ICS

Discussion in 'Server Networking' started by Herb Martin, Jan 9, 2005.

  1. Herb Martin

    Herb Martin Guest

    Although Win2000+ SERVERS have ICS, they also have
    the more flexible NAT built in with RRAS.

    NAT is only slightly more difficult to understand and
    provides a great deal more flexibility and a few more
    features but ICS still works.

    You cannot use ICS if you are going to use Active
    Directory or otherwise have an Internal DNS system.
    Assuming a single internal subnet.

    It's going to be using addresses in the 192.168.0.x
    range because that is what ICS supports.

    With ICS, you must make your clients DHCP
    (obtain IP automatically) clients OR you must
    configure them with an address in the (upper
    part) of 192.168.0.xxx -- suggest 250+ if you
    must put in a manual address but automatic is
    better.

    They will automatically be set to use the ICS
    machine as their Default Gateway and DNS
    server -- if you have another internal DNS
    server this doesn't work correctly.

    Try it and if it doesn't work try some of these:

    ping www.yahoo.com

    If that doesn't work try:

    ping 68.142.226.34
    (this is yahoo)

    If this works and the previous doesn't then
    you have ICS working in general but DNS
    name resolution failing for the Internet and this
    means you probably don't have the Win2003
    server set to use ONLY the outside DNS***

    If that doesn't work try:

    tracert www.yahoo.com
    (and report results)

    If that doesn't work try (from both a client and the
    server):

    ipconfig /all

    (Cut and paste the output and send here)


    *** If you are going to use AD directory
    then you really cannot use ICS and must use
    NAT instead because you need internal DNS
    and even if you try to use that on the ICS
    machine you will find that ICS and DNS
    server (the real one) interfere.

    FYI:
    If this is your ONLY Windows server it
    probably doesn't belong as the router/ICS
    machine (too dangerous) but should have
    another firewall/router/NAT/ICS do that
    job.
     
    Herb Martin, Jan 9, 2005
    #1
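
The client settings the first post describes for ICS (an address in 192.168.0.x, with the ICS machine as default gateway and DNS server) can be checked mechanically from `ipconfig /all` output. This is an added example, not part of the original thread; the sample output, the extra 10.0.0.53 DNS entry, and the function names are constructed for illustration.

```python
import ipaddress
import re

ICS_HOST = "192.168.0.1"                          # ICS machine's LAN address (per the thread)
ICS_NET = ipaddress.ip_network("192.168.0.0/24")  # range ICS assigns to clients

# Constructed sample: English `ipconfig /all` from an internal client (not from the thread).
# 10.0.0.53 stands in for "another internal DNS server".
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.158
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       192.168.0.1
"""

FIELD = re.compile(r"^\s+([A-Za-z][^.:]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {section header: {field: [values]}} from `ipconfig /all` text."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a section
            current, last = sections.setdefault(line.rstrip(": "), {}), None
        elif (m := FIELD.match(line)) and current is not None:
            last = current.setdefault(m.group(1).strip(), [])
            if m.group(2).strip():
                last.append(m.group(2).strip())
        elif last is not None:               # continuation, e.g. a second DNS server
            last.append(line.strip())
    return sections

def ics_client_findings(fields):
    """Compare one adapter's fields with what the first post says an ICS client gets."""
    first = lambda key: (fields.get(key) or [""])[0]
    findings = []
    ip = first("IP Address")
    if not ip or ipaddress.ip_address(ip) not in ICS_NET:
        findings.append(f"IP address {ip or '(none)'} is outside {ICS_NET}")
    if first("Default Gateway") != ICS_HOST:
        findings.append("default gateway is not the ICS machine")
    if fields.get("DNS Servers", []) != [ICS_HOST]:
        findings.append("DNS is not solely the ICS machine")
    if first("DHCP Enabled").lower() != "yes":
        findings.append("static address: keep it clear of ICS DHCP leases")
    return findings
```
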

  2. Herb Martin

    Jim Guest

    Thanks Herb

    this is my output (translated from dutch):



    Windows IP-configuration

    Host-name . . . . . . . . . . . .: dikkelul
    Primair DNS-suffix. . . . .:
    Nodetype . . . . . . . . . . : mixed
    IP-routing enabled. . . . .: no
    WINS-proxy enabled. . . . . : no
    DNS-suffixsearchlist. . . . : mshome.net

    Ethernet-adapter LAN-connection 3:

    Verbindingsspec. DNS-achtervoegsel: mshome.net
    description. . . . . . . . . . .: 3Com Gigabit LOM (3C940)
    physical address. . . . . . . . . . . : 00-0C-6E-5D-90-A0
    DHCP enabled. . . . . . . . . : yes
    Autom. configuration enabled : yes
    IP-address. . . . . . . . . . . . . : 192.168.0.158
    Subnetmask. . . . . . . . . . . : 255.255.255.0
    Standardgateway. . . . . . . . . : 192.168.0.1
    DHCP-server . . . . . . . . . . . : 192.168.0.1
    DNS-servers . . . . . . . . . . . : 192.168.0.1
    Lease received. . . . . . . . . : Monday, 10 January 2005 1:27:54 AM
    Lease expires . . . . . . . . . : Monday, 17 January 2005 1:27:54 AM


    so summary:
    i got the network working with windows 2003 server which has internet
    connection, i enabled ics on this one
    but my windows xp client which is on the network can't reach the internet

    ch T
     
    Jim, Jan 9, 2005
    #2

  3. Herb Martin

    Tom Guest

    Hi

    I have a network with windows 2003 server with ICS enabled. I have run the
    network wizard on my windows xp client. What is the next step in order to
    get the internet working in my browser?

    ch Tom
     
    Tom, Jan 9, 2005
    #3
  4. Herb Martin

    Herb Martin Guest

    Usually I prefer it just pasted in BUT this is
    good because my Nederlands was never fluent
    and I have forgotten most of it -- but I do love
    ^ empty(is bad)........^^^^^^^^
    Irrelevant to this problem but needs to be fixed
    if this is a DOMAIN machine.
    Ok, I can only GUESS the above is the internal CLIENT.

    Why? It doesn't have address 192.168.0.1 and it is
    a DHCP client.

    But I really need to see the ICS-server too.

    But more importantly (first) did you try my ping tests?
    Tracert? etc.
    What actually happens when you do these tests
    from the internal XP client?

    Try it and if it doesn't work try some of these:

    ping www.yahoo.com

    If that doesn't work try:

    ping 68.142.226.34
    (this is yahoo)

    If this works and the previous doesn't then
    you have ICS working in general but DNS
    name resolution failing for the Internet and this
    means you probably don't have the Win2003
    server set to use ONLY the outside DNS***

    If that doesn't work try:

    tracert www.yahoo.com
    (and report results)

    or if that fails completely:

    tracert 68.142.226.34
    (and report results)
     
    Herb Martin, Jan 9, 2005
    #4
  5. Herb Martin

    Bren Guest

    Hi Herb

    As you seem to know what you're talking about with Windows Server RRAS I
    thought I might ask you a quick question.

    I currently have a small network that I run using Windows Server 2003, 5x
    Windows XP Pro Clients and 1x Netgear ADSL Gateway Router. I have found major
    difficulties administering the network from home, the network is not one that
    I manage on-site full-time. I want the server to be VPN accessible from
    across the internet and so far the only way I can see to do that would be to
    make the server run as the Router/NAT/Firewall/Web Server. How big a security
    risk does this pose? I have very efficient security programs in use which I
    monitor and update constantly.
    I have used TSC to dial into the server but this access is too limited, I
    need full network client access.

    Hoping you can help.

    Cheers
     
    Bren, Jan 9, 2005
    #5
  6. Herb Martin

    Herb Martin Guest

    Yes, the main issue is that the only ADDRESS you can
    "see" (i.e., route to) across the Internet is that of the outmost
    box, or the Firewall (NetGear in this case.)
    Putting the Windows server outside is a bad practice
    unless THAT machine is dedicated to the Router role
    AND/or you know precisely what you are doing.

    It also means that you maintain ALL of the current
    security hotfixes on it (daily or sooner) and trust that
    Microsoft will fix problems before the crackers can
    find them AND attack you in particular.

    The same is true for the NetGear but there is far less
    to attack, the code is simpler so less likely to be
    buggy, and NetGear isn't in the sights of crackers
    who love to hate Microsoft systems.

    Having said that, I maintain such dedicated RRAS
    routers -- they are NOT however Domain controllers,
    nor do they operate as external file servers etc.

    Also note you are MUCH better off (in general) if
    you use the NetGear with VPN solution but you must
    use STRONG encryption AND VERY strong passwords.

    Anything less than COMPLEX with 15 characters does
    not meet my current standards. (I have seen 14 character
    passwords broken in under 20 seconds one after the other.)
    I don't know what that is or means without more
    context.
    Is that Terminal Services or something else?

    Terminal Services gives you pretty much full access
    and is about as simple and roughly as secure as the
    VPN idea.
     
    Herb Martin, Jan 10, 2005
    #6
  7. Herb Martin

    Tom Guest

    Herb

    I tried all the tests and none of them succeeded. The previous settings were
    from my internal client and these are from my ICS server:



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : TOM
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
    Physical Address. . . . . . . . . : 00-11-11-95-18-A2
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.0.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    PPP adapter bef:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 203.122.212.191
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 203.122.212.191
    DNS Servers . . . . . . . . . . . : 192.231.203.132
                                        192.231.203.3
    NetBIOS over Tcpip. . . . . . . . : Disabled


    thanks

    Tom
     
    Tom, Jan 11, 2005
    #7
  8. Herb Martin

    Herb Martin Guest

    It works much better if you show me the output.

    All failed, doesn't really give me anything to
    work with except to suggest you check your
    wiring and cabling.

    Ok, unless this above is a BUG in ICS (I vaguely
    remember there was some such in Win2000 but
    I don't think this is) then the above is the problem
    (or the symptom of the real problem).

    Check the Ping and the Tracert commands FROM
    the ICS-Server also.

    They will probably fail as well. Your PPP connection
    is set to ITSELF as the default gateway with a mask
    of 255.255.255.255 so unless this is a bug in the
    display it makes no sense.

    If you were checking it when the PPP connection was
    DOWN, then you have to get it running (connected)
    before any of this is going to have a chance to work.

    You can also set it to autoconnect but let's get it
    running until we see it work.
     
    Herb Martin, Jan 11, 2005
    #8
  9. Herb Martin

    Tom Guest

    Herb

    tracert www.yahoo.com gives(translated):

    'could not find the name of the target system www.yahoo.com'

    and

    tracert 68.142.226.34 :


    Busy tracing the route from 68.142.226.34 through a maximum of 30 hops

    1 * * * Time-out bij opdracht.
    2 * * * Time-out bij opdracht.
    3 * * * Time-out bij opdracht.
    4 * * * Time-out bij opdracht.
    5 * * * Time-out bij opdracht.
    6 * * * Time-out bij opdracht.
    7 * * * Time-out bij opdracht.
    8 * * * Time-out bij opdracht.
    9 * * * Time-out bij opdracht.
    10 * * * Time-out bij opdracht.
    11 * 249 ms 251 ms so-0-0-0.bbr2.Washington1.Level3.net [64.159.1.158]
    12 247 ms 247 ms 246 ms ge-3-0-0-53.gar1.Washington1.Level3.net [4.68.121.66]
    13 247 ms 247 ms 247 ms 63.210.29.230
    14 250 ms 251 ms 251 ms v4.bas2.re2.yahoo.com [206.190.33.18]
    15 250 ms 247 ms 249 ms p3.www.re2.yahoo.com [68.142.226.34]

    The trace is completed.

    Looks like he can still reach the Yahoo server ! what can you make of this?

    thanks

    Tom
     
    Tom, Jan 12, 2005
    #9
  10. Herb Martin

    Herb Martin Guest

    this?


    IP is routable to the internet from whatever
    box this is and DNS resolution
    is not correctly configured.

    You really have to give me clear indications
    of WHICH machine you use so that I can compare
    results to the correct IPConfig /all output.

    Do you have any of the "XP or Win2003" firewall
    (or other 3rd party firewalls) enabled? On which
    NICs?

    DNS name resolution is broken to the Internet.

    Are you trying to run DNS server AND ICS on
    the same box (doesn't work.)
    You don't need to tracert (usually) when PING
    works, and since tracert works here PING would
    likely have worked also.
    Those timeouts may be (probably are) routers that
    don't support ICMP/tracert responses.
     
    Herb Martin, Jan 12, 2005
    #10
  11. Herb Martin

    Tom Guest

    The previous tracert was from my windows xp client..
    everything works on the ICS server. How do i disable my DNS? i have no
    windows firewalls installed.

    Ch Tom

     
    Tom, Jan 13, 2005
    #11
  12. Herb Martin

    Herb Martin Guest

    Stop the DNS services in the Services control panel
    (and set it to MANUAL for startup so that it will not
    restart next time you boot.)

    BUT, recognize you may be better off with the DNS
    server AND using NAT instead of ICS.

    Is there an AD domain involved? If so you NEED that
    DNS (probably.)

    Have you tried nslookup from the client to both the
    ICS (as DNS server), and to the ISP as DNS server?

    nslookup www.yahoo.com 192.168.0.1
    nslookup www.yahoo.com 192.231.203.132
    nslookup www.yahoo.com 192.231.203.3

    The goal is to prove or disprove which of the DNS
    server can/cannot resolve names.
    (ignore any initial NSLookup errors about the SERVER
    IF you can get the ANSWERS to the above questions.)


    --
    Herb Martin

     
    Herb Martin, Jan 13, 2005
    #12
  13. Herb Martin

    Tom Guest

    ok forget about the ics, which steps do i have to take to install the NAT on
    my windows 2003 server in order to get internet on my windows xp client?

    ch Tom
     
    Tom, Jan 14, 2005
    #13
  14. Herb Martin

    Todd J Heron Guest

    Todd J Heron, Jan 14, 2005
    #14
  15. Herb Martin

    Herb Martin Guest

    Let's be clear -- NAT is a bit more trouble to
    setup the first time or two, but it is vastly more
    flexible and in the long run easier to use over
    time IF you are willing to go through the trouble
    to learn a little bit.

    Follow Todd's link for the article.

    In general, type this in BUILT-IN help:

    [ NAT checklist ]

    Here are some keys: NAT is built in to all Win2000+
    servers.

    (turn off ICS on that external interface.)

    Open the RRAS console, configure the machine as a Router.

    Add your external and internal interfaces to the NAT
    component.

    External/Public takes a LITTLE setup, Internal/Private
    NIC is trivial.

    Oh, and NAT doesn't supply either DNS or DHCP
    automatically so these are now your responsibility:

    [ DNS checklist ]

    [ DHCP checklist ]
     
    Herb Martin, Jan 14, 2005
    #15