Dec 14, 2010

As one of the long-term moderators at the Petri website I often see questions which could easily be found or answered. A lot of these questions are about protocols such as FTP, HTTP or DHCP.

I know for sure that the vast majority of IT professionals are already aware of this, and I’m sure most IT professionals just look the questions up on Google, for example. And maybe the more experienced IT professionals will read the Requests for Comments, also called the RFCs.

But it’s the less experienced people I’m currently targeting, mainly because I think RFCs are a very important part of working with protocols.

But what actually is a Request for Comments?
Wikipedia will tell you: In computer network engineering, a Request for Comments (RFC) is a memorandum published by the Internet Engineering Task Force (IETF) describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.

So in other words, it’s a document which describes standards for an important part of our job, for example protocols like DHCP, HTTP and FTP.

OK, let’s take DHCP as an example. Often I see questions asking whether it is possible to force a client to use a certain DHCP server. Well, the answer is no, since DHCP uses a broadcast mechanism to find a DHCP server. The first one who responds will serve the IP address.

So let’s take a look at RFC 2131, which describes the Dynamic Host Configuration Protocol, or DHCP.
As you can see it’s a document of about 45 pages. I’m not going to tell you how to read it, but I’ll show you where you can find the answer to the question above.

If you skip to page 13, section 3.1, you’ll find the following text: The client broadcasts a DHCPDISCOVER message[…]
Errr? But what does it do? Well, if you scroll a bit further you’ll find a short definition of the DHCPDISCOVER, namely: DHCPDISCOVER – Client broadcast to locate available servers.
So actually they are telling you that it sends out a certain packet to find DHCP servers. This means that there is no option available to select a certain server. Of course you can force it by temporarily disabling the other DHCP servers, but that is not the point of this post. The point is that a lot of such questions are documented very, very well.

A nice scheme of how the DHCP process works can be found on page 14. If you scroll a bit further you’ll also find the explanation of the process.

The same of course applies to HTTP/1.1, which has been the current standard since about 1997. The RFC for HTTP/1.1 is RFC 2616. This RFC consists of 176 pages. That’s quite a lot, but knowing them is very useful, especially when you need to do advanced troubleshooting.

I’m not saying you need to remember each of them, but you do need to know where to find them. Just remember the website http://www.ietf.org (IETF being the acronym of the Internet Engineering Task Force) where all those documents can be found, or use Google to find them 🙂

However, this is not the only publisher of standards. Another one is the IEEE, or the Institute of Electrical and Electronics Engineers. This one is a more commercial website, but also extremely important.

For example, I hope you have heard of VLAN tagging. If not, please read this Wikipedia link.
Anyhow, VLAN tagging is defined in the IEEE 802.1Q standard. For all the 802.1 standards you can follow this link. Those documents basically provide the same kind of information as the IETF’s.

Both IETF and IEEE are extremely important in current networks. I really suggest reading some of them to get an impression of what they are and what they do. I think it will give you great insight into the protocols and other network standards.

In fact, just a few days ago I actually used RFC 959, which describes the FTP protocol. So whether you’re an advanced or a novice IT professional, it really doesn’t matter. We all use them, and if not, we all should.
So since I got the feeling the RFCs don’t get the attention they should have, I felt I should bring them back to attention again.

May 16, 2010

Quite often I get questions about how you should configure your network cards for Microsoft ISA or Microsoft TMG server. Since there is a common misconception about this, I thought I needed to write something down about it. For the moment I will assume that you have configured your ISA/TMG server in a domain environment. Later on I might describe other scenarios where your network card configuration might differ.

First, let’s talk about the external network adapter. Of course, you would configure an IP address and a subnet mask, right? But after that, a lot of questions start to arise. Should I configure a default gateway on this adapter? Should I configure DNS servers on this adapter?
First, the default gateway. The default gateway is the device traffic is forwarded to when the machine can’t find a route to the destination IP address in its own routing table. Since adding the whole Internet to a static routing table isn’t a real option, you simply forward your traffic to the machine’s default gateway. This is usually your ISP router. So, to get back to the question of whether you should configure a default gateway on the external NIC: the answer is yes.

So what about the DNS configuration on your external network interface card? Since I assume your ISA/TMG is joined to a domain, this is a pretty important question. As you might know, DNS is a very important item within an Active Directory environment. Without a well-working DNS environment you might run into loads of problems, for example authentication issues. So what if you configure ISP DNS servers on your external interface, even if you configured DNS servers on your internal interface? There is a big chance that your ISA/TMG server will forward authentication requests to your ISP, and of course they don’t know anything about your domain infrastructure. So that would be useless. Actually, configuring DNS on the external interface is not necessary.

So to summarize, configure the following on the external network interface card:

  • IP address
  • Subnet mask
  • Default Gateway

(The image below is from a Windows 7 system but you get the idea)

External NIC Example

OK, and now we turn our attention to the internal network interface card.
Let’s skip the IP address and subnet mask topics and move on to the default gateway. First of all, you can only have one default gateway on your ISA/TMG server. Actually, this is true for many devices. But wait, I just said you should configure the default gateway on your external NIC, right? But what if you have multiple different subnets in your internal network? What if you have subnets like 10.10.1.0/24, 10.10.2.0/24 and 192.168.2.0/24? Well, those subnets should be added on the ISA/TMG server using static routes to your internal subnets. You can do this with the "route add" command. So no, we don’t add a default gateway on the internal network interface card.

(Example of a persistent route add command)

Persistent static route

But what about DNS? Remember I talked about authentication and stuff? You guessed it: you should add the internal DNS servers to your internal NIC. ISA/TMG is capable of authenticating AD users. Maybe Bob is allowed to use FTP, but Ken isn’t. These users need to be authenticated, and ISA/TMG will query the DNS servers to find the AD servers. So yes, DNS is needed.

OK, to summarize, you should configure the following settings on the internal NIC:

  • IP address
  • Subnet mask
  • Internal DNS servers

(The image below is from a Windows 7 system but you get the idea)

Internal NIC Example
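The persistent "route add" step and the external/internal NIC checklist above, as an added PowerShell example that is not part of the original post. It assumes the internal NIC sits on 10.10.1.0/24 with a router at 10.10.1.1 reaching the other two internal subnets, and that the adapter descriptions contain the words "External" and "Internal"; both are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumed: 10.10.1.0/24 is directly connected
# to the internal NIC, the other internal subnets are reached via 10.10.1.1, and the
# adapter descriptions contain "External" / "Internal".
$InternalNextHop = '10.10.1.1'
$InternalSubnets = @(
    @{ Network = '10.10.2.0';   Mask = '255.255.255.0' },
    @{ Network = '192.168.2.0'; Mask = '255.255.255.0' }
)

# Persistent (-p) static routes survive a reboot; this replaces a second default gateway
# on the internal NIC. Run from an elevated prompt.
function Add-InternalRoutes {
    foreach ($net in $InternalSubnets) {
        & route.exe add -p $net.Network mask $net.Mask $InternalNextHop
    }
}

# Audit the per-NIC settings the post recommends and return a list of deviations.
function Test-IsaNicConfig {
    param([string]$ExternalMatch = 'External', [string]$InternalMatch = 'Internal')
    $findings = @()
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $hasGateway = ($nic.DefaultIPGateway -ne $null) -and ($nic.DefaultIPGateway.Length -gt 0)
        $hasDns     = ($nic.DNSServerSearchOrder -ne $null) -and ($nic.DNSServerSearchOrder.Length -gt 0)
        if ($nic.Description -like "*$ExternalMatch*") {
            if (-not $hasGateway) { $findings += 'External NIC: default gateway missing' }
            if ($hasDns)          { $findings += 'External NIC: DNS servers set; remove them so AD lookups stay internal' }
        } elseif ($nic.Description -like "*$InternalMatch*") {
            if ($hasGateway)      { $findings += 'Internal NIC: default gateway set; only the external NIC should have one' }
            if (-not $hasDns)     { $findings += 'Internal NIC: no internal DNS servers configured' }
        }
    }
    # Every internal subnet that is not directly connected needs a persistent static route.
    $routes = @(Get-WmiObject Win32_IP4PersistedRouteTable)
    foreach ($net in $InternalSubnets) {
        $match = $routes | Where-Object { $_.Destination -eq $net.Network -and $_.Mask -eq $net.Mask }
        if (-not $match) { $findings += "Missing persistent route for $($net.Network) mask $($net.Mask)" }
    }
    return $findings
}

# Report deviations; an empty result means the NICs match the checklist in the post.
Test-IsaNicConfig | ForEach-Object { Write-Warning $_ }
```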

Well, we’re almost done. The last thing I would like to recommend is that you keep an eye on your network binding order. Make sure you keep your internal network at the top and your external network at the end. Anything in between should be your DMZ interfaces, if you have them.

Oh! I almost forgot to mention DMZ interfaces. The only thing you need to configure for a DMZ interface is an IP address and a subnet mask. Note: if you have multiple subnets behind the DMZ interface, make sure you add static routes for them, just like you may have done for the internal interface.

Well, this was a pretty long post but I hope that I made it clear how you should configure your network interface cards on your ISA/TMG servers!

Feb 16, 2010

A while ago Microsoft released a nice e-book (PDF) about TCP/IP Fundamentals. At the Petri forums I noticed that many engineers and admins have problems with networking or understanding it.

Well, at least I didn’t know Microsoft created this PDF, so probably others don’t know it either.
To download, click on this link.

It covers, for example, IPv4, IPv6, OSI, ARP, multicast, VPN and loads more.

The chapters are:
Chapter 1 – Introduction to TCP/IP
Chapter 2 – Architectural Overview of the TCP/IP Protocol Suite
Chapter 3 – IP Addressing
Chapter 4 – Subnetting
Chapter 5 – IP Routing
Chapter 6 – Dynamic Host Configuration Protocol
Chapter 7 – Host Name Resolution
Chapter 8 – Domain Name System Overview
Chapter 9 – Windows Support for DNS
Chapter 10 – TCP/IP End-to-End Delivery
Chapter 11 – NetBIOS over TCP/IP
Chapter 12 – Windows Internet Name Service Overview
Chapter 13 – Internet Protocol Security and Packet Filtering
Chapter 14 – Virtual Private Networking
Chapter 15 – IPv6 Transition Technologies
Chapter 16 – Troubleshooting TCP/IP
Appendix A – IP Multicast
Appendix B – Simple Network Management Protocol
Appendix C – Computer Browser Service

But check it out yourself!