My client is setting up a small office for a joint-venture with another company. Each company will have their own, separate system, but plan to share 2 resources: A mopier (via JetDirect) and a NAS device in lieu of sneakernet. Our internal subnet and their internal subnet will be different; the 2 shared devices will be on their subnet.
Our side of the system will have a back-to-back ISA VPN connection to the main office (2 NICs), so ISA will be installed at the JV branch office. I want to use ISA to route us to their printer & NAS, and deny all other connections in either direction.
I think I know what I need to do, but want to make sure...
Do I add a 3rd NIC that's on their subnet? Define their subnet as a Network in ISA? NAT relationship? Then set up Access Rules for JetDirect to the printer & NetBIOS to their NAS device?
From: Taylorville, IL
There is no way to answer that. Saying you want a Site2Site VPN between your location and your Main Office tells nothing about the topology of the relationship with the "other company".
Let me explain what I mean:
The other company could join in at the Main Office....
The other company could join in at your Local Office....
The other company could be in the same physical building as the part of your network they are joining into,....or there could be hundreds, or thousands, of miles of Internet in between.....
The ISA may not even "logically" be between them and you at the point where they join in....
There is no way to know any of these things until you post more details to explain.
But let me take a "stab" at something. I will assume you and the other company have the Internet between you. I have no concept of a Main Office or a JV Branch in this illustration. You would use ISA to set up a Site2Site VPN directly between you and the other company. Then I would answer your questions this way....
Do I add a 3rd NIC that's on their subnet?
Define their subnet as a Network in ISA? Yes. It is required by the S2S VPN setup.
NAT relationship? No. Routed.
Then set up Access Rules for JetDirect to the printer & NetBIOS to their NAS device?
Source: Internal, <created Network>
Destination: Internal, <created Network>
Protocols: <whatever>
Users: All Users (because their users can't authenticate with your ISA)
Both companies occupy a single branch office side-by-side at the same physical location.
Internal networks are us, at 10.10.13.0/24, and them (including the NAS device & printer to be jointly used), at 192.168.1.0/24.
I'm hopeful I can just connect their network into an additional NIC on our ISA firewall, and get access to their NAS & printer as simply as possible while keeping our networks separate and secure from each other.
From: Taylorville, IL
Ok. That is a fairly easy one.
There is no VPN here.
Add the new NIC to the ISA machine and install the driver, then configure the TCP/IP specs with specs that are valid for their network.
Go to the Network Node of the ISA MMC and tell it you want to create a "new network".
The Type of the Network must be chosen as "internal"
Give it the Address Range of the other company's Network.
The Relationship of their network to your Internal is Routed.
The Relationship of their network to External is NAT.
The Access Rule for traffic between them and your Internal would be as I described in the last post. If they also use your ISA to get to the Internet then I would do that Rule(s) separately. Such an Internet Rule would have to be anonymous (all users) since their users cannot authenticate to your ISA.
Both your LAN and their LAN need the routing scheme adjusted to treat the ISA as the "LAN Router" between the two Segments. But if these are simple single subnet LANs with no other LAN Routers then there probably isn't anything to do there.
However, if the other company does not use your ISA to get to the Internet and is therefore using its own firewall for that, then their Routing Scheme must be adjusted to use your ISA as the LAN Router to get to your Segment. This could be as simple as a Static Route added to their Firewall and adding your IP Range to the LAT on their Firewall. But things could also get more complex than that.
Further clarifying, they're not using our network for Internet access, or anything else for that matter. Nor are we using their network for anything except access to these 2 devices.
So if the relationship between our Internal network and their Internal network is NAT, they won't need a route; will they? Their NAS and printer will just think they're talking to the ISA IP, and ISA will get the packets back to the client that requested them. Want to keep the config as simple as possible and require as little coordination as possible.
From: New Jersey
Your idea of using a NAT relationship between the offices might work with minimal configuration, but I'm not sure how well NAT will handle netbios requests to/from the shared storage device - that could be your main hangup. I recall issues with a similar situation many years back. If a NAT relationship between the ISA and the shared devices works, it will eliminate all configuration and routing issues on their side, and your rules will simply permit communication only to specific devices.
If a NAT relationship doesn't work, you might consider configuring the shared devices for the end of their subnet range - 192.168.1.248-255. This way, you could put the ISA interface at 192.168.1.245, the shared devices at 244 and 243, and set the netmask on the ISA interface to 255.255.255.248. Thus, the ISA (and your network) could only access 5 addressed devices on their network, and while users on their network could access the ISA interface, it could not reply to them.
With regard to routing in this model, the simplest thing to do is have the shared devices use the ISA server on their subnet (192.168.1.254) as their default gateway. Since it's unlikely that these devices will need to access the Internet in this small office scenario, they will be able to communicate directly with all devices on their subnet and find the gateway to your LAN without any configuration or routes on the other company's side. As Phillip mentioned, if the shared devices need to communicate outside the other company's office - like to a headquarters site - the routing could get much more complex on their side.
Regardless of which method you use, I'd consider defining their network as a Perimeter, which by policy blocks most communications into your Internal network unless you specifically permit. Perimeter, by definition, is a protected network less trustworthy than your Internal network.
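The three options discussed in this thread (NAT relationship with no changes on their side, routed relationship with the shared devices pointed at the ISA as default gateway, and the /29 mask fallback) all come down to one question: when the NAS or printer receives a packet, is the source address on-link for it, and if not, does it have a gateway that is? The following is an added illustration of that reasoning, not code from any poster; it uses the thread's addresses (10.10.13.0/24, 192.168.1.0/24, the ISA at 192.168.1.254 or 192.168.1.245/29, shared devices at .243/.244) and constructed sample hosts 10.10.13.50 and 192.168.1.10 that are not from the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# Subnets and ISA addresses are the ones used in the thread. The client
# 10.10.13.50 and the "their side" client 192.168.1.10 are constructed sample
# values for the illustration, not configuration taken from the thread.


def on_link(iface: str, peer: str) -> bool:
    """True when `peer` is inside the subnet of `iface` ('addr/prefix' or
    'addr/dotted-mask'), i.e. the host can ARP for it and reply directly."""
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(iface).network


def reply_path(iface: str, gateway: Optional[str], peer: str) -> str:
    """How a host with interface `iface` and optional default `gateway` gets a
    reply back to `peer`: 'direct', 'via gateway', or 'unreachable'."""
    if on_link(iface, peer):
        return "direct"
    if gateway is not None and on_link(iface, gateway):
        return "via gateway"
    return "unreachable"


def reachable_hosts(iface: str) -> List[str]:
    """Other host addresses the interface can talk to without any route."""
    i = ipaddress.ip_interface(iface)
    return [str(h) for h in i.network.hosts() if h != i.ip]


def nas_reply_paths() -> Dict[str, str]:
    """The shared NAS as the other company has it: /24 mask, no gateway (they
    do not route to us). The source address it sees decides whether it can
    answer at all."""
    nas = "192.168.1.243/255.255.255.0"
    return {
        # NAT relationship: the NAS sees the ISA's own 192.168.1.x address.
        "nat": reply_path(nas, None, "192.168.1.254"),
        # Routed relationship, nothing changed on their side: NAS sees 10.10.13.x.
        "routed_no_gateway": reply_path(nas, None, "10.10.13.50"),
        # Routed, with the NAS given the ISA (.254) as its default gateway.
        "routed_isa_gateway": reply_path(nas, "192.168.1.254", "10.10.13.50"),
    }


def slash29_fallback() -> Dict[str, object]:
    """ISA interface at .245 with a 255.255.255.248 mask: it sees only five
    neighbours, and a host elsewhere in 192.168.1.0/24 that reaches the ISA
    gets no reply on their LAN (the ISA's real default route points at the
    Internet-facing NIC, so we model 'no gateway on this segment')."""
    isa = "192.168.1.245/255.255.255.248"
    return {
        "network": str(ipaddress.ip_interface(isa).network),
        "reachable": reachable_hosts(isa),
        "isa_to_nas": reply_path(isa, None, "192.168.1.243"),
        "isa_to_their_client": reply_path(isa, None, "192.168.1.10"),
    }


if __name__ == "__main__":
    for k, v in nas_reply_paths().items():
        print(f"NAS reply, {k}: {v}")
    for k, v in slash29_fallback().items():
        print(f"/29 fallback, {k}: {v}")
```

The NAT row is why the NAT relationship needs no coordination: every packet the NAS sees comes from an address it can ARP for. The routed rows show that without a gateway entry on their devices the replies are simply dropped, and with the ISA as gateway they work but now depend on their configuration. The /29 result reproduces the "5 addressed devices" count from the post above and shows that the ISA cannot answer a host at, say, 192.168.1.10 even though that host can send to it.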
As an experiment, I set a SOHO NAT router/firewall with its WAN interface on the LAN at the main office and an XP computer (a domain member, actually) on the router's LAN interface, which was (obviously) on a different subnet. I had full connectivity to remote shares, as near as I could tell. In fact, Group Policy refreshed and applied normally, a VB Script showed me the client knew which AD site it was on, and the domain firewall config was applied. That's a lot more than we'll be asking from this NAS device so I've reason to believe this will work.
My test was against a WS2003 server & domain. I don't know what their NAS device is at this time, but suspect if it runs XP embedded, we're golden. If it's Samba it's less clear, but odds are it will. I didn't think to try JetDirect through the NAT router at the time, but if NetBIOS works, I imagine JetDirect will, too. Certainly worth a try.
Your idea about using the last 5 addresses in their subnet if we need to route is a clever one, too. I will keep that in mind as a fallback. Hopefully they're not routing these devices now, but from what I've been told, theirs is a pretty basic setup.
And I will use a Perimeter network regardless.
Thanks, again, and I should know how it works out next week.
< Message edited by JeffVandervoort -- 26.Jan.2008 3:24:59 PM >