration to use the newdefault dial-up connection that you have created. If you are on a network andusing a full-time Internet connection, this will come as a big surprise to you.To fix this undocumented misconfiguration, simply launch IE and selectInternet Options from the Tools menu. Select the Connections tab. Note theAlways dial my default connection radio button was automatically selectedfor you as a result of the steps you just performed. I recommend that youselect the Dial whenever a network connection is not present radio button.

Dialing the InternetIt is now time to call your ISP, successfully connect, and start using theInternet. There is no greater test in the eyes of your users than the ability toconnect to and use the Internet. In fact, it’s unlikely users have much interestin the settings covered in this chapter; they just want to use the Internet. Myadvice on connecting to the Internet? Be sure to test this feature severaltimes under different conditions and times of day before announcing yournew Internet connection. There is nothing more disconcerting than toimplement many of the Internet dial-up settings displayed in this chapteronly to have your users call and say, “I can’t get my Internet e-mail.” Properand extensive testing of the Internet dialing capability will prevent such calls.

Assuming that you have successfully configured your network and dial-upconnection (the steps earlier in this chapter), you are now ready to connectto the Internet.

STEPS:To connect to the Internet via Network and Dial-UpConnections

Step 1. Launch the Network and Dial-Up Connection applet from Control Panel.

Step 2. Double-click the connection you want to use (for example,NWLink).

Step 3. The Connect dialog box appears (see Figure 8-17). Confirm theuser name and password you will use to connect to the Internet.Click the Dial button.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 293

Figure 8-17: Connect dialog box

Step 4. After a few moments, you should be successfully connected to theInternet via your ISP.

You are now ready to browse with your Web browser.

If you have any troubles with your Internet dial-up connection, click theProperties button on the Connect dialog box. You may then double-check yousettings on the General, Options, Security, Networking, and Sharing tabs.

Dial-up connection statusOften, it is desirable to know whether or not you are still connected to theInternet or to know the speed at which you are connected. Just observing thedancing activity light on an external modem is not helpful.

You can monitor your Internet connection activity via the Routing andRemote Access MMC. Simply expand the server object in the left pane (forexample, TCI1) and click Ports so that all of the ports are listed in the rightpane (see Figure 8-18).


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 294

Figure 8-18: Routing and Remote Access MMC

Then double-click the port which is responsible for your Internet connection(for example, Sportster 28800...Modem). The Port Status dialog box will bedisplayed (see Figure 8-19). I have found the Port Status dialog box to beuseful for more than just confirming my connection, connection speed, andcall duration. It has been invaluable when working with technical supportfrom the ISP to troubleshoot connection problems.

The Port Status dialog box replaces Dial-Up Networking Monitor fromWindows NT Server’s Control Panel. You might recall Port Status was a tabsheet in Dial-Up Networking Monitor (the other two tab sheets wereSummary and Preferences).


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 295

Figure 8-19: Port Status dialog box

Port Status does not update dynamically, so you don’t have to press F5 oropen and close it repeatedly for screen refreshes. You may recall that theStatus tab sheet in Windows NT Server 4.0’s Dial-Up Networking Monitor didupdate dynamically.

Dial-up networking with ISDN modemsConnecting to the Internet via Network and Dial-up Connections with an ISDNmodem is not very different from connecting via an analog modem. Twoitems must be addressed. First, make sure you have ordered and workedclosely with your local telephone company to ensure that you have a fullyfunctional and tested ISDN line at your location. Second, be sure to correctlyinstall your ISDN modem on your Windows 2000 server. It will most likely benecessary to use the Windows 2000 Server drivers on the driver disk thatships with your ISDN modem.

Note that the preceding discussion applies to ISDN modems, not ISDNrouters. ISDN routers are discussed in the text that follows.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 296

Digital and Wide Area Network Internet Connections

Certainly one of the most popular, reliable, and robust ways for Windows2000 servers to connect to the Internet is directly via a digital networkconnection. But the term “directly” can mean a lot of different things. I willdiscuss five Internet/network connection scenarios, but understand thatdepending on how you design your Windows 2000 Server network, there aremany different ways to connect to the Internet.

Scenario 1: ISDN routerAn ISDN router (see Figure 8-20) is a low-cost solution for many businessesthat enables a robust connection using either one (64Kbps) or two (128Kbps)ISDN channels to connect to your ISP. Typically, ISPs offer an ISDN connectionsolution that may act as dial-on-demand where the ISDN router calls the ISPand establishes a connection every time Internet-bound activity is detectedby the ISDN router. These ISDN dial-on-demand arrangements usually have amonthly connect hour limit (say 200 hours), after which the business payssomething like $10 per hour for each additional connection hour. Such dial-on-demand arrangements can often cost under $200 per month. Another ISDNrouter-based solution is a full-time connection to the ISP, which by definitionassures unlimited connection hours. This type of arrangement typicallystarts at $300 per month, but the charges may vary widely between ISPs.

Figure 8-20: An ISDN router connection path to the Internet

*Ethernet*Ethernet

ISP-side

INTERNETISP Host

Windows 2000 Server204.6.107.200

ISDN Router

ISP's ISDN Router

DNS Servers198.137.231.1192.135.191.1

DNS ServersLAN Port204.6.107.199


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 297

This router-based Internet connection solution requires that you make two entries on your Windows 2000 server for the connection to be fullyfunctional. It also requires that your ISDN router be properly programmed toaccommodate LAN and real Internet IP addresses and dial the ISP. First, youwill need to make sure that the default gateway value for the TCP/IPconfiguration is populated with the address of the router’s LAN port. Second,you will need to complete the DNS fields on the DNS tab sheet with the DNSIP address values provided by your ISP.

Note that in the remaining four Internet/network connection scenarios, it will be necessary to populate the default gateway and DNS fields in a similar manner. The key point to remember is that the default gateway field istypically the LAN port of the router (unless you are instructed otherwise,such as in a firewall scenario) and the DNS IP address values are the DNSservers used by the ISP. And in each of these scenarios, significantprogramming of the routers is required. Don’t kid yourself otherwise.

Scenario 2: ISDN and WAN combinationAn ISDN connection may be combined with a WAN (see Figure 8-21) by smallcompanies that may have an existing corporate WAN and want the Internetconnection to be separate. I’ve seen this type of implementation in olderbusiness firms where old-guard CEOs and the like believe a separate Internetconnection is the safest connection. And who is to say that they are wrong?Such a scenario also centralizes all Internet traffic through a single point,typically the home office of the company.

Scenario 3: Direct Frame Relay connectionDirect Frame Relay (Figure 8-22) is one of the most popular Windows 2000Server Internet connection scenarios. Here, the ISP is connected via a framerelay WAN connection. This is a straightforward solution that enablesdifferent types of communications standards such as fractional T1, full T1, oreven faster solutions to be easily implemented.

Many old timers in the WAN connectivity area still consider a frame relayconnection to be the most robust connection of all, even when compared tosuch new offerings as DSL and cable modems. However, note that I didn’t sayframe relay was the cheapest, but perhaps the most reliable.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 298

Figure 8-21: An ISDN and WAN connection to the Internet

Figure 8-22: A frame relay connection between customer and ISP

Frame RelayCloud

INTERNET


ISP Host

RouterLAN Port204.6.107.199

EthernetEthernetISP's RouterRouter

Customer's LAN

Ethernet - Home Office

ISP-side

INTERNET

Frame RelayCloud

ISP Host


ISDN Router

ISP's ISDN Router

DNS Servers198.137.231.1192.135.191.1

DNS ServersLAN Port204.6.107.199

Ethernet - Home Office

Branch Ethernet

Branch OfficeRouter

Corporate WANRouter

Customer's LAN/WAN

Branch Ethernet


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 299

Scenario 4: WAN connectionA WAN connection (Figure 8-23) is another popular Internet connectionscenario for Windows 2000 Server networks. Here the ISP is a node on thecompany WAN. Simply stated, other nodes such as branch offices connectdirectly to the ISP without having to route Internet-bound traffic through thehome office. With sufficient firewall protection in place, this is a both a viableand desirable solution.

Figure 8-23: An Internet connection via a company WAN

Scenario 5: WAN over the Internet (VPN)A WAN over the Internet is an increasingly popular connection scenariowhere each company node is also a node on the Internet. That is, thecompany WAN uses the Internet as its network backbone in a safe and secure manner.

Such a scenario demands that the ISP be reliable, as it plays a central role inthis solution. It is not a good idea to shop for ISPs by price alone when lookingat implementing a virtual private network (VPN) solution (see Figure 8-24).

Frame RelayCloud

INTERNET


ISP Host

RouterLAN Port204.6.107.199

EthernetEthernetISP's RouterRouter

Customer's LAN

Branch Office EthernetBranch Office Ethernet

Branch Office EthernetBranch Office Ethernet

Branch Office Router

Branch Office Router


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 300

Figure 8-24: A company VPN over the Internet

The good news is that everyone enjoys a robust connection to the ISP andthus the Internet. That will keep the Web surfers happy.

VPNs are further discussed in the next section on Virtual Private Networks.

Scenario 6: DSL connectionsAnother popular broadband connection to the Internet today is DigitalSubscriber Lines (DSL). Using telephone lines (copper wire), you can make ahigh speed, full-time connection to the Internet for a surprisingly low cost (aslow as $30 per month for full-time connection to the Internet).

Internet

ISPRouter

ISPRouter

ISPRouter

Router

Router

Windows 2000 Server

Branch Office

Router

Windows 2000 Server

Branch Office


Main

Virtual Private Network


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 301

Implementing a DSL solution is easy. It’s the old two NIC-a-roo trick. That is, you place two network adapters in your Windows 2000 server. The firstnetwork adapter is for the internal LAN (say 10.0.0.x). The second NIC card isfor the direct connection, using a crossover cable to the DSL router (a.k.a.modem, bridge). Figure 8-25 shows the most common DSL implementation.

Figure 8-25: Common DSL implementation

Depending on your telephone company, ISP and DSL router manufacturer,you may be using the DSL router as a modem or a bridge. You’ll know you’reusing the DSL router as a router when you explicitly program the LAN and WAN ports with IP addresses and perhaps enable network addresstranslation (NAT) so your SMTP-based e-mail can flow through to your mailserver. You can tell you’re using your DSL router as a modem or bridge if youperform virtually no configuration tasks and you just plug it in, enablingtraffic to flow through it without any activity performed against the traffic(for example, routing).

Many telephone companies are in the business of providing DSL services (seeFigure 8-26). In fact, I can say that it’s most likely the fastest growing segmentof telephone company services today. Why? You’re already wired for it inyour business and home if you have a telephone line connected and arelocated near one of the telephone company’s central offices.

You typically must be within 15,000 linear cable feet of a telephonecompany’s central office to qualify for DSL service. This isn’t a good old “as-the-crow-flies” measurement. Rather, it’s within 15,000 feet of cable, and giventhe odd twists and turns cable runs can snake themselves into, 15,000 feet forthe purposes of measuring DSL eligibility is going to be significantly less thanyou would imagine if you were to get into your car, drive to the neighborhoodcentral office (CO), and determine your drive was less than three miles orapproximately 15,000 feet.

Internet

Windows 2000Server

NIC #1InternalNetwork

NIC #2Connects to

DSLRouter/Bridge

TelcoDSL

Service

DSLRouterBridge

Telco ISP


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 302

Figure 8-26: US West DSL Service

The 15,000-foot CO-related DSL eligibility limitation mentioned previously issubject to change as telephone companies perfect the delivery of DSLservices, develop better communication algorithms and, best of all, placerepeaters between you and the CO to regenerate the DSL signal! In otherwords, the 15,000-foot value is likely to increase to 20,000 feet or more in the near future.

Scenario 7: Cable modemsA viable alternative to DSL service when seeking a high-speed and low-costconnection to the Internet is the use of cable modems. Cable modems, as the name implies, are network communication devices that connect yourcomputer to the coaxial TV cable you’ve probably become addicted to (notthe cable, but the cable service!). Dollar for dollar, cable modem-basedInternet connections compare with DSL services when it comes to speed,cost, and reliability (not that all three components can’t be improved). And inmany ways, the cable modem infrastructure is similar to DSL (two networkadapters, communications intermediary), as seen in Figure 8-27.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 303

Figure 8-27: Cable modem service

But there are subtle differences between cable modem and DSL service. I’vefound the following to be true:

■ Bursty caching. Cable modem service is much more bursty than DSL. Ifound this out when a DSL-based VPN could accommodate entries intothe corporate database without falling behind the keystrokes. The samescenario with cable modem service found the users getting ahead of thekeyboard (that is, the character typed didn’t appear on the screen forseveral seconds).

■ Multiplexed situation. You are one with your neighbors in a cable modemscenario. Why? Because you are dividing that coaxial cable with yourteenage kids watching MTV-2, your neighbor’s cable modem session, andthat sports nut down the block watching ESPN. Simply stated, with cablemodem service, you split the available bandwidth with everyone usingthe cable service on your block. That means, of course, that you willsuffer poor performance via the cable modem connection as more andmore neighbors log on to the Internet using the same approach.

With cable modems, if possible, attempt to do your Internet computingsession during non-peak hours such as midday when fewer neighbors arewatching cable TV. It makes a dramatic difference in the performance you willenjoy with your cable modem service.

■ Primarily home use. The cable service providers have positioned cablemodem services for use by homes, not businesses. One workaround forthis is to run a small business from home, which won’t raise thesuspicions of the cable company.

■ No Internet hosting. Because cable modem services are multiplexedsolutions and are oriented to home use, the cable companies are verystrict that you should not run a bona fide Internet server on the host

Internet

Windows 2000Server

NIC #1InternalNetwork

NIC #2Connects to

CableModem

CableModemService

CableModem

CableServiceProvider

ISP(Note this is

often thesame

as cableservice provider)


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 304

computer you’ve attached to the cable modem service. In other words,don’t be runnin’ a WWW or FTP server from your Windows 2000 Serverat your home office when you have a cable modem service.

It’s another case of necessity being the mother of invention. Consider thefollowing the next time you’re in the middle of the boonies and you don’tqualify for DSL service: try cable modem service! That’s exactly what I did fora branch office of a not-for-profit that was literally located miles down acountry road. It quickly became apparent that DSL wouldn’t work, but TCIprovided cable modem service in the area. The service was ordered andimplemented, enabling the end result, creating a VPN back to the home office,to be successfully achieved at a relatively low cost compared to frame relay.My point is that you should consider cable modem service when nothing else works.

Several cable companies, including TCI (see Figure 8-28), are now providingcable modem services. To be brutally honest, the rollout of cable modemservice is lagging significantly behind that of DSL services. Part of the reasonis that cable companies must make significant infrastructure upgrades toaccommodate cable modem service (such as making the flow of informationtwo-way instead of one-way).

Figure 8-28: TCI cable modem service


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 305

Virtual Private NetworksI’ll never forget that day. There I was, sitting in the IS Director’s office at aleading water cutting tool manufacturer. I was being quizzed relentlessly over the pluses and minuses of Windows NT Server 4.0, which at that timehad just been released. The question posed was to name the top new featuresin Windows NT Server 4.0. After striking out with the obvious answers suchas the new Windows 95-like GUI desktop, I gave up. The correct answer, in theeyes of the IS Director, was that Point-to-Point Tunneling Protocol (PPTP) wasthe top new feature in Windows NT Server 4.0.

My experience that day spawned a lingering curiosity to learn more aboutPPTP and VPNs and to visit sites that have successfully deployed thissolution. Whereas in the Windows NT days, finding successfully deployedVPNs were a challenge, I can report with great excitement that in the era ofWindows 2000 Server, VPNs are now commonplace.

Defining Virtual Private NetworkingIt is now possible to feel connected to your company’s network whileworking from home or traveling on the road via a virtual private network(VPN). More importantly, network administrators appreciate the securityprovided by the point-to-point tunneling protocol (discussed next). As youwould expect, the virtual nature of a VPN means that you do not have to belocated within the four walls of your company. You can be outside,connecting to the company network via the Internet. Read on.

Defining PPTPPPTP is really nothing more than a network communications protocol thatpermits the secure transfer of data from a remote site, such as a branchoffice, to a host server (typically the main server at the home office).Implementing this solution creates a virtual private network running overTCP/IP-based networks, such as the Internet. PPTP may be implemented overthe Internet with dial-up connection or LAN/WAN digital connections asdiscussed in the previous section. In fact, Scenario 5 depicted a VPN thatshows a typical PPTP implementation (see Figure 8-24).

Security is implemented via encryption. The encryption occurs when thedata is prepared for transmission over the Internet “tunnel” and the datapackets are encapsulated by PPTP.

Because of this encapsulation, the underlying LAN or network at the ends ofthe VPN may actually use any of three networking protocols: TCP/IP, NetBEUI,or IXP/SPX. Contrary to popular belief, the VPN clients do not need to useTCP/IP on their internal LANs.


4620-1 ch08.f.qc 10/28/99 12:22 PM Page 306

It is also important to understand that your ISP must support PPTP. The listof ISPs that provide such support is growing. When Windows NT Server 4.0was first released, there was only one ISP in the Seattle area (Microsoft’shometown) that provided such support. Now it is an exception to find an ISPthat doesn’t support PPTP. Even the granddaddy of them all, CompuServe,supports PPTP (believe it or not!).

The PPTP server must be Windows 2000 Server or Windows NT Server 4.0.PPTP clients may be Windows 2000 Server, Windows 2000 Professional,Windows NT Server 4.0, Windows NT Workstation 4.0, or Windows 98/95.Many resources are available for learning about how to implement PPTP over the Internet. Your ISP will provide you with specific PPTP configurationparameters, such as IP addresses, use of PPTP filtering, and so on. SearchingMicrosoft support area on its Web site (www.microsoft.com) will yieldseveral pages on PPTP configurations.

PPTP was installed on a Windows 2000 Server in the first part of this chapterin the Configuring Remote Access Service section. You will also need toinstall PPTP and VPN functionality on the client machine that will “VPN” intothe corporate network. Here are the steps for implementing PPTP on aWindows 98 workstation.

STEPS:To install PPTP on a Windows 98 client

Step 1. Launch the Network applet in Control Panel.

Step 2. Select the Add button.

Step 3. Select Adapters. Select Microsoft as the manufacturer and thenselect the Microsoft Virtual Private Networking Adapter as shownin Figure 8-29. Click OK and, if necessary, provide the path to theWindows 98 source files.

Figure 8-29: The Microsoft Virtual Private Networking Adapter

Continued


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 307

STEPS:To install PPTP on a Windows 98 client (continued)

Step 4. If you have already installed TCP/IP, click OK at the Networkdialog box and reboot your Windows 98 machine. If necessary,install the TCP/IP protocol.

Step 5. Log on to your Windows 98 workstations and launch Dial-upNetworking from My Computer.

Step 6. Double-click Make New Connection. The Make New Connectiondialog box will appear.

Step 7. Complete the name and device fields in manner similar to Figure8-30. It is important you select Microsoft VPN Adapter in theSelect a device field. Click Next.

Figure 8-30: Make New Connection dialog box

Step 8. On the next screen, type in the host name or IP address (seeFigure 8-31). This is the Internet-side IP address of the Windows2000 Server network adapter card. This address is akin to dialing atelephone number to reach the VPN-capable Windows 2000Server. It is also the address that is configured as an RAS-capabledevice. Click Next.

For reasons I can’t fully explain, I have had much greater success trying toVPN into a Windows 2000 Server using an IP address than the host name.Somewhere, somehow the name resolution is going south on the ether.


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 308

Figure 8-31: Host name or IP address

Step 9. Click Finish. You have completed the Windows 98 client-side VPNconfiguration.

You are now ready to implement a VPN between a PPTP server and a client.Here is how you would accomplish that. First, confirm the Windows 2000Server and the workstation you intend to use have been properly set up. Youare then ready to initiate a VPN session between remote host and Windows2000 Server.

STEPS:To create a VPN session between a Windows 98 client andWindows 2000 Server

Step 1. From Dial-up Networking on the Windows 98 client, launch theVPN dialer you just created (for example, Corporate VPN). TheConnect To dialog box will appear.

Step 2. Enter your Windows 2000 domain user name and password (seeFigure 8-32). Confirm the IP address or host name of the VPN-enabled Windows 2000 Server you will contact.

Continued


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 309

STEPS:To create a VPN session between a Windows 98 client andWindows 2000 Server (continued)

Figure 8-32: Connect To dialog box

Step 3. Click Connect. An attempt to connect to your Windows 2000Server will be made. If successful, you will be logged on to thedomain. You have now established an RAS-based VPN sessionwith a Windows 2000 Server.

Another way to tell that you have successfully connected via a VPN sessionto a Windows 2000 Server is to look for the tell-tale network connection iconon the right side of your Windows 98 task bar. You know what I’m talkingabout — those little green dual computers!

Step 4. Many sites that use VPN solutions further extend the VPN sessionby having the remote client (for example, the Windows 98 client)attach to and make use of a Terminal Server (a.k.a. MicrosoftWindows Terminal Server) on the company network. Assumingyou plan to do this and have installed the Windows TerminalServer client on your Windows 98 client, it is now time to launchthe Terminal Server Client (see Figure 8-33) found in the TerminalServer Client program group.


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 310

Figure 8-33: Terminal Server Client

Step 5. Enter the Terminal Server name or IP address (for example,10.0.0.4) in the Server field and click Connect. A Terminal Serversession will be launched and the logon screen will appear (seeFigure 8-34). Note that I’ve had more luck trying to connect to aTerminal Server via its IP address than its NetBIOS name (go figure!).

Figure 8-34: Terminal Server session logon

Step 6. Logon with your domain user name and password. Onceauthenticated, you will be presented with a bona fide TerminalServer session desktop (see Figure 8-35). You are now ready to accomplish your work.

Continued


4620-1 ch08.f.qc 10/28/99 12:23 PM 1

STEPS: To create a VPN session between a Windows 98 client andWindows 2000 Server (continued)

Figure 8-35: Terminal Server session desktop

Want a final look at “VPNing,” as I like to call the verb form of this activity? InFigure 8-36, you can see the packet capture, via Network Monitor, of a VPNsession between two Windows 2000 servers over the Internet.

You will note the first several packets in the capture related to TCP and SMBsession establishment. Once the VPN session is established, the data isencrypted and can’t be read with Network Monitor. I cover packet analysisand Network Monitor in Chapter 19.


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 312

Figure 8-36: Packet capture of Windows 2000 Server-based VPN session

Internet Explorer SecretsI would be remiss if the Web browser topic wasn’t at least addressed in thischapter. On the other hand, it is important not to repeat the work of othersthat will teach you how to use a browser. Such browser basic books are listedat IDG Book’s Web site (www.idgbooks.com).

I assume that you know how to use a browser to access information on theInternet. This assumption includes the ability to type an address, or URL, inthe address field of Internet Explorer (IE) to get to a Web site on the Internet.

Here’s an important secret that’s worth sharing. It’s an actual experience thatI’ve had at client sites involving IE. The situation was this: A law firmadministrator was responsible for managing the firm’s money market accountat one of the online stock brokerages (such as e*trade). Like many networksthat are connected to the Internet, this firm used a proxy server to protectitself from intruders. But not only did the law firm need the firewallprotection of Proxy Server, but as I learned, an IS configuration modificationwas required to permit the client to access the firm’s confidential tradingaccount information (which was an HTTPS secure session).


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 313

When implementing an Internet connection via a proxy server, it is necessaryto configure the proxy settings in IE so that browsing activity is directedthrough the proxy server and HTTPS is permitted. To do this, complete thefollowing steps.

STEPS:Configure Proxy Server and HTTPS support

Step 1. Select Internet Options from the Tools menu in IE (Figure 8-37).

Figure 8-37: Internet Options — Connections

Step 2. Select the LAN Settings button.

Step 3. Select the Use a proxy server checkbox.

Step 4. Select the Advanced button. The Proxy Settings dialog box willappear.

Step 5. Complete all of the fields with the appropriate Proxy Server IPaddress (or host name) and Port value (see Figure 8-38). You mayalso select the Use the same proxy server for all protocolscheckbox after populating the HTTP field to auto-populate each ofthe remaining fields except the Socks field. Click OK. You will bereturned to the Local Area Network (LAN) Settings dialog box.


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 314

Figure 8-38: Proxy Settings dialog box

Step 6. Click OK. You will be returned to the Internet Options dialog box.

Step 7. Click OK. You will be returned to IE. You must close and open IEfor the new changes to take effect.

It is common to only configure the HTTP setting in the Proxy Settings dialogbox when using a proxy server on a network with IE. But many sites useHTTPS, which is the Secure field on the Proxy Settings dialog box. If theSecure field is left blank, you cannot access sites such as online stockbrokerages. And that was exactly the problem at the law firm. Once I “fixed”the Secure field in IE’s Proxy Settings, the legal administrator was once againable to manage the law firm’s money. That was an important victory for me,the Windows NT Server consultant.

The Proxy client configuration in Microsoft Small Business Server (SBS)leaves the Secure field blank (even though it populates the remaining Typefields in the Proxy Settings dialog box). So if you want to access HTTPS siteson an SBS client, you will need to manually configure the Secure setting onyour IE browsers. SBS is discussed in Chapter 16 of this book.


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 315

SummaryThis chapter covered the following:

� Configuring Remote Access Service

� Dial-Up Connection

� Digital and Wide Area Network Internet connections

� Virtual Private Networks

� Internet Explorer secrets

� Configuring Internet Explorer for Proxy Server and HTTPS (Secure)


4620-1 ch08.f.qc 10/28/99 12:23 PM Page 316

Internet Secrets - DMC Cisco Networking...

Documents

Transcript of Internet Secrets - DMC Cisco Networking...