Two internal networks connecting to the Internet using one internal netcard on the ISA server 2004
Two internal networks connecting to the Internet using ... - 11.Nov.2005 2:04:54 PM
glukken
Posts: 20
Joined: 3.Nov.2005
Status: offline
Hi,

In our network we have both PCs and Apple Macintosh computers, which both access the Internet through an ISA Server 2004. Since I would like to use authenticated Web proxy connections for the PCs and non-authenticated Web proxy connections for the Macs, I thought I'd create two networks, one containing the Mac IP addresses using 'not require authentication' and one containing the PC IP addresses using 'require authentication' (Macs have static private addresses from 172.16.0.0 to 172.16.0.255, PCs have dynamic addresses from 172.16.1.0 to 172.16.255.255).

Before creating two networks, I had one Internal network using 172.16.0.0-172.16.255.255. No problems there, all computers could access the Internet. Now I've added a new network called Apple Macintosh; the PCs from the network called Internal can access the Internet, but the Apple Macintosh network gets Access Denied in the monitor, not even processing to the firewall rules.

My configuration is as follows:

ISA Server 2004 network/subnet: 172.16.0.0/255.255.0.0

Networks:
Apple Macintosh: 172.16.0.0-172.16.0.255
Internal: 172.16.1.0-172.16.255.255
External: predefined Internet network

Network rules:
Local Host Access: default
VPN Clients Access: default
Internet Access: source: [Internal, Apple Macintosh], destination: [External], relation: [NAT]

Network configuration:
Apple Macintosh: Enable Web Proxy clients, Enable HTTP on port 8080

Somehow ISA Server is blocking the traffic from the Apple Macintosh network, and I can't figure out why. Perhaps the fact that I 'subnet' the Apple Macintosh network as part of the entire internal network, but then I might have experienced problems with the PCs as well. I've already tried different network rules with routing between the two networks, but with no result. All policy rules seem to be in order.

Greetings, Gesture.
RE: Two internal networks connecting to the Internet us... - 11.Nov.2005 2:49:47 PM
glukken
Posts: 20
Joined: 3.Nov.2005
Status: offline
Follow-up: OK, I've read the f... manual. ISA Server disconnects networks that do not fall in the range of its own local IP address, which happens to be in the PC network, so the Apple Macintosh network is disconnected. Is there another way to do what I would like, creating a 'require authentication' and 'not require authentication' on the same subnet?

Greetings, Gesture
RE: Two internal networks connecting to the Internet us... - 11.Nov.2005 2:58:22 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
You can write rules that apply to specific ranges of IPs.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Two internal networks connecting to the Internet us... - 12.Nov.2005 3:32:25 PM
glukken
Posts: 20
Joined: 3.Nov.2005
Status: offline
Thanks, but that would only apply to specific computers that either do or do not need to authenticate. I would like to use exception groups and have rules that apply to certain users. In that case I need the (Web proxy) Windows PCs to authenticate themselves with the ISA server, and the (Web proxy) Macintosh computers not to authenticate. This way I can apply rules to Windows users/groups, and ignore/deny the Macintosh users. Since only networks can be configured to either have users explicitly authenticated or not, I need two networks, one containing the Windows PCs that need to authenticate, and one containing the Macintosh computers that do not need to authenticate (since I don't want Mac users to manually authenticate to browse the Internet). So do I need two network interfaces in the ISA server, or can I suffice with one and configure the server somehow?

Greetings, Gesture.
RE: Two internal networks connecting to the Internet us... - 18.Nov.2005 12:57:51 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Gesture, it's a bad idea to use the "Require all users to authenticate" Web Proxy setting on the Internal interface of your ISA 2004 server. It's much better to require authentication on a per-rule basis. For more info, check out http://www.isaserver.org/articles/ISA2004_AccessRules.html . HTH, Stefaan
RE: Two internal networks connecting to the Internet us... - 18.Nov.2005 3:43:27 PM
glukken
Posts: 20
Joined: 3.Nov.2005
Status: offline
Hi Stefaan, your suggestion would be appreciated, if not for the problem that occurs when a rule uses authentication and a connection cannot authenticate itself (SecureNAT, the Macintosh users): the rule will drop the connection (deny access), whether it's an allow or a deny rule. So when I use rule authentication on, let's say, deny HTTP content 'streaming media' and deny all users, but allow (exception group) a group of users, all non-Firewall Client users will lose connection to the Internet, because the access rule drops/denies all non-authenticated connections!! AFAIK, with ISA Server 2000, in this case all remaining rules would be checked and could still allow access. With ISA Server 2004, no more rules are checked and the connection is simply denied because the connection cannot authenticate itself against a rule that needs authentication! So my thought was to create two networks, one that needs authentication (or at least uses authentication when needed), and one network that does not need authentication...

Greetings, Gesture
RE: Two internal networks connecting to the Internet us... - 19.Nov.2005 11:09:05 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Gesture, you don't need to create two networks to accomplish that. Physically you have one internal network, so leave it that way. However, what you can do is create two other network objects, such as Address Ranges or Subnets. You can then use those as the source (from) in your rules instead of the Internal network object, to differentiate between the Macs and the PCs. HTH, Stefaan
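The two positions in this thread (Gesture's post above about an unauthenticated SecureNAT request being denied by a rule that needs credentials, and Stefaan's reply about scoping rules with Address Range objects instead of separate networks) can be checked with a small model of first-match rule evaluation. The following is an added example written for this page, not ISA Server code and not something either poster wrote. It encodes the behaviour the thread describes: a request that matches a rule restricted to specific users (or a rule with user exceptions) is challenged for credentials, and if the client cannot answer it is denied right there, with no fall-through to later rules. Address ranges are the ones from the first post; the rule names, user names and group names ("Domain Users", "StreamingAllowed") are constructed for the example.

```python
"""Model of ISA-2004-style first-match access rules with per-rule authentication.

Added illustration for the thread, not ISA Server code. Modelled behaviour:
  * rules are evaluated top to bottom, first match wins;
  * a rule scoped to specific users, or carrying user exceptions, needs an identity,
    so an unauthenticated (SecureNAT) request that reaches it is denied, not skipped;
  * sources are network objects: CIDR subnets or 'a.b.c.d-e.f.g.h' Address Ranges.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ALL_USERS = "All Users"   # a rule for All Users with no exceptions never challenges


def _parse_addrs(spec: str):
    """Return [(low, high)] integer bounds for a CIDR or an ISA-style address range."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return [(int(lo), int(hi))]
    net = ipaddress.ip_network(spec, strict=False)
    return [(int(net.network_address), int(net.broadcast_address))]


@dataclass(frozen=True)
class Request:
    src: str                        # client IP address
    content: str = "html"           # "streaming" stands for the 'Streaming media' content type
    user: Optional[str] = None      # None: SecureNAT client, cannot answer a 407 challenge
    groups: frozenset = frozenset()


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    sources: list                   # network objects the rule applies to
    users: list = field(default_factory=lambda: [ALL_USERS])
    except_groups: list = field(default_factory=list)
    content: Optional[str] = None   # None: any content type

    def requires_auth(self) -> bool:
        return self.users != [ALL_USERS] or bool(self.except_groups)

    def conditions_match(self, req: Request) -> bool:
        ip = int(ipaddress.ip_address(req.src))
        in_src = any(lo <= ip <= hi for s in self.sources for lo, hi in _parse_addrs(s))
        return in_src and (self.content is None or self.content == req.content)


def evaluate(policy, req: Request):
    """First-match evaluation. Returns (action, rule_name, reason)."""
    for rule in policy:
        if not rule.conditions_match(req):
            continue
        if not rule.requires_auth():
            return rule.action, rule.name, "matched anonymously"
        if req.user is None:
            # The rule needs an identity: the proxy challenges (HTTP 407). A client that
            # cannot answer is denied here; the remaining rules are never consulted.
            return "deny", rule.name, "unauthenticated request hit a rule that needs credentials"
        if req.groups & set(rule.except_groups):
            continue                # authenticated user is an exception to this rule
        if ALL_USERS in rule.users or req.groups & set(rule.users):
            return rule.action, rule.name, f"matched as {req.user}"
    return "deny", "<default rule>", "no rule matched"


# Network objects (addresses from the thread; Macs and PCs as Address Ranges, not networks).
INTERNAL = "172.16.0.0/16"
MACS = "172.16.0.0-172.16.0.255"
PCS = "172.16.1.0-172.16.255.255"

# What the original poster described: the deny rule applies to all users except one group,
# so it needs credentials, and a SecureNAT Mac that matches it is denied outright.
POLICY_AUTH_FIRST = [
    Rule("Deny streaming media", "deny", [INTERNAL], except_groups=["StreamingAllowed"], content="streaming"),
    Rule("Allow web", "allow", [INTERNAL]),
]

# Stefaan's suggestion: an anonymous allow rule whose source is the Macs Address Range,
# ordered ahead of every rule that needs credentials; PCs still authenticate.
POLICY_RANGE_FIRST = [
    Rule("Allow web for Macs", "allow", [MACS]),
    Rule("Deny streaming media", "deny", [PCS], except_groups=["StreamingAllowed"], content="streaming"),
    Rule("Allow web for domain users", "allow", [PCS], users=["Domain Users"]),
]

# Same idea with the Macs rule placed after a credential-requiring rule that still covers
# the whole Internal range: rule order decides, and the Mac is denied again.
POLICY_RANGE_LAST = [POLICY_AUTH_FIRST[0], POLICY_RANGE_FIRST[0], POLICY_RANGE_FIRST[2]]

# Constructed sample requests.
mac_streaming = Request("172.16.0.10", content="streaming")
mac_web = Request("172.16.0.10")
pc_anon = Request("172.16.5.20", content="streaming")
pc_user = Request("172.16.5.20", content="streaming", user="alice", groups=frozenset({"Domain Users"}))
pc_exempt = Request("172.16.5.20", content="streaming", user="bob",
                    groups=frozenset({"Domain Users", "StreamingAllowed"}))

if __name__ == "__main__":
    for label, policy in (("auth first", POLICY_AUTH_FIRST), ("range first", POLICY_RANGE_FIRST),
                          ("range last", POLICY_RANGE_LAST)):
        for name, req in (("mac streaming", mac_streaming), ("mac web", mac_web),
                          ("pc anon", pc_anon), ("pc alice", pc_user), ("pc bob", pc_exempt)):
            print(f"{label:12} {name:14} -> {evaluate(policy, req)}")
```

Run it and compare the "mac streaming" line across the three policies: under the first policy the Mac is denied by the streaming rule because it cannot answer the challenge, under the second it is allowed by the range-scoped rule before any credential-requiring rule is reached, and under the third it is denied again purely because of ordering. The PC cases show that per-rule authentication still works for the PCs in the same policy: an unauthenticated PC is denied, alice is denied streaming, and bob, who is in the exception group, falls through to the authenticated allow rule.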
RE: Two internal networks connecting to the Internet us... - 19.Nov.2005 3:09:31 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
...which basically says the same with more words. Quote: "You can write rules that apply to specific ranges of IPs."
RE: Two internal networks connecting to the Internet us... - 19.Nov.2005 3:51:23 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
It's just that often people have a pre-conceived notion of what the answer should be and when it does not fit their line of thinking, dismiss it. You see this often when they design a complex rule set based on flawed expectations and then are in denial and not ready to accept that they need a different approach. Did you understand G's dismissal of my suggestion? I certainly could not follow it. :(
RE: Two internal networks connecting to the Internet us... - 19.Nov.2005 5:13:59 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Les, I read it again and again ... and I'm still confused about what he is trying to tell us. I assume he wants to use the "Require all users to authenticate" Web Proxy setting on the ISA interfaces. This is indeed a property of the network. However, that setting must *not* be enabled to use authentication on a per-rule basis. Maybe he is confused by that! HTH, Stefaan
RE: Two internal networks connecting to the Internet us... - 19.Nov.2005 5:48:20 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
If you're right about the "Require all users to authenticate" Web Proxy setting on the ISA interface, then IMHO that is the lazy way of getting out of rule-based authentication. You do reap what you sow by self-imposing limitations. If he insists on that approach, he could VLAN his network, put all the Macs in a separate VLAN and use 802.1Q tagging to create two separate logical internal NICs in ISA. Depending on his network hardware, that could (would?) prove to be more work than re-thinking the rule-based authentication.
RE: Two internal networks connecting to the Internet us... - 19.Nov.2005 6:09:09 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Perhaps he does not understand the importance of rule order with rule-based authentication.
RE: Two internal networks connecting to the Internet us... - 21.Nov.2005 9:03:03 AM
glukken
Posts: 20
Joined: 3.Nov.2005
Status: offline
Hi Stefaan and LLigetfa, wow, this seems to be getting out of hand... Anyway, sorry for the hassle, you were right, I did not interpret your suggestions correctly. The IP range did indeed solve my problem, but I misunderstood your reply, and because of that I tried to suggest that I needed two networks as listeners, whereas what you were suggesting was to use an IP range as the listener. Therefore it would have been clearer to me if you'd said 'replace the Internal network as the listener by an IP range' instead of just 'quote: You can write rules that apply to specific ranges of IPs'; then I would have understood it immediately. Thanks for the replies.

Greetings, Gesture.

"It's not the art of telling, it's the art of explanation"