Re: ISA 2006 configuration question - multiple VLANs and domains
- From: j_crum@xxxxxxxxxxx
- Date: 12 Jan 2007 07:55:58 -0800
Phillip,
Thank you for the reply, but it didn't really answer my question. I'm
very familiar with network segments vs. domains et al.
The IP addresses in this case are of paramount importance due to legal
regulations. When I mentioned DHCP, I wasn't referring to running DHCP
on the ISA server. Perhaps it's best expressed like this: can a
multihomed ISA 2006 server forward a DHCP request to the proper VLAN
based on the user's authentication credentials? From what I've found so
far my guess is no, which means we'll be looking at another product
(probably a Cisco 3080 VPN concentrator since we have an extra one not
in use within the company) or two separate ISA 2006 servers which would
probably be over budget for this project.
Jennifer_C
Phillip Windell wrote:
> <j_crum@xxxxxxxxxxx> wrote in message
> news:1168552117.970292.104280@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > I was thinking of purchasing and installing ISA 2006 for a remote
> > access solution for my office, but I'm not sure it can do what we need
> > it to.
>
> ISA is a Firewall Product designed to protect a network from the Internet.
> Being a Remote Access device or a LAN Router is a "side-job" for ISA.
> Keep that in mind.
>
> > We have two logical networks, let's say 10.1.x.x and 10.2.x.x, with two
> > domains; domain1 and domain2 (both 2003 AD). Due to ACLs set on our
> > router, domain1 (10.1.x.x) can talk freely to domain2 (10.2.x.x), but
> > domain2 is restricted from certain ports and servers when talking to
> > domain1.
>
> We need to clear the air about Domains. Domains have absolutely nothing to
> do with Network segments. You can have 200 network segments with 125 LAN
> Routers and still have one Domain. You could also have 150 different AD
> Domains and have all of it on one single Network segment. There is just
> simply no relationship between the two at all. Until you train yourself to
> think in these terms you will find yourself building bad networks with bad
> topology designs. I'm not saying yours is bad,...I'm just stating this as a
> principle.
>
> Domains may parallel the Segments, but that is because Segments may follow
> the geography and the Domains may follow "Offices" which may also follow
> geography,...but the Domains still have nothing to do with Network Segments.
>
> > This hypothetical ISA 2006 server would be multi-homed to exist on both
> > logical networks.
>
> No. The LAN Router between the two segments keeps doing the same job it is
> already doing. The ISA would be multi-homed with one NIC facing the Internet
> and the other facing *one* of the LAN Segments,...it should be whatever LAN
> Segment is the most logical *physical* situation (Domains are irrelevant to
> ISA's physical location).
>
> The ISA would contain a Static Route in the OS's Routing Table that tells it
> to use the LAN Router as the "path" to get to the opposite Network Segment
> (domains are irrelevant). The ISA would contain *all* the IP Ranges used on
> the *whole* LAN in its Internal Network Definition. It would also contain
> *all* the AD Domain Names used on the LAN within the Domains Tab found in
> the Internal Network Definition.
>
> Every machine on the LAN (except ISA) would use the LAN Router as the
> Default Gateway.
>
> The LAN Router would use the ISA as its Default Gateway.
>
> > There is a trust between the two domains as well,
> > both ways. This ISA server would probably be a member of domain1.
>
> Trusts do not dictate individual permissions,...the Trust is either both
> directions or it is not. If it is both ways then the two Domains behave as
> one single Domain and it does not matter which Domain ISA is in.
>
> > Ideally, what I would like to do is have the ISA 2006 server DHCP for
>
> No. Never. Do not install DHCP on ISA. The Domain Controllers usually run
> DNS, WINS, and DHCP,...or it is a standalone Server by itself. The LAN
> Router forwards DHCP Queries to the DHCP Server from the opposite Segment.
> The DHCP Server would be configured with a separate, single, independent
> Scope for each Segment. (No Superscopes!)
>
> > the right network based on the user's credentials they authenticate with
> > and not allow a user from domain2 to talk to domain1,
>
> No. This is important. The way you picture things in your mind is
> everything. Users do not "talk" to Domains,...they "authenticate" for
> particular resources on particular servers that provide the resources they
> want. This means it is the job of the server or the device that provides the
> service. Web Servers control access to Websites, Mail Servers control
> access to email services, SQL Servers control access to SQL Databases. LAN
> Routers with ACLs control access between LAN Segments. Firewalls & Proxies
> control access to/from "over-all" networks.
>
> The LAN Router that sits between the Segments (not Domains) can run ACLs to
> restrict the flow of traffic between the segments based on Protocols,
> Sources, and Destinations. ISA can double as a LAN Router if you throw out
> the LAN Router and physically replace it with the ISA, but you have to have
> a really "clear head" about what you are doing and be prepared to deal with
> a very heavily over restricted setup that will only allow the very specific
> things you tell it to allow. When ISA doubles as a LAN router it is
> possible to control access between the segments with user accounts, which a
> normal router can't do, but then be prepared for everything that is subject
> to that to be running as either a Firewall (Winsock) Client or as a Web
> Proxy Client. I don't know anyone who has done this, but whoever they are
> had better be really good at it.
>
> > I know this might sound a little esoteric, so let me give a scenario
> > that I'd like to have as a final result.
> > user1 has an account in domain1. He connects to the ISA 2006 (within
> > domain1) server (via PPTP). The ISA server authenticates him and gives
> > him the correct IP address for his network - 10.1.x.x.
> > user2 connects to the same ISA 2006 server in domain1 and authenticates
> > to domain2 (there's a trust between these domains, so I don't think
> > this will be an issue). user2 receives the correct IP for his network -
> > 10.2.x.x.
>
> The IP#s the users receive are totally irrelevant.
>
> User1 connects to ISA/VPN. He authenticates to the Domain his account is
> member of. He can reach the specified LAN Location (Layer3) using the
> specified Protocol (Layer4) according to the ISA Access Rules that are
> Applied.
> User2, same thing.
> User3, same thing.
>
> The Access Rules for them follow this pattern:
> Source: VPN Clients Network (It is always this)
> Destination: <whatever is specified, Network Objects, Subnets, or IP#s>
> Protocol: <whatever is specified, http, https, ftp, whatever>
> Users: <whatever is specified, most likely a User Object containing a
> specific Group>
>
> You can have multiple Access Rules to cover each situation. ISA reads the
> Rules from the "top - down". Whichever Rule matches the situation first,
> "wins" and that is the Rule that is applied. Only one Rule ever gets used at
> a time.
>
> The first two links in my signature may be helpful.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> The views expressed are my own (as annoying as they are), and not those of
> my employer or anyone else associated with me.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> Deployment Guidelines for ISA Server 2004 Enterprise Edition
> http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
> -----------------------------------------------------
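The Source / Destination / Protocol / Users rule pattern and the "top-down, first match wins" processing that Phillip Windell describes in the quoted reply is the part of this thread that actually decides whether a domain2 VPN user can reach the domain1 segment. The following is an added illustration, not ISA Server's own engine or admin API and not code from anyone in the thread: a small first-match evaluator over rules of that shape, plus a check for rules that can never fire because a broader rule sits above them. The rule names, group names and addresses are constructed for the example, and the trailing implicit deny stands in for the default deny rule at the bottom of an ISA rule list.

```python
"""First-match access-rule evaluation in the ISA style (illustrative, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    source: str               # source network object, e.g. the VPN Clients Network
    destination: str          # destination CIDR, or "*" for any destination
    protocols: FrozenSet[str] # protocol names, or {"*"} for any protocol
    users: FrozenSet[str]     # group names, or {"*"} for all authenticated users


@dataclass(frozen=True)
class Request:
    source: str
    dest_ip: str
    protocol: str
    user_groups: FrozenSet[str]   # groups the authenticated VPN user belongs to


def matches(rule: Rule, req: Request) -> bool:
    """True when every field of the rule covers the request."""
    if rule.source != req.source:
        return False
    if rule.destination != "*" and ip_address(req.dest_ip) not in ip_network(rule.destination):
        return False
    if "*" not in rule.protocols and req.protocol not in rule.protocols:
        return False
    if "*" not in rule.users and not (rule.users & req.user_groups):
        return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Top-down, first match wins; anything unmatched falls to an implicit deny
    (modelled on the default deny rule at the bottom of the list)."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule (implicit deny)"


def _covers_set(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    return "*" in outer or ("*" not in inner and inner <= outer)


def _covers_dest(outer: str, inner: str) -> bool:
    if outer == "*":
        return True
    if inner == "*":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def shadowed_by_earlier(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule is a superset
    on every field: the classic 'broad allow above a narrow deny' ordering bug."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.source == later.source
                    and _covers_dest(earlier.destination, later.destination)
                    and _covers_set(earlier.protocols, later.protocols)
                    and _covers_set(earlier.users, later.users)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample rule set for the two-segment scenario in the thread.
VPN = "VPN Clients Network"
ANY = frozenset({"*"})
D1_USERS = frozenset({"domain1\\VPN Users"})
D2_USERS = frozenset({"domain2\\VPN Users"})

DENY_D2_TO_D1 = Rule("Deny domain2 users to domain1 segment", "deny", VPN, "10.1.0.0/16", ANY, D2_USERS)
ALLOW_D1 = Rule("Allow domain1 users to domain1 segment", "allow", VPN, "10.1.0.0/16", ANY, D1_USERS)
ALLOW_WEB_D2 = Rule("Allow all VPN users web to domain2 segment", "allow", VPN, "10.2.0.0/16",
                    frozenset({"http", "https"}), D1_USERS | D2_USERS)
ALLOW_ALL_D1 = Rule("Allow all VPN users to domain1 segment", "allow", VPN, "10.1.0.0/16", ANY, ANY)

GOOD_ORDER = [DENY_D2_TO_D1, ALLOW_D1, ALLOW_WEB_D2]
BAD_ORDER = [ALLOW_ALL_D1, DENY_D2_TO_D1, ALLOW_WEB_D2]   # broad allow placed above the deny

# Constructed requests: user1 is in domain1, user2 in domain2.
USER1_TO_D1 = Request(VPN, "10.1.5.10", "http", D1_USERS)
USER2_TO_D1 = Request(VPN, "10.1.5.10", "http", D2_USERS)
USER2_TO_D2 = Request(VPN, "10.2.7.3", "https", D2_USERS)
USER2_FTP_D2 = Request(VPN, "10.2.7.3", "ftp", D2_USERS)

if __name__ == "__main__":
    for label, req in [("user1->10.1", USER1_TO_D1), ("user2->10.1", USER2_TO_D1),
                       ("user2->10.2 https", USER2_TO_D2), ("user2->10.2 ftp", USER2_FTP_D2)]:
        print(label, evaluate(GOOD_ORDER, req), "| bad order:", evaluate(BAD_ORDER, req))
    print("shadowed in BAD_ORDER:", shadowed_by_earlier(BAD_ORDER))
```

With the deny placed first, user2's request to the domain1 segment stops at that rule while user1's passes it (the Users field does not match) and lands on the allow below; in the bad ordering the unrestricted allow matches user2 first and the deny below it is dead, which is exactly what `shadowed_by_earlier` reports. The request for ftp to the domain2 segment matches nothing and falls to the implicit deny.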