Hi, I'm looking for a solution for the following problem: Our schoolnet (server and clients all w2k) is connected over a router to our citynet and from there to the internet. This works rather fine and we have no security problems. Unfortunately there are a number of restrictions, so we want to use an extra DSL connection for special use.
Is it possible with ISA to let the pupils use the standard gateway and the teachers (for example) use the new DSL connection? And further, can teachers switch between these connections, because some information is only available over the standard gateway?
Hi Stefan, I'm simply looking for a solution for my problem. Someone posted to me that the ISA server could be a solution, with its possibility of ARRAYS (I don't know what that means). So I wanted to ask someone who knows better before I study the documentation. The connection to our citynet is an internal route and runs with Citrix clients to the servers in the city.
Is the solution with the Citrix clients connecting to the servers in the city the only connection needed to the citynet? How is the current Internet access regulated? Is the Internet accessed only through the Citrix clients, or how is it done?
Hi Stefaan, as I described above, the normal way is using IE with a Citrix add-on to connect over a router to the citynet. But the security mechanisms are rather restrictive. Now we have an independent additional DSL line, which we want to use to connect to the internet. The goal is that we can decide who is allowed to use which connection.
As far as I understand your configuration, I would propose the following basic design:
    Internal --- [ISA] --- Internet
                   !
                   !
                   v
              to CityNet
This is a variant of a trihomed DMZ scenario. I often use this configuration when there is a second external connection to another partner network. The key point is that through the link to the CityNet only a limited set of destinations is reachable (you can't set a default gateway on the DMZ interface). In your case, it sounds like only the Citrix Metaframe should be reachable.
On ISA server you will have complete control over which users can access which destinations on the basis of user/group membership (Web Proxy and Firewall client) or IP address (SecureNAT client). Note that by default no communication is possible between the external interface (Internet) and the DMZ interface (CityNet). However, all Internet traffic (if allowed by the outbound access policy) will be directed through your own Internet connection (default gateway), unless some users are accessing the Internet through the Citrix client.
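The design described in the reply above can be modelled as a route lookup followed by a default-deny policy check. This is an added example in Python, not ISA Server configuration and not part of the original thread; the address ranges, the Citrix server address and the group names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not taken from the thread).
ROUTES = [
    # (destination prefix, egress interface)
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),       # the only default gateway: DSL line
    (ipaddress.ip_network("10.20.0.0/16"), "citynet"),     # static route, no default gateway here
    (ipaddress.ip_network("192.168.1.0/24"), "internal"),  # school LAN
]

# Outbound policy: (group, egress interface, allowed prefix; None means any destination).
CITRIX = ipaddress.ip_network("10.20.5.10/32")  # hypothetical Citrix server in the CityNet
RULES = [
    ("teachers", "internet", None),
    ("teachers", "citynet", CITRIX),
    ("pupils", "citynet", CITRIX),
]

def egress_interface(dst):
    """Pick the interface by longest-prefix match, as an IP routing table does."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def decide(group, dst):
    """Return (interface, allowed); traffic matching no rule is denied."""
    ifc = egress_interface(dst)
    addr = ipaddress.ip_address(dst)
    for rule_group, rule_ifc, rule_net in RULES:
        if rule_group == group and rule_ifc == ifc and (rule_net is None or addr in rule_net):
            return ifc, True
    return ifc, False

if __name__ == "__main__":
    samples = [("teachers", "203.0.113.7"), ("pupils", "203.0.113.7"),
               ("pupils", "10.20.5.10"), ("teachers", "10.20.9.9")]
    for group, dst in samples:
        print(group, dst, decide(group, dst))
```

In this model pupils have no direct Internet rule, so their only path out is the Citrix server in the CityNet, while teachers can use either connection.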