Configure FTP Server on Windows 2003 Server July 6th, 2009
The following is a list of the steps you need to perform to configure and enable the built-in Windows 2003 FTP server. Before you start, you need to make sure that you actually have the FTP server installed. Depending on what server role you selected during the Windows 2003 server install process, you may or may not have FTP installed.
To check if the FTP server is installed, in the Control Panel, go to Add/Remove programs -> Add/Remove Windows Components. Then make sure Application Server is checked. Click the Details button and make sure Internet Information Services (IIS) is checked. Click Details on this again and make sure File Transfer Protocol (FTP) Service is checked. If not, check all of these and click OK to install them.
To enable the FTP service, go to the start menu -> Administrative Tools -> Internet Information Services (IIS) Manager.

Tree open your server in the Internet Information Services list. Here my server is called “DEDICATED”. Then tree open FTP Sites and right-click Default FTP Site (Stopped). Click Properties from the context menu.

On the dialog, choose the Security Accounts tab. Make sure to uncheck Allow anonymous connections. We don’t want to allow anonymous access to the FTP server or we will have spammers, porn-servers, and who knows what else on here in a matter of days. We only want to allow authenticated user accounts to connect.

When you uncheck this box, you will see a dialog like this. Basically, this is just telling you that since you don’t want to allow anonymous access, you will have to log in with a UserName and Password. Since FTP is not a secure protocol, these credentials will be passed in clear text and there is a remote possibility that someone could see the credentials. In other words, this is saying, make sure that you don’t use base Windows accounts that you want to be secure. I recommend using a dummy ftp account that you change on a regular basis instead. Just click Yes on this dialog.

On the Home Directory tab, set the path to where you want your FTP files to be placed. NOTE: By default the path is set to inetpub\ftproot. If you want to allow users to create directories and add files instead of just downloading, make sure the Write box is checked. Then click OK to apply all these changes.

Now we want to start our FTP service. Right-click the Default FTP Site (Stopped) in the tree view and select Start to run the FTP server.

Setting Up FTP Directories & Permissions
The previous tasks are all you need to do if you want to just put files in the main FTP directory. But sometimes you want to set up specific directories for users that actually put the files in different directories than the default directory. The way you do this is to set up a “pointer” directory in your default inetpub\ftproot that will just be an empty folder (the FTP Service requires this for a virtual directory). Here, I created a new folder in my default FTP root folder called “MyFtpFolderPointer”.

Now, we create a folder where we actually want our files to be placed when they are uploaded/downloaded. So I put a folder in the C:\ drive and called it “MyNewFtpDirectory”. This is the place where the FTP files will actually go and the folder we created in the previous step will point to this folder.

Now go back to the Internet Information Services (IIS) Manager and right-click the Default FTP Site. Choose New -> Virtual Directory… to start the virtual directory wizard.

Click Next to start the wizard.

Name your alias for this virtual directory the EXACT same name you named the Virtual Directory folder we created in the FTP root since this is the one we want to point to the C:\ drive folder. So here, we name our Virtual Directory “MyFtpFolderPointer”. Click Next.

Now we tell this virtual directory what its actual path should be. So point this path to the folder where you actually want the FTP files to go. It can be any path you want. Here we put the path to our folder on C:\MyNewFtpDirectory. Click Next.

If you want users to be able to both download and upload files to this FTP directory, check both the Read and Write boxes. Click Next.

Click Finish to complete the wizard and apply the virtual directory settings.

There are a few other things you might need to do:
- Check your Firewall rules. By default, FTP uses Port 21, so you will need to make sure that your Windows Firewall (if that is what you are using) is configured to allow Port 21 for FTP.
- Create a new user account that is for FTP only to be used to login to your FTP server.
Now, to connect to this FTP server and test it out, you can use the tutorials here:
Using Windows as an FTP Client
Remember to have the “Write” box checked on the virtual directory if you want to allow users to upload files as well as download them.
Thanks to Ben Hodson, source http://www.devtoolshed.com/content/configure-ftp-server-windows-2003-server
Windows Server 2003 Configure RRAS (Routing and Remote Access Service) Site to Site VPN July 6th, 2009
The following are the steps you would need to take if you want to configure a VPN on a Windows 2003 server where you only have a single network card (NIC) exposed to the Internet. What we will do here is configure a site-to-site VPN so that clients can connect securely while still allowing other types of web traffic such as HTTP (port 80) and/or RDP (port 3389) to connect. This method sets up a secure tunnel for clients while allowing other types of web-based services to still be open and exposed on the same network card.
Normally, when you set up a VPN, you should use a dedicated network card for the VPN and a separate dedicated card for other traffic. In most cases, a site-to-site VPN would be the only service set up on a single network card and the firewall would be controlled by an external firewall in front of the server. But Microsoft does provide a way to configure Windows Server 2003 to allow VPN and other web services on the same card.
The way to do this is to have the VPN be the front facing network service exposed to the Internet. Then we configure Windows 2003 to run Network Address Translation (NAT) services to manage the traffic coming in from this card. The big problem is that you usually have to have a remote firewall configured in front of this server. But Microsoft provides a useful component in the NAT services called “Basic Firewall”. This has a similar interface to Windows Firewall so it can be configured to allow / deny ports and services while the VPN is enabled. Here are the steps to configure Windows 2003:
In Administrative Tools, open the Routing and Remote Access dialog.

If you have the Windows Firewall running on your server, you will see a dialog that says that ICF must be disabled before continuing. If you see this dialog, you must disable your Windows Firewall before continuing. The next couple of steps show how to do this.

In Administrative Tools, open the Services dialog and find the Windows Firewall/Internet Connection Sharing (ICS) entry. Click the “Stop the service” link to stop the service.

Double-click the service and set its Startup type to “Disabled”. This will make it so that the Windows Firewall does not run anymore and is completely disabled. Click OK.

Right-click your server name in the Routing and Remote Access dialog (it should be the item with the little server icon that has a red stop square on top of it) and select Configure and Enable Routing and Remote Access.

Click Next on the Routing and Remote Access Server Setup Wizard.

Select Custom configuration and click Next.

In the Custom Configuration, select VPN access and NAT and basic firewall and click Next.

Click Finish to complete the setup.

When you click Finish, a dialog will ask you if you want to start the server and begin running Routing and Remote Access. Choose Yes.

After you wait for just a second, the routing server comes online and you will see a tree of options open up underneath your server icon. Your server icon will also change from a red square to a green square to show you that it has been started successfully.

Right-click the NAT/Basic Firewall and choose New Interface from the context menu.

We are going to configure the firewall settings for the connection that has the VPN running on it. Choose your network card by name from the list. In most cases, this will be Local Area Connection as this is the default name of the NIC that Windows assigns.

In the Network Address Translation Properties dialog, select Basic firewall only.

Click on the Services and Ports tab and click on IP Security (IKE).

Once you click on the IP Security (IKE) entry, an edit box will immediately come up. You need to set up where NAT should route this traffic when received in the firewall. Just set all traffic to route directly to the local server (since this is where all the services are running) by setting the IP to itself (127.0.0.1).

Do the same with IP Security (IKE NAT Traversal), VPN Gateway (L2TP/IPSec – running on this server), and VPN Gateway (PPTP). Each one will need to be set to 127.0.0.1, the same as in the above dialog. NOTE: For any other ports you want to open, do the same process to expose them in the firewall. The IP Security and VPN Gateway entries are the only ones required to enable the VPN to actually show from the NAT service. Then click OK.

Right-click the server name (the one with the green icon) and select Properties.

Click on the IP tab and select Static address pool. This will enable the Add button. Click the Add button to edit the range of IPs. You need to set a static range of IP addresses that will be used on the internal network that the VPN creates.

Set a range for the IP addresses that will be assigned for the local network that the VPN creates. The Number of addresses will automatically be calculated for you. Click OK.
VERY IMPORTANT: Make sure you set a range for the IP addresses that is unique and not likely to be on another network, or there will be conflicts if the client connects from a network with the same subnet.

Click OK to close the properties dialog.

In Administrative Tools, open the Computer Management tool (unless you are running Active Directory on your server and then you would need to add the user from there). Tree open Local Users and Groups -> Users and right-click Users to select New User….

Create the new user as you would normally. Click the Create button and then click Close to close the dialog.

Right-click the new user account you just created and select Properties.

We have to enable this account to allow VPN login to this server. On the user properties dialog, click on the Dial-in tab. Then select Allow access. Click OK to apply the change.
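
The static address pool step above warns against choosing a range that a client's own network may already use. The following added example (not part of the original tutorial) checks a proposed pool against a list of client subnets; the subnet list, the function names and the sample ranges are assumptions chosen for illustration.

```python
import ipaddress

# Assumption: subnets often used by home and small-office routers.
# Replace with the networks your VPN clients actually connect from.
COMMON_CLIENT_LANS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
]

def _bounds(start, end):
    """Parse and validate the inclusive start/end of a static pool."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end address is below start address")
    return first, last

def pool_size(start, end):
    """Number of addresses in the range, as the Add dialog calculates it."""
    first, last = _bounds(start, end)
    return int(last) - int(first) + 1

def pool_conflicts(start, end, client_lans=COMMON_CLIENT_LANS):
    """Return every client LAN that shares addresses with the pool."""
    first, last = _bounds(start, end)
    # A start/end range is rarely one CIDR block, so split it into blocks.
    blocks = list(ipaddress.summarize_address_range(first, last))
    hits = []
    for lan in client_lans:
        net = ipaddress.ip_network(lan)
        if any(net.overlaps(block) for block in blocks):
            hits.append(str(net))
    return hits

if __name__ == "__main__":
    # Constructed sample pools: one risky, one unlikely to collide.
    for start, end in [("192.168.0.200", "192.168.0.250"),
                       ("10.77.213.1", "10.77.213.50")]:
        clashes = pool_conflicts(start, end)
        verdict = "conflicts with " + ", ".join(clashes) if clashes else "ok"
        print(f"{start}-{end} ({pool_size(start, end)} addresses): {verdict}")
```
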

Once the server is set up, you can configure a client to connect to the VPN. Here are the instructions to connect with Windows XP:
http://www.devtoolshed.com/content/connect-site-site-vpn-windows-xp
Thanks to Author, source http://www.devtoolshed.com/node/31
How to setup Remote Access Server (RAS) on Windows 2003 server to create a PPTP VPN service and client connection. July 6th, 2009
In this how to I will be describing the process for implementing RAS on Windows 2003 server to create a VPN service and then connect to it using a client computer. To perform this how to you will need a computer running Windows 2003 server. The server will need to be multi-homed i.e. it will need two networking cards. If you have Microsoft Virtual PC you can use that to create the VPN server by simply adding two virtual networking cards to the Virtual PC. In addition, you will need two internal NAT static IP addresses one for each networking card.
Begin by adding the static IP addresses, one for each network card. You can name the network connections if you wish, i.e. one “Internal” and one “External”. If your server is already being used for network/domain services then name the existing network card with the existing IP address “Internal” as the internal IP address will be the one used by the actual server. Now make sure to plug both network cards into your network. Your configuration should look something like the example below:
NAT Network = 192.168.0.0
RAS Server Network Card One IP = 192.168.0.10
RAS Server Network Card Two IP = 192.168.0.11
DNS Server = Your DNS server's IP address
Gateway = Blank or your router's gateway address
Subnet Mask = 255.255.255.0

Now you can configure Remote Access Server (RAS). Check that you have installed the RAS server from the 2003 CD: Programs -> Administrative Tools -> Remote Access Server. RAS is installed but not configured for the default 2003 OS installation.
Open RAS and right click where the red x is to Configure and Enable the service.


Proceed through the wizard by clicking Next:

Select “Virtual Private Network (VPN) access and NAT”:

Select “VPN”:

Select the External interface (network card) as the connection to the internet. In this case it is your internal NAT 192.168.0.11 that will connect you to the internet:

You will need a DHCP server setup for clients to get an IP address automatically:

Select No unless you have a RADIUS server:

Finish the wizard:

You will get a message about DHCP relay click Ok:

Now you need to configure your Basic Firewall's External address by going to the NAT/Basic Firewall settings in RAS, right-clicking the External interface and selecting Properties:

Now select “Private interface connected to private network” because that is what you have. If your external interface was connected directly to your external IP then you would select the second (default) radio button.

To configure a VPN client to test the connection to the new VPN server, open the network properties on a different computer and select the “New Connection Wizard”:

Now that you have the client VPN connection set up, you will need to make sure the account you are going to use has the Dial-in permission set to “Allow access”.

Now you can open your Test VPN connection and type your username and password. You should connect to your VPN server and get a DHCP assigned address.

The connection should be successful and you will now need to configure your NAT router, i.e. Linksys, Netgear etc., to open the PPTP port to the internal address of 192.168.0.11. When you create a client VPN connection from the internet you will need to use your external IP address attached to the external interface (internet connection) of your router.
Thanks to Author, source http://www.charlieclaycomb.com/HowTo/rassetup.aspx
NAT in Windows 2003: Setup and Configuration July 6th, 2009
This article will describe how to set up and configure NAT in Windows 2003. NAT, or Network Address Translation, is a widely used IP translation and mapping protocol that works on the network layer (level 3) of the OSI model. It is sometimes referred to as a routing protocol because of the way it allows packets from a private network to be routed to the Internet.
NAT acts as a middle man between the internal and external network; packets coming from the private network are handled by NAT and then transferred to their intended destination.
A single external address is used on the Internet so that the internal IP addresses are not shown. A table is created on the router that lists local and global addresses and uses it as a reference when translating IP addresses.
NAT can work in several ways:
Static NAT
An unregistered IP address is mapped to a registered IP address on a one-to-one basis – which is useful when a device needs to be accessed from outside the network.
Dynamic NAT
An unregistered IP address is mapped to a registered IP address from a group of registered IP addresses. For example, a computer 192.168.10.121 will translate to the first available IP in a range from 212.156.98.100 to 212.156.98.150.
Overloading
A form of dynamic NAT, it maps multiple unregistered IP addresses to a single registered IP address, but in this case uses different ports. For example, IP address 192.168.10.121 will be mapped to 212.56.128.122:port_number (212.56.128.122:1080).
Overlapping
This is when addresses in the inside network overlap with addresses in the outside network – the IP addresses are registered on another network too. The router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
How NAT works
A table of information about each packet that passes through is maintained by NAT.
When a computer on the network attempts to connect to a website on the Internet:
- the source IP address in the packet header is replaced with the IP address of the NAT computer on the way out
- the “destination” IP address is changed (based on the records in the table) back to the specific internal private class IP address in order to reach the computer on the local network on the way back in
Network Address Translation can be used as a basic firewall – the administrator is able to filter out packets to/from certain IP addresses and allow/disallow access to specified ports. It is also a means of saving IP addresses by having one IP address represent a group of computers.
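
The translation table described above can be modelled in a few lines. This added example (not from the original article) uses the article's overloading addresses 192.168.10.121 and 212.56.128.122:1080; the class and function names, the remote host 203.0.113.10 and the simplification of keying return traffic on the public port alone (without tracking the remote endpoint or timeouts) are assumptions.

```python
import itertools

class OverloadNat:
    """Minimal model of overloading NAT: private hosts share one public IP."""

    def __init__(self, public_ip, first_port=1080):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out_map = {}   # (proto, private_ip, private_port) -> public_port
        self.in_map = {}    # (proto, public_port) -> (private_ip, private_port)
        self.services = {}  # static entries, like the Services and Ports tab

    def publish(self, proto, public_port, host_ip, host_port):
        """Always forward public_port to a host on the private network."""
        self.services[(proto, public_port)] = (host_ip, host_port)

    def _allocate(self, proto):
        # Skip ports already claimed by a published service.
        for port in self._ports:
            if (proto, port) not in self.services:
                return port

    def outbound(self, pkt):
        """Private -> Internet: replace the source address and port."""
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.out_map:
            port = self._allocate(pkt["proto"])
            self.out_map[key] = port
            self.in_map[(pkt["proto"], port)] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Internet -> private: restore the destination, or drop (None)."""
        key = (pkt["proto"], pkt["dport"])
        target = self.in_map.get(key) or self.services.get(key)
        if pkt["dst"] != self.public_ip or target is None:
            return None  # no table entry, so nothing inside asked for this
        return dict(pkt, dst=target[0], dport=target[1])

def demo():
    # Constructed packets; 203.0.113.10 stands in for a web server.
    nat = OverloadNat("212.56.128.122")
    request = {"proto": "tcp", "src": "192.168.10.121", "sport": 3345,
               "dst": "203.0.113.10", "dport": 80}
    sent = nat.outbound(request)
    reply = nat.inbound({"proto": "tcp", "src": "203.0.113.10", "sport": 80,
                         "dst": nat.public_ip, "dport": sent["sport"]})
    probe = nat.inbound({"proto": "tcp", "src": "203.0.113.99", "sport": 4000,
                         "dst": nat.public_ip, "dport": 3389})
    return sent, reply, probe

if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

The unsolicited probe to port 3389 returns None because neither the dynamic table nor a published service has an entry for it, which is the basic-firewall effect the paragraph above describes.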
Setting up NAT
To set up NAT you must start by opening the Configure your server wizard in administrative tools and selecting the RRAS/VPN Server role. Now press next and the RRAS setup wizard will open. The screen below shows the Internet Connection screen, in which you must specify the type of connection to the Internet and whether or not you want the basic firewall feature to be enabled.
Press next to continue. The installation process will commence and services will be restarted, after which the finish screen will be displayed – showing what actions have taken place.
Configuring NAT
Configuration of NAT takes place from the Routing and Remote Access mmc found in the Administrative Tools folder in the Control Panel or on the start menu.
The screenshot below shows the routing and remote access mmc.
Select which interface you wish to configure and double click it. This will bring up the properties window giving you the option to change settings such as packet filtering and port blocking, as well as enabling/disabling certain features, such as the firewall.
The remote router (set up previously) properties box is shown below. The NAT/Basic Firewall tab is selected.
You are able to select the interface type – to specify what the network connection will be. In my example I have selected for the interface to be a public interface connected to the internet. NAT and the basic firewall option have also been enabled. The inbound and outbound buttons will open a window that will allow you to restrict traffic based on IP address or protocol packet attributes. As per your instructions, certain TCP packets will be dropped before they reach the client computer, making the network safer and giving you more functionality. This is useful if, for example, you wanted to reject all packets coming from a blacklisted IP address or restrict internal users' access to port 21 (ftp).
For further firewall configuration, go to the Services and Ports tab. Here you can select which services you would like to provide your users access to. You can also add more services by specifying details such as the incoming and outgoing port number.
The list of services shown in the above screenshot are preset. Press Add to bring up the window that will allow the creation of a new service or select an available service and press Edit to modify that service. You will be asked to specify the name, TCP and UDP port number and the IP address of the computer hosting that service.
If the services in the list aren’t enabled then any client computer on the Windows 2003 domain will not be able to access that specific service. For example, if the computer was configured as shown in the image above and a client computer tried to connect to an ftp site, it would be refused access. This section can prove to be very useful for networks of any size, but especially small ones.
That concludes this article. As you have seen, Network Address Translation is a useful feature that adds diversity and security to a network in a small to medium sized company. With the advent, and implementation, of IPv6 still in its beginning stages, we can expect to see NAT being used for many years to come.
Thanks to Andrew Z. Tabona, source http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html





