Re: Win2k3 R2 does not route to virtual guests




Hi again.

Thanks a lot for your very informative post!

I will try this out tonight and get back to you.


-- Martin


Phillip Windell wrote:
<martin.edelius@xxxxxxxxx> wrote in message
news:1152312880.170553.40990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Philip.

1. You don't add routes. All networks are "Directly Connected
Networks",...there are no routes to add.

You need to give me some context here. Are you talking about the entire
setup, the firewall or the host?

I mean the OS Routing Table. It can be done via command prompt or via
RRAS,...either way, the same thing. Best thing to do is go to a command
prompt and type:

c:\> Route /f
Then reboot the machine. You will now have a clean (and correct) routing
table.

3. ISA is a proxy server not a router.

We use an ISA as a combined firewall/router in another setup so I'm not
sure what you base this statement on. I might have misunderstood the
job of a router (to re-route traffic between networks?).

I interpret what you are saying as that the ISA can't redirect traffic
to a device that sits on the same interface/network that the traffic
originally came from. Is this correct?

It can, but that would not be what I consider a good network design, and I'm
all about making a good design,..not making a bad design work :-). What I
actually meant was,... it doesn't route between the External and any other
Network. Yes, ISA can double as a LAN Router in the correct situation if
done correctly,..and it can route between any two networks as long as it
doesn't involve the External Network.

I think you misunderstood my setup. The best way I can explain it to
you is with the image I linked to in my original post.

You're right. I didn't see the link to the image.

After looking at the image, here's what you are dealing with (assuming ISA
is the one called "Fire-wall"):
1. The device called Host will become the LAN Router in this topology. The
Default Gateway of all the machines in both segments will become the machine
you call Host and will use the IP# of the Nic that directly faces them
respectively.

2. The device called Host will then in turn use the ISA as its Default
Gateway.

3. The ISA box needs one (only one) static route added to the OS's Routing
Table. It will be this one:
c:\> Route Add -p 192.168.0.0 mask 255.255.0.0 192.168.0.201

4. The ISA's Internal network definition will need the IP Range of all
segments added to it. Or just add 192.168.0.0 --to-- 192.168.255.255 and be
done with it. If there are multiple Active Directory Domains involved, then
all of them need to be added to the Domains Tab in the Internal Network
Definition.

5. There are no Access Rules or System Policies involved in any way at all.
In fact ISA will have absolutely nothing at all to do with any of the
traffic between these segments. ISA could be powered off and the LAN would
still function (and that is the way it should be). A well designed LAN
topology, and the routing scheme, should never be dependent on an Internet
Device for the LAN to function normally within itself,...even if the
Internet Device happens to be ISA.

There are times when ISA can double as a LAN router,...but the topology you
created here is not one of those.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
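To make the five steps above concrete, here is an added example (not from the thread or from Microsoft) that simulates the Windows longest-prefix-match routing decision on the ISA box and on Host with the tables Phillip describes, and shows what ISA does with traffic for the second segment once the single persistent route is removed. Only 192.168.0.201 comes from the post; ISA_INT, HOST_B, EXT_GW and the 192.168.1.0/24 second segment are assumptions for the demonstration.

```python
import ipaddress

# Topology reconstructed from the five points above. 192.168.0.201 (the Host
# NIC that ISA's static route points at) is from the thread; the other
# addresses are constructed assumptions.
ISA_INT = "192.168.0.1"     # assumed: ISA's Internal NIC
HOST_A = "192.168.0.201"    # from the post: Host NIC facing segment A
HOST_B = "192.168.1.1"      # assumed: Host NIC facing segment B
EXT_GW = "203.0.113.1"      # assumed: ISA's upstream (External) gateway

# Routing tables as (prefix, next hop); next hop None == directly connected.
TABLES = {
    "ISA": [
        ("192.168.0.0/24", None),     # Internal NIC's own segment
        ("192.168.0.0/16", HOST_A),   # the ONE persistent route (Route Add -p)
        ("203.0.113.0/24", None),     # External NIC's segment
        ("0.0.0.0/0", EXT_GW),        # default route towards the Internet
    ],
    "Host": [
        ("192.168.0.0/24", None),     # segment A, directly connected
        ("192.168.1.0/24", None),     # segment B, directly connected
        ("0.0.0.0/0", ISA_INT),       # Host's Default Gateway is ISA (point 2)
    ],
}
OWNER = {ISA_INT: "ISA", HOST_A: "Host", HOST_B: "Host"}

def lookup(router, dst, tables=TABLES):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in tables[router]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{router}: no route to {dst}")
    return best[1]

def trace(first_router, dst, tables=TABLES):
    """Follow next hops from a client's default gateway until the packet is
    delivered (directly connected) or leaves the LAN. Returns the hop list."""
    path, router = [], first_router
    while True:
        path.append(router)
        nh = lookup(router, dst, tables)
        if nh is None:          # directly connected network: delivered here
            return path
        if nh == EXT_GW:        # handed to the upstream gateway
            return path + ["Internet"]
        router = OWNER[nh]      # next hop is one of our own routers
```

Segment-to-segment traffic from a client whose gateway is Host never reaches ISA (point 5), while ISA only needs the /16 route to return traffic for the second segment via Host.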



