We have several VLANs, and the Firewall Client software disconnects after 2-3 minutes on all clients connected to other VLANs, excluding the client that is on the same VLAN as the ISA Server's internal interface. Because of the Firewall Client software disconnection, I implemented the Web Proxy client type. Any ideas to make my Firewall Client work in a VLAN environment? Thanks.
Thanks for the response. The switches are Nortel. All VLAN users don't log in to a domain. The ISA Server is standalone. A DOS batch file is defined on the ISA Server for VLANs 11 to 27, with a route -p add command for every VLAN. I uninstalled the Firewall Client software on the test machine that is on the same VLAN 10 as the ISA Server's internal interface, and after that installed it back. The result: it (the Firewall Client software) now disconnects like the rest of the VLANs. I guess something is wrong with the ISA Server's configuration with regard to the Firewall Client. Also, clients cannot access Hotmail e-mail via Outlook Express/Microsoft Outlook, but can access other external e-mail via Outlook Express/Microsoft Outlook; only Hotmail fails. Please help.
We use Extreme layer-3 switches on our internal network with a lot of VLANs and use DNS exclusively for automatic Firewall Client and Web Proxy client configuration. This is working great without any problem.
Are the Nortel switches layer-2 or layer-3 switches (with router function)?
We're using Nortel Business Policy Switches and a core layer-3 switch, the 8648 TXE. The VLAN users are set to DHCP, connecting to a DHCP/DNS server that is located remotely via a Nortel router P5430 remote office suite.
The key point is to put the ISA server on its own VLAN, preferably directly on the backbone switch. This greatly simplifies the routing. The default gateway on the backbone layer-3 switch should point to the ISA internal interface. On the ISA server, define a static persistent route for all not directly connected VLANs (you can probably aggregate them into one IP range) and use the IP address of the layer-3 switch on VLAN-0 as the gateway.
For more details, check out the article mentioned in my previous post.
Yes! The ISA server is connected directly to the core switch and belongs to its own VLAN (i.e. VLAN 10). An example of the persistent static routes on the ISA server: route -p add 192.168.11.0 mask 255.255.255.0 192.168.10.1 (these static commands are repeated up to the 192.168.27.0 VLAN, using 192.168.10.1 as the gateway). Of course all VLAN clients have their own gateway corresponding to their VLAN membership. Is my ISA server's routing method correct? Can you please give me an example of your proposed "aggregation of IP addresses" that has to be defined on the ISA server? Thanks a lot.
Some questions:
1) Can you reliably ping from each VLAN to the ISA internal interface and from the ISA server to all the VLANs?
2) Are all internal VLANs included in the LAT?
3) Is the default gateway in the backbone switch set to the ISA internal interface?
4) Is the default gateway on the ISA server *only* set on the external interface?
5) Is there any filtering or NAT done in the backbone switch?
Regarding the aggregation, let's take a simple example. Suppose you have reserved 192.168.0.0/16 in your network design as internal addresses. The ISA server's internal interface sits on 192.168.254.0/24 and all other VLANs are 192.168.X.0/24 with X = 0 up to and including 127. In that case you can define *one* static persistent route for 192.168.0.0/17, and this one aggregates all internal VLANs.
What's the difference between a "VLAN" and a network ID/network segment? AFAIK, ISA Server has no concept of "VLAN" -- it works at the network layer and above. VLAN is a layer-two concept, isn't it?
If not, why confuse things and say that you have "X, Y, Z on VLAN 1, 2, 3" when the proper nomenclature is "X is on network ID 192.168.1.0/24" and "Y is on network ID 192.168.25.0/24", etc.?
It would certainly make discussions of route summarization make more sense.
Virtual LAN (VLAN) technology is used to create logically separate LANs on the same physical switch. In addition, VLANs may be extended beyond a single switch through the use of trunking between the switches. The trunk allows VLANs to exist on multiple switches. To preserve VLAN information across the trunk, the Ethernet frame is 'wrapped' in a trunking protocol. This is sometimes called 'tagging'.
You are right to say that VLANing is done at layer 2 of the OSI network model, which means that a layer-3 device (router) is required to get traffic between VLANs (possibly a filtering device). Now, if you look into the admin guides of the so-called layer-3 switches, they always talk about VLANs and routing between VLANs. Therefore, from the point of view of those devices, you create VLANs and assign a network ID to those VLANs. So it is common in such an environment to use the term VLAN instead of network ID.
BTW, there exist NICs and drivers for Windows that understand the trunking protocol. Although I have never used them, I suppose they create a number of virtual interfaces in the OS so that the different VLANs are distinguishable from each other.
Excellent! Looks like something I need to study up on. I understand a large hospital here in the US had a problem with these "trunking protocols" recently, so it seems like a good time for me to learn about these things.
Hi Stefaan,
>> 1) Can you reliably ping from each VLAN to the ISA internal interface and from the ISA server to all the VLANs?
-- Yes.
>> 2) Are all internal VLANs included in the LAT?
-- Yes.
>> 3) Is the default gateway in the backbone switch set to the ISA internal interface?
-- Yes.
>> 4) Is the default gateway on the ISA server *only* set on the external interface?
-- Yes.
>> 5) Is there any filtering or NAT done in the backbone switch?
-- No.
Thanks for the info about route aggregation. In my situation, I have networks 192.168.11.x to 192.168.27.x/24. Now using route aggregation, my 17 static route entries (from 11 to 27) will be reduced to 3, as I write them:
- 192.168.11.0/24 (= 255.255.255.0 subnet mask)
- 192.168.12.0/22 (= 255.255.252.0 subnet mask)
- 192.168.24.0/21 (= 255.255.248.0 subnet mask)
If the not directly connected networks are 192.168.11.x/24 up to and including 192.168.27.x/24, you need *four* static persistent routes on ISA:
- 192.168.11.X/24 covering 11
- 192.168.12.X/22 covering 12 up to and including 15
- 192.168.16.X/21 covering 16 up to and including 23
- 192.168.24.X/22 covering 24 up to and including 27
Once the routing is set up correctly, it should work flawlessly unless you have DNS problems. I read in one of your previous posts that the DHCP and DNS server is located remotely via a Nortel router P5430 remote office suite. May I assume you mean through a WAN link? If that's the case, that doesn't sound like the ideal situation. Can't you put a DHCP/DNS server at the same site as the ISA server?
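The route aggregation discussed in the last few posts, worked through as an added example (my code, not something posted in the thread and not part of ISA Server): it computes the minimal CIDR aggregates for a contiguous run of /24 VLAN subnets, renders them as the persistent `route -p add` commands typed on the ISA server, and checks a candidate route list for subnets it fails to cover. The subnets 192.168.11.0/24 to 192.168.27.0/24, the ISA internal VLAN 192.168.10.0/24 and the gateway 192.168.10.1 come from the thread; the three-route list is the proposal from the earlier post, and the function and constant names are my own.

```python
"""Route summarization for not-directly-connected VLAN subnets.

Added example, not code from the thread. Subnets, gateway and the
three-route proposal are taken from the discussion; names are mine.
"""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network


def summarize(first_net: str, last_net: str) -> List[IPv4Network]:
    """Greedy CIDR summarization of the contiguous range first_net..last_net.

    Starting at the lowest address, emit the largest block that is both
    aligned at the current address and does not run past the last address,
    then continue from the end of that block. This is the standard algorithm;
    ipaddress.summarize_address_range in the stdlib does the same thing.
    """
    cur = int(ipaddress.ip_network(first_net)[0])
    end = int(ipaddress.ip_network(last_net)[-1])
    blocks: List[IPv4Network] = []
    while cur <= end:
        size = 1
        # Doubling is allowed while the block stays aligned and inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        prefix = 33 - size.bit_length()  # size == 2 ** (32 - prefix)
        blocks.append(ipaddress.ip_network(f"{ipaddress.ip_address(cur)}/{prefix}"))
        cur += size
    return blocks


def agrees_with_stdlib(first_net: str, last_net: str) -> bool:
    """Cross-check the hand-written algorithm against the stdlib."""
    first = ipaddress.ip_network(first_net)[0]
    last = ipaddress.ip_network(last_net)[-1]
    return summarize(first_net, last_net) == list(
        ipaddress.summarize_address_range(first, last))


def route_commands(routes: List[IPv4Network], gateway: str) -> List[str]:
    """Render aggregates as persistent Windows routes, as typed on the ISA server."""
    return [f"route -p add {r.network_address} mask {r.netmask} {gateway}"
            for r in routes]


def check_routes(candidate: List[str], wanted: List[str],
                 connected: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, too_wide).

    missing:  wanted subnets not contained in any candidate route.
    too_wide: candidate routes that also cover a directly connected subnet.
              Longest-prefix match still prefers the connected interface, but
              such an aggregate is wider than the design intends and should
              be reviewed before it is added.
    """
    cands = [ipaddress.ip_network(c) for c in candidate]
    missing = [w for w in wanted
               if not any(ipaddress.ip_network(w).subnet_of(c) for c in cands)]
    too_wide = [str(c) for c in cands
                if any(c.overlaps(ipaddress.ip_network(l)) for l in connected)]
    return missing, too_wide


# Values from the thread: VLAN subnets 11..27, ISA internal VLAN 10, gateway .10.1
WANTED = [f"192.168.{x}.0/24" for x in range(11, 28)]
CONNECTED = ["192.168.10.0/24"]
GATEWAY = "192.168.10.1"
THREE_ROUTE_PROPOSAL = ["192.168.11.0/24", "192.168.12.0/22", "192.168.24.0/21"]


def main() -> None:
    aggregates = summarize("192.168.11.0/24", "192.168.27.0/24")
    print("stdlib agrees:", agrees_with_stdlib("192.168.11.0/24", "192.168.27.0/24"))
    for cmd in route_commands(aggregates, GATEWAY):
        print(cmd)
    missing, too_wide = check_routes(THREE_ROUTE_PROPOSAL, WANTED, CONNECTED)
    print("three-route proposal misses:", missing)
    missing, too_wide = check_routes([str(a) for a in aggregates], WANTED, CONNECTED)
    print("four-route set misses:", missing, "too wide:", too_wide)


if __name__ == "__main__":
    main()
```

Running it prints the four `route -p add` lines (11.0/24, 12.0/22, 16.0/21, 24.0/22) and shows that the three-route proposal leaves 192.168.16.0/24 through 192.168.23.0/24 unrouted. The `too_wide` check is the caveat for the single-route case from the earlier example: an aggregate such as 192.168.0.0/17 is only safe when the ISA server's own interface sits outside it.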
Bldg. A components:
- ADSL router to ISP (Internet)
- Standalone ISA Server
- 17 VLANs of ISA clients (these clients never log on to a domain, but log on for Terminal Services via Citrix if required by users)
- Nortel router via Frame Relay, connecting to Bldg. B for DHCP and DNS
Bldg. B components:
- ADSL router to ISP (Internet)
- NO ISA Server
- Several VLANs of clients (a combination of peer-to-peer and client/server types)
- Domain Controller, Active Directory, DHCP, DNS
1) What device is protecting the internal network in building B?
2) Must each building have its own Internet connection, or do you want to have one central control for the Internet connection?
3) Why do the clients not log in to the domain?
4) Is the link between both buildings a very reliable high-speed link?
5) ...
Currently ISA knows only about building A as your internal network. However, your internal DNS server is in building B. This doesn't sound very logical to me!
Please give us some more information about what you want to achieve, because you will have to make some very fundamental decisions in your design.
Bldg. B is not under my jurisdiction; that's why I cannot answer all the queries accurately.
>> 1) What device is protecting the internal network in building B?
-- Trend Microsystem
>> 2) Must each building have its own Internet connection, or do you want to have one central control for the Internet connection?
-- At the moment, both Bldgs. have their own separate Internet access via an ADSL router.
>> 3) Why do the clients not log in to the domain?
-- Clients only log on to the domain via the Citrix Terminal Services software to access Intranet Mail and some applications. This setup is just temporary, because when the database system is finished all clients will only be using remote access via Citrix.
>> 4) Is the link between both buildings a very reliable high-speed link?
-- It's a Frame Relay link with 512k CIR.
>> "Currently ISA knows only about building A as your internal network. However, your internal DNS server is in building B. This doesn't sound very logical to me!"
-- Yes, ISA knows only Bldg. A as its internal network. The ISA Server is now acting as a secondary DNS, while the primary DNS is located at Bldg. B.
The goal that I'm trying to achieve at the moment is to have all VLAN clients in Bldg. A use the Firewall Client software, because the software disconnects after 1 to 2.5 minutes.
OK, it sounds like you should treat building B as another external location. Therefore, I would suggest the following configuration:
code:
VLAN-11 ---+
           !
     [switch L3] --- [ISA Server] --- Internet
           !              ^^^
           !
VLAN-27 ---+            VLAN-10
           !              !
DC/DNS/DHCP server        v
                       to Bldg B
In my opinion, the crucial part is that you run your own DC, DNS and DHCP server, so that you are completely independent of the network in building B. Next, the users should log in to your own local domain, otherwise you can't implement user/group-based access control. Also, it sounds like the clients in building A just need access to the Citrix servers in building B. If that's the case, you can place the Frame Relay connection to building B on a separate DMZ interface on ISA. This is another external interface, but without a default gateway. So you should define a static persistent route on ISA to the network IDs in building B.
In order to have a stable and well-working ISA server, it is absolutely necessary that you first have a solid internal DNS infrastructure. It is *not* a good idea to put a DC, DHCP or DNS server on ISA itself. So you should first set up an internal DC, DHCP and DNS server, and make the ISA server a member server of your internal domain in building A. Next, test, test and test again the DNS resolving for internal and external DNS names. I can't stress it enough: many problems with ISA Server are directly related to bad ISA interface configurations, routing problems and the lack of a solid DNS infrastructure.
How are the Firewall Clients configured? Can you resolve the ISA internal DNS name? Do you have a 'wpad' entry in your internal DNS server to auto-discover and configure the Web Proxy clients and Firewall Clients?