> "If you want multiple "default gateways" then use RainConnect."

Or set up your routing table manually? Would this work? For example, if I have voice/video-extensive traffic to some Internet IP range, it's easy to divide Internet traffic manually with "route -p", so I can offload the default gateway. This would be multiple Internet connections on one ISA server. Is this correct?

If this is correct, then I was thinking that once the ISA proxy gets an HTTP connection which is not yet resolved, it would be kind of easy to make a plugin which will simply add the best route to the fastest Internet connection for that IP, and after traffic to that IP decreases/stops the route will be removed from the routing table... This would easily load balance ISA web traffic between more ISPs' Internet connections.

My question however is: does ISA 2004 add something "hidden" to the WS2k3 routing table? Or can we use it as it was intended without ISA?

With regards,
David Farinic

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, January 25, 2005 3:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

Hi Dan,

External Networks are not necessarily Internet Networks; they're just not internal Networks (note that I'm not using a capital "I"). Get our book. It will make everything crystal clear regarding what a network is, what a Network is, what internal is, what Internal is, what external is and what External is.

Protected Networks are those that are not part of the default External Network (capital E and capital N).

You can have only a single default gateway, which is the route of last resort, which most people think of as their "Internet" connection, although you can have as many Internet connections as you like, as long as the ISA firewall has routes to the destinations reached through those connections. If you want multiple "default gateways" then use RainConnect.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Monday, January 24, 2005 11:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

I must apologize if I am offending you; by no means do I wish to "argue". I ask these questions not to antagonize, but because I don't have a clear answer. I find it disconcerting that someone so prominent in the field says what I have won't work, and I cannot understand why. If true, then I have to completely re-design my entire network...

Let me explain this a bit further so you can hopefully understand why I find this topic confusing... First, to respond to a couple of points in the last e-mail:

- Using the same "service provider": The two external networks I have are completely separate: separate providers, separate IP ranges, even different domain names. These two networks cannot even reach each other without traveling halfway across the US and back. The only connection between the two is geographical location, and the fact that they are both connected to the same ISA server. Hence, the only same "service provider" involved is my ISA box.

- Have I read the manual?: You betcha. I've read every manual I could find on this long before I started, all the whitepapers I could find, every bit of marketing "spew" (I love that term!) I could find, darn-near every KB article, and the official Microsoft course book for the ISA server class (tried to take the class also, but it was cancelled). Damn, can that stuff put you to sleep! But let's ignore that part for now; it's mostly irrelevant.

Please bear with me as I retrace my line of thought on this to see if you can follow where I'm coming from. Whenever possible, I will copy it verbatim to avoid paraphrasing.

First of all, I ditched the ISP term, since it causes so much confusion...

To start this quest, I first looked up what a "network" is...

Quote: From an ISA Server perspective, a network is a rule element, which can contain one or more ranges of Internet Protocol (IP) addresses. Networks include one or more computers, typically corresponding to a physical network.

That didn't really answer a lot, but it was a start. The next question was "how many" networks ISA 2004 supports. I found that referenced all over the place, referred to as Multi-networking, a new feature in ISA 2004.

Quote: You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks, and not necessarily relative to a given Internal network. Whereas in ISA Server 2000, all traffic was inspected relative to a local address table (LAT) that included only address ranges on the Internal network, ISA Server 2004 extends the firewall and security features to apply to traffic between any networks.

>Note the phrase "traffic between any networks".<

But that didn't really answer my question about "how many", so I looked some more, and found this one:

Quote: ISA Server 2004 supports multi-networking. This means that you can configure an unlimited number of networks on ISA Server.

So, at this point, we know we can create an unlimited number of internal, external, or perimeter networks. (When you run the New Network wizard, it will ask you if it is one of these three.) Now to figure out what each network is defined as.

Quote: Throughout this Quick Start Guide, we will refer to internal and external interfaces. The internal interface is the Ethernet card or modem connecting the ISA Server 2004 firewall computer to your private network or LAN. The external interface is a network interface connecting you to the Internet.

Now we know that Internal networks are your private network, and External networks are "Internet" networks.

At this point, it's still a little ambiguous, so I looked some more. I noticed that many of the documents used the phrase "External Network (Internet)" whenever referencing an External network, but it still wasn't clear enough.

Quote: ISA Server 2004 considers all networks that are not the External network to be protected. All networks comprising the External network are unprotected. Protected networks include the VPN Clients network, the Quarantined VPN Clients network, the Local Host network, the internal network, and perimeter networks. The Internet is the primary External network; although, partner networks and extranets to which protected clients connect can be considered External networks.

Okay, now this one explains the External=Internet reference a bit more, and also defines the Protected network reference. This makes sense: your internal, private network is "protected", and everything else is "unprotected". (Come to think of it, I can't think of a much better description of the Internet.)

So, now we can summarize it as such...

- We can create an unlimited number of Internal, Perimeter, or External networks.
- We can route traffic and set different policies between any/all of these networks.
- Your local, private network is an Internal network, and the Internet is the primary "external" network, but not necessarily the only one.

Far, far beyond a "remote hint", it seems (to me, anyways) that all the reference material pretty much comes right out and tells you that you can create an unlimited number of Internet (external, unprotected) networks, and route traffic between them. This is taken directly from the Microsoft literature, so it is not simply something I made up. But that still doesn't explain why it seems like a bombshell of a concept to the professionals in the business, so I looked further, everywhere I could find over the last two days, for some reference saying "No, you cannot create more than one Internet connection in ISA 2004".

Unfortunately, I could not find any reference whatsoever to that idea, no matter where I looked. I remember when I tried creating multiple external networks in ISA 2000 a couple of years ago. It took me a couple of hours, but I finally found a KB article that came right out and said, "there can be only one". That is not the case with ISA 2004 though; in fact, it's just the opposite. Everywhere I look, it says either Multiple or Unlimited connections.

So, hopefully you can follow my ramblings, and can see why I keep asking "why?", or maybe it would be better described as "why not?". Please give me a good answer on this so I can stop waking up in the middle of the night thinking about it (my wife will be pleased about this part also)...

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, January 22, 2005 19:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

Fine; let's clarify it for you, then: "ISA does not support multiple connections to the Internet". The fact that you can create a special routing circumstance between distant entities via the same "service provider" does NOT fall into the "multiple Internet connection" category. None of the ISA marketing spew even remotely hinted at being able to use multiple Internet connections. "External" networks (if you actually read the documentation that shipped with ISA) refers to "non-protected networks".
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
This mail was checked for viruses by GFI MailSecurity.
GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com
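The routing point made in this thread (one default gateway as the route of last resort, with more specific static routes sending chosen destination ranges out a second link) comes down to longest-prefix matching in the host routing table. The following is an added example, not code from anyone in the thread: it models that lookup, emits the persistent `route -p ADD` command syntax David mentions for each static route, and shows what happens if you try to install a second 0.0.0.0/0 route. The ISP names, gateway addresses and destination ranges are assumptions for the example (RFC 5737 documentation addresses), and nothing here touches the real Windows routing table.

```python
"""Longest-prefix-match lookup over a static routing table (added example).

Models the Windows Server 2003 routing table discussed in the thread: one
default gateway (0.0.0.0/0, the route of last resort) plus specific static
routes that steer selected destination ranges out a second ISP link.
All addresses are RFC 5737 documentation ranges chosen for this example;
the interface names "ISP-A"/"ISP-B" are assumptions, not from the thread.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: str
    metric: int = 1


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def add(self, prefix, gateway, interface, metric=1):
        # strict=True rejects a prefix with host bits set (e.g. 10.1.2.3/24),
        # the same mistake route.exe refuses with "The parameter is incorrect".
        r = Route(ipaddress.ip_network(prefix, strict=True),
                  ipaddress.ip_address(gateway), interface, metric)
        self.routes.append(r)
        return r

    def remove(self, prefix):
        # Remove every route for this exact prefix; returns how many were dropped.
        net = ipaddress.ip_network(prefix)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r.prefix != net]
        return before - len(self.routes)

    def lookup(self, dst):
        # Longest prefix wins. Among equal-length prefixes the lowest metric
        # wins, so two 0.0.0.0/0 entries never share load: one is simply idle.
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def default_gateways(self):
        return [r for r in self.routes if r.prefix.prefixlen == 0]


def route_exe_add(route):
    """route.exe syntax for a persistent (-p) static route on Windows."""
    return (f"route -p ADD {route.prefix.network_address} "
            f"MASK {route.prefix.netmask} {route.gateway} METRIC {route.metric}")


def build_example_table():
    # Assumed topology: ISP-A carries the default route, ISP-B carries one
    # voice/video destination range that we want off the default gateway.
    t = RoutingTable()
    t.add("0.0.0.0/0", "192.0.2.1", "ISP-A")
    t.add("198.51.100.0/24", "203.0.113.1", "ISP-B")
    return t


if __name__ == "__main__":
    table = build_example_table()
    for r in table.routes:
        print(route_exe_add(r))
    for dst in ("198.51.100.7", "203.0.113.50"):
        print(dst, "->", table.lookup(dst).interface)
```

The `lookup` method is the whole argument in miniature: a /24 pointing at ISP-B beats the /0 for addresses inside it, every other destination falls through to the single default route, and adding a second /0 with a higher metric changes nothing until the first one is withdrawn. Any "plugin" that installs and later removes per-destination routes, as suggested above, is therefore only adding and deleting entries of the ISP-B kind; it is not creating a second default gateway.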