ISAserver.org Forums: ISA Server 2004 Firewall / Network Infrastructure

Clarifying Multi-internet connections
Clarifying Multi-internet connections - 20.Jun.2006 3:40:51 AM
krampot (Posts: 11, Joined: 20.Jun.2006)
Hello all,

I know there are several threads about working with multiple internet connections, and I realize that you cannot natively load balance between connections, etc with ISA 2004. I am aware of the RainWall/RainConnect product...

Please bear with me as I am an ISA newbie.

Ok to preface this post, I am basically redesigning my network infrastructure from SCRATCH. Currently I have 3 Netscreen firewalls independently connected to each of my 3 internet connections, and am planning to rip it all out and work with ISA.
So here goes:

I have 3 independent internet connections (for the purpose of I want certain types of traffic to use certain internet connections) and I am trying to figure out if I can use 1 edge ISA firewall on these connections. I do NOT need to load balance, auto-failover or anything real special. I strictly want traffic coming in and out of various parts of my internal network & DMZ to use a predetermined specific internet connection.

Reference network diagram at the bottom:
All internet traffic for my webservers, ftp server, etc would be incoming and outgoing from the internet connection labeled in purple.
All general internet traffic (browsing, etc) would use the yellow internet connection
I have an IP-PBX system which connects to other office sites via VPN through its own dedicated internet connection (blue)

My question is, can I get this to work correctly?? Can I set up static routes on the edge ISA server?
Please note that both of my ISA servers only have 2 NICs currently, and my plan is to use a back-to-back DMZ.

Please forgive my rudimentary network diagram... my head is running in circles trying to figure out how to set everything up.
I also have multiple site-to-site VPNs to set up within this infrastructure too, but I'll leave that for another thread.

Thanks for any help/ guidance you might be able to give.
Also, I have purchased Tom Shinder's ISA 2004 book and it's been very helpful thus far (particularly in the area of deciding to go with ISA =)

Post #: 1
RE: Clarifying Multi-internet connections - 23.Jun.2006 8:11:56 PM
tshinder (Posts: 47663, Joined: 10.Jan.2001, From: Texas)
Hi Krampot,

Unfortunately, this won't work. The reason for this is the ISA firewall supports at this time only a single default gateway. In order to get this to work, you would need to support multiple default gateways.

For example, the NIC that is handling the incoming connections needs a default gateway address to return the responses to Internet hosts. You can't create custom routing table entries to support the entire IPv4 space.

The same is true for the NIC that you want to use to forward the outbound access connections. Since you can't predetermine which route to use in advance, you have to depend on the default gateway configuration.

A solution to this problem would be policy based routing, but at this time the ISA firewall doesn't support PBR.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to krampot)
Post #: 2
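Tom's point above, as an added example that is not from the thread: a destination-only longest-prefix lookup with a single default route sends every reply to an Internet host out the same link, whichever interface the request arrived on, while a policy-based lookup keyed on the source address can pin replies to the link they belong to. All addresses (RFC 5737 ranges plus a constructed client address), interface names and the policy table are constructed for illustration.

```python
"""Single default gateway vs. policy-based routing (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str


# Constructed table: three WAN links, but only ONE default gateway (yellow),
# which is what the thread says the ISA firewall supports.
ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "on-link", "internal"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "on-link", "wan-purple"),  # server link
    Route(ipaddress.ip_network("203.0.113.0/24"), "on-link", "wan-yellow"),   # browsing link
    Route(ipaddress.ip_network("192.0.2.0/24"), "on-link", "wan-blue"),       # PBX link
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "wan-yellow"),    # the only default
]


def destination_lookup(dst: str, routes=ROUTES) -> Route:
    """Classic routing: longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


# Constructed PBR policy: pick the egress link from the SOURCE address, i.e. the
# public IP the reply leaves from, which no destination-based table can express.
PBR_POLICY = {
    ipaddress.ip_network("198.51.100.0/24"): "wan-purple",
    ipaddress.ip_network("192.0.2.0/24"): "wan-blue",
}


def policy_lookup(src: str, dst: str, policy=PBR_POLICY, routes=ROUTES) -> str:
    """Policy-based routing: a source rule wins, else fall back to the destination table."""
    s = ipaddress.ip_address(src)
    for prefix, iface in policy.items():
        if s in prefix:
            return iface
    return destination_lookup(dst, routes).interface


def reply_egress(client: str, server_public_ip: str, pbr: bool) -> str:
    """Link carrying the firewall's reply to an Internet client of a published server."""
    if pbr:
        return policy_lookup(server_public_ip, client)
    return destination_lookup(client).interface
```

Without PBR the reply to a client that connected via the purple (server) link is routed back out the yellow link, so the asymmetric flow breaks; with the source rule in place it returns on the purple link.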
RE: Clarifying Multi-internet connections - 24.Jun.2006 4:39:48 PM
tonygauderman (Posts: 107, Joined: 6.Feb.2006)
Are there any plans for future versions to support PBR??

I say PBR me ASAP!

In the meantime the only way to do PBR is on a router, which most likely means double NAT on at least 2 of your 3 internet connections (to help get all of your routers and the ISA on the same subnet)...


(in reply to tshinder)
Post #: 3
RE: Clarifying Multi-internet connections - 25.Jun.2006 4:27:36 PM
tshinder (Posts: 47663, Joined: 10.Jan.2001, From: Texas)
Hi Tony,

PBR has been submitted as a design change request. I don't know how they've prioritized it, though.

Tom

(in reply to tonygauderman)
Post #: 4
RE: Clarifying Multi-internet connections - 26.Jun.2006 6:49:24 PM
krampot (Posts: 11, Joined: 20.Jun.2006)
Tom, thank you for your response. I figured I was out of luck, but wanted to clarify.
I am going to have to figure out some type of parallel configuration since I have 3 connections coming into my main office.
As I mentioned, right now I use "simple" Netscreen firewalls; I may turn to the Netscreen/ISA article you wrote in response to that 1 forum post. My network architecture is very similar to that article's example, except that I am willing to remove the Netscreens for an all-ISA environment.

Back to the drawing board!

Thanks again.

(in reply to tshinder)
Post #: 5
RE: Clarifying Multi-internet connections - 26.Jun.2006 7:02:54 PM
krampot (Posts: 11, Joined: 20.Jun.2006)
1 other thought...

I realize this may not be the best forum for it, but maybe someone can help me.
I also have a new Watchguard Firebox X700 w/ Fireware Pro that I can use.
Does anyone know if this device supports multiple default gateways? I am not 100% sure from the documentation.

I could use this as my edge firewall in the back-to-back setup and of course use ISA 2004 as my inner firewall protecting the internal network....

Any advice/feedback is appreciated. Thank you.

(in reply to krampot)
Post #: 6
RE: Clarifying Multi-internet connections - 27.Jun.2006 3:45:26 PM
tshinder (Posts: 47663, Joined: 10.Jan.2001, From: Texas)
Hi Kram,

That would work or any other multi WAN link device in front of the ISA firewall. I've been using relatively inexpensive devices for most locations and they work fine with the ISA firewall. Just don't enable any filtering on the front-end device and let everything into and from the external interface of the ISA firewall.

HTH,
Tom

(in reply to krampot)
Post #: 7
RE: Clarifying Multi-internet connections - 27.Jun.2006 6:06:33 PM
lewinr (Posts: 9, Joined: 25.Jun.2006)
Tom, which "relatively inexpensive multi-WAN link devices" have you had good experiences with? 

(in reply to tshinder)
Post #: 8
RE: Clarifying Multi-internet connections - 27.Jun.2006 8:34:54 PM
krampot (Posts: 11, Joined: 20.Jun.2006)
FYI, after more investigation, the Firebox X700 does in fact support multi-WAN but is known to be a bit buggy: subpar performance and quirky with Failover mode & round robin "load balancing".

In addition, it does not support policy-based routing, so good luck trying to host a webserver, etc behind a multi-wan environment.
This will supposedly be supported in Fireware 9.0 which has an unknown release date....

So now I propose another possible solution, I'd like some feedback on.

I would keep my back-to-back scenario with ISA 2004 as my firewall for my internal network.
But I could have 3 "edge" firewall devices, each connecting to a WAN connection and each for a different purpose.
For example, I add another ISA 2004 firewall on the edge of my "Server Traffic" connection. I can reliably publish webserver, FTP servers etc though that.
For my "general browsing traffic connection" I could use the Firebox or Netscreen (I also have to terminate 6 site-to-site VPN connections on this pipe)
And for my IP/PBX connection I could use a left-over Netscreen.

So essentially I would have 3 edge devices as the outer edge of my back-to-back DMZ.
Now this poses a security question....
Am I truly at risk having these other devices on the edge of these connections, all with their "trusted" NICs sitting on the same DMZ segment?
What I mean by this is: if I simply set the policies on those devices to allow NO incoming connections from the internet to anything inside, is that safe?
100% of the traffic on the IP/PBX VOIP connection is through a VPN tunnel.
Is my "primitive" firewall device posing a security risk to the entire DMZ, even if NO ports are opened and no incoming traffic allowed through it?

Sorry for dragging this thread on... but hopefully this is helping some other forum members struggling with the Multi-WAN issue.

Thanks,

(in reply to lewinr)
Post #: 9
RE: Clarifying Multi-internet connections - 4.Jul.2006 4:10:40 PM
tshinder (Posts: 47663, Joined: 10.Jan.2001, From: Texas)
Hi Kram,

I could see it working with a FE ISA firewall that publishes services, because you can replace the source IP address with the IP address of the ISA firewall, so it makes the routing configuration transparent, and then your packet filtering devices in front of the back-end ISA firewall can be used for outbound access. Not sure what you can do with the VoIP device, as I don't know the routing requirements for it.

Tom

(in reply to krampot)
Post #: 10