Re: Disable dynamic route entries in Windows 2003?



Please read all the way to the end before replying. Things at the end can
affect things at the beginning.

"MikeS@MLS" <MikeSMLS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F44A0757-3A99-4C4A-A2B6-55E365AD450C@xxxxxxxxxxxxxxxx
How do I prevent Windows Server from accepting RIP/OSPF route broadcasts
and creating dynamic entries in the routing table?

You don't need to stop it from doing that.

I have an ISA server with two NICs, each in a separate VLAN.

VLANs are irrelevant, a subnet is a subnet, no matter how it happens. You
have two NICs. Internal -vs- External? What? The truth makes a
difference,...be specific

I am using it to publish applications to the Internet; I want inbound
Internet traffic to hit one NIC (interface), and internal traffic to/from
the app servers to go through the other NIC (interface).

Be specific. What Applications? Doing what specifically? What Protocols?
Source coming from where? Destination being where?

At first glance, it shouldn't be a problem - except for the fact that the
networking group set both VLANs up as "internal", i.e. they can "see" all
other internal networks, and traffic can go through either VLAN anywhere on
the network.
This is a problem for ISA server, because if it detects routes to the same
destination network through two different interfaces, it disables traffic to
that destination network.

Then remove the second IP Range from the Internal Network Definition.
Create a new Network Definition that uses the other IP Range. If the two
subnets hit different NICs then they are not VLANs,...they may be VLANs
inside the Switch, but they would be Physical LANs between the Switch and
the ISA,...however if both subnets use the same patch cable and same NIC
then the NIC and its corresponding Driver need to be VLAN Aware and able to
separate the traffic correctly. Again, truth makes a difference,...so be
specific on the details

ISA picks up routes from the Windows routing
table, and since the network admins have RIP or OSPF turned on for those
VLANs, these multiple routes show up as routing broadcasts in both VLANs.

If you correctly configure the ISA machine with respect to the VLANs and the
LAN's virtual and physical topology,..the Dynamic Routes are perfectly fine.
If not then just uninstall the RIP and OSPF from the ISA box and use Static
Routes if they are needed.

I know this isn't the optimal way of doing things, but it's the only option
open to me given the limited control I have over networking resources. Any
ideas?

Ok,...if you want the cleanest, simplest, most straightforward way of doing
this:

1. Forget VLANs with respect to the ISA.

2. Run 2 NICs in the ISA,...one on the Public Side (External) and one NIC on
the LAN Side (Internal). Configure the NIC for *ONE* subnet each. The ISA
will sit on only *one* LAN Segment and have the other NIC facing the
"External world".

3. Add all the LAN's IP Ranges to the Internal Network Definition. I mean
*all*,...VLANs are irrelevant,...an IP segment is an IP segment,..it does
not matter how it came to be.

4. If the Dynamic Routing works correctly at this point then leave it
alone,...but if not then uninstall the Routing Protocols from the ISA box
and add a Static Route from the command prompt on the ISA machine that tells
it what LAN Router to use to get to any other Subnets on the LAN.
Again VLANs are irrelevant,..a Subnet is a Subnet,..it still takes a LAN
Router to get there.

5. When all that works correctly, *then* we can discuss what other things
you are trying to do,...but it is a waste of time to do that if the
foundation is not in place.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
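
Added example, not part of the original post: a Python check for the condition discussed in this thread, where the same destination network appears in the Windows routing table through two different interfaces, plus the persistent static route line for the gateway you decide to keep. The `route print` text and all addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed "route print" output (Windows 2003 column layout); addresses are made up.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.10.1       10.1.10.5      20
        10.1.10.0    255.255.255.0        10.1.10.5       10.1.10.5      20
        10.1.20.0    255.255.255.0        10.1.20.5       10.1.20.5      20
         10.2.0.0      255.255.0.0        10.1.10.1       10.1.10.5       3
         10.2.0.0      255.255.0.0        10.1.20.1       10.1.20.5       3
        224.0.0.0        240.0.0.0        10.1.10.5       10.1.10.5      20
        224.0.0.0        240.0.0.0        10.1.20.5       10.1.20.5      20
Default Gateway:         10.1.10.1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # headers, separators, "Default Gateway:" line
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gw, iface = fields[2], fields[3]
            ipaddress.ip_address(gw)
            ipaddress.ip_address(iface)
            routes.append((net, gw, iface, int(fields[4])))
        except ValueError:            # five fields, but not a route row
            continue
    return routes

def multi_interface_destinations(routes):
    """Map each destination reachable through more than one interface to its paths."""
    paths = defaultdict(set)
    for net, gw, iface, _metric in routes:
        # Multicast and limited-broadcast rows exist once per NIC by design.
        if net.is_multicast or str(net) == "255.255.255.255/32":
            continue
        paths[net].add((iface, gw))
    return {net: sorted(p) for net, p in paths.items()
            if len({iface for iface, _ in p}) > 1}

def static_route_command(net, gateway):
    """Persistent static route (route -p add) for the one gateway you keep."""
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"

if __name__ == "__main__":
    for net, p in multi_interface_destinations(parse_routes(SAMPLE)).items():
        print(net, "via", p)
```

Feed it the saved output of `route print` from the ISA machine; any network it reports is one the routing table reaches through both NICs.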

