RE: multiple external network segments - 30.Sep.2005 2:36:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Entigra,
quote: The question was: is there any other software besides ISA (get ISA out of your head for 1 second - think out of the box) that supports multiple default gateways? I don't care if it's application or hardware based!
Yes, check out RainConnect from http://www.rainfinity.com.
quote: Packet filters:
1. Publish servers on a perimeter network
2. Run applications or other services on the ISA Server computer
3. Allow outgoing traffic from the ISA server
4. Allow access to protocols that are not based on the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)
This is all done now with access and/or publishing rules:
1. Access or server publishing rule, depending on the relationship defined between the External and the Perimeter network.
2 & 3. Access rules with localhost as source (outbound) or destination (inbound) network.
4. All IP protocols are supported if the relationship is routed. In a NATed environment you mostly need a proper NAT editor (or application filter).
quote: Site and content rules - Seems everything has been lumped into access rules. That can't even give you a good overview of how the system is configured.
In ISA 2000 you have protocol rules and site & content rules. The big problem was that there was no binding between the protocol rules and the site & content rules, and this makes granular access control nearly impossible. So ISA 2004 follows a more common concept with access rules, where you define source, destination, protocol, content, etc.
HTH, Stefaan
RE: multiple external network segments - 30.Sep.2005 3:10:00 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Does RainConnect actually support multiple default gateways? I always thought it was an OS limitation and not an ISA limitation.
I was under the impression RainConnect does it differently than using multiple default gateways.
RE: multiple external network segments - 1.Oct.2005 11:17:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi LLigetfa,
As far as I know it is indeed an OS limitation. How RainConnect fixes that *exactly*, I don't know because I've no experience with RainConnect yet. However, from reading the docs it seems that only a default gateway must be configured on the primary external interface. For the secondary external interfaces, some NAT technique is used.
In other words, it sounds as if only the primary interface is 'transparent'. Therefore, I think that if no RainConnect NAT editor exists for a particular protocol, you can only route that traffic through the primary external interface. Also, for inbound traffic, a special DNS agent authoritative for your domains must be used. That DNS agent hands out the DNS responses with a very short TTL value.
So, it sounds as if it only appears that multiple default gateways are supported.
HTH, Stefaan
RE: multiple external network segments - 1.Oct.2005 9:17:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Hi all,
As an aside, it seems to me that the term "multiple default gateways" is a non sequitur. If we use the term "gateway of last resort," it makes more sense, because that's what it means on the Windows platform: you can't have more than one "last resort."
HTH,
Bill
RE: multiple external network segments - 6.Oct.2005 4:37:00 AM
Guest
Hi
There are no real networking/gateway limitations, just routing tables and priorities... you can have a dozen different gateways and switch them every second if you like.
Gateway of last resort is used when a router does not know the destination of the packet it has received.
If a gateway of last resort has not been set and the destination network cannot be found in the routing table, then the packet will be discarded.
This is Layer 3 routing. You're always best served by having one default gateway, and letting a Layer 3 device (or devices: router, firewall, something) do longest-prefix matching decisions for you.
My answers lie in routing: traffic segregation by protocol and destination through multiple incoming and outgoing lines.
E.g. to route all POP3 (110) traffic through line one and all SMTP (25) traffic through line two.
Getting used to ISA 2004 now. Not as bad as I thought.
Not going to replace the 2000 box just yet.
Entigra
RE: multiple external network segments - 11.Oct.2005 12:20:00 PM
rosscoid
Posts: 15
Joined: 1.Oct.2004
From: Buckinghamshire, UK
quote: How RainConnect fixes that *exactly*, I don't know because I've no experience with RainConnect yet. However, from reading the docs it seems that only a default gateway must be configured on the primary external interface. For the secondary external interfaces, some NAT technique is used.
Correct. Conceptually RainConnect is 'in front' of the ISA server. It has drivers that sit in the network stack right before the NIC. From a networking perspective ISA doesn't even know RainConnect is installed, it just forwards outbound traffic to its default gateway. RainConnect 'pretends' to be the default gateway and then either routes the traffic via the primary ISP, or NATs and routes it down another ISP.
quote: On other words, it sounds that only the primary interface is 'transparent'. Therefore, I think that if no RainConnect NAT editor exist for a particular protocol, you can only route that traffic through the primary external interface. Also, for inbound traffic, a special DNS agent authorative for your domains must be used. That DNS agent hands out the DNS responses with a very short TTL value.
Yes, only the primary interface is 'transparent', and if protocols or services are sensitive to being NATed then you'll have to fix them to the primary ISP. Not sure what is meant by 'NAT editor', but most traffic is fairly happy being NATed; the one common exception is VPN, specifically IPsec traffic.
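To make the two mechanisms discussed in this thread concrete, the per-protocol line selection Entigra asks for (POP3 down line one, SMTP down line two) and the transparent-primary / NATed-secondary behaviour rosscoid describes, here is a small Python model added for this page. It is not RainConnect's or ISA's code; the addresses, ports, the first-match policy list, the per-line routing tables and the port-allocating source NAT are all assumptions made for the illustration. Each line has its own destination-based table with a single gateway of last resort, a policy rule picks the line by protocol and port (the Linux ip-rule/fwmark idea, not anything Windows does natively), and a line that is not transparent rewrites the source address and keeps state so replies can be mapped back. Portless protocols (plain ESP/AH) cannot be NATed by such a port-based scheme and are therefore refused on the NATed line, which is the "fix them to the primary ISP" case.

```python
"""Model of per-protocol egress over two ISP lines, one transparent and one
NATed.  Constructed for this thread; not RainConnect's or ISA's code.  All
addresses, ports and the port-allocating NAT scheme are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "esp", ...
    sport: Optional[int]  # None for protocols that carry no ports (ESP, AH)
    dport: Optional[int]


class RoutingTable:
    """Destination-based table: longest-prefix match, lowest metric on a tie.
    0.0.0.0/0 is the gateway of last resort; only one entry can win, which is
    the 'you can't have more than one last resort' point made above."""

    def __init__(self, routes: List[Tuple[str, str, int]]):
        self.routes = [(ipaddress.ip_network(p), gw, m) for p, gw, m in routes]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        candidates = [(n.prefixlen, -m, gw) for n, gw, m in self.routes if addr in n]
        if not candidates:
            return None  # no route and no last resort: the packet is discarded
        return max(candidates)[2]


class Line:
    """An ISP line with its own routing table.  nat_ip=None means the line is
    transparent (original source address kept); otherwise outbound flows are
    source-NATed to nat_ip with a freshly allocated port, and the mapping is
    kept so replies can be translated back."""

    def __init__(self, name: str, table: RoutingTable, nat_ip: Optional[str] = None):
        self.name = name
        self.table = table
        self.nat_ip = nat_ip
        self.next_port = 40000
        self.nat: Dict[Tuple[str, int], Tuple[str, int]] = {}


Policy = List[Tuple[Callable[[Packet], bool], str]]


def egress(policy: Policy, lines: Dict[str, Line], pkt: Packet):
    """Pick a line by policy (first matching rule), route within that line's
    table, apply NAT if the line needs it.  Returns (line name, next hop,
    packet as sent on the wire) or None if the packet cannot be forwarded."""
    for pred, line_name in policy:
        if pred(pkt):
            line = lines[line_name]
            break
    else:
        return None
    gw = line.table.lookup(pkt.dst)
    if gw is None:
        return None
    if line.nat_ip is None:
        return line.name, gw, pkt
    if pkt.sport is None:
        # A port-based NAT has nothing to rewrite or multiplex on, so portless
        # protocols such as plain ESP/AH must be pinned to the transparent line.
        return None
    nat_port = line.next_port
    line.next_port += 1
    line.nat[(pkt.proto, nat_port)] = (pkt.src, pkt.sport)
    return line.name, gw, Packet(line.nat_ip, pkt.dst, pkt.proto, nat_port, pkt.dport)


def ingress_reply(line: Line, reply: Packet) -> Optional[Packet]:
    """Translate a reply arriving on a line back to the internal host."""
    if line.nat_ip is None:
        return reply
    state = line.nat.get((reply.proto, reply.dport))
    if state is None:
        return None  # no matching NAT state: drop
    src, sport = state
    return Packet(reply.src, src, reply.proto, reply.sport, sport)


def build_example():
    """The setup Entigra describes: POP3 down line 1, SMTP down line 2,
    everything else down the transparent primary line.  Assumed addresses."""
    line1 = Line("line1", RoutingTable([("0.0.0.0/0", "203.0.113.1", 10)]))
    line2 = Line("line2", RoutingTable([("0.0.0.0/0", "198.51.100.1", 10)]),
                 nat_ip="198.51.100.2")
    policy: Policy = [
        (lambda p: p.proto == "tcp" and p.dport == 110, "line1"),
        (lambda p: p.proto == "tcp" and p.dport == 25, "line2"),
        (lambda p: True, "line1"),
    ]
    return policy, {"line1": line1, "line2": line2}
```

Running `egress(*build_example(), pkt)` on a POP3 packet returns it unchanged with line 1's gateway, while an SMTP packet comes back rewritten to line 2's NAT address and a fresh port; the same ESP packet is forwarded transparently on line 1 but refused if the policy sends it to line 2. The routing table on its own also shows the last-resort rule: a destination with no matching prefix and no 0.0.0.0/0 entry gets `None`, i.e. the discard Entigra describes.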