
Connecting Your Network to the Internet

with Windows Server 2003

Microsoft Corporation
Published: March 2003

Abstract
In today’s business world, being connected to the marketplace and to your customers means getting connected
to the Internet. Windows® Server 2003 makes it easier to securely connect your network to the Internet, enabling
your employees to access the information they need. This white paper describes the steps needed to provide
shared Internet access to Microsoft® Windows® XP-based clients that are directly attached to a medium-sized
private network using Windows Server 2003 and network address translation.
Microsoft® Windows® Server 2003 White Paper

The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES
NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION
IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights,
or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual
property.
The example companies, organizations, products, people and events
depicted herein are fictitious. No association with any real company,
organization, product, person or event is intended or should be inferred.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows logo are
either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.

Contents
Introduction
Scenario Requirements
Scenario Tasks
Internet Connection Setup Tasks
Establishing an Internet Account with an ISP
Configuring Windows Server 2003 for Internet Access
Assigning IP Addresses
Configuring Routing and Remote Access for Network Address Translation
Creating a Dedicated Internet Connection
Creating a Demand-dial Internet Connection
Updating the Local DNS Server for Internet Naming Resolution
Conclusion
Summary
Related Links



Introduction
Connecting a medium-sized office network to the Internet has traditionally been a difficult process
requiring separate computers and extensive knowledge of network devices. For many, making a
connection to the Internet seemed costly and difficult to manage. With Windows Server 2003, making a
connection to the Internet is easier, more secure, and can be accomplished with relatively inexpensive
hardware and basic Internet service provider (ISP) services.

This white paper is intended for users of medium-sized Windows Server 2003 domain-based networks
who want to set up Internet access and share it with local area network clients. A basic understanding of
domain-based networks, Domain Name System (DNS), and the Dynamic Host Configuration Protocol
(DHCP) is assumed. This paper is not intended as a comprehensive review of all routing features of
Windows Server 2003; rather, it focuses on the basic Internet gateway capabilities.

Scenario Requirements
This document walks you through the setup of a Windows Server 2003-based server as an Internet
connection server that shares access with a local area network. It is assumed that in order to connect to
the Internet you have an active account with an ISP and a physical connection to the Internet. This
could be a dial-up connection (such as an analog modem or ISDN connection) or a dedicated
connection using a cable modem or Digital Subscriber Line (DSL).

To configure the server for Internet access sharing, you will need to configure the Routing and Remote
Access service to act as a network address translator (NAT). A NAT relies on a single public IP address
for the Internet and translates all internal client traffic to and from this IP address.

By setting up NAT, companies benefit in the following ways:


• Lower cost
NAT allows you to share a single public IP address with many internal clients, avoiding the cost of
setting up multiple public Internet address accounts.
• Increased security
By hiding the IP addresses of private network clients and servers from the Internet, NAT provides
an increased level of intranet security.


Scenario Tasks
In this white paper, we will describe the following tasks:

Setup and Management Tasks

• Network setup and configuration using the network address translation capability of Routing and
Remote Access
• Configuration and setup of Routing and Remote Access service for a dedicated or demand-dial
connection to the Internet
• Configuration of the private network DNS server to forward Internet name resolution requests to
an ISP DNS server


Internet Connection Setup Tasks


The Routing and Remote Access service, which is integrated in Windows Server 2003, provides a
variety of capabilities such as connecting remote users, connecting office networks, and connecting
networks to the Internet. This white paper describes how to configure Windows Server 2003 to provide
a basic outbound connection to the Internet that can be shared with other computers on your internal
network.

To set up your network for Internet access, you need to:


1. Establish an Internet account with an ISP.

2. Configure Windows Server 2003 for Internet access.

3. Update your local DNS server for Internet naming resolution.

Establishing an Internet Account with an ISP


You must establish an account with an ISP to access the Internet. An ISP provides the following
information needed to configure your server and network environment:
• Account name and password. This is used for authentication purposes.

• Assigned IP address. This is your public IP address associated with your account. This can be
statically or dynamically assigned.

• ISP DNS server address. This is used to forward DNS requests for Internet names to the ISP’s DNS
server.

• Phone number. For demand-dial connections, this is the number for your ISP.

Note If you plan to host a Web server or a virtual private network (VPN) remote access server, you need to
request a static IP address or have an ISP that supports DNS dynamic update. Outbound Internet traffic will
work with a dynamically assigned IP address, but external computers will not be able to connect to your
network over the Internet.

Before you set up Internet sharing, check with your ISP about any licensing limitations on shared
access through a single ISP connection.

Configuring Windows Server 2003 for Internet Access


Select a computer on your network that will act as the Internet connection server. This computer
requires Windows Server 2003 with Routing and Remote Access configured and at least one network
adapter connected to your private network. For a dedicated connection to the Internet, an additional
network adapter must be installed. For a demand-dial connection to the Internet, install a modem or
ISDN adapter.

Assigning IP Addresses

If your server is already connected to the private network, the attached network adapter should already
have an IP address that was dynamically assigned by the local DHCP server. Because this server will
be used as the Internet connection server, you will need to assign a static IP address to the private
network adapter. This static IP address should be excluded from the DHCP scope for the subnet to
which the Internet connection server is attached.

To communicate the server’s new role as an Internet gateway to all clients on the subnet attached to
the Routing and Remote Access server, you will also need to add this static IP address to the Router
(Default Gateway) DHCP option. For more information about how to add this option, see Windows
Server 2003 Help and Support. If your private network consists of multiple subnets, adjust your routing
infrastructure so that default route traffic is forwarded to the static IP address of the Internet connection
server's private network interface.

When you have two network adapters installed on the server computer, you must be able to identify
which network adapter is connected to the private network and which is connected to the Internet.
Therefore, it is a good idea
to rename the connections corresponding to the adapters with descriptive names, such as "Private
Network" and "Internet." This can be done from the Network Connections folder.

For this white paper, we assume that the private network adapter is named "Private Network" and is
assigned a reserved static IP address of 10.10.1.90. We also assume that the ISP assigned a static
public IP address of 131.107.0.20 to your company. The public IP address should be assigned to the
Internet connection.

To assign IP addresses to the LAN connections:

1. Log on to the Routing and Remote Access server with an account that has administrator privileges.

2. Click Start, point to Settings, point to Network Connections, right-click the connection connected to
your private network, and then click Properties.

3. On the General tab, under This connection uses these items, double-click Internet Protocol
(TCP/IP).

4. On the General tab, click Use the following IP address and type the appropriate IP address and
subnet mask. Click OK to accept the changes to the TCP/IP protocol. Click OK to save changes to
the connection.

5. If you have a dedicated Internet connection, repeat these steps for the Internet connection, but
assign the static IP address provided by your ISP.

Configuring Routing and Remote Access for Network Address Translation

Routing and Remote Access can be configured to provide the following networking services:
• Remote access (dial-up or VPN) allows remote access clients to connect to this server through either
a dial-up connection or a secure virtual private network (VPN) connection.

• Network address translation (NAT) allows internal clients to connect to the network using one public
IP address.

• Virtual Private Network (VPN) access and NAT allows remote clients to connect to this server
through the Internet and local clients to connect to the Internet using a single public IP address.

• Secure connection between two private networks allows a connection between your network and a
remote network, such as a branch office.

• Custom configuration allows the selection of any of the features available in Routing and Remote
Access.


For this deployment scenario, we are going to configure Routing and Remote Access to provide NAT
services using the following procedure:
1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote
Access.

2. In the contents pane, right-click the server name and click Configure and Enable Routing and
Remote Access. The Routing and Remote Access Server Setup Wizard appears. Click Next to view
choices for several default server roles.

3. Select Network address translation (NAT) as shown in the following figure.

4. Click Next. If you are using a dedicated Internet connection, see "Creating a dedicated Internet
connection." If you are using a demand-dial Internet connection, see "Creating a demand-dial
Internet connection."

Creating a Dedicated Internet Connection

In our example, we have two network adapters, one named Private Network and one named Internet.
The Private Network connection is connected to the internal network and has the static IP address of
10.10.1.90. The Internet connection is configured with the IP address 131.107.0.20.
1. Continuing the procedure from "Configuring Routing and Remote Access for network address
translation", on the NAT Internet Connection page, click Use this public interface to connect to
the Internet, and click the Internet connection. Leave the Enable security on the selected
interface by setting up Basic Firewall check box selected. This is shown in the following figure.


2. Click Next. On the Name and Address Translation Services page, click I will set up name and
address services later. Because you already have DNS and DHCP services operating on your
private network, you do not need the Routing and Remote Access server to provide these services.
This is shown in the following figure.

3. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click
Finish.

4. To add a default route, in the console tree, double-click IP Routing, right-click Static Routes, and
then click New Static Route.

5. In Interface, select the interface that corresponds to your dedicated Internet connection. In
Destination, type 0.0.0.0. In Network mask, type 0.0.0.0. An example is shown in the following
figure.


6. Click OK.

Steps 4-6 configure a default route, making all the locations on the Internet reachable from the
Routing and Remote Access server.

You have finished configuring your Routing and Remote Access server as a network address translator
with a dedicated Internet connection. Skip ahead to the "Updating the local DNS server for Internet
naming resolution" section.

Creating a Demand-dial Internet Connection

Instead of having a dedicated connection to the Internet, you may choose to connect only when your
private network users require access. Routing and Remote Access can automate the connection
process whenever someone tries to access the Internet. In this example, we are using a modem to
access the Internet instead of a network adapter.
1. Continuing the procedure from "Configuring Routing and Remote Access for network address
translation," on the NAT Internet Connection page, click Create a new demand-dial interface to
the Internet. Leave the Enable security on the selected interface by setting up Basic Firewall
check box selected. The basic firewall is a stateful firewall that monitors all outbound traffic and
dynamically creates inbound packet filters for the response traffic. This is shown in the following
figure.


2. Click Next. On the Network Selection page, click the connection that is connected to the private
network. This is shown in the following figure.

3. Click Next. On the Name and Address Translation Services page, click I will set up name and
address services later. Because you already have DNS and DHCP services operating on your
private network, you do not need the Routing and Remote Access server to provide these services.
This is shown in the following figure.


4. On the Ready to Apply Selections page, click Next. The Routing and Remote Access service is
configured and initialized and the Demand-Dial Interface Wizard is started.

5. On the Welcome to the Demand-Dial Interface Wizard page, click Next.

6. On the Interface Name page, type the name of the demand-dial interface. An example is shown in
the following figure.

7. Click Next. On the Connection Type page, click Connect using a modem, ISDN adapter, or other
physical device. This is shown in the following figure.


8. Click Next. On the Select a Device page, click the modem used to dial your ISP. An example is
shown in the following figure.

9. Click Next. On the Phone Number page, type the phone number to dial your ISP in Phone number
or address. An example is shown in the following figure.


10. Click Next. On the Protocols and Security page, click Next.

11. On the Dial Out Credentials page, type the credentials used to make a connection to your ISP. An
example is shown in the following figure.

12. Click Next. On the Completing the Demand-Dial Interface Wizard page, click Finish.

13. In the console tree, click Network Interfaces.

14. In the details pane, double-click the newly created demand-dial interface.

15. Click the Networking tab, and then double-click Internet Protocol (TCP/IP).

16. Click Use the following IP address, and then type the public IP address assigned by the ISP in IP
address. An example is shown in the following figure.


17. Click OK to save changes to the TCP/IP configuration. Click OK to save changes to the demand-dial
interface.

18. To add a default route, in the console tree, double-click IP Routing, right-click Static Routes, and
then click New Static Route.

19. In Interface, select the interface that corresponds to your demand-dial connection to the Internet. In
Destination, type 0.0.0.0. In Network mask, type 0.0.0.0. An example is shown in the following
figure.

20. Click OK.

Steps 18-20 configure a default route, making all the locations on the Internet reachable from the
Routing and Remote Access server.

You have now completed configuring a demand-dial connection to the Internet. Similar to the dedicated
Internet configuration, this server now has a static private network IP address and a static public IP
address provided by the ISP.
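
The address translation described under Scenario Requirements and the Basic Firewall behavior described in step 1 above (outbound traffic dynamically creates inbound filters for the response) can be modeled together. This Python model is an added example, not code from the white paper or from Windows; the client and remote addresses and the port pool are constructed, and matching replies on the full remote endpoint is a simplifying assumption rather than a statement about the Routing and Remote Access implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "131.107.0.20"   # public address from the white paper's example
Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


@dataclass
class NatGateway:
    public_ip: str = PUBLIC_IP
    next_port: int = 50000   # constructed start of the public port pool
    # (proto, private endpoint, remote endpoint) -> public port
    out_map: Dict[tuple, int] = field(default_factory=dict)
    # (proto, public port, remote endpoint) -> private endpoint
    in_map: Dict[tuple, Endpoint] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source and record state for the reply."""
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            # Dynamic inbound filter: only this remote endpoint may
            # answer on this public port (assumed matching rule).
            self.in_map[(pkt.proto, port, pkt.dst)] = pkt.src
        return Packet(pkt.proto, (self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the reply translated back, or None if it is dropped."""
        if pkt.dst[0] != self.public_ip:
            return None
        private = self.in_map.get((pkt.proto, pkt.dst[1], pkt.src))
        if private is None:
            return None      # no outbound flow created this filter
        return Packet(pkt.proto, pkt.src, private)


def demo() -> dict:
    """Run constructed traffic through the gateway and collect results."""
    gw = NatGateway()
    client_a = ("10.10.1.101", 1025)   # constructed private clients
    client_b = ("10.10.1.102", 1025)
    web = ("198.51.100.10", 80)        # constructed remote server
    stranger = ("203.0.113.5", 4444)   # constructed unrelated host
    out_a = gw.outbound(Packet("tcp", client_a, web))
    out_b = gw.outbound(Packet("tcp", client_b, web))
    return {
        "out_a": out_a,
        "out_b": out_b,
        "reply": gw.inbound(Packet("tcp", web, out_a.src)),
        "unsolicited": gw.inbound(Packet("tcp", stranger, out_a.src)),
        "closed_port": gw.inbound(Packet("tcp", web, (PUBLIC_IP, 3389))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both clients leave with the same public address and different public ports, the server's reply is mapped back to the originating client, and inbound packets that match no recorded outbound flow return None.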


Updating the Local DNS Server for Internet Naming Resolution


Before network clients can access the Internet, your private network DNS server needs to know how to
resolve Internet domain names. For example, if someone types http://www.msn.com in an Internet
browser, the private network DNS server should forward the request to resolve the www.msn.com name
to the ISP DNS server.

To configure DNS name resolution forwarding to the ISP DNS server:


1. Log on to the DNS server computer with an account that has administrator privileges.

2. Click Start, point to Programs, point to Administrative Tools, and click DNS.

3. In the console tree, right-click the DNS server name and click Properties.

4. Click the Forwarders tab. In Selected domain's forwarder IP address list, type the IP address of
your ISP DNS server and click Add. Select the Do not use recursion for this domain check box.
An example is shown in the following figure.

5. Click OK to save changes to the DNS server properties.

You have now completed the process of configuring the local DNS server to forward Internet name
resolution requests to the external ISP DNS server.

Conclusion
Local area network clients now have access to the Internet through the Routing and Remote Access
server. To test this, clients should start a Web browser and begin accessing Web sites on the Internet.


Summary
This white paper describes how to provide medium-sized networks with secure access to the Internet
using the network address translator (NAT) services of Windows Server 2003. By configuring Windows
Server 2003 as a NAT and updating the private network DNS server to forward Internet names to an
ISP DNS server, companies can quickly add Internet access to their networks. In addition, with NAT
technology hiding the internal client IP addresses, customers gain an increased level of Internet
security.


Related Links
See the following resources for further information:
• Windows Server 2003 Networking and Communications Services Web site at
http://www.microsoft.com/windowsserver2003/technologies/networking/

• Windows VPN Web site at http://www.microsoft.com/vpn/

For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at
http://www.microsoft.com/windowsserver2003/.
