Communicating two private subnets

Communicating two private subnets - 27.Dec.2005 11:24:25 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi all,

I have a doubt about ISA Server. I am interested in using it to communicate two private subnetworks (which have the same domain of IP addresses, so machine 1 in subnet A can have the same address as machine 2 in subnet B, so VPN is not my solution). Both subnets have an ISA Server machine behind them. The private clients want to communicate from one subnet to the other, asking for a specific application, having only the FQDN of the destination machine. So, is it possible that ISA Server makes the changes in the packet to send the message to the machine? It would be like inspecting the application layer, observing the name and changing the IP address to the private IP address of the destination machine. Could it be possible?

Thank you, Merry Christmas!!

RE: Communicating two private subnets - 27.Dec.2005 2:49:47 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

Merry Christmas! You could possibly do this with publishing rules. Are the private networks located in different places on the Internet?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Communicating two private subnets - 28.Dec.2005 3:49:28 PM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Thanks for your immediate reply. The situation is this: I have two different private networks in two different places; each one has an ISA Server machine as boundary. The private machines (for example, a.domain1, b.domain1, a.domain2, b.domain2) want to communicate with the machines in the other private network (a specific application, not web), but as they have private dynamic addresses (DHCP), what they know is the FQDN. Example: a.domain1 wants to connect to a.domain2. The things that are known are: the IP addresses of the ISA Server machines (public addresses) and the FQDNs of the machines inside the private networks. We want the ISA Server machine to read the FQDN in the application layer and redirect the packet to a.domain2. I hope I have explained myself correctly.

Thank you,

RE: Communicating two private subnets - 28.Dec.2005 7:14:02 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

You can use Server Publishing Rules and Web Publishing Rules, or you can use a site-to-site VPN. However, if you use a site-to-site VPN, you will need to configure DNS on each side so that name resolution is done correctly. What type of connections do you want the hosts to have? What protocols?

Thanks!
Tom
RE: Communicating two private subnets - 29.Dec.2005 8:56:38 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi! I want to establish TCP/IP connections for specific applications. If you have a site-to-site VPN at each site, can you have the same private IP addresses? I mean (a.domain1 10.0.1.2 and b.domain2 10.0.1.2). What I understand from server publishing rules is that you have to bind a protocol element (an internal IP address, protocol and port) to an external IP address of the ISA Server, but I want to have different machines receiving the requests for the same application (same protocol, same port).

Thanks,
Ana Bea

RE: Communicating two private subnets - 31.Dec.2005 6:19:26 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana Bea,

No, for site-to-site VPNs, you have to have each network be on a different network ID. That's why I would recommend Server and Web Publishing Rules. However, before giving you definitive guidance, I'd like to know what protocols/applications you want to publish.

HTH,
Tom
RE: Communicating two private subnets - 2.Jan.2006 11:06:28 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

HAPPY NEW YEAR!!!

What I want is to publish applications over TCP, but applications developed by us to control specific devices, so the application layer is up to us. This is the topology we are thinking of, and we want the gateways to be ISA Server features.

    Client A or B or C     Gateway G1          Gateway G2        Destination D or E or F
    +-----------+          (Server 1)          (Server 2)
    |Application|
    +===========+        +-------------+     +-------------+     +-----------+
    |*SOCKS Lib*|        | *Gateway1*  |     | *Gateway2*  |     |Application|
    +===========+        +=====---=====+     +=====---=====+     +-----------+
    | Socket DNS|        | Socket DNS  |     | Socket DNS  |     | Socket DNS|
    +-----------+        +-------------+     +-------------+     +-----------+
    | [ IPv X ] |        |[IPvX]|(IPvY)|     |(IPvY)|{IPvZ}|     | { IPv Z } |
    +-----------+        +-------------+     +-------------+     +-----------+
    |Network I/F|        | Network I/F |     | Network I/F |     |Network I/F|
    +-----+-----+        +---+-----+---+     +---+-----+---+     +-----+-----+
          |                  |     |             |     |               |
          +==================+     +=============+     +---------------+
             socksified              socksified             normal
             connection              connection           connection
            (ctrl)+data             (ctrl)+data            data only

Figure from (RFC 3098, about SOCKS proxy version 5)

So that, client A (10.1.1.2), B (10.1.1.3) or C (10.1.1.4) and destination D (10.1.1.2), E (10.1.1.3) or F (10.1.1.4) are private machines in different networks with the same configuration in the DHCP server. The gateways have two interfaces: one (10.1.1.1 and 163.2.5.6) and the other (10.1.1.1 and 168.2.5.9). We want to connect

RE: Communicating two private subnets - 2.Jan.2006 3:16:06 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

OK, but you need to be aware that the ISA firewall does not support SOCKS 5. The reason for this is that the ISA firewall has a generic Winsock proxy client called the Firewall client, which is far more flexible and easier to manage than SOCKS 5. So, SOCKS really isn't an issue here and you won't need it.

However, what I do need to know is: what protocols are you working with? For example, are the clients going to connect to the destination servers using any of the following protocols: HTTP, HTTPS, DNS, SMTP, NNTP, POP3, IMAP4, SMB/CIFS, or some other protocol? This is the information I need to know.

Thanks!
Tom
RE: Communicating two private subnets - 3.Jan.2006 8:54:20 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi Tom,

The problem is that what I am looking for is a solution independent from the protocol. We are software developers and some of our applications are over non-commercial protocols, and we want to connect these applications from one site to another. Maybe ISA Server is not the solution for our problem; we are investigating other possibilities too.

Thank you,
Ana Bea

RE: Communicating two private subnets - 3.Jan.2006 3:54:34 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

OK, so you need to support custom protocols. As software developers, let me give you some very useful advice: firewalls in general do not like secondary connections. Secondary connections make life miserable for firewall administrators who try to gain tight control over both inbound and outbound access.

Tom
RE: Communicating two private subnets - 4.Jan.2006 12:11:16 PM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Thanks for everything, Tom. I will go on searching for a solution to my problem with other products, or I will construct a custom proxy and clients.

Ana Beatriz Solana

RE: Communicating two private subnets - 4.Jan.2006 7:17:15 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

Let us know what you finally decide upon, as I'd like to compare your final solution with what the ISA firewall can provide. I suspect that the ISA firewall can do what you want it to do, but it might be easier to explain if I can contrast that with other options you're considering.

Thanks!
Tom
RE: Communicating two private subnets - 5.Jan.2006 10:28:52 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi again,

Sure, I will inform you if I find a solution. I have one last question: as ISA Server doesn't support SOCKS version 5, clients couldn't delegate the FQDN resolution, could they? I think that with port mapping the solution is easy; the problem is that we want to avoid that solution, we prefer something that resolves domain names.

Thank you,
Ana Beatriz Solana

RE: Communicating two private subnets - 5.Jan.2006 6:20:33 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

For both Web proxy and Firewall clients, the ISA firewall performs name resolution on behalf of the client operating system. So, yes, you can offload name resolution to the ISA firewall. You also get user authentication for Web proxy and Firewall clients.

HTH,
Tom
RE: Communicating two private subnets - 9.Jan.2006 11:31:12 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi again Tom,

I am again sure that I could do what I want simply with ISA Server. Exactly what I want to do is described in RFC 1919 in 3.2.6 (in the last part, which talks about interconnection of conflicting IP networks, with several networks with the same number). Is ISA Server functioning as a classical proxy or a transparent proxy? Can I publish a server rule where the destination is not specified? Opening port 1021 in both interfaces and establishing connections in this way, based on domain names:

                  proxy session                    proxy session
    a.dmn1 --------------------> ISA SERVER 1 --------------> ISA SERVER 2 -------------> b.dmn2
            packet to isa server1          packet to isa server2        packet to b.dmn2
                  to b.dmn2                      to b.dmn2

Thank you again.
Ana Beatriz Solana

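Added example, not code from the thread, from ISA Server or from the RFCs it cites: a SOCKS5 CONNECT request that carries the destination as an FQDN (RFC 1928 address type 0x03), which is how a client delegates name resolution to the proxy as asked a few posts above, followed by the per-gateway decision of the two-proxy chain sketched in the post above. The suffixes dmn1/dmn2, port 1021 and the public gateway addresses reuse values from the thread; the route() helper is a hypothetical gateway policy, not an ISA Server feature.

```python
from __future__ import annotations
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_DOMAIN = 3   # RFC 1928: destination given as a domain name, not an IP


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request that addresses the target by FQDN.

    The client never resolves host itself; the proxy that receives the
    request does, which is what "delegating FQDN resolution" means."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("domain name must be 1..255 bytes")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def parse_connect_request(data: bytes) -> tuple[str, int]:
    """Decode a CONNECT request, accepting only the domain-name address type.

    An IPv4 literal such as 10.1.1.2 is ambiguous when both sites hand out
    the same DHCP range, so a gateway in this scenario must refuse it."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if data[3] != ATYP_DOMAIN:
        raise ValueError("only domain-name destinations are accepted")
    n = data[4]
    if len(data) != 5 + n + 2:
        raise ValueError("truncated or oversized request")
    host = data[5:5 + n].decode("idna")
    (port,) = struct.unpack("!H", data[5 + n:])
    return host, port


def route(data: bytes, local_suffix: str, peer_gateway: str) -> tuple[str, str, int]:
    """Hypothetical gateway decision for the two-proxy chain (assumed policy).

    Names under this site's own suffix are resolved here against local DNS;
    any other name is relayed, still by name, to the peer gateway's public
    address, which resolves it inside its own private network."""
    host, port = parse_connect_request(data)
    if host.lower().endswith("." + local_suffix.lower()):
        return ("resolve-locally", host, port)
    return ("forward-to-peer", peer_gateway, port)
```

Because the request is relayed by name, the two sites may reuse the same 10.1.1.0/24 range: only the last gateway turns b.dmn2 into a private address, and only within its own network.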
RE: Communicating two private subnets - 9.Jan.2006 6:10:54 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

The ISA firewall can act as both classical and transparent proxy. What's important is to understand your scenario precisely. From what I can tell, server publishing rules will work fine out of the box for simple protocols. For complex protocols, you'll need to create an application filter to handle multiple primary and secondary connections to keep it a transparent proxy.

HTH,
Tom
RE: Communicating two private subnets - 12.Jan.2006 12:23:33 PM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi Tom,

I am searching for the solution using application filters. I found one filter design that implements SOCKS version 5 that I think solves my problem. I suppose that what I have to do is to allow that type of packets to pass at the IP layer, and then they will go through my application filter, so maybe I need to put an IP packet filter first, or is enabling the application filter enough? If I check it and it works, I'll tell you.

Thank you,
Ana Beatriz Solana

RE: Communicating two private subnets - 12.Jan.2006 7:18:36 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

Let me know what you find out. Keep in mind that the Firewall client does everything a SOCKS5 filter will do and much more, and you don't even need to manually configure the applications.

HTH,
Tom
RE: Communicating two private subnets - 13.Jan.2006 11:47:33 AM
ana_beatriz
Posts: 20
Joined: 27.Dec.2005
Status: offline

Hi Tom,

I am looking for more information about the firewall service and the firewall client, and it could be another possibility for my problematic scenario. One question: can the computer running as ISA Server be a firewall client at the same time? I mean, ISA Server could be a client of other servers, so what I need is the ISA Server to be a client of another ISA Server to communicate socket applications, for example?

Thank you,
Ana Beatriz Solana

RE: Communicating two private subnets - 16.Jan.2006 3:33:51 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ana,

Yes, that is possible. When the ISA firewall acts as a Firewall client to another ISA firewall, that is referred to as "Firewall chaining", and you can configure Firewall chaining in the ISA firewall console.

HTH,
Tom