Good Monday folks – I am the publisher of the 70-282-centric Microsoft Small Business Specialist Primer and I like to post up passages as a virtual book reading. It’s a lot of fun 🙂
Configure Access Using NAT
Small businesses use private networking as a tool for sharing resources, such as an Internet connection. SBS 2003 has built-in NAT functionality called the “Basic Firewall” that is enabled through the Routing and Remote Access Service (RRAS) and requires two NICs to function. The Premium Edition comes with ISA Server 2000, which supports SecureNAT clients (among other client types).
How NAT Works
A user on the network requests information from the Internet. The computer sends TCP or UDP packets whose headers carry its own (source) address, so the destination server knows where to send the requested information back. Before a packet leaves the network, the SBS server rewrites the packet header, replacing the source address with its own external address. In this way SBS hides the real source and, by using only its own IP address, appears to be the only computer at that location. When the destination server returns the requested data, the SBS server receives the reply, looks up the translation it created for the outbound packet, and rewrites the destination back to the client. The server running RRAS thus acts as a network address translator, letting all client computers share a single public IP address while hiding their private addresses from the Internet. Inbound packets that match no existing translation are dropped, which is what makes this a “Basic Firewall” rather than plain address sharing.
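The translation described above, modelled as an added example for this post (it is not code from SBS 2003, RRAS or ISA Server 2000): each outbound flow gets its own port on the server's public address, replies are mapped back through that port, and anything inbound that matches no flow is dropped. The addresses and ports are constructed sample values.

```javascript
// Added example for this post: a small model of the address translation the
// text describes. It is not code from SBS 2003, RRAS or ISA Server 2000; the
// addresses and ports below are constructed sample values (RFC 5737 ranges
// for the public side).

class Nat {
  constructor(publicIp, firstPublicPort = 40000) {
    this.publicIp = publicIp;          // the server's external (Internet-facing) address
    this.nextPort = firstPublicPort;   // next port the NAT hands out on its own address
    this.byClient = new Map();         // flow as seen from the client -> public port
    this.byPublicPort = new Map();     // public port + remote endpoint -> original client
  }

  // Outbound: keep the destination, replace the source with the NAT's public
  // address and a port it owns, and remember the mapping for the reply.
  translateOut(pkt) {
    const flow = `${pkt.proto}|${pkt.srcIp}:${pkt.srcPort}|${pkt.dstIp}:${pkt.dstPort}`;
    let publicPort = this.byClient.get(flow);
    if (publicPort === undefined) {
      publicPort = this.nextPort++;
      this.byClient.set(flow, publicPort);
      this.byPublicPort.set(`${pkt.proto}|${publicPort}|${pkt.dstIp}:${pkt.dstPort}`,
                            { ip: pkt.srcIp, port: pkt.srcPort });
    }
    return { ...pkt, srcIp: this.publicIp, srcPort: publicPort };
  }

  // Inbound: forward only packets that answer an outbound flow we translated;
  // everything else is dropped (returns null). That drop is what makes this
  // a "basic firewall" and not merely address sharing.
  translateIn(pkt) {
    const entry = this.byPublicPort.get(`${pkt.proto}|${pkt.dstPort}|${pkt.srcIp}:${pkt.srcPort}`);
    if (!entry || pkt.dstIp !== this.publicIp) return null;
    return { ...pkt, dstIp: entry.ip, dstPort: entry.port };
  }
}

// Two internal clients reuse the same local port toward the same web server;
// the NAT keeps them apart by giving each flow its own public port.
function demoSharedConnection() {
  const nat = new Nat("203.0.113.10");
  const web = { dstIp: "198.51.100.7", dstPort: 80 };
  const a = nat.translateOut({ proto: "tcp", srcIp: "192.168.16.5", srcPort: 51000, ...web });
  const b = nat.translateOut({ proto: "tcp", srcIp: "192.168.16.6", srcPort: 51000, ...web });
  const replyToA = nat.translateIn({ proto: "tcp", srcIp: web.dstIp, srcPort: 80,
                                     dstIp: "203.0.113.10", dstPort: a.srcPort });
  // An unsolicited inbound connection attempt (nobody inside asked for it).
  const unsolicited = nat.translateIn({ proto: "tcp", srcIp: "198.51.100.9", srcPort: 4444,
                                        dstIp: "203.0.113.10", dstPort: 3389 });
  return { a, b, replyToA, unsolicited };
}

console.log(JSON.stringify(demoSharedConnection(), null, 2));
```

Run it with node and compare the two outbound packets: both leave with the same source address (the server's) but different ports, and only the reply addressed to a port the NAT handed out is forwarded inward.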
NAT comes with both SBS 2003 Standard and Premium Edition (in Premium you would use ISA Server 2000). Even though NAT is implemented by RRAS, in SBS 2003 you enable it by running the Configure E-mail and Internet Connection Wizard (CEICW). When running the CEICW you will reach the Firewall Settings screen; selecting the Enable Firewall option enables NAT. If ISA Server 2000 is installed (Premium Edition), a pop-up window will appear at this point advising you that the wizard is stopping services to configure ISA Server 2000 before you continue with the CEICW.
IMPORTANT: For NAT to provide the Basic Firewall, you must have at least two network adapters (NICs) installed: one connected to the internal network and one connected to the Internet.
ISA Firewall Clients
Firewall clients redirect outbound Internet traffic through the firewall. An ISA Server 2000 machine supports three kinds of client, discussed in this section:
- SecureNAT
- Firewall client
- Web Proxy
Client computers that do not have firewall client software are SecureNAT (secure network address translation) clients. SecureNAT clients benefit from many features of ISA Server, including most access control features, except for high-level protocol support and user-level authentication. SecureNAT clients do not require special software, but their default gateway must point (directly, or through an internal router) to the ISA Server's internal address. ISA Server client functionality depends on the proper configuration of the ISA Server itself: if the server has difficulty resolving hostnames or reaching the Internet, so will the clients. Because ISA Server relies on the Windows Server 2003 DNS configuration, the internal and external DNS server addresses must be set correctly on the server. By default, the Web Proxy service listens on port 8080 on all of the ISA Server machine's internal IP addresses, including the loopback address 127.0.0.1.
Chapter 6 Securing Windows Small Business Server 2003
SecureNAT clients, whose traffic is handled by the Firewall service, benefit from:
- Application filters that can modify the protocol stream to allow handling of complex protocols.
- Site and content rules, applied by the Firewall service, which passes all HTTP requests to the Web Proxy service.
Because SecureNAT relies on ordinary IP routing rather than client software, it has no mechanism for authenticating users. ISA Server 2000 rules can still be applied to SecureNAT clients, including protocol usage policies, destination, and content type, but rules that require a user or group identity cannot be enforced for them.
Web Proxy clients are computers running a Web browser that complies with HTTP 1.1 and is configured to use the Web Proxy service of ISA Server 2000. Browser settings can be configured manually on the client or automatically by installing the firewall client and configuring the Web browser through the ISA Server 2000 Management console. There you can configure:
- The ISA Server 2000 and port to which the client should connect.
- Automatic discovery.
- Computers that the web browser should access directly.
- A backup route if the ISA Server 2000 machine is unavailable.
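The settings in that list are exactly what a proxy auto-configuration (PAC) script expresses in browser terms, so here is one written as an added example for this post. It is not the script ISA Server 2000 generates; the server name sbs2003.smallbiz.local, the .smallbiz.local suffix and the 192.168.16.0/24 subnet are assumed values, and the PAC built-ins (isPlainHostName, dnsDomainIs, isInNet) are reimplemented in the block only so it can be run outside a browser.

```javascript
// Added example for this post: a hand-written proxy auto-configuration (PAC)
// script that expresses the browser settings listed above. It is not the
// script ISA Server 2000 generates; the server name, domain suffix and subnet
// are assumed values. The PAC built-ins it uses are reimplemented below so
// the script can be exercised outside a browser (for example with node).

const ISA_PROXY = "PROXY sbs2003.smallbiz.local:8080"; // assumed ISA name; 8080 is the default Web Proxy port
const BACKUP_ROUTE = "DIRECT";                         // assumed fallback if ISA is unavailable (see note)
const INTERNAL_DOMAIN = ".smallbiz.local";             // assumed internal DNS suffix
const INTERNAL_NET = "192.168.16.0";                   // assumed internal subnet
const INTERNAL_MASK = "255.255.255.0";

// Minimal versions of the PAC built-ins (browsers provide the real ones).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(host, net, mask) {
  // The real isInNet resolves names; this stand-in only accepts dotted-quad literals.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The entry point every PAC script must define.
function FindProxyForURL(url, host) {
  // "Computers that the web browser should access directly": unqualified
  // names, anything in the internal domain or subnet, and the loopback
  // address. These must bypass ISA, or internal sites would be requested
  // through the proxy instead of over the LAN.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      isInNet(host, INTERNAL_NET, INTERNAL_MASK) ||
      host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // "The ISA Server 2000 and port to which the client should connect",
  // followed by "a backup route if the ISA Server 2000 machine is
  // unavailable". Browsers try the entries from left to right.
  return ISA_PROXY + "; " + BACKUP_ROUTE;
}
```

Two points a practitioner would check: "automatic discovery" is not part of the script but the way the browser finds it (a wpad name published through DHCP or DNS), and a DIRECT backup route only helps if the client has another path to the Internet; when ISA is the only gateway it merely turns a proxy error into a timeout, so a second proxy entry or no fallback at all (fail closed) is usually the better choice.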
Harry Brelsford, CEO at SMB Nation
MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)