Welcome to ISAserver.org


Make Web Site request look like its coming from main office, when it branch office, over StS VPN

Make Web Site request look like its coming from main of... - 12.Aug.2008 9:19:49 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
I have a site-to-site VPN between the main office and the remote branch office.

The Main Office is on a Domain, and the Branch Office is not.

At the main office we have our IP address registered with a Library service, and this gives us access to their site, to access their web-site-based resources.

Is it possible to make the requests for these services look like they're coming from the Main Office when accessed from a Branch Office machine, but only when the user wants to access these resources?

Any instructions or tutorials welcomed!

Many Thanks
Post #: 1
RE: Make Web Site request look like its coming from mai... - 12.Aug.2008 9:26:29 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You could create a NAT relationship between the Branch Office and Main office. However, you won't be able to connect to the branch office from the main office unless you use publishing rules.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cjoyce1980)
Post #: 2
RE: Make Web Site request look like its coming from mai... - 12.Aug.2008 10:16:27 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Thanks Tom, for your speedy reply.
 
I've done a little Google searching on NAT relationships and I'm a bit confused. I understand how they work and the theory behind them.

The part that confuses me is that I don't understand how to implement this solution.

Are there any guides, KBs or tutorials I could study on this site that you could recommend?
 
Many Thanks

(in reply to tshinder)
Post #: 3
RE: Make Web Site request look like its coming from mai... - 13.Aug.2008 8:55:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,

For site-to-site VPNs I always use a route relationship because of the limitations of NAT. However, you can configure the site-to-site VPN to use a NAT relationship from the branch office to the main office. Unfortunately for this situation, I've never done a site-to-site VPN article that includes a NAT relationship. It's definitely something that I can put together, though.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cjoyce1980)
Post #: 4
RE: Make Web Site request look like its coming from mai... - 13.Aug.2008 9:13:18 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Hi Tom,
 
Thanks again, you are a credit to this site.
 
If it wouldn't be too much to ask, an article on site-to-site VPN with a NAT relationship sounds like just what I need.
 
Many Thanks.... again!

(in reply to tshinder)
Post #: 5
RE: Make Web Site request look like its coming from mai... - 13.Aug.2008 9:43:36 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,

You bet! I was wondering what I would write next and you've given me an ideal article to write!

I'll take care of that this weekend.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cjoyce1980)
Post #: 6
RE: Make Web Site request look like its coming from mai... - 13.Aug.2008 9:47:15 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Tom,
 
Thanks again, I will look forward to reading it next week and let you know how I get on.

(in reply to tshinder)
Post #: 7
RE: Make Web Site request look like its coming from mai... - 26.Aug.2008 6:10:46 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Hi Tom,
 
No pressure, but how is the article coming along?
 
Chris

(in reply to cjoyce1980)
Post #: 8
RE: Make Web Site request look like its coming from mai... - 26.Aug.2008 9:14:40 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Sorry about that. Got caught up in a VMware nightmare (Vista machines pegging the processor) last weekend and ran out of time. Will try to get something done on this this weekend.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cjoyce1980)
Post #: 9
RE: Make Web Site request look like its coming from mai... - 26.Aug.2008 9:19:56 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
That's OK, Tom.  No worries.
 
Many Thanks

(in reply to tshinder)
Post #: 10
RE: Make Web Site request look like its coming from mai... - 17.Oct.2008 5:48:11 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Hi Tom, 
 
How is the article coming along? Have you had time to consider it?

Chris

(in reply to cjoyce1980)
Post #: 11
RE: Make Web Site request look like its coming from mai... - 17.Oct.2008 8:20:48 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Thanks for the reminder! Will try to work that up this weekend.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cjoyce1980)
Post #: 12
RE: Make Web Site request look like its coming from mai... - 10.Nov.2008 6:16:54 AM   
cjoyce1980

 

Posts: 35
Joined: 25.Apr.2008
Status: offline
Hi Tom,  

Just a little nudge :)

Chris

(in reply to tshinder)
Post #: 13
RE: Make Web Site request look like its coming from mai... - 11.Nov.2008 8:22:07 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Feeling the nudge :)

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cjoyce1980)
Post #: 14
RE: Make Web Site request look like its coming from mai... - 11.Nov.2008 3:49:14 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Until Tom writes that article, may I help? (If Tom does not mind, or if he minds, I hope he does not remember where he left his baseball bat...)

Say:
(HostC/HostD)Internal Network---ISABranch----VPN Tunnel----ISAMain---Internal Network(HostA/HostB)

Where is your library service located? Behind ISAMain, on ISAMain's Internal Network?
If so, we can pretend that this service is hosted on HostA.
Create the site-to-site VPN on both ISAs without access and network rules (if you use IPsec tunnel mode, leave on both ISAs the remote VPN gateway address added by default by the wizard to the remote network address range).

On ISA Branch, create a network rule with a route relationship between the remote site (let's call it Main) and the Internal Network.
For our fun, let's create an access rule allowing all traffic from the Internal Network to Main and vice versa.

On ISA Main, create a network rule with a NAT relationship between the remote site (let's call it Branch) and the Internal Network. Keep this order, because it matters since this is a NAT relationship.
What this NAT relationship means:
For example, when HostC pings HostA, the ping packet from HostC will be sourced on ISAMain with the IP address of ISA's internal interface (the first IP address, in case for some reason there are multiple IP addresses on this NIC).
So HostA will see these ping packets as "coming" from ISAMain's internal interface IP address; it will have no clue that this packet was sent by HostC.
In order to allow these packets on ISAMain, we can create an access rule allowing all traffic from Branch to the Internal Network (just for test).
Note that the HTTP packets coming from HostC to HostA will originally come from ISABranch sourced with ISABranch's IP address (by default, due to the web proxy: for IPsec tunnel mode this IP address will be ISABranch's external IP address; for PPTP and L2TP this IP address will be ISABranch's IP address from its internal PPP adapter - my bad - ||| actually it is the IP address of the DDI interface (Main) created for the s2s on ISABranch (no strikethrough on this forum?), an IP address obtained through IPCP from ISAMain; it depends how IP addresses are assigned for VPN connections on ISAMain, either by DHCP or static range) and not with HostC's IP address.
If that represents a problem, you can use a web server publishing rule on ISABranch and publish the HTTP server on HostA (remember to check the "allow HTTP authentication" checkbox on the listener if that web server requires auth, since you're not using SSL, so your connections are not dropped), check on this rule the "requests appear to come from the original client" option, select the Internal Network as the network on which ISABranch listens for requests, and from HostC access HostA by ISABranch's published internal IP address.

Now in reverse, if HostA wants to reach HostC, you need a server publishing rule. Say you want to RDP into HostD from HostB. Create a server publishing rule for an RDP server, the published server is HostD, and the network on which ISAMain listens is the Internal Network. From HostB you will connect to HostD using ISAMain's published internal IP address. If you leave the default settings in place on this server publishing rule, the packets from HostB will appear to HostD with HostB's original IP address.

Note that you do not need to create such a "general" network rule on ISAMain.
For example, you can create a network rule with a NAT relationship between HostC and HostA, and a network rule with a route relationship between HostD and HostA+HostB.
So only requests from HostC to HostA will be NAT-ed, and requests from HostD to HostA and from HostD to HostB will be routed (the original source IP addresses will be preserved).
And you can use an access rule to allow traffic from HostA to HostD or from HostB to HostD, which can help with certain traffic, say ping, which cannot be "published".

As you can see from the above, with NAT rules and access rules we cannot specify which IP address on ISA's adapter is used for NAT when the translation takes place; the first one on the NIC will be used. I don't know if IPbinder (http://www.collectivesoftware.com/Products/IPbinder) may help in your situation (I did not try that).

Adrian

< Message edited by adimcev -- 12.Nov.2008 12:01:57 PM >


_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 15
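A small model of the ISAMain network-rule behaviour described in the post above (one-way NAT to the first IP on the internal NIC versus a symmetric route relationship, and the "general" rule versus per-host rules), added here as an example; it is not code from the thread or from ISA Server, and the addresses, the `net` helper and the rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology following the sketch in the post; all addresses are assumptions.
# (HostC/HostD) Internal --- ISABranch ---- VPN tunnel ---- ISAMain --- Internal (HostA/HostB)
HOSTS = {"HostA": "10.1.0.10", "HostB": "10.1.0.11", "HostC": "10.2.0.10", "HostD": "10.2.0.11"}
MAIN_INTERNAL = ipaddress.ip_network("10.1.0.0/24")   # ISAMain's Internal Network
BRANCH = ipaddress.ip_network("10.2.0.0/24")          # remote site "Branch" as ISAMain sees it
ISAMAIN_INTERNAL_NIC = ["10.1.0.1", "10.1.0.2"]       # the first address is the one NAT uses

def net(name):
    """Hypothetical helper: turn a host name (or CIDR string) into an ip_network."""
    return ipaddress.ip_network(HOSTS.get(name, name))

@dataclass
class NetworkRule:
    name: str
    sources: list        # source networks of the ISA network rule
    dests: list          # destination networks
    relationship: str    # "NAT" (one-way, order matters) or "Route" (symmetric)

def _hit(nets, ip):
    return any(ip in n for n in nets)

def source_seen_by_dest(rules, src_host, dst_host):
    """Return (rule name, source IP the destination host sees), or None when no network
    rule covers that direction (the reverse of a NAT rule needs a publishing rule)."""
    src, dst = ipaddress.ip_address(HOSTS[src_host]), ipaddress.ip_address(HOSTS[dst_host])
    for r in rules:
        if _hit(r.sources, src) and _hit(r.dests, dst):
            # NAT: ISAMain rewrites the source to the first IP on its internal NIC
            seen = ISAMAIN_INTERNAL_NIC[0] if r.relationship == "NAT" else str(src)
            return r.name, seen
        if r.relationship == "Route" and _hit(r.dests, src) and _hit(r.sources, dst):
            return r.name, str(src)   # a route relationship applies in both directions
    return None

# The "general" rule from the post: NAT from Branch to the Internal Network.
GENERAL = [NetworkRule("Branch->Internal", [BRANCH], [MAIN_INTERNAL], "NAT")]

# The per-host alternative: only HostC->HostA is NAT-ed; HostD<->HostA/HostB is routed.
PER_HOST = [
    NetworkRule("HostC->HostA", [net("HostC")], [net("HostA")], "NAT"),
    NetworkRule("HostD<->HostA,HostB", [net("HostD")], [net("HostA"), net("HostB")], "Route"),
]

if __name__ == "__main__":
    for rules in (GENERAL, PER_HOST):
        for s, d in [("HostC", "HostA"), ("HostD", "HostB"), ("HostA", "HostC"), ("HostB", "HostD")]:
            print(f"{s}->{d}: {source_seen_by_dest(rules, s, d)}")
```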
RE: Make Web Site request look like its coming from mai... - 12.Nov.2008 8:49:59 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

Thank you very much!

I forgot where I put the baseball bat :)

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 16
RE: Make Web Site request look like its coming from mai... - 12.Nov.2008 12:07:15 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Hi Tom,
Thanks!
I've edited the above post as I made a small mistake (I just italicized it, as I could not find the strikethrough).

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 17
RE: Make Web Site request look like its coming from mai... - 15.Nov.2008 7:00:15 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

No problem.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 18