2 ISA servers

2 ISA servers - 6.May2009 6:18:01 PM   
yba02

 

Posts: 128
Joined: 7.Sep.2006
Status: offline
Hi,
Currently, we have a Windows 2003 AD-based environment that includes:
Exchange 2003, ISA 2004 and Citrix.  Exchange and Citrix are published through ISA and everything works fine.
The line we have attached to ISA is an ADSL line that allows external users an average throughput of 25 kB/second.  This is fairly low but prices are too high in this part of the world.  For me, Citrix matters more than Exchange as a 10 minute delayed message will not make much difference when compared to the latency a remote Citrix user faces when viewing a report on a published application.  Thus, I came up with a solution in mind and need to know if it is applicable.  P. S. For those not familiar with Citrix, the above really does not matter much.  The core of the inquiry is irrelevant to what we have.
I plan to introduce another ISA 2004 in the network.  The roles of ISA servers in the new configuration shall be as follows:
Current ISA server:
1 - Publishing interface (receiving remote connections).
2 - Reply only to Citrix connection.

New ISA:
1 - Proxy for users to browse internet and download.
2 - Reply to Exchange inquiries.

All of this post is about the underlined point above.
I need to configure Exchange to establish incoming connections on the current ISA server (on which the public IP is configured).  However, Exchange shall send all emails through the new ISA.  Thus, the upload bandwidth available on the current ISA will be fully dedicated to Citrix.
Is this possible to do?

Thanks
Yba
Post #: 1
RE: 2 ISA servers - 6.May2009 6:38:21 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
So, are you suggesting having two "exits" from your network? If so, you will essentially have two default gateways to the Internet? Yes?

If so, this is possible, but you will need to define a different gateway on different servers to route the traffic as intended. With this done, you will just need to make sure that connections that arrive from one ISA are returned to the same ISA, and not back out the wrong ISA. 

For web publishing this should be fine as the source IP will be ISA, but for server publishing rules you will need to enable the "connections appears to come from ISA" to ensure the traffic is returned to ISA and not the original client address which may be accessible by the "other" wrong ISA gateway.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to yba02)
Post #: 2
RE: 2 ISA servers - 6.May2009 7:06:35 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
A Windows Server license & an ISA server license is cheaper than upgrading your Internet connection?

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to Jason Jones)
Post #: 3
RE: 2 ISA servers - 6.May2009 9:56:27 PM   
yba02

 

Posts: 128
Joined: 7.Sep.2006
Status: offline
Hi,
[[[So, are you suggesting having two "exits" from your network? If so, you will essentially have two default gateways to the Internet? Yes? ]]]
YES, that is correct, two default gateways.  BUT, every single machine in my network will use the same gateway, the new ISA, except  Citrix and current ISA.  These will be the only machines that shall use the current ISA as the default gateway.
[[[…connections that arrive from one ISA are returned to the same ISA, and not back out the wrong ISA.]]]  That is exactly what I want to reverse.  I want Exchange to receive connections from one ISA (current ISA) and send connection back through the other ISA (new ISA.)  That is the way I intend to dedicate sending from current ISA to Citrix.

I wonder if defining the new ISA's internal IP in Exchange network properties as the default gateway as well as (in the publishing rules) making connections appear to come from the client not the current ISA, will do the thing.
This way, a client will contact the current ISA, current ISA will verify the package and forward the connection to Exchange.  The package includes (connection appears to come from the client).  Thus, Exchange will care only to send back to the client.  To do so, it will check its default gateway to find it the new ISA and sends the reply to the client through it.
It looks fine in theory but I am not sure if it might work in practice.  Any thoughts?

Thanks
Yba

(in reply to Jason Jones)
Post #: 4
RE: 2 ISA servers - 7.May2009 7:36:56 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
If the connection comes in from ISA1, then the reply from Exchange must go back out through ISA1; that's how stateful filtering works. Stateful means that the firewall remembers the state of the connection in terms of the original request and the associated response/reply. This prevents having to create specific inbound and outbound policies for requests and replies.

If the reply goes out through ISA2, ISA2 will see the packet as a reply to a previous conversation and have no information about the incoming request; hence it will deny/drop the packet.

I think the best that you can do is to define the required default gateway on individual machines to decide which ISA handles the request. However, inbound requests and associated replies will need to be persistent to the same ISA server.

Maybe I am confused about what you need?

Cheers

JJ 

< Message edited by Jason Jones -- 7.May2009 7:38:50 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to yba02)
Post #: 5
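
The behaviour described in posts 2 and 5, as an added example that is not part of the original thread and is not ISA Server code: a toy model of two stateful firewalls showing where a reply is routed and whether it is allowed. The addresses, class and function names are hypothetical, and it assumes Exchange and both firewalls share one internal subnet.

```python
# Added illustration: toy model of two stateful firewalls (not ISA Server code).
# All addresses below are constructed sample values.
from dataclasses import dataclass, field

CLIENT = ("203.0.113.10", 40000)   # external client (constructed)
EXCHANGE = ("10.0.0.25", 25)       # published internal server (constructed)

@dataclass
class StatefulFirewall:
    name: str
    internal_ip: str
    state: set = field(default_factory=set)  # (src, dst) flows forwarded inbound

    def publish_inbound(self, src, dst, appear_from_firewall):
        """Forward a new inbound connection to dst and record its state."""
        # With "appear to come from the firewall", the server sees the
        # firewall's internal address instead of the client's address.
        seen_src = (self.internal_ip, src[1]) if appear_from_firewall else src
        self.state.add((seen_src, dst))
        return seen_src

    def handle_reply(self, src, dst):
        """Allow a reply only if it reverses a flow this firewall recorded."""
        return "ALLOW" if (dst, src) in self.state else "DROP"

def route_reply(dst_ip, default_gw, firewalls):
    """Server routing: on-link destinations go direct, others via the default gateway."""
    for fw in firewalls:
        if fw.internal_ip == dst_ip:
            return fw
    return default_gw

def simulate(appear_from_firewall, exchange_default_gw_name):
    """Connection arrives via ISA1; return (firewall the reply reaches, verdict)."""
    isa1 = StatefulFirewall("ISA1", "10.0.0.1")
    isa2 = StatefulFirewall("ISA2", "10.0.0.2")
    gw = {"ISA1": isa1, "ISA2": isa2}[exchange_default_gw_name]
    seen_src = isa1.publish_inbound(CLIENT, EXCHANGE, appear_from_firewall)
    egress = route_reply(seen_src[0], gw, [isa1, isa2])
    return egress.name, egress.handle_reply(EXCHANGE, seen_src)

if __name__ == "__main__":
    for nat in (False, True):
        for gw_name in ("ISA1", "ISA2"):
            print(f"appear_from_firewall={nat} default_gw={gw_name} ->",
                  simulate(nat, gw_name))
```

The only dropped case is the one proposed in post 4: the client address is preserved and Exchange's default gateway is the second firewall, which holds no state for the flow.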
RE: 2 ISA servers - 7.May2009 9:14:10 AM   
yba02

 

Posts: 128
Joined: 7.Sep.2006
Status: offline
No you are not.
You have told me that my plan, which you seem to have clearly understood, is not possible.

Then my whole scheme is not applicable and thus no need for the other ISA.  However, I have learned quite good stuff in these couple of  posts.

Thanks Jason
Yba

(in reply to Jason Jones)
Post #: 6
