The Windows Internet Name Service (WINS) enables machines to resolve NetBIOS names of hosts on remote networks. Machines configured as WINS clients register their names with the WINS server. WINS clients are also able to send name queries to a WINS server to resolve the names to IP addresses. Windows clients can send a broadcast to the local network to resolve NetBIOS names, but when hosts are located on remote networks (networks that are on different network segments or NetBIOS broadcast domains), the broadcasts for name resolutions fail. The only solution is a WINS server.
The WINS server is especially important for VPN clients. The VPN clients are not directly connected to the internal network, and they are not able to use broadcasts to resolve internal network NetBIOS names. (An exception is when you use Windows Server 2003 and enable the NetBIOS proxy, which provides very limited NetBIOS broadcast support.) VPN clients depend on a WINS server to resolve NetBIOS names and to obtain information required to populate the browse list that appears in the My Network Places applet.
The Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addressing information to DHCP clients. The DHCP server should be configured on an internal network server and not on the firewall itself. When you configure the DHCP server on the internal network, the ISA Server 2004 firewall can automatically obtain IP addresses from the DHCP server and dynamically assign VPN clients to a special “VPN Clients Network.” Access controls and routing relationships can be configured between the VPN Clients network and any other network defined on the ISA Server 2004 firewall machine.
In this ISA Server 2004 Configuration Guide document, we will go over the procedures required to install the Microsoft WINS and DHCP services. We will then configure a DHCP scope with DHCP scope options.
We will discuss the following procedures in this document:
- Installing the WINS service
- Configuring a DHCP scope
The Windows Internet Name Service (WINS) is used to resolve NetBIOS names to IP addresses. On modern Windows networks, the WINS service is not required. However, many organizations want to use the My Network Places applet to locate servers on the network. The My Network Places applet depends on the functionality provided by the Windows Browser service. The Windows Browser service is a broadcast-based service that depends on a WINS server to compile and distribute information on servers on each network segment.
In addition, the WINS service is required when VPN clients want to obtain browse list information for internal network clients. We will install the WINS server on the internal network to support NetBIOS name resolution and the Windows browser service for VPN clients.
Perform the following steps to install WINS:
- Click Start and point to Control Panel. Click Add or Remove Programs.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button.
- On the Windows Components page, scroll through the list of Components and select the Networking Services entry. Click Details.
- In the Network Services dialog box, put a check in the Windows Internet Name Service (WINS) check box. Next, put a check in the Dynamic Host Configuration Protocol (DHCP) check box. Click OK.
- Click Next on the Windows Components page.
- Click OK in the Insert Disk dialog box. In the Files Needed dialog box, enter the path to the i386 folder in the Copy files from text box and click OK.
- Click Finish on the Completing the Windows Components Wizard page.
- Close the Add or Remove Programs window.
The WINS server is ready to accept NetBIOS name registrations immediately. The ISA Server 2004 firewall, the domain controller, and the internal network clients are all configured to register with the WINS server in their TCP/IP Properties settings.
The Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addressing information to internal network clients and VPN clients. In the scenarios covered in the ISA Server 2004 Configuration Guide, the DHCP server will be used primarily to assign IP addressing information to the VPN clients network. Note that in a production network, you should configure all machines that do not require a static IP address to be DHCP clients.
The DHCP server service has already been installed according to the procedures you performed in Chapter 1 of this Guide. The next step is to configure a DHCP scope that includes a range of IP addresses to assign DHCP clients and DHCP options.
Perform the following steps to configure the DHCP scope:
- Click Start and point to Administrative Tools. Click DHCP.
- In the DHCP console, right-click the server name in the left pane of the console and click Authorize.
- Click the Refresh button in the MMC button bar. Notice that the icon on the server name in the left pane of the console changes from a red, down-pointing arrow to a green, up-pointing arrow.
- Right-click the server name in the left pane of the console and click the New Scope command.
- Click Next on the Welcome to the New Scope Wizard page.
- On the Scope Name page, enter a name for the scope in the Name text box and enter an optional description in the Description text box. In this example, we will name the scope Scope1 and will not enter a description. Click Next.
- On the IP Address Range page, enter a Start IP address and an End IP address in the text boxes provided. The start and end addresses represent the beginning and end of a range of addresses you want available for DHCP clients. In this example, we will enter the start address as 10.0.0.200 and the end address as 10.0.0.219. This provides twenty addresses for DHCP clients. The ISA Server 2004 firewall will later be configured to allow up to 10 concurrent VPN connections, so it will automatically take 10 of these addresses and use one of them for itself, with the remainder available to assign to the VPN clients. The ISA Server 2004 firewall will be able to obtain more IP addresses from the DHCP server if they are required. You can configure the subnet mask settings in either the Length or Subnet mask text boxes. In our current example, the addresses will be on the same network ID as the internal network, so we will enter the value 24 into the Length text box. The Subnet mask value is automatically added when the Length value is added. Click Next.
- Do not enter any exclusions on the Add Exclusions page. Click Next.
- Accept the default lease duration of 8 Days on the Lease Duration page. Click Next.
- On the Configure DHCP Options page, select the Yes, I want to configure these options now option and click Next.
- On the Router (Default Gateway) page, enter the IP address of the internal interface of the ISA Server 2004 firewall machine in the IP address text box and click Add. Click Next.
- On the Domain Name and DNS Servers page, enter the domain name used on the internal network in the Parent domain text box. This is the domain name that will be used by DHCP clients to fully qualify unqualified names, such as the wpad entry that is used for Web Proxy and Firewall client autodiscovery. In this example, the domain name is msfirewall.org and we will enter that value in the text box. In the IP address text box, enter the IP address of the DNS server on the internal network. In this example, the domain controller is also the internal network’s DNS server, so we will enter the value 10.0.0.2 into the IP address text box and then click Add. Click Next.
- On the WINS Servers page, enter the IP address of the WINS server in the IP address text box and click Add. In this example, the WINS server is located on the domain controller on the internal network, so we will enter 10.0.0.2. Click Next.
- On the Activate Scope page, select the Yes, I want to activate this scope now option and click Next.
- Click Finish on the Completing the New Scope Wizard page.
- In the left pane of the DHCP console, expand the Scope node and then click the Scope Options node. You will see a list of the options you configured.
- Close the DHCP console.
At this point the DHCP server is ready to provide DHCP addressing information to DHCP clients on the internal network and to the VPN clients network. However, the ISA Server 2004 firewall will not actually lease the addresses until we have enabled the VPN server on the firewall.
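The same scope can be created and checked from a command prompt on the DHCP server with netsh, which gives a repeatable record of the settings. This script is an added example, not part of the original guide. The DHCP server's fully qualified name and the IP address of the ISA firewall's internal interface are not given in this document, so both are placeholders you must replace. The DHCP server address 10.0.0.2 assumes the services run on the domain controller, as the walkthrough describes.

```batch
@echo off
rem Added example: netsh equivalent of the New Scope Wizard steps above.
rem Values from the walkthrough: range 10.0.0.200-10.0.0.219 with a 24-bit mask,
rem DNS and WINS server 10.0.0.2, domain msfirewall.org, 8-day lease.
rem Placeholders (not given in the guide): DHCP server FQDN and the
rem IP address of the ISA firewall's internal interface.
set DHCP_FQDN=REPLACE_WITH_DHCP_SERVER_FQDN
set DHCP_IP=10.0.0.2
set ISA_INTERNAL_IP=REPLACE_WITH_ISA_INTERNAL_IP
set SCOPE=10.0.0.0

rem Refuse to run until both placeholders have been replaced.
if "%DHCP_FQDN%"=="REPLACE_WITH_DHCP_SERVER_FQDN" goto :placeholder
if "%ISA_INTERNAL_IP%"=="REPLACE_WITH_ISA_INTERNAL_IP" goto :placeholder

rem Authorize the DHCP server in Active Directory (the Authorize step).
netsh dhcp add server %DHCP_FQDN% %DHCP_IP%

rem Create Scope1 and the 20-address range, with no exclusions.
netsh dhcp server add scope %SCOPE% 255.255.255.0 Scope1
netsh dhcp server scope %SCOPE% add iprange 10.0.0.200 10.0.0.219

rem Lease duration: 8 days = 8 * 86400 = 691200 seconds (option 051).
netsh dhcp server scope %SCOPE% set optionvalue 051 DWORD 691200

rem Scope options from the wizard pages:
rem 003 Router, 006 DNS Servers, 015 DNS Domain Name, 044 WINS/NBNS Servers.
netsh dhcp server scope %SCOPE% set optionvalue 003 IPADDRESS %ISA_INTERNAL_IP%
netsh dhcp server scope %SCOPE% set optionvalue 006 IPADDRESS 10.0.0.2
netsh dhcp server scope %SCOPE% set optionvalue 015 STRING msfirewall.org
netsh dhcp server scope %SCOPE% set optionvalue 044 IPADDRESS 10.0.0.2

rem Activate the scope, then print the range and options for review.
netsh dhcp server scope %SCOPE% set state 1
netsh dhcp server scope %SCOPE% show iprange
netsh dhcp server scope %SCOPE% show optionvalue
goto :eof

:placeholder
echo Set DHCP_FQDN and ISA_INTERNAL_IP before running this script.
exit /b 1
```

The two show commands at the end print the same information as the Scope Options node in the DHCP console, so their output can be compared against the values entered in the wizard.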
In this ISA Server 2004 Configuration Guide document, we discussed the uses of the Microsoft WINS and DHCP servers, installed the server services on the domain controller, and configured a scope on the DHCP server. Later in this guide, we will see how the addition of the WINS and DHCP services helps enhance the VPN client experience.