Establish external trust over a NAT device

Thread starter: Leif P

Leif P

Hi,

I have seen several posts on the internet claiming that it is not possible
to create an external trust between two Windows Server 2003 domains over a NAT
device.

I read this article: http://support.microsoft.com/kb/172227, according to
which it should be possible if the NAT device also replaces the NetBIOS owner
IP address.

Is it possible to create an external trust over a NAT device if the NAT
device replaces the owner IP address in the NetBIOS packets?

Leif P
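The question hinges on the owner address that NetBIOS name registrations carry inside the UDP payload, the field the quoted KB article says a NAT must rewrite along with the IP header. As an added example (not code from the original post), this Python builds a constructed NBNS NAME REGISTRATION REQUEST in the RFC 1002 layout and compares the embedded owner IP with the outer IP source, so a mismatch identifies a NAT that translated the header but not the NetBIOS payload. The name DC1, the addresses and the transaction id are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

NB_TYPE = 0x0020             # NBNS resource record type "NB" (RFC 1002)
FLAGS_REGISTRATION = 0x2900  # OPCODE=5 (registration), RD set, unicast

def encode_nb_name(name, suffix=0x20):
    """First-level encode a NetBIOS name: pad to 15 chars, append the
    suffix byte, split every byte into two nibbles and add 'A' to each."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + enc + b"\x00"       # length 32, encoded name, root label

def decode_nb_name(enc):
    """Reverse of encode_nb_name; returns (name, suffix)."""
    pairs = zip(enc[0::2], enc[1::2])
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in pairs)
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_registration(tid, name, owner_ip):
    """Constructed NBNS NAME REGISTRATION REQUEST: header, question and one
    additional NB record whose RDATA holds NB_FLAGS plus the owner's IPv4."""
    header = struct.pack(">HHHHHH", tid, FLAGS_REGISTRATION, 1, 0, 0, 1)
    question = encode_nb_name(name) + struct.pack(">HH", NB_TYPE, 1)
    rdata = struct.pack(">H", 0x0000) + IPv4Address(owner_ip).packed
    rr = b"\xc0\x0c" + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata
    return header + question + rr

def parse_registration(pkt):
    """Return (name, suffix, owner_ip) from a single-record registration."""
    _tid, flags, _qd, _an, _ns, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if (flags >> 11) & 0xF != 5 or ar != 1 or pkt[12] != 32:
        raise ValueError("not a single-record NBNS name registration request")
    name, suffix = decode_nb_name(pkt[13:45])
    off = 12 + 34 + 4                     # header + encoded name + type/class
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off + 2)
    if rtype != NB_TYPE or rdlen != 6:
        raise ValueError("unexpected additional record")
    off += 2 + 10                         # name pointer + fixed RR fields
    return name, suffix, str(IPv4Address(pkt[off + 2:off + 6]))

def nat_rewrote_owner(pkt, outer_src_ip):
    """True when the owner address inside the NetBIOS payload equals the IP
    header source; False means the NAT translated the header only."""
    return parse_registration(pkt)[2] == outer_src_ip

if __name__ == "__main__":
    # Constructed sample: 192.168.1.10 registers DC1<20>; a NAT maps it to
    # 203.0.113.5 but leaves the payload alone, so the check reports False.
    pkt = build_registration(0x1234, "DC1", "192.168.1.10")
    print(parse_registration(pkt), nat_rewrote_owner(pkt, "203.0.113.5"))
```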
 
For a trust to work you'll need a lot more than just NetBIOS traffic. The BEST
way is to use NAT devices (also called routers) that will allow you to set
up an IPSec tunnel between networks, otherwise your trust will be more or
less useless because Windows PPTP VPNs connect hosts to networks, not
networks to networks.

....kurt
 
Kurt said:
For a trust to work you'll need a lot more than just NetBIOS traffic. The
BEST way is to use NAT devices (also called routers) that will allow you
to set up an IPSec tunnel between networks, otherwise your trust will be
more or less useless because Windows PPTP VPNs connect hosts to networks,
not networks to networks.

While I agree with the first part about setting up a tunnel, the
latter part is wrong.

Both Windows PPTP and L2TP can be used to set up fully functioning
router-to-router connections which can be used to tunnel traffic.

IPSec tunnels are moderately HARDER to set up since this is not
covered in the RRAS console and must be set up more or less
manually.

Of course the difficulty of setting up any kind of tunnel will vary on
a purpose-built router, but Windows (especially Server) can do this
quite well.

Doesn't change the recommendation, probably, but the details were just
not correct.
 
Thanks Herb,

Of course you are right. I probably should have said "usually". Of course
the PPTP tunnel itself is capable of carrying any kind of traffic in either
or both directions, but most implementations I've seen pretty much spec a
server which allows multiple individual connections to be made. I have
successfully shared a PPTP client connection, which allows the whole side
access, but I've not found where the Windows client can do this as a part of
its regular decorum (at least not from the usual "wizard"). There are some
brands of routers that support PPTP client and server modes, but even they
generally recommend IPSec for fully bi-directional network-to-network. I
would be really interested in how to set this up using a Windows RRAS server
and a Windows client if you have any links.

Thanks,

....kurt


Herb Martin said:
Kurt said:
For a trust to work you'll need a lot more than just NetBIOS traffic. The
BEST way is to use NAT devices (also called routers) that will allow you
to set up an IPSec tunnel between networks, otherwise your trust will be
more or less useless because Windows PPTP VPNs connect hosts to networks,
not networks to networks.

While I agree with the first part about setting up a tunnel, the
latter part is wrong.

Both Windows PPTP and L2TP can be used to set up fully functioning
router-to-router connections which can be used to tunnel traffic.

IPSec tunnels are moderately HARDER to set up since this is not
covered in the RRAS console and must be set up more or less
manually.

Of course the difficulty of setting up any kind of tunnel will vary on
a purpose-built router, but Windows (especially Server) can do this
quite well.

Doesn't change the recommendation, probably, but the details were just
not correct.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Kurt said:
Thanks Herb,

Of course you are right. I probably should have said "usually". Of course
the PPTP tunnel itself is capable of carrying any kind of traffic in either
or both directions, but most implementations I've seen pretty much spec a
server which allows multiple individual connections to be made. I have
successfully shared a PPTP client connection, which allows the whole side
access, but I've not found where the Windows client can do this as a part
of its regular decorum (at least not from the usual "wizard"). There are
some brands of routers that support PPTP client and server modes, but even
they generally recommend IPSec for fully bi-directional
network-to-network. I would be really interested in how to set this up
using a Windows RRAS server and a Windows client if you have any links.

On workstations it is merely by sharing the PPTP with ICS.

On Server you can (optionally) use the RRAS to do almost
the same but with better control, by creating the PPTP or
L2TP and routing over it with or without NAT on that connection.

You could actually do this by enabling ROUTING manually, but
few people even realize that a workstation can be a router.

The major difference between the 'workstation' version and the
Server RRAS capabilities is the idea of "demand dial routes"
which kick in ONLY when the connection is in place AND
can be used by the routing software to CAUSE the connection
to be enabled.

This last requires giving the "dial" (connecting) router a
username (with password) in its connection configuration that
matches an INTERFACE NAME and account on the ANSWERING
router.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks,

...kurt


Herb Martin said:
Kurt said:
For a trust to work you'll need a lot more than just NetBIOS traffic. The
BEST way is to use NAT devices (also called routers) that will allow you
to set up an IPSec tunnel between networks, otherwise your trust will be
more or less useless because Windows PPTP VPNs connect hosts to
networks, not networks to networks.

While I agree with the first part about setting up a tunnel, the
latter part is wrong.

Both Windows PPTP and L2TP can be used to set up fully functioning
router-to-router connections which can be used to tunnel traffic.

IPSec tunnels are moderately HARDER to set up since this is not
covered in the RRAS console and must be set up more or less
manually.

Of course the difficulty of setting up any kind of tunnel will vary on
a purpose-built router, but Windows (especially Server) can do this
quite well.

Doesn't change the recommendation, probably, but the details were just
not correct.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
...kurt



Hi,

I have seen several posts on the internet claiming that it is not
possible to create an external trust between two Windows Server 2003
domains over a NAT device.

I read this article: http://support.microsoft.com/kb/172227, according
to which it should be possible if the NAT device also replaces the
NetBIOS owner IP address.

Is it possible to create an external trust over a NAT device if the NAT
device replaces the owner IP address in the NetBIOS packets?

Leif P
 
That's what I've been able to do in the past, which actually works very
well. I've never tried NAT (rather than ICS), but I'm sure the results would
be just as good. I suppose you could have a server on both ends and a client
on both ends and share both client connections. I have been known to grumble
when people answer the question, "How do I get ICS to work?" with, "Forget
it - buy a router." I don't want to sound like I'm doing the same thing by
suggesting hardware over Windows built-in functionality for a VPN solution.
But for a trust between sites (and the suggestion therefore of a relatively
continuous flow of traffic), I would still feel comfortable recommending a
pair of VPN-capable routers. If you use identical hardware at both ends and
just accept the defaults, there's really not much to configure except the
private network numbers and the shared secret. There's also the fact that
even a fairly cheap ($200) router will likely have much better throughput,
which may or may not be an issue depending on available WAN bandwidth. I WILL
give the Windows PPTP thing a try as a bi-directional solution though.

Thanks,

....kurt


Herb Martin said:
Kurt said:
Thanks Herb,

Of course you are right. I probably should have said "usually". Of course
the PPTP tunnel itself is capable of carrying any kind of traffic in either
or both directions, but most implementations I've seen pretty much spec a
server which allows multiple individual connections to be made. I have
successfully shared a PPTP client connection, which allows the whole side
access, but I've not found where the Windows client can do this as a part
of its regular decorum (at least not from the usual "wizard"). There are
some brands of routers that support PPTP client and server modes, but
even they generally recommend IPSec for fully bi-directional
network-to-network. I would be really interested in how to set this up
using a Windows RRAS server and a Windows client if you have any links.

On workstations it is merely by sharing the PPTP with ICS.

On Server you can (optionally) use the RRAS to do almost
the same but with better control, by creating the PPTP or
L2TP and routing over it with or without NAT on that connection.

You could actually do this by enabling ROUTING manually, but
few people even realize that a workstation can be a router.

The major difference between the 'workstation' version and the
Server RRAS capabilities is the idea of "demand dial routes"
which kick in ONLY when the connection is in place AND
can be used by the routing software to CAUSE the connection
to be enabled.

This last requires giving the "dial" (connecting) router a
username (with password) in its connection configuration that
matches an INTERFACE NAME and account on the ANSWERING
router.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks,

...kurt


Herb Martin said:
For a trust to work you'll need a lot more than just NetBIOS traffic. The
BEST way is to use NAT devices (also called routers) that will allow
you to set up an IPSec tunnel between networks, otherwise your trust
will be more or less useless because Windows PPTP VPNs connect hosts to
networks, not networks to networks.

While I agree with the first part about setting up a tunnel, the
latter part is wrong.

Both Windows PPTP and L2TP can be used to set up fully functioning
router-to-router connections which can be used to tunnel traffic.

IPSec tunnels are moderately HARDER to set up since this is not
covered in the RRAS console and must be set up more or less
manually.

Of course the difficulty of setting up any kind of tunnel will vary on
a purpose-built router, but Windows (especially Server) can do this
quite well.

Doesn't change the recommendation, probably, but the details were just
not correct.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

...kurt



Hi,

I have seen several posts on the internet claiming that it is not
possible to create an external trust between two Windows Server 2003
domains over a NAT device.

I read this article: http://support.microsoft.com/kb/172227, according
to which it should be possible if the NAT device also replaces the
NetBIOS owner IP address.

Is it possible to create an external trust over a NAT device if the
NAT device replaces the owner IP address in the NetBIOS packets?

Leif P
 