Re: (PM) NT + PM + non-routable IP block

Steve Bourne (sbourne@livingston.com)
Wed, 10 Jun 1998 01:19:54 -0700

>a. am not sure whether this problem would be better off asked
> to the NT experts or the PM experts, possibly both.
>
>b. have a customer using non-routable IPs (Block 192.168.x) for
> their LANs. They wish to have a proxy service for their users,
> which will dial-in to our POP (PM2) and also be responsible for
> carrying mail for their domain.
>
>c. They are currently using MS-Back Office's MS-Proxy
>
>d. We now give them a dynamically assigned IP, which probably they
> should be given a static IP.
>
>Question:
>
>Is there a mechanism to route non-routable IP LANs through
><something> in NT to routable IP networks? I was seriously thinking
>RRAS but tried it out and really funny things happened. Connections
>would be set up, the gateway would get two IPs (one from our side, one
>from theirs, as well as the LAN card) and then when we would ping,
>from the LAN to the WAN, it would go out the dial-up channel AND NEVER
>RETURN.

Absolutely. RRAS is ROUTING the packets, bypassing the proxy server. The
packets are going out with the source IP address (192.168.x.x) intact; such
packets cannot be routed back to your network.

>What would you recommend in this case we do? The customer lan is
>geographically distributed over a large campus using FDDI and uses
>DHCP, but prefers not to have real-IPs as this is a secure facility.
>
>I would have thought IP masquerading would be possible through NT4 with
>SP3!

That's what the proxy server does, when you're not bypassing it by routing
around the proxy.

MS Proxy server does NOT *route* packets; it is a PROXY server (i.e. - it
re-issues the TCP/UDP/IP packet with its own IP and a unique port address.
Proxy means "to act on behalf of"). Routing MUST BE DISABLED between the
network interfaces or the proxy server is effectively circumvented. In
addition, your use of private, non-routable addresses prevents normal
network access via routing; only a proxy server or NAT/NAPT server will
enable Internet access in this case.

If this large WAN has a single transfer point to the Internet, then the
proxy server should work just fine. It should have two network interfaces
(one for the internal network and one for the "external" (Internet)
network). Routing between the interfaces MUST BE DISABLED, and the passing
of Internet service requests should be handled and controlled by the
proxy server.

In addition, to support inbound connections the internal mail server must
have the Winsock proxy client software loaded. Inbound connections for
delivery of mail will not work without it. A means of storing mail
destined for the target network and a way to "kick" the mail out when the
proxy server is "up" is also required; look into ETRN for this
functionality (A newer SMTP function).

RRAS will enable the dial-up network connectivity, while the proxy server
will provide address/port translation and access control.

WARNING, WILL ROBINSON!! DANGER - DANGER!!
This is a COMPLICATED subject, and a fundamental understanding of TCP, UDP,
and IP is REQUIRED to enable such services while maintaining a secure
network.
MS Proxy server comes with complete docs. You might want to spend some
serious quiet time reading these docs; this will clarify a number of issues.

BTW - Lucington is working on a solution for these cases, so stay tuned!!
Same BAT time, same BAT channel...

Steve Bourne
Technical Instructor
Lucent RABU

Steve Bourne 1-925-730-2742
Technical Instructor sbourne@livingston.com
Lucent Remote Access Business Unit www.livingston.com

"Use the FORK, Luke..."

An often mis-quoted request uttered by Obi Wan late one night
while he and young Skywalker dined at the local Denny's.
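The two behaviours contrasted in the reply above, plain routing versus proxy/NAPT translation, as an added illustration that is not code from the post or from Livingston/Lucent. It is a toy translation table in Python: forwarding a packet unchanged leaves the 192.168.x.x source in place so the remote host has no route for its reply, whereas the proxy re-issues the packet with its own address and a unique port, maps the reply back, drops unsolicited inbound packets, and needs an explicit inbound mapping (the job the post gives to the Winsock proxy client on the mail server) before outside hosts can deliver SMTP. The external address 203.0.113.10, the remote host 198.51.100.25, the port range starting at 40000 and all host addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses: 192.168.0.0/16 is the customer LAN from the post;
# 203.0.113.10 (proxy's external side) and 198.51.100.25 (a remote mail
# host) are documentation-range placeholders chosen here as assumptions.
PROXY_EXTERNAL_IP = "203.0.113.10"
REMOTE_MAIL_HOST = "198.51.100.25"

RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private (non-routable) addresses per RFC 1918."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def route_without_translation(pkt: Packet) -> Packet:
    """Plain forwarding (what the poster saw with RRAS): the private source
    address is left intact."""
    return pkt


def reply_can_return(pkt_seen_by_remote: Packet) -> bool:
    """A remote host answers the source address it saw; a reply addressed to
    an RFC 1918 address cannot be routed back across the Internet."""
    return not is_rfc1918(pkt_seen_by_remote.src_ip)


class Napt:
    """Minimal NAPT table: each outbound flow gets the proxy's external
    address and a unique external port; replies are mapped back, and
    anything with no matching state or published service is dropped."""

    def __init__(self, external_ip: str = PROXY_EXTERNAL_IP, first_port: int = 40000):
        self.external_ip = external_ip
        self._next_port = first_port
        self._out = {}  # (src_ip, src_port, dst_ip, dst_port, proto) -> ext_port
        self._in = {}   # (ext_port, remote_ip, remote_port, proto) -> (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._next_port          # unique port per flow
            self._next_port += 1
            self._out[key] = ext_port
            self._in[(ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def publish(self, ext_port: int, internal_ip: str, internal_port: int, proto: str = "tcp") -> None:
        """Static inbound mapping so outside hosts can reach an internal service
        (e.g. SMTP to the internal mail server). Hypothetical helper name."""
        self._in[(ext_port, None, None, proto)] = (internal_ip, internal_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the external side, addressed to external_ip:port."""
        if pkt.dst_ip != self.external_ip:
            return None
        mapping = (self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
                   or self._in.get((pkt.dst_port, None, None, pkt.proto)))
        if mapping is None:
            return None                         # no state, no published service: drop
        internal_ip, internal_port = mapping
        return replace(pkt, dst_ip=internal_ip, dst_port=internal_port)


def demo():
    """Walk through the three cases; returns the results for inspection."""
    nat = Napt()
    ws = Packet("192.168.4.20", 1025, REMOTE_MAIL_HOST, 25)   # constructed LAN host

    # 1. Routed, not translated: the remote host sees a 192.168 source.
    routed_returns = reply_can_return(route_without_translation(ws))

    # 2. Through the proxy: source rewritten, reply mapped back to the LAN host.
    out = nat.outbound(ws)
    reply = Packet(REMOTE_MAIL_HOST, 25, out.src_ip, out.src_port)
    back = nat.inbound(reply)

    # 3. Unsolicited inbound SMTP is dropped until the mail server is published.
    unsolicited = Packet(REMOTE_MAIL_HOST, 3456, nat.external_ip, 25)
    dropped = nat.inbound(unsolicited)
    nat.publish(25, "192.168.4.5", 25)                         # constructed mail server
    delivered = nat.inbound(unsolicited)
    return routed_returns, out, back, dropped, delivered


if __name__ == "__main__":
    for label, value in zip(("routed reply returns", "translated", "mapped back",
                             "unsolicited", "after publish"), demo()):
        print(f"{label}: {value}")
```

The point of the toy is the state table, not the packet format: a proxy or NAPT box only works as an access-control point when routing between its interfaces is off, so that every packet has to pass through `outbound()`/`inbound()` and the table rather than being forwarded around it.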
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>