More on NT as an Internet Gateway
Thank you for all the letters about my June column, "Unlock Your
Gateway to the Internet." The interest this column has generated prompts me
to return to the topic of Windows NT as an Internet gateway and to point you, if
you haven't found it yet, to Mary Madden and Ed Tittel's excellent July article,
"Easy Access to the Internet." It gets down to the buttons-and-dialogs
level that I didn't have time to cover.
Continuing the Story
If you're just joining us, the scenario is
that you have a LAN in your office and an Internet connection through an
Internet Service Provider (ISP). On an NT server or workstation, you can create
a router that will let any PC on your network access the Internet, so that
Internet mail, newsgroups, the Web, and so on are available to everyone in the
office.
Many readers tell me that they can't figure out why they can communicate
between their computer and their network's gateway, or between the gateway and
the Internet, but not directly between the computers on the LAN and the
Internet. The usual reason is that they don't have InterNIC-approved addresses.
Visualize the pieces of this system: your LAN, your gateway/router, your
ISP's gateway/router, and the Internet. If you make up a bunch of random IP
addresses, no one knows about them but you. Suppose you choose the range from
4.1.1.0 through 4.1.1.15. Now if you ping my gateway at 199.34.57.1 from one of
your made-up addresses, 4.1.1.10, your router must shoot that ping packet over
the WAN connection to the ISP's router.
Many people say they can see the modem's send data light flash,
indicating that the packet has gone out--but nothing returns. The
message goes from your router to the ISP's router, which looks in its routing
tables to find where to send a message for network 199.34.57.0. The routing
tables direct your ISP's router to Digital Express, my main ISP, and the ping
gets to my router.
My router isn't configured in paranoid mode (unlike Microsoft's gateway),
so it responds to your ping: My router generates a different IP packet
directed at IP address 4.1.1.10. My ISP's router says, "Hmmm... Where can I
find 4.1.1.10?" It looks in its routing table, and as a matter of
fact, finds that Bolt, Beranek, and Newman (BBN), one of the first firms
involved in creating the Internet, owns the entire 4.0.0.0 network. Result: My
response to your ping goes to BBN, not you, and you see no response.
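The ping and its reply can be traced through a toy set of routing tables using longest-prefix match. This is an added example, not code from the original column; the router names, the prefix lengths and the 192.0.2.0/28 block standing in for a properly assigned range are assumptions.

```python
import ipaddress

# Constructed routing tables for the scenario above. 4.0.0.0/8, 4.1.1.x and
# 199.34.57.x come from the text; node names, masks and the 192.0.2.0/28
# "properly assigned" block (a documentation range) are assumptions.
TABLES = {
    "reader-router": {"4.1.1.0/28": "local", "192.0.2.0/28": "local",
                      "0.0.0.0/0": "reader-isp"},
    "reader-isp": {"199.34.57.0/24": "digital-express", "4.0.0.0/8": "bbn",
                   "192.0.2.0/28": "reader-router"},
    "digital-express": {"199.34.57.0/24": "author-router", "4.0.0.0/8": "bbn",
                        "192.0.2.0/28": "reader-isp"},
    "author-router": {"199.34.57.0/24": "local", "0.0.0.0/0": "digital-express"},
    "bbn": {"4.0.0.0/8": "local"},
}

def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in map(ipaddress.ip_network, table) if addr in n]
    if not matches:
        return None
    return table[str(max(matches, key=lambda n: n.prefixlen))]

def trace(start, dst, max_hops=8):
    """Forward a packet for dst hop by hop; return the routers it visits."""
    path = [start]
    while len(path) <= max_hops:
        hop = next_hop(TABLES[path[-1]], dst)
        if hop is None:
            path.append("dropped")
            break
        if hop == "local":          # current router owns the destination
            break
        path.append(hop)
    return path

def ping(src_router, src_ip, dst_ip):
    """Return (request_path, reply_path, answered) for one echo exchange."""
    request = trace(src_router, dst_ip)
    if request[-1] not in TABLES:   # request never arrived, so no reply
        return request, [], False
    reply = trace(request[-1], src_ip)
    return request, reply, reply[-1] == src_router

if __name__ == "__main__":
    for src in ("4.1.1.10", "192.0.2.10"):
        req, rep, ok = ping("reader-router", src, "199.34.57.1")
        print(src, "request:", " > ".join(req))
        print(src, "reply:  ", " > ".join(rep), "(answered)" if ok else "(lost)")
```

The request path is identical for both source addresses; only the reply path differs, which is why the modem light flashes but nothing comes back.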
The moral is that you can't just make up a block of IP addresses, because
your addresses must exist in all the routing tables of all the ISPs in the
world. You have to apply to InterNIC, the group that coordinates new IP
addresses, and your ISP can help you get a block of addresses. (To learn how
this application process works, see Richard Reich, "Registering a Domain
Name Is Easy," September 1996.) You can't just take one IP address and
share it with your whole company.
Proxy Servers
Or can you? Well, yes, you can with a proxy
server. (For information about Microsoft's new proxy server, see Mark Joseph
Edwards, "Microsoft's Internet Access Server," September 1996, and "Configuring
Internet Access Server," on page 153.) A proxy server is a computer that
acts as a relaying point between computers on a local network and the Internet.
How's a proxy server different from a router/gateway? All a router does is
pick up IP packets from its Ethernet connection and then resend them over the
WAN connection. The router doesn't understand whether the IP packet is carrying
Web communications, FTP data, or email messages. The Web browser on your PC
says, "Hey, www.microsoft.com, let me see your home page." The router
just gets the message to www.microsoft.com and has no concept of what HTTP is.
In contrast, a proxy server doesn't relay simple IP packets--it relays
particular higher-level requests. Here's a simplified explanation. First, you
reconfigure your Web browser so that it can no longer directly access the
Internet. Instead, your browser must make its Web requests to the proxy server,
which then interprets those requests.
Suppose you have a PC named MYPC and a proxy server named PROXY. You tell
your Web browser to use PROXY as a proxy server. You then point the Web browser
to www.microsoft.com, and you get Microsoft's home page. But under the hood,
the Web browser on MYPC is saying directly to PROXY, "PROXY, please go get
the page at www.microsoft.com." PROXY does so, and www.microsoft.com thinks
it's communicating with a machine named PROXY; www.microsoft.com has no idea
that it is actually meeting the needs of a different machine, MYPC.