problem with downlink

problem with downlink (Full Version)

All Forums >> [ISA Server 2000 General] >> Installation

Message

Guest -> problem with downlink (1.Apr.2004 10:42:00 AM)
i have downlink thru dvb card via dish(satelite) and uplink thru phone line and i am trying to install isa but its not work i dont know how to setup isa server thru downlink

sniper -> RE: problem with downlink (8.Apr.2004 7:11:00 PM)
robin, that will not be possible since the outbound request does not go through ISA all packest coming back will be droped . All firewalls will exhibit this behavior.

mohsindabomb -> RE: problem with downlink (9.Apr.2004 8:43:00 PM)
Chris and Robin, Yes, this IS possible to use ISA with dvb-ip downlink. And yes, the outbound requests go through the ISA firewall. Of course they do, like any other normal request. But dvb-ip doesn't seem to work with ISA in your case Robin, cause ISA expects to receive the responses to these request on the interface from which the requests leave the ISA server. In technical lingo, the response ports are opened on that interface. So when the data arrives at the dvb-ip interface, ISA wont let it in. One simple solution to this is to include the autoconfiguration ip address of the dvb-ip interface in the LAT. That 169.254.x.x address! Just put it in the LAT to make it work with dvb-ip. Rest of the configuration is same. But I AM concerned about what security issues thi s might raise. Dr. Tom and Stefaan, could you please say something about the security issues with this configuration. I'd be really interested in a discussion about this. Thanks. And i hope what you just read helps you robin. Any problems? Let me know. I'm happy to help. RedBull, Digital Dominance. http://www.digitaldominance.net

sniper -> RE: problem with downlink (11.Apr.2004 4:43:00 AM)
Redbull Thats why I said it would not work the purpose of an ISA server is security and hacking and slashing and adding 169.254 into the LAT is just crazy. Why use ISA at all in this case if you have to modify ISA in such a way to make it unsecure or weaker than normal

mohsindabomb -> RE: problem with downlink (11.Apr.2004 10:07:00 AM)
Haha. Thanks for the response Chris. I enjoyed reading it. Yes, I agree with you it is crazy to include an untrusted interface in the LAT. Not a situation I'd allow on my network under any condition. But there is a way out. You can have a back-to-back ISA configuration with one ISA box receiving data from the dvb-ip interface and installed in a separate domain and another ISA box chained to the directly exposed ISA and installed in a separate domain. This could provide some security. But still, I'd hate to include that 169.254 thingie in the LAT, which is why I said I would welcome a discussion on this so we could probably discuss and agree on a configuration that works and provides security too. Everybody, any ideas?? Do write back, this is something I'd love to discuss. -------------------- Thanks, RedBull, Digital Dominance Pakistan. http://www.digitaldominance.net

mohsindabomb -> RE: problem with downlink (11.Apr.2004 11:44:00 AM)
I was just wondering... All that data that is received on the dvb-ip interface by ISA has the ip address of the satellite company (the ip bound to dvb-ip's mac address at the satellite company's end) in the tcp/ip destination address headers and NOT the 169.254.x.x address. Still ISA lets all that traffic in, even though the primary connection is originated from outside, from the Internet (this is different from the data coming in in response to requests sent out). So actually ISA is letting connections come in that are connecting to an IP that is NOT on the lat. (the actual public ip bound to the dvb-ip mac is still OFF the lat.) This is a rather strange issue. We're seeing here that ISA doesn't actually dissect the tcp/ip headers and let information come in after comparing destination address and the LAT, it stupidly lets in whatever information is coming through an NIC that appears to be on the lat. The confusion starts from the fact that ISA doesn't know actually what IP is bound to the dvb-ip's mac. That's done at the satellite company's end. It simply thinks the ip for that interface is 169.254.x.x. But still it lets data come in from that interface that is NOT destined for 169.254.x.x. Haha. Pretty funny situation, inney? Any comments anybody, please do write.

amjad220 -> RE: problem with downlink (19.Apr.2004 10:28:00 PM)
Hello Please do you give the complete configuration for DVB link through ISA. Thanks

mohsindabomb -> RE: problem with downlink (24.Apr.2004 1:12:00 PM)
Hi Amjad, There are no special configuration options in ISA for DVB. You may want to contact your service provider if you're asking for dvb-ip card's configuration parameters.

mohsindabomb -> RE: problem with downlink (24.Apr.2004 1:22:00 PM)
Hi Amjad, In reply to your private message: I cannot tell you the configuration for your dvb-ip card since I don't have that information. Your service provider will be able to provide you with configuration parameters for your dvb-ip interface. Are you having problems with dvb-ip or ISA? Does it work fine without ISA? Are you trying to support internet access on the ISA box or the internal hosts? How are your clients configured? Need a bit more information to tell you anything useful.

mohsindabomb -> RE: problem with downlink (24.Apr.2004 1:37:00 PM)
Hi Amjad, You have my attention already. Please do me one courtesy of replying here on the board instead of private messaging me since you have chosen not to accept private messages which makes me switch between PM and the board to write to you. When using DVB-IP, you have three types of configuration: -1- Having the ip of your service provider on your uplink interface (If this is your configuration you don't need to do anything in ISA to make all downloads land on the dvb-ip interface. Everything comes through the dvb-ip interface automatically). -2- Connecting through VPN. (Same as above. You need not do anything) -3- Proxy based. (If this is your configuration, you have to create a new routing rule and configure it to route requests to your service provider's upstream proxy server). I hope this helps. And please reply on the board this time.

amjad220 -> RE: problem with downlink (11.May2004 9:55:00 PM)
I tried every possible solution to resolve the problem but all in vain. Thanks every one for giving me help. ...

epsilon -> RE: problem with downlink (13.May2004 1:14:00 AM)
following redbull replies,i just have the following remarks: 1)The dvb-ip can be assigned a private IP from the remote isp..via a dhcp server (since it compare it with MAC it should do a reservation via dhcp)...so what if we assigned the dvb-ip a static ip 10.x.x.x? ISA just need here to do routing from that ip to the NIC connected to internal network...so we dont have to include that 169.x.x in LAT...routing IP enabled would be enuff...since the returned back packets reach their dvb destinations without IsA intervention (unless playing with outcoming ip listener on dvb ip)...but in case of penta it could sometimes be unreachable by the extern company..so you'd feel like you are working on modem...the upstream proxy is used to send modem's packets to the remote ISP but that didnt mean it would expect the returned ip to the same source...theorically all extern nic are reachable (i guess privilege is given to nic not in LaT)..so dvb would be the 1st nic receiving packets...in case of the current problem: i guess it's related to DNS resolving...and the way it forward demands..so before going so far would you pls try to access the web by just typing IPs?? if u succeed..try clearing your dns cache ...

s_sulaimany -> RE: problem with downlink (15.May2004 7:46:00 AM)
Hi Everyone Could you tell me about a good resource related to this discussions?

mohsindabomb -> RE: problem with downlink (15.May2004 9:33:00 AM)
Hi Epsilon, Thanks for writing. I've been working with many Rx providers including SingTel, PCM, Falconstream, Teleglobe and a few others. I've used Penta, broadlogic, c2b2 as well as a few other dvb cards but so far I've never seen the dhcp configuration you told me about. You ALWAYS have to provide the mac of your dvb-ip card to the Rx provider so the mac can be bound to the ip at their end. In this scenario the Rx provider is acting as the switching station that maps IPs to macs and the communication is based on mac addresses once the switching station resolves the ip to the mac. And yeah, I was wrong about calling ISA stupid at letting in all information from an interface on the LAT. That's the default behavior. I don't know what I was thinking when I wrote that. And by the way, I don't really understand how you could assign a 10.x.x.x and get by with it. All traffic coming in from an interface NOT on the LAT, will be subject ISA's firewall policies. And that traffic wouldn't be allowed in. For inbound access from untrusted interfaces you create packet filters or publishing rules. None of which would be helpful here. And the problem here isn't DNS. I've tested it a lot many times. You have to convince ISA to allow incoming traffic from an untrusted interface which is really an absurd idea. ISA 2004 allows access polices on all interfaces so I suggest you try using that so you can keep your network secure while maintaining service usability. Glad to hear your thoughts by the way. Finally somebody welcomed my idea of a discussion.

rogozinskiy -> RE: problem with downlink (16.Jul.2004 9:37:00 AM)
quote: Originally posted by cgregory: robin, that will not be possible since the outbound request does not go through ISA all packest coming back will be droped . All firewalls will exhibit this behavior. It's possible - http://support.microsoft.com/?id=284811

y_mmohd -> RE: problem with downlink (21.Aug.2004 9:47:00 AM)
Hi To all, I have an internet connection with 3 network cards. One upload lies line, one download penta card, and the third one for local connection. I'm using isa as a firewall. Is there another solution than putting the external ips in the LAT? I hope to send me to my email. my emial is: y_mmohd@yahoo.com Wating your reply. Thanks

pooyeshco -> RE: problem with downlink (12.Aug.2007 5:46:03 AM)
i have downlink thru dvb card via dish(satelite) and uplink/downlink thru phone line and i am trying to install isa in such way that we could send via phone line and recieve both from phone line and the dvb card. Would you please help me doing so? (ISA 2000)

Page: [1]