Re: RES: RE: Two external interface internet (Routi ng)

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 18 May 2004 17:56:31 -0400

You can run a script as a service. From that script, you can add routes, check 
health of each ISP connection or multiple external smarthosts, failover (or 
back), send status messages or email, change services (like published Citrix or 
smtp smart host), or resolve DNS queries differently (assuming you publish your 
DNS).

Ex:
1st ISP IP: 100.1.1.10
2nd ISP IP: 200.1.1.10

You assign both IPs to ISA.  
Your 1st ISP is the default, so the default gateway is 100.1.1.1.
route delete 200.1.1.0 (to get to perimeter servers you may have to delete 
backup subnet route)


To add routes to perimeter servers:
route add 200.1.1.5 mask 255.255.255.255 200.1.1.10 (note-use the secondary ISA 
IP as the interface)

To add routes to networks that vpn into external firewall:
route add 300.1.1.0 mask 255.255.255.0 200.1.1.1 (note-use the 2nd ISP gateway)



To use failover in script:
1)ping external host (ping.symantec.com for instance)
2)add route to different external host, through 2nd ISP. Ping this host. Remove 
route
If 1) is down, and 2) is up, use netsh exec %standby%.nsh; where standby is 2nd 
network (if 1 comes back up, can switch back, and then standby is 1st network).
The NSH file is something like:
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
# Interface IP Configuration for "External"
set address name = "External" source = static addr = 200.1.1.10 mask = 255.255.255.0
add address name = "External" addr = 100.1.1.10 mask = 255.255.255.0
set address name = "External" gateway = 200.1.1.1 gwmetric = 1
set dns name = "External" source = static addr = dns server on 200 network
set wins name = "External" source = static addr = none
popd
# End of interface IP configuration

You can also failover services (for example, published Citrix servers or smtp 
smart hosts):
If publishing Citrix servers, add following to script:
altaddr /server:xxxx /set %CitrixAddr%; where CitrixAddr is the current 
external interface (100.1.1.10 or 200.1.1.10)

If sending mail to a smart host on the perimeter network, you'll need ADSI:

' Bind to the SMTP connector object with ADSI and point it at the standby smart host
Set objSHAttrib = GetObject("LDAP://CN=xxx,CN=Connections,CN=xxx,CN=Routing Groups," & _
    "CN=xxx,CN=Administrative Groups,CN=xxx,CN=Microsoft Exchange," & _
    "CN=Services,CN=Configuration,DC=xxx,DC=xxx,DC=com")
' An IP address smart host is written in square brackets
objSHAttrib.Put "msExchSmtpSmartHost", "[200.1.1.5]"
objSHAttrib.SetInfo

You can then use ADO to enumerate your DC's and iadstools to replicate the 
change.

Set objReplIads = CreateObject("IADsTools.DCFunctions")
objReplicate = objReplIads.ReplicaSyncAll(CStr(arrReplServer(X)), CStr("CN=Configuration,DC=xxx,DC=xxx,DC=com"))

where arrReplServer is an array listing the DCs.
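
The probe-and-switch loop described above, written out as an added example (this is not code from the original post or from the ISA Server product). It does what the post outlines: pin a host route to a probe host through each ISP's gateway, ping it, remove the route, and run `netsh exec <file>.nsh` when the verdict changes. It adds one thing a practitioner running this as a service will want: a consecutive-failure threshold, so a single lost ping does not flip the default gateway back and forth. The addresses, probe hosts (198.51.100.x, a documentation range) and the file names `primary.nsh` / `standby.nsh` are constructed assumptions; the `.nsh` files themselves are the netsh dumps the post shows.

```python
"""ISP failover decision logic for a two-ISP ISA external interface.

Added example, not code from the original post. It implements the loop the
post describes (probe each ISP, switch with `netsh exec <file>.nsh`) and adds
a consecutive-failure threshold so a single lost ping does not flip routing.
All addresses, probe hosts and file names below are constructed assumptions.
"""
import platform
import subprocess
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Isp:
    name: str
    local_ip: str    # address on the ISA external NIC for this ISP
    gateway: str     # this ISP's router
    probe_host: str  # external host reached through this ISP for the health check
    nsh_file: str    # netsh dump that makes this ISP the default gateway


# Constructed values; 198.51.100.0/24 is a documentation range, not real probe hosts.
PRIMARY = Isp("primary", "100.1.1.10", "100.1.1.1", "198.51.100.1", "primary.nsh")
STANDBY = Isp("standby", "200.1.1.10", "200.1.1.1", "198.51.100.2", "standby.nsh")
ISPS = {PRIMARY.name: PRIMARY, STANDBY.name: STANDBY}

# Windows ping takes -n/-w; POSIX ping takes -c/-W (only relevant when run for real).
PING_FLAGS = "-n 3 -w 1000" if platform.system() == "Windows" else "-c 3 -W 1"


def probe_commands(isp):
    """Pin a host route to the probe host through this ISP's gateway, ping it,
    then remove the route again: the check the post describes for the 2nd ISP,
    applied to both ISPs so each is tested independently of the default route."""
    return [
        f"route add {isp.probe_host} mask 255.255.255.255 {isp.gateway}",
        f"ping {PING_FLAGS} {isp.probe_host}",
        f"route delete {isp.probe_host}",
    ]


def probe(isp, run):
    """Run the probe through `run(cmd) -> bool` and report reachability."""
    add, ping, delete = probe_commands(isp)
    run(add)
    try:
        return run(ping)
    finally:
        run(delete)  # never leave the temporary host route behind


def decide(active, primary_up, standby_up):
    """Which ISP should carry the default route. Primary wins whenever it is up;
    fail over only to a standby that actually answered; if both probes failed,
    keep the current choice rather than flap."""
    if primary_up:
        return PRIMARY.name
    if standby_up:
        return STANDBY.name
    return active


class FailoverState:
    """Tracks the active ISP and how many consecutive cycles disagreed with it."""

    def __init__(self, threshold=3):
        self.active = PRIMARY.name
        self.pending = 0
        self.threshold = threshold


def step(state, primary_up, standby_up, run):
    """One polling cycle. Switches only after `threshold` consecutive cycles
    point at a different ISP. Returns the commands executed (empty if none)."""
    target = decide(state.active, primary_up, standby_up)
    if target == state.active:
        state.pending = 0
        return []
    state.pending += 1
    if state.pending < state.threshold:
        return []
    cmds = [f"netsh exec {ISPS[target].nsh_file}"]
    for cmd in cmds:
        run(cmd)
    state.active = target
    state.pending = 0
    return cmds


def run_shell(cmd):
    """Real runner: execute on the host and report success by exit status."""
    return subprocess.run(cmd, shell=True, capture_output=True).returncode == 0


if __name__ == "__main__":
    state = FailoverState()
    while True:
        switched = step(state, probe(PRIMARY, run_shell), probe(STANDBY, run_shell), run_shell)
        if switched:
            print(f"failover: now using {state.active}")  # hook for a status mail
        time.sleep(60)
```

The runner is injected so the decision logic can be exercised without touching the routing table; in production `run_shell` executes the same `route`, `ping` and `netsh exec` commands the post lists. Anything else the post switches on failover (the `altaddr` update for Citrix, the smart-host ADSI write) belongs in the same place where `netsh exec` is issued, so that one cycle changes routing and published services together.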



  ----- Original Message ----- 
  From: "UNE-Alexey Fernandez, Administrador de Red" <alexeyf@xxxxxxxxx>
  To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>; 
<jschwarzkopf@xxxxxxxxxx>
  Sent: Tuesday, May 18, 2004 3:56 PM
  Subject: RE: [isalist] Re: RES: RE: Two external interface internet (Routi ng)



  Hi Jay:

  I was looking around my "database" of messages in the ISA Server List,
  working around the issue of configuring multiple subnets in the external
  interface of an ISA Server 2000; so that I can route all traffic to one
  network destination by one ISP and all the other traffic to the other ISP.
  So I found this answer of yours. But I have a doubt about this answer.
  You said: " Add a route on your ISA server for only the 222.222.222.0
  network."
  I need to know: Where to add this route? Windows 2000 routing table?

  Thanks in advance
  Lic. Alexey Fernandez Suarez.


  -----Original Message-----
  From: Jay [mailto:jschwarzkopf@xxxxxxxxxx] 
  Sent: Monday, December 01, 2003 12:18 PM
  To: [ISAserver.org Discussion List]
  Cc: fabriciotose@xxxxxxxxxxxx
  Subject: [isalist] Re: RES: RE: Two external interface internet (Routing)

  http://www.ISAserver.org

  They're wrong.  It's actually pretty easy to do.

  If I understand you correctly, all traffic should go through one ISP, except
  that traffic destined for x.y.z.0 network.  This might be useful if you
  wanted to dedicate an entire ISP bandwidth to a private remote office vpn
  for example.

  Join both ISP networks and your external nic into a switch.
  Add a second IP address to your external nic.
  Leave the default gateway on the primary IP.
  Add a route on your ISA server for only the 222.222.222.0 network.


  We've had this configuration with a failover script for 2 years.  Actually
  with 5 remote offices vpn'd to external firewalls.
