Welcome to ISAserver.org

VPN? Router or ISA?

All Forums >> [ISA 2006 Firewall] >> VPN >> VPN? Router or ISA? Page: [1]
VPN? Router or ISA? - 30.Nov.2006 10:58:16 AM
x102020
Posts: 53
Joined: 23.Oct.2006
Hey all,

First off, my setup is kinda confusing to explain. It's a cross between a Tri-homed setup and a back-to-back setup. We have a Sonicwall Router in the front, and ISA server on the back. And we have a separate (private) DMZ connected on our OPT port on the Sonicwall router. So it looks something like this:

Sonicwall--DMZ (10.1.1.x)
    |
  ISA (192.168.2.x)

Now my question is this. What would be easier to setup?

1. Setting up the VPN on Sonicwall--from there, access either the DMZ or internal network (which would require it to pass through ISA, (and how would I do that?)).

2. Moving the DMZ onto a 3rd NIC on ISA, and just let ISA handle all VPN connections for both internal and DMZ (also, how do I do that?)

As it stands right now, it's set up as option 1, but I'm having connectivity issues (I can't RDP into the Internal network)--which makes me also ask--Can the RDP be defined as one of the internal servers, or does it have to be ISA which it RD's into?


thanks,
10
Post #: 1
RE: VPN? Router or ISA? - 7.Dec.2006 7:52:14 PM
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
1. Setting up the VPN on Sonicwall--from there, access either the DMZ or internal network (which would require it to pass through ISA, (and how would I do that?)).
TOM: Terminating the VPN at the ISA Firewall would be more secure, and not require using the horked Sonicwall VPN client. Access to the DMZ could be done from a client on the Internal network, or you could port forward at the Sonicwall.

2. Moving the DMZ onto a 3rd NIC on ISA, and just let ISA handle all VPN connections for both internal and DMZ (also, how do I do that?)
TOM: This would be the superior solution, because the ISA Firewall's access controls and logging for VPN connections are much better than Sonicwall's.
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to x102020)
Post #: 2
RE: VPN? Router or ISA? - 28.Feb.2007 11:59:44 AM
patos
Posts: 34
Joined: 13.Oct.2006
I have to agree with Tom. Replace that pesky Sonicwall with an ISA server instead. You get so much for free in the ISA firewall.

Just a quick tip though. My experience is that many people with a hardware firewall use the inside of their FW as their default gateway, but still have a router on the inside to other remote site networks. Don't make this mistake with the ISA. The stateful inspection will go haywire (as it should) when traffic comes from the remote site through the router directly to your machine on the network. When that machine answers, it sends the packet to ISA, but since the ISA server never heard the original message, it will drop the packet.

Good luck! I'm sure you will be pleased!

(in reply to tshinder)
Post #: 3
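The asymmetric-routing failure patos describes is easy to reproduce in a model. The following is an added illustration, not code from the thread or from ISA Server: a minimal stateful firewall that creates state only for connections it sees opened, and two topologies for a remote-site request to an internal host. The addresses, the ports and the "remote site" itself are constructed for the example; in the first topology the inside router hands the request straight to the host (the ISA never sees it), in the second the remote-site traffic is routed through the ISA so both directions pass the same inspection point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Minimal stateful inspection: a connection is admitted when its opening
    packet (SYN) passes through; later packets are forwarded only if they match
    an existing entry in either direction. Anything else is dropped."""

    def __init__(self, name):
        self.name = name
        self.state = set()
        self.log = []

    def forward(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn:
            self.state.add(fwd)
            self.log.append(f"{self.name}: new connection {fwd}, state created")
            return True
        if fwd in self.state or rev in self.state:
            self.log.append(f"{self.name}: {fwd} matches existing state, forwarded")
            return True
        self.log.append(f"{self.name}: no state for {fwd}, dropped")
        return False


def send(pkt, path):
    """Deliver pkt through the ordered list of firewalls on its path. A plain
    router keeps no connection state and never drops, so it is simply absent
    from the path."""
    return all(fw.forward(pkt) for fw in path)


REMOTE_HOST = "172.16.0.10"     # constructed: a machine at the remote site
INTERNAL_HOST = "192.168.2.50"  # constructed: internal host whose default gateway is ISA


def simulate(route_remote_via_isa):
    """Return (request_delivered, reply_delivered, isa_log) for an RDP-style
    connection from the remote site to the internal host."""
    isa = StatefulFirewall("ISA")
    request = Packet(REMOTE_HOST, INTERNAL_HOST, 49152, 3389, syn=True)
    reply = Packet(INTERNAL_HOST, REMOTE_HOST, 3389, 49152)

    # Inbound: with the bad design the inside router delivers the request
    # directly to the host, so the ISA never sees it; with the good design
    # remote-site traffic is routed through the ISA first.
    inbound = [isa] if route_remote_via_isa else []
    # Outbound: the host's default gateway is the ISA in both designs.
    outbound = [isa]

    request_ok = send(request, inbound)
    reply_ok = send(reply, outbound)
    return request_ok, reply_ok, isa.log


if __name__ == "__main__":
    for label, symmetric in (("router bypasses ISA", False), ("remote traffic via ISA", True)):
        req, rep, log = simulate(symmetric)
        print(f"{label}: request delivered={req}, reply delivered={rep}")
        for line in log:
            print("   ", line)
```

In the first run the request arrives but the reply is dropped by the ISA for lack of state, which is exactly the symptom the thread reports (the remote machine can reach the host, the host's answers never come back). The fix is a routing one: the ISA must be on the path of the first packet as well as the reply, whether by giving the remote-site router a route that hands that traffic to the ISA or by terminating the site-to-site link on the ISA itself.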
RE: VPN? Router or ISA? - 1.Mar.2007 10:54:06 AM
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Patos,

Good point!

Thanks!
Tom


_____________________________

Thomas W Shinder, M.D.

(in reply to patos)
Post #: 4
RE: VPN? Router or ISA? - 1.Mar.2007 11:47:41 AM
x102020
Posts: 53
Joined: 23.Oct.2006
Excellent point.

As of right now, the DMZ is on the Sonicwall though. We need to get a new mobo for the ISA server; it only carries 2 PCI slots (which are used for int & ext), and although it has a 3rd onboard NIC, this NIC will be used for a secondary LAN that we must set up. So for right now, the DMZ is stuck on the hardware firewall.

But you are absolutely right about the packet inspection, because ISA sees most requests as the hardware firewall's gateway IP, and not the original source.

One area where this was obvious was with users that have BlackBerries; it was being caught by Sonicwall's intrusion prevention module. But we've sorted that out by allowing low level risks only (med & high are still enabled).

Our main purpose for having the Sonicwall in front is really for its AV scanning and content filtering. At least until we get a new mobo for ISA...then we can move the Sonicwall out altogether. woohoo!

(in reply to tshinder)
Post #: 5