One of Windows 2000's most useful networking features is Network Address Translation (NAT) support. NAT, which the Internet Engineering Task Force (IETF) Request for Comments (RFC) 1631 defines, is a routing protocol that lets an Internet-connected device share its Internet connection with the rest of the network. The protocol provides this functionality by translating the IP header of TCP and UDP packets from IP addresses on the internal network to a single routable address on the Internet-connected interface. In addition to providing Internet-connection sharing, NAT technology enables security for internal LANs because Internet hosts can't reach the private addresses assigned to the machines behind a NAT-enabled device.
In Win2K, two software components provide NAT features: Internet Connection Sharing (ICS), which Win2K Professional and all Win2K server products include, and the NAT routing protocol, which Win2K server products provide as part of RRAS. If you're running Win2K Pro in a small office/home office (SOHO) environment and need to share your Internet connection with multiple computers, you'll definitely want to take a look at Win2K's ICS component. (For a comparison of ICS and NAT, see "Related Articles in Previous Issues.")
Win2K's ICS is similar to its cousin of the same name in Windows Me and Windows 98 Second Edition (Win98SE) but is even easier to configure and implement. ICS works with all types of Internet connections, including LAN adapters connected to routers (e.g., xDSL, frame relay, ISDN) and dial-up connections over modems and ISDN terminal adapters. In addition, Win2K Pro automatically installs ICS, so it's readily available on your Win2K Pro system.
Setting up ICS is a fairly simple task. To enable ICS on an existing dial-up or secondary network connection, right-click the connection's icon in Network and Dial-Up Connections and select Properties. On the Sharing tab of the resulting dialog box, select the Enable Internet Connection Sharing for this connection check box. If the existing connection is a dial-up connection (e.g., modem, ISDN terminal adapter), you'll also see an Enable on-demand dialing check box. Select this option if you want to have Win2K automatically establish an Internet connection whenever the OS detects traffic destined for the Internet. This option is particularly useful and provides seamless Internet connectivity for your SOHO LAN because it establishes a connection regardless of whether the Internet-bound traffic was generated locally or by another machine on the network.
Next, configure each of your network clients to use DHCP. This configuration will cause the clients to obtain IP addresses from the ICS feature's built-in DHCP server, the DHCP Allocator, and enable clients to access the Internet.
While you're at it, also configure the clients' browsers. From the Microsoft Internet Explorer (IE) Tools menu, select Internet Options. On the resulting dialog box's Connections tab, in the Dial-Up Settings section, ensure that the Never dial a connection check box is selected, just in case the machine previously used a dial-up connection and was configured to dial on demand. Next, click Settings, and in the Automatic Configuration section of the resulting dialog box, select the Automatically detect settings check box and clear the Use automatic configuration script check box. In the Proxy Server section, clear the Use a proxy server check box. After you reboot your clients, your shared Internet connection should be up and running.
Understanding ICS's Laws and Limitations
As you can see, the ICS configuration process isn't very involved. However, this apparent simplicity is a result of some inflexibility that isn't immediately obvious to new users. Make sure that you understand ICS's limitations before you implement it on your network.
First, be aware that ICS provides a scaled-down DHCP server and DNS and WINS proxy servers, none of which you can disable. As a result, you should never enable ICS on Win2K servers acting as domain controllers (DCs) or those running DHCP or DNS services (or on networks running these services) because ICS's operation will interfere with them. This warning also applies to Active Directory (AD)-based Win2K domains because they must include DNS services.
Second, ICS is fairly inflexible in its required network configuration: After you enable it, ICS automatically configures the Win2K system acting as the Internet gateway so that the internal LAN adapter has an IP address of 192.168.0.1 with a class C subnet mask of 255.255.255.0. To make your LAN clients work with the ICS-enabled system, you must configure them to be on the same 192.168.0.x subnet and use the ICS-enabled machine as their default gateway. The easiest (and Microsoft-recommended) way to accomplish this setup is to simply configure the clients to use DHCP, which causes them to pick up the correct IP addressing information from the ICS-enabled system. The ICS machine will provide both DNS and WINS proxy services to LAN clients in this configuration, so you should ensure that the DNS and WINS server addresses on the ICS machine are correct.
Customizing an ICS Configuration
Assuming that the requirements of your network environment permit you to commit to ICS's configuration constraints and you followed the configuration instructions, you should have a shared Internet connection at this point. The only truly advanced configuration option possible with ICS is customizing ICS to let it work with specific types of applications and services over the Internet connection.
Although ICS's NAT routing functionality works with most applications, you're likely to have problems with applications that are based on the IP address of the client PC and don't function properly when the address is translated to that of the ICS system (e.g., applications that use IP Security—IPSec, remote procedure call—RPC, Lightweight Directory Access Protocol—LDAP, or SNMP). Some applications are inherently incompatible with ICS's NAT functionality and won't work under any circumstances, but you might be able to use the NAT Editor tool to customize your ICS configuration so that it's compatible with other applications.
To access NAT Editor, go to the Sharing tab you previously used to enable ICS on your network connection and click Settings. Go to the Applications tab of the Settings dialog box to find NAT Editor.
To add a custom application and make it work with NAT, you'll need to provide information about the application. Specifically, you must know the remote listening port that servers hosting the application use, whether the application uses TCP or UDP traffic or both, and the TCP or UDP response ports for the traffic coming back to network clients from the remote server.
The application vendor might provide this information in an FAQ or similar document on its Web site. If it doesn't, you might be able to find the information by scouring Internet newsgroups and search engines. You can also check Web sites that provide information about advanced ICS configuration (e.g., Practically Networked at http://www.practicallynetworked.com/sharing/sharing.htm, InfiniSource at http://www.infinisource.com/ics.html, Keith Gamard's site at http://members.home.com/kgamard/win2ktip.htm#ics).
The other customization you might want to implement in your ICS configuration is the ability for Internet-based users to access services running on machines on your internal LAN. To do so, navigate to the Network and Dial-Up Connection's Sharing tab and click Settings. On the resulting dialog box's Services tab, Win2K includes a list of several of the most popular types of IP services, including FTP, IMAP4 and IMAP3, SMTP, POP3, and Telnet. To let outside users access a particular service, select the service's check box and enter the server's DNS name or IP address in the resulting dialog box. If the service isn't listed but you know its port number, click Add and enter the relevant information in the resulting dialog box, which Figure 1 shows.
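The translation the opening paragraph describes, together with the two inbound cases ICS allows (replies to LAN-originated sessions and services published on the Services tab), as a small simulation added here; this is not code from the article or from Windows 2000. The class, its method names and the 203.0.113.x/198.51.100.x addresses are constructed for illustration, and the mapping tables are a simplification of what the real NAT driver keeps.

```python
# Added example, not code from the article: a small simulation of the NAT
# behaviour ICS provides. All addresses, ports and names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class IcsNat:
    """Rewrite LAN packets to one public address and map replies back."""

    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port
        self.sessions = {}   # (proto, src, sport, dst, dport) -> public port
        self.replies = {}    # (proto, remote ip, remote port, public port) -> (src, sport)
        self.services = {}   # (proto, public port) -> internal server ip (Services tab)

    def publish_service(self, proto, port, server_ip):
        """Static inbound mapping, like ticking a service on the Services tab."""
        self.services[(proto, port)] = server_ip

    def outbound(self, pkt):
        """LAN -> Internet: replace the private source with the public address."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.replies[(pkt.proto, pkt.dst, pkt.dport, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.sessions[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: return the rewritten packet, or None to drop it."""
        if pkt.dst != self.public_ip:              # private addresses are never reachable
            return None
        reply = self.replies.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if reply is not None:                      # answer to a translated session
            return Packet(pkt.proto, pkt.src, pkt.sport, *reply)
        server = self.services.get((pkt.proto, pkt.dport))
        if server is not None:                     # published internal service
            return Packet(pkt.proto, pkt.src, pkt.sport, server, pkt.dport)
        return None                                # unsolicited traffic is dropped
```

Note that an inbound packet on a translated port from a different Internet host than the one the LAN client contacted is dropped too, which is why outside hosts cannot reach LAN machines unless you publish a service for them.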
A Final Note
If you have one of the many Point-to-Point Protocol over Ethernet (PPPoE) DSL connections that many ISPs use these days, you might run into a problem related to the Maximum Transmission Unit (MTU) size of the IP stack on your ICS-enabled computer. The problem typically manifests as an inability to browse some Web sites, send emails with attachments, and similar maladies. This problem is a known concern, and you can fix it by manually adjusting the MTU size through the registry. For more information, see the Microsoft article, "PPPoE with ICS Requires MTU Setting Below 1492 on the ICS Clients" (http://support.microsoft.com/support/kb/articles/q259/7/83.asp).
Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.
"Windows 2000's Network Address Translation," February 2000, InstantDoc ID 7882
Inside Out, "Beyond Internet Connection Sharing," December 2000, InstantDoc ID 16011