#1
A customer has proposed the network configuration

http://fp.martinunderwood.f9.co.uk/n...20original.gif

Rob Morley has confirmed that it should work, but I want to check exactly how I should configure the equipment.

Let's assume that the "wireless ethernet hub" is a bog-standard ADSL wireless router - Dlink DSL-G604T, for example.

Normally this would come with NAT and DHCP server turned on. I presume in this configuration I'd need to turn those off.

The ADSL router will be given an IP address by the ISP - let's say it's 81.1.2.3. What IP address should I give the proxy server - another address in the same subnet? Or do I give the server the IP address that would normally be allocated automatically to the ADSL side of router if this was a conventional NAT router network?

I presume I still give the PCs IP addresses in the 192.168.x.x subnet, either statically or from DHCP on the server. Do I give the server's NIC an additional IP address in this subnet and get DHCP to hand out the gateway address set to this server's address?

Presumably I turn on Routing in Win 2K Server on the server and tell it to route between 192.168.x.x and 81.1.2.x subnets?

Because NAT is turned off on the router, PCs cannot talk directly via the router to the internet (as would be the case in a normal NAT router network), but they talk to the server and this routes the traffic to the 81.1.2.3 address and hence to the internet.

All traffic on any of the Ethernet ports or the wireless access point needs to go to the port that the server is connected to - which is not normally the case for a switch. Does this require the router to be configured specially - and how?

What additionally needs to be done to make the server act as a proxy server as well as a router? I imagine I configure IE on each client to use the server (by its address in 192.168.x.x) as the proxy. What about the server - is there a proxy component in W2K Server?

Am I making things unnecessarily complicated for myself by getting the ADSL router to perform two independent tasks - a) ADSL modem; b) wireless hub? Would I be better separating them as in

http://fp.martinunderwood.f9.co.uk/n...th%20proxy.gif

That way the ADSL-to-server connection is by a dedicated ADSL modem (which presumably passes all traffic unhindered) and then I have two completely separate NICs in the server, one with the public address and the other with the private address. And then I connect the client PCs to the normal ports and the server to the uplink port of the switch, such that the PCs don't see each other's traffic but the server sees all traffic.

Is there anyone who's done this who's prepared to "hold my hand" as I work out how to set it all up? If so, my email address is (E-Mail Removed) (replace "f666" with "f9" - "666" because spammers are the spawn of the devil!)

Martin Underwood
#2
In article <1107973330.25d41d94c73c60a920c46b6515866488@teran ews>,
"Martin Underwood" (E-Mail Removed) says...
> A customer has proposed the network configuration
>
> http://fp.martinunderwood.f9.co.uk/n...20original.gif
>
> Rob Morley has confirmed that it should work, but I want to check exactly
> how I should configure the equipment.
>
> Let's assume that the "wireless ethernet hub" is a bog-standard ADSL
> wireless router - Dlink DSL-G604T, for example.
>
> Normally this would come with NAT and DHCP server turned on. I presume in
> this configuration I'd need to turn those off.

Why?

> The ADSL router will be given an IP address by the ISP - let's say it's
> 81.1.2.3. What IP address should I give the proxy server - another address
> in the same subnet? Or do I give the server the IP address that would
> normally be allocated automatically to the ADSL side of router if this was a
> conventional NAT router network?

The router gets its WAN IP address dynamically allocated by the ISP, and the LAN address will be a default setting in firmware like 192.168.1.1. The proxy and other LAN machines obviously need to be in the same subnet as the LAN address of the router.

> I presume I still give the PCs IP addresses in the 192.168.x.x subnet,
> either statically or from DHCP on the server. Do I give the server's NIC an
> additional IP address in this subnet and get DHCP to hand out the gateway
> address set to this server's address?

You could, but why? I thought you were talking about running everything through a proxy, in which case there is no need for a gateway.

> Presumably I turn on Routing in Win 2K Server on the server and tell it to
> route between 192.168.x.x and 81.1.2.x subnets?

Why?

> Because NAT is turned off on the router, PCs cannot talk directly via the
> router to the internet (as would be the case in a normal NAT router
> network), but they talk to the server and this routes the traffic to the
> 81.1.2.3 address and hence to the internet.

Leave NAT turned on, just disable access from all machines but the proxy server.

> All traffic on any of the Ethernet ports or the wireless access point needs
> to go to the port that the server is connected to - which is not normally
> the case for a switch. Does this require the router to be configured
> specially - and how?

Eh? The proxy server is on the LAN, the client machines are configured to use the proxy, the switch will treat it just like any other LAN traffic.

> What additionally needs to be done to make the server act as a proxy server
> as well as a router? I imagine I configure IE on each client to use the
> server (by its address in 192.168.x.x) as the proxy. What about the server -
> is there a proxy component in W2K Server?

I expect you're supposed to use something like MS Internet Security and Acceleration Server 2000. Squid is a popular open source proxy that has been ported to Win2k.

> Am I making things unnecessarily complicated for myself by getting the ADSL
> router to perform two independent tasks - a) ADSL modem; b) wireless hub?
> Would I be better separating them as in
>
> http://fp.martinunderwood.f9.co.uk/n...th%20proxy.gif
>
> That way the ADSL-to-server connection is by a dedicated ADSL modem (which
> presumably passes all traffic unhindered) and then I have two completely
> separate NICs in the server, one with the public address and the other with
> the private address. And then I connect the client PCs to the normal ports
> and the server to the uplink port of the switch, such that the PCs don't see
> each other's traffic but the server sees all traffic.

That would be a better way of doing it.

> Is there anyone who's done this who's prepared to "hold my hand" as I work
> out how to set it all up? If so, my email address is
> (E-Mail Removed) (replace "f666" with "f9" - "666" because
> spammers are the spawn of the devil!)

I've never played with ADSL, VPN, Win2k Server or ISA Server. I'd be more inclined to use one of the Linux based distros that are designed to do this job. Take a look at IPCop http://www.ipcop.org/
#3
"Rob Morley" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) t...
> In article <1107973330.25d41d94c73c60a920c46b6515866488@teran ews>,
> "Martin Underwood" (E-Mail Removed) says...
>> A customer has proposed the network configuration
>>
>> http://fp.martinunderwood.f9.co.uk/n...20original.gif
>>
>> Rob Morley has confirmed that it should work, but I want to check exactly
>> how I should configure the equipment.
>>
>> Let's assume that the "wireless ethernet hub" is a bog-standard ADSL
>> wireless router - Dlink DSL-G604T, for example.
>>
>> Normally this would come with NAT and DHCP server turned on. I presume in
>> this configuration I'd need to turn those off.
>
> Why?
>>
>> The ADSL router will be given an IP address by the ISP - let's say it's
>> 81.1.2.3. What IP address should I give the proxy server - another address
>> in the same subnet? Or do I give the server the IP address that would
>> normally be allocated automatically to the ADSL side of router if this was a
>> conventional NAT router network?
>
> The router gets its WAN IP address dynamically allocated by the ISP,
> and the LAN address will be a default setting in firmware like
> 192.168.1.1. The proxy and other LAN machines obviously need to be in
> the same subnet as the LAN address of the router.
>>
>> I presume I still give the PCs IP addresses in the 192.168.x.x subnet,
>> either statically or from DHCP on the server. Do I give the server's NIC an
>> additional IP address in this subnet and get DHCP to hand out the gateway
>> address set to this server's address?
>
> You could, but why? I thought you were talking about running
> everything through a proxy, in which case there is no need for a
> gateway.
>>
>> Presumably I turn on Routing in Win 2K Server on the server and tell it to
>> route between 192.168.x.x and 81.1.2.x subnets?
>
> Why?

I think I was thinking of turning NAT off as a way of preventing all the PCs from accessing the WAN directly without going via the proxy - and hence using the server to do the routing rather than using the router for this job.

So you're saying let the router route between WAN and LAN, but make sure that only the server's IP is routed and block any other IPs in the same subnet (ie the client PCs' addresses)? Yes, I can see that this would be a better solution. Do routers usually have the ability to control which addresses are allowed through and which are blocked? I've never seen this option - but then I've never really looked, either ;-)

>> Because NAT is turned off on the router, PCs cannot talk directly via the
>> router to the internet (as would be the case in a normal NAT router
>> network), but they talk to the server and this routes the traffic to the
>> 81.1.2.3 address and hence to the internet.
>
> Leave NAT turned on, just disable access from all machines but the
> proxy server.
>>
>> All traffic on any of the Ethernet ports or the wireless access point needs
>> to go to the port that the server is connected to - which is not normally
>> the case for a switch. Does this require the router to be configured
>> specially - and how?
>
> Eh? The proxy server is on the LAN, the client machines are
> configured to use the proxy, the switch will treat it just like any
> other LAN traffic.
>>
>> What additionally needs to be done to make the server act as a proxy server
>> as well as a router? I imagine I configure IE on each client to use the
>> server (by its address in 192.168.x.x) as the proxy. What about the server -
>> is there a proxy component in W2K Server?

Er, yes. Temporary brainfade there!

> I expect you're supposed to use something like MS Internet Security
> and Acceleration Server 2000. Squid is a popular open source proxy
> that has been ported to Win2k.
>>
>> Am I making things unnecessarily complicated for myself by getting the ADSL
>> router to perform two independent tasks - a) ADSL modem; b) wireless hub?
>> Would I be better separating them as in
>>
>> http://fp.martinunderwood.f9.co.uk/n...th%20proxy.gif
>>
>> That way the ADSL-to-server connection is by a dedicated ADSL modem (which
>> presumably passes all traffic unhindered) and then I have two completely
>> separate NICs in the server, one with the public address and the other with
>> the private address. And then I connect the client PCs to the normal ports
>> and the server to the uplink port of the switch, such that the PCs don't see
>> each other's traffic but the server sees all traffic.
>>
> That would be a better way of doing it.
>>
>> Is there anyone who's done this who's prepared to "hold my hand" as I work
>> out how to set it all up? If so, my email address is
>> (E-Mail Removed) (replace "f666" with "f9" - "666" because
>> spammers are the spawn of the devil!)
>>
> I've never played with ADSL, VPN, Win2k Server or ISA Server. I'd be
> more inclined to use one of the Linux based distros that are designed
> to do this job. Take a look at IPCop http://www.ipcop.org/

The customer is specifically thinking of using W2K server: that was in his design spec that he asked me to review.
#4
In article <420e738e$0$92231$(E-Mail Removed)>,
"Martin Underwood" (E-Mail Removed) says...
<snip>
>
> So you're saying let the router route between WAN and LAN, but make sure
> that only the server's IP is routed and block any other IPs in the same
> subnet (ie the client PCs' addresses)? Yes, I can see that this would be a
> better solution. Do routers usually have the ability to control which
> addresses are allowed through and which are blocked? I've never seen this
> option - but then I've never really looked, either ;-)

My cheapo D-Link router can allow or block outgoing access by IP or MAC address, so I expect pretty much anything will have similar options.

<snip>
>
> The customer is specifically thinking of using W2K server: that was in his
> design spec that he asked me to review.
>

Probably best to ask in a Windows group then.
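
The outbound filter agreed on in this thread (NAT left on, only the proxy server allowed out through the router) can be checked on paper before it is entered on the router. The sketch below is an added example, not part of the thread or of any router's firmware; the addresses, the ordered first-match rule model and the allow-by-default fallthrough are assumptions, and real routers differ.

```python
import ipaddress

# Assumed addressing: the thread only says the router LAN side is "like 192.168.1.1".
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
PROXY = ipaddress.ip_address("192.168.1.2")   # hypothetical proxy server address

def first_match(rules, src):
    """Action of the first rule whose source network contains src."""
    src = ipaddress.ip_address(src)
    for action, net in rules:
        if src in ipaddress.ip_network(net):
            return action
    return "allow"   # assumption: no matching rule means outbound is permitted

def audit(rules, lan=LAN, proxy=PROXY, router=ROUTER):
    """Report whether the proxy gets out and which other LAN hosts also do."""
    bypass = [str(h) for h in lan.hosts()
              if h not in (proxy, router) and first_match(rules, h) == "allow"]
    return {"proxy_allowed": first_match(rules, proxy) == "allow",
            "bypass_hosts": bypass}

# Constructed rule sets, written as (action, source network) in router order.
GOOD = [("allow", "192.168.1.2/32"), ("deny", "192.168.1.0/24")]
# Deny listed first: the proxy is caught by it, so nothing reaches the WAN.
MISORDERED = [("deny", "192.168.1.0/24"), ("allow", "192.168.1.2/32")]
# Only a DHCP pool is denied: statically addressed PCs still go out directly.
PARTIAL = [("allow", "192.168.1.2/32"), ("deny", "192.168.1.128/25")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("MISORDERED", MISORDERED),
                        ("PARTIAL", PARTIAL)):
        result = audit(rules)
        print(name, "proxy_allowed=%s" % result["proxy_allowed"],
              "bypass_count=%d" % len(result["bypass_hosts"]))
```

Client-to-proxy traffic stays on the LAN and never crosses this filter, which is why the switch needs no special configuration.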