Welcome to ISAserver.org
multiple external interfaces
multiple external interfaces - 28.Jun.2004 3:45:00 AM   
ssmith (Posts: 6, Joined: 28.Jun.2004)
Hi Folks!

Can ISA Server 2004 manage multiple external interfaces? It was an ISA Server 2000 limitation.

TIA
Post #: 1
RE: multiple external interfaces - 28.Jun.2004 3:47:00 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi S,

It wasn't an ISA limitation, it's a Windows networking issue. However, RainConnect for ISA 2004 is in beta and will fix this right up.

HTH,
Tom

(in reply to ssmith)
Post #: 2
RE: multiple external interfaces - 19.Jul.2004 11:48:00 PM   
sschafer (Posts: 5, Joined: 5.Jul.2001)
Does your reply mean you MUST have RainConnect?

The literature I've read on the MS site seems to say you can have as many "networks" as you'd like.

Thanks, waiting for the new book
Scott

(in reply to ssmith)
Post #: 3
RE: multiple external interfaces - 20.Jul.2004 2:39:00 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi S,

Yes, you can have as many networks as you like, but you can have only one ISP connection per ISA firewall unless you use RainConnect.

HTH,
Tom

(in reply to ssmith)
Post #: 4
RE: multiple external interfaces - 20.Jul.2004 3:56:00 PM   
sschafer (Posts: 5, Joined: 5.Jul.2001)
I'm sorry...... I don't mean to belabor the point but..... the docs seem to talk about the "inside/trusted" network and how everything else is outside.

Question: what is an "ISP" connection? How is it different from any other outside connection.

Thanks,
Scott

(in reply to ssmith)
Post #: 5
RE: multiple external interfaces - 20.Jul.2004 8:45:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Scott,

With ISA 2004 firewalls there isn't the concept of inside/trusted, like there was with ISA 2000.

However, you can still have only one default gateway. That's why you need additional software for multiple Internet connections.

HTH,
Tom

(in reply to ssmith)
Post #: 6
RE: multiple external interfaces - 21.Jul.2004 12:49:00 AM   
Uju Sivas (Posts: 236, Joined: 31.Dec.2001)
The concept behind the fact is: the external interface of the ISA "program" is considered as one. You can definitely have multiple interfaces bound to the same external interface... where we just define IP and subnet mask but the gateway is the same...

Now, of course, we can have multiple ISA servers bound to different IP addresses - like you have one WAN IP and you have 5 LAN IPs on your T1 line. You can definitely put 2 ISA servers on those LAN addresses behind a straight router.

And you can connect the LAN cables to the same gigabit switch..... Now, the only issue we have to remember is that we should not overlap the IPs and subnet masks in these two areas....

Your users behind the ISA LAN can point to either of the ISA servers as gateway..... You may need to add routing manually to get each to talk to the other...

Multiple gateways are technically not allowed in Windows....... a pitfall of code derived from the NT world... or earlier.

(in reply to ssmith)
Post #: 7
RE: multiple external interfaces - 21.Jul.2004 3:32:00 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Uju,

That's why I like the miracle of RainConnect!

HTH,
Tom

(in reply to ssmith)
Post #: 8
RE: multiple external interfaces - 8.Aug.2004 8:40:00 AM   
ralden@ralden.com (Posts: 3, Joined: 8.Aug.2004, From: California)
Let me try to clarify.

Any router, and ISA+RRAS+TCP/IP is basically just one big fat complicated router (among other things), can have interfaces to multiple networks and generally speaking these interfaces have IP subnets associated with them. The router sends traffic out a particular interface because it has some understanding of what IP addresses are reached via that interface.

Most routers have another concept: the "default" route; i.e., where it will send traffic that is addressed to an IP address which is not otherwise listed on any of its interfaces (i.e., is not in its routing table).

For example, most simple routers like a Linksys box know about only three routes: 1) the "inside" network (192.x), 2) a tiny subnet facing the ISP that reaches a default gateway (usually set up by DHCP or PPPoE and numbered by a temporary routable IP address), and 3) "other"; i.e., the place where all "other" traffic is sent.

The problem starts here. If there is only one "other" then when that route fails "most" traffic routing will stop. As soon as you have two ISP connections things get complicated. Somebody has to decide when one connection will be used and when the other will be used. Each will probably get the packet to its destination. If you just want to leave one connection idle, and fail over to it when the primary connection dies, that would be simple (and there are simple products like the Linksys RV08 that will do that). As soon as you want to use both connections at the same time, sending some traffic out one and some out the other, you have to do two things. 1) Decide which to use; and 2) Keep track of NAT-like bookkeeping, because once you establish a particular TCP connection out one interface it is very hard (e.g., nearly impossible) to switch it to the other.

All of this is "too complicated" for your average TCP/IP stack, which is why we have to resort to some add-on product to get this functionality; given the complexity of the VPN and RRAS engine inside Windows, and what is going on inside ISA, that of course is an absurd statement. This stuff should be built into ISA; but it isn't. So there you have it.

All of the above has to do with outbound traffic sharing two (or more in the case of RainConnect) connections. On the inbound side, things are complicated in different ways. Most inbound traffic arrives at just one IP address through DNS. Most of the products in this "inbound load balancing" category implement some type of DNS server that is set up to answer queries that are targeted to two or more IP addresses. These DNS "A records" have very short TTL values so that endpoints out on the Internet are constantly asking the DNS server for the right IP address to use. The load balancer answers differently for each query, depending on load and the health of back end servers, and the health of each Internet connection. In this way, traffic can be routed around a bad connection quickly and automatically. Again all this functionality is really just a DNS server that is connected to something that is watching the health of the links, and you'd think Microsoft might be able to do that part too, but nooooo.

End of tutorial.

(in reply to ssmith)
Post #: 9
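The two mechanisms the post above describes, per-flow link affinity on the outbound side and health-aware short-TTL DNS answers on the inbound side, as an added example in Python. This is not code from the thread, from ISA Server or from RainConnect; the link names, the addresses (taken from the documentation ranges), the round-robin policy for new flows and the 30-second TTL are assumptions chosen for illustration.

```python
"""Added example (not from the thread, ISA or RainConnect): a toy dual-WAN
router that pins each flow to the link it started on, plus a DNS responder
that only hands out the public addresses of links that are currently up.
All addresses below are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    gateway: str      # next hop for the default route via this ISP (assumed)
    public_ip: str    # address the ISP sees, i.e. the NAT source address
    up: bool = True


class DualWanRouter:
    """Outbound side: choose a link per *new* flow, then keep the flow pinned."""

    def __init__(self, links, connected_prefixes):
        self.links = {l.name: l for l in links}
        self.connected = [ipaddress.ip_network(p) for p in connected_prefixes]
        self.flows = {}     # 5-tuple -> link name: the "NAT-like bookkeeping"
        self._rr = 0        # round-robin position for new flows

    def healthy(self):
        return [l for l in self.links.values() if l.up]

    def forward(self, proto, src, sport, dst, dport):
        """Return the egress decision for one packet of a flow."""
        if any(ipaddress.ip_address(dst) in net for net in self.connected):
            return "direct"          # on a connected interface, no ISP involved
        key = (proto, src, sport, dst, dport)
        if key in self.flows:
            link = self.links[self.flows[key]]
            if link.up:
                return link.name     # established connection stays where it is
            # The link died under an established connection.  Its NAT mapping
            # used that link's public IP, which the remote peer still expects,
            # so the flow cannot be moved: drop the state and let the client retry.
            del self.flows[key]
            return "reset"
        healthy = self.healthy()
        if not healthy:
            return "unreachable"     # no usable default route at all
        link = healthy[self._rr % len(healthy)]
        self._rr += 1
        self.flows[key] = link.name
        return link.name


class HealthAwareDns:
    """Inbound side: answer A queries only with addresses of links that are up."""

    TTL = 30    # seconds (assumed); short so resolvers re-ask soon after a failover

    def __init__(self, zone_name, router):
        self.zone_name = zone_name
        self.router = router
        self._rr = 0

    def answer(self, qname):
        """Return (ttl, [ips]) rotated so successive resolvers spread across links."""
        if qname != self.zone_name:
            return None
        ips = [l.public_ip for l in self.router.healthy()]
        if not ips:
            return (self.TTL, [])
        self._rr = (self._rr + 1) % len(ips)
        return (self.TTL, ips[self._rr:] + ips[:self._rr])


def demo():
    """Walk one flow set through an ISP outage; returns the decisions observed."""
    wan1 = Link("wan1", "203.0.113.1", "203.0.113.2")
    wan2 = Link("wan2", "198.51.100.1", "198.51.100.2")
    rtr = DualWanRouter([wan1, wan2], ["192.168.0.0/24"])
    dns = HealthAwareDns("www.example.com", rtr)

    a = ("tcp", "192.168.0.10", 40000, "93.184.216.34", 443)
    b = ("tcp", "192.168.0.11", 40001, "93.184.216.34", 443)
    out = {
        "lan": rtr.forward("tcp", "192.168.0.10", 40002, "192.168.0.20", 445),
        "a_first": rtr.forward(*a),
        "b_first": rtr.forward(*b),
        "a_again": rtr.forward(*a),        # pinned, not re-balanced
        "dns_before": dns.answer("www.example.com"),
    }
    wan2.up = False                        # second ISP goes down
    out["b_after_outage"] = rtr.forward(*b)
    out["c_new"] = rtr.forward("tcp", "192.168.0.12", 40003, "93.184.216.34", 443)
    out["dns_after"] = dns.answer("www.example.com")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Flow B, which was established over wan2, is not migrated when wan2 fails; the router returns "reset" so the client reconnects and is placed on wan1 as a new flow. That is the point the post makes about switching an existing TCP connection between ISPs: the remote end only knows the public address it was NATed to. On the inbound side the same health list drives the DNS answer, so after the outage only wan1's address is returned and the 30-second TTL bounds how long stale answers survive in resolver caches.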
RE: multiple external interfaces - 8.Aug.2004 7:25:00 PM   
Uju Sivas (Posts: 236, Joined: 31.Dec.2001)
I'm pretty much sure that this (limitation of MS networking fundamentals, and its impact on the ISA firewall) should be changed in the near future by MS.

Nobody wants to have some third product to control your overall firewall situation.....

Past experience has always indicated that it's a pain in the **ss.

If RainConnect software/technology can do it, then why can't that thing come as part of ISA itself....

(in reply to ssmith)
Post #: 10
RE: multiple external interfaces - 8.Aug.2004 9:44:00 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Hi Uju,

MS could do it, but then they would have to charge more for the core ISA firewall software. Price out something like a SonicWall with equal specs to an ISA firewall. It's over US$10,000! Even if you buy the ISA firewall with RainConnect, you still beat the competition by miles.

We're not talking about shops that just want a cheapo NAT router, or a crummy PIX 501; we're talking about real firewall protection and you have to pay a premium. Or, you can put a US$600 hardware device in front of the ISA firewall and get multiple Internet links.

HTH,
Tom

(in reply to ssmith)
Post #: 11
RE: multiple external interfaces - 7.Feb.2005 7:14:00 PM   
AnotherGeek (Posts: 3, Joined: 25.Dec.2004, From: South Bend IN)
Tom,

You referred to a $600 piece of hardware which would load balance. What $600 piece of hardware would you recommend?

By the way I'm currently working through your ISA 2004 book.

(in reply to ssmith)
Post #: 12
RE: multiple external interfaces - 13.Feb.2005 9:42:00 AM   
shigum (Posts: 4, Joined: 5.Jun.2003, From: BC, Canada)
Our shop is doing as Tom suggested with load balancing by using a Fortinet FortiGate 200 appliance in front of the ISA server. That takes care of the load balancing. Fortinet has a FortiGate 60 model that also provides redundant ISP connections, as do a couple of models from Symantec. There are probably many more out there too.

(in reply to ssmith)
Post #: 13
RE: multiple external interfaces - 15.Feb.2005 2:34:00 PM   
AnotherGeek (Posts: 3, Joined: 25.Dec.2004, From: South Bend IN)
I looked at the FortiGate 200/300 spec sheet and it doesn't appear that load balancing is still a feature on that model.

We have about 125 max users and around 80 on any given day. I'm looking at a HotBrick solution and the pricing is very good.

If I'm mistaken about the FortiGate unit, please correct me. And if you have any input on the HotBrick solution I would love to hear it.

Thanks
Ed

(in reply to ssmith)
Post #: 14