Welcome to ISAserver.org

multiple external network segments

multiple external network segments - 8.Sep.2005 1:54:00 PM
Guest
I currently have ISA 2000 Standard on a Windows 2000 server.

I have one internal network segment that connects to the box. All Internet Explorer clients are configured to use the IP of the box.

The problem is that I have multiple external network segments.

1x diginet to ISP
1x diginet to another company
1x ADSL line (VPN)
1x ADSL ISP

All http traffic is directed through the 1 diginet to the ISP, except for one site which I connect to directly via the second diginet. This currently works, using static persistent routes.

As soon as I connect 1 ADSL and leave the 1 diginet connected to the ISP, all traffic stops.

If I disconnect all diginet lines and connect the 1 ADSL (VPN), this works.

I need all lines to work!

My opinion is that ISA Server 2000 was not meant to handle multiple external network segments correctly.

I'm not able to specify what traffic should go through which external interface.

Can anyone help, or suggest another firewall capable of handling my requirements?
  Post #: 1
RE: multiple external network segments - 8.Sep.2005 3:08:00 PM
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi entigra,

ISA 2000 and ISA 2004 can only handle *one* default gateway. That's a limitation of the underlying OS. However, there is an add-on product which can accomplish that. Check out RainWall and RainConnect from http://www.rainfinity.com/ .

HTH,
Stefaan

(in reply to Guest)
Post #: 2
RE: multiple external network segments - 15.Sep.2005 12:31:00 PM
Guest
Thx Stefaan

I see that Rainfinity software appears all over the message boards.

I've been to their website and I'm downloading the trial.

I have also downloaded the ISA 2004 trial.

I will set up a Windows 2003 dev box to test this solution.

The funny thing is that there are people running multihomed ISA 2000 servers that work.

My multihomed ISA box works to a certain point.

I am able to route traffic to two different gateways. This is done, as I said before, by using persistent routes, therefore ignoring the ISA server routing table.

e.g. 196.30.1.65 255.255.255.0 11.11.11.14
all other traffic is routed to 196.34.148.90

This currently works - however both lines as explained are diginet. The minute I introduce ADSL this configuration no longer works.

So I will just have to see how the Dev box works. [Smile]

(in reply to Guest)
  Post #: 3
RE: multiple external network segments - 15.Sep.2005 5:51:00 PM
spouseele

Hi entigra,

if you only have one default gateway and you have persistent static routes which point to other gateways through other interfaces, then that will work. The limitation is of course that you have to know in advance which destinations are reachable through a particular interface.

HTH,
Stefaan

(in reply to Guest)
Post #: 4
RE: multiple external network segments - 22.Sep.2005 12:03:00 PM
Guest
Hi Stefaan

Haven't tested it yet. Just set up a rig with Windows 2003, ISA 2004 Trial and have downloaded RainConnect for ISA. I will run this parallel to the existing solution to see the test results.

I almost fell off my chair when I saw the price of RainConnect ------ oh no, wait a minute, I did. I'm running a business here, not a datacentre or an ISP.

There has got to be a simpler solution to my problem.

Correct, I do only have one default gateway defined - the internal interface of the ISA box.

The problem is that all IE clients are configured to use this IP address as the proxy server. Therefore all http traffic is routed to the ISA box.

This essentially creates multiple problems for me.

There is just one internet address that must not be cached, and it must be routed through the 1 ADSL line (VPN).

Do I put a router before the ISA box with 2 LAN interfaces? Do I disable the proxy service? Do I have multiple gateways? I don't know!

4 external connections on one ISA box:

1 DSL and 1 diginet to the internet - all destinations are the same.

1 DSL (VPN) to a specific IP, 1 diginet point to point - all destinations are the same.

I need to use all of these connections for different purposes - although I connect via a browser to use these services, applications, internet, email.

I have connected the 1 ADSL line to a Linux box running iptables and IPCop. This box is on the same network segment as one of the external interface IPs of the ISA box. I tried creating a persistent route; however, this does not work either.

So frustrating that there are no decent products at an affordable price to use.

The problem may lie in the very fact that the base OS sux and cannot do what I am asking of it!

Entigra

(in reply to Guest)
  Post #: 5
RE: multiple external network segments - 22.Sep.2005 4:43:00 PM
spouseele

Hi entigra,

can you make a nice diagram? Specify also which destinations are reachable through which interface. It would tell us much more than 1000 words! [Wink]

You can then post here the link where we can download the picture.

HTH,
Stefaan

(in reply to Guest)
Post #: 6
RE: multiple external network segments - 23.Sep.2005 10:40:00 AM
Guest
Hi Stefaan

http://www.mbfs.co.za/network/entigra.pdf

Here is a diagram and a document I quickly put together for you so that you may have a better understanding.

Some other people told me about ISA server 2004.

I need to test my rig

Regards
Entigra

(in reply to Guest)
  Post #: 7
RE: multiple external network segments - 23.Sep.2005 10:49:00 AM
Guest
Hi Stefaan

My bad, the diagram did not come out correctly as a PDF, so I have uploaded a JPG.

www.mbfs.co.za/network/isa.jpg

Regards
Entigra

(in reply to Guest)
  Post #: 8
RE: multiple external network segments - 23.Sep.2005 4:36:00 PM
spouseele

Hi Entigra,

let's see if I understand your requirements:
code:
      Internal        External
         v               v
LAN --- [ ISA ] --- line1/2 --- Internet
           !
           ! < Perimeter
           !
           +------- line3/4 --- [WebSrv]

Basically you want an ISA server with 3 interfaces:

1. Internal: this is the default Internal network. No default gateway is set on this interface.

2. External: this is the default External network. This interface *must* have a default gateway because it is used for general Internet access.

3. Perimeter: this is another interface *without* a default gateway set. The goal is that the Web Server should be accessed through this interface. Therefore you need to define a static persistent route on ISA for the destinations you want to be reachable through this interface.

It should be clear that out of the box, either line1 or line2 can be operational, not both. By the same token, either line3 or line4 can be operational, not both.

I assume you will have a NAT relation between the Internal and the External network, and a NAT relation between the Internal and the Perimeter network. No relation should be defined between the Perimeter and the External network.

For the internal clients, the access should be completely transparent. They send their requests to the ISA server. ISA server will decide which outgoing interface should be used (routing) and will translate the source IP address to the primary IP address assigned to the outgoing interface chosen.

HTH,
Stefaan

[ September 23, 2005, 04:38 PM: Message edited by: spouseele ]

(in reply to Guest)
Post #: 9
RE: multiple external network segments - 26.Sep.2005 4:51:00 AM
Guest
Hi Stefaan

Correct in your assessment; however, theoretically sound, yes. Practically working at present, yes. Deviations from the current solution produce illogical results.

Yes I have three network interfaces currently and the ISA server is working and doing exactly what I want.

1. Routing internet traffic through the external interface Line 1 (Diginet)
2. Routing traffic to the web server via line 4 (Diginet).

Using the same configuration and switching off Line 4 and enabling Line 3 (ADSL) instead does not work. Even if the correct persistent routes are changed to accommodate this.

The introduction of the ADSL line via the Linux box seems to fail. I can ping the box but no traffic goes through. A trace route shows that it is trying to send the information to the internal interface of the Linux which means my routing is correct.

ISA server creates that NAT relationship between Internal and 'default' External network - this will always be the first network card to initialise if the box is re-booted - another problem. If the perimeter network enables first, ISA thinks that this is the default external network through which it must route all external traffic.

E.g. Line1 to line 4. The NAT relationship between the internal and perimeter network is defined by the persistent route.

My opinion is the LAT defined in ISA 2000 is responsible for most of the restrictions of the product.
My eventual solution is to have Line 2 and Line 3 working only. The conundrum is that Line 3 can also access the internet as well as the web server via the VPN!

Regards
Entigra

(in reply to Guest)
  Post #: 10
RE: multiple external network segments - 26.Sep.2005 10:01:00 AM
Guest
The default internal network cannot have multiple NAT relationships. Nor can you define them in ISA 2000 - I believe this is possible in 2004.

So The answer lies in my test rig which is almost up!

(in reply to Guest)
  Post #: 11
RE: multiple external network segments - 26.Sep.2005 10:21:00 AM
Guest
New Feature

Multiple network configuration
You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks, and not necessarily relative to a given Internal network. Whereas in ISA Server 2000, all traffic was inspected relative to a local address table (LAT) that included only address ranges on the Internal network, ISA Server 2004 extends the firewall and security features to apply to traffic between any networks.

(in reply to Guest)
  Post #: 12
RE: multiple external network segments - 26.Sep.2005 3:15:00 PM
spouseele

Hi Entigra,

quote:
Using the same configuration and switching off Line 4 and enabling Line 3 (ADSL) instead does not work. Even if the correct persistent routes are changed to accommodate this.

The introduction of the ADSL line via the Linux box seems to fail. I can ping the box but no traffic goes through. A trace route shows that it is trying to send the information to the internal interface of the Linux which means my routing is correct.

Take a Netmon trace on the ISA perimeter interface to find out what is really happening on the wire. If ISA is sending the packets but no responses get back, then the culprit is upstream (i.e. the Linux box).

quote:
ISA server creates that NAT relationship between Internal and 'default' External network - this will always be the first network card to initialise if the box is re-booted - another problem. If the perimeter network enables first, ISA thinks that this is the default external network through which it must route all external traffic.

Not true! The 'default' External network is the interface where the default gateway is configured. Keep in mind that ISA 2000 *and* ISA 2004 only support *one* default gateway. So, there can only be one 'default' External network.

quote:
E.g. Line1 to line 4. The NAT relationship between the internal and perimeter network is defined by the persistent route.
Not true! You configure the NAT or Route relationship as part of the network configuration.

quote:
My opinion is the LAT defined in ISA 2000 is responsible for most of the restrictions of the product.
My eventual solution is to have Line 2 and Line 3 working only. The conundrum is that Line 3 can also access the internet as well as the web server via the VPN!

This particular configuration can also be implemented with ISA 2000 and ISA 2004! I have more than 20 ISA 2000 installations running that way. The key point is that the perimeter interface must not be included in the LAT.
It doesn't matter if the Internet is reachable through the perimeter interface or not. As long as ISA doesn't know that (no default gateway!), ISA can only send packets through that interface for which a static route is defined through that interface.

HTH,
Stefaan

(in reply to Guest)
Post #: 13
RE: multiple external network segments - 27.Sep.2005 5:25:00 AM
Guest
Hi Stefaan

My server is setup correctly. The default external interface is the only external interface that has a default gateway configured.
i.e Line 1

Line 3: The interface connected to the Linux box does not have a default gateway defined.

Line 4: This interface does not have a default gateway defined.

Routing for lines 3 and 4 are by means of persistent routes only.

If I switch all lines off and configure Line 3 as the default external gateway, i.e. the Linux box, this works. But this does not work using persistent routes while other lines are operational - very odd.

So traffic does go through the Linux box as long as it is configured as the default external network connection.

You have been preaching to the converted. My setup is exactly as you say. I have agreed with what you have said from the very start.

Everything that you have told me is exactly how my box was set up to begin with.

As I told you before, my box works using the internal line and external lines 1 and 4 - this shows that I have configured ISA with two external network connections before and that it works correctly.

The problem is that the solution does not work when it actually should. This is what I cannot get around my head. All configurations are correct. Changing the route to point to the internal IP of the LINUX box instead of the Router creates the current scenario.

My LAT configuration only includes the internal address range.

Quote
__________________________________________________
Not true! You configure the NAT or Route relationship as part of the network configuration.
__________________________________________________

Would you please care to extrapolate on this, as there is routing, LAT and LDT under network configuration.

Routing enables one to create rules that apply to a specific destination set. The Action determines the path taken, either directly or using a primary or backup route. This just forwards the request to an upstream proxy.

Here I have two rules defined.

1. The "Webserver" is defined in the destination set used. The Action is "retrieve the request directly" and under "cache content" - no content will ever be cached.

2. The second is the default standard rule. That applies to all destinations.

I never ruled out the Linux box as I believe this is a dodgy config. This box is handled by an ISP. Which means I don't have control over it - I will be changing that soon.

Regards
Entigra

(in reply to Guest)
  Post #: 14
RE: multiple external network segments - 27.Sep.2005 11:21:00 AM
Guest
Your answers make sense now that I have loaded ISA 2004.

The NAT or Route relationship is easy to setup in 2004.

i.e under network rules

3-leg Perimeter Hmmmmm

If I create a URL set that contains the address of the webserver I need to access, how do I tell ISA to route that through the perimeter network and not the default external network?

Entigra

(in reply to Guest)
  Post #: 15
RE: multiple external network segments - 27.Sep.2005 2:08:00 PM
spouseele

Hi Entigra,

ha... ISA 2000, just what I was beginning to suspect. You posted the question in the wrong forum! [Razz]

First of all, that particular configuration should work in an ISA 2000 *and* ISA 2004 environment. Of course, an ISA 2004 is recommended. [Wink]

To tell ISA 2000 or 2004 to route the traffic to a perimeter interface, you have to configure static persistent routes on ISA (route add -p command). Of course, make sure that the gateway you specify belongs to the network ID you configured on the perimeter interface. Remember, NO default gateway allowed! [Roll Eyes]

HTH,
Stefaan

(in reply to Guest)
Post #: 16
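The routing behaviour Stefaan describes in posts 4, 13 and 16 (one default gateway on the External interface, no gateway on the Perimeter interface, persistent static routes whose gateway must lie inside the perimeter network ID) can be checked offline with a small model of the Windows routing table. The following Python is an added example written for this thread, not ISA code or anything posted by Stefaan or Entigra; the 11.11.11.14 and 196.34.148.90 gateways are the ones quoted in the thread, while the subnets around them and the Internal range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network          # network ID configured on the NIC
    default_gateway: Optional[str] = None   # allowed on exactly one interface


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link (directly connected)
    interface: str
    persistent: bool


class RoutingTable:
    """Model of a multi-homed Windows host: one default gateway plus static routes."""

    def __init__(self, interfaces: List[Interface]):
        self.interfaces = {i.name: i for i in interfaces}
        # Every interface gets an on-link route for its own subnet.
        self.routes: List[Route] = [
            Route(i.network, None, i.name, persistent=False) for i in interfaces
        ]
        # Windows (and therefore ISA) honours a single default gateway; refuse anything else.
        with_gw = [i for i in interfaces if i.default_gateway is not None]
        if len(with_gw) != 1:
            raise ValueError("exactly one interface may carry the default gateway")
        ext = with_gw[0]
        gw = ipaddress.IPv4Address(ext.default_gateway)
        self._require_on_link(gw, ext)
        self.routes.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), gw, ext.name, persistent=False))

    @staticmethod
    def _require_on_link(gateway: ipaddress.IPv4Address, iface: Interface) -> None:
        # The gateway must belong to the network ID configured on that interface.
        if gateway not in iface.network:
            raise ValueError(f"gateway {gateway} is not inside {iface.name} ({iface.network})")

    def add_persistent(self, destination: str, gateway: str, interface: str) -> Route:
        """Equivalent of 'route -p add': a static route via an interface that has no default gateway."""
        iface = self.interfaces[interface]
        gw = ipaddress.IPv4Address(gateway)
        self._require_on_link(gw, iface)
        # strict=False normalises a host/mask pair such as 196.30.1.65/255.255.255.0 to 196.30.1.0/24
        net = ipaddress.IPv4Network(destination, strict=False)
        route = Route(net, gw, interface, persistent=True)
        self.routes.append(route)
        return route

    def lookup(self, address: str) -> Tuple[str, str]:
        """Longest-prefix match: returns (interface, next hop) for a destination IP."""
        dst = ipaddress.IPv4Address(address)
        best = max((r for r in self.routes if dst in r.destination),
                   key=lambda r: r.destination.prefixlen)
        return best.interface, "on-link" if best.gateway is None else str(best.gateway)


def route_add_command(route: Route) -> str:
    """Render a static route in the syntax of the Windows 'route' command."""
    flag = "-p " if route.persistent else ""
    return (f"route {flag}add {route.destination.network_address} "
            f"mask {route.destination.netmask} {route.gateway}")


def example_table() -> RoutingTable:
    # Constructed example: subnets and the Internal range are assumptions.
    table = RoutingTable([
        Interface("Internal", ipaddress.IPv4Network("192.168.0.0/24")),
        Interface("External", ipaddress.IPv4Network("196.34.148.0/24"),
                  default_gateway="196.34.148.90"),
        Interface("Perimeter", ipaddress.IPv4Network("11.11.11.0/24")),
    ])
    table.add_persistent("196.30.1.65/255.255.255.0", "11.11.11.14", "Perimeter")
    return table


def off_link_gateway_rejected() -> bool:
    """A static route whose gateway lies outside the perimeter subnet is refused."""
    try:
        example_table().add_persistent("196.30.1.0/24", "10.0.0.1", "Perimeter")
    except ValueError:
        return True
    return False


def second_default_gateway_rejected() -> bool:
    """Two interfaces with a default gateway is the misconfiguration the thread warns about."""
    try:
        RoutingTable([
            Interface("External", ipaddress.IPv4Network("196.34.148.0/24"), "196.34.148.90"),
            Interface("Perimeter", ipaddress.IPv4Network("11.11.11.0/24"), "11.11.11.14"),
        ])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = example_table()
    for ip in ("196.30.1.65", "66.249.85.104", "11.11.11.200"):
        print(ip, "->", table.lookup(ip))
    print(route_add_command(table.routes[-1]))
```

Run as a script, the lookups show the point of post 13: only 196.30.1.x, for which a static route exists, leaves through the Perimeter interface; every other destination, including anything the perimeter line could physically reach, follows the single default route out of External. The on-link check reproduces the constraint from post 16 that the gateway of a persistent route must belong to the network ID of the perimeter interface.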
RE: multiple external network segments - 29.Sep.2005 9:07:00 AM
Guest
Hi Stefaan

Sorry [Eek!] about posting it in the wrong forum - I only realised it afterwards. In my defence my very first line stipulated that I have an ISA 2000 box running on Windows 2000.

I have the ISA 2004 test rig up but it is not yet fully operational; still doing some config.

Is there any software out there that can route "URL" sets (to be resolved by DNS) and not IP addresses through specific default gateways on multiple external network interfaces? (This is without using static persistent routes and IPs.)

Oh, so it's a multi-NAT config with persistent routes on ISA 2004. How SAD [Razz] - I thought the product would be 100% better if they are boxing it and trying to sell it off as a perimeter-based firewall. - LOL [Big Grin] Can't even compare it to a Cisco PIX 515R.

The config also is a bit dodgy - it takes time to set this up correctly. ISA 2000 had a better method.

Regards
Entigra [Cool]

(in reply to Guest)
  Post #: 17
RE: multiple external network segments - 29.Sep.2005 11:39:00 AM
Guest
I Miss Packet Filters [Confused]

(in reply to Guest)
  Post #: 18
RE: multiple external network segments - 29.Sep.2005 4:15:00 PM
spouseele

Hi Entigra,

quote:
Is there any software out there that can route "URL" sets (to be resolved by DNS) and not IP addresses through specific default gateways on multiple external network interfaces? (This is without using static persistent routes and IPs.)
What have URL or domain name sets to do with routing? I would say nothing at all. Also, I will repeat it again and again, there can only be ONE default gateway! So, why are you speaking about 'specific default gateways'? [Razz]
quote:
The config also is a bit dodgy - it takes time to set this up correctly. ISA 2000 had a better method.
Don't agree with you. ISA 2004 has a much better and logical GUI to configure the box.
quote:
I Miss Packet Filters
What would you need them for? Even on ISA 2000 they were seldom needed. Only for applications running on ISA itself or for allowing traffic between the Internet and a perimeter network.

HTH,
Stefaan

[ September 29, 2005, 04:17 PM: Message edited by: spouseele ]

(in reply to Guest)
Post #: 19
RE: multiple external network segments - 30.Sep.2005 5:06:00 AM
Guest
Hi Stefaan

Yes we all know there can only be one default gateway using ISA server. [Wink]

The question was: is there any other software besides ISA (get ISA out of your head for 1 second - think out of the box) that supports multiple default gateways? I don't care if it's application or hardware based!

e.g

1. Route URL set Http://www.google.co.za/* to 196.20.30.1
2. Route http://asp.application.co.za/* to 196.56.30.34

Imagine you could actually do this within the software!

instead of doing -

route -p add 66.249.85.104 mask 255.255.255.255 196.20.30.1
route -p add 196.34.98.65 mask 255.255.255.255 196.56.30.34

Note: This is an example.

Config on 2004 - well thats a personal preference.
I prefer 2000 and not 2004 or maybe it takes some time getting used to the methods.

Packet filters:

1. Publish servers on a perimeter network
2. Run applications or other services on the ISA Server computer
3. Allow outgoing traffic from the ISA server
4. Allow access to protocols that are not based on the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)

NOTE this is an example !

Filter type: Custom

IP Protocol: TCP
Port Number: 256
Direction: both
local port: fixed port
Remote port: fixed port
port number: 567

Local Computer
This applies to this external ISA interface 196.23.1.34

Remote computer
65.23.25.67

If the direction of the packet filter is both, then two rules need to be created on ISA 2004 - what a pain.

Bandwidth rules - not supported in 2004.

Site and content rules - seems everything has been lumped into access rules. That can't even give you a good overview of how the system is configured.

As I said before maybe I just need to get used to the Product.

Regards
Entigra

(in reply to Guest)
  Post #: 20