[isalist] Re: Two external interface on isa

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 7 Mar 2009 07:09:45 -0800

Yep - this is what I thought you were talking about.
The problem is, most people don't own their own external routing structure, and 
that's about the only way you'll get anycast routing configured.

By "DNS redirection", I mean you'll have to use incredibly short DNS record TTLs 
for your published names and use the "ISP Link is unavailable", "ISP Link is 
available" and "ISP Link is online" alert set with custom scripts to change your 
public DNS records to reflect the change in ISP connectivity state.

...of course, this assumes that you can reach your public DNS server through the 
active ISP (or perhaps host it yourself).

JimmyJoeBob Alooba
Office 2007 on Win7 Beta
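
The alert-driven "DNS redirection" Jim describes, as an added example that is not 
part of the original thread nor any TMG/ISA code: the published name carries a 
very short TTL, and each ISP link state alert rewrites the public A records so 
they point only at links that are currently up. The nsupdate(8) / RFC 2136 
dynamic-update text format is real; the zone (example.com), hostname (www), the 
RFC 5737 documentation addresses, and the mapping of the three alert names to 
link state are assumptions made for this example.

```python
"""Alert-driven public DNS failover across two ISP links (added example).

Not code from the thread or from TMG. Each "ISP Link is ..." alert is fed
to on_alert(), which updates the link state and renders an RFC 2136
dynamic update for nsupdate(8). Zone, host, addresses and the alert-name
mapping are constructed for this example.
"""
from dataclasses import dataclass

TTL_SECONDS = 60  # a short TTL so resolvers pick up the flip quickly


@dataclass
class IspLink:
    name: str
    public_ip: str        # address the published name maps to via this link
    available: bool = True


def sample_links():
    """Constructed sample: two ISP links using RFC 5737 documentation addresses."""
    return {
        "ISP-A": IspLink("ISP-A", "192.0.2.10"),
        "ISP-B": IspLink("ISP-B", "198.51.100.10"),
    }


def apply_alert(links, link_name, alert):
    """Update one link's state from the alert text an alert action script receives.

    The three alert names quoted in the thread are mapped to link state here;
    that mapping is this example's assumption, not a documented TMG interface.
    """
    if alert == "ISP Link is unavailable":
        links[link_name].available = False
    elif alert in ("ISP Link is available", "ISP Link is online"):
        links[link_name].available = True
    else:
        raise ValueError(f"unknown alert: {alert!r}")
    return links


def published_addresses(links):
    """Return the A RRset to publish: the public IP of every available link.

    Edge case: if every link is reported down, keep publishing all addresses
    rather than an empty RRset, so the name still resolves as soon as either
    link returns and resolvers are not left holding a cached negative answer.
    """
    up = [link.public_ip for link in links.values() if link.available]
    return up if up else [link.public_ip for link in links.values()]


def nsupdate_script(zone, host, addresses, ttl=TTL_SECONDS):
    """Render an RFC 2136 update: replace the whole A RRset in one transaction."""
    fqdn = f"{host}.{zone}."
    lines = [f"zone {zone}", f"update delete {fqdn} A"]
    lines += [f"update add {fqdn} {ttl} A {ip}" for ip in addresses]
    lines.append("send")
    return "\n".join(lines) + "\n"


def on_alert(links, link_name, alert, zone="example.com", host="www"):
    """What the custom alert action would do: update state, emit the DNS change."""
    apply_alert(links, link_name, alert)
    return nsupdate_script(zone, host, published_addresses(links))


if __name__ == "__main__":
    # Simulate ISP-A dropping and then coming back online.
    links = sample_links()
    print(on_alert(links, "ISP-A", "ISP Link is unavailable"))
    print(on_alert(links, "ISP-A", "ISP Link is online"))
```

The rendered update has to be sent (e.g. piped to `nsupdate -k`) to a DNS server 
that is reachable over the surviving ISP link or hosted off-site, which is exactly 
the caveat in the message above; and a short TTL only helps with resolvers that 
honour it, so the effective failover time should be measured against real 
resolvers rather than assumed from the TTL alone.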



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Thursday, March 05, 2009 8:47 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Two external interface on isa

Ah... oh-oh.  Did I make a point?  I thought I just asked a couple of 
questions. :)

And about which did you think I was making a point?  IP Anycast?

Some decent documentation about IP Anycast already exists.

The following is the link at which I first learned about it (and not long 
ago!!); it's used at a DNS hosting company which I ended up recommending to my 
current client when they started looking to outsource their DNS hosting, and 
has allowed the hosting vendor to maintain a 100% uptime SLA.

https://www.dnsmadeeasy.com/s0306/res/ipanycast.html

A more technical treatment - but still high level enough for a networking neophyte 
like myself to understand - can be found in the following PDF.

http://www.pch.net/resources/papers/ipv4-anycast/ipv4-anycast.pdf

Now, with regards to the *question* I raised - it really wasn't a point - it 
looks like it may be possible to set up the TMG Server interfaces to appear to 
be separate server "instances", providing each external interface is hung off 
of different routers (see page 7 of the PDF file).  That was really what I was 
alluding to by getting "creative".

The real question is whether or not an interface in Windows (only 2008 and 
later??) can be configured with a loopback address and TMG (or the server OS 
itself) can speak an IGP routing protocol to the BGP-speaking border router to 
which it is connected.

It was really just a thought and why I asked the question. :)

By the way, the answer to "DNS redirection" was...? :)

On Thu, Mar 5, 2009 at 9:18 AM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

Unfortunately, most people don't have that option.

Speaking of which, where's that article you were supposed to write on this 
point?

Huh?

Huh?!?

:)

JimmyJoeBob Alooba
Office 2007 on Win7 Beta


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, March 04, 2009 8:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Two external interface on isa

Jim,

Can you explain further by what you mean when saying "DNS redirection"?

While moving away from a purely Microsoft implementation, would it be possible 
to make creative use of IP Anycast (which is usually implemented across multiple 
hosts in multiple geographic locations, not interfaces on the same host as far 
as I am aware) to provide the desired assumed behavior?

On Wed, Mar 4, 2009 at 10:02 AM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

...and how would you provide inbound LB across ISP connections?

DNS redirection is the only way to accommodate this.

JimmyJoeBob Alooba
Office 2007 on Win7 Beta


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Wednesday, March 04, 2009 4:48 AM
To: ISA Mailing List
Subject: [isalist] Re: Two external interface on isa

Indeed. Only outgoing LB at the moment tho'

S


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, March 04, 2009 8:45 AM
To: ISA Mailing List
Subject: [isalist] Re: Two external interface on isa

So the solution (assuming a Microsoft-based solution) would be to drop ISA 
Server and pick up Forefront Threat Management Gateway?

On Wed, Mar 4, 2009 at 7:38 AM, Steve Moffat <steve@xxxxxxxxxx> wrote:

Not without RainWall or some other 3rd party app. Can only have 1 gateway in 
ISA.

TMG does it natively.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, March 04, 2009 8:36 AM
To: ISA Mailing List
Subject: [isalist] Re: Two external interface on isa

You're only allowed a single default route in a generic setting.

By having two avenues to the Internet, you're essentially indicating that you 
need two, which you won't be able to do.

Now, you may be able to leverage RRAS and configure the box as an OSPF router 
but I don't know if you can run ISA on top of such a configuration and if you 
can I don't know what might be able to be done to get ISA to play nicely with 
OSPF in the way you want it.

On Wed, Mar 4, 2009 at 7:26 AM, Vineet Tripathi <vineetktripathi@xxxxxxxxx> wrote:

I want to set up ISA Server with 3 network cards. One will be connected
to the internal network, where all client workstations and corporate
file/mail servers are. Two other network cards will be connected to two
independent external networks; each external network has its own
connection to the Internet (to a different ISP). I want ISA server to
route packets between those two external networks.

How can I do this?

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer