ISA Server 2000 and DSL
David Fosbenner, MCSE, MCSA
ISA Server 2000 can be used with a DSL connection for internet access, provided you set it up correctly. DSL is different from other types of internet access because DSL uses Point to Point Protocol over Ethernet (PPPoE), which is not inherently supported by Windows 2000. Adding to the confusion are the various vendors who blame each other when things don’t work right.
This document will detail the steps, explain some pitfalls, and offer some troubleshooting tips. This document assumes Windows 2000 Professional at the client, but will reference other OS settings where possible. This document assumes Windows 2000 SP3 at the server and client and ISA SP1.
Part I – The DSL Connection
- Set up your DSL connection
Your DSL line may share the same physical line as a telephone line, in which case you’ll need a splitter at the wall jack to separate the DSL and POTS (plain old telephone service) lines. If you have this shared configuration, you will need to install a filter on the POTS line, then plug your phone line into the filter. DO NOT install a filter on the DSL line.
Your DSL modem will have an ethernet port and a DSL line port. Use a standard telephone cord to connect the DSL modem’s DSL line port to the DSL wall jack (or splitter, if the line is shared).
Using an ethernet patch cable (straight-through), connect the DSL modem’s ethernet port to the external NIC in your ISA server.
Your ISP may supply the DSL modem, splitter, filter, and phone cord, which certainly makes things easier. If you’re going to share the DSL internet access among multiple PCs, the ISP will expect you’re going to connect the DSL modem to a router. Tell them you’re using Microsoft ISA Server 2000 and they’ll all but hang up on you – "it’s not a supported configuration." Ignore them and press on! You can separate and test the DSL connection prior to doing anything with ISA, so don’t let them intimidate you.
When you’ve got everything connected, you should have status lights on your modem that indicate everything is a go. If the status lights don’t indicate a good DSL signal, you’ll need to resolve that with your ISP before proceeding any farther.
- Install the DSL software
In my configuration, the ISP (Verizon) supplied software called "WinPoet" (the Poet being a clever usage of the PPPoE acronym), which is from Fine Point Technologies, supposedly the leader in PPPoE software. The purpose of the WinPoet software is to create a virtual device on your server which will allow you to establish a PPPoE connection with dialup networking. WinPoet is a simple install with no parameters – install it (or whichever software you were supplied with) on the ISA server and reboot. After reboot, you should have a dialup networking entry for your DSL ISP.
- Connect !
Double-click the dialup networking icon – make sure you enter the username and password supplied by your ISP, and connect. It should authenticate and connect in a matter of seconds. If you are having any problems connecting at this point, it has nothing to do with ISA. In fact, you don’t even need to have the ISA services running at this point – all we’ve done so far is establish a dialup connection, much the same as you would with a standard modem.
If you have connection problems, now’s the time to call your ISP and work them out. No need to tell them you’re using ISA, you really aren’t yet, you’re just trying to do a standard dialup connection to their network.
Verizon has a cool website at www.ba-hss.com that can be used to test the speed of your internet connection, DSL or otherwise, which you can use to see if you’re getting the bandwidth you paid for. Once you’re connected and satisfied with the connection speed, it’s time to set up ISA.
Part II – Setup ISA Server 2000
Install an external NIC in your ISA Server and set it to automatically detect the IP address and DNS (the default). It’s also a good idea to determine the link speed and duplex setting for the DSL modem, and manually set these on your external NIC. In my case, it was 10MB/Half-duplex. Leaving this setting on Auto can sometimes cause problems.
Get yourself a copy of Microsoft Q296534, "How to Configure ISA Server to Use a PPPoE Connection" and follow the steps. (I won’t repeat it here to avoid discrepancies). It will direct you to 1) add a dialup entry to ISA and 2) configure the routing to use it.
To test the ISA / DSL setup, manually disconnect the dialup networking connection at the ISA server, if connected. Now go to a workstation that is an ISA client and pull up a web page. The request should be handed to ISA, which will establish a dialup connection, and you should get the web content quickly. BUT WAIT !!! You’re not done yet.
Part III – Configure the MTU Size
- Understanding the MTU
The Maximum Transfer Unit (MTU) is defined in Q140375 - "Default MTU Size for Different Network Topology" (Win9x/NT/2000/WFW). See Q314496 for WinXP. Ethernet uses an MTU size of 1500. PPPoE uses an MTU anywhere from 1400-1480, depending on your ISP. If you don’t set the MTU correctly, you will be unable to send email, and may experience other problems.
- Find Your MTU Size
Determine the MTU size that you need using this command from the ISA server:
ping -f -l 1400 <internet host>
In the above command, the -f parameter prevents the packet from being fragmented – this will allow you to determine the maximum packet size that can go out without fragmentation. The -l parameter allows you to set the buffer size. (Use ping /? for details). In the above command, we used 1400, which should work, and you should get replies back.
Repeat the above command with an increased buffer size, and keep increasing it until you find the maximum buffer size that will successfully ping. On my configuration, the magic number was 1432. Voila – this number is the MTU size for PPPoE. If I use 1433, PPPoE can’t handle it, and the ping fails.
In actuality, there are 28 bytes of overhead that are tacked on to the number above, so my PPPoE setup can handle 1432+28, or 1460. To test this out, try this from a workstation and ping a server on your network:
ping -f -l 1472 <server on your network>
(This is 1472+28, or 1500, the maximum for ethernet.)
ping -f -l 1473 <server on your network>
(This will fail because it’s 1501, which exceeds the ethernet MTU.)
- Change the MTU Size
Once you’ve determined what MTU size you need, you must set the MTU size in the registry on ALL YOUR WINDOWS CLIENTS. (If you plan to send email on the ISA server, you’ll need to set it on the external interface there too). See Q120642 – "TCP/IP and NBT Configuration Parameters for Windows 2000 or Windows NT" (Q314053 for WinXP). This setting needs to be done in the registry for the network card (a.k.a. the interface) that is being used to communicate with ISA. Since most workstations have one NIC, this is a no-brainer. If you want to make this setting on your server, however, you’ll need to determine which interface corresponds to which NIC. (According to Microsoft, it may be possible to configure the MTU size at the network switch instead of each workstation, but I haven’t tried it).
Be aware that in Win2000 and later, the location in the registry for the MTU is different than in earlier versions. You’ll have to create the MTU entry since it’s not there by default. It’s of type REG_DWORD. Make sure you set the value to decimal before entering the value, otherwise it will be interpreted as hex.
- REBOOT after making the MTU change
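The search described under "Find Your MTU Size", automated as an added example (not from the original article or from Microsoft): it binary-searches the largest ping -f -l buffer that still gets a reply, adds the 28 bytes of overhead, and shows the same value in the hex form a .reg file uses. The function names are hypothetical, the simulated 1460-byte link is constructed to match the article's 1432 result, and -n 1 is the standard Windows ping count switch.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IP header + 8-byte ICMP header (the page's "28 bytes")


def windows_ping_probe(host):
    """Build a probe that sends one 'ping -f -l <size>' to host (Windows ping syntax)."""
    def probe(size):
        cmd = ["ping", "-f", "-l", str(size), "-n", "1", host]
        result = subprocess.run(cmd, capture_output=True, text=True)
        # Require a TTL= line so only a real echo reply counts as success.
        return result.returncode == 0 and "TTL=" in result.stdout
    return probe


def simulated_probe(path_mtu):
    """Constructed stand-in for a link: a packet passes only if it fits path_mtu."""
    return lambda size: size + IP_ICMP_OVERHEAD <= path_mtu


def largest_unfragmented_payload(probe, low=1200, high=1472):
    """Binary-search the largest ping buffer size that gets a reply with DF set."""
    if not probe(low):
        raise RuntimeError(f"{low}-byte ping fails; fix basic connectivity first")
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid        # mid fits: the answer is mid or larger
        else:
            high = mid - 1   # mid needs fragmenting: the answer is smaller
    return low


def mtu_from_payload(payload):
    """Add the IP and ICMP headers back to get the MTU value for the registry."""
    return payload + IP_ICMP_OVERHEAD


def reg_dword(value):
    """Format a decimal value the way a .reg file stores a REG_DWORD (hex)."""
    return f"dword:{value:08x}"


if __name__ == "__main__":
    # Swap in windows_ping_probe("<internet host>") to test a real connection.
    payload = largest_unfragmented_payload(simulated_probe(1460))
    mtu = mtu_from_payload(payload)
    print(f"max payload {payload}, MTU {mtu}, .reg value {reg_dword(mtu)}")
```

The hex output is the reason for the decimal warning above: 1460 decimal is 5b4 hex, so typing 1460 into a hex field would store a different value.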
Are you still with me? You’re DONE. You should now be able to web browse, send, and receive email from your ISA clients over your DSL line. The dialup entry on the ISA server should stay there even when the network is idle. Some DSL modems have a setting to disconnect after a certain period of idle time, however ISA will reconnect on demand, so this shouldn’t be noticed by the clients.
Are you still here? Uh oh. Troubleshoot things in a modular way:
Is the physical DSL connection working?
You should have indicator lights on the modem that show a connection to the DSL network (even if you’re not connected using dialup networking). On my modem, a Westell 2100, this is in the form of a steady green READY light. If it’s flashing, there’s a line issue. You can call your ISP and have them run tests from their location. In fact, they can actually read the MAC address of your NIC in the ISA server from where they are. Creepy!
Can you establish a dialup networking connection?
If you can’t establish a dialup networking connection, forget ISA for the time being and focus on that. Do you have the correct username and password? I’ve had scenarios where I needed to go into Services on the Windows 2000 server and stop the WinPoet service (which makes it disappear), then relaunch the service and start it. I guess it can get hung up like any other service can. A server reboot is always a consideration when troubleshooting, though not a pleasant one. Power cycling the DSL modem is also worth trying. Do the Link Speed and Duplex settings of your external NIC match those required for the DSL modem? Work with your ISP to establish a dialup networking connection.
Take ISA out of it.
Once you’re connected via dialup networking, stop the ISA services, and configure your server to use the external NIC as the default gateway. Disable any proxy settings in your web browser - you should be able to surf the web. If you can, then your DSL connection is working, so turn the focus to ISA. Review the ISA settings in Part II, above. You shouldn’t need to adjust the MTU setting to web browse, so don’t be distracted by that.
Don’t forget things like Packet Filters, Site and Content Rules, Protocol Rules, etc., since these can prevent internet access if not set up properly.
DSL is an inexpensive technology that provides high speed internet access which can be shared in a small workgroup, satellite office, home, and so on. It can even be used as a secondary connection to the internet should the primary connection in ISA fail. DSL integrates nicely with ISA Server once you connect all the pieces, and it is a technology that’s here to stay.
-David Fosbenner, MCSE NT/2000, MCSA
Sr. IT Administrator, Eastern Alloys, Inc.