I have an ISA Server 2004 machine that has two external IP addresses. These addresses are not on the same physical NIC; they are on two different NICs. I will call them NIC1 and NIC2. The IP addresses are on the same subnet. Originally, the machine only had one external IP assigned to NIC1. Recently, NIC2 was added. The problem is I must have a default gateway assigned to NIC2 in order to surf the web. (And traffic goes out over NIC2.) When I remove the default gateway from NIC2 I get a proxy chain loop error. I would like to remove the default gateway from NIC2 and only use it for incoming traffic. I would like outgoing traffic to go out over NIC1 as it did before NIC2 was added. I am not trying to do anything fancy like load balancing or high availability. I understand that ISA does not support multiple external interfaces, but it does allow you to route incoming traffic based on the specific external IP the traffic came in on (so there is some support). It just seems that it is not supported or very configurable on the outgoing side. In troubleshooting this issue I have disabled NIC2 and assigned its IP address as an additional address on NIC1 (and everything works as expected). BUT I am looking for a way to remove this additional IP from NIC1 and make it the primary IP on NIC2.
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Steve,
there's no difference between using an additional NIC or just one with two IPs. The traffic load will affect the same server, the ISA firewall in this case. In addition, as you mentioned, ISA does not support multiple gateways.
Is there any particular reason (that you can think of) that would allow it to work when both IPs are on NIC1 but would get a "proxy loop error" when the IPs are on 2 different NICs? If I remove the default gateway from NIC2 the system will not go on the web, even though there is a gateway on NIC1... Any additional thoughts?
Hi Steve,
if you take a look at the routing table, you will notice that each interface has its own route configured to go somewhere. The route print command will show which interface has a default gateway associated with it.
Meaning that each NIC will know its way out, even though both NICs are on the same subnet, but one of them will only work on its local subnet (no default gateway).
Like I said, use both (or more) IPs on the same NIC, if they are on the same subnet.
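The configuration the reply above recommends (one external NIC carrying both public addresses, the second NIC left without a default gateway) and the route print check it mentions, written out as an added example for the cmd prompt on Windows Server 2003. This is not from the thread; the interface names NIC1 and NIC2 come from the original post, while the addresses 203.0.113.10, 203.0.113.11 and the gateway 203.0.113.1 are placeholders from the RFC 5737 documentation range and must be replaced with the real ones.

```batch
@echo off
rem Added example, not from the thread. Assumes the connection names NIC1 and
rem NIC2 and placeholder addresses 203.0.113.10/11 with gateway 203.0.113.1.

rem --- Problem state the thread describes ---------------------------------
rem Both NICs sit on the same /24 and each carries its own default gateway,
rem so the routing table ends up with two competing 0.0.0.0/0 routes and
rem outbound traffic can leave via NIC2 instead of NIC1. Shown here only as
rem a comment so the script does not recreate it:
rem   netsh interface ip set address name="NIC2" source=static addr=203.0.113.11 mask=255.255.255.0 gateway=203.0.113.1 gwmetric=1

rem --- Recommended state ----------------------------------------------------
rem 1. NIC1 keeps the primary address and is the only interface with a
rem    default gateway.
netsh interface ip set address name="NIC1" source=static addr=203.0.113.10 mask=255.255.255.0 gateway=203.0.113.1 gwmetric=1

rem 2. Take the second public address off NIC2 and disable the interface so
rem    the address is free to move (an address cannot live on both NICs).
netsh interface ip set address name="NIC2" source=dhcp
netsh interface set interface name="NIC2" admin=disabled

rem 3. Add the second public address as a secondary address on NIC1. ISA's
rem    web publishing listener can still bind to this address specifically.
netsh interface ip add address name="NIC1" addr=203.0.113.11 mask=255.255.255.0

rem --- Check ----------------------------------------------------------------
rem Exactly one default route should remain and its interface column should
rem be NIC1's primary address (203.0.113.10). More than one line here means a
rem second default gateway is still configured somewhere.
echo Default route(s) in the routing table:
route print | findstr /R /C:"^ *0\.0\.0\.0 "
```

After running this, the 0.0.0.0 line from route print should list 203.0.113.1 as the gateway and 203.0.113.10 as the interface; if NIC2 later has to be re-enabled for some other purpose, give it its address with gateway=none so it cannot attract outbound traffic again.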
The problem is I must have a default gateway assigned to NIC2 in order to surf the web. (And traffic goes out over NIC2). When I remove the default gateway from NIC2 I get a proxy chain loop error.
Steve says that the traffic is going out NIC2. And as we already know, ISA only chooses one IP for all its outbound.
I have some additional information, for what it's worth: I put the IPs back on two separate NICs but programmed the subnet mask on NIC2 to 255.255.255.252. This also seems to fix the issue. The address on NIC1 is no longer in the host address range of NIC2. In addition, the default gateway is beyond the host address range of NIC2.
Coincidentally, the reason I want to have these IPs on 2 different NICs is because one of the sites hosted on this machine is very busy. The people using the other site have complained about speed so we thought we could split the traffic between 2 physical NICs. (The other solution I have in mind is to replace the 10/100 NICs with a gigabit NIC...)
Hi Steve,
you just subnetted your IP range. This will not be supported by Microsoft.
First point, about the website: is this hosted on the ISA firewall itself? If so, you should remove it. It is bad practice to install other roles on your firewall.
Second point: is this website accessible through the LAN only? If not, a gigabit NIC will make no difference, unless your company and your clients are both using gigabit connections.
Third point: it is meaningless to split the traffic, since the machine receiving this traffic is still the same, the ISA firewall. Unless you have specialized NICs installed with a dedicated processor to handle the traffic load.
My conclusion here is to either add a dedicated ISA firewall intended for publishing only, or use only one NIC with multiple (secondary) IPs.
What you're trying to accomplish seems a little backwards. Have you taken a look at the NIC while it's at its busiest time frame? Does it constantly show 100% usage when the web server is at its busy time? If so, then yeah, you would benefit from having a Gig card installed. By design ISA is meant to work with only one external NIC, but multiple internal NICs.
The other solution to this problem would be to separate Web servers and ISA from the regular business portion of the lan. Meaning,
ISP > Switch > ISA (for web servers) + different ISA for client LAN
That way the ISA server for your internal clients is never bogged down by IP traffic meant for the web servers you host!