Re: "Backwards" Default Gateway on ISA?




It can work.
The key to this deployment is that it never speaks to the Internet, so the
local and remote routes are clearly defined.
Is there a single internal router that handles all the internal networks?
If so, then it can be the default gateway.
The key to this deployment is that you should:
1. Make sure that no network falls into the "External" range, because ISA
treats the External network differently than all others. You can accomplish
this by ensuring that all possible subnets are accounted for in the
remaining networks.
2. Use a separate interface and create a network definition for each local
connection (internal, net1, net2, etc.) until there are no networks
remaining.

Basically, the goal is to leave the External network "hanging in space".
This also means that you can never use "External" in any rule definition.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"MikeS@MLS" <MikeSMLS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:999E2B45-0100-4C0C-9AEB-F8738475837E@xxxxxxxxxxxxxxxx
Thanks, Phillip. I thought of that, but...

1. One reason for some of the NAT linkages between networks is because
several of the companies use overlapping private ranges (usually in the
172.x.x.x range). So a blanket route won't work, and I will have to
occasionally talk to a NAT address if the server I'm publishing is on another
network with NAT in between us.

2. What I know <today> is that all but a handful of private addresses are
viable on the Internal Network. That may not be true tomorrow, and if it
changes then I'd have to break up the supernet static routes (assuming the
network admins in the mothership let me know when they make such changes).

3. This array will NEVER be used to provide internal client access to the
Internet (or elsewhere, for that matter). They will simply be used for
solution publication, URL abstraction, maybe ISA-based web server NLB (in the
future), and maybe ISA-based SSO for published apps (in the future).
Regardless, though, all traffic handled by this array will be <inbound> to
published servers. I have no need to worry about ISA knowing where to send
traffic for an internal connection request to joetheplumber.com. Won't
happen, so using the external DG is pointless.

4. I politely beg to differ on it working. Currently, it DOES work, for
how we want to use it. I have a test array, with NLB, set up exactly as I've
described. I've published several web apps (including Sharepoint and normal
ASP.NET apps) to the Internet, and it works. My main question is whether or
not there are any problems, pitfalls, or other issues with this configuration
that I need to know about.

If it works, but it's fragile or unstable, then I need to know that <now>
and look for another path (such as the one you suggested). I'd rather claw
my eyes out than try to keep up with all the internal network changes via
static routes, so I was hoping my current solution would work with little or
no issue.

In the end, all I'm really doing is telling the array to look <inward>
instead of <outward> for routes to any IP addresses that aren't specifically
handled by the Windows routing table. Is that likely to cause a problem? If
so, what are they?

Unless there are identifiable negatives to using this configuration (with
unacceptable consequences), it's what I'd prefer to do. I just thought I'd
bounce the idea out here and let others tell me what I might expect from
doing an "outside-in" DG configuration (that's what someone on another ISA
forum called it).

Thanks for your reply.

Mike


"Phillip Windell" wrote:

"MikeS@MLS" <MikeSMLS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AF0D81EA-196E-44DC-BF11-F058746944B5@xxxxxxxxxxxxxxxx
Okay, I know the conventional wisdom for configuring ISA servers with
multiple NIC's is to enable the DG on the EXTERNAL interface, and build
routing rules for all internal networks that fall in the "network behind a
network" category.

Granted, that works for a traditional ISA deployment where the array is most
likely providing internal user connectivity to the 'net, and inbound VPN and
publishing rules.

However, I am thinking about reversing that paradigm and putting the DG on
the INTERNAL interface, and building routing rules to the outside world.
Why?

1. Our internal network is not homogeneous, in that we have several
business units that use differing (or even incompatible) internal address
ranges. Some are NAT'd, some are directly routed. Our Network folks have
done a good job connecting all our company networks together and making the
interconnects work, but it would be an absolute PITA to try and define all
these "networks behind a network" as static routes on the ISA boxes.

Supernet them.
Just 3 routes can cover all of the possible RFC Private Ranges.

192.168.0.0 255.255.0.0
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0

NATed ones are irrelevant,...ISA is never going to ever see or interact with
those.

Use the same technique on any sequential non-RFC Range as well.
Use the same pattern in the ISA Internal Network Definition
I don't believe this is going to be a PITA,...once it is done, it is
done,..it isn't something you have to keep changing all the time.

Are there any drawbacks, problems, or other "gotchas" I
have to worry about in reversing this accepted best practice?

Yea,...it just won't work.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
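Jim's advice to keep defining networks until nothing is left for "External", and Phillip's claim that three supernet routes cover every RFC 1918 range, can both be checked mechanically. The Python below is an added example, not code from any poster in this thread; the gateway 10.1.1.1 in the `route add` output is a constructed placeholder.

```python
import ipaddress

# Phillip's three supernet routes, as CIDR (constructed from his post).
SUPERNETS = [ipaddress.ip_network(n) for n in
             ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
# The RFC 1918 private ranges those routes are meant to cover.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def uncovered(defined, universe=None):
    """Address space in `universe` (default: all of IPv4) that no network in
    `defined` covers. For ISA network definitions this is exactly what ISA
    would classify as External; for a routing table it is what falls to the
    default gateway."""
    remaining = list(universe) if universe else [ipaddress.ip_network("0.0.0.0/0")]
    for net in defined:
        new = []
        for r in remaining:
            if r.subnet_of(net):          # fully covered: drop it
                continue
            if net.subnet_of(r):          # partially covered: keep the rest
                new.extend(r.address_exclude(net))
            else:                         # CIDR blocks that don't nest are disjoint
                new.append(r)
        remaining = new
    return sorted(set(remaining))


def would_be_external(defined, address):
    """True if `address` lies outside every defined network."""
    ip = ipaddress.ip_address(address)
    return not any(ip in n for n in defined)


def route_add_commands(nets, gateway, persistent=True):
    """Windows `route add` lines (persistent with -p) for each network."""
    flag = "-p " if persistent else ""
    return [f"route {flag}add {n.network_address} mask {n.netmask} {gateway}"
            for n in nets]


if __name__ == "__main__":
    print("RFC 1918 space not covered by the supernets:", uncovered(SUPERNETS, RFC1918))
    print("Left as External when only the private nets are defined:")
    for n in uncovered(RFC1918):
        print("  ", n)
    for cmd in route_add_commands(SUPERNETS, "10.1.1.1"):
        print(cmd)
```

Feeding your real ISA network definitions into `uncovered()` tells you whether anything is still "hanging in space" as External before a rule ever depends on it.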



