More on NT as an Internet Gateway

Thank you for all the letters about my June column, "Unlock Your Gateway to the Internet." The interest this column has generated prompts me to return to the topic of Windows NT as an Internet gateway and to point you, if you haven't found it yet, to Mary Madden and Ed Tittel's excellent July article, "Easy Access to the Internet." It gets down to the buttons-and-dialogs level that I didn't have time to cover.

Continuing the Story
If you're just joining us, the scenario is that you have a LAN in your office and an Internet connection through an Internet Service Provider (ISP). On an NT server or workstation, you can create a router that will let any PC on your network access the Internet, so that Internet mail, newsgroups, the Web, and so on are available to everyone in the office.

Many readers tell me that they can't figure out why they can communicate between their computer and their network's gateway, or between the gateway and the Internet, but not directly between the computers on the LAN and the Internet. The usual reason is that they don't have InterNIC-approved addresses.

Visualize the pieces of this system: your LAN, your gateway/router, your ISP's gateway/router, and the Internet. If you make up a bunch of random IP addresses, no one knows about them but you. Suppose you choose the range from 4.1.1.0 through 4.1.1.15. Now if you ping my gateway at 199.34.57.1 from one of your made-up addresses, 4.1.1.10, your router must shoot that ping packet over the WAN connection to the ISP's router.

Many people say they can see the modem's send data light flash, indicating that the packet has gone out--but nothing returns. The message goes from your router to the ISP's router, which looks in its routing tables to find where to send a message for network 199.34.57.0. The routing tables direct your ISP's router to Digital Express, my main ISP, and the ping gets to my router.

My router isn't configured in paranoid mode (unlike Microsoft's gateway), so it responds to your ping: My router generates a different IP packet directed at IP address 4.1.1.10. My ISP's router says, "Hmmm... Where can I find 4.1.1.10?" It looks in its routing table and, as a matter of fact, finds that Bolt Beranek and Newman (BBN), one of the first firms involved in creating the Internet, owns the entire 4.0.0.0 network. Result: My response to your ping goes to BBN, not you, and you see no response.

The moral is that you can't just make up a block of IP addresses, because your addresses must exist in all the routing tables of all the ISPs in the world. You have to apply to InterNIC, the group that coordinates new IP addresses, and your ISP can help you get a block of addresses. (To learn how this application process works, see Richard Reich, "Registering a Domain Name Is Easy," September 1996.) You can't just take one IP address and share it with your whole company.
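The routing-table lookup described above, as an added example (not code from the column): a toy longest-prefix-match lookup modelled on the column's scenario. The only numbers taken from the column are 4.1.1.10 (your made-up source address) and 199.34.57.1 (the column's gateway); the table entries, next-hop names and the 203.0.113.0/28 "registered" block are constructed for illustration.

```python
"""Added example: why a reply to a made-up IP address never comes back.

A router picks the most specific table entry that contains the destination
(longest-prefix match).  The ISP's router has an entry for BBN's 4.0.0.0/8,
so a reply addressed to 4.1.1.10 is forwarded toward BBN, not toward you.
Table contents and next-hop names below are constructed, not real routes.
"""
import ipaddress

# Constructed routing table for the ISP router that sits between the
# column's gateway and the rest of the Internet.
ISP_ROUTING_TABLE = {
    "4.0.0.0/8": "bbn-border-router",      # BBN's block, as the column describes
    "199.34.57.0/24": "digex-router",      # the column's network via Digital Express
    "0.0.0.0/0": "upstream-default",       # everything else
}

# Same table after an InterNIC-assigned block (constructed: 203.0.113.0/28)
# has been announced for your gateway.
REGISTERED_TABLE = dict(ISP_ROUTING_TABLE, **{"203.0.113.0/28": "your-gateway"})


def lookup(table, dst):
    """Longest-prefix match: return the next hop of the most specific
    network in `table` that contains `dst`, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def trace_ping(table, src, dst):
    """Return (where the echo request goes, where the echo reply goes).

    The request is routed on `dst`; the reply is a new packet routed on `src`,
    which is exactly the step that fails for an address nobody announced.
    """
    return lookup(table, dst), lookup(table, src)


if __name__ == "__main__":
    # Made-up source: the request reaches the column's gateway, the reply
    # heads for BBN.
    print(trace_ping(ISP_ROUTING_TABLE, "4.1.1.10", "199.34.57.1"))
    # Registered source: both directions resolve to the right routers.
    print(trace_ping(REGISTERED_TABLE, "203.0.113.10", "199.34.57.1"))
```

The second call shows the fix the column recommends: once your block appears in the ISP's table, the reply to `203.0.113.10` resolves to `your-gateway` instead of a stranger's border router. Today a network behind a proxy or NAT box would use RFC 1918 private space rather than random addresses, which avoids colliding with someone else's announced block even when a packet does leak out.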

Proxy Servers
Or can you? Well, yes, you can with a proxy server. (For information about Microsoft's new proxy server, see Mark Joseph Edwards, "Microsoft's Internet Access Server," September 1996, and "Configuring Internet Access Server," on page 153.) A proxy server is a computer that acts as a relaying point between computers on a local network and the Internet.

How's a proxy server different from a router/gateway? All a router does is pick up IP packets from its Ethernet connection and then resend them over the WAN connection. The router doesn't understand whether the IP packet is carrying Web communications, FTP data, or email messages. The Web browser on your PC says, "Hey, www.microsoft.com, let me see your home page." The router just gets the message to www.microsoft.com and has no concept of what HTTP is.

In contrast, a proxy server doesn't relay simple IP packets--it relays particular higher-level requests. Here's a simplified explanation. First, you reconfigure your Web browser so that it can no longer directly access the Internet. Instead, your browser must make its Web requests to the proxy server, which then interprets those requests.

Suppose you have a PC named MYPC and a proxy server named PROXY. You tell your Web browser to use PROXY as a proxy server. You then point the Web browser to www.microsoft.com, and you get Microsoft's home page. But under the hood, the Web browser on MYPC is saying directly to PROXY, "PROXY, please go get the page at www.microsoft.com." PROXY does so, and www.microsoft.com thinks it's communicating with a machine named PROXY; www.microsoft.com has no idea that it is actually meeting the needs of a different machine, MYPC.

Advantages and Disadvantages
Proxy servers are great. First, they require only one InterNIC-issued IP address. The addresses inside your company's network can be bogus; some proxy servers let you communicate with them via Internet Packet eXchange (IPX). In that case, your Web browser converses with the proxy server in IPX, and the proxy server talks to the outside Internet resources in IP. Second, a proxy server acts as a simple firewall--although I've never been very clear as to why an NT-based network needs a firewall when connected to the Internet--NT is, after all, a secure operating system, right? (To decide about the answer to this question, see John Enck, "Confronting Your Network Security Nightmares," on page 81.)

Proxy servers have the potentially severe disadvantage that they are Internet application-specific. Some proxy servers I've seen can support only Web and FTP. A tardis (time synchronizer), CUSeeMe (video teleconferencing), or Talk site probably doesn't work over a proxy server; ping doesn't work over any proxy server I know of. The three proxy servers I've heard of are WinGate, FireDoor, and Internet Access Server (IAS--Catapult). You can get more information about WinGate, a Windows 95-based product that works under NT, at www.com-on.dk/qbik/wingate.htm. All I know about FireDoor is its universal resource locator (URL): www.ozemail.com.au/~equival/. (A reader told me about it, but I haven't been able to access the site to find out more.) I have the beta for Microsoft's IAS, and I'm getting used to it. I'll talk about it when I have more experience with it.
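The MYPC-to-PROXY exchange above, and the "application-specific" limitation just described, as one added example (not code from the column or from any of the products it names): a minimal model of what a Web proxy does with a browser request. Unlike a router, which just forwards packets, the proxy has to parse the HTTP request line, pull the origin host out of the URL, and build a new request that it sends under its own name. The request text, the machine names MYPC and PROXY, and the `Via` header value are constructed for illustration; a request for anything other than an `http://` URL is refused, which is the concrete form of the column's point that a proxy only speaks the protocols it was written for.

```python
"""Added example: the relay step a Web proxy performs.

browser_to_proxy() builds the request a proxy-configured browser sends to
PROXY: the full URL goes on the request line, because the browser is asking
PROXY to fetch it.  proxy_forward() is PROXY's side: it parses that URL,
decides which origin server to contact, and rewrites the request into the
form the origin expects.  The origin only ever sees PROXY.
All request text and host names are constructed.
"""
from urllib.parse import urlsplit


def browser_to_proxy(url, client="MYPC"):
    """Request a proxy-configured browser sends to the proxy (absolute URL)."""
    return f"GET {url} HTTP/1.0\r\nUser-Agent: {client}\r\n\r\n"


def proxy_forward(request, proxy_name="PROXY"):
    """Parse the browser's request and build the request PROXY sends onward.

    Returns (origin_host, origin_port, request_text).  Raises ValueError for
    anything that is not an http:// URL: this proxy simply does not know how
    to relay it, which is the application-specific limitation of proxies.
    """
    head, _, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")

    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError(f"proxy only relays http:// URLs, got {target!r}")

    host = parts.hostname
    port = parts.port or 80
    path = parts.path or "/"          # the origin wants a path, not a full URL
    if parts.query:
        path += "?" + parts.query

    # Keep the browser's headers, but the Host line must name the origin,
    # and Via records that the request passed through the proxy.
    headers = [h for h in header_lines if not h.lower().startswith("host:")]
    headers = [f"Host: {host}", *headers, f"Via: 1.0 {proxy_name}"]

    origin_request = "\r\n".join([f"{method} {path} {version}", *headers])
    return host, port, origin_request + "\r\n\r\n" + body


def relays(url):
    """True if this proxy can relay a request for `url`, False otherwise."""
    try:
        proxy_forward(browser_to_proxy(url))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    host, port, onward = proxy_forward(browser_to_proxy("http://www.microsoft.com/"))
    print(f"PROXY connects to {host}:{port} and sends:\n{onward}")
    print("ftp relayed?", relays("ftp://ftp.microsoft.com/bussys/"))
```

Read the onward request and note what the origin server learns: the path, a `Host` line, and a `Via` line naming PROXY. Nothing in it identifies MYPC, which is why the column can say the origin "thinks it's communicating with a machine named PROXY". The `relays()` check is the defender's side of the same coin: every protocol the proxy refuses is one that cannot pass through it, so an inventory of what the proxy relays is also an inventory of what it blocks.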

MPR Confusion
Readers tell me that another source of confusion is Microsoft's Multi-Protocol Routing (MPR). Many people have searched Microsoft's Web site for it. MPR is on the FTP site, ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/ussp4, which the Web site doesn't index. You need at least Service Pack 2 (SP2) for MPR to work. I'm using SP4 and haven't encountered any problems. Just load MPR and install the Routing Information Protocol (RIP) IP routing module. You won't use RIP in your Internet gateway, but the software seems to improve the static routing behavior of NT's IP stack--which is why I recommend RIP.

Gateway Setup
When setting up a gateway, be methodical and take small steps that you can easily test. First, set up InterNIC-valid IP addresses on your local network. Make sure the PCs on your LAN can ping each other and the gateway machine's NIC. If your network has only one subnet, remember not to set a default gateway on the PCs on the LAN or the NIC on the gateway machine--after all, the PCs can't go anywhere, so why tell them a router is available?

Next, set up the Remote Access Service (RAS) connection on the gateway. Make sure you can dial up your ISP, and while you're sitting at the gateway machine, ping the outside world. The gateway machine must also still be able to ping the PCs on the local LAN. If it can't, check the PriorityBasedOnSubNet Registry parameter in hkey_local_machine\system\currentcontrolset\services\rasman\ppp\ipcp.

Then connect the gateway's right brain (the LAN connection) to its left brain (the WAN connection). Three Registry settings do this, and they are all in hkey_local_machine\system\currentcontrolset\services.

The first setting is IpEnableRouter, its type is reg_dword, and it goes in TCP/IP\Parameters. Give it a value of 1 to tell the gateway to route IP packets.

The second setting is DisableOtherSrcPackets; it's also reg_dword, and it goes in RasArp\Parameters. Set its value to zero, or all messages that come back from the Internet will stop at the gateway machine. A value of zero is what lets replies travel all the way back to the machines on the local network.

The third parameter is not always necessary--the symptom that means you need this parameter is the ability to ping the LAN before you make the RAS connection, but not after. This parameter is PriorityBasedOnSubNet, another reg_dword. Its value needs to be 1, and it goes in RasMan\PPP\IPCP. You'll probably have to add these parameters--you're not likely to find any of them already in the Registry.
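The three settings above, as an added example (not code from the column): a small checker that reports which of the gateway values are missing or wrong, and a renderer for a REGEDIT4-format .reg file that adds them. The `SNAPSHOT` dictionaries are constructed stand-ins for what you would read from a real machine; `read_live_settings()` reads the same values through Python's `winreg` module and therefore only works on Windows. One assumption to note: the column writes the first key as `TCP/IP\Parameters`, while the service key is actually spelled `Tcpip`, which is what the code uses.

```python
"""Added example: verify the three Registry values an NT Internet gateway needs.

The column's three settings, all under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:
  Tcpip\Parameters\IpEnableRouter          = 1  (route IP between NIC and RAS)
  RasArp\Parameters\DisableOtherSrcPackets = 0  (let replies pass through to the LAN)
  RasMan\PPP\IPCP\PriorityBasedOnSubNet    = 1  (only if LAN ping dies once RAS is up)
Snapshots used below are constructed; read_live_settings() is Windows-only.
"""
SERVICES = r"SYSTEM\CurrentControlSet\Services"

# (subkey under Services, value name, required DWORD value, always required?)
GATEWAY_SETTINGS = [
    (r"Tcpip\Parameters", "IpEnableRouter", 1, True),
    (r"RasArp\Parameters", "DisableOtherSrcPackets", 0, True),
    (r"RasMan\PPP\IPCP", "PriorityBasedOnSubNet", 1, False),
]


def check_gateway_settings(snapshot, lan_ping_fails_after_ras=False):
    """Return a list of problems found in `snapshot`, a mapping of
    subkey -> {value name: DWORD}.  The third setting is only checked when
    the caller reports the symptom the column ties it to."""
    problems = []
    for subkey, name, wanted, always in GATEWAY_SETTINGS:
        if not always and not lan_ping_fails_after_ras:
            continue
        values = snapshot.get(subkey, {})
        if name not in values:
            problems.append(f"{subkey}\\{name} missing; add REG_DWORD = {wanted}")
        elif values[name] != wanted:
            problems.append(f"{subkey}\\{name} is {values[name]}, should be {wanted}")
    return problems


def render_reg_file(include_priority=False):
    """Render a REGEDIT4 .reg file that creates the required values."""
    lines = ["REGEDIT4", ""]
    for subkey, name, wanted, always in GATEWAY_SETTINGS:
        if not always and not include_priority:
            continue
        lines.append(f"[HKEY_LOCAL_MACHINE\\{SERVICES}\\{subkey}]")
        lines.append(f'"{name}"=dword:{wanted:08x}')
        lines.append("")
    return "\n".join(lines)


def read_live_settings():
    """Read the same values from the local Registry (Windows only)."""
    import winreg
    snapshot = {}
    for subkey, name, _, _ in GATEWAY_SETTINGS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES + "\\" + subkey) as key:
                value, kind = winreg.QueryValueEx(key, name)
        except OSError:
            continue  # key or value absent: the checker reports it as missing
        if kind == winreg.REG_DWORD:
            snapshot.setdefault(subkey, {})[name] = value
    return snapshot


# Constructed snapshots: a fresh machine, and one where the second value was
# typed as 1 instead of 0 (a common slip, since the other two are 1).
FRESH_SNAPSHOT = {}
MISTYPED_SNAPSHOT = {
    r"Tcpip\Parameters": {"IpEnableRouter": 1},
    r"RasArp\Parameters": {"DisableOtherSrcPackets": 1},
}

if __name__ == "__main__":
    for problem in check_gateway_settings(MISTYPED_SNAPSHOT, lan_ping_fails_after_ras=True):
        print("PROBLEM:", problem)
    print(render_reg_file(include_priority=True))
```

Run it against `read_live_settings()` on the gateway itself to get the same report for the real Registry. The checker deliberately treats `DisableOtherSrcPackets` as a value that must be present and zero, rather than "anything but 1", so that a missing value is reported as loudly as a wrong one.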

When in Doubt
Some people tell me they can get their connection to work only if they check Use Default Gateway on Remote System on the RAS connection. Others agree with my observation that the routing works only if you don't check it--so try both ways. If you do check the box, you're more likely to have to experiment with PriorityBasedOnSubNet. If you don't check this option, you have to enter a ROUTE ADD command from a command prompt to tell the gateway that the RAS connection is the doorway to the Internet. Once the gateway is working, go to all machines but the gateway and insert the IP address of the gateway's NIC as each workstation's default gateway.

Thanks again for all the mail. I think these suggestions will make building your gateway easier. Best of luck, and happy Internetting!