
Welcome to ISAserver.org


SPECIAL ACCESS FOR VIP USERS

All Forums >> [ISA 2006 Firewall] >> Access Policies >> SPECIAL ACCESS FOR VIP USERS Page: [1]
SPECIAL ACCESS FOR VIP USERS - 25.Apr.2010 5:20:58 AM   
andolmez

 

Hello dears,

I have been deploying an ISA 2006 for a few months and now have a new issue to solve, but I have not been able to find a good solution for it.

Recently I got two Internet connections through two different routers.
I would like to send traffic from normal users to one of these routers and VIP users' traffic to the other router.

I have tested different ways to do it, but none of them worked for me.

Please, do you have any idea or procedure to solve this issue?

Thanks in advance.
Post #: 1
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 9:14:10 AM   
pwindell

 

From: Taylorville, IL
Never gonna happen.

_____________________________

Phillip Windell

(in reply to andolmez)
Post #: 2
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 9:18:53 AM   
andolmez

 

Excuse me, but I don't understand your post.

Do you mean that there is no easy solution for this need?

(in reply to pwindell)
Post #: 3
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 10:03:23 AM   
pwindell

 

1. ISA cannot use two Internet connections

2. ISA is not a policy-based router or a source-based router,...even if it were to use two internet connections.

_____________________________

Phillip Windell

(in reply to andolmez)
Post #: 4
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 10:40:06 AM   
andolmez

 

Thanks a lot Phillip,

In fact, I have deployed an ISA as a secondary firewall behind a non-Microsoft firewall.
The first-level firewall is connected to two Internet routers.

I thought that in ISA you can have several network interfaces, so it should be possible to deploy the following setup:
- one for external traffic
- one for internal (normal) traffic
- one for InternalVIP (special) traffic

I also think I can prepare a GPO in AD for VIP users to do several things:
- use a special IP range in the normal network
- apply a default route pointing to the ISA interface named "InternalVIP"

After that:
Theoretically, I can create a new firewall rule (or rules) where the source is "InternalVIP" and the destination is External.
Also, in the first-level firewall I can redirect that traffic to the secondary ISP connection.

But this is only a paper idea right now.
Do you think it is possible to deploy and run?

Thanks again.

P.S.: in the past, using basic iptables rules on a Linux box, I was able to apply QoS and redirection rules based on source subnet and destination. I was thinking ISA was more powerful than iptables in this respect. That is perhaps the reason I am so confused.

(in reply to pwindell)
Post #: 5
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 2:00:40 PM   
pwindell

 

> In fact, I have deployed an ISA as a secondary firewall behind a non-Microsoft firewall.
> The first-level firewall is connected to two Internet routers.

Then this whole discussion has no meaning. To the ISA there is only ONE connection to the Internet, and that connection is the other firewall.

ISA has no concept of, does not see, and does not care what happens on the opposite (external) side of the non-Microsoft firewall.

No, you cannot add another NIC to the internal side of the ISA, because you can't have two NICs in the same subnet.

No, an "address range" is not a "network", and cannot be treated like one.

There is no "redirect" mechanism in the context you speak of; there is no such thing, it does not exist.

ISA is not Linux and is not iptables. ISA is a proxy-based firewall; iptables is an IP router application that is capable of using NAT and behaving as a NAT-based firewall. Two different "worlds", two different things.

_____________________________

Phillip Windell

(in reply to andolmez)
Post #: 6
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 3:01:42 PM   
andolmez

 

Thank you very much Phillip,

Perhaps I didn't explain the idea very well and we are mixing up options.

There were two possibilities:
- If ISA allowed TWO Internet interfaces, then we could use one of the proposed options. But as you said, ISA doesn't work with TWO Internet connections, so we can forget this option.

- On the other hand, if ISA can use TWO INTERNAL interfaces (with different subnets), I was thinking of NATing traffic whose source was the InternalVIP interface (or subnet) to the other firewall. In this way the other firewall would be able to identify traffic from VIP users (due to the NAT done in ISA) and then re-route that traffic wherever.

But I understand what you say, and I think ISA could be useful/easy in this case more for proxy purposes than for other issues.

Again, thanks a lot for your help.

Regards

(in reply to pwindell)
Post #: 7
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 3:10:53 PM   
pwindell

 

> - On the other hand, if ISA can use TWO INTERNAL interfaces (with different subnets),

Yes, that you can do.

> I was thinking of NATing traffic whose source was the InternalVIP interface (or subnet) to the other firewall.

No. You cannot.

> In this way the other firewall would be able to identify traffic from VIP users (due to the NAT done in ISA) and then re-route that traffic wherever.

No, the other firewall will not be able to identify it, due to the NAT.

_____________________________

Phillip Windell

(in reply to andolmez)
Post #: 8
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 3:30:58 PM   
andolmez

 

Sorry...

I just want to say:

"I was thinking of NOT NATing traffic whose source was the InternalVIP interface (or subnet) to the other firewall."

In this way the other firewall should be able to identify normal traffic (NATed) and VIP traffic (NOT NATed, but always from a specific subnet, as you know [three octets]).

Is that OK now? :-)

(in reply to pwindell)
Post #: 9
RE: SPECIAL ACCESS FOR VIP USERS - 27.Apr.2010 4:21:33 PM   
pwindell

 

Well, if we look back at the goal generically, you simply have a group of sources that you want to take a different path out to the Internet, and you want the decision based on the identity of the source.

The only way to do that with ISA is to either run two ISAs, or not use ISA at all. With two ISAs (or any two firewalls) you simply configure one group of sources to use a different firewall than the others.

If you had a LAN routing device that could do source routing or policy-based routing, then that would be "hit" first, and it would send to one firewall or the other according to whatever criteria you dictate.

There is no way to have ISA make those decisions or perform those actions; it is not possible, the ability does not exist. As I first said, "never gonna happen".

_____________________________

Phillip Windell

(in reply to andolmez)
Post #: 10
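The "LAN routing device that could do source routing or policy-based routing" described in the reply above, and the iptables-style source-subnet routing andolmez mentions in post #5, as an added example that is not from this thread or from either poster: a Linux box in front of the two firewalls that uses iproute2 rules and a second routing table so the VIP subnet leaves through one gateway and everyone else through the other. The interface names, addresses, subnets and table number are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): source-based / policy-based routing on a
# Linux box in front of the two firewalls, using iproute2 rules and a second
# routing table. Names, addresses and the table number below are ASSUMPTIONS
# chosen for the example; replace them with your own.
#
# Assumed topology of the routing box:
#   eth0  10.0.0.1/24      normal-user LAN
#   eth1  10.0.10.1/24     VIP LAN
#   eth2  203.0.113.2/24   uplink to firewall/ISP router A (normal users)
#   eth3  198.51.100.2/24  uplink to firewall/ISP router B (VIP users)

IF_NORMAL_UPLINK=eth2
GW_NORMAL=203.0.113.1
IF_VIP_UPLINK=eth3
GW_VIP=198.51.100.1
VIP_NET=10.0.10.0/24        # source subnet that must leave via router B
INTERNAL_AGG=10.0.0.0/8     # all internal destinations stay on the main table
VIP_TABLE=100               # extra routing table id (1-252 are free for local use)

# Dotted-quad IPv4 address -> 32-bit integer (pure POSIX sh, no external tools).
# Runs in a subshell so the IFS change does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# ip_in_subnet ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX.
# Mirrors the "from PREFIX" match that `ip rule` performs on the source address.
ip_in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Which routing table the kernel will consult for an Internet-bound packet from
# SRC, given the rules installed by pbr_commands below: the VIP table or "main".
pbr_table_for() {
    if ip_in_subnet "$1" "$VIP_NET"; then echo "$VIP_TABLE"; else echo main; fi
}

# Print the commands that implement the policy. Order matters: the rule for
# internal destinations (priority 50) is checked before the VIP rule (priority
# 100); otherwise VIP -> normal-LAN traffic would also be pushed out via router B,
# because table 100 only contains a default route.
pbr_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route add default via $GW_VIP dev $IF_VIP_UPLINK table $VIP_TABLE
ip rule add to $INTERNAL_AGG lookup main priority 50
ip rule add from $VIP_NET lookup $VIP_TABLE priority 100
ip route replace default via $GW_NORMAL dev $IF_NORMAL_UPLINK
sysctl -w net.ipv4.conf.$IF_NORMAL_UPLINK.rp_filter=2
sysctl -w net.ipv4.conf.$IF_VIP_UPLINK.rp_filter=2
ip route flush cache
EOF
}

# Apply the policy (needs root and the interfaces above).
pbr_apply() {
    pbr_commands | sh -e
}

# Ask the kernel which path a packet from SRC arriving on IIF to DST would take,
# e.g. pbr_verify 10.0.10.7 eth1 192.0.2.1  -> expect "via 198.51.100.1 dev eth3".
pbr_verify() {
    ip route get "$3" from "$1" iif "$2"
}

# Usage: ./pbr.sh [show|apply|verify SRC IIF DST]; "show" only prints the commands.
case "${1:-show}" in
    apply)  pbr_apply ;;
    verify) pbr_verify "$2" "$3" "$4" ;;
    *)      pbr_commands ;;
esac
```

Two practical notes. First, rp_filter is set to 2 (loose mode) on both uplinks because with two default gateways the reverse-path check in strict mode can drop legitimate return traffic; the kernel uses the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so check the "all" setting too. Second, this box has to sit where the clients' real source addresses are still visible, which is Phillip's point: once a proxy or NAT device such as ISA has rewritten the source, nothing upstream can tell a VIP packet from a normal one.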
RE: SPECIAL ACCESS FOR VIP USERS - 28.Apr.2010 2:30:47 AM   
andolmez

 

Hello Phillip,

I was trying to avoid using TWO parallel ISAs as the second-level firewall system, and I need to keep the first level with another non-ISA firewall (customer conditions...).

Anyway, I will test an alternative solution and report here if it works.

Thanks a lot for your help.

Regards

(in reply to pwindell)
Post #: 11
