Multiple VPNs, single server
Multiple VPNs, single server - 1.Jun.2004 9:07:00 PM
RandyM
Posts: 29
Joined: 14.Mar.2003
I would love to be able to publish, say, 4 IP addresses and have them all available for VPN connections. I could have 4 separate networks internally and you would be directed to each one depending on which IP address you connected to, including getting an address from a DHCP server on that particular network. I run a lot of development networks and the developers are always wanting access via VPNs, and I hate having to run a lot of ISA boxes.
It would be great to have Layer 3 switching between the different segments care of ISA.
RE: Multiple VPNs, single server - 2.Jun.2004 12:07:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Randy,
Could you get the same level of access control by creating user/group rules from the VPN Clients Network and allowing users access to the appropriate network based on group membership?
Thanks! Tom
RE: Multiple VPNs, single server - 2.Jun.2004 9:05:00 PM
RandyM
Posts: 29
Joined: 14.Mar.2003
I'll have a look at that. Would it go so far as to allow the remote machine to get an address from a DHCP server on that network? I would like to have as many as 6 separate physical networks with a DHCP server on each.
RE: Multiple VPNs, single server - 3.Jun.2004 2:31:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Randy,
It won't do that. All VPN clients will be assigned addresses from the same DHCP server. However, the VPN clients are placed on their own "virtual" network, called the "VPN Clients Network". You can then control all communications from hosts on the VPN Clients Network to any other network (including other hosts on the VPN Clients Network), based on user/group membership. So, while all the VPN clients are on the same virtual network, they only have access to resources on the network segments that they are allowed access to, based on the Access Rules you create.
HTH, Tom
RE: Multiple VPNs, single server - 3.Jun.2004 5:19:00 PM
RandyM
Posts: 29
Joined: 14.Mar.2003
I'm running multiple ISA servers now to meet the needs of the different addressing schemes. Each has a NIC on the local network so that the resources can be accessed without having to VPN in from outside. It isn't a bad solution; in fact it works really well. It would have been nice to be able to take it one step further.
*it's all fixed in the next version*
RE: Multiple VPNs, single server - 4.Jun.2004 6:47:00 AM
RandyM
Posts: 29
Joined: 14.Mar.2003
I found a way to do what I want *sort of*. I'm installing ISA on 6 virtual machines and attaching the inside nics to the interface that connects to individual networks. I gave each one an outside address and set up VPN access. It works rather well.
RE: Multiple VPNs, single server - 4.Jun.2004 11:44:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
quote: Originally posted by RandyM: I'm running multiple ISA servers now to meet the needs of the different addressing schemes. Each has a NIC on the local network so that the resources can be accessed without having to VPN in from outside. It isn't a bad solution; in fact it works really well. It would have been nice to be able to take it one step further.
*it's all fixed in the next version*
Hi Randy,
Good to hear you came up with a solution. I have to admit, I'm not sure what the design goal is here that requires different IP addresses, since you have the strong user/group based access controls that control all traffic from the VPN Clients Network to any other network.
Thanks! Tom
RE: Multiple VPNs, single server - 4.Jun.2004 11:45:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
quote: Originally posted by RandyM: I found a way to do what I want *sort of*. I'm installing ISA on 6 virtual machines and attaching the inside nics to the interface that connects to individual networks. I gave each one an outside address and set up VPN access. It works rather well.
Hi Randy,
That's a creative solution! But I would do it with a single address range, and then strong user/group based access control to control all traffic between the VPN Clients Network and any other network that the ISA firewall can reach.
Thanks! Tom
RE: Multiple VPNs, single server - 7.Jun.2004 5:34:00 PM
RandyM
Posts: 29
Joined: 14.Mar.2003
The reason for this is the need to access multiple Active Directories on multiple subnets. Each one is independent, and the user connecting needs to have an address assigned to them that will give them access to the AD resources, DNS and domain specific. These networks are built to emulate production environments and have to remain completely separate. That's why I need to simulate multiple unique and independent VPNs.
RE: Multiple VPNs, single server - 8.Jun.2004 12:10:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Randy,
Ah! OK, that makes sense.
Thanks! Tom
RE: Multiple VPNs, single server - 10.Jun.2004 8:43:00 PM
senad
Posts: 31
Joined: 27.Nov.2001
From: Brighton, MA
Hi Randy, I ran into the same problem, having two independent companies connected to the same ISA firewall. I would like to see an option in ISA 2004 to create multiple (independent) VPN listeners where each VPN client connects to assigned subnet.
However, as Tom emphasized, VPN-assigned addresses are completely isolated from the rest of the network(s) as well as from one another, and are subject to their own set of firewall rules. This results in much better security:
1) Clients are quarantined after VPN link is established and only given access to resources once all rules are matched.
2) You can fine-tune the permissions and selectively define which resources / networks can be accessed by VPN clients or even each individual VPN user instead of just dropping them on the local subnet as with usual RRAS.
3) Being on their own /24 subnet, remote clients are not able to initiate any man-in-the-middle exploits in case an account gets compromised.
Considering your problem, there are some possible work-arounds. The simple way is to install RRAS on a server in each network and publish them through ISA. Not as secure, and you will need a public IP address for each VPN, but it does exactly what you need it to do. You can also install a RADIUS server on a domain controller in each domain and configure ISA VPN to query them for authentication, and then overwrite the DNS setting in the VPN client to point to the correct DNS server for the given domain. Then create rules allowing all outgoing traffic to individual networks based on user account. This should do the trick unless you need to be able to listen to network broadcasts.
I hope this helps, Senad
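Tom's design (one VPN Clients Network, with user/group Access Rules deciding which segment each client may reach) and Senad's workaround (a RADIUS server per domain, the client's DNS pointed at that domain's server, and per-user rules) can be sketched together as a small policy model. The Python below is an added example written for this page; it is not ISA Server code and was not posted by anyone in the thread. The domain names, subnets, group names, accounts and the VPN address pool are all made up, and the RADIUS and DNS steps are modelled as lookups rather than real network exchanges.

```python
import ipaddress
from typing import Optional

# Address pool that the single DHCP server hands to every VPN client (assumed).
VPN_CLIENTS_NET = ipaddress.ip_network("10.255.0.0/24")

# Constructed lab domains. Each has its own segment and a DC that doubles as
# the domain's DNS and RADIUS server. Membership in VPN_GROUP within a domain
# grants VPN access to that domain's segment and nothing else.
DOMAINS = {
    "laba.test": {"netbios": "LABA", "subnet": "10.1.0.0/24", "dc": "10.1.0.10"},
    "labb.test": {"netbios": "LABB", "subnet": "10.2.0.0/24", "dc": "10.2.0.10"},
    "labc.test": {"netbios": "LABC", "subnet": "10.3.0.0/24", "dc": "10.3.0.10"},
}
NETBIOS_TO_REALM = {d["netbios"]: realm for realm, d in DOMAINS.items()}
VPN_GROUP = "VPN Users"

# Constructed group membership, keyed by canonical user@realm.
GROUP_MEMBERSHIP = {
    "alice@laba.test": {"VPN Users", "Domain Users"},
    "bob@labb.test": {"VPN Users"},
    "carol@labc.test": {"Domain Users"},   # valid account, not in the VPN group
}


def split_realm(username: str) -> Optional[tuple]:
    """Return (user, realm) for user@realm or NETBIOS\\user, else None.
    A name with no realm is rejected: there is no way to pick a RADIUS server."""
    if "@" in username:
        user, _, realm = username.rpartition("@")
        realm = realm.lower()
    elif "\\" in username:
        netbios, _, user = username.partition("\\")
        realm = NETBIOS_TO_REALM.get(netbios.upper())
    else:
        return None
    if not user or not realm:
        return None
    return user.lower(), realm


def radius_server_for(username: str) -> Optional[str]:
    """Address of the domain RADIUS server the Access-Request is forwarded to,
    or None when the realm is unknown (the request is refused, not guessed)."""
    parsed = split_realm(username)
    if parsed is None:
        return None
    dom = DOMAINS.get(parsed[1])
    return dom["dc"] if dom else None


def client_profile(username: str) -> Optional[dict]:
    """Settings pushed to the client after a successful auth: the domain's DNS
    server and the single segment the user may reach. None means refuse."""
    parsed = split_realm(username)
    if parsed is None or parsed[1] not in DOMAINS:
        return None
    canonical = f"{parsed[0]}@{parsed[1]}"
    if VPN_GROUP not in GROUP_MEMBERSHIP.get(canonical, set()):
        return None
    dom = DOMAINS[parsed[1]]
    return {"dns": dom["dc"], "network": dom["subnet"]}


def access_allowed(username: str, src_ip: str, dst_ip: str) -> bool:
    """First-match Access Rules for traffic sourced from the VPN Clients
    Network, in the order an administrator would list them:
      1. deny  VPN Clients -> VPN Clients   (no client-to-client traffic)
      2. allow VPN Clients -> the user's own domain segment, group members only
      3. deny  everything else
    Traffic not sourced from the pool is outside this rule set and is denied here."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in VPN_CLIENTS_NET:
        return False
    if dst in VPN_CLIENTS_NET:
        return False                                   # rule 1
    profile = client_profile(username)
    if profile and dst in ipaddress.ip_network(profile["network"]):
        return True                                    # rule 2
    return False                                       # rule 3


if __name__ == "__main__":
    for user in ("alice@laba.test", "LABB\\bob", "carol@labc.test", "mallory"):
        print(user, "->", radius_server_for(user), client_profile(user))
    print(access_allowed("alice@laba.test", "10.255.0.7", "10.1.0.50"))   # True
    print(access_allowed("alice@laba.test", "10.255.0.7", "10.2.0.50"))   # False
    print(access_allowed("alice@laba.test", "10.255.0.7", "10.255.0.9"))  # False
```

The shape of the policy is the point: every client gets an address from the same pool, the realm in the login name selects which domain's RADIUS server answers and which DNS server the client is told to use, and the Access Rules confine that user to one segment while refusing client-to-client traffic inside the pool. Broadcast traffic is not modelled, which matches Senad's caveat about it.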
RE: Multiple VPNs, single server - 11.Jun.2004 2:22:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Senad,
That is exactly what I had in mind. I have similar setups and think that the fine-tuned user/group based access control over network access (even per-host access) can make up for some of these issues.
Thanks! Tom
RE: Multiple VPNs, single server - 15.Jun.2004 4:47:00 PM
RandyM
Posts: 29
Joined: 14.Mar.2003
Senad, thanks for the reply. I use NAQ now, and the VPNs I'm talking about here are exclusive of my production network, which has its own ISA 2004 server. Security is of course always a concern, but these domains are in constant flux and some of them only last a couple of days at a time. The names change daily sometimes, and a lot of them are built with Virtual Server running on beefy boxes. Since the infrastructures are changing so often, the ability to *turn on* another unique VPN with a couple of clicks would be a godsend. Your suggestions are definitely valid and appreciated.
Running multiple virtual ISA 2004 servers, each with a unique public IP address, actually works amazingly well. I have dual-head NICs in each PCI slot, and each virtual machine has its own physical network on the inside while letting Virtual Server manage the multiple addresses on the shared public NIC.
RE: Multiple VPNs, single server - 15.Jun.2004 5:39:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Randy,
Nice setup! I've set up some VMs on dual-homed boxes for the firewall setup, and it works a treat. Even some interesting VPN/Exchange setups. I'll have to write it up someday.
Thanks! Tom