Connecting Remote Offices

You can use your Microsoft Windows XP Professional–based computer to configure a remote office network connecting computers and other devices in your home, in your small business, or in the branch office of a larger corporation. You can also establish and maintain a connection between your remote office and private networks, such as your organization’s main office, and the Internet.

For information on how to obtain the Windows XP Professional Resource Kit in its entirety, please see https://www.microsoft.com/mspress/books/6795.asp.

Related Information

  • For more information about TCP/IP, see “Configuring TCP/IP” on the companion CD.

  • For more information about troubleshooting network and dial-up connections with diagnostic tools, see Chapter 27, “Understanding Troubleshooting.”

  • For more information about remote access server, see “Remote Access Server” in the Internetworking Guide of the Microsoft Windows 2000 Server Resource Kit.

  • For more information about connecting remote offices, deploying remote access services, and deploying virtual private networks, see the Deploying Network Services book of the Microsoft Windows Server™ 2003 Deployment Kit.

Overview

For the purposes of this chapter, a remote office is defined as any home office, branch office, or sole office of a small business connected to either a private network or to the Internet. In this chapter, attention is paid to the local connections within a remote office as well as to the connections from that office to either a private network or to the Internet.

Local Connections in a Remote Office

You can link several computers and other devices in a remote office together to form a local area network (LAN) that functions as a workgroup (also known as a peer-to-peer network). The LAN can be based on any of the several technologies that are covered in this chapter, and it allows the sharing of resources, such as printers or disks. In such an environment, a Windows XP Professional–based computer can allow several home devices to connect to school or the workplace, or it can link multiple systems at the same remote location to a central site or main office. Windows XP Professional, with its Internet Connection Sharing (ICS) functionality, allows the sharing of an Internet connection. By using a single telephone line, digital subscriber line (DSL) line, or cable modem, all the devices within the home or small office can connect to the Internet, thereby reducing the cost of access for the entire home or office.

There are now numerous technologies that you can use to connect Windows XP Professional–based computers and other devices within your home and small office, including traditional LAN technologies:

  • Ethernet

  • Token Ring

  • Fiber Distributed Data Interface (FDDI)

Windows XP Professional also supports newer technologies such as:

  • 802.11x for wireless LANs

  • Home Phoneline Network Adapter (HPNA)

  • Infrared Data Association (IrDA) protocols

  • Direct cable connection

  • IP over ATM

  • Asynchronous Transfer Mode (ATM) LAN Emulation (LANE)

  • Microsoft Ethernet permanent virtual connection (PVC)

Remote Connections to a Private Network

You can use a Windows XP Professional–based computer to connect to a private network so that you can work at home, at a field office, or at another remote location. You can dial directly to a private network by using either an analog phone line with a modem or an Integrated Services Digital Network (ISDN) phone line. You can maintain a persistent connection to the private network by using either Frame Relay or a leased line such as T1. A third approach that has been gaining in popularity allows you to access a private network by means of an encrypted virtual private network (VPN) connection over the Internet.

Connecting to the Internet

Typically, you can connect to the Internet using an analog phone line with a modem or an ISDN phone line. Another option that is growing in popularity is a high-speed broadband connection using either cable modem or DSL. Whatever your choice, each system can directly connect to the Internet by using its own public IP address (statically or dynamically assigned) or, as was mentioned earlier, one Windows XP Professional–based computer can function as a gateway, providing shared Internet access to all the systems on your small LAN.

What’s New

Windows XP Professional builds on the Microsoft Windows 2000 local networking, dial-up, and other remote connection functionality and adds the following features:

  • IEEE 802.1D Transparent Bridge

Users can add multiple LAN segments (usually made of different media types) to create a single IP subnet.

  • ICS Discovery and Control

Private network clients can locate the ICS host, know its status, and control its Internet connection.

  • Windows Firewall

An upgraded firewall provides basic security for the computer, or when used in conjunction with ICS, for the remote office network.

Understanding Connection Types

To place the connectivity needs of the remote office in perspective, Table 25-1 includes both commonly used connection types as well as some of those less often used in the remote office environment.

Table 25-1 Connection Types

Connection type: Remote access
Communication method:
  • Dial-up modem
  • ISDN
  • X.25
  • Point-to-Point Protocol over Ethernet (PPPoE)
  • Microsoft Ethernet PVC
Example: Connection to an organization’s network or the Internet by using dial-up access.

Connection type: VPN
Communication method:
  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
Example: Secure connection to a corporate network over an existing connection to the Internet.

Connection type: Local
Communication method:
  • Ethernet
  • Token Ring
  • FDDI
  • LAN Emulation
  • HPNA
  • 802.11x
  • IP over ATM
  • IrDA
Example: Connection within a corporate network. (Ethernet is most suitable for a Small Office/Home Office LAN.)

Connection type: WAN
Communication method:
  • T-Carrier leased lines
  • Cable modem
  • DSL
  • Dial-up
  • Frame Relay
Example: Persistent connections between geographically dispersed areas.

Connection type: Direct cable
Communication method:
  • USB
  • Serial cabling
  • Direct parallel cabling
  • Infrared link
  • IEEE 1394 (FireWire)
Example: Direct data transfer between two devices (for example, information synchronization between a handheld Microsoft Windows CE–based computer and a desktop computer).

Connection type: Incoming
Communication method:
  • Dial-up
  • VPN
  • Direct connections
Example: Connections from other computers to dial in to this computer.

Remote Access Connection Types

Remote access allows remote clients running Windows to access a network. You can use the following remote access connection types.

Dial-Up Modem

Dial-up modem is the most commonly used form of remote access connection. Also called a slow link, an analog dial-up connection makes use of the PSTN rather than a dedicated circuit or some other type of private network.

ISDN

Integrated Services Digital Network (ISDN) technology makes it possible to offer telephone customers digital data and voice services using a single wire by dividing the capacity of the wire into separate channels. A basic rate ISDN line can offer speeds of up to 128 kilobits per second (Kbps) using two 64 Kbps channels. An ISDN line must be installed by the phone company at both the server site and the remote site. In most instances, ISDN is used for intermittent, dial-up connectivity rather than for a persistent or permanent connection.

X.25

X.25 is a standard that defines the connection between a terminal and a packet-switching data network. When X.25 originated in the early 1970s, the noisy, copper-based telephone infrastructure dictated devoting a great deal of overhead to ensure packet reliability. Media reliability improvements since then, including optical fiber lines, have made the costly focus on data-link reliability unnecessary. ISDN and Frame Relay have largely replaced X.25 as preferred remote connectivity solutions. X.25, however, remains a widely accepted worldwide data communications standard. Consequently, X.25 continues to be used, often in tandem with newer technologies. X.25 is supported in Windows XP Professional.

PPPoE

Point-to-Point Protocol (PPP) is a set of framing and authentication protocols included with Windows remote access to ensure interoperability with third-party remote access software.

PPP over Ethernet (PPPoE) provides the ability to connect a network of hosts over a simple bridging access device to a remote access concentrator. With this model, each host uses its own PPP connection and the user is presented with a familiar user interface. Access control, billing, and type of service can be accomplished on a per-user, rather than a per-site, basis.

To provide a point-to-point connection over Ethernet, each PPP session must learn the Ethernet address of the remote peer, as well as establish a unique session identifier. PPPoE includes a discovery protocol that allows this to take place.
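The discovery stage described above, written out as an added example (this is not code from the Resource Kit or from Windows): both sides of the PADI/PADO/PADR/PADS exchange defined in RFC 2516 are simulated, the frames are parsed with length checks, and the host ends up holding the two values the paragraph names, the access concentrator’s MAC address and a non-zero session ID. The MAC addresses, AC name, Host-Uniq and AC-Cookie values are constructed sample data.

```python
"""PPPoE discovery stage (RFC 2516) as a worked example.

Builds and parses the four discovery frames (PADI, PADO, PADR, PADS) that
let a host learn the access concentrator's MAC address and a session ID
before any PPP frames flow. Constructed/assumed: the MAC addresses, the
AC name, the Host-Uniq and AC-Cookie values are samples, not real devices.
"""
import struct

ETH_DISCOVERY = 0x8863          # EtherType for the discovery stage
ETH_SESSION = 0x8864            # EtherType for the PPP session stage
PPPOE_VER_TYPE = 0x11           # version 1, type 1
BROADCAST = bytes.fromhex("ffffffffffff")

CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104


def build_frame(dst, src, code, session_id, tags):
    """Encode an Ethernet + PPPoE discovery frame from a list of (type, value) tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload)) + payload
    return dst + src + struct.pack("!H", ETH_DISCOVERY) + pppoe


def parse_frame(frame):
    """Decode a discovery frame into a dict; raises ValueError on malformed input."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame: 0x%04x" % ethertype)
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds frame size")
    tags, pos = {}, 0
    while pos + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[pos:pos + 4])
        if t == TAG_END:
            break
        if pos + 4 + l > len(payload):
            raise ValueError("tag 0x%04x runs past payload" % t)
        tags.setdefault(t, []).append(payload[pos + 4:pos + 4 + l])
        pos += 4 + l
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}


def run_discovery(host_mac, ac_mac, ac_name=b"ac-example", service=b""):
    """Simulate both sides of the discovery stage; return (peer MAC, session ID)."""
    host_uniq = b"\x12\x34\x56\x78"  # constructed; lets the host match replies to its PADI
    # 1. Host broadcasts PADI naming the service it wants (empty = any service).
    padi = build_frame(BROADCAST, host_mac, CODE_PADI, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    req = parse_frame(padi)
    # 2. AC answers PADO unicast, echoing Host-Uniq and adding an AC-Cookie.
    cookie = b"\xde\xad\xbe\xef"  # constructed; a real AC derives it from the host MAC
    pado = build_frame(req["src"], ac_mac, CODE_PADO, 0,
                       [(TAG_AC_NAME, ac_name), (TAG_SERVICE_NAME, service),
                        (TAG_HOST_UNIQ, req["tags"][TAG_HOST_UNIQ][0]),
                        (TAG_AC_COOKIE, cookie)])
    offer = parse_frame(pado)
    # A host only accepts offers that echo its own Host-Uniq tag.
    if offer["tags"].get(TAG_HOST_UNIQ, [None])[0] != host_uniq:
        raise ValueError("PADO does not echo our Host-Uniq; ignoring it")
    # 3. Host sends PADR unicast to the chosen AC, returning the AC-Cookie.
    padr = build_frame(offer["src"], host_mac, CODE_PADR, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq),
                        (TAG_AC_COOKIE, offer["tags"][TAG_AC_COOKIE][0])])
    request = parse_frame(padr)
    # 4. AC confirms with PADS carrying the non-zero session ID for this host.
    pads = build_frame(request["src"], ac_mac, CODE_PADS, 0x0042,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    confirm = parse_frame(pads)
    if confirm["code"] != CODE_PADS or confirm["session_id"] == 0:
        raise ValueError("no session established")
    # Both values are now fixed for the PPP session stage (EtherType 0x8864).
    return confirm["src"], confirm["session_id"]


if __name__ == "__main__":
    peer, sid = run_discovery(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
    print("peer MAC %s, session ID 0x%04x" % (peer.hex(":"), sid))
```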

Microsoft Ethernet PVC

Microsoft Ethernet PVC provides support for Ethernet and IP data encapsulation over ATM. This enables the encapsulation and transport of IP or Ethernet packets over ATM between a client connected by means of an ATM permanent virtual connection to a supporting infrastructure. To accomplish this, Microsoft Ethernet PVC acts as a bridging Ethernet adapter for the TCP/IP protocol or a routing adapter for the TCP/IP protocol alone and uses the PVC on the ATM or internal ADSL adapter to transfer encapsulated data.

Windows XP Professional supports the two encapsulation methods defined in RFC 2684: LLC Encapsulation and VC Multiplexing. Both Ethernet and IP protocols are supported using either encapsulation method on both bridged and routed PDUs (protocol data units). For example, protocols supported by Microsoft Ethernet PVC in Windows XP Professional include PPPoE (PPP over Ethernet), L2TP (Layer Two Tunneling Protocol), Ethernet, or Ethernet encapsulated in IP.

A typical situation in which Microsoft Ethernet PVC might provide remote connectivity for a home or small office involves using an internal ADSL modem. In Windows XP Professional, you configure the ADSL modem as Microsoft Ethernet PVC. As shown in Figure 25-1, the ADSL modem connects by means of the Public Switched Telephone Network (PSTN) to a Digital Subscriber Line Access Multiplexer (DSLAM) located at the service provider, most likely the central office of the local telephony carrier. The DSLAM either bridges the encapsulated data directly to a network or connects to an external bridge, router, or ATM switch located at the service provider. A connection can then be made to the targeted network, such as a corporate office or the Internet.

Figure 25-1 Connectivity with Ethernet PVC

For information about configuring Ethernet PVC, see Windows XP Professional Help and Support Center.

VPN Connection Types

A virtual private network (VPN) connection simulates a secure private link over a shared public infrastructure such as the Internet by encapsulating and encrypting all traffic from the remote access client to the VPN server. VPN offers affordable, secure access for home and small offices over any networking technology that transports IP packets. A Windows XP Professional remote access VPN connection makes use of one of two tunneling protocols to encapsulate all traffic.

PPTP

Point-to-Point Tunneling Protocol (PPTP), while developed by Microsoft and others, is an open industry standard that supports the tunneling of PPP frames. PPP frames can include IP and other networking protocols. Although L2TP used in conjunction with the IP security (IPSec) protocol provides greater security, PPTP is considerably easier to set up. PPTP uses Point-to-Point Protocol (PPP) authentication, compression, and encryption and can provide good security when used with Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2) and a strong password. Companies can use PPTP to outsource their remote dial-up needs to an Internet service provider (ISP) or other carrier to reduce cost and complexity.

L2TP

Layer Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol with roughly the same functionality as PPTP. In Windows XP Professional, L2TP is designed to run natively over IP networks. Like PPTP, L2TP encapsulates PPP frames, which in turn encapsulate the frames of other protocols, thereby allowing users to run applications remotely that are dependent upon specific network protocols. Figure 25-2 demonstrates how an L2TP tunnel can connect a remote computer to a private network. That tunnel can be configured to run over the Internet or an intermediary private network.

Figure 25-2 L2TP tunneling

The use of L2TP, in tandem with IPSec, provides data authentication, data integrity, and data encryption that greatly improves security when sending data over nonsecure networks. For more information about IPSec, see “IPSec” later in this chapter.

Note UDP Ports 500 and 1701 need to be open when using L2TP with IPSec for encryption.

For more information about VPNs, see Windows XP Professional Help and Support Center.

Local Connection Types

Local connection types, in this context, refer to the following LAN technologies.

Ethernet

Ethernet, the 10-megabits-per-second (Mbps) standard for LANs, is the connection type used for most LANs. In this context, the term Ethernet can also include the 100-Mbps standard and the 1-gigabit-per-second (Gbps) standard. For 10-Mbps and 100-Mbps Ethernet, hosts connected to a shared media contend for network access using a collision detection scheme.

Token Ring

Token Ring is a shared access LAN technology that operates very differently from Ethernet. The term generally refers to the IEEE 802.5 standard, largely based on the token passing technology developed by IBM in the 1970s.

A token ring network consists of nodes wired into a physical ring. Each node (or device) passes a control message (token) to the next node. Whichever node has the token is entitled to send a message. Although Token Ring is fully supported by Windows XP Professional, it tends to be more complex and expensive than Ethernet. For this reason, it is rarely used in a home or small office.

FDDI

Fiber Distributed Data Interface (FDDI) is a 100-Mbps token-passing topology that operates in a similar fashion to Token Ring, but unlike Token Ring, FDDI is designed to be used with fiber-optic cabling. For redundancy, FDDI employs a dual-counter rotating ring. Data is generally transmitted on a primary ring. The secondary ring is used if the primary ring fails. Like Token Ring, FDDI is supported by Windows XP Professional, although it is unlikely to be used to connect nodes within a small office or home office LAN.

LAN Emulation

LAN Emulation (LANE) is a group of software components that allows Asynchronous Transfer Mode (ATM) to work with Ethernet or Token Ring networks and applications. Using LANE, you can run your traditional LAN-aware applications and protocols on an ATM network without modification.

LANE provides an intermediate step between fully using ATM and not using ATM at all. For example, LANE allows your current system and software to run on ATM, and it facilitates communication with nodes attached to legacy networks. You can increase the speed of data transmission for current applications and protocols when ATM is used over high-speed media. However, LANE does not take advantage of ATM features such as Quality of Service (QoS).

IP over ATM

IP over ATM is a group of components that do not necessarily reside in one place, providing services not usually available on an ATM switch. (For the purposes of this discussion, it is assumed the IP over ATM server services reside on a Windows 2000–based server.)

IP over ATM provides several advantages over LANE. For example, it can support Quality of Service (QoS) connections, which are required by multimedia and other time-sensitive network applications. IP over ATM also provides lower overhead (because it requires no media access control [MAC] header) and a large IP packet size (9180 bytes).

The core components required for IP over ATM are roughly the same as those required for LANE, as both approaches require the mapping of a connectionless medium to a connection-oriented medium, and vice versa. In IP over ATM, an IP ATMARP (ATM Address Resolution Protocol) server on each IP subnet maintains a database of IP and ATM addresses and provides configuration and broadcast emulation services.

Although Windows XP Professional supports both LANE and IP over ATM, it is unlikely that a small branch office or home office LAN would employ either technology.

Home Phoneline Network Adapter (HPNA)

Windows XP Professional supports HPNA, a networking technology that uses existing telephone wiring in your home to connect devices without interrupting standard telephone service.

802.1x for Wireless LANs

Windows XP Professional SP2 improves and builds upon the wireless support provided in Windows 2000. Windows XP Professional includes support for automatic switching between different access points (APs) when roaming, autodetection of wireless networks, and automatic wireless configuration—allowing for zero client configuration. Additional security is also provided by the integrated support for WPA, the inclusion of an 802.1x client implementation in Windows XP Professional, and the inclusion of wireless device authentication support in the Windows Remote Authentication Dial-In User Service (RADIUS) server, Internet Authentication Service (IAS).

For more information about wireless LANs, see Chapter 21, “Wireless Networking.”

IrDA

The Infrared Data Association (IrDA) has defined a group of short-range, high speed, bidirectional wireless infrared protocols, generically referred to as IrDA. IrDA allows a variety of wireless devices to communicate with each other. Cameras, printers, portable computers, desktop computers, and personal digital assistants (PDAs) can communicate with compatible devices using this technology.

Current IrDA standards are:

  • Serial Infrared (SIR) physical layer specification, which provides for serial infrared connections running at speeds up to 115.2 Kbps. High-speed physical layer specifications have been approved by IrDA that support data speeds of 1.152 Mbps and 4 Mbps.

  • IR Link Access Protocol, which provides a reliable point-to-point link that effectively replaces a three-wire serial cable connection.

  • IR Link Management Protocol, which provides for multiple sessions over a single point-to-point connection.

IrDA also specifies an Information Access Service that a device can use to determine the services offered by another device.

Infrared link, along with both serial cabling and direct parallel cabling, can be used to synchronize information between a handheld Windows CE–based computer and a desktop computer.

Direct Cable Connections

Direct Cable Connection (DCC) represents several technologies, which can each allow two devices to communicate with one another. They include the Universal Serial Bus (USB), serial (or null modem) cable, and the high-speed port-to-port transmission standard, IEEE 1394, also known as FireWire.

Infrared connections are sometimes also included in this category, but they are listed separately here because they also share some characteristics of more conventional network topologies.

When you install and configure DCC networking functionality on your Windows XP Professional–based computer, serial ports with external devices attached are listed as available for DCC connection. If you select a serial port that has an attached device, you disable the port and cannot use it for DCC networking, even though the device functions normally. If a modem is installed on the serial port, that port is removed from the list of available DCC ports. Examples of external devices include:

  • Infrared devices

  • Smart-card readers

USB

The Universal Serial Bus (USB) provides device-to-device connectivity without the need to restart your computer. USB 1.1 is a serial bus with a bandwidth of up to 12 Mbps designed to connect peripherals to a personal computer. USB 2.0 is a newer standard that supports data transfers at rates up to 480 Mbps. USB can connect up to 127 peripherals—such as external CD-ROM drives, printers, modems, mice, and keyboards—to the system through a single, general-purpose port. This is accomplished by chaining peripherals together. USB supports hot plugging and multiple data streams. A USB port is usually located on the back of your computer near the serial port or parallel port.

Serial Cabling

A serial (or null-modem) cable, as the name implies, emulates modem communication: it removes the need for modems when two computers communicate asynchronously over a short distance. When the host computer is at the same location as the target computer, or when you need to place a local host computer with remote access server capabilities between the target and a remote host, a serial cable connects the serial port of the target system to that of the local host.

Direct Parallel Cabling

A parallel cable can also be used to enable file transfers between two computers. Parallel cable connections are faster than serial cable connections because parallel cables transfer data a byte at a time rather than a bit at a time. Windows XP Professional supports the following parallel cables for use with Direct Cable Connection:

  • Standard or basic 4-bit cables

  • Enhanced Capabilities Port (ECP) cables

  • Universal Cable Module cables

IEEE 1394 (FireWire)

IEEE 1394 (or FireWire) is a standard for ports developed by the Institute of Electrical and Electronics Engineers (IEEE) that lets you connect high-speed digital devices, such as digital video cameras and audio/video editing equipment. FireWire provides transmission speeds of 98 Mbps to 393 Mbps.

Wide Area Network Connection Types

Wide area network (WAN) refers to a communications network that uses links provided by telecommunications service providers and connects geographically separated areas. In most instances, WAN refers to persistent connections as opposed to short-term ones (such as analog dial-up and ISDN). WAN connection types include:

  • T-Carrier line

  • Cable modem

  • DSL

  • Frame Relay

T-Carrier Line

The leased line has traditionally been a fast, permanent alternative to dial-up remote access. In most instances, this has been in the form of a T-Carrier line, such as a T1 or fractional T1 line that transmits digital data at a maximum of 1.544 Mbps by using the telephone-switching network. E1, transmitting digital data at a maximum of 2.048 Mbps, is the European counterpart of T1. Today, this legacy technology is being challenged by several other solutions that appear to be more cost effective and easier to install. T-Carrier leased lines are, nonetheless, still a corporate standard in widespread use and are supported by Windows XP Professional with the appropriate T-Carrier adapter and driver.

Cable Modem

Cable modems, with throughput up to 30 Mbps, provide two-way, high-speed connectivity to the Internet and, by means of a VPN connection, to private networks as well. Cable modem technology employs the same coaxial lines that transmit cable television, accomplishing data transmission at speeds that make it ideal for transferring large amounts of digital information rapidly, including complex files such as video clips, audio files, and large amounts of data.

Note Because cable modem is based upon a shared network contention topology, bandwidth is not always available on demand and download speeds can differ.

Cable connectivity operates at higher speeds than leased lines and is more affordable and easier to install. When the cable infrastructure is in place in an area, a firm can easily connect by using the installation of a cable modem or router. Cable modems do not use the telephone system infrastructure and, consequently, there are no local-loop charges.

Perhaps the biggest obstacle preventing widespread cable adoption by businesses is availability. Eighty-five percent of all households in the United States are outfitted for cable reception and a growing number of those now support cable transmission. In contrast, few office buildings support either.

DSL

Digital subscriber line (DSL) technology provides dedicated, high-speed Internet access by using copper telephone lines. DSL partitions the telephone line and dedicates the partition so that it is always available for data transmission. Thus, DSL provides high-speed Internet access without interfering with regular phone service.

A DSL circuit is much faster than an analog modem (up to 64 Kbps) or ISDN (BRI; up to 128 Kbps) connection, even though the wires coming into the subscriber’s premises are the same (copper) as used for regular phone service. One form of digital subscriber line, Asymmetric Digital Subscriber Line (ADSL), for example, provides a one-way data channel to the subscriber at up to 6.4 Mbps and an upstream flow of 640 Kbps.

Like a leased line such as a T1, DSL is a dedicated connection providing continuous Internet and e-mail access, but, unlike a leased line, DSL does not require the installation of a special cable, nor does it require the costly local-loop charges of a T1. Use of a private phone line makes DSL more secure than cable, whose lines are shared by many users. In addition, unlike cable, DSL allows companies to increase their bandwidth on request.

Frame Relay

Frame Relay is a virtual circuit–based packet-switching technology that permits WAN implementations of up to DS3 speeds (44.7 Mbps). It uses virtual circuits (VCs) that are either statically configured by a service provider or created dynamically when needed. Most implementations of Frame Relay use permanent virtual circuits (PVCs). Although technically not a leased line, from the point of view of the end user, a permanent virtual connection performs just like a leased line. It is always available for data transmission and there is no connection maintenance. The circuit is permanently mapped by using the service provider’s network and does not change unless there is a failure in the service provider’s switching network. A switched virtual circuit (SVC), less common in the world of Frame Relay, behaves more like a dial-up modem or ISDN connection although it is faster. It processes call setup, call maintenance, and call breakdown any time it is used.

Incoming Connection Types

By creating an incoming connection, a computer running Windows XP Professional can act as a remote access server. You can configure an incoming connection to accept the following connection types: dial-up (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct cable connection as shown in Table 25-1. On a Windows XP Professional–based computer, an incoming connection can accept up to three incoming calls, up to one of each of these types. This can be an effective, low-cost option in a telecommuter’s home office or a remote office to which the corporate network occasionally needs to send data.

For more information about setting up and configuring incoming connections, see “Managing Incoming Connections” later in this chapter.

Connection-Defined Connections

All the connections that appear in the Network Connections folder contain a set of features that you can use to create a link between your computer and another computer or network. These features establish end-to-end connectivity, define authentication negotiation, and set data encryption rules for connections configured for remote access. For example, you might configure a dial-up connection with the following settings:

  • A standard modem, capable of 56 Kbps, for dialing.

  • A phone number to dial.

  • Any encrypted authentication protocol. Your computer will negotiate with the remote access server to decide whether to use Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), or Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2).

  • Data encryption required (when dialing the corporate network, for example).

  • TCP/IP protocol enabled, with the address obtained automatically.

When you double-click this connection, it dials the number by using the specified modem. The connection allows the session to continue only if the remote access server uses one of the specified encrypted authentication protocols and if the remote access server encrypts data. When connected, the remote access server assigns the connection a unique IP address. This ensures a unique and nonconflicting address for the connection so that you can access remote network resources, such as file shares. Properties of a dial-up connection provide all the parameters required to dial the connection, negotiate password and data handling rules, and provide remote network connectivity.

Unlike remote connections, a local area connection can be modified at any time, but you cannot create one manually. A local area connection is created for each network adapter detected by the Plug and Play service.

Setup automatically creates a local area connection for each network adapter. This connection is preconfigured with the services needed for file and print sharing and the TCP/IP protocol. All other types of connections can be created by using Create a new connection in the Network Connections folder.

Managing Outgoing Connections

You can configure your Windows XP Professional–based computer to initiate a remote connection. Such a connection can be any one of a number of types, including:

  • A dial-up connection to the Internet, using analog modem, ISDN, or X.25

  • A broadband connection to the Internet, using PPPoE, cable modem, DSL, or a leased line

  • A direct dial-up or broadband connection to a private network

  • A VPN connection, using the Internet to exchange data with a private network

It is also possible to use your Windows XP Professional–based computer to establish a connection locally with another device in your office.

Local area connections can be configured at any time. The network adapter is detected; the connection is created and placed in the Network Connections folder.

Along with a display of existing connections, the Network Connections folder contains a list of network tasks, including Create a new connection, which you can double-click to start the New Connection Wizard. Use the New Connection Wizard to create dynamic connections, including Internet connections, VPN connections to the workplace, direct connections to another computer, and incoming connections. Outgoing connections contact a remote access or VPN server by using a configured access method—such as a LAN, dial-up modem, or ISDN line—to establish a connection with the network.

Whether you are connected locally (by a LAN), remotely (by dial-up, ISDN, and so on), or both, you can configure a connection so that it performs any network function that you want. For example, you can print to network printers, access network drives and files, browse other networks, and access the Internet. If you are upgrading to Windows XP Professional from Microsoft Windows Millennium Edition (Me), Microsoft Windows 98 or Microsoft Windows NT Workstation version 4.0, Network Connections dynamically detects Dial-Up Networking phone books and creates a connection for each phone book entry.

Note Certain conditions, such as a malfunctioning network adapter, can keep your connection from appearing in the Network Connections folder.

Using the New Connection Wizard to Choose Connection Types

The New Connection icon always appears in the Network Connections folder. It starts the New Connection Wizard, which guides you through the process of creating all connection types, except for local area connections. The steps in the wizard guide you through the configuration options for each type of connection. The wizard enables you to select among three common connection types. Each connection type is then automatically configured with the most appropriate defaults for most cases. Figure 25-3 shows the three connection types: Connect to the Internet, Connect to the network at my workplace, and Set up an advanced connection. In addition, Windows XP Service Pack 1a adds a fourth option, Set up a home or small office network, that lets you start the Network Setup Wizard, which is described later in this chapter in “Configuring Home Networks.”

Figure 25-3 New Connection Wizard

Internet Connection

Select this connection type to start the Internet Connection Wizard and connect to the Internet. File and Printer Sharing for Microsoft Networks is disabled, protecting your computer’s file and print shares from computers on the Internet. The Internet Connection Wizard allows you to select a dial-up or broadband connection.

Dial-up connection

By selecting the dial-up connection, you can configure your Windows XP Professional–based computer to access the Internet for a finite period of time using a dial-up technology such as a dial-up analog modem, ISDN, or X.25. A modem or comparable piece of data circuit-terminating equipment (DCE) should be installed within or attached to your computer before such a logical configuration is attempted.

The Internet Connection Wizard automatically connects you to the Microsoft Referral Service to help you select an ISP if you select Dial-up to the Internet and either of the following:

  • I want to sign up for a new Internet account. (My telephone line is connected to my modem.)

  • I want to transfer my existing Internet account to this computer. (My telephone line is connected to my modem.)

The Microsoft Referral Service automates the process and provides the phone numbers to you.

Before you create an Internet connection, check with your Internet service provider (ISP) to verify the required connection settings. A connection to your ISP might require one or more of the following settings:

  • A specific IP address

  • Domain Name System (DNS) addresses and domain names

  • Other optional settings

Broadband connection

Select Broadband Connection to configure your Windows XP Professional–based computer for a persistent connection to the Internet using a faster broadband technology such as PPPoE, cable modem, DSL, or a leased line such as a T1. Unless you supply specific information about your broadband connection, Windows XP Professional dynamically detects and configures your broadband connection, assuming that the device necessary to establish such a connection is already in place.

Connecting to the Network at My Workplace

Select this connection type to connect to a private network from home, a field office, or another location.

Direct connection

This option allows you to connect directly by dial-up or broadband into a corporate (or other private) network.

Internet connection

This option allows you to access the corporate network by means of the Internet by creating a secure VPN connection. Depending upon how the VPN server has been configured, the VPN connection uses either PPTP or L2TP as its tunneling protocol.

Advanced Connection

Select the Advanced Connection type for two other selections.

Set Up This Computer to Accept Incoming Connections

Select this option to configure a Windows XP Professional–based computer to act as a remote access server accepting incoming connections. For more information about configuring a Windows XP Professional–based computer to act as a remote access server, see “Managing Incoming Connections” later in this chapter.

Connecting Directly to Another Computer

Select this option to connect your Windows XP Professional–based computer directly to another computer by means of a parallel, serial, or infrared port-to-port connection.

You can designate your computer to act either as the Host or the Guest computer. The Host makes data available to another computer. The Guest is the computer that accesses data on the Host computer.

To connect directly to another computer

  1. In Control Panel, click Network and Internet Connections.

  2. In Network and Internet Connections, click Network Connections.

  3. In Network Connections, under Network Tasks, click Create a new connection. In the New Connection Wizard, click Next.

  4. Select Set up an advanced connection, and then click Next.

  5. In the Advanced Connection Options dialog box, select Connect directly to another computer, and then click Next.

  6. Select Host, and then click Next.

  7. In the Connection Device dialog box, select the appropriate device for this connection and then click Next.

  8. In the Users allowed to connect dialog box, select the check box next to the name of the user to whom you want to assign the right to connect this computer and then click Next.

    Note that a disabled account affects the user’s ability to connect. (If you want to add a user name to the account list, click Add and then type the User name, Full name, Password, and Password confirmation of the user.)

  9. In the Completing the Network Connection Wizard dialog box, type the connection name in the text box, and then click Finish.

What Can I Configure?

Group Policy enforces specified requirements for user environments. For example, by using Group Policy, you can enforce local and domain security options, specify logon and logoff scripts, and redirect user folder storage to a network location. Local Group Policy can be applied at the local computer or workgroup level. In the domain environment, Group Policy can be applied using Active Directory, the directory service included with Windows 2000 and Windows Server 2003.

For more information about Group Policy in Windows XP Professional, see Chapter 17, “Managing Authorization and Access Control.”

Your ability to configure connections depends on several factors, including your administrative rights, whether a connection was created by using Only for myself or For all users in the New Connection Wizard, and which Group Policy settings are applied to you.

Configuration Privileges

If you are logged on as an administrator or as a member of the Network Configuration Operators local group, the New Connection Wizard prompts you to select whether a connection that you are creating is For all users or Only for myself. If you select For all users, this connection is available to any user who logs on to that computer, and only an administrator who is logged on to that computer can modify the connection. If you select Only for myself, only you can modify or use it.

Group Policy settings, which are designed to help manage large numbers of users in enterprise environments, can be used to control access to the Network Connections folder and to the connections in it. Settings are available that enable or disable the ability to create connections, delete connections, or modify connection properties. For more information about these Group Policy settings, see Chapter 23, “Connecting Clients to Windows Networks.”

Note If you choose Log on using dial-up connection when you start your Windows XP Professional session, you see only the For all users connections. This is because before you log on, you are not authenticated to the network. After you have logged on and your identity is authenticated, you see the Only for myself connections.

Configuring Remote Connections

Because all services and communication methods are configured within the connection, you do not need to use external management tools to configure dial-up, VPN, or direct connections. For example, the settings for a dial-up connection include the features to be used before, during, and after connecting. These include the modem you use for dialing, the type of password authentication and data encryption you use upon connecting, and the remote network protocols you use after connecting.

Because settings are established per connection, you can create different connections that apply to different connection scenarios and their specific needs. For example, you can configure a connection with a static TCP/IP address when you dial into your corporate office. You might also have a connection configured for an ISP. If your ISP allocates IP addresses using PPP, set the TCP/IP settings for the connection to Obtain an IP address automatically.

Connection status, which includes the duration and speed of a connection, is viewed from the connection itself; you do not need to use an external status tool. All connections are configured by right-clicking the connection and then clicking Properties. For more information about configuring connections, see Windows XP Professional Help and Support Center.

Configuring Advanced Settings

The settings in the Advanced menu of the Network Connections folder allow you to choose from a range of advanced settings, including operator-assisted dialing, dial-up preferences, bridge creation (Layer 2 connectivity), and network identification options. Another option allows you to install optional networking components such as the Simple Network Management Protocol (SNMP) service or the printing service. You can also modify the order in which connections are used by network services, or the order in which your computer uses network protocols and providers.

Operator-Assisted Dialing

If you choose this setting, automatic dial-up settings can be overridden where intervention is required. Typically, you can use this setting where you have to call by using a manually operated switchboard to establish your dial-up connection.

Dial-Up Preferences

The settings in Dial-up Preferences affect connection creation privileges, Autodial options, and callback options.

You can enable or disable Dial-up Preferences on your users’ desktops by using the Enable the Dial-up Preferences item on the Advanced menu Group Policy setting.

Autodial

The Autodial tab on the Dial-up Preferences page lists the available locations where you can enable Autodial. Autodial maps and maintains network addresses to connection destinations, which allows the destinations to be automatically dialed when referenced, whether from an application or from a command prompt. To enable Autodial for a location, select the check box next to the location. To disable Autodial for a connection, clear the check box next to the location.

The following is an example of how Autodial works:

  1. You are not connected to your ISP, and you click an Internet address that is embedded in a word processing document.

  2. You are asked to choose the connection used to reach your ISP, that connection is dialed, and then you access the Internet address.

  3. The next time you are not connected to your ISP and you click the Internet address in the word processing document, the connection that you selected the first time is automatically dialed.

The Autodial feature works only when the Remote Access Auto Connection Manager service is started. Remote Access Auto Connection Manager is installed by default in Windows XP Professional–based computers that are not members of a domain and in Microsoft Windows XP Home Edition.

To start the Remote Access Auto Connection Manager service

  1. Right-click My Computer, and then click Manage.

  2. In the console tree, double-click Services and Applications, and then click Services.

  3. In the details pane, right-click Remote Access Auto Connection Manager, and then click Start.

Callback

The Callback tab on the Dial-up Preferences page provides you with cost advantages. Callback instructs your dial-up server to disconnect your initiating call after authenticating your credentials and then call you back, thereby reducing your phone charges.

Callback behavior is determined by a combination of the settings that you specify in Network Connections, and by the user account settings you designate. Table 25-2 illustrates callback behavior based on these settings.

Table 25-2 Callback Behavior

Callback Setting on the Calling Computer | Callback Setting on the User Account | Behavior
--- | --- | ---
No callback | No callback | The connection stays up.
No callback | Set by caller | The remote access server offers callback, the client declines, and the connection stays up.
No callback | Always callback to | The remote access server offers callback, the client declines, and the remote access server disconnects the connection.
Ask me during dialing when the server offers | No callback | The connection stays up.
Ask me during dialing when the server offers | Set by caller | The Callback dialog box appears on your computer. Type the current callback number in the dialog box, and then wait for the server to disconnect and return the call. Optionally, you can press ESC at this point to cancel the callback process and remain connected.
Ask me during dialing when the server offers | Always callback to | The remote access server disconnects and then returns the call by using the number specified on the remote access server.
Always call me back at the number(s) below | No callback | The connection stays up.
Always call me back at the number(s) below | Set by caller | The remote access server disconnects and then returns the call by using the number specified in Network Connections.
Always call me back at the number(s) below | Always callback to | The remote access server disconnects and then returns the call by using the number specified on the remote access server.

After your call reaches the remote access server, the server determines that your user name and password are correct and then acts, based upon preconfigured Network Connections and remote access server callback settings.

Callback can also provide security advantages to your network. Requiring callback to a particular number enhances network security by ensuring that only users from specific locations can gain access to the server. Dropping the call and then immediately calling back to the pre-assigned callback number makes impersonation more difficult. You cannot use this aspect of callback if you are dialing in from multiple locations.

The settings in Callback indicate the conditions under which you want to use the feature. For example, you can configure callback to prompt you for a phone number during the dialing process, or you can specify that callback always call you back at a specific number.

Callback options can also be configured on a per-user basis on the dial-up properties of a user account. The Always Callback to server setting overrides Network Connections settings. Therefore, if you have specified Ask me during dialing when the server offers in Network Connections, but your user account designates Always Callback to (with a corresponding phone number), callback does not prompt you for a number when you dial in; it always calls you back at the number specified on the server. For more information about how to configure your callback options, see Windows XP Professional Help and Support Center.

If you have specified No callback but the user account is set to Always Callback to, you cannot connect. With this combination of settings, the remote access server requests callback, your computer refuses, and then the remote access server disconnects your connection. If your computer is configured to accept incoming connections, you can enforce callback options on that computer. For more information about configuring incoming connections, see “Managing Incoming Connections” later in this chapter.
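The callback rules above can be read as a short negotiation: the server offers callback according to the user account, the calling computer answers according to its own Network Connections setting, and the server then decides whether to stay up, drop the call, or drop and return it. The following model is an added example for this section, not code from the Resource Kit or from Windows; the enum names, the message shape, the outcome strings and the 555 phone numbers are assumptions made for the model. Its main point is the one that matters for security: when the account is set to Always callback to, the number the caller configured or typed is never used, and a caller that refuses callback does not get a session at all.

```python
"""Model of the callback negotiation summarized in Table 25-2.

Added example: this is not code from the Resource Kit or from Windows.
It models the decision each side makes after the caller has been
authenticated. The enum names, the message shape and the outcome strings
are assumptions made for the model, not Windows identifiers.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ClientSetting(Enum):
    """Callback setting on the calling computer (Network Connections)."""
    NO_CALLBACK = "No callback"
    ASK_ME = "Ask me during dialing when the server offers"
    ALWAYS_CALL_ME_BACK = "Always call me back at the number(s) below"


class AccountSetting(Enum):
    """Callback setting on the user account at the remote access server."""
    NO_CALLBACK = "No callback"
    SET_BY_CALLER = "Set by caller"
    ALWAYS_CALLBACK_TO = "Always callback to"


@dataclass
class CallbackResponse:
    """The calling computer's answer to a callback offer."""
    accepted: bool
    number: Optional[str] = None  # number the caller proposes, when it may choose


def client_responds(setting: ClientSetting, server_fixes_number: bool,
                    configured_number: Optional[str],
                    user_typed: Optional[str]) -> CallbackResponse:
    """Answer a callback offer from the caller's point of view.

    server_fixes_number is True when the account is set to "Always callback
    to": the server already holds the number, so the caller is not prompted
    and any number it has configured is ignored. user_typed models the
    Callback dialog box; None means the user pressed ESC.
    """
    if setting is ClientSetting.NO_CALLBACK:
        return CallbackResponse(accepted=False)
    if server_fixes_number:
        return CallbackResponse(accepted=True)
    if setting is ClientSetting.ALWAYS_CALL_ME_BACK:
        return CallbackResponse(accepted=True, number=configured_number)
    # ASK_ME: prompt the user; ESC cancels callback and stays connected.
    if user_typed is None:
        return CallbackResponse(accepted=False)
    return CallbackResponse(accepted=True, number=user_typed)


def negotiate(client: ClientSetting, account: AccountSetting, *,
              client_number: Optional[str] = None,
              account_number: Optional[str] = None,
              user_typed: Optional[str] = None) -> str:
    """Outcome decided by the remote access server after authentication."""
    if account is AccountSetting.NO_CALLBACK:
        return "stay connected"  # the server never offers callback
    fixed = account is AccountSetting.ALWAYS_CALLBACK_TO
    resp = client_responds(client, fixed, client_number, user_typed)
    if fixed:
        # Administrator-fixed number: a refusal ends the session, and an
        # accepted offer always uses the server's number, never the caller's.
        return f"disconnect, call back {account_number}" if resp.accepted else "disconnect"
    # Set by caller: the caller may decline and stay up, or name a number.
    return f"disconnect, call back {resp.number}" if resp.accepted else "stay connected"


if __name__ == "__main__":
    # Constructed sample numbers; prints the nine combinations of Table 25-2.
    for c in ClientSetting:
        for a in AccountSetting:
            outcome = negotiate(c, a, client_number="555-0100",
                                account_number="555-0199", user_typed="555-0123")
            print(f"{c.value!r} / {a.value!r}: {outcome}")
```

Running the block prints one line per row of Table 25-2; the only way a caller influences the returned number is when the account is set to Set by caller, which is why the text recommends Always callback to for users who always dial from the same location.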

Dynamic Multiple Device Dialing

The PPP Multilink Protocol (MP), defined in RFC 1990, combines multiple physical links into a logical bundle, called multilink lines, and the resulting aggregate link increases your connection bandwidth. Network Connections can dynamically control the use of these multilink lines through a combination of support for MP and Bandwidth Allocation Protocol (BAP). BAP is a PPP control protocol that is used on an MP connection to dynamically manage links. This procedure can be accomplished by dialing over multiple ISDN, X.25, or analog modem lines.

To dial multiple devices, both your connection and your remote access server must have MP enabled. BAP enables the dynamic use of multiple-device dialing by allocating lines only as they are required, thereby limiting communications costs to the bandwidth requirements. You can realize a significant efficiency advantage by doing this. The conditions under which extra lines are dialed, and underused lines are disconnected, are configured by using the Options property page of a dial-up connection. For more information, see article 307849, “How to Set Up Multiple-Device (Multilink) Dialing in Windows XP,” in the Microsoft Knowledge Base at https://support.microsoft.com.
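To make the bandwidth-on-demand behaviour concrete, the following simulation is an added example for this section, not code from the Resource Kit or from Windows. It models the kind of rule the Options property page lets you set (dial another line when the bundle stays busy for a while, hang one up when it stays idle for longer) and feeds it a constructed utilization trace; the class name, the default thresholds and the trace are assumptions made for the model. The decision to add or drop a line is what BAP carries between the peers (Call-Request and Link-Drop-Query-Request in RFC 2125); the simulation shows only the local decision.

```python
"""Bandwidth-on-demand decisions for a PPP Multilink (MP) bundle.

Added example: this is not code from the Resource Kit or from Windows.
It models the kind of rule the Options property page of a dial-up
connection lets you set (dial another line when the bundle stays busy,
hang one up when it stays idle). The class name, the default thresholds
and the sample utilization trace are assumptions made for the model.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class MultilinkBundle:
    max_links: int                  # physical lines available, e.g. 2 ISDN B-channels
    add_above_pct: int = 75         # dial another line when utilization exceeds this ...
    add_after_secs: int = 10        # ... for at least this many seconds
    drop_below_pct: int = 10        # hang up a line when utilization falls below this ...
    drop_after_secs: int = 120      # ... for at least this many seconds
    active_links: int = 1           # the first line is always up while connected
    log: List[str] = field(default_factory=list)
    _busy_secs: int = field(default=0, init=False)
    _idle_secs: int = field(default=0, init=False)

    def step(self, utilization_pct: int, seconds: int = 1) -> int:
        """Feed one utilization sample (percent of the bundle's current capacity)
        covering `seconds` seconds. Returns the number of active links afterwards."""
        if utilization_pct > self.add_above_pct:
            self._busy_secs += seconds
            self._idle_secs = 0
        elif utilization_pct < self.drop_below_pct:
            self._idle_secs += seconds
            self._busy_secs = 0
        else:
            self._busy_secs = self._idle_secs = 0   # in the dead band: reset both timers

        if self._busy_secs >= self.add_after_secs and self.active_links < self.max_links:
            self.active_links += 1                  # BAP Call-Request: bring up one more line
            self._busy_secs = 0
            self.log.append(f"dial: links={self.active_links}")
        elif self._idle_secs >= self.drop_after_secs and self.active_links > 1:
            self.active_links -= 1                  # BAP Link-Drop-Query-Request: release a line
            self._idle_secs = 0
            self.log.append(f"hangup: links={self.active_links}")
        return self.active_links


def simulate(bundle: MultilinkBundle, samples: List[int]) -> List[int]:
    """Run a trace of per-second utilization samples; returns links after each."""
    return [bundle.step(u) for u in samples]


if __name__ == "__main__":
    # Constructed trace: a burst of downloads, a quiet patch, then a long idle period.
    trace = [90] * 12 + [40] * 5 + [3] * 130
    bundle = MultilinkBundle(max_links=2)
    simulate(bundle, trace)
    print(bundle.log)   # dial after 10 busy seconds, hang up after 120 idle seconds
```

The asymmetric thresholds (quick to add, slow to drop) are the usual way to keep the extra line from flapping; with the defaults above the second line costs at most 120 idle seconds before it is released, which is the trade-off the text describes between bandwidth and communications cost.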

Network Identification

Network Identification displays your computer name and the workgroup or domain to which the computer belongs. You can change the name of your computer, or join a domain by changing the settings on the System Properties sheet.

To change the name of your computer

  1. In Control Panel, click Performance and Maintenance.

  2. In Performance and Maintenance, click System.

  3. Click the Computer Name tab.

  4. In the Computer description text box, you can type a name for the computer (for example, “Mary’s Computer”), and then click Apply.

  5. The computer name appears under Full Computer Name. To change that name, click Change.

  6. In Computer Name Changes, type the new computer name and then click OK.

  7. In the Computer Name Changes dialog box, enter the name and password of an account with permission to rename this computer in the domain. Click OK.

Advanced Settings

Windows XP Professional uses network providers and bindings in the order specified in the Advanced Settings dialog box.

To open the Advanced Settings dialog box

  1. In Control Panel, click Network and Internet Connections.

  2. In Network and Internet Connections, click Network Connections.

  3. In Network Connections, select the appropriate LAN or High Speed Internet connection.

  4. On the Advanced drop-down menu, click Advanced Settings.

By changing your provider order, and by changing the order of protocols bound to those providers, you can improve performance. For example, suppose your LAN connection is enabled to access Novell NetWare and Microsoft Windows networks—which use IPX and TCP/IP, respectively—but your primary connection is to a Microsoft Windows network that uses TCP/IP. You can move Microsoft Windows Network to the top of the Network Providers list on the Provider Order tab and move Internet Protocol (TCP/IP) to the top of the File and Printer Sharing for Microsoft Networks binding on the Adapters and Bindings tab.

Note Microsoft Windows XP 64-Bit Edition does not support Client Service for NetWare.

An administrator can enable or disable the Advanced Settings option by using the Enable the Advanced Settings item on the Advanced menu setting in the Microsoft Management Console (MMC) Group Policy snap-in. For more information about Advanced Settings, see Chapter 23, “Connecting Clients to Windows Networks.”

Optional Networking Components

Optional networking components support network operations that are not automatically installed with Windows XP Professional. The components consist of the following:

  • Management and Monitoring Tools

    • Simple Network Management Protocol (SNMP)

    • WMI SNMP Provider

  • Networking Services

    • RIP Listener

    • Simple TCP/IP Services

    • Universal Plug and Play

  • Other Network File and Print Services

    • Print Services for UNIX

To configure optional networking components

  1. In Control Panel, click Add or Remove Programs.

  2. In Add or Remove Programs, click Add/Remove Windows Components.

  3. In the Windows Components Wizard, select the networking components you want to add and then click Next.

  4. When the wizard completes, click Finish.

Deploying Connection Manager

Connection Manager 1.3 is a client dialer, included in Windows XP Professional, whose several advanced features make it a superset of basic dial-up networking. Microsoft Windows 2000 Server and Windows Server 2003 include a set of tools that enables a network manager to deliver preconfigured connections to network users. These tools are the Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS).

Connection Manager provides support for local and remote connections to your service provider by using a network of access points, such as those available worldwide by means of ISPs. If your service provider requires secure connections over the Internet, you can also use Connection Manager to establish VPN connections. Connection Manager’s features are covered in greater detail in Table 25-3. Two features new to Windows XP Professional—Access Points and Improved Help—are included in Table 25-3.

Table 25-3 Connection Manager Features

Feature | Description
--- | ---
Branding | Enables the graphics, icons, messages, Help, and phone book support in Connection Manager to be customized to provide an identity that is unique to a service or corporation. For example, you can include custom logos, customer support, and phone book information to identify and represent a company.
Custom actions and monitored applications | Custom functionality, including original programs, can be incorporated to enhance the connection experience of users. These programs can be automatically run at various points during the connection process, such as when users log on or log off. Monitored applications can be set up to automatically disconnect after the original program closes.
Multiple instances of Connection Manager 1.3 | Allows remote users to run more than one Connection Manager service profile at a time. For example, users can run an Internet solution at the same time they run a corporate VPN tunnel.
Multiple user support for each service profile | Supports users who share computers. User profiles allow two or more people to use the same computer and the same service profile. Credentials are maintained, based on the logon ID of the user, so users do not have to re-enter them for each connection.
Simplified distribution | CMAK Wizard can be used on a Windows 2000–based server or Windows Server 2003–based server to automatically build a service profile, the customized software required for a user to run Connection Manager on Windows XP Professional. The service profile is created as an executable file that can be distributed on compact disc or downloaded to the client.
Access Points | Used to save frequently used connection settings.
Improved Help | Provides informational balloon help for Access Points and Dialing Rules.

Additional Connection Manager client features introduced in Windows XP Professional include connection logging, VPN server selection, terminal window support, automatic route addition, and improved ISDN support.

CMAK

A network administrator can use CMAK to tailor the appearance and behavior of a connection made with Connection Manager. Using CMAK, an administrator can develop client dialer and connection software that allows users to connect to the network by using only the connection features that the administrator defines for them. Connection Manager supports a variety of features that both simplify and enhance implementation of connection support for you and your users, most of which can be incorporated using the CMAK Wizard.

CMAK allows you to build profiles customizing the Connection Manager installation package that you deliver to your customers so that Connection Manager reflects the identity of your organization. It allows you to determine which functions and features you want to include and how Connection Manager appears to your customers.

For more information about CMAK and the configuration of connection manager service profiles, see “Customizing Connection Management and Settings” in the Microsoft Internet Explorer 5 Resource Kit of the Microsoft Windows 2000 Server Resource Kit.

CPS

Connection Point Services (CPS) work in conjunction with Connection Manager to automate the process of updating users’ computers with new Points of Presence (POP) entries. Each POP entry supplies a telephone number that provides dial-up access to an Internet access point.

CPS consists of Phone Book Service, a tool for distributing phone books, and Phone Book Administrator, a tool for creating and maintaining your phone book files. The phone books provide users with complete POP information, so they can connect to different Internet access points rather than being restricted to a single POP during travel.

CPS eliminates a user’s need to contact technical support to obtain changes in POP information and reconfigure their client dialer software.

Accessing Network Resources

Network Connections provides access to your network, based on the user name and, in the case of PPP connections, password credentials that you supply. This access does not imply privilege to use resources on the network. The network access control process confirms your access rights each time that you attempt to access any network resource. For more information about authentication and access control methods, see “Authentication” later in this chapter.

After you have connected to your network, access to network resources, such as files and printers, might be affected by one or more of the following administrative controls on both your own computer and on the resources you are trying to access.

File and Printer Sharing

File and Printer Sharing is established by each resource, and permissions depend on user name or group membership.

Group Policy

Group Policy enforces specified requirements for your users’ environments. For example, by using Group Policy, you can enforce local and domain security options, specify logon and logoff scripts, and redirect user folder storage to a network location.

Local Group Policy

Local Group Policy can be applied at the local computer or workgroup level. In the domain environment, Local Group Policy is overridden by domain-based Group Policy.

Note If your computer is connecting to a domain-protected network, you must have a user account on that network before you can be granted access to network resources that are protected by domain-based access control lists (ACLs).

For more information about Group Policy and Local Group Policy, see Chapter 23, “Connecting Clients to Windows Networks.”

Managing Incoming Connections

By configuring a Windows XP Professional–based computer to accept incoming connections, you permit other computers to dial in to your computer. Plug and Play automatically detects and enumerates devices, such as modems and COM ports.

Note Callback options, discussed in “Callback” earlier in this chapter, can be enforced only if your computer has been configured to accept incoming connections.

To configure your computer to accept incoming connections

  1. In Control Panel, click Network and Internet Connections.

  2. Click Network Connections.

  3. Under Network Tasks, click Create a new connection to start the New Connection Wizard.

    The first time you start the New Connection Wizard, the Location Information dialog box appears, requesting country or region, area code and, if necessary, a carrier code and an outside access number. You also need to indicate whether your phone system uses tone or pulse dialing. After typing this information in the dialog box, click OK.

  4. In New Connection Wizard, click Next.

  5. On the Network Connection Type dialog box, select Set up an advanced connection and then click Next.

  6. On the Advanced Connection Options page, select Accept incoming connections and then click Next.

    This allows other computers to connect to your Windows XP Professional–based computer by means of the Internet, a phone line, or a direct cable connection.

  7. On the Devices for Incoming Connections page, select the check box next to each device you want to use for incoming connections and then click Next.

  8. On the Incoming Virtual Private Connection page, select Allow virtual private connections, and then click Next.

    This enables a virtual private connection so that another computer can use the Internet or another public network to access your computer. For this to occur, your computer must have a known name or an IP address on the Internet.

  9. On the User Permissions page, select the check box next to each existing user name you want to add, or click Add for each new user you want to add. Click Next.

    This specifies the name of each user you permit to access your computer.

  10. On the Networking Software page, select the check box next to each type of networking software that should be enabled for incoming connections. Click Next, and then click Finish.

    This allows your computer to accept connections from other kinds of computers. The components listed by default include TCP/IP, File and Print Sharing for Microsoft Networks, QoS Packet Scheduler, and Client for Microsoft Networks.

Configuring Home Networks

Using Windows XP Professional, you can easily set up a home office network between desktops without using a server. Its Microsoft Windows NT–style user account management and permissions offer an environment ready-made for secure home and small office networking. You can also integrate other hardware devices such as printers, scanners, or cameras into your home network. The Network Setup Wizard guides you through the process of setting up your home network, including Internet Connection Sharing (ICS), naming your workgroup, and naming your computer.

You can use Home Networking to:

  • Share an Internet connection with all the computers on your home network.

  • Work on files stored on any computer on the network.

  • Share printers from any computer.

  • Play multiplayer games.

  • Use one computer to secure your entire network and protect your Internet connection.

In addition, Windows XP Professional is compatible with previous versions of Windows. You can introduce Windows XP Professional into a peer-to-peer network configured between clients running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition (Me), or you can introduce clients running Windows 95, Windows 98, or Windows Me into a Windows XP Professional network.

You can set up one computer to share its Internet connection with the rest of the home network by using Internet Connection Sharing. ICS lets all the computers in your home network communicate with the Internet at the same time. The computers that do not have a direct Internet connection, called clients, rely on the host computer for Internet access. The ICS host computer also manages network addressing: it assigns itself a permanent private address and acts as a Dynamic Host Configuration Protocol (DHCP) server for the ICS clients, assigning a unique address to each client so that the computers on the network can communicate with one another.

For more information about ICS, see “Sharing an Internet Connection” later in this chapter.
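The addressing role of the ICS host is easy to see in a small model. The following class is an added example for this section, not code from the Resource Kit or from Windows: the host keeps one fixed private address for itself, each client receives a unique address from the same private subnet, and an address is reclaimed only when its lease expires or the client releases it. The subnet 192.168.0.0/24, the lease time, the client identifiers and the class name are assumptions made for the model. Because the clients hold only private addresses, nothing on the Internet can reach them except through the host, which is the property the bullet list above relies on when it says one computer can protect the whole network.

```python
"""Private addressing on an ICS host, modelled as a small DHCP-style pool.

Added example: this is not code from the Resource Kit or from Windows.
The ICS host keeps one fixed private address for itself and hands each
client a unique address from the same private subnet, reclaiming it when
the lease expires. The subnet, the lease time, the client identifiers
and the class name are assumptions made for the model.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class IcsAddressPool:
    def __init__(self, subnet: str = "192.168.0.0/24", lease_seconds: int = 86400):
        self.net = ipaddress.ip_network(subnet)
        if not self.net.is_private:
            # ICS clients are reachable only through the host; the pool must be private.
            raise ValueError("ICS hands out private (RFC 1918) addresses only")
        hosts: List[ipaddress.IPv4Address] = list(self.net.hosts())
        self.host_address = hosts[0]          # the host keeps the first address permanently
        self._free = hosts[1:]                # everything else is available to clients
        self._leases: Dict[str, Tuple[ipaddress.IPv4Address, float]] = {}
        self.lease_seconds = lease_seconds

    def expire(self, now: float) -> List[str]:
        """Reclaim addresses whose leases have run out; returns the client ids dropped."""
        dropped = [cid for cid, (_, until) in self._leases.items() if until <= now]
        for cid in dropped:
            addr, _ = self._leases.pop(cid)
            self._free.append(addr)
        return dropped

    def offer(self, client_id: str, now: float) -> ipaddress.IPv4Address:
        """DHCP-style offer: renew the client's existing lease or hand out a free address."""
        self.expire(now)
        if client_id in self._leases:
            addr = self._leases[client_id][0]
        else:
            if not self._free:
                raise RuntimeError("ICS address pool exhausted")
            addr = self._free.pop(0)
        self._leases[client_id] = (addr, now + self.lease_seconds)
        return addr

    def release(self, client_id: str) -> None:
        """Client gives its address back (DHCP release)."""
        lease = self._leases.pop(client_id, None)
        if lease:
            self._free.append(lease[0])

    def owner(self, address: str) -> Optional[str]:
        """Which client currently holds an address, if any (what the host consults for NAT)."""
        target = ipaddress.ip_address(address)
        for cid, (addr, _) in self._leases.items():
            if addr == target:
                return cid
        return None


if __name__ == "__main__":
    # Constructed client identifiers (MAC-style strings); not real devices.
    pool = IcsAddressPool()
    print("host:", pool.host_address)
    print("laptop:", pool.offer("00:11:22:33:44:55", now=0))
    print("desktop:", pool.offer("66:77:88:99:aa:bb", now=0))
    print("owner of 192.168.0.3:", pool.owner("192.168.0.3"))
```

Renewing a lease returns the same address, so a client keeps its identity on the network between reboots as long as it renews in time; a client that goes away simply loses its address when the lease runs out, which is what lets a small home network run without anyone administering addresses by hand.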

Successfully setting up your home network is a two-part process:

  1. Install and configure the appropriate hardware on each computer.

  2. Run the Windows XP Professional Network Setup Wizard on each computer in your home network.

Before you run the Network Setup Wizard, be sure you have addressed these concerns:

  • The Network Setup Wizard is supported only on computers running Windows XP Professional, Microsoft Windows XP Home Edition, Windows Me, or Windows 98.

  • Before setting up your home network, make sure that the ICS host computer has the Internet connection configured.

  • Before running the Network Setup Wizard, install a network adapter in your Windows XP Professional–based computer. If you plan to enable ICS, you will need two network connections.

  • When planning to run the Network Setup Wizard, make sure your computer is not a member of a domain. These setup options do not appear on a Windows XP–based computer that is a domain member.

Home Network Hardware Requirements

Make sure your network hardware, such as devices and cables, is installed and set up correctly before you run the Network Setup Wizard. When planning your home or small office network, pick the type of hardware to use for connecting your computers. In the business world, the standard network connection technology is Ethernet, which requires a network adapter in each computer and dedicated physical cabling. Depending on its size, an Ethernet network also requires an interconnecting device (a hub or a switch) to join the cabled computers into a single network.

There are several components that you need to create a home network:

  • Computers.

    You need two or more computers for a network.

  • Network adapter.

    Often called a network interface card, a network adapter connects your computers to the network and allows your computers to communicate with each other.

  • Network hubs and cables.

    A hub connects multiple computers at a central location. A hub is typically used when connecting two or more computers to an Ethernet network. A hub is not required if you are going to connect your computers through your phone lines using Home Phoneline Networking Alliance (HomePNA) devices or if you use wireless adapters. Using Ethernet or HomePNA, you need cables to connect to either a hub or the phone lines. An alternative to using a hub is to use an Ethernet switch, a device that provides a full-bandwidth connection between two connected devices, as compared to a hub, which shares bandwidth between all connected devices. A switch also forwards each unicast frame only to the port of its destination, whereas a hub repeats every frame to every port; on a hub, any computer on the network can capture all other computers' traffic with a packet sniffer.

  • Modem.

    This includes 28.8 or 56 Kbps analog modems, wireless modems, ISDN adapters, Digital Subscriber Line (DSL) adapters, and cable modems.

In addition, you’ll want to make sure that the computers on your network meet the following minimum requirements:

  • The computer sharing its Internet connection is running Windows XP Home Edition or Windows XP Professional. This is called the host computer.

  • The Network Setup Wizard can be run only on computers using Windows 98, Windows Me, Windows XP Home Edition, or Windows XP Professional.

After you install all the required hardware in each of your computers, you can run the Network Setup Wizard.

Home Network Configuration Instructions

In Windows XP Professional, setup of the ICS host and client computers is greatly simplified by using the Network Setup Wizard. Run the Network Setup Wizard on the ICS host computer first. Then run the wizard on the client computers. After you answer some basic questions, the wizard configures the computers to operate correctly on the network.

When running the Network Setup Wizard, be aware of the following:

  • You must run the Network Setup Wizard on every computer in your network.

  • Run the Network Setup Wizard on the host computer first. The host computer is the one that will share its Internet connection. When the Network Setup Wizard is run on subsequent computers, it automatically looks for a host computer that has shared its Internet connection.

  • To run the Network Setup Wizard in Windows 98 or Windows Me, you must use a Windows XP Professional or Windows XP Home Edition CD-ROM. You can also use a Microsoft Windows XP–based computer with Network Setup Wizard to create Network Setup Wizard diskettes for use on other computers.

  • To start the Network Setup Wizard on a Windows XP Professional–based computer, in Control Panel, click Network and Internet Connections, and then click Network Connections. Under Common Tasks, click Network Setup Wizard.

    Note You must be logged on as an administrator or a member of the Administrators group to complete this procedure.

To configure other computers on your home network
  1. Insert the Windows XP Professional or Windows XP Home Edition operating system CD.

  2. Under What do you want to do?, click Perform additional tasks.

  3. In Perform additional tasks, click Set up a home or small office network.

  4. In the dialog box welcoming you to the Network Setup Wizard, click yes to continue.

  5. Follow the instructions on your screen.

Managing Home and Small Office Local Connections

A local area connection is automatically created for each network adapter in your computer that is detected by Plug and Play. After a network adapter is installed, it is detected by the Plug and Play service. Network Connections enumerates the adapter and populates the Network Connections folder with a local area connection. Because local area connections are dependent upon a network card being recognized in the computer, they cannot be created by using Create a new connection.

For the adapter to be detected and the connection created, Plug and Play, Network Connections, and Remote Procedure Call (RPC) services must be started. All these services start automatically; no user interaction is required.

A local area connection might not appear in the Network Connections for any of the following reasons:

  • The network adapter was removed. A local area connection appears only if an adapter is detected.

  • The installed network adapter is malfunctioning.

  • If your network adapter is a legacy adapter that is not detected by the Add Hardware Wizard or Plug and Play, you might need to use the Add Hardware Wizard to set up the adapter manually in Device Manager before you see a local area connection in the Network Connections folder.

  • If the network adapter driver is not recognized, the adapter appears in Device Manager but you cannot see a local area connection. If your network adapter driver needs to be updated, use the Update Driver feature in the adapter’s property sheet.

If your computer has one network adapter but you need to connect to multiple LANs (for example, you use Dynamic Host Configuration Protocol [DHCP] at work but a static IP address configuration at home), you can configure TCP/IP with an alternate configuration. With an alternate configuration, your computer first tries to locate a DHCP server, and then if one is not found, it configures TCP/IP with the static configuration. For further information on alternate address configuration, see Chapter 24, “Configuring IP Addressing and Name Resolution.”

Note Windows XP Professional peer-to-peer networking can comfortably handle as many as 10 computers. (Windows XP Professional limits each computer to 10 simultaneous inbound connections to its shared files and printers; an eleventh computer that tries to use a busy share is refused. If more than 10 computers need to share resources, configure a Windows 2000 Server–based computer or a Windows Server 2003–based computer as a domain controller and file server.)

Use the network adapters that are supported by Windows XP Professional and listed in the Hardware section of the Windows Catalog at https://www.microsoft.com/windows/catalog.

Clients, Services, and Protocols

By default, the following clients, services, and protocols are installed with a local area connection:

  • Clients.

    Client for Microsoft Networks (allows you to access file and print shares of other Windows–based computers)

  • Services.

    File and Print Sharing for Microsoft Networks (allows you to share your own computer resources) and QoS Packet Scheduler (enforces QoS parameters for a particular data flow)

  • Protocols.

    TCP/IP, with automatic addressing enabled

Any other clients, services, and protocols, including Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), must be installed separately.

For information about configuring TCP/IP for a local area connection, see “Configuring TCP/IP” on the companion CD.

Local Area Connection Status

Like other connections, the appearance of the local area connection icon changes according to the status of the connection. The icon appears in the Network Connections folder, or if the network cable is disconnected, an additional icon appears on the taskbar. If a network adapter is not detected by your computer, a local area connection icon does not appear in the Network Connections folder. Table 25-4 describes the different local area connection icons.

Table 25-4 Local Area Connection Icons

Icon          Description                                                           Location
G25zs01.eps   The local area connection is active.                                  Network Connections folder
G25zs02.eps   The cable is unplugged from your computer, or from the wall or hub.   Network Connections folder
G25zs03.eps   The cable is unplugged from your computer, or from the wall or hub.   Taskbar
G25zs04.eps   The driver is disabled.                                               Network Connections folder
(none)        The network adapter was not detected.                                 No icon appears in the Network Connections folder

To view the status of a local area connection
  1. Right-click the local area connection, and then click Status.

    The General tab in the Local Area Connection Status dialog box, which is visible by default, provides information about the connection including its status, its duration, its speed, and the number of packets sent and received.

  2. The Support tab on the Local Area Connection Status dialog box displays data, including address type, IP address, subnet mask, and default gateway. Clicking the Details button displays a summary of advanced network data, including the network adapter’s physical (or MAC) address and the IP addresses of DHCP, DNS, and WINS servers. The Support tab is the equivalent of the Winipcfg.exe tool provided with Windows Me, Windows 98, and Windows 95; the same information is available at a command prompt by running ipconfig /all.

  3. To automatically enable the Status monitor each time the connection is active, right-click the local area connection, click Properties, and then select the Show icon in taskbar when connected check box. By default, the Status monitor is disabled for local area connections but enabled for all other types of connections.

WAN Adapters

Permanent connection WAN adapters—such as T1, Frame Relay, and ATM—also appear in the Network Connections folder as local area connections. For these adapters, some settings are autodetected and some need to be configured. For example, for a Frame Relay adapter, the appropriate management protocol, Committed Information Rates (CIR), Data Link Connection Identifiers (DLCIs), and line signaling must be configured. For these settings, contact your Frame Relay service provider. Default settings might vary according to the adapter.

The Network Bridge

The Network Bridge provides an IEEE 802.1D transparent bridge for grouping network interfaces at the media access control (MAC) sublayer of the OSI data-link layer. The bridge implements the spanning tree algorithm for prevention of bridged loops in the LAN segment topology.

A bridge in Windows XP Professional simplifies the setup and administration of a subnetted home network. The classic model of a subnetted IP network involves:

  • Assigning each network segment a subnet identifier (ID)

  • Correctly assigning IP addresses and subnet masks, and configuring packet forwarding on the computers connecting the subnets

  • Configuring name resolution servers

Bridging the LAN segments that make up a home network simplifies the situation by creating a single subnet. The entire home network can then operate with a single subnet. DHCP client computers on any LAN segment in the home network automatically obtain an IP address, subnet mask, and default gateway from the host computer on which ICS is enabled.

Note Bridging is a MAC-layer activity, making use of a single subnet ID. ICS is a network-layer activity, employing a single public IP address. The two are not related. However, the Network Bridge works only with TCP/IP.

Securing the Remote Network

You can configure your dial-up, virtual private network (VPN), and direct connections to enforce various levels of password authentication and data encryption. Authentication methods range from unencrypted to custom, such as the Extensible Authentication Protocol (EAP). EAP provides flexible support for a wide range of authentication methods, including smart cards, certificates, one-time passwords, and public keys. You can also specify the type of data encryption, depending on the type of authentication protocol (MS-CHAP, MS-CHAPv2, or Extensible Authentication Protocol-Transport Layer Security [EAP-TLS]) that you choose. Finally, if you have sufficient permissions, you can configure callback options to save telephone charges and increase dial-up security.

Advanced settings—such as Autodial, callback preferences, network identification, and binding order—are configured on the Advanced menu in the Network Connections folder. Optional networking components, such as the SNMP service, can also be installed on the Advanced menu. For more information about callback options and other advanced settings, see “Managing Outgoing Connections” earlier in this chapter.

If your Windows XP Professional–based computer connects to a Windows 2000–based server or Windows Server 2003–based server, the remote access permissions granted to your computer by the server are based on the dial-up settings of your user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in granting remote access permissions and specifying connection requirements and restrictions. If the settings of your connection do not match at least one of the remote access policies, the connection attempt is rejected, regardless of your dial-up settings.

The network administrator can configure Windows 2000 Server or Windows Server 2003 user accounts and domains to provide security by forcing encrypted authentication and encrypted data for remote communications. For more information about Windows 2000 security, see Windows 2000 Server Help. For more information about Windows Server 2003 security, see the Help and Support Center in Windows Server 2003.

Authentication

For dial-up, virtual private network (VPN), and direct connections, Windows XP Professional authentication is implemented in two processes: interactive logon and network access control (authorization). Successful user authentication depends on both of these processes.

Interactive Logon Process

The interactive logon process confirms a user’s identity to either a domain account or a local computer. Depending on the type of user account and whether the computer is connected to a network protected by a domain controller, the process can vary as follows:

  • A domain account.

    A user logs on to the network with a password or smart card, using credentials that match those stored in Active Directory. By logging on with a domain account, an authorized user can access resources in the domain and any trusting domains. If a password is used to log on to a domain account, Windows XP Professional uses the Kerberos V5 protocol for authentication. If a smart card is used instead, Windows XP Professional uses Kerberos V5 authentication with certificates.

  • A local computer account.

    A user logs on to a local computer, using credentials stored in Security Accounts Manager (SAM), which is the local security account database. Any workstation can maintain local user accounts, but those accounts can be used only for access to that local computer.

Network Access Control

The network access control process confirms the user’s identity to any network service or resource that the user is attempting to access. To provide this type of access control, the Windows 2000 or later security system supports many different mechanisms, including the Kerberos V5 protocol, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and, for compatibility with Microsoft Windows NT version 4.0, the NTLM protocol.

Note NTLM is a Microsoft protocol that serves as the default for authentication in Windows NT version 4.0. It is retained in Windows XP Professional, Windows 2000, and Windows Server 2003 for compatibility with clients and servers that are running Windows NT 4.0 and earlier. It is also used to authenticate logon attempts to stand-alone computers that are running Windows XP Professional, Windows 2000, or Windows Server 2003. The NTLM and older LAN Manager (LM) responses are challenge-response values that can be attacked offline from a captured exchange; where every participant supports it, raise the Network security: LAN Manager authentication level security setting so that clients send NTLMv2 responses only.

Users who have logged on to a domain account do not see network access control challenges during their logon session. Users who have logged on to a local computer account might have to provide credentials (such as a user name and password) every time they access a network resource.

Logging On Using Domain Credentials

The credentials that you use to initially log on to your computer are also the credentials that are presented to a domain when attempting to access a network resource. Therefore, if your local logon and network authorization credentials differ, you might be prompted to provide Active Directory domain credentials each time you access a network resource. You can avoid this by logging on to your computer by using your domain name, your domain user name, and your domain password before you try to connect to a network resource. If you log on without being connected to the network, Windows 2000 Server or Windows Server 2003 recognizes that your credentials match a previous successful logon attempt, and you receive the following message: “Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information.” Whenever you connect to your network, your cached credentials are sent to your domain and you can access network resources without having to provide your password again.

Authentication Protocols

You can use Network Connections with the following authentication protocols and methods.

PAP

Password Authentication Protocol (PAP) sends the user name and password as plaintext (unencrypted) and is the least secure authentication protocol: anyone who can capture traffic on the link recovers the password directly. PAP is used only when your connection and the server cannot negotiate a more secure form of validation. You might need to use this protocol when you are attempting to connect to a non-Windows-based server; disable it on every connection that does not require it.

SPAP

Shiva Password Authentication Protocol (SPAP) uses a two-way encryption scheme to encrypt passwords. By using SPAP, Shiva clients can dial in to computers running Windows 2000 Server, Windows Server 2003, and Windows XP Professional clients can dial in to Shiva network access servers.

CHAP

The Challenge Handshake Authentication Protocol (CHAP) negotiates a secure form of encrypted authentication by using Message Digest 5 (MD5), an industry-standard hashing scheme. A hashing scheme transforms data (for example, a password) in such a way that the result cannot practically be reversed to its original form and two different inputs are extremely unlikely to produce the same result. CHAP uses challenge-response with one-way MD5 hashing on the response: the server sends a random challenge, and your computer returns the MD5 hash of the message identifier, your password, and the challenge. In this way, you can prove to the server that you know your password without actually sending the password over the network. Note, however, that the server must hold your password in cleartext (or reversibly encrypted) form to compute the same hash, and that a captured challenge and response can be used for an offline dictionary attack against a weak password. By supporting CHAP and MD5, Network Connections can authenticate users to almost all third-party PPP servers.

Note If your server requires you to use PAP, SPAP, or CHAP, you cannot use data encryption for dial-up or PPTP connections.

If the connection is configured to require data encryption, and connects to a server that is only configured for PAP, SPAP, or CHAP authentication, the client terminates the connection.
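The CHAP exchange described above, and its two practical caveats (the server needs the cleartext secret, and a captured exchange can be attacked offline), as an added example that is not part of the Resource Kit. It implements the RFC 1994 response computation for both the client and the authenticator; the user name, secret, and word list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example, not from the Resource Kit: the RFC 1994 CHAP exchange with both
# the peer (client) and the authenticator (server) side. The user name, secret
# and word list below are constructed for the demo.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || Secret || Challenge) (RFC 1994 section 4.1)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues fresh random challenges and checks the responses."""

    def __init__(self, user_db: dict) -> None:
        # CHAP needs the secret itself: the server recomputes the same MD5, so
        # passwords must be stored in cleartext or reversibly encrypted form.
        self.user_db = user_db
        self.outstanding = {}          # identifier -> challenge awaiting a response

    def challenge(self, ident: int) -> bytes:
        ch = os.urandom(16)            # fresh and unpredictable; reuse would permit replay
        self.outstanding[ident] = ch
        return ch

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        ch = self.outstanding.pop(ident, None)   # each challenge is answered at most once
        secret = self.user_db.get(name)
        if ch is None or secret is None:
            return False
        expected = chap_response(ident, secret, ch)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist):
    """Why CHAP needs strong secrets: with one captured challenge/response pair an
    eavesdropper tests candidate passwords offline without contacting the server."""
    for candidate in wordlist:
        if chap_response(ident, candidate, challenge) == response:
            return candidate
    return None


def chap_demo() -> dict:
    """One good login, one replayed response, one wrong secret."""
    server = ChapAuthenticator({"alice": b"correct horse battery"})
    ident = 1
    ch = server.challenge(ident)
    good_resp = chap_response(ident, b"correct horse battery", ch)
    good = server.verify(ident, "alice", good_resp)

    server.challenge(ident)                              # new challenge for a new session
    replay = server.verify(ident, "alice", good_resp)   # old response no longer matches

    ch3 = server.challenge(ident)
    wrong = server.verify(ident, "alice", chap_response(ident, b"wrong", ch3))
    return {"good": good, "replay_rejected": not replay, "wrong_secret_rejected": not wrong}
```

The `verify` method pops the challenge before comparing, so a response can never be accepted twice, and the comparison is constant-time; neither detail costs anything and both are easy to forget in a home-grown authenticator.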

MS-CHAP

Microsoft created Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP), an extension of CHAP, to authenticate remote Windows-based workstations. Like CHAP, MS-CHAP uses a challenge-response mechanism.

Where possible, MS-CHAP is consistent with standard CHAP. Its response packet is in a format specifically designed for networks with computers running Windows XP Professional, Windows XP Home Edition, Windows 2000, Windows Server 2003, Windows NT, Windows Me, Windows 98, and Windows 95.

A version of MS-CHAP is available specifically for connecting to a Windows 95–based computer. It is available as part of the Windows Dial-up Networking 1.3 Performance and Security Upgrade for Windows 95. This is required only if your connection is being made to a Windows 95–based computer.

MS-CHAPv2

Windows XP Professional also includes Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2). This protocol provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. To minimize the risk of password compromise during MS-CHAP exchanges, MS-CHAPv2 supports only a newer, more secure version of the MS-CHAP password change process.

In Windows XP Professional and Windows 2000, both dial-up and VPN connections can use MS-CHAPv2. Computers running Windows NT 4.0, Windows 98, or Windows 95 can use MS-CHAPv2 only for VPN connections, not for dial-up connections.

For VPN connections, Windows 2000 Server and Windows Server 2003 offer MS-CHAPv2 before offering MS-CHAP. Updated Windows-based clients accept MS-CHAPv2 when it is offered and MS-CHAP is enabled. Dial-up connections are not affected.

EAP

The Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP). EAP was developed in response to an increasing demand for remote access user authentication that uses third-party security devices. EAP provides an infrastructure to support additional authentication methods within PPP. By using EAP, support for any number of authentication methods might be added, including token cards, one-time passwords, public key authentication using smart cards, certificates, and others. EAP is a critical technology component for secure VPN connections because it offers stronger authentication methods (such as public key certificates) that are more secure against brute-force attacks, dictionary attacks, and password guessing than older password-based authentication methods.

PEAP

The Protected Extensible Authentication Protocol (PEAP) is an EAP type that addresses a security concern in EAP by first establishing a secure channel that is both encrypted and integrity-protected using TLS. Because the TLS channel protects the EAP method negotiation and the authentication exchange that follows, password-based authentication protocols, such as MS-CHAPv2, that might otherwise be susceptible to offline dictionary attack can be used for authentication in wireless environments. This protection holds only if the client validates the server’s certificate; otherwise a rogue access point can terminate the TLS channel itself and capture the password exchange.

Certificate authentication

A certificate is a set of identifying information and a public key, digitally signed by the certification authority that issued it; the signature lets anyone who trusts that authority verify that the certificate has not been altered. In the certificate authentication process, your computer presents its user certificate to the server, and the server presents its computer certificate to your computer, enabling mutual authentication. As shown in Figure 25-4 and Figure 25-5, if a user certificate is installed either in the certificate store on your computer or on a smart card, and EAP-TLS is enabled, you can use certificate-based authentication in a single network logon process. A smart card additionally provides tamper-resistant storage for the private key, which never leaves the card.

Figure 25-4 Authentication tab on the Local Area Connection Properties sheet

Figure 25-5 Smart Card or other Certificate Properties dialog box

Certificates are validated by verifying the issuing authority’s digital signature with that authority’s public key. The public key is contained in the trusted root certificate of the certification authority that issued the certificate (or of the authority at the top of its chain). These root certificates are the basis for certificate verification. The set of roots that a connection trusts is chosen by a system administrator and should contain only the authority that issues your organization’s certificates, because any authority in the list can vouch for a server.

Smart cards

A smart card is a credit card–sized device that is inserted into a smart card reader, which is either installed internally in your computer or connected externally to your computer.

Certificates can reside either in the certificate store on your computer or on a smart card. When setting the security options of a connection, you can use a smart card or other certificate, and you can specify particular certificate requirements. For example, you can specify that the server’s certificate must be validated.

When you double-click New Connection in the Network Connections folder, if a smart-card reader is installed, Windows XP Professional detects it and prompts you to use it as the authentication method for the connection. If you decide not to use the smart card at the time you create a connection, you can later modify the connection to use another certificate or authentication method.

How the Remote Access Authentication Process Works

Your computer dials a remote access server. Depending on the authentication methods you have chosen, one or more of the following might happen:

  • If you are using PAP or SPAP:
  1. Your computer sends its password as plaintext (PAP) or using two-way encryption (SPAP) to the server.

  2. The server checks the account credentials against the user database.

  • If you are using CHAP or MS-CHAP:
  1. The server sends a challenge to your computer.

  2. Your computer sends a response computed from the challenge and your password (an MD5 hash for CHAP; a DES-encrypted value derived from the password hash for MS-CHAP) to the server.

  3. The server checks the response against the user database.

  • If you are using MS-CHAPv2:
  1. The server sends a challenge to your computer.

  2. Your computer sends an encrypted response and a challenge to the server.

  3. The server checks the response against the user database and sends back an encrypted challenge response.

  4. Your computer verifies the encrypted challenge response.

  • If you are using certificate-based authentication:
  1. The server requests credentials from your computer and sends its own computer certificate.

  2. If you configured your connection to Validate server certificate, your computer checks that the server’s certificate chains to a trusted root (and, if you listed server names, that it was issued to one of them). If not, this step is skipped and your computer accepts any server, which lets an impostor pose as your remote access server; leave server validation enabled outside of a test environment.

  3. Your computer presents its user certificate to the server.

  4. The server verifies that the user certificate is valid and that it has not been revoked.

  • If the account is valid and permitted through the dial-up properties of the user account and remote access policies, the server authorizes the connection.

  • If the connection is authorized, the server accepts your connection.

  • If callback is enabled, the remote access server calls your computer back and repeats the authentication process.

    Note If you are using an L2TP-enabled VPN connection, IP Security (IPSec) performs a computer-level authentication and provides encryption before any of these steps take place. For more information about IPSec, see “Data Encryption” later in this chapter.

Data Encryption

Think of data encryption as a key you use to lock valuables in a strong box. Sensitive data is encrypted by using a key algorithm, which renders the data unreadable without the key. Data encryption keys are determined when your computer connects to the computer on the other end. Data encryption can be initiated by your computer or by the server to which you are connecting.

For dial-up, VPN, and direct connections, Network Connections supports two types of encryption: Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 stream cipher from RSA Security, and an implementation of Internet Protocol security (IPSec) that uses Data Encryption Standard (DES) encryption. Both MPPE and IPSec support multiple key strengths for encryption.

Server controls are flexible. They can be set to deny the use of encryption or require a specific encryption strength. By default, most servers are set to allow encryption and allow clients to choose their encryption strength. The system administrator can set encryption requirements on a Windows 2000 or Windows Server 2003 remote access server or VPN server by using the encryption settings on the profile of a remote access policy.

The encryption method used by a VPN connection depends on the type of protocol used by the server to which it connects. If the VPN connection is using PPTP, MPPE is used. If the VPN connection is using L2TP, IPSec encryption methods and strengths are used. If the VPN connection is configured for an automatic server type (which is the default selection), PPTP is attempted first, followed by L2TP.

MPPE

Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections or PPTP VPN connections. Strong (128-bit key) and standard (56-bit key or 40-bit key) MPPE encryption levels are supported. The 40-bit and 56-bit levels exist for compatibility and can be broken by brute force, so require 128-bit encryption on both the connection and the remote access policy wherever the other end supports it. MPPE provides data security between your computer and your dial-up server (for dial-up PPP connections) and between your computer and your PPTP-based VPN server (for VPN connections).

To use MPPE-based data encryption for dial-up or VPN connections, the client and server must use the MS-CHAP, MS-CHAPv2, or EAP-TLS authentication methods. These authentication methods generate the keys used in the encryption process.
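Why MS-CHAPv2 derives different keys for sending and receiving, and why MPPE keys must never be shared between the two directions, as an added example that is not part of the Resource Kit. RC4, the cipher MPPE uses, produces a keystream that depends only on the key, so two directions under one key would be XORed with the same bytes. The RC4 below is a textbook implementation for illustration only, and the keys and messages are constructed.

```python
# Added example, not from the Resource Kit: a stream cipher such as RC4 computes
# ciphertext = plaintext XOR keystream(key). If both directions of a link used one
# key, XOR-ing the two captured ciphertexts would cancel the keystream and leak
# plaintext_send XOR plaintext_receive. Textbook RC4 for illustration only;
# the keys and messages used with it are constructed.


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt or decrypt (the same operation) of `data` under `key`."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_cancels(send_key: bytes, recv_key: bytes,
                      p_send: bytes, p_recv: bytes) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts, that is,
    the keystream cancelled out and the pair of messages leaks."""
    c_send = rc4(send_key, p_send)
    c_recv = rc4(recv_key, p_recv)
    n = min(len(p_send), len(p_recv))
    return xor_bytes(c_send, c_recv)[:n] == xor_bytes(p_send, p_recv)[:n]


def recover_reply_from_shared_key(key: bytes, p_send: bytes, p_recv: bytes) -> bytes:
    """Attacker model: the eavesdropper knows or guesses the client's outgoing
    plaintext (for example a fixed protocol header) and has captured both
    ciphertexts sent under one shared key. The server's reply falls out without
    the key ever being recovered."""
    c_send = rc4(key, p_send)
    c_recv = rc4(key, p_recv)
    return xor_bytes(xor_bytes(c_send, c_recv), p_send)
```

With distinct per-direction keys, as MS-CHAPv2 and MPPE provide, `keystream_cancels` returns False and the XOR trick yields noise; the same reasoning is why MPPE also changes the RC4 key at intervals rather than running one keystream for the life of the connection.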

IPSec

IP security (IPSec) is a suite of cryptography-based protection services and security protocols. Because it requires no changes to applications or protocols, you can easily deploy IPSec for existing networks.

The Windows XP Professional implementation of IPSec is based on industry standards developed by the Internet Engineering Task Force (IETF) IPSec working group.

IPSec provides computer-level authentication, as well as data encryption, for L2TP-based VPN connections. IPSec provides per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (captured packets cannot be interpreted without the encryption key). In contrast, PPTP provides only per-packet data confidentiality. IPSec negotiates a secure connection between your computer and the VPN server before an L2TP connection is established, which secures user names, passwords, and data.

Note UDP port 500 (IKE) must be open when using L2TP with IPSec for encryption, and intermediate firewalls must also pass ESP (IP protocol 50), which carries the encrypted L2TP traffic; the L2TP port itself, UDP 1701, then travels only inside ESP. Windows XP Professional with Service Pack 2, or with the L2TP/IPSec NAT-T update for earlier versions, additionally uses UDP port 4500 when a NAT separates the client from the VPN server.

IPSec encryption does not rely on the PPP authentication method to provide initial encryption keys. Therefore, L2TP connections use all standard PPP-based authentication protocols—such as EAP-TLS, MS-CHAPv2, MS-CHAP, EAP-MD5, CHAP, SPAP, and PAP—to authenticate the user after the secure IPSec communication is established. However, the use of EAP-TLS or MS-CHAPv2 is recommended.

Encryption is determined by the IPSec security association (SA). An SA is a combination of a destination address, security protocol, and unique identification value, called a Security Parameters Index (SPI). The available encryptions include:

  • Data Encryption Standard (DES), which uses a 56-bit key.

  • Triple DES (3DES), which uses three 56-bit keys. It is designed specifically for high-security environments; because a single 56-bit DES key can be recovered by brute force with modest hardware, require 3DES wherever the other end supports it.
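The replay protection and the SA lookup described above, as an added example that is not part of the Resource Kit: a sliding-window anti-replay check of the kind RFC 4303 Appendix A describes, in front of a security association database keyed by (destination address, security protocol, SPI). The addresses, SPI, and sequence numbers are constructed for the demo.

```python
# Added example, not from the Resource Kit: per-packet replay protection on an
# IPsec security association, using the sliding-window algorithm of RFC 4303
# Appendix A. The SA key (destination, protocol, SPI), the window size and the
# packet sequence fed in by the demo are constructed.

WINDOW = 64   # RFC 4303 requires at least 32; 64 is a common default


class ReplayWindow:
    """Tracks which sequence numbers have been seen within a 64-packet window."""

    def __init__(self, size: int = WINDOW) -> None:
        self.size = size
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0       # bit k set => sequence number (right - k) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:
            return False                         # 0 is never a valid ESP/AH sequence number
        if seq > self.right:                     # advances the right edge of the window
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 0                  # the whole old window falls out of range
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= self.size:
            return False                         # too old: left of the window, reject
        if self.bitmap & (1 << diff):
            return False                         # already received: replayed packet
        self.bitmap |= 1 << diff                 # late but new: accept and mark it
        return True


class SecurityAssociationDatabase:
    """Inbound SAD: finds the SA by (dst, protocol, SPI) before the replay check."""

    def __init__(self) -> None:
        self.sas = {}

    def add_sa(self, dst: str, proto: str, spi: int) -> None:
        self.sas[(dst, proto, spi)] = ReplayWindow()

    def accept(self, dst: str, proto: str, spi: int, seq: int) -> bool:
        window = self.sas.get((dst, proto, spi))
        if window is None:
            return False                         # no such SA: the packet is discarded
        return window.check_and_update(seq)


def replay_demo() -> list:
    """Feed a constructed sequence of ESP packets through one SA; reordering within
    the window is tolerated, duplicates and packets older than the window are not."""
    sad = SecurityAssociationDatabase()
    sad.add_sa("192.0.2.1", "ESP", 0x1000)
    seqs = [1, 2, 3, 3, 5, 4, 2, 70, 6, 7, 100, 36, 37]
    return [sad.accept("192.0.2.1", "ESP", 0x1000, s) for s in seqs]
```

The window is what lets IPsec tolerate the reordering that real networks produce (sequence 4 arriving after 5 is accepted) while still rejecting the replayed 3 and 2, and anything that has fallen behind the left edge; the check is only meaningful because the sequence number is covered by the per-packet integrity check, so an attacker cannot simply renumber captured packets.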

Sharing an Internet Connection

The Internet Connection Sharing (ICS) feature in Windows XP Professional provides a simple solution to allow all the computers on a home or small business network to share the same connection to the Internet.

You can use the Internet Connection Sharing (ICS) feature of Network Connections to connect your remote office network to the Internet. For example, you might have a home network with only one of the home network computers connected to the Internet by using a dial-up connection. By enabling ICS on the computer that uses the dial-up connection, you provide Internet access to all the computers on your home network, with only one computer physically connected to the Internet.

After ICS is enabled and users verify their networking and Internet options, remote office network users can use applications, such as Microsoft Internet Explorer and Microsoft Outlook Express, as if they were already connected to the Internet. If the ICS host computer is not already connected to the Internet, it dials the ISP and creates the connection so that the user can reach the specified Web address or resource.

Using ICS, you designate one remote office computer as the ICS host computer. Typically, this is the computer with the fastest outgoing connection, such as a DSL or cable modem. Use the ICS host computer to establish the connection to the Internet. All other computers on your remote office intranet—referred to from this point as “clients” to distinguish them from the ICS host computer—use the shared connection on the ICS host computer to access the Internet. In general, this is a three-step process:

  1. Configure the ICS host computer for Internet access. How you set up the ICS host computer depends on whether it uses an analog modem or ISDN connection, or a DSL or cable modem connection to the outside world.

  2. Enable Internet Connection Sharing on the ICS host computer to provide Internet access to everyone on the branch intranet.

  3. Configure your client computers for dynamic IP addressing.

To use the Internet Connection Sharing feature, users on your remote office network must configure TCP/IP on their local area connection to obtain an IP address automatically. ICS provides network address translation, IP address allocation, and DNS name resolution services for all computers on your remote office network or home network that are configured for automatic addressing.

The following protocols, services, interfaces, and routes shown in Table 25-5 are configured when you enable Internet Connection Sharing.

Table 25-5 Settings for Internet Connection Sharing

Item                                  Configuration
IP address 192.168.0.1                Configured with a subnet mask of 255.255.255.0 on the network adapter that is connected to the small office/home office network
Autodial feature                      Enabled
Static default IP route               Created when the dial-up connection is established
Internet Connection Sharing service   Started automatically
DHCP allocator                        Enabled with the default range of 192.168.0.2 to 192.168.0.254 and a subnet mask of 255.255.255.0
DNS proxy                             Enabled

Note Throughout this chapter, remote office is defined as any home office, branch office, or sole office of a small business connected to either a private network or to the Internet.

For a detailed scenario about setting up ICS in a branch office network, see “ICS Scenario: Connecting Your Branch Office’s Intranet to the Internet” later in this chapter.

Using DHCP with ICS

The computer functioning as your ICS host maintains two connections. One connects the ICS host to the other computers in the remote office, always by means of a network adapter. The other, whether a second network adapter or a modem, connects the network to the Internet. Enable ICS on the connection that leads to the Internet, never on the one that leads to the office network. When ICS is enabled on a connection, the ICS host becomes a Dynamic Host Configuration Protocol (DHCP) allocator for the remote office network and hands out IP addresses and other configuration information to clients as they start up. With ICS on the correct (Internet) connection, the ICS host allocates addresses only through its local network adapter, the shared connection carries the office's traffic to the Internet, and computers outside your network are never offered addresses by your allocator. If ICS is enabled on the wrong network adapter, the allocator answers DHCP requests from computers outside your local network and hands them addresses from your private range, causing problems on their own networks.

There are groups of IP addresses that are specifically reserved for private networks and are never routed on the Internet (RFC 1918). One of these groups is used by ICS: 192.168.0.1 through 192.168.0.254, with a subnet mask of 255.255.255.0.

Understanding the IP addressing scheme and using it appropriately can be difficult. The DHCP allocator lets the ICS host computer assign IP addresses to its clients automatically. By default, as soon as ICS is enabled, the allocator begins assigning addresses to computers on the network.

Your ISP might use a DHCP service to assign your computer a dynamic IP address when you connect to the Internet. Quite possibly, each time your computer connects to the Internet, a different but unique IP address might be assigned to it. Keep in mind that the DHCP dynamic address assignment, referred to here, does not affect the ICS private adapter, which always has the same address.

If your ICS host computer has two adapters—one for the device connecting you to the Internet and another for connecting to your remote office network—an IP address of 192.168.0.1 is always assigned to the network adapter connected to your network. This address is assigned permanently and is referred to as a static IP address because it does not change. Next, the DHCP client service is loaded into memory so that a dynamic IP address can be assigned to the computer’s external adapter by your ISP.

Each client computer on your remote office network must request an IP address from your ICS computer. It is important that the ICS host computer remains on all the time or is started prior to starting the other computers on your network. Otherwise, the client computers will be unable to obtain an IP address.

For more information about DHCP, see Chapter 24, “Configuring IP Addressing and Name Resolution.”

Note Internet Connection Sharing does not work with some versions of AOL. For more information, contact AOL.

ICS Scenario: Connecting Your Branch Office’s Intranet to the Internet

This scenario describes how to connect a branch office of a corporation to the Internet. It also explains the differences between setting up an analog modem or ISDN connection, and setting up a cable modem or DSL connection. This scenario also discusses how to configure a computer on the intranet of a branch office to use a VPN to connect to the corporate network. Figure 25-6 shows the initial configuration for a branch office.

Figure 25-6 Initial configuration of a branch office

The Internet Connection Sharing (ICS) feature in Windows XP Professional provides a simple solution to allow all computers on a local intranet to share the same outgoing connection to the Internet.

Note Never turn off the ICS computer while any of the clients are running, as the ICS computer provides IP address configuration, name resolution services, and a gateway to the Internet. If you do lose power to the ICS computer, the other remote office clients cannot access the Internet because the shared connection on the ICS computer is not available.

Configuring the ICS Computer

How you configure the ICS host computer depends on whether it connects to the Internet using an analog modem or ISDN connection, or a high-speed device such as a DSL or cable modem.

Note The ICS host computer automatically assigns IP addresses, forwards DNS names to the Internet for resolution, and assigns itself as the default gateway for connecting to the Internet. If any clients on the remote office’s intranet are providing these functions, Internet Connection Sharing might not work.

Configuring an ICS computer with an analog modem or ISDN connection

In this configuration, the ICS computer connects to the Internet using an analog modem or ISDN connection. The ICS computer and all other computers in the branch office are connected to that office’s intranet using network adapters. Figure 25-7 shows how an Internet connection is shared using an analog modem or an ISDN connection.

Figure 25-7 Internet Connection Sharing using an analog modem or ISDN connection

Install the analog modem (or make sure you have a modem installed) on the ICS computer you want to use to access the Internet. If you are installing an analog modem in the ICS computer for the first time, Windows XP Professional Plug and Play automatically detects and configures the analog modem.

Open the Network Connections folder, and then double-click New Connection Wizard. The New Connection Wizard sets up the connection to your Internet service provider (ISP). Configure the connection by using the settings provided by your ISP.

After the wizard has created the new connection to your ISP, Windows XP Professional adds a new icon for the connection in the Network Connections folder. Right-click that icon, click Properties, click the Advanced tab, and then select the Allow other users to connect through this computer’s Internet connection check box so that the dial-up connection is the shared one. Test the new Internet connection by connecting to your ISP and verifying that you can browse the World Wide Web.

Check the configuration of the clients as described later in this section. Finally, verify the shared ICS connection by browsing the World Wide Web from one of the clients on the remote office intranet.

Configuring an ICS computer with a DSL or cable modem connection

In this configuration, the ICS computer connects to the Internet using a network adapter connected to a high-speed DSL or cable modem. The ICS computer connects to the other computers in the branch office’s intranet using a second network adapter. The rest of the computers in the branch office connect to the local intranet using other network adapters. Figure 25-8 shows how an Internet connection is shared by using a DSL or cable modem connection.

Figure 25-8 Internet Connection Sharing using a DSL or cable modem connection

On the ICS computer, rename the existing local area connection to the branch office intranet (for example, “Office Intranet”) so that it is easy to tell apart from the Internet connection later, and then install the second network adapter that connects to the DSL or cable modem. If you are installing the second network adapter for the first time, Plug and Play automatically detects and configures it.

Next, right-click the icon for the new connection in the Network Connections folder, and then click Properties. Configure the connection by using the settings provided by your ISP. Click the Advanced tab, and then select the Allow other users to connect through this computer’s Internet connection check box. Make sure that you do this on the new external connection and not on “Office Intranet”; sharing the intranet connection turns the DHCP allocator toward the Internet.

Rename the new external connection to the Internet to differentiate it from the branch office’s intranet, and then test the new Internet connection by connecting to your ISP and verifying that you can browse the Web.

Finally, check the configuration of the clients (as described in the following section) and then verify the shared ICS connection by browsing the Web from one of the clients.

Configuring remote office client computers for ICS

To verify that the network settings on each client in the remote office are configured properly to use the new ICS computer to connect to the Internet, do the following:

  • Verify that the local area connection to the branch office intranet uses the Client for Microsoft Networks, File and Printer Sharing, and Internet Protocol (TCP/IP) components. (These are the default settings in Windows XP Professional and Windows XP Home Edition.)

  • Verify that the TCP/IP properties for the connection are configured to obtain an IP address and a DNS server address automatically. (These are the default settings in Windows XP Professional.)

  • After the ICS computer has been initially configured and tested, restart all the clients. Do not restart the ICS computer.

    Tip If you have trouble accessing the Internet from a client, verify that the Internet browser for the client is configured to connect using the LAN. If this is not the problem, ping the ICS computer by typing ping 192.168.0.1 at the command prompt. If this also fails, verify the physical connection from the client to the office intranet. Finally, you can use the Support tab of a Local Area Connection Status dialog box to view details of the IP configuration of the client. Alternatively, open a command prompt, and type ipconfig for IP configuration details.

The only necessary modification for client applications is to configure Internet Explorer to use the branch office LAN connection to the Internet.
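As an added check that is not part of the Resource Kit text, the following Python script (the parser and both sample ipconfig captures are constructed for illustration) reads the output of ipconfig /all and reports whether a client is configured as the “Using DHCP with ICS” section and the tip above expect: DHCP enabled, an address from the ICS range 192.168.0.0/24, and 192.168.0.1 as both default gateway and DNS server. A 169.254.x.x autoconfiguration address is singled out, because that is what a client receives when the ICS host was not running when the client started.

```python
"""Check an ICS client's TCP/IP configuration from `ipconfig /all` output.
Added example; the parser and the sample captures are constructed, not taken
from the Resource Kit.  Run:  ipconfig /all | python ics_check.py"""

import ipaddress
import re
import sys

ICS_HOST = ipaddress.ip_address("192.168.0.1")       # ICS private adapter, gateway and DNS proxy
ICS_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # range used by the ICS DHCP allocator
APIPA = ipaddress.ip_network("169.254.0.0/16")       # address a client picks when no DHCP reply arrives

# Matches "        IP Address. . . . . . . . . . . . : 192.168.0.23"
_FIELD = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {section name: {field: value}}.  Sections are the unindented
    lines, such as 'Ethernet adapter Local Area Connection:'."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.strip().rstrip(":")
            sections[current] = {}
        elif current is not None:
            m = _FIELD.match(line)
            if m:
                # Keep the first value only; ipconfig prints additional DNS
                # servers on unlabelled continuation lines, which are ignored here.
                sections[current].setdefault(m.group(1).strip(), m.group(2).strip())
    return sections


def check_ics_client(fields):
    """Return a list of problems; an empty list means the adapter is a
    correctly configured ICS client."""
    problems = []
    if fields.get("Dhcp Enabled", "").lower() != "yes":
        problems.append("DHCP disabled: set TCP/IP to obtain an IP address automatically")
    # XP labels an autoconfigured address "Autoconfiguration IP Address".
    addr = fields.get("IP Address") or fields.get("Autoconfiguration IP Address", "")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return problems + ["no IP address on this adapter"]
    if ip in APIPA:
        return problems + ["169.254.x.x autoconfiguration address: no DHCP reply "
                           "(ICS host not running when the client started, or cable unplugged)"]
    if ip not in ICS_SUBNET:
        problems.append(f"{ip} is outside {ICS_SUBNET}: another DHCP server answered, "
                        "or ICS is enabled on the wrong adapter")
    for name in ("Default Gateway", "DNS Servers"):
        if fields.get(name) != str(ICS_HOST):
            problems.append(f"{name} is {fields.get(name) or 'missing'}, expected {ICS_HOST}")
    return problems


# Constructed captures: a healthy client, and one started before the ICS host.
GOOD = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : client1

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

NO_DHCP_REPLY = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.17.88
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

if __name__ == "__main__":
    text = GOOD if sys.stdin.isatty() else sys.stdin.read()
    for name, fields in parse_ipconfig(text).items():
        if "adapter" in name:
            problems = check_ics_client(fields)
            print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Pipe real ipconfig output into the script on a client, or run it without input to see the constructed healthy capture evaluated. The check deliberately treats an address outside 192.168.0.0/24 as a sign of a second DHCP server or of ICS enabled on the intranet adapter, the two misconfigurations the text warns about.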

Configurations to avoid

ICS is designed to enable a computer to be a translating gateway to the Internet. Some cable modem or DSL configurations duplicate this function. To properly use ICS, do not connect a cable or DSL modem, the ICS computer, and all the other clients on the branch office intranet directly into a network hub.

You can use this type of configuration only when your ISP has assigned a public, static IP address to each client on your intranet. When you use a network hub in this way, ICS is not needed for Internet access, but every client is then directly reachable from the Internet. In this configuration, you must disable File and Printer Sharing on all computers, and keep Windows Firewall enabled on each of them, to prevent access to your computers from Internet users. Most remote offices avoid this configuration because it disables file and printer sharing between the clients on the remote office’s intranet.

Some cable or DSL modems provide a built-in network hub. In this scenario, do not connect the network adapters of all the computers on your intranet directly into the cable modem.

Creating a VPN connection to the corporate network

As network administrator of the branch office, you want to configure a few individual clients for access to the corporate network to send and receive e-mail, install software updates, transfer files, and otherwise access network servers and company-wide resources.

You can create a virtual private network (VPN) connection from one of the branch office’s clients that tunnels through the Internet to the corporate network by using PPTP. L2TP/IPSec connections cannot be made from branch office intranet client computers through the ICS host’s network address translation unless both the client and the corporate VPN server support IPSec NAT traversal (NAT-T, which carries ESP inside UDP port 4500). It is a safe, secure way of connecting directly to the corporate network from a computer on the branch office network. Figure 25-9 shows how one client on the office intranet is connected to a corporate network by means of a PPTP-based VPN tunnel.

Figure 25-9 Connect a remote office client to the corporate network using a PPTP-based VPN connection

Do not create a VPN connection to the corporate network from the ICS computer. If you do, then by default all traffic from the ICS computer, including traffic from intranet clients, is forwarded over the VPN connection to the corporate network. This means that Internet resources are not reachable and that all branch office computers will send data over a logical connection by using the credentials of the ICS computer user, a questionable security practice.

The first time you start a new VPN connection, it takes a few moments to connect using PPTP, and then it tries to connect using L2TP and IPSec. Subsequent connections do not take as long because the VPN connection remembers which VPN protocol was successful for the initial connection.

After the VPN connection is made, the client on the remote office’s intranet has access to the shared resources (such as file servers and printers) on the corporate network.

Likewise, while the client is connected to the corporate network using a VPN, the client is logically disconnected from the Internet unless the corporate network provides its own Web access. This happens because, by default, a VPN connection uses the remote network as its default gateway (the Use default gateway on remote network setting in the connection’s advanced TCP/IP properties). Leaving that setting enabled is the safer choice: clearing it lets the client carry traffic between the Internet and the corporate network at the same time. To access the Web through the corporate network, a client must be configured to use the rules established for Web access from the corporate network. For example, many corporations use a proxy server. In this scenario, you need to configure the browser of the client to use the corporate proxy server to access the Web. You can configure Internet Explorer to use specific proxy settings with specific Internet connections. After doing so, the client can easily shift between accessing the Internet by using the shared connection on the ICS computer or by using a VPN connection through the corporate network.

Using the Windows Firewall

The Windows XP SP2 Windows Firewall provides a solution for both novice and advanced users to protect desktop computers from passive and active Internet network threats, while still providing a rich Internet experience and ease of integration for the system within a remote office network.

Windows Firewall is a stand-alone feature and is enabled by default on every connection. On an ICS host, it must remain enabled on the shared (Internet-facing) connection; that is what protects the private network behind it. On a corporate computer, Windows Firewall is enabled or disabled according to corporate policy; on a home network that is running a third-party firewall, it might be necessary to disable Windows Firewall so that the two do not conflict. Windows Firewall is included with all editions of Windows XP SP2.

For more information on Windows Firewall, see Chapter 22, “Implementing Windows Firewall.”

Troubleshooting Remote Network Connections

The following sections describe common troubleshooting issues with the Network Connections feature in remote office environments as well as the relevant troubleshooting tools provided with Windows XP Professional.

Troubleshooting Tools

There are many tools within Windows XP Professional that allow you to monitor modem or Point-to-Point Protocol (PPP) activity and diagnose network and dial-up connections, including:

  • PPP logging

  • Modem logging

  • Modem diagnostics

  • Netdiag

  • Device Manager

PPP Logging

PPP logging records the series of programming functions and PPP control messages during a PPP connection. The PPP logs are a valuable source of information when you are troubleshooting the failure of a PPP connection.

Note Routing and Remote Access service must be restarted for changes in logging settings to take effect.

To enable PPP logging on the client that is initiating the connection, use the Netsh command-line tool. The syntax for the command is:

netsh ras set tracing * enabled

The trace files, including Ppp.log, are written to the systemroot\tracing folder. Conversely, if you want to stop PPP logging, the command syntax is:

netsh ras set tracing * disabled

Modem Logging

By using Phone and Modem Options in Control Panel, you can record a log of commands as they are sent to your modem by communication programs or the operating system. On Windows XP Professional, logging is always turned on and the log is overwritten at the beginning of every session unless you select the Append to Log check box.

Note Commands sent to the modem are captured in the file systemroot\ModemLog_Model.txt. In this file path, Model is the name of the modem as it appears in the list of installed modems on the Modems tab of Phone and Modem Options.

Modem Diagnostics

When you query a modem, Windows XP Professional runs the commands and displays the results, as shown in Table 25-6. You can verify whether your modem is working properly by using the diagnostic queries that are available by means of Phone and Modem Options in Control Panel.

Table 25-6 Modem Query Commands and Responses

Command       Response
ATQ0V1E0      Initializes the query.
AT+GMM        Identifies the modem model (the ITU V.250 recommendation is not supported by all modems).
AT+FCLASS=?   Identifies the fax classes supported by the modem, if any.
AT#CLS=?      Shows whether the modem supports the Rockwell voice command set.
ATIn          Displays manufacturer’s information for n = 1 through 7. This provides information such as the port speed, the result of a checksum test, and the model information. Check the manufacturer’s documentation for the expected results.
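As an added example that is not part of the Resource Kit, the following Python script pairs each query command from Table 25-6 with the responses recorded for it and flags the two outcomes worth acting on: a command the modem answers with ERROR (not supported) and a command that gets no final result code at all (the modem stopped answering). The log lines are constructed and only loosely modelled on a ModemLog_Model.txt capture; a real log may split a long response across several Recv lines, which this parser does not reassemble.

```python
"""Pair modem query commands with their responses from a modem log.
Added example; SAMPLE_LOG is constructed, not a captured ModemLog file."""

import re

# Constructed lines in the "date time - Send:/Recv: payload" shape of ModemLog_<Model>.txt.
SAMPLE_LOG = """\
03-18-2005 14:33:01.101 - Send: ATQ0V1E0<cr>
03-18-2005 14:33:01.140 - Recv: <cr><lf>OK<cr><lf>
03-18-2005 14:33:01.150 - Send: AT+GMM<cr>
03-18-2005 14:33:01.190 - Recv: <cr><lf>V90 Data/Fax Modem<cr><lf>
03-18-2005 14:33:01.191 - Recv: <cr><lf>OK<cr><lf>
03-18-2005 14:33:01.200 - Send: AT+FCLASS=?<cr>
03-18-2005 14:33:01.240 - Recv: <cr><lf>0,1,1.0,2<cr><lf>
03-18-2005 14:33:01.241 - Recv: <cr><lf>OK<cr><lf>
03-18-2005 14:33:01.250 - Send: AT#CLS=?<cr>
03-18-2005 14:33:01.290 - Recv: <cr><lf>ERROR<cr><lf>
03-18-2005 14:33:01.300 - Send: ATI3<cr>
"""

_LINE = re.compile(r"^\S+ \S+ - (Send|Recv): (.*)$")
_FINAL = {"OK", "ERROR"}  # V.250 final result codes that end a command

# What each Table 25-6 query asks for.
PURPOSE = {
    "ATQ0V1E0": "query initialization",
    "AT+GMM": "modem model",
    "AT+FCLASS=?": "fax classes",
    "AT#CLS=?": "Rockwell voice command set",
    "ATIn": "manufacturer information",
}


def _strip_ctl(payload):
    """Remove the <cr>/<lf> markers the log uses for control characters."""
    return payload.replace("<cr>", "").replace("<lf>", "").strip()


def describe(cmd):
    if cmd in PURPOSE:
        return PURPOSE[cmd]
    return PURPOSE["ATIn"] if re.fullmatch(r"ATI\d", cmd) else "unknown command"


def parse_queries(log):
    """Return [(command, [information lines], final result code or None)],
    attaching each Recv line to the most recent Send."""
    queries = []
    for line in log.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, payload = m.group(1), _strip_ctl(m.group(2))
        if kind == "Send":
            queries.append([payload, [], None])
        elif queries:
            if payload in _FINAL:
                queries[-1][2] = payload
            elif payload:
                queries[-1][1].append(payload)
    return [tuple(q) for q in queries]


def diagnose(queries):
    """List the commands that failed or never completed."""
    findings = []
    for cmd, _lines, final in queries:
        if final is None:
            findings.append(f"{cmd} ({describe(cmd)}): no response; check cable, power and port speed")
        elif final == "ERROR":
            findings.append(f"{cmd} ({describe(cmd)}): ERROR, not supported by this modem")
    return findings


if __name__ == "__main__":
    for cmd, lines, final in parse_queries(SAMPLE_LOG):
        print(f"{cmd:12} -> {final!s:6} {' | '.join(lines)}")
    for finding in diagnose(parse_queries(SAMPLE_LOG)):
        print("!", finding)
```

An ERROR for AT#CLS=? is normal on a modem without the Rockwell voice set and needs no action; a command with no final result code, as for ATI3 in the sample, is the pattern to chase, because it means the modem stopped talking to the port.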

Device Manager

Device Manager provides information about how the hardware on your computer is installed and configured. It can help you determine the source of resource conflicts and the status of COM ports. You can also use Device Manager to check the status of your hardware and update device drivers, such as modem drivers, on your computer.

To open Device Manager
  1. Right-click My Computer.

  2. Click Manage.

  3. In Computer Management window, select Device Manager in the console tree.

Troubleshooting Common Local Area Configuration Problems

The following section describes a common local area–related problem that you might encounter, and possible causes and solutions for it.

No response when using a local area network connection

There are two possible causes for the lack of response when using a LAN connection:

  • There might be problems with your network adapter. Check the appearance of the local area connection icon in the Network Connections folder. Depending on the status of the local area connection, the icon appears in different ways. Use Device Manager to verify that your network adapter is working correctly.

  • The LAN cable might not be plugged into the network adapter. If this is the case, a status icon is displayed in the taskbar. Check to make sure the LAN cable is inserted into the network adapter.

Troubleshooting Common Remote Access Configuration Problems

The following sections describe common remote access–related problems that you might encounter, and possible causes and solutions for them.

Modem not working
  • The modem is not connected properly or is turned off. Verify that the modem is connected properly to the correct port on your computer. If the modem is external, verify that the power is on.

  • The modem cabling is faulty. Do not use the 9-to-25-pin converters that are included with most mouse hardware because some of them do not carry modem signals. To be safe, use a converter made especially for this purpose.

  • You dialed the wrong number, or you dialed the correct number but forgot to dial an external line-access number, such as 9. Verify that the number is correct as dialed.

  • The modem is incompatible. If you have access to another computer with an Internet connection, check the list of compatible modems in the Hardware Compatibility List link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

  • You do not have a valid user account, or you do not have remote access permission. Verify that your user account has been established and that you have remote access permission.

  • The telephone line does not accommodate your modem speed. Select a lower bits-per-second (bps) rate or find a direct line.

  • The line you are trying to use is digital. Most modems work only with analog phone lines. Verify that you have analog phone lines installed or, if you have digital phone lines installed, verify that the servers and clients have digital modems.

  • Your modem cannot negotiate with the modem of the server. Try using the same type of modem as the server.

  • The remote access server is not running. Verify that the remote access service is running. If it is not, the administrator needs to carefully check the error and audit logs to see why the service stopped. After the problem is fixed, restart the service. If the service is running, the administrator needs to check whether other remote access clients can connect properly. If other clients can connect, the problem might be specific to your workstation.

When trying to connect, an error message indicates that the remote access server is not responding
  • The line you are dialing is affecting the speed. If you can connect to your remote access server by using more than one number, try another number and see if the speed improves.

  • At higher data rates, your modem is incompatible with the modem of the server. Select a lower bps rate.

  • The modem appears to have a problem connecting. If there is a lot of static on the phone line, this might be preventing the modem from connecting at a higher data rate. Select a lower bps rate.

  • The modem and telephone line are not operating correctly. This might be the result of dropped sessions caused by excessive static on the telephone line. Although the symptoms might be different than the previous problem, the cause might be the same. You can use modem diagnostics to confirm correct modem operation.

  • Your modem software needs to be updated. Check with your modem manufacturer for modem software updates.

  • There is some kind of switching equipment between the client and server that prevents the two modems from negotiating at a higher data rate. Adjust the speed of your modem to a lower data rate.

  • The quality of your line is insufficient. Contact your telephone company to verify the quality of your line.

  • The remote access server is not running properly. Try connecting to the same server from another workstation. If other workstations are having the same problem, there might be problems with server applications or hardware. If other clients don’t have the same difficulty, the problem could be specific to your workstation.

  • The remote access server is not running. Verify that the server is running; a modem that negotiates a lower data rate than specified can produce the same error message, so check the rate as well.

Connections to a remote access server keep getting dropped
  • The remote access server disconnected you because of inactivity. Try calling again.

  • Call waiting is disrupting your connection. Verify that the phone has call waiting. If so, disable call waiting, and then try calling again.

  • Someone picked up the phone. Picking up the phone automatically disconnects you. Try calling again.

  • Your modem cable is disconnected. Verify that the modem cable is connected properly.

  • Your modem software needs to be updated. Check with your modem manufacturer for modem software updates.

  • Your modem settings need to be changed because of a remote access server change. Verify the modem settings.

Connections are disconnecting abnormally
  • The remote access server is not running. Verify that the server is running.

  • Your modem cannot negotiate correctly with the modem of the remote access server. The serial port of the computer cannot match the speed you have selected. Try to connect at a lower initial port speed.

  • Your modem software needs to be updated. Check with your modem manufacturer for modem software updates.

When trying to connect, a hardware error message is received
  • The external modem is turned off. Verify that the external modem is turned on. If the external modem is turned off, turn it on and redial.

  • Your modem is not functioning properly. Start modem logging to test the connection.

  • Your cable is incompatible. If your modem communicates by using HyperTerminal, but not through Network Connections, the cable that attaches your modem to the computer is probably incompatible. You need to install a compatible cable.

Connections do not appear in the Network Connections folder
  • The folder might need to be refreshed. Press F5 to refresh the folder.

Conflicts between serial ports are causing connection problems
  • The serial ports are conflicting. COM1 and COM3 share interrupt request (IRQ) 4. COM2 and COM4 share IRQ 3. To avoid such serial communications problems, do not use COM1 and COM3 simultaneously, or COM2 and COM4 simultaneously. For example, avoid using Network Connections on COM1 and Terminal on COM3.

  • This rule applies if you are using a serial mouse in addition to other serial communications programs such as Network Connections. The rule does not apply if you are using an intelligent serial adapter, such as a DigiBoard serial adapter.

When trying to connect by using ISDN, a “No Answer” message is received
  • The line is busy. Try calling later.

  • A poor line condition (for example, too much static) interrupted your connection. Wait a few minutes, and then try dialing again.

  • Your ISDN switching facility is busy. Try again later.

  • Your phone number is not configured correctly. In some cases, each B channel on an ISDN line has its own number, although in other cases both B channels share a single number. Contact your telephone company to determine how many numbers your ISDN line has.

  • If you are located in the United States or Canada and using ISDN, your Service Profile Identifier (SPID) is configured incorrectly. The SPID normally consists of the phone number with additional digits added to the beginning, the end, or both. The SPID helps the switch understand what type of equipment is attached to the line and routes calls to appropriate devices on the line. If an ISDN channel requires an SPID but it is not entered correctly, the device cannot place or accept calls. Verify that the SPID is entered correctly.

  • You did not enable line-type negotiation, or a connection cannot be made with the line type you selected. Enable line-type negotiation.

  • There is a problem with the hardware. Verify that the ISDN adapters are installed and configured correctly.

  • Your DigiBoard adapter is too old. If you do not have the latest PCIMAC-ISA DigiBoard adapter, serial number A14308 or greater, contact DigiBoard for a replacement.

  • The remote server did not answer because it is turned off or the modem is not connected. Contact that server’s system administrator.

Connections made by using X.25 fail
  • The dial-up packet assembler/disassembler (PAD) is configured with the wrong X.3 parameters or serial settings. If the remote access server is running and you cannot connect to it directly by using an X.25 smart card or an external PAD, modify the dial-up PAD X.3 parameters or serial settings. If they are available, obtain the correct settings.

  • New Pad.inf entries are incorrect. Check other Pad.inf entries for direct connections and external PADs, and view the comments that appear with them. You might need a line analyzer or a terminal program to see the response for the PAD.

  • Your modem is incompatible. If the modem that connects to a dial-up PAD connects at a lower speed than it should, replace the modem with a compatible one.

  • The leased line for the remote access server is congested. This could be caused by congestion on the leased line for the remote access server. Typically, in such an instance, a connection has been established but the network drives are disconnecting. As a result, you might be dropping sessions or getting network errors.

    • For example, four clients connecting at 9600 bps (through dial-up PADs) require a 38,400-bps (four times 9600) leased line on the server. If the leased line does not have adequate bandwidth, it can cause timeouts and degrade performance for connected clients. This is most likely the case if all bandwidth is dedicated to Routing and Remote Access.

    • Keeping all this in mind, verify that the speed of the leased line can support all the COM ports at all speeds clients use to dial in.

PPTP connections fail
  • TCP/IP connectivity problems are keeping you from connecting to the PPTP server. You can use the ipconfig and ping commands to verify the reachability of the server. Keep in mind that ping will typically fail to a VPN server because of packet filtering at the server.

  • A legacy Winsock Proxy client, used in Proxy Server 2.0, is active. The Winsock Proxy service requires a protocol definition to identify valid network protocols when access control is enabled. The WinSock Proxy service uses the defined protocols to determine which Windows Sockets applications can be used to access the Internet. A VPN connection cannot operate with an active Winsock Proxy client. Winsock Proxy immediately redirects packets to the proxy server before they can be processed by a virtual private network connection for encapsulation. Disable the Winsock Proxy client. One alternative is to upgrade Proxy Server 2.0 to Microsoft ISA Server 2000 or later, allowing you to run the computer as an ISA Server Firewall client.

  • You do not have the appropriate connection and domain permissions on the remote access server. Obtain appropriate permissions.

  • You do not have a public IP address, and the network address translator between you and the Internet does not pass PPTP traffic. Obtain a public IP address, or enable PPTP passthrough on the device as described for DSL modems below.

  • Name resolution problems are keeping you from resolving names to IP addresses. Specify fully qualified domain names or IP addresses in your connection.

  • You cannot connect to the PPTP-based VPN server with your DSL modem. Configure the DSL modem to pass TCP port 1723 and IP protocol 47 (most cannot by default). This must occur before a PPTP connection can be established. Some DSL modems refer to this as PPTP passthrough.

  • You cannot connect to the L2TP-based VPN server with your DSL modem. Configure the DSL modem to pass UDP port 500 and IP protocol 50 (most cannot by default). This must occur before an IPSec SA can be established.

Connections made by using PPP or TCP/IP tools fail
  • The server does not support Link Control Protocol (LCP) extensions. If you cannot connect to a server by using PPP, or the remote computer terminates your connection, the server might not support LCP extensions.

  • IP header compression is keeping TCP/IP tools from running. If you successfully connect to a remote server by using PPP but TCP/IP tools do not work, the problem might be IP header compression.

To disable LCP extensions
  1. In Network Connections, click the dial-up or VPN connection you want to configure.

  2. Under Network Tasks, click Change settings of this connection.

  3. On the Networking tab, click Settings, and then clear the Enable LCP extensions check box.

To disable IP header compression
  1. In Network Connections, click the dial-up connection you want to configure.

  2. Under Network Tasks, click Change settings of this connection.

  3. On the Networking tab, click Internet Protocol (TCP/IP) and then click Properties.

  4. Click Advanced, and then clear the Use the IP Header Compression check box.

Troubleshooting Common Internet Access Configuration Problems

The following sections describe common Internet access–related problems that you might encounter, and possible causes and solutions for them.

ICS connections fail
  • The wrong network adapter is shared. An ICS host computer needs two connections. One connection, typically a network adapter, connects to the computers on the home (or small office) network and the other connection connects the home network to the Internet. Ensure that ICS is enabled on the connection that connects your home network to the Internet.

  • TCP/IP is not installed on home network computers. By default, the TCP/IP protocol is installed on computers running Windows XP Professional and Windows XP Home Edition, Windows 2000, Windows Server 2003, Windows Me, Windows 98, and Windows NT 4.0. If users on your home network are running operating systems other than these, verify that TCP/IP is installed on their computers.

  • Users on your home network fail to reach the Internet. TCP/IP is incorrectly configured on home network computers. Verify that the following TCP/IP settings are established on home network local area connections:

    • IP address. Obtain an IP address automatically (by using DHCP).

    • DNS server. Obtain DNS server address automatically.

    • Default gateways. None specified.

    For computers running Windows 95, Windows 98, or Windows NT 4.0, you can find the TCP/IP settings in Network Control Panel.

  • Internet Connection Sharing is not started. Use the Services and Applications section of the Computer Management console tree to verify that the Internet Connection Sharing service is started. If “stopped” appears as the service status, click Start and OK to start the service.

  • The Internet Connection Sharing computer is not properly configured for name resolution. If computers on the remote office network cannot resolve names to IP addresses, you might need to configure the DNS name resolution services on the ICS host computer. Check the name resolution configuration of the ICS host computer by using the ipconfig command.

    If your remote office accesses the Internet through an ISP, there are two ways that your ISP can configure name resolution:

    • Statically assigning name servers.

      You must manually configure the TCP/IP protocol with the IP address (or addresses) of the name servers provided by the ISP. If you have statically assigned name servers, you can run the ipconfig command at any time to get the IP addresses of your configured name servers.

    • Dynamically assigning name servers.

      Manual configuration is not required. The IP addresses of the name servers provided by the ISP are dynamically assigned whenever you dial the ISP. If you have dynamically assigned name servers, you must run the ipconfig command after a connection to the ISP has been made.

  • The protocol used by a game played on the Internet is not translatable. Try running the game application from the ICS computer. If the game works from the ICS computer but not from a computer on the home network, the game might not be translatable.

  • Internet users cannot see services on your home network, such as a Web server. Verify that the ICS service, including port numbers and IP addresses, is configured correctly.

  • Users on your home network cannot reach Internet sites by using friendly names. This is a DNS resolution problem. Until it is resolved, users on your home network must use fully qualified domain names or IP addresses when accessing Internet resources.

For more information about Internet Connection Sharing, see Windows XP Professional Help and Support Center.
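As an added illustration (not from the Resource Kit), the script below parses the output of ipconfig /all on a home network computer and checks it against the two ICS bullets above: the TCP/IP settings list (DHCP on, DNS servers learned automatically, no statically specified default gateway) and the name resolution check (at least one DNS server present). The sample ipconfig output is constructed; real Windows XP output carries more fields, which the parser keeps but the check ignores.

```python
import re
# Constructed sample of "ipconfig /all" output (not from the chapter): one
# adapter configured as the chapter describes, one statically configured.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Wireless Network Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.7
        Default Gateway . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . :
"""
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
FIELD_RE = re.compile(r"^\s+(\S.*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter: {field (lower-case): [values]}} for each adapter block."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current, last_key = header.group(1), None
            adapters[current] = {}
        elif current is None or not line.strip():
            continue  # global header lines and blank lines carry no adapter data
        elif (field := FIELD_RE.match(line)):
            last_key = field.group(1).strip().lower()
            value = field.group(2).strip()
            adapters[current][last_key] = [value] if value else []
        elif last_key:  # indented continuation line: a second DNS server, etc.
            adapters[current][last_key].append(line.strip())
    return adapters

def check_ics_client(adapter):
    """Problems on one adapter, measured against the chapter's ICS client settings."""
    problems = []
    if adapter.get("dhcp enabled", ["No"])[0].lower() != "yes":
        problems.append("DHCP disabled: IP address is not obtained automatically")
        if adapter.get("default gateway"):
            problems.append("default gateway is statically specified")
        if adapter.get("dns servers"):
            problems.append("DNS servers are statically specified")
    if not adapter.get("dns servers"):
        problems.append("no DNS servers: names will not resolve")
    return problems
```

Run it against the saved output of ipconfig /all from the failing computer; an empty problem list for the home network adapter means the settings match the chapter, and the DNS Servers field it extracts is the same information the name resolution bullet tells you to read from ipconfig.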

Applications do not run properly on a laptop connecting to an ISP

The Winsock Proxy client might be preventing your applications from running properly. If you are a mobile user and use your portable computer in your corporate environment, your applications might not be able to locate the resources or servers they need. Disable the Microsoft Winsock Proxy client (WSP Client in Control Panel) when you use the same computer to dial to an ISP or other network.

Connections to my ISP succeed, but connections to the Internet do not

DNS options might need to be configured. Check with your ISP to see whether you need to configure DNS settings for that connection. For example, you might need to specify a preferred or alternate DNS server IP address, rather than letting the DNS server IP address be assigned dynamically.

Additional Resources

These resources contain additional information and tools related to this chapter.

  • “Configuring TCP/IP” on the companion CD, for more information about TCP/IP

  • Chapter 27, “Understanding Troubleshooting,” for more information about troubleshooting network and dial-up connections with diagnostic tools

  • “Remote Access Server” in the Internetworking Guide of the Microsoft Windows 2000 Server Resource Kit, for more information about remote access server issues