Will I need client access licenses for
all computers using a Windows router?
No. Microsoft does not require
additional CALs for computers making use of Windows 2000 routers because users are
not logging onto the server. In general, any Windows service that makes use
of anonymous authentication, or does not require any authentication, can be used without
purchasing additional CALs. This includes services such as DNS, DHCP, RRAS,
websites, SMTP, ect. ISA licensing for its routing features works
the same for slightly different reasons. Even though ISA server may be asking
for authentication, it is licensed per processor. Out of the box, ISA
server standard edition also allows unlimited connections to a box with one processor
to its routing features.
What is the biggest improvement in Windows
2003 over Windows 2000 Server?
Windows Server 2003 comes with a firewall. This feature adds additional security
to your server and network. Other noted improvements in Server 2003 are a built
in pop service, enhanced DFS, and a more robust web server service.
Can a Windows router
be used as a non-NAT router?
Server has all the functionality required to serve as a major addition to your
organizations routing infrastructure. It does not have to use NAT. It
does support routing protocols such as RIP and OSPF.
Where can I find out
how to configure my Windows 2000 or 2003 as a router?
In the Central
Ohio area, Network Decisions can be tasked to install the router for you. However,
Microsoft Windows Server is easy to configure for routing, NAT, DHCP, firewall, and
DNS services. For step by step instructions on Windows 2003 server NAT from
here. For information on using Windows 2000
as a non-NAT router, download the NSA Microsoft
Windows 2000 Router Configuration Guide. (This
PDF make take up to 30 seconds to render). A presentation overview on
enterprise VPN/Wireless configuration is available from Microsoft here: Deploying
a Secure Mobile Network Access Infrastructure (This
has concepts that apply to major rollouts. Small office and home users should
not be put off by the terminology or details. Smaller scale secure VPNs and
Wireless networks can be rolled out in far simpler fashion). Information
on ISA server can be found here. Detailed configuration
and troubleshooting information is always available through searches at www.Microsoft.com.
How does the DHCP
service know which DHCP scope should be used for each NIC?
DHCP service looks at the static IP assigned to each NIC. It assigns IP address
out on NICs that are within the the same IP range as the DHCP scope. Consider
this example: You are using the standard Microsoft DHCP service and have
disabled the one included in the NAT configuration. You have 4 internal NICs.
You have created four DHCP scopes/subnets. Scope one assigns addresses
withing the subnet 10.1.1.1 to 10.1.1.254 with a subnet mask of 255.255.255.0.
Scope two uses the range 10.1.2.1 to 10.1.2.254 with a subnet mask of 255.255.255.0.
Scopes 3 and four continue in the same pattern. To get a particular NIC to assign
address out from only scope one, simply assign it a static IP within that scope such
as 10.1.1.1. Then create an exclusion within the scope so that the IP address
you assigned to the NIC is not leased out to any other computer via DHCP.
Should I use the standard
DNS and DHCP services or the scaled down versions included in the NAT service?
In general, if
you are using multiple NICS and subnets, or planning to in the future, you will want
to disable the NAT versions of DNS and DHCP and use the standard versions included
in the server software. If you plan on possibly upgrading to ISA server
in the future, you will also want to use the standard DHCP and DNS services. When
you upgrade to ISA, you will have to turn off NAT to use ISA's secure NAT.
If you are using one subnet, the NAT versions will be your best choice.
My DHCP service keeps
turning off on my stand alone Windows router. Why?
is happening because the DHCP service on your stand alone, non-domain, workgroup
oriented Windows router is detecting another DHCP server on the same subnet.
Disable the other DHCP servers on the subnet, or stop using the one on your
My Active Directory
Domain will not let me get DHCP leases from the Windows router. Why?
is happening because the DHCP service on your Windows router is not authorized in
active directory. Authorize the server so active directory can tell the network
your Windows router is allowed to assign DHCP leases to clients. Authorization
has to be done whether the device giving the leases has joined the
domain or not.
Can I use my ISPs
DHCP on my external NIC and still use NAT?
If you are using active directory, and have joined your Windows router to the domain,
remember to authorize your ISPs DHCP server in active directory.
Can ISA Server be
installed on Windows 2003 Server?
Windows Server 2003 uses the same version of ISA server as Microsoft Windows
server 2000 uses. There is not currently a 2003 version of ISA server.
You can upgrade your Windows 2000 based ISA Server to 2003 or do a fresh
install. Using 2003 server with ISA server does require a patch provided by
making the decision to run ISA on a 2003 server read the instructions on this link
including all potential issues and bug fixes.
How are RIP and OSPF
activated on an ISA Server?
and OSFP are added to an interface through the standard RRAS console on an ISA server.
Enable RRAS as a manually configured server. Under IP Routing, right click on
the general tab and choose "add protocol". Add the RIP or OSFP protocol. Once
added, the protocol will appear as an option in the RRAS console under IP Routing. Right
click on the protocol and choose "new interface". Choose the inferface you want
to enable the routing protocol on.
do I perform port forwarding on Windows 2000 and 2003 Servers to publish my internal
servers to the internet? Microsoft
has step-by-step instructions on how to publish your internal servers to the
internet using RRAS here.
How do I publish internal
servers using Microsoft ISA Server?
step-by-step instructions on how to publish your internal servers to the internet
using Microsoft ISA Server here.
Do not put the firewall client on internal servers. Servers should be
ISA Secure NAT clients.
How do I add a route
to a Windows router or ISA server?
In the RRAS console,
expand the "IP routing" element. You will see a selection labeled "static routes".
Right click on "static routes" and choose "new static route". A window
will open asking for input. You will be required to choose the interface on
which you are adding the route, the destination network, the destination network's
mask, the metric, and the gateway. The gateway is the next hop on the way
to the destination network, or if the destination network is a local subnet, the interface
it is on. The metric is a value used to assign preference for cases
where there are multiple routes available. Routes can also be added
through the command line. Detailed instructions are available from Microsoft here.
When I configure my
Windows RRAS router as a VPN server, I lose all network connectivity. How can
I use it as a router and a VPN server?
configuring your Windows RRAS router, do not choose the VPN server option, unless
you only want it to be a VPN server and nothing else. The VPN option creates
packet filters which screen out all other protocols other than the VPN protocols.
To use the server as a VPN server and router, you could choose the manually configured
server option. This will automatically set the server up as a functioning VPN
server and allow you to add whatever other services or feature you require.
How do I game through
To begin gaming fast,
without adding protocol and content rules for each game, do the following: If
ISA is in firewall or integrated mode, install the firewall client on your client
PC. Set up an allow all "protocol rule" on the server. Set up an allow
all "site and content rule" on the server. Creating these "allow all" policies will
maintain your firewall protection and remove the default protocol and site restrictions
for outgoing traffic. It is possible to have these "allow all" rules
in effect, and then to add individual protocol and content restrictions on top of
them to lock down the system as required. If you are filtering by Windows
groups or usernames on the ISA server, you will have difficulty downloading server
lists for some online games.
Where can I purchase
the hardware and software needed for a Microsoft RRAS or ISA routing solution?
The hardware and
software packages needed for a Microsoft routing solution are available from the Network
Decisions Router Page.
My video card is not
working properly with Server 2003. How do I set it up to allow gaming and
DirectX on the server?