Re: using my ISA for some routing
- From: "Alex" <nospam@xxxxxxxxx>
- Date: Mon, 21 Apr 2008 16:13:46 +0100
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:uuAvVy7oIHA.2636@xxxxxxxxxxxxxxxxxxxxxxx
> "Alex" <nospam@xxxxxxxxx> wrote in message
> news:%23OrinB6oIHA.5836@xxxxxxxxxxxxxxxxxxxxxxx
> > Currently my users' default gateway is my WAN router and for access to the
> > internet they're using my ISA 2006 server as a proxy server by specifying
> > it in Internet Explorer's proxy settings (done by GPO).
>
> GPO for this is a bad deal. It cannot properly handle machines that
> travel,..like laptops.

Yeah, you hit the nail on the head as to why I wanted to drop proxy.

> > I'd like to move away from using the proxy settings (for various reasons)
> > and set my ISA 2006 server as the users' default gateway so they have
> > direct internet access, however I still need them to access machines in
> > other offices over the WAN ...
>
> I don't know why you would want to go "backwards" in security and control.
> SecureNAT Clients cannot authenticate, therefore all Access Rules must be
> anonymous.
>
> > I don't really want to fiddle and add manual routing entries for every
> > user, so is it possible to tell ISA 2006 server that when it sees
> > traffic for IP address ranges that match my other offices (they are
> > defined as internal) to pass it on to my WAN router and what sort of
> > area of ISA 2006 should I be looking to implement this?
>
> Impossible to answer. SecureNAT functionality is based on the LAN's
> Routing Scheme (I should say the *correctness* of it),...it is not based
> on making the ISA the Default Gateway of Clients,...that is only in
> "simple" single-subnet LANs.
>
> Requires 2 things:
> 1. I need to know and understand the LAN's Routing Scheme
> 2. You need to be willing to change the Routing Scheme if it is not
> optimal.
>
> Or...
>
> Forget the whole SecureNAT, configure the LAN for Proxy Auto-detection
> via WPAD and install the Firewall Client on the machines. This is the
> best option, the most flexible, requires no topology change, requires no
> routing changes, and will automatically adjust for clients that travel.

It's a small company (30 office users at this location, 100 remote users). I
am running a very simple LAN on a single 255.255.255.0 subnet connected to
two other offices also running simple LANs on different single subnets via
a Cisco PIX router on a site-to-site VPN connection.

I'm not that fussed about outgoing authentication, so can't really see a
problem with setting the ISA as a default gateway. I wanted to avoid ever
using the Firewall client.

I may look at it the other way and just use the Cisco PIX as my gateway and
leave the ISA2006 server for web publishing and incoming RSA VPN. I wanted
to avoid using the PIX as much as possible though because although I've
managed to stumble through some set-up by searching the web, I find it a lot
easier to do stuff on the ISA2006 :) This Cisco PIX does currently work as
a default gateway, but I really wanted some sort of logging and to lock down
certain sites and services which I've found very easy to do in ISA2006.