
some questions about RRAS configuration

Asked By Heinz
29-Jan-10 11:30 AM
Hello,

I have to install a RRAS server under Win2003 R2

This will be used to connect a private LAN to the Internet using a permanent
internet connection via an ISP Router

What I have read so far about RRAS configuration assumed that the RRAS
server was itself directly connected to the internet (one network card using
Dial-Up...)

But my environment is an ISP router to which I need to connect the RRAS
server.
So basically I need to do this:

Client(PrivIP)---->(PrivIP)RRAS(PubIP)--->(PubIP)ISPRouter(PubIP)--->Internet

The functionality needed on the RRAS Server is this:
-NAT
-DHCP Server
-DNS Forwarder
-Firewall

I understand that I need to install the RRAS for "NAT" :
Then my plan is to assign the RRAS one private IP to the inside LAN and one
of the public IPs that we are given by our ISP to the other interface
On the RRAS, I would need to set the default Gateway to the IP-Nr of the ISP
Router..?
And the ISP Router's default GW must point to the RRAS..?
For DNS I would assign the ISP's DNS Server to the RRAS ? RRAS will then
act as a DNS forwarder / proxy for the clients ?

And if I install RRAS for NAT - do I need to configure any "Remote access
policies" ? Or "Remote Access Logging" ?


I have read about 3rd party software NAT routers like NAT32 - when would I
use something like NAT32 instead of RRAS..?

Thank you very much

Heinz


Dusko Savatovic replied to Heinz
29-Jan-10 02:15 PM
Hi Heinz,

Your scenario is typical for ISA Server 2006. However, Microsoft recently
released Forefront Threat Management Gateway 2010 which is the new
generation of ISA server. However, TMG works on 64-bit Win 2008.

Anyway, for a small network you can use the NAT feature built into Win 2003
RRAS.

The other answers inline...


Yes, the external network interface can be a Dial-Up modem (demand dial
interface).


Yes, this is OK, although I suppose that the ISP will allocate only one public
IP address to you. In that case, there will be:

Client(PrivIP)--->(PrivIP)RRAS(PrivIP)--->(PrivIP)ISPRouter(PubIP)--->Internet
Example:
10.10.1.100/24->10.10.1.1(RRAS)10.41.1.2/30->10.41.1.1(RTR)(PubIP)->INet

NAT - OK
DHCP Server - OK, but any internal server can do.
DNS Forwarder - OK, but any internal server can do.
Firewall - OK

OK


OK. You will have to sort this with ISP. See example above, you may be given
private IP.


Yes.


No. If the ISP router is at your location, the default GW on the internal interface
is not defined (blank). On the external interface it points to another ISP's
router.
If the ISP router is at the ISP's location, you will not have access to it
anyway.


You can install DNS on RRAS. If you are not hosting any services (web, mail
etc.), bind it so that it listens only on the internal interface. Configure a
forwarder to the ISP's DNS server. Configure all internal clients to use the
RRAS internal IP as DNS.


No, you do not.


The default logging is OK.


If it is ADSL, it can be configured for router mode. But ISPs are rather
unhelpful about this config. Some even say it is unsupported. However, you
may use your favorite Internet search to find how to configure ADSL Router
Mode.
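
The configuration Dusko describes in this reply (two interfaces, NAT on the external one, a DNS forwarder that listens only on the internal address and forwards to the ISP, DHCP handing out the RRAS internal address as gateway and DNS), written out as an added example script. It is not part of the original thread and not a command set anyone in it posted. It uses the reply's example addresses (10.10.1.1/24 inside, 10.41.1.2/30 towards the ISP router at 10.41.1.1); the interface names "LAN" and "WAN" and the ISP DNS address 203.0.113.53 are placeholders. It assumes Windows Server 2003 with RRAS already enabled as a LAN router and the DNS Server and DHCP Server components installed.

```batch
@echo off
rem Added example, not from the thread. Windows Server 2003 netsh / dnscmd commands.
rem Assumptions: interfaces renamed "LAN" (internal) and "WAN" (towards the ISP
rem router), RRAS already enabled, DNS Server and DHCP Server installed.
rem 203.0.113.53 is a placeholder for the ISP's DNS server address.

rem --- Addressing (the reply's example) ---------------------------------------
rem Internal interface: no default gateway, as the reply says.
netsh interface ip set address name="LAN" source=static addr=10.10.1.1 mask=255.255.255.0 gateway=none
rem External interface: /30 towards the ISP router, which is the only default gateway.
netsh interface ip set address name="WAN" source=static addr=10.41.1.2 mask=255.255.255.252 gateway=10.41.1.1 gwmetric=1

rem --- NAT: the external interface translates, the internal one is private ----
netsh routing ip nat install
netsh routing ip nat add interface name="WAN" mode=full
netsh routing ip nat add interface name="LAN" mode=private

rem --- DNS forwarder: listen only on the internal address, forward to the ISP --
rem No zones are hosted; the server only resolves on behalf of internal clients.
dnscmd /ResetListenAddresses 10.10.1.1
dnscmd /ResetForwarders 203.0.113.53

rem --- DHCP: clients get the RRAS internal address as gateway (3) and DNS (6) --
netsh dhcp server add scope 10.10.1.0 255.255.255.0 LAN "Internal clients"
netsh dhcp server scope 10.10.1.0 add iprange 10.10.1.100 10.10.1.200
netsh dhcp server scope 10.10.1.0 set optionvalue 003 IPADDRESS 10.10.1.1
netsh dhcp server scope 10.10.1.0 set optionvalue 006 IPADDRESS 10.10.1.1
netsh dhcp server scope 10.10.1.0 set state 1

rem --- Checks ------------------------------------------------------------------
rem NAT interfaces and their modes (WAN should be full, LAN private):
netsh routing ip nat show interface
rem Port 53 should be bound to 10.10.1.1 only, never to 10.41.1.2:
netstat -an | findstr ":53 "
```

Run it once from a command prompt on the RRAS server as an administrator. The `netstat` line at the end is the check that matters for exposure: if 10.41.1.2:53 shows up as listening, the forwarder is answering queries arriving from the ISP side and the `dnscmd /ResetListenAddresses` step did not take effect. On a domain-joined server the DHCP scope will not hand out leases until the DHCP server has been authorized in Active Directory.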


Heinz replied to Dusko Savatovic
02-Feb-10 01:21 PM
Hi,

thank you very much for your answers.

If I use a proxy like ISA 2006 then the users would need a proxy setting in
their internet browsers - right?
This is a problem in my environment (I cannot use policies etc.)...a
default gateway (RRAS server) I can distribute using DHCP... but a proxy...?

thank you


Dusko Savatovic replied to Heinz
02-Feb-10 01:40 PM
In line...


Not quite. You can configure your network so that default gateway targets
ISA Server's internal address. This type of connection is unauthenticated.

ISA Server also knows two more types of clients:
a) Web proxy clients. This is the type that you configure in web browser.
b) Firewall client. You need to install a piece of client software (can be
done with Group Policy).

These two types of access can be authenticated.

Simple rule - choose only one type of access on each client.


You're welcome
Steffen Meier replied to Dusko Savatovic
03-Feb-10 08:06 AM
Hello,

I have installed ISA 2006 SP1 (Standard Edition).
The ISA server has two network cards, one to the Internet, the other one to
the internal LAN.
Clients from the internal LAN can access the internet through the ISA - but
only if the client sets its proxy setting in Internet Explorer to the ISA
Server.

If I understood your post correctly, the client should be able to connect to
the internet through the ISA without using a proxy setting - if the ISA is
acting as the default gateway?
I have configured the ISA's internal IP-Nr as the default gateway for the
clients - but the clients cannot access the internet.
I cannot see any connection attempts in the ISA's monitoring.

Any idea what I must do if I want to connect clients to the internet through
ISA without setting a proxy server in the clients' browsers?

thank you
Heinz
Dusko Savatovic replied to Steffen Meier
03-Feb-10 08:24 AM
In line ...


Yes, that is correct. This type of ISA client is called a "Secure NAT
client".


It may be that your ISA Server is configured to require authentication. In
that case a Secure NAT client cannot work. A Secure NAT client is only capable
of establishing anonymous connections.

Perhaps the following article will help you. There are many more articles on
this excellent web site.
http://www.isaserver.org/tutorials/The_SecureNAT_Client.html


You're welcome and

Good luck
Heinz replied to Dusko Savatovic
03-Feb-10 11:49 AM
Hello,

now it works - thank you for your help!

Now I wonder if it is possible to get some reporting / logging when using
SecureNAT clients :-)
I understand that I won't get usernames or URLs in any reports or logs - but
now, when I create a report in ISA, this report is empty, no IP-Nr or traffic
is in the report.

I can see some information like IP numbers etc. in the (raw) logfiles, but
I see nothing in the reports that I can create in ISA; all reports that I
have created are empty.

thank you
Dusko Savatovic replied to Heinz
03-Feb-10 01:41 PM
Down...


You can get reports, but instead of names, you will get IP addresses.
It is simplest to schedule a daily report, which runs at 1:00 AM (IIRC). Just
run the wizard.

I guess you have to wait for at least 24 hours until you get reports.

You can always get a live view of traffic (packets passing through ISA Server).
Just go to www.isaserver.org . There is a wealth of information there.
Some articles are about ISA 2004, but they apply to ISA 2006. ISA 2000 is
older and a different architecture than ISA 2004/2006, but some principles from
2000 still apply (like the types of ISA Server clients).


You're welcome.
Heinz replied to Dusko Savatovic
03-Feb-10 02:23 PM
....


thank you, I will check www.isaserver.org for some realtime traffic monitor

Heinz