SPECIAL ACCESS FOR VIP USERS (Full Version)






andolmez -> SPECIAL ACCESS FOR VIP USERS (25.Apr.2010 5:20:58 AM)

Hello dears,

I have been deploying an ISA 2006 for a few months and now have a new issue to solve, but I have not been able to find a good solution for it.

Recently I got two Internet connections through two different routers.
I would like to send normal users' traffic through one of these routers and VIP users' traffic through the other router.

I tested different ways to do it, but none of them worked for me.

Do you have any idea or procedure to solve this issue?

Thanks in advance.




pwindell -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 9:14:10 AM)

Never gonna happen.




andolmez -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 9:18:53 AM)

Excuse me, but I don't understand your post.

Do you mean that there is no easy solution for this need?




pwindell -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 10:03:23 AM)

1. ISA cannot use two Internet connections

2. ISA is not a policy-based router or a source-based router,...even if it were to use two internet connections.




andolmez -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 10:40:06 AM)

Thanks a lot, Phillip.

In fact, I have deployed the ISA as a secondary firewall behind a non-Microsoft firewall.
The first-level firewall is connected to two Internet routers.

I thought that in ISA you can have several network interfaces, so it should be possible to deploy the following setup:
- one for External traffic
- one for Internal (normal) traffic
- one for InternalVIP (special) traffic

Also, I think I can prepare a GPO in AD for VIP users that does several things:
- uses a special IP range within the normal network
- applies a default route pointing to the ISA interface named "InternalVIP"

After that:
Theoretically, I can create a new firewall rule (or rules) whose source is "InternalVIP" and whose destination is External.
Also, in the first-level firewall I can redirect that traffic to the secondary ISP connection.

But this is only a paper idea right now.
Do you think it is possible to deploy and run?

Thanks again.

P.S.: in the past, using basic iptables rules on a Linux box, I was able to apply QoS and redirection rules based on source subnet and destination. I was thinking ISA was more powerful than iptables in this area. That is perhaps the reason I am so confused.




pwindell -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 2:00:40 PM)

In fact, I have deployed the ISA as a secondary firewall behind a non-Microsoft firewall.
The first-level firewall is connected to two Internet routers.


Then this whole discussion has no meaning.  To the ISA there is only ONE connection to the Internet,...and the connection is the other firewall.

ISA has no concept,...does not see,...and does not care,...what happens on the opposite side (external side) of the non-microsoft firewall.

No, you cannot add another NIC to the internal side of the ISA, because you can't have two NICs in the same subnet.

No, an "address range" is not a "network", and cannot be treated like one.

There is no "redirect" mechanism in the context that you speak,...there is no such thing,...it does not exist.

ISA is not Linux and is not iptables.  ISA is a proxy-based firewall,...iptables is an IP router application that is capable of using NAT and behaving as a NAT-based firewall.  Two different "worlds",...two different things.




andolmez -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 3:01:42 PM)

Thank you very much, Phillip.

Perhaps I didn't explain the idea very well and we are mixing options.

There were two possibilities:
- If ISA allowed TWO Internet interfaces, then we could use one of the proposed options. But as you said, ISA doesn't work with TWO Internet connections, so we can forget this option.

- On the other hand, if ISA can use TWO INTERNAL interfaces (with different subnets), I was thinking of NATting traffic whose source was the InternalVIP interface (or subnet) towards the other firewall. In this way the other firewall would be able to identify traffic from VIP users (due to that NAT done in ISA) and then re-route that traffic wherever.

But I understand what you say, and I think ISA could be useful/easy in this case more for proxy purposes than for other issues.

Again, thanks a lot for your help.

Regards




pwindell -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 3:10:53 PM)

- On the other hand, if ISA can use TWO INTERNAL interfaces (with different subnets),

Yes,...that you can do.

I was thinking of NATting traffic whose source was the InternalVIP interface (or subnet) towards the other firewall.

No.  You cannot.

In this way the other firewall would be able to identify traffic from VIP users (due to that NAT done in ISA) and then re-route that traffic wherever.

No, the other firewall will not be able to identify it,...due to the NAT.




andolmez -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 3:30:58 PM)

Sorry...

I just want to say:

"I was thinking of NOT NATting traffic whose source was the InternalVIP interface (or subnet) towards the other firewall."

In this way the other firewall must be able to identify normal traffic (NATted) and VIP traffic (NOT NATted, but always with a specific subnet, as you know [three octets]).

Is that ok now? :-)




pwindell -> RE: SPECIAL ACCESS FOR VIP USERS (27.Apr.2010 4:21:33 PM)

Well, if we look back at the goal generically,...you simply have a group of sources that you want to take a different path out to the Internet, and you want the decision based on the identity of the source.

The only way to do that with ISA is to either run two ISAs,...or not use ISA at all.  With two ISAs (or two of any firewall) you simply configure one group of sources to use a different firewall than the others.

If you had a LAN routing device that could do source routing or policy-based routing, then that would be "hit" first,...then it would send to one firewall or the other firewall according to whatever the criteria dictate.

There is no way to have ISA make those decisions or perform those actions; it is not possible, the ability does not exist,...as I first said,..."never gonna happen".

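The layout described in the post above (a LAN routing device in front of two firewalls, picking the outbound firewall by source address) is exactly what Linux policy-based routing does with iproute2, which fits the poster's earlier mention of a Linux/iptables box. The following is an added example, not code from this thread or from any ISA feature; the addresses, the interface name, the table id and the rule priority are all assumed for illustration. Besides emitting the `ip rule`/`ip route` commands, it models the same decision offline so the intended policy can be sanity-checked before touching a live router.

```shell
#!/bin/sh
# Added example: policy-based routing (PBR) on a Linux LAN router placed
# in front of two separate firewalls. Not from the thread; all addresses,
# the interface name and the table id are hypothetical:
#   LAN behind the router ......... 192.0.2.0/24 (router is 192.0.2.1)
#   VIP hosts ..................... 192.0.2.128/25 (upper half of the LAN)
#   Firewall A (normal users) ..... 198.51.100.1
#   Firewall B (VIP users) ........ 198.51.100.2
# Each firewall does its own NAT, so replies come back through the firewall
# that forwarded the request; the router only picks the outbound next hop
# per source address.
set -eu

VIP_NET="${VIP_NET:-192.0.2.128/25}"
FW_NORMAL="${FW_NORMAL:-198.51.100.1}"
FW_VIP="${FW_VIP:-198.51.100.2}"
VIP_TABLE="${VIP_TABLE:-100}"   # extra routing table id (check /etc/iproute2/rt_tables for clashes)
VIP_PRIO="${VIP_PRIO:-1000}"    # rule priority; lower wins, the main table sits at 32766
LAN_IF="${LAN_IF:-eth0}"        # LAN-facing interface of the router (assumed name)

# Emit the iproute2 commands that implement the policy (nothing is executed here).
pbr_commands() {
    # Main table: everybody goes to firewall A by default.
    echo "ip route replace default via $FW_NORMAL"
    # A second table whose only job is to point at firewall B.
    echo "ip route replace default via $FW_VIP table $VIP_TABLE"
    # Selector: packets *sourced* from the VIP subnet consult the VIP table
    # before the main table. This is the source-based routing step.
    echo "ip rule add from $VIP_NET lookup $VIP_TABLE priority $VIP_PRIO"
    # Older kernels cache route decisions; flush so existing flows re-evaluate.
    echo "ip route flush cache"
}

# Command an operator runs afterwards to confirm the kernel's decision for a
# given source address (the output names the gateway actually chosen).
pbr_check_command() {
    echo "ip route get 203.0.113.10 from $1 iif $LAN_IF"
}

# Apply the policy on a real router (needs root; not run by default).
apply_pbr() {
    pbr_commands | sh -ex
}

# --- Offline model of the same decision, for checking the policy without a
# --- live system.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR: succeed if ADDR falls inside CIDR.
in_subnet() {
    net="${2%/*}"
    bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# next_hop_for ADDR: gateway the rules above select for traffic from ADDR.
# Mirrors the rule order: the VIP rule is evaluated first, then the main table.
next_hop_for() {
    if in_subnet "$1" "$VIP_NET"; then
        echo "$FW_VIP"
    else
        echo "$FW_NORMAL"
    fi
}

# Stand-alone run: print the commands and the decision for two sample hosts.
if [ "${1:-}" = "--show" ]; then
    pbr_commands
    for h in 192.0.2.10 192.0.2.130; do
        echo "# $h -> $(next_hop_for "$h")"
    done
fi
```

Two caveats a practitioner would want. First, "VIP" here means nothing more than "source address inside 192.0.2.128/25": any host that assigns itself an address in that range gets the VIP path, so the address assignment has to be enforced (static addresses or DHCP reservations plus switch-side controls), which is the same limitation the thread runs into with an "address range" standing in for an identity. Second, `ip rule` and the extra table are not persistent; re-apply them at boot (distribution network scripts or a dispatcher hook), and verify after any change with the `ip route get ... from ... iif ...` command that `pbr_check_command` prints.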



andolmez -> RE: SPECIAL ACCESS FOR VIP USERS (28.Apr.2010 2:30:47 AM)

Hello Phillip,

I was trying to avoid using TWO parallel ISAs as the second-level firewall system, and I need to keep the first level on a non-ISA firewall (customer conditions...).

Anyway, I will test an alternative solution and will report here if it works.

Thanks a lot for your help.

Regards



