RE: SSL Problems with ISA 2004

  • From: TRadtke@xxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Tue, 25 Jan 2005 10:06:35 -0600

Horse of a different monkey....

*copy, paste, print on banner paper*

Now, where to hang it up......

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday, January 25, 2005 9:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004


http://www.ISAserver.org

Adding manual routes for specific networks is a horse of a different
monkey.
What ISA can't do is treat two "default gateway" networks as "peers".
Load balancing (sharing), failover; these are not part of the ISA
design.
 
-----Original Message-----
From: David Farinic [mailto:davidf@xxxxxxx] 
Sent: Tuesday, January 25, 2005 07:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

"If you want multiple "default gateways" then use RainConnect."

Or set up your routing table manually? Would this work? For example, if I
have voice/video-intensive traffic to some Internet IP range, it's easy to
divide Internet traffic manually with "route -p" so I can offload the
default gateway.
This would be multiple Internet connections on one ISA server.
Is this correct?

If this is correct, then I was thinking that once the ISA proxy gets an HTTP
connection which is not yet resolved, it would be kind of easy to make a
plugin which would simply add the best route to the fastest Internet connection
for that IP, and after traffic to that IP decreases/stops the route would
be removed from the routing table... this would easily load-balance ISA web
traffic between several ISPs' Internet connections.

My question, however, is: does ISA 2004 add something "hidden" to the WS2k3
routing table? Or can we use it as it was intended, without ISA?

With regards, David Farinic.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, January 25, 2005 3:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

Hi Dan,

External Networks are not necessarily Internet Networks, they're just
not internal Networks (note that I'm not using a capital "I").

Get our book. It will make everything crystal clear regarding what a
network is, what a Network is, what internal is, what Internal is, what
external is and what External is.

Protected Networks are those that are not part of the default External
Network (capital E and capital N).

You can have only a single default gateway, which is the route of last
resort, which most people think of as their "Internet" connection,
although you can have as many Internet connections as you like, as long
as the ISA firewall has routes to the destinations reached through those
connections.

If you want multiple "default gateways" then use RainConnect.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
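An added illustration of the routing point made in this thread (constructed here, not code from any poster, from ISA or from Windows): IP forwarding picks a route by longest prefix match, so a persistent specific route such as David's "route -p" example can steer a chosen range out a second connection, while only one 0.0.0.0/0 entry ever wins a lookup, which is why two "defaults" never act as load-sharing peers. The routing table and gateway addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Longest-prefix-match route lookup: a constructed illustration of the
single-default-gateway point in this thread (not ISA or Windows code)."""
import ipaddress

# Constructed routing table in the shape of a `route print` listing:
# (destination prefix, gateway, metric). Gateways are documentation
# addresses (RFC 5737), not real ISPs.
ROUTES = [
    ("0.0.0.0/0",      "198.51.100.1", 10),  # ISP-A: the one default gateway
    ("203.0.113.0/24", "192.0.2.1",    10),  # voice/video range via ISP-B
    ("10.0.0.0/8",     "10.0.0.254",   10),  # Internal network
]

def lookup(dst, routes=ROUTES):
    """Return the gateway for dst: the longest prefix wins, a lower metric
    breaks ties, and an exact tie keeps the first entry. No matching route
    means there is nowhere to forward to (None)."""
    addr = ipaddress.ip_address(dst)
    best_key, best_gw = None, None
    for prefix, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_gw = key, gw
    return best_gw

def route_p_add(prefix, gw):
    """Render the persistent-route command David mentions for one entry."""
    net = ipaddress.ip_network(prefix)
    return f"route -p add {net.network_address} mask {net.netmask} {gw}"

def with_second_default(routes, gw, metric=10):
    """Append a second 0.0.0.0/0 entry. Lookups still return exactly one
    gateway, so the two 'defaults' are never peers that share load."""
    return routes + [("0.0.0.0/0", gw, metric)]

if __name__ == "__main__":
    print(lookup("203.0.113.7"))   # ISP-B via the specific route
    print(lookup("8.8.8.8"))       # ISP-A via the route of last resort
    print(route_p_add("203.0.113.0/24", "192.0.2.1"))
    two = with_second_default(ROUTES, "192.0.2.1")
    print(lookup("8.8.8.8", two))  # still ISP-A: first equal-cost default
```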


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Monday, January 24, 2005 11:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

I must apologize if I am offending you, by no means do I wish to
"argue".  I ask these questions not to antagonize, but because I don't
have a clear answer.  I find it disconcerting to myself that someone so
prominent in the field says what I have won't work, and I cannot
understand why.  If true, then I have to completely re-design my entire
network...

Let me explain this a bit further so you can hopefully understand why I
find this topic confusing...

First to respond to a couple of points in the last e-mail:

- Using the same "service provider": The two external networks I have
are completely separate, separate providers, separate IP ranges, even
different domain names.  These two networks cannot even reach each other
without traveling halfway across the US and back.  The only connection
between the two is geographical location, and the fact that they are
both connected to the same ISA server.  Hence, the only same "service
provider" involved is my ISA box.

- Have I read the manual?: You betcha, I've read every manual I could
find on this long before I started, all the whitepapers I could find,
every bit of marketing "spew" (I love that term!) I could find,
darn-near every KB article, and the official Microsoft Course book for
the ISA server class (tried to take class also, but it was cancelled).
Damn can that stuff put you to sleep!

But, let's ignore that part for now, it's mostly irrelevant. Please bear
with me as I retrace my line of thought on this to see if you can follow
where I'm coming from.  Whenever possible, I will copy it verbatim to
avoid paraphrasing.

First of all, I ditched the ISP term, since it causes so much
confusion...

To start this quest, I first looked up what a "network" is...

Quote: From an ISA Server perspective, a network is a rule element,
which can contain one or more ranges of Internet Protocol (IP)
addresses. Networks include one or more computers, typically
corresponding to a physical network. 

That didn't really answer a lot, but it was a start. The next question
was "how many" networks ISA 2004 supports:  I found that referenced all
over the place, referred to as Multi-networking, a new feature in ISA
2004.

Quote: You can configure one or more networks, each with distinct
relationships to other networks. Access policies are defined relative to
the networks, and not necessarily relative to a given Internal network.
Whereas in ISA Server 2000, all traffic was inspected relative to a
local address table (LAT) that included only address ranges on the
Internal network, ISA Server 2004 extends the firewall and security
features to apply to traffic between any networks.

>Note the phrase "traffic between any networks".<

But that didn't really answer my question about "how many", so I looked
some more, and found this one:

Quote: ISA Server 2004 supports multi-networking. This means that you
can configure an unlimited number of networks on ISA Server. 

So, at this point, we know we can create an unlimited number of
internal, external, or perimeter networks.  (When you run the New
Network wizard, it will ask you if it is one of these three.)  Now to
figure out what each network is defined as.

Quote: Throughout this Quick Start Guide, we will refer to internal and
external interfaces. The internal interface is the Ethernet card or
modem connecting the ISA Server 2004 firewall computer to your private
network or LAN. The external interface is a network interface connecting
you to the Internet.

Now we know that Internal networks are your private network, and
External networks are "Internet" networks. At this point, it's still a
little ambiguous, so I looked some more.  I noticed that many of the
documents used the phrase "External Network (Internet)" whenever
referencing an External network, but it still wasn't clear enough.

Quote: ISA Server 2004 considers all networks that are not the External
network to be protected. All networks comprising the External network
are unprotected. Protected networks include the VPN Clients network, the
Quarantined VPN Clients network, the Local Host network, the internal
network, and perimeter networks. The Internet is the primary External
network; although, partner networks and extranets to which protected
clients connect can be considered External networks.

Okay, now this one explains the External=Internet reference a bit more,
and also defines the Protected network reference.  This makes sense,
your internal, private network is "protected", and everything else is
"unprotected".  (Come to think of it, I can't think of a much better
description of the Internet.)

So, now we can summarize it as such... We can create an unlimited number
of Internal, Perimeter, or External networks.  We can route traffic and
set different policies between any/all of these networks.  Your local,
private, network is an Internal network, and the Internet is the primary
"external" network, but not necessarily the only one.

Far, far, beyond a "remote hint", it seems (to me, anyways) that all the
reference material pretty much comes right out and tells you that you
can create an unlimited number of Internet (external, unprotected)
networks, and route traffic between them.  This is taken directly from
the Microsoft literature, so it is not simply something I made up.

But, that still doesn't explain why it seems like a bombshell of a
concept to the professionals in the business, so I looked further,
everywhere I could find over the last two days, for some reference
saying "No, you cannot create more than one Internet connection in ISA
2004".  Unfortunately, I could not find any reference whatsoever to that
idea, no matter where I looked.  I remember when I tried creating
multiple external networks in ISA 2000 a couple of years ago.  It took
me a couple of hours, but I finally found a KB article that came right
out and said, "there can be only one".  That is not the case with ISA
2004 though, in fact, it's just the opposite. Everywhere I look, it says
either Multiple or Unlimited connections.

So, hopefully you can follow my ramblings, and can see why I keep asking
"why?", or maybe it would be better described as "why not?".  Please
give me a good answer on this so I can stop waking up in the middle of
the night thinking about it (my wife will be pleased about this part
also)...



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Saturday, January 22, 2005 19:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

Fine; let's clarify it for you, then:
"ISA does not support multiple connections to the Internet".

The fact that you can create a special routing circumstance between
distant entities via the same "service provider" does NOT fall into the
"multiple Internet connection" category.

None of the ISA marketing spew even remotely hinted at being able to use
multiple Internet connections.
"External" networks (if you actually read the documentation that shipped
with ISA) refers to "non-protected networks".

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


