Connection sharing on demand

Thread starter: Luiz Borges

Luiz Borges

Hi,
I have a network in my office with about 20 desktops running XP Pro and
some of them running Win98; they all have an internet connection through
ICS on an old PC running Win98.

Now, I need a way to restrict the internet connection without restricting
LAN access, so I'm thinking of making that old PC run Win2000 (as I don't
think Win98 will handle what I need) to run a DHCP server to provide
basic LAN connectivity, AND provide some sort of dial-up-like
connection to the internet. So any user who has a logon to connect to the
internet can sit at any of the terminals and just dial in to get
connected.

I think that can be done with some sort of "reversed" VPN (you connect
to get out, and not in), but that seems kind of lame. Maybe NAT is the
answer, but I have no idea how to implement that.

How can that be done?

Thanks in advance,
Luiz Borges
 
I think you could do it with a second computer.

1) Put the ICS box (private side) on a different subnet than the LAN - ICS
defaults to 192.168.0.1, but you can change it without problems.
2) Put a Windows 2000 box with a NIC on each subnet (one on the LAN subnet
and the other on the ICS box's subnet).
3) Set up the W2K box to accept VPN connections. The default client setup is
to use the default gateway on the remote network I believe - but double
check that.
4) Create accounts on the VPN server for users you want to have Internet
access. I believe W2K allows either 5 or 10 simultaneous VPN connections, but
check me on that, too. If you need more, you'll need a Server OS or a Linux
solution or something (check out Cyberguard's free PPTP VPN Server for
Linux). You could also use the VPN server box to hand out DHCP addresses on
the local LAN if you use a server OS or Linux.

When users start their computers, they'll get a DHCP address. When they need
Internet access they'll start the VPN (desktop shortcut). They'll need to
enter their username/password to connect. They'll use the default gateway on
the remote network (which would be the ICS box) to connect to the Internet.
Be sure to use a static pool for VPN connections and supply a default
gateway.

Should work!

....kurt
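The two-subnet design kurt describes, modelled as an added example (not code from this thread or from Windows RRAS): LAN hosts sit on an assumed 192.168.1.0/24, the ICS box keeps its default 192.168.0.1 on 192.168.0.0/24, and VPN clients get an address from an assumed static pool 192.168.0.128/25 with the ICS box as their default gateway. The check shows the one rule that makes the restriction hold: the VPN box forwards towards the ICS side only for sources backed by a live, authenticated VPN session, so a plain LAN host cannot bypass it just by pointing its own default gateway at the VPN box.

```python
import ipaddress

# Address plan (subnets are assumptions taken from the thread's description)
LAN = ipaddress.ip_network("192.168.1.0/24")         # LAN with DHCP clients
ICS_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # ICS default subnet
VPN_POOL = ipaddress.ip_network("192.168.0.128/25")  # static pool for VPN clients
ICS_GATEWAY = ipaddress.ip_address("192.168.0.1")    # ICS box = route to Internet

# Constructed sample of live, authenticated VPN sessions: pool address -> user
SESSIONS = {ipaddress.ip_address("192.168.0.130"): "alice"}


def add_session(user, address, sessions):
    """Register an authenticated VPN client; addresses outside the pool are refused."""
    addr = ipaddress.ip_address(address)
    if addr not in VPN_POOL:
        raise ValueError(f"{addr} is outside the VPN pool {VPN_POOL}")
    sessions[addr] = user


def decide(src, dst, sessions=SESSIONS):
    """Classify one packet as seen by the VPN/NAT box: returns (action, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst in LAN:
        return ("local", "LAN-to-LAN traffic never crosses the gateway")
    if src in VPN_POOL:
        user = sessions.get(src)
        if user is None:
            # A pool address with no session is spoofed or stale: never forward it
            return ("drop", "pool address with no live VPN session")
        if dst in LAN:
            return ("forward", f"user {user} back onto the LAN")
        # ICS subnet and Internet are only reachable through an authenticated session
        return ("nat", f"user {user} out via {ICS_GATEWAY}")
    # Any other source (a plain LAN host, or traffic arriving from the ICS side)
    # must not be routed onto the ICS subnet or the Internet.
    return ("drop", "no authenticated VPN session for this source")


if __name__ == "__main__":
    for s, d in [("192.168.1.10", "192.168.1.20"), ("192.168.1.10", "8.8.8.8"),
                 ("192.168.1.10", "192.168.0.1"), ("192.168.0.130", "8.8.8.8"),
                 ("192.168.0.131", "8.8.8.8")]:
        print(s, "->", d, decide(s, d))
```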
 
That's exactly what I thought, but I want to use only one server if
possible (the network is kind of small); also I don't think ICS is the
best solution (problems with ports, etc.), that's why I thought of a
NAT...
I think that if I use Windows 2000 Server (to provide LAN connectivity)
with RRAS (to provide internet access) this might work, but I'm not
sure. Nor do I know how to use RRAS with NAT...
Any more suggestions?

Luiz Borges
 
ICS is much easier to set up than NAT, and actually IS NAT with a single
configuration. I don't think you could do it on a single box though, I don't
know how you could accept VPN connections and NAT those to the Internet on
the same box at the same time. W2K server would be the best since you can
add licenses and have as many connections as you need.

....kurt
 
Luiz said:
That's exactly what I thought, but I want to use only one server if
possible (the network is kind of small); also I don't think ICS is the
best solution (problems with ports, etc.), that's why I thought of a
NAT...
I think that if I use Windows 2000 Server (to provide LAN connectivity)
with RRAS (to provide internet access) this might work, but I'm not
sure. Nor do I know how to use RRAS with NAT...
Any more suggestions?

Luiz Borges

I have a Windows 2000 Server (well did have a Windows 2000 Server, I
canned it yesterday night/this morning (12am) in favor of upgrading a
workstation to Windows 2003 Server) and use RRAS.

I have two NICs, one is plugged into the cable modem, and one is plugged
into the switch/hub/whatever you want to call it.

I'm using a Windows XP Professional box with ICS to temporarily hold my
network over until I get the '03 Server up and running. Again, two
NICs, just like in the server, only in a workstation. :)

Basically, it doesn't matter. Yes, ICS has some security holes (or rather
IS one). In fact, if some daring hacker attempted to open FTP or
SMTP (or even HTTPS or UPnP for that matter) right now on the
workstation, they'd get in. I've been getting messenger spam every few
minutes for the past few hours, too.
(http://www.grc.com/stm/shootthemessenger.htm)

Basically, it's up to you. I personally feel that my setup (the RRAS or
ICS option) is better and less expensive. You could even just upgrade
the 98 box to XP Pro (or even Home if I remember correctly) and slap
another network card in it, right click the Internet card in Network
Connections, go to 'Sharing', and check the box. That's it, my
workstations were instantly back on (within minutes of my server's
shut-off).
 