GREAT set of articles Tom! How much difference in the procedure would one see if only one of the two locations had a back-to-back ISA combo and the other location(s) had a single ISA? Thanks in advance.
Good question. This is becoming a very popular topic, and it's a scenario I haven't worked out yet. It's easy when both sides are back to back, but when only one side is back to back, you have to figure out a way to tunnel within a tunnel.
I'm thinking it might be easier to create a VPN client link first, and then create the gateway to gateway link after the VPN client link is established. The VPN client link would be like the modem link that is used to establish the PPP connection to the ISP, except that in this situation the VPN client link is to the remote external ISA Server, and the gateway to gateway link is then established inside that connection.
I'll see if I have time to work out the details next week.
quote: Originally posted by mpbrown: GREAT set of articles Tom! How much difference in the procedure would one see if only one of the two locations had a back-to-back ISA combo and the other location(s) had a single ISA? Thanks in advance.
I have this problem now: one DMZ at the main office and a single ISA server at a small office, and it's not as simple as DMZ to DMZ. But it has been working now for two days in a "test lab". What I did was:
Very good! However, you don't want the remote network to be able to access the DMZ at the local office, so I would remove the static route on the remote gateway that points to the DMZ. Then I would make the demand-dial interface that allows access to the DMZ a "permanent" connection.
Thanks for the response, but I think I am missing the point. The first gateway to the DMZ has no file and printer service enabled, there is no name server in the DMZ, and the two connections are permanent. If you're working at the remote office and browsing the network, the only thing you see is the internal network of the main office, because there are two DCs at the main office and one DC at the remote office (one domain), so why do I need to remove the static route? And if a user finds a server in the DMZ, they have no rights to enter that server (there is no file sharing or Client for Microsoft Networks enabled in the DMZ).
From a pure security point of view, you do not want to give anyone access to any part of a network that they do not need access to. If you leave the static route in place, users on the remote network have the capability to access the entire network ID, and they have complete and trusted access, since the remote network hosts will be LAT hosts to the external ISA Server on the main office network. You don't want that, even if you think you've hardened the servers to the best of your ability. Why give people a chance? Just remove the static route. It's not needed anyway, so there's another important consideration!
When we try to install the .VPC file on the 2nd ISA Server, we get an error that the file is corrupt. We have tried to regenerate the file several times. Any ideas? The only thing we can figure is that one of the servers is Windows 2000 (old server, main office) and the other is Windows 2003 (the remote office is a new server bought with 2003 preinstalled). Before we buy another Windows 2003 license and take the time (and risk) of upgrading the old server, I wanted to see if we may have other issues.