Welcome to ISAserver.org

Discussion for part 2 of joining networks behind back to back DMZs

All Forums >> [ISA Server 2000 Firewall] >> VPN >> Discussion for part 2 of joining networks behind back to back DMZs
Discussion for part 2 of joining networks behind back t... - 27.May2003 10:04:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
This thread is for discussing part 2 of the article on joining networks behind a back to back DMZ configuration at http://www.isaserver.org/tutorials/backtobackdmzvpnpart2.html

Thanks!
Tom

[ May 27, 2003, 10:10 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion for part 2 of joining networks behind ba... - 31.May2003 7:44:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
This used to be a popular topic. No one wants to discuss it? Maybe everyone learned how to do this already! [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 2
RE: Discussion for part 2 of joining networks behind ba... - 8.Jun.2003 3:19:00 AM
mpbrown (Posts: 11, Joined: 25.Jan.2003)
GREAT set of articles Tom! How much difference in the procedure would one see if only one of the two locations had a back-to-back ISA combo and the other location(s) had a single ISA? Thanks in advance.

mb

(in reply to tshinder)
Post #: 3
RE: Discussion for part 2 of joining networks behind ba... - 8.Jun.2003 5:49:00 AM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi MB,

Good question. This is becoming a very popular topic, and it's a scenario I haven't worked out yet. It's easy when both sides are back to back, but when only one side is back to back, you have to figure out a way to tunnel within a tunnel.

I'm thinking it might be easier to create a VPN client link first, and then create the gateway to gateway link after the VPN client link is established. The VPN client link would be like a modem link that used to establish the PPP connection to the ISP, except in this situation, the VPN client link is to the remote external ISA Server, then the gateway to gateway link is established inside that connection.

I'll see if I have time to work out the details next week.

Thanks!
Tom

(in reply to tshinder)
Post #: 4
RE: Discussion for part 2 of joining networks behind ba... - 10.Jun.2003 8:53:00 PM
Greven (Posts: 12, Joined: 4.Aug.2002, From: Holland)
quote:
Originally posted by mpbrown:
GREAT set of articles Tom! How much difference in the procedure would one see if only one of the two locations had a back-to-back ISA combo and the other location(s) had a single ISA? Thanks in advance.

mb

I have this problem now, so one DMZ at the main office and a single ISA server at a small office, and it's not as simple as DMZ to DMZ.
But it has worked now for two days in a "test lab".
What I did was:

ISAIntern ------DMZ------ISAExtern--------Internet---------ISAServer

I first created a local gateway on the ISAExtern (local) that connects to ISAServer (remote),
with the option that only the remote gateway can connect, and installed the remote gateway on the ISAServer.

I did the same on the ISAIntern (Local) that connects to ISAServer (Remote)

So two remote gateways on the ISAServer and one local gateway on ISAExtern and one on ISAIntern

(in reply to tshinder)
Post #: 5
RE: Discussion for part 2 of joining networks behind ba... - 10.Jun.2003 9:27:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Greven,

Very good! However, you don't want the remote network to be able to access the DMZ at the local office, so I would remove the static route on the remote gateway that points to the DMZ. Then I would make the demand-dial interface that allows access to the DMZ a "permanent" connection.

HTH,
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion for part 2 of joining networks behind ba... - 10.Jun.2003 10:28:00 PM
Greven (Posts: 12, Joined: 4.Aug.2002, From: Holland)
Hi Tom

Thanks for the response, but I am missing the point, I think.
The first gateway to the DMZ has no file and printer service enabled.
And there is no name server in the DMZ, and the two connections are permanent.
If you're working at the remote office and browsing the network, the only thing you see is the internal network of the main office, because there are two DCs at the main office and one DC at the remote office (one domain), so why do I need to remove the static route?
And if a user finds a server in the DMZ, then they have no rights to enter that server (there is no file sharing or Client for Microsoft Networks enabled in the DMZ).

(in reply to tshinder)
Post #: 7
RE: Discussion for part 2 of joining networks behind ba... - 11.Jun.2003 1:09:00 AM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Greven,

From a pure security point of view, you do not want to give anyone access to any part of a network that they do not need access to. If you leave the static route in place, users on the remote network have the capability to access the entire network ID, and they have complete and trusted access, since the remote network hosts will be LAT hosts to the external ISA Server on the main office network. You don't want that, even if you think you've hardened the servers to the best of your ability. Why give people a chance? Just remove the static route. It's not needed anyway, so there's another important consideration!

HTH,
Tom

(in reply to tshinder)
Post #: 8
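To make the point of the exchange above concrete, here is an added example that is not from the thread or from ISA Server itself: a small routing-table audit in Python. The address ranges, interface names and the "allowed destinations" list are constructed assumptions standing in for the remote office LAN, the main office internal LAN and the DMZ segment; it shows that with the static DMZ route present a DMZ host is routable from the remote office, and that dropping the route is all it takes to restore least-privilege routing.

```python
import ipaddress

# Constructed private ranges standing in for the thread's networks
# (assumptions, not addresses taken from the article or the thread).
MAIN_INTERNAL = ipaddress.ip_network("10.0.0.0/24")     # main office LAN behind ISAIntern
MAIN_DMZ = ipaddress.ip_network("172.16.0.0/24")        # DMZ between ISAIntern and ISAExtern
REMOTE_LAN = ipaddress.ip_network("192.168.5.0/24")     # remote office LAN behind the single ISA

# Networks the remote office legitimately needs to reach (assumption).
ALLOWED = [REMOTE_LAN, MAIN_INTERNAL]

# Routing table on the remote-office ISA Server as (destination, interface);
# interface names are hypothetical.
ROUTES_WITH_DMZ = [
    (REMOTE_LAN, "LAN"),
    (MAIN_INTERNAL, "DD-to-ISAIntern"),   # demand-dial link to the internal ISA
    (MAIN_DMZ, "DD-to-ISAExtern"),        # the static route the thread says to remove
]
# Hardened table: same routes minus the one pointing at the DMZ.
ROUTES_HARDENED = [r for r in ROUTES_WITH_DMZ if r[0] != MAIN_DMZ]


def lookup(routes, dst):
    """Longest-prefix match: interface a destination host is forwarded to, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit_routes(routes, allowed):
    """Return destinations in the table that lie outside the allowed networks.

    An empty list means every route serves a destination the remote office
    actually needs (least-privilege routing)."""
    return [str(net) for net, _ in routes
            if not any(net.subnet_of(a) for a in allowed)]


def dmz_exposed(routes):
    """True when a host inside the DMZ is routable from the remote office."""
    return lookup(routes, MAIN_DMZ[10]) is not None


if __name__ == "__main__":
    for name, table in (("with DMZ route", ROUTES_WITH_DMZ), ("hardened", ROUTES_HARDENED)):
        print(name, "- DMZ reachable:", dmz_exposed(table),
              "- out-of-scope routes:", audit_routes(table, ALLOWED))
```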
RE: Discussion for part 2 of joining networks behind ba... - 11.Jun.2003 11:55:00 AM
Greven (Posts: 12, Joined: 4.Aug.2002, From: Holland)
Hi Tom

Thanks for the clear explanation of the security point of view.
I have removed the static route and it still works [Smile]
So thanks

(in reply to tshinder)
Post #: 9
RE: Discussion for part 2 of joining networks behind ba... - 11.Jun.2003 3:20:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Greven,

Great! Thanks for the follow up!

Tom

(in reply to tshinder)
Post #: 10
RE: Discussion for part 2 of joining networks behind ba... - 17.Dec.2003 9:43:00 PM
rodonnell (Posts: 5, Joined: 18.Jun.2003, From: Austin, TX)
When we try to install the .VPC file on the 2nd ISA Server, we get an error that the file is corrupt. We have tried to regenerate the file several times. Any ideas? The only thing we can figure is that one of the servers is Windows 2000 (old server - main office) and the other is Windows 2003 (remote office is a new server bought with 2003 preinstalled). Before we buy another Windows 2003 license and take the time (and risk) of upgrading the old server, I wanted to see if we may have other issues.

Both firewalls work independently just fine.

(in reply to tshinder)
Post #: 11
RE: Discussion for part 2 of joining networks behind ba... - 18.Dec.2003 4:19:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Robert,

This is a known issue. Unfortunately, there is no fix. It's seen when you run the Wizard on one version of Windows and then try to use it on another version [Frown]

HTH,
Tom

(in reply to tshinder)
Post #: 12