multiple external network segments
multiple external network segments - 8.Sep.2005 1:54:00 PM
Guest
I currently have ISA 2000 Standard on a Windows 2000 server.
I have one internal network segment that connects to the box. All Internet Explorer clients are configured to use the IP of the box.
The problem is that I have multiple external network segments:
1x Diginet to ISP
1x Diginet to another company
1x ADSL line (VPN)
1x ADSL ISP
All HTTP traffic is directed through the one Diginet to the ISP, except for one site which I connect to directly via the second Diginet. This currently works. This works using static persistent routes.
As soon as I connect one ADSL and leave the one Diginet connected to the ISP, all traffic stops.
If I disconnect all Diginet lines and connect the one ADSL (VPN), this works.
I need all lines to work!
My opinion is that ISA Server 2000 was not meant to handle multiple external network segments correctly.
I'm not able to specify what traffic should go through which external interfaces.
Can anyone help? Or suggest another firewall capable of handling my requirements!
RE: multiple external network segments - 8.Sep.2005 3:08:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi entigra,
ISA 2000 and ISA 2004 can only handle *one* default gateway. That's a limitation of the underlying OS. However, there is an add-on product which can accomplish that. Check out RainWall and RainConnect from http://www.rainfinity.com/ .
HTH, Stefaan
RE: multiple external network segments - 15.Sep.2005 12:31:00 PM
Guest
Thx Stefaan
I see that Rainfinity software appears all over the message boards.
I've been to their website and I'm downloading the trial.
I have also downloaded the ISA 2004 trial.
I will set up a Windows 2003 dev box to test this solution.
The funny thing is that there are people running multihomed ISA 2000 servers that work.
My multihomed ISA box works to a certain point.
I am able to route traffic to two different gateways. This is done, as I said before, by using persistent routes, therefore ignoring the ISA server routing table.
e.g. 196.30.1.65 255.255.255.0 11.11.11.14; all other traffic is routed to 196.34.148.90
This currently works - however both lines, as explained, are Diginet. The minute I introduce ADSL this configuration no longer works.
So I will just have to see how the dev box works.
RE: multiple external network segments - 15.Sep.2005 5:51:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi entigra,
if you only have one default gateway and you have persistent static routes which point to other gateways through other interfaces, then that will work. The limitation is of course that you have to know the destinations reachable through a particular interface in advance.
HTH, Stefaan
RE: multiple external network segments - 22.Sep.2005 12:03:00 PM
Guest
Hi Stefaan
Haven't tested it yet. Just set up a rig with Windows 2003, ISA 2004 Trial and have downloaded RainConnect for ISA. I will run this parallel to the existing solution to see the test results.
I almost fell off my chair when I saw the price of RainConnect ------ oh no wait a minute, I did. I'm running a business here, not a datacentre or an ISP.
There has got to be a simpler solution to my problem.
Correct, I do only have one default gateway defined - the internal interface of the ISA box.
The problem is that all IE clients are configured to use this IP address as the proxy server. Therefore all HTTP traffic is routed to the ISA box.
This essentially creates multiple problems for me.
There is just one internet address that must not be cached, and it must be routed through the one ADSL line (VPN).
Do I put a router before the ISA box with 2 LAN interfaces? Do I disable the proxy service? Do I have multiple gateways? I don't know!
4 external connections on one ISA box:
1 DSL and 1 Diginet to the internet - all destinations are the same
1 DSL (VPN) to a specific IP, 1 Diginet point to point - all destinations are the same
I need to use all of these connections for different purposes - although I connect via a browser to use these services, applications, internet, email.
I have connected the one ADSL line to a Linux box running iptables and IPCop. This box is on the same network segment as one of the external interface IPs of the ISA box. I tried creating a persistent route, however this does not work either.
So frustrating that there are no decent products at an affordable price to use.
The problem may lie in the very fact that the base OS sux and cannot do what I am asking of it!
Entigra
RE: multiple external network segments - 23.Sep.2005 10:40:00 AM
Guest
Hi Stefaan
http://www.mbfs.co.za/network/entigra.pdf
Here is a diagram and a document I quickly put together for you so that you may have a better understanding.
Some other people told me about ISA Server 2004.
I need to test my rig.
Regards Entigra
RE: multiple external network segments - 23.Sep.2005 10:49:00 AM
Guest
Hi Stefaan
My bad, the diagram did not come out correctly in the PDF so I have uploaded a JPG:
www.mbfs.co.za/network/isa.jpg
Regards Entigra
RE: multiple external network segments - 23.Sep.2005 4:36:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Entigra,
let's see if I understand your requirements:
code:
           Internal                  External
              v                         v
    LAN --- [ ISA ] --- line1/2 --- Internet
               !
               ! < Perimeter
               !
               +------- line3/4 --- [WebSrv]
Basically you want an ISA server with 3 interfaces:
1. Internal: this is the default Internal network. No default gateway is set on this interface.
2. External: this is the default External network. This interface *must* have a default gateway because it is used for general Internet access.
3. Perimeter: this is another interface *without* a default gateway set. The goal is that the Web Server should be accessed through this interface. Therefore you need to define a static persistent route on ISA for the destinations you want to be reachable through this interface.
It should be clear that out of the box, either line1 or line2 can be operational, not both. By the same token, either line3 or line4 can be operational, not both.
I assume you will have a NAT relation between the Internal and the External network, and a NAT relation between the Internal and the Perimeter network. No relation should be defined between the Perimeter and the External network.
For the internal clients, the access should be completely transparent. They send their requests to the ISA server. ISA server will decide which outgoing interface should be used (routing) and will translate the source IP address to the primary IP address assigned to the outgoing interface chosen.
HTH, Stefaan
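The three-interface design above, modelled as a routing table so the rule "one default gateway, perimeter destinations only via persistent static routes" can be checked before a reboot exposes a mistake. This is an added example, not code from the thread or from ISA Server; the addresses are the thread's own (196.30.1.65 via 11.11.11.14, default via 196.34.148.90) and the interface names External/Perimeter are assumptions.

```python
# Added example (not from the thread): the design above as a routing table -
# one default gateway on the External interface, perimeter destinations only via
# persistent static routes. Addresses are the thread's; interface names assumed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network  # destination prefix
    gateway: str                    # next hop
    interface: str                  # outgoing NIC (assumed name)
    persistent: bool = False        # added with 'route add ... /p'

def parse_route_add(line: str, interface: str) -> Route:
    """Parse 'route add <dest> [mask] <gw> [/p]' as typed in the thread;
    no mask means a host route, as route.exe assumes."""
    parts = line.split()
    if parts[:2] != ["route", "add"]:
        raise ValueError(f"not a route add command: {line!r}")
    args = [p for p in parts[2:] if p.lower() not in ("/p", "mask")]
    if len(args) == 3:
        dest, mask, gw = args
    elif len(args) == 2:
        (dest, gw), mask = args, "255.255.255.255"
    else:
        raise ValueError(f"unexpected arguments: {line!r}")
    net = ipaddress.IPv4Network((dest, mask), strict=False)
    return Route(net, gw, interface, "/p" in parts)

def lookup(table, dest: str) -> Route:
    """Longest-prefix match, which is how the OS picks the outgoing route."""
    ip = ipaddress.IPv4Address(dest)
    matches = [r for r in table if ip in r.network]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda r: r.network.prefixlen)

def check_design(table, perimeter_if: str) -> list:
    """Flag the misconfigurations the thread keeps running into."""
    problems = []
    defaults = [r for r in table if r.network.prefixlen == 0]
    if len(defaults) != 1:
        problems.append(f"expected one default gateway, found {len(defaults)}")
    if any(r.interface == perimeter_if for r in defaults):
        problems.append(f"default gateway on perimeter interface {perimeter_if}")
    for r in table:
        if r.interface == perimeter_if and r.network.prefixlen and not r.persistent:
            problems.append(f"route to {r.network} not persistent; lost on reboot")
    return problems

# Constructed table: Line 1 (Diginet to ISP) carries the default route; the
# web server's subnet is pinned to the perimeter gateway with /p.
ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "196.34.148.90", "External"),
    parse_route_add("route add 196.30.1.65 255.255.255.0 11.11.11.14 /p", "Perimeter"),
]
```

Feeding it a second default route on the perimeter interface reproduces the "everything stops" situation the original poster describes: two default gateways, one of them on the interface that should carry only pinned destinations.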
RE: multiple external network segments - 26.Sep.2005 4:51:00 AM
Guest
Hi Stefaan
Correct in your assessment; theoretically sound, yes. Practically working at present, yes. Deviations from the current solution produce illogical results.
Yes, I have three network interfaces currently and the ISA server is working and doing exactly what I want:
1. Routing internet traffic through the external interface Line 1 (Diginet)
2. Routing traffic to the web server via Line 4 (Diginet)
Using the same configuration and switching off Line 4 and enabling Line 3 (ADSL) instead does not work, even if the correct persistent routes are changed to accommodate this.
The introduction of the ADSL line via the Linux box seems to fail. I can ping the box but no traffic goes through. A trace route shows that it is trying to send the information to the internal interface of the Linux box, which means my routing is correct.
ISA server creates that NAT relationship between Internal and "default" External network - this will always be the first network card to initialise if the box is re-booted - another problem. If the perimeter network enables first, ISA thinks that this is the default external network through which it must route all external traffic.
E.g. Line 1 to Line 4. The NAT relationship between the internal and perimeter network is defined by the persistent route.
My opinion is the LAT defined in ISA 2000 is responsible for most of the restrictions of the product. My eventual solution is to have Line 2 and Line 3 working only. The conundrum is that Line 3 can also access the internet as well as the web server via the VPN!
Regards Entigra
RE: multiple external network segments - 26.Sep.2005 10:01:00 AM
Guest
The default internal network cannot have multiple NAT relationships. Nor can you define them in ISA 2000 - I believe this is possible in 2004.
So the answer lies in my test rig, which is almost up!
RE: multiple external network segments - 26.Sep.2005 10:21:00 AM
Guest
New Feature
Multiple network configuration: You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks, and not necessarily relative to a given Internal network. Whereas in ISA Server 2000, all traffic was inspected relative to a local address table (LAT) that included only address ranges on the Internal network, ISA Server 2004 extends the firewall and security features to apply to traffic between any networks.
RE: multiple external network segments - 26.Sep.2005 3:15:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Entigra,
quote: Using the same configuration and switching off Line 4 and enabling Line 3 (ADSL) instead does not work. Even if the correct persistent routes are changed to accommodate this.
The introduction of the ADSL line via the Linux box seems to fail. I can ping the box but no traffic goes through. A trace route shows that it is trying to send the information to the internal interface of the Linux which means my routing is correct.
Take a Netmon trace on the ISA perimeter interface to find out what is really happening on the wire. If ISA is sending the packets, but no responses get back, then the culprit is upstream (i.e. the Linux box).
quote: ISA server creates that NAT relationship between Internal and "default" External network - this will always be the first network card to initialise if the box is re-booted - another problem. If the perimeter network enables first, ISA thinks that this is the default external network through which it must route all external traffic.
Not true! The 'default' External network is that interface where the default gateway is configured on. Keep in mind that ISA 2000 *and* ISA 2004 only support *one* default gateway. So, there can only be one 'default' External network.
quote: E.g. Line1 to line 4. The NAT relationship between the internal and perimeter network is defined by the persistent route.
Not true! You configure the NAT or Route relationship as part of the network configuration.
quote: My opinion is the LAT defined in ISA 2000 is responsible for most of the restrictions of the product. My eventual solution is to have Line 2 and Line 3 working only. The conundrum is that Line 3 can also access the internet as well as the web server via the VPN!
This particular configuration can also be implemented with ISA 2000 and ISA 2004! I have more than 20 ISA 2000 installations running that way. The key point is that the perimeter interface must not be included in the LAT. It doesn't matter if the Internet is reachable through the perimeter interface or not. As long as ISA doesn't know that (no default gateway!), ISA can only send packets through that interface for which a static route is defined through that interface.
HTH, Stefaan
RE: multiple external network segments - 27.Sep.2005 5:25:00 AM
Guest
Hi Stefaan
My server is set up correctly. The default external interface is the only external interface that has a default gateway configured, i.e. Line 1.
Line 3: The interface connected to the Linux box does not have a default gateway defined.
Line 4: This interface does not have a default gateway defined.
Routing for lines 3 and 4 is by means of persistent routes only.
If I switch all lines off and configure Line 3 as the default external gateway, i.e. the Linux box, this works. But this does not work using persistent routes while other lines are operational - very odd.
So traffic does go through the Linux box as long as it is configured as the default external network connection.
You have been preaching to the converted. My setup is exactly as you say. I have agreed with what you have said from the very start.
Everything that you have told me is exactly how my box was set up to begin with.
As I told you before, my box works using the internal line and external lines 1 and 4 - this shows that I have configured ISA with two external network connections before and that they work correctly.
The problem is that the solution does not work when it actually should. This is what I cannot get around my head. All configurations are correct. Changing the route to point to the internal IP of the Linux box instead of the router creates the current scenario.
My LAT configuration only includes the internal address range.
quote: Not true! You configure the NAT or Route relationship as part of the network configuration.
Would you please care to extrapolate on this?
As there is Routing, LAT and LDT under network configuration.
Routing enables one to create rules that apply to a specific destination set. The Action determines the path taken, either directly or using a primary or backup route. This just forwards the request to an upstream proxy.
Here I have two rules defined:
1. The "Webserver" is defined in the destination set used. The Action is "retrieve the request directly" and under "cache content", no content will ever be cached.
2. The second is the default standard rule, which applies to all destinations.
I never ruled out the Linux box as I believe this is a dodgy config. This box is handled by an ISP, which means I don't have control over it - I will be changing that soon.
Regards Entigra
RE: multiple external network segments - 27.Sep.2005 11:21:00 AM
Guest
Your answers make sense now that I have loaded ISA 2004.
The NAT or Route relationship is easy to set up in 2004,
i.e. under network rules.
3-leg Perimeter. Hmmmmm.
If I create a URL set that contains the address of the webserver I need to access, how do I tell ISA to route that through the perimeter network and not the default external network?
Entigra
RE: multiple external network segments - 29.Sep.2005 9:07:00 AM
Guest
Hi Stefaan
Sorry about posting it in the wrong forum - I only realised it afterwards. In my defence, my very first line stipulated that I have an ISA 2000 box running on Windows 2000.
I have the ISA 2004 test rig up but it is not yet fully operational, still doing some config.
Is there any software out there that can route "URL" sets (to be resolved by DNS) and not IP addresses through specific default gateways on multiple external network interfaces? (This is without using static persistent routes and IPs.)
Oh, so it's a multi-NAT config with persistent routes on ISA 2004. How SAD - I thought the product would be 100% better if they are boxing it and trying to sell it off as a perimeter-based firewall. LOL. Can't even compare it to a Cisco PIX 515R.
The config also is a bit dodgy - it takes time to set this up correctly. ISA 2000 had a better method.
Regards Entigra
RE: multiple external network segments - 29.Sep.2005 11:39:00 AM
Guest
I Miss Packet Filters
RE: multiple external network segments - 30.Sep.2005 5:06:00 AM
Guest
Hi Stefaan
Yes, we all know there can only be one default gateway using ISA server.
The question was: is there any other software besides ISA (get ISA out of your head for 1 second - think out of the box) that supports multiple default gateways? I don't care if it's application or hardware based!
e.g.
1. Route URL set http://www.google.co.za/* to 196.20.30.1
2. Route http://asp.application.co.za/* to 196.56.30.34
Imagine you could actually do this within the software!
Instead of doing:
route add 66.249.85.104 196.20.30.1 /p
route add 196.34.98.65 196.56.30.34 /p
Note: This is an example. Config on 2004 - well, that's a personal preference. I prefer 2000 and not 2004, or maybe it takes some time getting used to the methods.
Packet filters:
1. Publish servers on a perimeter network
2. Run applications or other services on the ISA Server computer
3. Allow outgoing traffic from the ISA server
4. Allow access to protocols that are not based on the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)
NOTE: this is an example!
Filter type: Custom
IP Protocol: TCP; Port Number: 256; Direction: both; Local port: fixed port; Remote port: fixed port; Port number: 567
Local computer: this applies to this external ISA interface 196.23.1.34
Remote computer: 65.23.25.67
If the direction of the packet filter is both, then two rules need to be created on ISA 2004 - what a pain.
Bandwidth rules - not supported in 2004.
Site and content rules - seems everything has been lumped into access rules. That can't even give you a good overview of how the system is configured.
As I said before, maybe I just need to get used to the product.
Regards Entigra