Firewall rules for internal destinations - 19.Nov.2002 7:06:00 PM
Having a bit of trouble getting a PC to use the correct routes once the ISA Firewall client is enabled. Is there anyone that can help?
===========================
Scenario:
Internal network, with IP ranges 10.0.0.2 -> 10.0.0.34
ISA server local address is 10.0.0.3 (public IP is 345.345.345.345) connected to a T-1
Frame Relay going to a router with internal static IP address 10.0.0.10 (leading to 184.108.40.206)
PC is given static IP of 10.0.0.11
===========================
Before ISA server was installed, the PC was given a static route to 10.0.0.10 for all requests going to 220.127.116.11 and every other request goes to default (10.0.0.3). Once client software is installed, it no longer seems to use that routing table, and all requests are ported through ISA server. End result is that software needing to connect via 10.0.0.10 cannot connect. I have a feeling I am missing something very obvious ... so forgive me if this sounds like a stupid question
Hi there! You can construct your routing table by using the command 'route add' at a command prompt. Use the -p switch to make the new route stay permanent. route /? will give you a huge explanation on how to use that command. Hope to be helpful. Cheers, Alvin.
The network 18.104.22.168 reachable through the Frame Relay connection must be considered as an internal network because it is connected to the inside of the ISA server. So, that network must also be on the LAT.
RE: Firewall rules for internal destinations - 19.Nov.2002 10:50:00 PM
Thanks for the reply.
Just curious on what would happen by adding the external address of the frame (22.214.171.124) to the LAT table of the ISA server. The flow I would see would be:
1) Program on PC requests 126.96.36.199. (I am assuming this request bypasses the routing table on the local PC, as I already have a persistent route established -- but always fails when the ISA Client software is activated)
2) ISA Client passes this request to ISA Server.
3) ISA Server identifies this as a local address based on LAT table.
Now at this point, wouldn't it stall? The Local PC would be told to look for 188.8.131.52 on the local network, but it's not going to be there.
Don't know if that is how the flow will go, so please correct me if I am wrong.
No, it works a little bit differently. The LAT is defined on the ISA server, but the Firewall client downloads it (and other configuration settings) from the ISA server.
The Firewall client intercepts all TCP/IP requests made through the Winsock API on the workstation. When a requested destination is in the LAT, the request is redirected to the Firewall service on ISA. If the requested destination is *not* in the LAT, then the Firewall client lets the request through unmodified and it follows the normal packet processing of the TCP/IP stack, including the routing you have defined on the workstation.
So, if the destination is *not* living on the external side of the ISA server, then the client should be able to contact that destination without any restriction, as long as the LAT is properly defined.
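An added model of the decision the thread converges on (it is not code from the thread or from ISA Server): a destination covered by the LAT is treated as internal and reaches its host through the workstation's own routing table, anything else is handed to the ISA Firewall service. It reuses the thread's 10.0.0.3 (ISA) and 10.0.0.10 (Frame Relay router); the remote site network 192.0.2.0/24 and the host 192.0.2.25 are assumed placeholders, since the thread's own value for that network is not usable.

```python
import ipaddress

# Constructed model of the thread's LAN: the ISA server is the default gateway
# and the Frame Relay router fronts a remote site. 192.0.2.0/24 is an assumed
# placeholder for that remote network, not the thread's own value.
LAN = ipaddress.ip_network("10.0.0.0/24")
REMOTE_SITE = ipaddress.ip_network("192.0.2.0/24")
ISA_SERVER = ipaddress.ip_address("10.0.0.3")
FRAME_ROUTER = ipaddress.ip_address("10.0.0.10")

# The workstation's routing table as 'route add -p' would leave it:
# (destination network, next hop); None means the destination is on-link.
ROUTES = [
    (LAN, None),
    (REMOTE_SITE, FRAME_ROUTER),                       # the persistent route
    (ipaddress.ip_network("0.0.0.0/0"), ISA_SERVER),   # default route
]

def next_hop(dest, routes):
    """Longest-prefix match over the route table, as the TCP/IP stack does.
    Returns the gateway address, or the destination itself when on-link."""
    matches = [(net, hop) for net, hop in routes if dest in net]
    if not matches:
        return None
    hop = max(matches, key=lambda m: m[0].prefixlen)[1]
    return dest if hop is None else hop

def classify(dest_str, lat):
    """Decide what the Firewall client does with a Winsock connection.
    LAT destination  -> ('direct', gateway from the local routing table)
    anything else    -> ('firewall_service', ISA_SERVER)"""
    dest = ipaddress.ip_address(dest_str)
    if any(dest in net for net in lat):
        return ("direct", next_hop(dest, ROUTES))
    return ("firewall_service", ISA_SERVER)

# Two LAT definitions: the original one (LAN only) and the corrected one that
# also lists the network behind the Frame Relay router.
LAT_WITHOUT_REMOTE = [LAN]
LAT_WITH_REMOTE = [LAN, REMOTE_SITE]

if __name__ == "__main__":
    for lat in (LAT_WITHOUT_REMOTE, LAT_WITH_REMOTE):
        print([str(n) for n in lat], classify("192.0.2.25", lat))
```

With only the LAN on the LAT the remote host is pushed through ISA, which is the failure in the original post; once the remote network is listed, the persistent route via 10.0.0.10 is used again.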
RE: Firewall rules for internal destinations - 19.Nov.2002 11:22:00 PM
Thanks for the explanation Spouseele.
I have entered them in and am just waiting to see if it works. I also pulled out Tom's ISA Server Book to review (it's gotten mighty dusty as of late -- haven't touched the ISA server in a while) and it mentioned a 6 hour time before updates. Any way to expedite that?