Howto: enable communication between a remote site and array members
Howto: enable communication between a remote site and a... - 13.Jul.2008 5:42:32 PM
author22
Posts: 12
Joined: 20.May2006
Status: offline
(x-posted to forums.technet.microsoft.com. Sorry to those who read both these great boards.)

Here are my humble thoughts about how to enable network communication between a remote site and all the array members (and vice versa). This is something which didn't work for me by default. Of course, there are not very many reasons why you may want to do this. In my case I wanted to use the ISA MMC in the remote site to manage my ISA configuration in the 'other' site.

In this example I have two sites — site A and site B. Site A has an array of several hosts running ISA Server Enterprise Edition. Site B may have only one ISA Server, which may be stand-alone Standard Edition or Enterprise Edition. Also, it may have an array running ISA Server Enterprise Edition, which may or may not be in the same Enterprise with Site A.

My goal here is to allow users in site B to connect to every member of the array in site A. It is not a big deal to connect to the 'active' member — the server which currently holds the VPN tunnel between sites A and B. But if we try to connect from site B to the other ('passive') members of the array in site A, it will not succeed by default. That is mainly because 'passive' members have a route relationship with remote sites via the 'Intra-Array' network. And this network has no relationships with any other networks by default.

So here's the detailed walkthrough. I've tried to make it as clear as possible. Sorry if it looks too obvious for you.

1. Add the 'Intra-Array' Network of site A to the 'Site B to Internal Network' Network rule in site A.

2. Add the 'Intra-Array' Network of site A to the 'Site B to Internal Network' Firewall rule in site A.

3. Add the 'Intra-Array' Network address range of site A to the 'Site A' Network definition in site B.

4. Here comes the tricky part. When you connect from a remote site to the Array members you cannot use their addresses that belong to the 'Internal' Network. This is because for 'passive' members of the array the route to the remote site goes through the 'Intra-Array' network. So when connecting to array members from a remote site you should use their 'Intra-Array' addresses. You might want to change the Array members' properties at 'Communication -> Remote Communication -> Use this IP address or computer name' and specify their 'Intra-Array' address in that field. This would make it possible to connect from a remote site, but at the same time you would lose connectivity to these hosts from the 'Internal' Network. This is because for all the Array members the route to the 'Internal' Network goes through their 'Internal' NICs. So when ISA Server receives a connection attempt from the 'Internal' Network to its own 'Intra-Array' address it gets confused, because it cannot properly respond (remember, it is supposed to talk to the 'Internal' Network using the 'Internal' NIC and its 'Internal' address). And as a result, the connection attempt is dropped as spoofed.

So, in order to keep it possible to connect to the Array members both from the remote site and from the 'Internal' Network, you cannot simply replace the 'Internal' address in the host's properties with the 'Intra-Array' one. The only workaround I found is to keep an FQDN there and make some change in the remote site. As I have only one machine in the remote site (my management workstation) which needs connectivity to all the Array members, I chose to edit that machine's Hosts file. I added there the Array members' FQDNs with their 'Intra-Array' addresses. Alternatively, if you have a number of machines in the remote site that need to communicate with all the Array members, you might want to implement the change described above using DNS instead of the Hosts records. But then you should take care to prevent replication of this change to the site where the Array members reside.

Any comments are highly welcomed. Are these ideas correct? Don't they violate some global concepts? Is there a better (e.g. simpler, clearer, more official, etc.) way to achieve the same goal? Thanks in advance!
< Message edited by author22 -- 13.Jul.2008 11:53:49 PM >
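The Hosts-file step from the post above, as an added example that is not part of the original post: it pins each array member's FQDN to its 'Intra-Array' address on the single site B management workstation, refuses an address outside the assumed Intra-Array range (using an 'Internal' address would recreate the original problem), and keeps the Hosts file free of duplicate entries. The FQDNs, the 192.0.2.0/24 range and the addresses are constructed placeholders.

```powershell
# Added example (not from the original post). Run elevated on the site B management
# workstation only; nothing here touches DNS, so the mapping cannot replicate to site A.
param(
    [string]$HostsPath     = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string]$IntraArrayCidr = '192.0.2.0/24',        # assumed Intra-Array range of site A
    [hashtable]$Members = @{                         # constructed FQDN -> Intra-Array address
        'isa01.sitea.example' = '192.0.2.11'
        'isa02.sitea.example' = '192.0.2.12'
    }
)

# True when $Ip falls inside the IPv4 network $Cidr (e.g. 192.0.2.0/24).
function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $toInt = {
        param($a)
        $b = [ipaddress]::Parse($a).GetAddressBytes(); [array]::Reverse($b)
        [bitconverter]::ToUInt32($b, 0)
    }
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

Copy-Item $HostsPath "$HostsPath.bak" -Force          # keep a backup before editing
$lines = @(Get-Content $HostsPath)

foreach ($fqdn in $Members.Keys) {
    $ip = $Members[$fqdn]
    if (-not (Test-InCidr $ip $IntraArrayCidr)) {
        # A 'passive' member is only reachable from the remote site on its Intra-Array
        # address; an Internal address here would silently reproduce the original failure.
        throw "$fqdn -> $ip is outside the Intra-Array range $IntraArrayCidr"
    }
    # Remove any earlier mapping for this FQDN so the entry is replaced, not duplicated.
    $lines = @($lines | Where-Object { $_ -notmatch "^\s*\S+\s+$([regex]::Escape($fqdn))(\s|$)" })
    $lines += "$ip`t$fqdn`t# ISA array member, Intra-Array address (site B management host only)"
}
Set-Content -Path $HostsPath -Value $lines -Encoding ASCII

# Check that the workstation now resolves each member to its Intra-Array address.
foreach ($fqdn in $Members.Keys) {
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object IPAddressToString
    Write-Host ("{0} -> {1}" -f $fqdn, ($resolved -join ', '))
}
```

The final loop resolves through the local stack, so it confirms the Hosts entries win over DNS on this workstation; the array members' own properties keep their FQDN, as the post describes.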
RE: Howto: enable communication between a remote site a... - 17.Jul.2008 9:08:03 AM
author22
Posts: 12
Joined: 20.May2006
Status: offline
Yes, generally RDP is a better choice. It is both easier to set up and faster in use. But we currently have five sites connected to each other via VPNs ('Full Mesh' topology). And my goal was to control all the arrays from a single console.