Defining a Client Connectivity Strategy
Small Office/Home Office (SOHO) networks are used primarily in home offices that may belong to a larger corporation but remain physically separate from it. A SOHO can use two technologies to connect its clients to the Internet, the corporate network, or both: Internet Connection Sharing (ICS) and network address translation (NAT).
SOHO networks are usually peer-to-peer networks: a single subnet that connects clients together conveniently without the need for routers, DHCP servers, or WINS servers. This is ideal for a home office where a user needs more than one computer and must share resources such as files, applications, or printers between them.
The following sections explain the benefits, requirements, and deployment of both technologies.
A SOHO needs to have the ability to administer and organize its own internal network structure as well as to connect to and maintain a secure Internet connection.
Windows 2000 offers the SOHO the ability to auto-assign private IP addresses to internal computers through a function called Automatic Private IP Addressing (APIPA). You can also assign addresses to the SOHO while connecting to the Internet, through a service called network address translation (NAT). NAT translates private IP addresses into public IP addresses for traffic to and from the Internet. This keeps the internal network secure from the Internet, while saving the SOHO user the time and expense of obtaining and maintaining a public address range. Table 22.1 lists what might be required to implement a SOHO network.
Table 22.1 Small Office/Home Office Design
Network Component | Method |
---|---|
Windows 2000 Server | Ensure the server hardware meets the specifications listed in the Windows 2000 HCL. |
LAN Medium | Use 10 or 100BaseT unshielded twisted pair cable, 10 or 100BaseT hubs, or 10 or 100BaseT network adapters. See the HCL for network adapter compatibility requirements. |
Internet Connectivity | Use ICS, NAT, or a routed connection to the Internet. Use POTS, ISDN, fractional T1 line, cable modem, or DSL. |
Internal Client Connectivity | Use Automatic Private IP Addressing (APIPA), ISP assigned, or static IP addresses. |
Network Protocols | TCP/IP |
Internet Connection Sharing (ICS) is a simple package consisting of DHCP, network address translation (NAT), and DNS. You can use ICS to connect your SOHO to the Internet: a single-step configuration provides a translated connection through which all of the computers on the network can access e-mail, Web sites, FTP sites, and so on. ICS provides network address translation (see the following section), automatic IP addressing, and name resolution services for all of the computers on the SOHO network. ICS provides the following:
You can configure ICS on new or preexisting remote access or LAN connections using a single check box that enables connection sharing. To use ICS, you must have a computer with a network connection to a local ISP and a network interface card or adapter for connection to the peer-to-peer network. ICS is enabled on the connection to the local ISP, and gets its IP address from the ISP. When ICS is enabled on the connection, the network adapter is automatically configured with a static IP address of 192.168.0.1, which is part of the IP address range of 192.168.0.0 to 192.168.254.254. The computers that are behind the ICS system also receive IP addresses from this range.
Note
Be aware that after ICS is enabled, no further configuration of services, such as DNS or IP addressing, is allowed on the network. These services are all implemented by the ICS system.
Network address translation (NAT) provides features similar to ICS but with more flexibility, and it requires more steps to set up. One of the major differences between NAT and ICS is that NAT requires, at a minimum, Windows 2000 Server, whereas ICS can be configured on Windows 2000 Professional or Windows 98 Second Edition. You load and configure NAT from the Windows 2000 Routing and Remote Access Manager.
NAT provides the following:
Manual configuration: This gives the user a more versatile method of configuring translated remote access connections.
Multiple public IP addresses: NAT can use more than one range of public addresses.
Configurable address range: NAT allows manual configuration of IP addresses and subnet masks, whereas ICS uses a fixed IP address range. Any range of IP addresses can be configured using the NAT properties in Routing and Remote Access Manager. A DHCP allocator distributes IP addresses in the same way that a DHCP server does. NAT can also use IP addresses distributed by a DHCP server; select the Automatically assign IP addresses by using DHCP check box in the NAT properties sheet.
DNS and WINS proxy: Name resolution can be provided by using either DNS or WINS. You configure this by selecting the appropriate check boxes on the Name Resolution tab of the NAT properties sheet.
Multiple network interfaces: You can distribute NAT functionality across more than one network interface by adding the interface to NAT in the Routing and Remote Access Manager.
Networks using NAT can also initiate VPN connections using the Point-to-Point Tunneling Protocol (PPTP). This enables small businesses, or even SOHO networks in which NAT is installed, to initiate secure remote access connections to a corporate network.
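To make the translation described above concrete, here is an added model (not code from the Resource Kit) of what the ICS/NAT computer does for the SOHO clients: it rewrites outbound packets from RFC 1918 private addresses (such as the 192.168.0.x addresses ICS hands out) to an assumed ISP-assigned public address, maps replies back to the client that opened the mapping, and drops anything from the Internet that has no mapping. The public address, the port range and the packet tuple are assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed ISP-assigned public address (documentation range, constructed for the example).
PUBLIC_IP = "203.0.113.10"
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")  # address a client self-assigns when no allocator answers


def classify(addr):
    """Tell a self-assigned APIPA address from a private (translatable) or public one."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


class SohoNat:
    """Port-based translation table as kept by the ICS/NAT computer."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (client ip, client port, dst ip, dst port) -> public port
        self.inbound = {}   # public port -> (client ip, client port, dst ip, dst port)

    def translate_out(self, pkt):
        """Rewrite a client packet so it leaves with the public address; non-private sources are refused."""
        if classify(pkt.src_ip) != "private":
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:                      # first packet of this flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Map a reply back to its client. Packets with no mapping, or from a host the client
        never contacted, are dropped; that is what hides the internal network from the Internet."""
        entry = self.inbound.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        client_ip, client_port, dst_ip, dst_port = entry
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port)
```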
Note
Do not use NAT on a network with other Windows 2000 Server domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP because of possible conflict with other services.
Do not connect NAT directly to a corporate network because Kerberos authentication, IPSec, and Internet Key Exchange (IKE) will not work.
Windows 2000 Server, Windows 2000 Professional, and Windows 98 can self-assign an IP address from the 169.254.0.0/16 address range when no DHCP servers are detected on the network. Windows 3.11, Windows NT 3.51, and Windows NT 4.0 can also get an IP address from this range, but must obtain it from an APIPA server. APIPA can be set up to distribute IP addresses from this range by running the Routing and Remote Access Manager, adding and configuring NAT, adding the interface that distributes the IP addresses, and then reconfiguring the IP address range in the NAT properties with the address range listed above. For more information about APIPA, see "Determining Network Connectivity Strategies" in this book.
Note
The only clients that are able to participate in APIPA are Windows 98 and Windows 2000 Professional clients. All other systems require a server that runs the Windows 2000 Routing and Remote Access service, which distributes the APIPA addresses to them.
The following sections give two examples of how you can implement a SOHO.
The first is a home example with five computers on the SOHO. The SOHO uses ICS to connect to the Internet, and uses the Internet to connect to the corporate network through a PPTP tunnel. The IP address range used by the clients is distributed by the ICS computer. If one of the clients needs a connection to the corporate network, a VPN profile is configured on that client and a PPTP tunnel is then established through the Internet to the corporate network. Figure 22.4 shows this network.
Figure 22.4 Home Network
The second example is a "strip-mall" SOHO, where the clients access the corporate network through a server running Routing and Remote Access. The clients on the network access the Internet through the corporate network. Figure 22.5 depicts this network.
Figure 22.5 "Strip-mall" Network