Configure Internet Services Publishing with the Windows 2000 RRAS NAT service

Making internal services available to the external world might sound like a pain in the RRAS, but by using NAT and server publishing on a Windows 2000 RRAS server, you can host your own Internet services easily, and without relying on a third party.


The Windows 2000 Routing and Remote Access Service (RRAS) provides a number of invaluable networking services to large and small businesses. One especially valuable feature is the RRAS Network Address Translation (RRAS NAT) service, which lets you configure a single Internet connection that can be shared by all machines on your internal, private network.

The RRAS NAT server can perform both Port and Address Translation (PNAT), referred to as forward translation, and its opposite, referred to as reverse translation, service publishing, or server publishing. When you publish a service located on your internal network, you make that service available to external (Internet) clients. When a request comes in from an external network client, the RRAS NAT server forwards the request to a server on the internal network. For example, you can server-publish a Web server on your internal network. The Internet client browser sends a request to TCP port 80 on the external IP address of the RRAS NAT server. The RRAS NAT server receives the request and forwards it to the internal Web server’s TCP port 80.

The RRAS NAT service can also perform port redirection, with which the RRAS NAT service can accept requests on one port and forward them to an alternate port on the internal server. For example, you can accept HTTP requests on port 8888 on the external interface of the RRAS NAT server and forward them to port 80 on the internal network Web server.

I’ll go over how you can implement server publishing using the RRAS NAT service. Once you complete the necessary steps, you’ll be able to host your own Internet services and never again have to depend on a third-party provider for your mission-critical Internet services.

Preparing the server for RRAS NAT
The RRAS is installed by default on all Windows 2000 Server products, but the service isn’t functional until you enable it. When you enable RRAS, a wizard will walk you through configuring the server.

Before you enable RRAS, make sure the server is ready to perform the work. To publish network services, you need to make sure the server meets the following minimum requirements:
  • A dedicated connection to the Internet
  • A dedicated IP address or group of IP addresses configured on the external interface of the RRAS NAT server
  • An internal interface directly connected to the internal network
  • Routing table entries for all the internal network IDs
  • Windows 2000 Service Pack 2 or above installed

Dedicated Internet connection
A dedicated connection to the Internet is required; there’s not much point to publishing your internal network services to the Internet if you don’t plan to make them accessible to Internet hosts. This is not to say that you can’t use a dial-up interface to connect to the Internet. For example, you may have a dedicated ISDN connection to the Internet. The ISDN dedicated dial-up would count as a dedicated connection because it’s “always on.”

Dedicated IP address(es)
It’s vital that you have the same IP address, or group of IP addresses, bound to the external interface of the NAT server. In practice, this means you don’t want an external interface dependent on DHCP or IPCP for address assignment. The reason for the dedicated IP address requirement is that you want the option to bind a particular IP address to a particular service on the internal network.

Binding a particular IP address on the external interface of the RRAS NAT server to a particular server on the internal network is important when you need to publish SMTP servers on the internal network. Many Internet SMTP servers perform a reverse DNS query on the source IP address of an incoming connection and check that the name returned resolves back to that same IP address on the external interface of the RRAS NAT server. If the name and IP address don’t match, your outgoing mail may be rejected.

Internal interface on the internal network
The internal interface is required because it’s used to communicate with the internal network clients and servers. You can’t install and configure the RRAS NAT on a unihomed computer. The computer must be multihomed with two or more network adapters to use the RRAS NAT service.

Configure routing table entries
You must create routing table entries for all your internal network IDs. The RRAS NAT server needs to know the correct path to send packets destined to segments on your internal network. If the RRAS NAT server doesn’t know to which gateway on your internal network to send a packet, the message won’t reach the server on the internal network.

Install the latest Windows 2000 service pack
The Windows 2000 RRAS had some issues when it was first released that have been fixed with Service Packs 1 and 2. You should always install the latest service pack before enabling RRAS.

Enabling RRAS NAT
Once the machine is prepared for the Windows 2000 RRAS, you can enable and configure the service by performing the following steps:
  1. Select Start | Programs | Administrative Tools. Click on Routing And Remote Access.
  2. In the left pane of the Routing And Remote Access console, right-click on your server name and click on the Configure And Enable Routing And Remote Access command.
  3. Read the text on the Welcome page and click Next.
  4. On the Common Configurations page (Figure A), select the Manually Configured Server option and click Next.

Figure A
Selecting the Manually Configured Server option

  5. Click Finish on the Completing The Routing And Remote Access Server Setup Wizard page.
  6. Click Yes in the dialog box that asks whether you want to start the service.

After RRAS starts, expand each node in the left pane of the Routing And Remote Access console. Note that the DHCP Relay Agent and IGMP services were installed. If you don’t need these features, just right-click on each one and click Delete. These features aren’t required for the RRAS NAT service to perform correctly.

Installing and configuring the RRAS NAT
The NAT service is considered to be a routing protocol by the Routing and Remote Access Service. To add the NAT routing protocol, perform the following steps:
  1. Right-click on the General node under the IP Routing node in the left pane of the Routing And Remote Access console and click New Routing Protocol.
  2. In the New Routing Protocol dialog box (Figure B), click on the Network Address Translation (NAT) protocol and click OK.

Figure B
Adding the NAT routing protocol

  3. Right-click on the Network Address Translation (NAT) node in the left pane of the Routing And Remote Access console and click New Interface.
  4. In the New Interface For Network Address Translation (NAT) dialog box (Figure C), select the interface that represents your internal interface and click OK.

Figure C
Adding the network interface

  5. In the Network Address Translation Properties dialog box (Figure D), select the Private Interface Connected To Private Network option and click OK.

Figure D
Selecting the private interface option

  6. Right-click on the Network Address Translation (NAT) node in the left pane of the Routing And Remote Access console and click New Interface.
  7. In the New Interface For Network Address Translation (NAT) dialog box, select the interface that represents your external interface and click OK.
  8. In the Network Address Translation Properties dialog box (Figure D), select the Public Interface Connected To The Internet option. Place a check mark in the Translate TCP/UDP Headers (Recommended) check box. This is required if you want to allow multiple internal network clients to access the Internet concurrently. Click Apply and then click OK.

These configuration steps allow internal network clients to access the Internet. At this point, go to an internal network client computer and see whether you can access the Internet. Make sure you configure the network client to use the internal interface of the NAT server as its default gateway. The client will also need a DNS server that can resolve Internet host names. If the internal network host is on a network segment remote from the internal interface of the NAT server, configure the machine’s default gateway for a router that forwards Internet-bound requests to the IP address on the internal interface of the NAT server.

Configuring server publishing using RRAS NAT

Figure E
Reserving IP addresses on the external interface of the RRAS NAT server


Now you’re ready to publish services on your internal network. Make a note of the services and IP address(es) you’re using on your internal network server(s). For example, if you’re publishing internal network Web servers with the IP addresses 10.0.0.2 and 10.0.0.3 on port 80, write that down. Do the same for all the services you want to publish. Then go through the following steps to publish your services (note that in this example, the external interface of the RRAS NAT server uses IP addresses in the 192.168.0.0/24 network ID for demonstration purposes only):
  1. In the right pane of the Routing And Remote Access console, right-click on the interface you configured for the NAT external interface and click Properties.
  2. Click on the Address Pool tab and click Add to add the IP addresses included in the block of public IP addresses assigned to you by your ISP.
  3. In the Add Address Pool dialog box, enter the Start Address, Mask, and End Address for your block. Click OK.
  4. In the Properties dialog box for the external interface (Figure E), click on the Reservations button.
  5. In the Add Reservation dialog box (Figure F), enter the public IP address you want to reserve for a particular server on the internal network in the Reserve This Public IP Address text box, and enter the private IP address of that internal network server in the For This Computer On The Private Network text box. Place a check mark in the Allow Incoming Sessions To This Address check box; this must be selected if you want to allow server publishing to this internal network address. Note that you’re not required to reserve an address to publish internal network servers. You only need a reservation if you want a particular internal network server to always present the same public IP address on the external interface of the RRAS NAT server. Click OK.

Figure F
Adding the IP address reservation

  6. Click OK in the Reserve Addresses dialog box.
  7. Now we’ll create a server publishing rule that publishes a Web server on the internal network. Click on the Special Ports tab and make sure the Protocol is set for TCP. Click Add.
  8. In the Add Special Port dialog box (Figure G), select On This Address Pool Entry and type in the IP address that you want to listen for your service. In this example, we want 192.168.1.225 to listen for HTTP requests for internal network server 10.0.0.2. Type the port that you want to listen on the external interface of the RRAS NAT server in the Incoming Port text box. Type the internal IP address of the server you want to publish in the Private Address text box. Type the port number the internal network server is listening on in the Outgoing Port text box. Click OK.

Figure G
Creating the server publishing entry

  9. Click OK in the external network connection’s properties dialog box.

The internal network server is available to Internet hosts after the special port is configured. When you configure special ports that use a specific address on the external interface, make sure you leave at least one address in your address pool free so that it can be used for outgoing requests that aren’t reserved for any particular computer on the internal network. This address will be used for forward translation for network clients not configured to publish services on your internal network.

As mentioned earlier, you can configure the RRAS NAT service to perform port redirection. This is a very handy tool for getting around limitations imposed by your ISP that might prevent you from publishing an HTTP or FTP server. Some ISPs block incoming requests to TCP 80 or TCP 21, which prevents Internet hosts from making requests on the well-known ports for the HTTP and FTP application protocols. Using port redirection, you can configure a special port that accepts requests on an alternate port number and then forwards them to the internal network server. For example, if you wanted to publish an FTP site on an alternate port, you could configure the RRAS NAT service to listen on TCP port 2121 for FTP requests that would be forwarded to the internal server’s TCP port 21.

Conclusion
The Windows 2000 RRAS NAT service allows you to publish services on your internal network to users on the Internet. This lets you control your Internet services in a way that you could never accomplish by allowing third parties to host them. Publishing your own Internet services allows you to make your own Web, FTP, and mail services available on the Internet without incurring the costs of third-party providers. Best of all, the RRAS NAT service is built into Windows 2000 and doesn’t require any third-party add-ins.