VPN IP Addresses

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> VPN IP Addresses Page: [1]
VPN IP Addresses - 3.Feb.2009 12:46:06 PM   
ijchase

 

Posts: 43
Joined: 6.Nov.2002
Status: offline
We currently are issuing IP addresses to VPN users via a static pool of addresses in the same subnet that the internal interface sits on. The ISA is a 2004 Enterprise Array with 2 servers ISA Load balanced. We have just run out of available addresses and need to add others.

If we added new subnets to the static address pools, would we need to inject that range at the site router to point to the load-balanced address (to replicate out to all other routers), or should we route to the actual address of the server?

This is so anyone on the new address pool can access the network... otherwise the rest of the network will not know how to route back to the VPN servers.
The company's gateway of last resort is a blackhole and not to the ISA Array servers.
If there are other ways of doing this then please enlighten me...

Thanks
Ian
Post #: 1
RE: VPN IP Addresses - 3.Feb.2009 2:28:46 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Hi Ian,

I'm assuming you are using a third-party device to provide VPN services, correct?  With regard to routing, if you add another subnet, you'll need to include that network range in the Internal network definition on the ISA firewall.  You will also need static routes on the Internal interface of your ISA firewalls as well.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to ijchase)
Post #: 2
RE: VPN IP Addresses - 3.Feb.2009 3:22:02 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

If we added new subnets to the static address pools, would we need to inject that range at the site router to point to the load-balanced address (to replicate out to all other routers), or should we route to the actual address of the server?


The LAN Router would use the Array IP# as its Default Gateway.

Then each ISA machine would need a static route on it to tell it to use the LAN Router as the path to all the LAN subnets.

Yes, all the IP Ranges need to be added to the Addresses Tab on the Internal Network Definition.

quote:

This is so anyone on the new address pool can access the network... otherwise the rest of the network will not know how to route back to the VPN servers.


What "VPN Server"??? Don't leave information like that just "hanging" to be assumed.  If the VPN Servers are also the ISA Servers then that doesn't change what I said above.

quote:

The company's gateway of last resort is a blackhole and not to the ISA Array servers. If there are other ways of doing this then please enlighten me...


Stop "black holing" your routing.  Don't "cripple" the routing scheme like that.  Point the routing path to the ISAs as it should be.  The ISA's Access Rules (or lack thereof) will determine what correctly happens to the traffic.

_____________________________

Phillip Windell

(in reply to ijchase)
Post #: 3
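The routing scheme Phillip describes (pools inside the Internal network definition, the LAN router sending the VPN ranges to the array's internal VIP, and each array member holding a static route per LAN subnet via the LAN router) can be sanity-checked before the network team is asked to change anything. The script below is an added example and is not code from the thread or from ISA Server; the addresses, the array VIP, the LAN router and the pool assignments are constructed sample values, and the "one address per member consumed by the server's own RAS interface" accounting is an assumption about RRAS static pools.

```python
"""Sanity-check a VPN static-pool and routing plan for a load-balanced ISA array.

Added example, not from the thread. It models the scheme discussed there:
  - every VPN pool must sit inside the ISA Internal network definition,
  - pools must not overlap each other or any LAN subnet,
  - the LAN router needs one (summarised) route per pool toward the array VIP,
  - each array member needs a static route per LAN subnet via the LAN router.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values (RFC 1918 space); not the poster's real addressing.
ARRAY_VIP = "10.0.0.1"            # internal VIP of the NLB array (assumption)
LAN_ROUTER = "10.0.0.254"         # nearest LAN router to the array (assumption)
INTERNAL_NETWORK = ["10.0.0.0/8"]  # ISA Internal network definition (assumption)
LAN_SUBNETS = ["10.0.0.0/22", "10.10.0.0/16"]
VPN_POOLS: Dict[str, List[str]] = {   # static pool ranges per array member
    "isa1": ["10.200.0.0/24", "10.200.1.0/24"],
    "isa2": ["10.200.2.0/24", "10.200.3.0/24"],
}


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects a CIDR whose host bits are set (a typo in a plan)
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def pool_problems(pools: Dict[str, List[str]], lan_subnets: List[str],
                  internal: List[str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems: List[str] = []
    internal_nets = _nets(internal)
    lan_nets = _nets(lan_subnets)
    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for member, cidrs in pools.items():
        for net in _nets(cidrs):
            if not any(net.subnet_of(i) for i in internal_nets):
                problems.append(f"{member}: pool {net} is not inside the Internal network definition")
            for lan in lan_nets:
                if net.overlaps(lan):
                    problems.append(f"{member}: pool {net} overlaps LAN subnet {lan}")
            for other_member, other in seen:
                if net.overlaps(other):
                    problems.append(f"{member}: pool {net} overlaps {other_member} pool {other}")
            seen.append((member, net))
    return problems


def lan_router_routes(pools: Dict[str, List[str]], vip: str) -> List[str]:
    """Routes the LAN router needs toward the array VIP, summarised where adjacent."""
    all_nets = [n for cidrs in pools.values() for n in _nets(cidrs)]
    return [f"{n} via {vip}" for n in ipaddress.collapse_addresses(all_nets)]


def isa_member_routes(lan_subnets: List[str], router: str) -> List[str]:
    """Static routes every array member needs for the LAN subnets behind the LAN router."""
    return [f"{n} via {router}" for n in _nets(lan_subnets)]


def pool_addresses(pools: Dict[str, List[str]]) -> Dict[str, int]:
    """Addresses available to clients per member.

    Assumption: the member's own RAS interface takes one address from its pool,
    so a member with four /24 pools offers 1024 - 1 = 1023 client addresses.
    """
    return {m: sum(n.num_addresses for n in _nets(cidrs)) - 1 for m, cidrs in pools.items()}


if __name__ == "__main__":
    for p in pool_problems(VPN_POOLS, LAN_SUBNETS, INTERNAL_NETWORK) or ["plan is clean"]:
        print(p)
    print("LAN router routes:", lan_router_routes(VPN_POOLS, ARRAY_VIP))
    print("ISA member routes:", isa_member_routes(LAN_SUBNETS, LAN_ROUTER))
    print("client addresses per member:", pool_addresses(VPN_POOLS))
```

Pointing the LAN router's routes at the VIP rather than at an individual member, as the thread settles on, is what `lan_router_routes` produces; if the pools are laid out contiguously the router ends up with a single summary route instead of one per /24, which keeps the change the network department has to replicate small.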
RE: VPN IP Addresses - 3.Feb.2009 8:21:09 PM   
ijchase

 

Posts: 43
Joined: 6.Nov.2002
Status: offline
The ISA Array members are the VPN servers... just that we have used up all 1,000 available addresses for the VPN clients (the servers and clients are on a 255.255.252.0 subnet mask). These servers are configured for VPN services only. We have 2 other ISA arrays for outbound access at different company sites for DR purposes (I have just got the go-ahead to put in another VPN array on another company site for DR).

The VPN server currently has all our internal IPs defined and access is OK.. just that we need to add on approx another 1,000 IPs, but I was unsure if I should ask the network department to put routing in the network for the additional IP addresses for clients to route to the ISA array address or to each ISA's actual address.

As for the blackholing... it wouldn't work in our case as where would you put it? The VPN array.. one of the ISA Outbound arrays, or one of approx 30 Checkpoint firewalls going out to customer networks...

(in reply to pwindell)
Post #: 4
RE: VPN IP Addresses - 4.Feb.2009 9:50:43 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

The ISA Array members are the VPN servers... just that we have used up all 1,000 available addresses for the VPN clients (the servers and clients are on a 255.255.252.0 subnet mask). These servers are configured for VPN services only. We have 2 other ISA arrays for outbound access at different company sites for DR purposes (I have just got the go-ahead to put in another VPN array on another company site for DR).


Ok, I see why you are doing what you are doing, ...I think.
Well, IP segments should be allowed to grow over 250-300 hosts (like a /24 mask gives a size of 254).  But since these are VPNs maybe there aren't the broadcasts involved that normally hinder a regular IP segment.

quote:

The VPN server currently has all our internal IPs defined and access is OK.. just that we need to add on approx another 1,000 IPs, but I was unsure if I should ask the network department to put routing in the network for the additional IP addresses for clients to route to the ISA array address or to each ISA's actual address.


I don't think you should make the subnet bigger. It is already too big (IMO).  Sorry, I don't know what to tell you. I have never heard of anyone having that many VPN clients,...so I don't know what to suggest.  Possibly another subnet with another ISA or ISA Array?,...I don't know.  I think you are going to run into the issue that Remote Access VPN is not designed to scale to the level that you use it,...at least I don't think it was designed to.  Why do you have so many in the first place?

quote:

As for the blackholing... it wouldn't work in our case as where would you put it? The VPN array.. one of the ISA Outbound arrays, or one of approx 30 Checkpoint firewalls going out to customer networks...


Surely a LAN of your size has a LAN Router on the LAN, if not more than one.  All the Hosts should be using the nearest LAN Router to them as their Default Gateway.  The LAN Router then would use the proper Internet Device (ISA, other firewall, whatever) as its default gateway,...and it would be the routing "decision maker" for all its Hosts, and the Internet Device would use ACLs to control what actually "gets out" of the LAN.  If there are multiple LAN Routers then you will have to work the scheme out among those routers with either Static Routes or Dynamic Routing protocols.

_____________________________

Phillip Windell

(in reply to ijchase)
Post #: 5
RE: VPN IP Addresses - 11.Aug.2009 8:11:34 PM   
ijchase

 

Posts: 43
Joined: 6.Nov.2002
Status: offline
We have finally expanded the availability of the ISAs... we ended up putting in 2 extra servers to make the array 4 servers; each server in the array has 4 subnets on it to make 1023 available addresses on each server (nearly 4100 available connections)... currently on a normal day we have 1000 concurrent users... until last week that was the limit of available connections, though the number of users will probably rise seeing that there are more connections available.

Quarantine control has been enabled on the new servers and the quarantine VBS script it runs has been compiled into an exe file so the users cannot modify it, RSA authentication has been configured for the users, and finally both L2TP and PPTP are configured.
The network department put routing across the network to route the VPN client subnets to the internal VIP on the ISA array.

Everything is working fine.

< Message edited by ijchase -- 11.Aug.2009 8:18:28 PM >

(in reply to pwindell)
Post #: 6
