Which network template?
Which network template? - 13.Jan.2005 6:25:00 PM
Guest
Hi there,
I'm new to ISA Server 2004, and I have a problem with the setup of my organization. First, let me put things in perspective (a diagram of the physical network can be found on http://www.carnero.ca/NETPHYS.gif, BTW.)
There is one machine, G, which is the gateway for the organization. It provides NAT to share the internet connection for the 192.168.250.0/24 network. Of course, this machine has two Fast Ethernet interfaces, one with a public routable IP address and the other configured as 192.168.250.1.
There are several machines with the roles of routers that have ISA Server 2004 connected into this network as well (R1 and R2 in the diagram.) They also have two Fast Ethernet interfaces: one into the above network (192.168.250.0/24) and the other into their respective client networks. For instance, R1 is connected to 192.168.250.20 on one side and 10.20.0.0/16 on the other. It provides access to the workstations on that network. Note that there's no NAT there as they use the web proxy.
Now what I want to do is this: I'd like to tell ISA Server in each router (Rx) that traffic going to 192.168.250.0/24 and 10.0.0.0/8 is absolutely trusted, for both incoming and outgoing connections. User-based Internet access is something else (and it works, BTW.)
What's the proper network template to use here? How do I open the firewall to my trusted networks?
Thanks, Carlos.
RE: Which network template? - 14.Jan.2005 12:36:00 AM
test541
Posts: 17
Joined: 9.Jan.2005
Status: offline
Hi. Use Networks/Network rules, create networks and set relation to route (no NAT). Then create Firewall policy to allow desired traffic.
RE: Which network template? - 14.Jan.2005 10:39:00 PM
Guest
I did that. However, I'm still seeing in the logs packets blocked by ISA Server coming in from those trusted networks.
RE: Which network template? - 18.Jan.2005 1:37:00 AM
leonhughes
Posts: 149
Joined: 19.Mar.2001
From: UK
Status: offline
Interesting setup... Why are you using 2 ISA servers and why are you using ICS??? You could have achieved the same result much more securely and controllably using one ISA 2004 server and 3 NICs...
To respond to your query regarding access, the best way to find out why traffic is getting blocked is to review the logs (monitoring tab then start query will show you 'live' activity).
Usually the logs will tell you why a packet is being blocked. If it doesn't, it usually means you either have no routing rule or the rule that is blocking the request has its logging checkbox unchecked.
I generally find the network templates are a waste of time. You're better off using the default 'edge' template and doing the rest of the configuration manually as the templates make some strange assumptions about the networks you are trying to configure.
Leon. [ January 18, 2005, 01:39 AM: Message edited by: leonhughes ]
RE: Which network template? - 18.Jan.2005 3:23:00 PM
Jason Jones
Posts: 2265
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Good advice from leon...
You can also edit the default log filter and change the action to "equals denied connection"; this will only show you denied items and will be a lot easier to read.
JJ
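Leon's and Jason's advice above comes down to the same triage step: filter the firewall log down to denied connections and read off which rule denied them and from where. As an added example (not code from this thread or from ISA Server), the Python script below parses a W3C-style log export by its `#Fields:` header, keeps only "Denied Connection" records whose source address lies in the two trusted networks named in the question (192.168.250.0/24 and 10.0.0.0/8), and tallies them by rule, protocol and destination port. The column names the script relies on (client-ip, destination-ip, destination-port, protocol, action, rule) and the log lines themselves are constructed for the example; an actual export has more columns and the header-driven parser copes with that as long as the columns it uses exist under the assumed names.

```python
"""Triage ISA-style firewall logs: denied connections from trusted networks.

Added example, not part of the forum thread or of ISA Server. Assumes a
W3C-style export whose '#Fields:' header names the columns; the field
names used here are assumptions, and SAMPLE_LOG is constructed data.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# The two networks the original poster wants to treat as trusted.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.250.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample export. Column names and values are invented for the
# example; the '#Fields:' line is what the parser keys on, not positions.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Fields: date time client-ip destination-ip destination-port protocol action rule
2005-01-14\t22:30:01\t10.20.0.15\t192.168.250.1\t80\tHTTP\tAllowed Connection\tAllow Internet
2005-01-14\t22:30:05\t10.20.0.15\t192.168.250.40\t445\tCIFS\tDenied Connection\tDefault rule
2005-01-14\t22:30:09\t203.0.113.7\t192.168.250.20\t1433\tSQL\tDenied Connection\tDefault rule
2005-01-14\t22:30:12\t192.168.250.40\t10.20.0.15\t3389\tRDP\tDenied Connection\tDefault rule
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C-style lines into dicts keyed by the most recent #Fields: header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if not fields:
            raise ValueError("data record seen before any #Fields: header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of TRUSTED_NETWORKS; unparsable values are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def denied_from_trusted(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only denied connections whose source is in a trusted network."""
    return [
        r for r in records
        if r.get("action") == "Denied Connection" and is_trusted(r.get("client-ip", ""))
    ]


def summarize(records: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], int]:
    """Count records per (rule, protocol, destination-port) so the denying rule stands out."""
    counts: Counter = Counter(
        (r.get("rule", "?"), r.get("protocol", "?"), r.get("destination-port", "?"))
        for r in records
    )
    return dict(counts)


if __name__ == "__main__":
    hits = denied_from_trusted(parse_w3c(SAMPLE_LOG.splitlines()))
    for r in hits:
        print(f"{r['date']} {r['time']} {r['client-ip']} -> {r['destination-ip']}:"
              f"{r['destination-port']} {r['protocol']} denied by '{r['rule']}'")
    for (rule, proto, port), n in summarize(hits).items():
        print(f"{n:3d}  rule={rule!r} protocol={proto} port={port}")
```

Run against a real export, the summary tells you which rule (often the default deny) is dropping traffic between the subnets and on which protocols, which is exactly the list of protocol definitions or access rules still missing; the example deliberately filters on the source address so that denials from the Internet side do not drown out the ones the poster cares about.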
RE: Which network template? - 24.Jan.2005 9:21:00 PM
Guest
Hi,
Leon, in the diagram, when you read "Internet connection sharing" it's not Microsoft's ICS but an OpenBSD machine which does NAT for 192.168.250.0/24. That means, "G" does not run Windows.
In an effort to simplify, I omitted several networks that look exactly like the ones managed by "R1" and "R2" (thus, the whole thing is actually several Rs: we currently have 7 of these semi-autonomous networks.) Each of those routers IS running ISA.
I have one rule that allows all outbound traffic from/to "Internal", "Local Host" and two network definitions (using route as the relation). However, I think that incoming connections from those trusted networks are not being freely allowed.
The funny thing is that in the logs I'm seeing them being blocked, but I don't know where to go to allow them!
Thanks, Carlos.
RE: Which network template? - 25.Jan.2005 7:40:00 PM
leonhughes
Posts: 149
Joined: 19.Mar.2001
From: UK
Status: offline
Hi Carlos,
I'm not entirely sure what you mean. Where do you need security on your network? Are you just trying to protect the entire internal network from the internet or do you need security between the subnets? If you don't need security between the subnets, you'd be much better off using routers to perform routing operations than ISA servers as they are more efficient at routing packets. Then just have one ISA server at the network edge.
If you need the security between the subnets, you could accomplish the task with just one ISA server and multiple NICs. In terms of why the stuff is getting blocked at the moment, have you checked your routing tables? Are all of the networks behind 'internal' in the routing tables on the respective ISA servers and are they bound to the internal interface networks?
If the ISA machines are purely being used as routers and buying proper router hardware isn't an option, there is little point in having ISA server installed on these machines. For a start, allowing networks to be 'absolutely trusted' as you put it is not that straightforward as it depends on the clients you have. If your clients aren't running the ISA firewall client (i.e. they are secure NAT clients), either an application filter or protocol definition has to exist for each protocol you want to allow through - so there is no rule that will allow everything.
You only need the routing and remote access console to use a Windows machine as a router. You might also want to install a routing protocol such as OSPF so that you don't have to manually look after the routing tables.
Leon.
RE: Which network template? - 26.Jan.2005 3:49:00 PM
Guest
Hello Leon,
I know that you're confused. I was. I know that if I just want routing among the subnets I only need the Routing and Remote Access enabled (I've done it before.) At this moment, we don't need ISA at the very edge since there's an OpenBSD box there.
I just refactored my original question, so I think now it will be more palatable. My problem is that I can't easily have a setup where I only need the web proxy. I mean, I want to give/remove/control access to the Internet through ISA, but use plain old routing for the other subnetworks.
I'm now thinking that ISA server might be inappropriate/overengineering for this to happen and I just need to find other simpler proxy servers.
Thanks a lot, Carlos.
RE: Which network template? - 8.Feb.2005 2:06:00 AM
leonhughes
Posts: 149
Joined: 19.Mar.2001
From: UK
Status: offline
Hi Carlos,
The OpenBSD box couldn't ever hope to give the same level of protection as an ISA server would. I'd replace the OpenBSD box with ISA if you're only to have one firewall. From a caching point of view, you could just install the ISA server with one NIC and only allow the ISA's IP through the edge firewall. You would still have to set up an access rule, but this configuration would not block anything to the rest of the network as ISA would have no control over it.
Leon.