Routing with Windows NT
Author: Emmett Dulaney
Vijay Sankar
Sharon E. Sankar
Published: June 1999
Copyright: 1999
Publisher: 29th Street Press
 


ROUTING AND REMOTE ACCESS SERVICES (RRAS)

RRAS runs only on NT 4.0 and 2000 Server. If you haven’t already done so, download the free software from http://www.microsoft.com/ntserver/. To make sure that the download proceeds smoothly, use Internet Explorer 4.01 or later. If you register with www.microsoft.com, you can use a download wizard that will alleviate some of the monotony of filling out forms repeatedly. If you are using 2000 Server, you don’t have to download RRAS because it is included. Let’s look at some of the features of this free software.

RRAS Features
(From here, we refer to the updated version, RRAS 2.0, as RRAS.) RRAS builds on the previous Multi-Protocol Routing (MPR-1) and RAS. With RRAS, you can have up to 16 network cards, 256 modems, and 48 interfaces for demand-dial.

RRAS supports the routing protocols RIP (Versions 1 and 2) and Open Shortest Path First (OSPF). The Point-to-Point Protocol (PPP) can be used to connect an NT Server to a different router or to another NT Server running RRAS. Once it is connected, RRAS can be turned on and the NT Server can act as a router. The demand-dial support for up to 48 interfaces allows your local network to automatically dial up to 48 networks if needed.

Objectives
Sounds great, you say. But how do you use just two network cards and an ISDN connection to connect your network to the Internet? How do you secure your network so that those friendly folks on the Internet aren’t accessing your internal network?

The ideal course is to make sure that you read the documentation, know NT well, understand routing concepts, know about the various security issues on the Internet, and have at least one good friend at your Internet Service Provider (ISP). In less than ideal circumstances, follow the procedures outlined below. These procedures will enable you to meet the following objectives:
  • Use the free RRAS update to do routing.
  • Eventually replace that trusted router that has worked very well so far.
  • Separate the network into an internal network and an external network. The external network has resources like a Web server and an FTP server that can be accessed from the Internet.
  • Allow outgoing connections to the Internet.
In the examples used to illustrate the procedures, we’ve listed our IP addresses so that the screen captures make sense. Please substitute your own addresses when you follow the steps. Don’t use the addresses listed here.

Implementation
It’s very important to make sure that you have details right: for example, you need the right IP network numbers for internal and external networks and network cards that are supported by NT’s hardware compatibility list. Make a list of the following numbers, substituting your network’s addresses for the ones from our example:
  • Internal network — 204.112.23.0, Subnet Mask: 255.255.255.0
  • External network — 204.112.22.0, Subnet Mask: 255.255.255.0
  • NT router’s IP address — 204.112.22.11 for the external network, 204.112.23.11 for the internal network
  • Internet router’s address at ISP: 204.112.102.58
  • Internet router’s address at external network: 204.112.22.1
Figure 10.8 illustrates a small network that uses routing on an NT server to separate internal hosts from computers that are accessible through the Internet.

The internal network or intranet has various clients, application servers like SQL Server 7.0, DHCP and WINS servers, and others. These systems can access a poor man’s “de-militarized zone” as shown in Figure 10.8. Access to the Internet may be through a regular router or through RRAS. We’ve found that RRAS is more commonly used inside intranets. It’s a good solution for companies that have a number of offices or locations within a limited geographical area and have access to ISDN, cable modems, or xDSL. RRAS lets you create a sophisticated demand-dial infrastructure.

Implementing RRAS on an NT Server
Follow these steps to implement RRAS on an NT Server:
  1. Before you download the RRAS executable — mpri386.exe (5683K for Intel platforms) — from http://microsoft.com/ntserver/, make sure that at least Service Pack 3.0 for NT Server 4.0 is installed. Don’t install RRAS on NT Workstation or previous versions of NT Server — you must have NT Server 4.0.
  2. Make sure that you have at least 50 MB of free disk space if you are using FAT and at least 40 MB free if you are using NTFS (use NTFS if possible).
  3. Check the IP Address dialog box on your soon-to-be RRAS server to ensure that the default gateway is set to nothing because you want to let the routing protocols define the best default route. (If you have set a default gateway on the IP Address dialog box, your routing may not work properly.) Also, if you have more than one network interface (as in our example) because you have two network cards, ensure that IP Forwarding is not enabled (as shown in Figure 10.9).
  4. Run mpri386 or the appropriate executable for your hardware platform. The configuration described here was done on two IBM 760ED ThinkPads with two network cards, although a ThinkPad would obviously be less than ideal in a production environment.

Ready for Routing
After you have completed the steps above, you are ready to route through the RRAS server. Begin by choosing Start Router from the Server menu. To select routing protocols, right-click the IP Routing below the server icon and add a routing protocol. In Figure 10.10, we’ve added RIP.

Right-click the routing protocol you’ve added and add an interface. In our example, we’ve added the Xircom interface. When you right-click the interface, the dialog box shown in Figure 10.11 appears.

On the General tab, you set the operation mode, the protocol for outgoing packets, and the protocol for incoming packets. If you want to reduce network traffic, you can select Auto-Static mode instead of Periodic Update mode when talking to Cisco routers.

Once you’ve set these options, switch to the Security tab (Figure 10.12).

(Reminder: As you configure this interface, use your own IP addresses.) In Figure 10.12, we’ve checked “Process only routes in the range listed” and selected a range of IP network numbers so that our router doesn’t process routes to networks that aren’t trusted. You may choose to ignore the options presented here and process all routes.

Special Note: To protect your router as well, after you select RIP for Internet Protocol (Figure 10.10), right-click, then select Configure RIP to bring up the dialog box in Figure 10.13.

You can choose to process all router announcements, process router announcements from specific routers, or discard announcements from specific routers. In this case, RRAS processes only router announcements from IP address 204.112.22.1.
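
The two RIP restrictions described above (process announcements only from listed routers, and process only routes in a listed range) can be modelled as follows. This is an added example, not code from the book or from RRAS; the peer address is the example router from the text, while the accepted route range and the sample announcements are assumptions constructed for illustration.

```python
import ipaddress

# Assumed policy values: the peer is the page's example Internet router;
# the accepted route range is an assumption (the page does not list the
# range entered in Figure 10.12), here spanning the two example networks.
TRUSTED_PEERS = {ipaddress.ip_address("204.112.22.1")}
ROUTE_RANGE = (ipaddress.ip_address("204.112.22.0"),
               ipaddress.ip_address("204.112.23.255"))


def evaluate(source, network, peers=TRUSTED_PEERS, route_range=ROUTE_RANGE):
    """Return (accepted, reason) for one RIP route announcement."""
    src = ipaddress.ip_address(source)
    net = ipaddress.ip_network(network, strict=True)
    if src not in peers:
        return False, "announcement from unlisted router"
    low, high = route_range
    # The whole advertised network must sit inside the range, not just
    # its first address, so a wide prefix cannot slip through.
    if not (low <= net.network_address and net.broadcast_address <= high):
        return False, "route outside accepted range"
    return True, "accepted"


def filter_announcements(announcements):
    """Split announcements into accepted routes and a rejection log."""
    accepted, rejected = [], []
    for source, network in announcements:
        ok, reason = evaluate(source, network)
        (accepted if ok else rejected).append((source, network, reason))
    return accepted, rejected


# Constructed sample announcements (source router, advertised network).
SAMPLE = [
    ("204.112.22.1", "204.112.23.0/24"),   # listed peer, in range
    ("204.112.22.1", "0.0.0.0/0"),         # listed peer, default route
    ("204.112.22.77", "204.112.23.0/24"),  # unlisted router on the segment
    ("204.112.22.1", "204.112.0.0/16"),    # listed peer, prefix too wide
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE)
    for row in accepted + rejected:
        print(row)
```

The rejection log is the part worth keeping: an announcement from an unlisted router on the external segment, or a default route arriving over RIP, is something to investigate rather than silently drop.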

Once you’ve set the options on the Security tab, switch to the Neighbors tab (Figure 10.14). You can choose to communicate with neighboring routers using the standard UDP packets — broadcasts or multicasts that RIP supports. In addition, you can send RIP packets to specific routers listed in the Neighbors list. You can also choose to send RIP packets only to specific neighboring routers. In Figure 10.14, the RRAS server will send RIP packets only to the router with an IP address of 204.112.22.1. Using the Neighbors list as we’ve done in Figure 10.14 minimizes traffic on your internal network because broadcasts aren’t used.

Next, switch to the Advanced tab (Figure 10.15). In Figure 10.15, we are overriding non-RIP routes with RIP-learned routes because of the configuration of our network. However, the default values listed for your installation should work.

Finally, make sure that your ISP knows to direct IP traffic to your network at their router. Test this by issuing a traceroute command. The best place to issue the command is a computer at the ISP’s site. In the following example, we’ve used a Telnet session to log on to a Unix computer and issued the command

traceroute 204.112.23.13

and received the response

traceroute 204.112.23.11 (204.112.23.11), 30 hops max, 40 byte packets
1 manitoba.mbnet.mb.ca (204.112.178.1) 3 ms 2 ms 2 ms
2 idrouter.mbnet.mb.ca (204.112.54.130) 2ms 1 ms 1 ms
3 204.112.102.58 (204.112.102.58) 32 ms 32 ms 32 ms
4 web13.foretell.ca (204.112.23.13) 37 ms 26 ms 27 ms

You can see that we were able to access a computer on internal network 204.112.23.0 from the Internet. To secure the internal network, you can set up input and output filters on each of the interfaces. The filters on RRAS seem to work very well. So far, performance tests on our network have shown that the increase in CPU and memory utilization for about 120 filters has been minimal. RRAS seems to consume about 2.1 MB of memory and about 3 percent of CPU on this network.


CONCLUSION

RIP-1 and RIP-2, static routing, and remote access are provided as a part of RRAS. Additional routing protocols such as OSPF are also available, even though we haven’t seen NT used as an OSPF router in a large-scale production environment. If you are planning to use an NT Server just for remote access through dial-up connections, you may want to avoid installing RRAS and just stick with the version of RAS that is distributed on the NT CD-ROM. RRAS performance is comparable to that of a low-end router. In addition, because RRAS uses the familiar Windows interface for local and remote management with integrated NT security, it may be a good candidate for organizations with many small offices or locations.


