Absolutely. RRAS is ROUTING the packets, bypassing the proxy server. The
packets are going out with the source IP address (192.168.x.x) intact; such
packets cannot be routed back to your network.
>What would you recommend in this case we do? The customer lan is
>geographically distributed over a large campus using FDDI and uses
>DHCP, but prefers not to have real-IPs as this is a secure facility.
>
>I would have thought IP masquerading would be possible through NT4 with
>SP3!
That's what the proxy server does, when you're not bypassing it by routing
around the proxy.
MS Proxy server does NOT *route* packets; it is a PROXY server (i.e. - it
re-issues the TCP/UDP/IP packet with its own IP and a unique port address.
Proxy means "to act on behalf of"). Routing MUST BE DISABLED between the
network interfaces or the proxy server is effectively circumvented. In
addition, your use of private, non-routable addresses prevents normal
network access via routing; only a proxy server or NAT/NAPT server will
enable Internet access in this case.
If this large WAN has a single transfer point to the Internet, then the
proxy server should work just fine. It should have two network interfaces
(one for the internal network and one for the "external" (Internet)
network). Routing between the interfaces MUST BE DISABLED, and the passing
of Internet service requests should be handled and controlled by the
proxy server.
In addition, to support inbound connections the internal mail server must
have the Winsock proxy client software loaded. Inbound connections for
delivery of mail will not work without it. A means of storing mail
destined for the target network and a way to "kick" the mail out when the
proxy server is "up" is also required; look into ETRN for this
functionality (a newer SMTP function).
RRAS will enable the dial-up network connectivity, while the proxy server
will provide address/port translation and access control.
WARNING, WILL ROBINSON!! DANGER - DANGER!!
This is a COMPLICATED subject, and a fundamental understanding of TCP, UDP,
and IP is REQUIRED to enable such services while maintaining a secure
network.
MS Proxy server comes with complete docs. You might want to spend some
serious quiet time reading these docs; this will clarify a number of issues.
BTW - Lucington is working on a solution for these cases, so stay tuned!!
Same BAT time, same BAT channel...
Steve Bourne
Technical Instructor
Lucent RABU
Steve Bourne 1-925-730-2742
Technical Instructor sbourne@livingston.com
Lucent Remote Access Business Unit www.livingston.com
"Use the FORK, Luke..."
An often mis-quoted request uttered by Obi Wan late one night
while he and young Skywalker dined at the local Denny's.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>