Welcome to ISAserver.org


Switching from VPN to T1 Private Line

Switching from VPN to T1 Private Line - 8.Sep.2008 1:06:44 AM   
BurnX

 

Posts: 3
Joined: 8.Sep.2008
New to ISA.  Inherited a network with a Site-2-Site VPN through the Inet already set up.  We are currently looking at replacing the VPN with a dedicated T1 line.  Current Setup is as follows:

Site A:
Inet
|
ISA 2004
|
Small Business Server 2003
|
Network 192.168.X.X

Site B:
Inet
|
ISA 2004
|
Server 2003 Domain Controller
|
Network 10.10.X.X

With our new configuration Site B would connect to Site A via a T1 connection.  Site B would access the Inet through Site A. I would like to keep the separate subnet at Site B. A router would handle the two subnets. 

Is it possible to Configure ISA at Site A to work in this configuration?

I am trying to create the scenario with Virtual Machines in VMware by linking 2 virtual networks with a Virtual Server 2003 machine using Routing & Remote Access to create a router.  For my Virtual Site A I added a static route for Site B in Routing & Remote Access & added the 10.10.10.1 to 10.10.10.255 to the existing entry for Internal Network in ISA.  I added the subnets & created a 2nd site in Sites & Services.  I added a server to Virtual Site B and was communicating with Virtual Site A.  The Server on Site B promoted to a domain controller fine without any errors.  Replication however does not appear to be routing properly.  Site B was able to create one of the Automatic NTDS entries for the local server, but no Automatic NTDS entries show up in Site A.  I am getting plenty of NTDS KCC errors relating to insufficient site connectivity.

So, my routing is sort of working.  I can ping by IP or computer name between networks.   Server in Site B can get on the Internet through ISA at Site A.  Directory Replication seems to not be able to find the path.
Post #: 1
RE: Switching from VPN to T1 Private Line - 8.Sep.2008 11:43:00 AM   
Rotorblade

 

Posts: 1002
Joined: 27.Feb.2007
quote:


Is it possible to Configure ISA at Site A to work in this configuration?


Yes but bandwidth might be a concern with users in site B. Site B’s ISA can be chained to send requests to ISA A. If you maintain Internet connectivity from both sites, each could use the other as a backup route.

quote:


So, my routing is sort of working.  I can ping by IP or computer name between networks.   Server in Site B can get on the Internet through ISA at Site A.  Directory Replication seems to not be able to find the path.


Here again, is bandwidth sufficient?  ISA in site A will need to be properly configured by defining the IP ranges for each network in the ISA’s Internal network properties and a static persistent route created for site B’s network on ISA A.  On the Windows server side, you need to make sure each DC is a GC and that you have established the sites, subnets and networks in Sites and Services and placed each DC in its own site. You don’t want users authenticating across a T1 because it’s going to be darn sloooooooooooow.

HTH

RB


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to BurnX)
Post #: 2
RE: Switching from VPN to T1 Private Line - 8.Sep.2008 12:56:44 PM   
Rotorblade

 

Posts: 1002
Joined: 27.Feb.2007
I should also mention DNS. AD replication issues can be a sign of an underlying DNS problem. Make sure you have DNS services at both sites and that ISA is properly configured to use an Internal DNS server that can resolve Internet queries.

RB

_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to Rotorblade)
Post #: 3
RE: Switching from VPN to T1 Private Line - 8.Sep.2008 3:58:25 PM   
BurnX

 

Posts: 3
Joined: 8.Sep.2008
Thanks for the info Rotor!

We are looking at 2 bonded T1s, so we would have 3mb of bandwidth between sites.  Site B will have its own domain controller, dhcp, dns, wins.  I plan to have Site B access inet through the connection with Site A.  The primary reason for the connection is to get Site B a more stable access to a Terminal server in Site A.  The current VPN traverses multiple ISPs, and has such unstable latency that even Terminal services is unmanageable at times.  I think the bonded T1s will be plenty of bandwidth for this application.  It's much better anyways than the current VPN, which is limited by a 384kb upload at Site A.

I found that the Intersite Messaging service for the domain controller in Site A was disabled.  Enabling that appears to have fixed the replication issues.  Everything appears to be working now.  Some other issues I've found:

  1. In order for some traffic between clients in Site A & B to route properly, I had to set the default gateway for Clients in Site A to the address of the Router handling the subnets.  That router's gateway then directs internet traffic back to the ISA gateway. My test server is not fully updated.  Does anyone know if this is fixed in an ISA service pack?
  2. I had to adjust the scope of the File & Print sharing exception in Windows Firewall on clients to include both subnets.

(in reply to Rotorblade)
Post #: 4
RE: Switching from VPN to T1 Private Line - 8.Sep.2008 4:50:29 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
It is no different than if you had a second subnet right in the same room with your existing subnet with a LAN Router between them.  No different at all.

The Routers on the bonded T1s will become the "LAN Routers" and will "centrally" make all the routing decisions for the LAN. The ISA just does its job as a Firewall only (it is not a LAN router).

1. Everything uses the LAN Router as the Default Gateway.

2. LAN Router uses the ISA as the Default Gateway

3. ISA has a Static Route that tells it to use the LAN Router as the "path" to the other opposite LAN Segment.

4. IP Ranges of all Segments (geography is irrelevant) get added to the Addresses Tab of the Internal Network Definition.

That's it...

The only different "twist" with a WAN link if you want everyone to use the same ISA, is that it involves two LAN Routers instead of one like I mentioned above.  So the farther router uses the nearer router as its Default Gateway,..then the nearer Router uses the ISA as the Default Gateway.

But I wouldn't do it that way. It will be slower than crap as Rotorblade said.  You already have an ISA at each Site,...let each site use their own internet independently of each other.  Then the routing is easier.  They just use their own Router as the Default Gateway which in turn uses their own ISA as the Default Gateway and everything is happy.  The two Routers will already "know" about each other and LAN Traffic across the WAN will work fine,..and since those Routers would already be the respective Default Gateways of their respective Sites, everything would be fine.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to BurnX)
Post #: 5
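
An added example, not written by any poster in this thread: an offline consistency check for steps 3 and 4 of the post above (the same static route and Internal network ranges Rotorblade describes in post 2). It compares the address ranges in the Internal network definition with the routes on ISA A's internal adapter and lists addresses that appear in one but not the other. The third octets, the /24 masks and the LAN router address 192.168.1.254 are constructed assumptions; the 10.10.10.1 to 10.10.10.255 range is the one entered in the first post.

```python
import ipaddress

# Constructed sample data: the thread gives only 192.168.X.X and 10.10.X.X, so the
# third octets, the /24 masks and the LAN router address 192.168.1.254 are assumptions.
INTERNAL_RANGES = [("192.168.1.0", "192.168.1.255"), ("10.10.10.1", "10.10.10.255")]
# Routes on ISA A's internal adapter as (destination, gateway).
INTERNAL_ROUTES = [("192.168.1.0/24", "on-link"), ("10.10.10.0/24", "192.168.1.254")]

def merge(intervals):
    """Sort and coalesce (first, last) integer intervals."""
    out = []
    for s, e in sorted(intervals):
        if out and s <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out

def subtract(a, b):
    """Return the parts of merged intervals a not covered by merged intervals b."""
    out = []
    for s, e in a:
        for bs, be in b:
            if be < s or bs > e:
                continue
            if bs > s:
                out.append((s, bs - 1))
            s = be + 1
            if s > e:
                break
        if s <= e:
            out.append((s, e))
    return out

def fmt(iv):
    return f"{ipaddress.IPv4Address(iv[0])}-{ipaddress.IPv4Address(iv[1])}"

def audit(ranges, routes):
    """List mismatches between the Internal network ranges and the internal routes."""
    defined = merge([(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))) for a, b in ranges])
    nets = [(ipaddress.ip_network(d), gw) for d, gw in routes]
    routed = merge([(int(n.network_address), int(n.broadcast_address)) for n, _ in nets])
    findings = [f"routed but not in Internal network: {fmt(g)}" for g in subtract(routed, defined)]
    findings += [f"in Internal network but not routed: {fmt(g)}" for g in subtract(defined, routed)]
    onlink = [n for n, gw in nets if gw == "on-link"]
    for n, gw in nets:
        if gw != "on-link" and not any(ipaddress.ip_address(gw) in c for c in onlink):
            findings.append(f"gateway {gw} for {n} is not on a connected subnet")
    return findings

if __name__ == "__main__":
    for line in audit(INTERNAL_RANGES, INTERNAL_ROUTES):
        print(line)
```

With the sample data the only finding is 10.10.10.0, which the assumed /24 route covers but the range starting at 10.10.10.1 leaves out.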
RE: Switching from VPN to T1 Private Line - 9.Sep.2008 12:41:29 PM   
BurnX

 

Posts: 3
Joined: 8.Sep.2008
Well Site B is in a remote location.  The fastest available Internet is 512/512 & costs over $200/mth vs. Site A which has a 1.5mb connection.  I think in this case it might actually be an upgrade and save us some money since we will have the T1s anyways.

(in reply to pwindell)
Post #: 6
