[isalist] Re: FW: Forcing a remote site to use a remote gateway for all IP traffic

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jan 2010 17:02:25 -0500

Thanks for the reply! ;-)

You're 90% of the way there.  The wireless authentication device is a Nomadix 
box only on the "L" network.  I use its built-in DHCP server because when you 
configure up its DHCP server, that is actually how you define its base IP on 
the "L" network (I could use any DHCP server, though).  For clients on the "L" 
network, yes, they get the default gateway IP, via DHCP, which is the Nomadix 
box, and after they authenticate, they use the Nomadix box as the router to the 
Internet.

However, for the "R" site, there is NO Nomadix Authentication (wireless 
controller) box.  I do have a DHCP server on the "R" segment, but that's it.  I 
would like somehow to get the traffic to go out the default gateway of that 
segment (which is the IP of a NIC on an ISA 2006 server), and to somehow define 
in ISA that all traffic on that "R" subnet to then hop (I think that is the right 
term) NOT to the Internet, but have the IP of the Nomadix box (on the "L" 
network) be that next hop.  This way, all traffic on the "R" subnet must go 
through to the Nomadix box for Internet access.  The "L" and "R" subnets are 
interconnected via ISA (VPN), fully open.

I'm trying to not have to purchase another Nomadix box.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>






From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, January 20, 2010 11:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway for 
all IP traffic

Steve,

Your thing is on. :)

I think the lack of response is probably due to a lack of understanding on what 
you're attempting to do; it took me a few times reading over your query before 
I thought I understood what it is you're attempting to do.

To reiterate:

You have two networks, L (local) and R (remote).

Wireless clients on the L network authenticate against an Authentication Server 
you've set up that also hands out DHCP leases to the wireless clients.  The L 
wireless clients use the Authentication Server as their default gateway, as 
defined in the DHCP scope options that the L wireless clients use (which 
implies it's routing).

On your R network, you have wireless clients that you want to use the 
Authentication Server on the L network.

If authentication is all you're concerned about, you should be able to set up 
your wireless controller on the R network to use the Authentication Server 
on the L network.

It got a bit murky when I was considering the use of the Authentication Server 
as a DHCP server for the R network clients (since it's the DHCP server for the 
L network clients).  However, after reading over the original query a few 
times, it doesn't look like that is what you're attempting to do.

My client uses Internet Authentication Service on Windows Server 2003 to 
provide authentication to wireless clients on remote subnets and the way we 
facilitate that connectivity is by simply telling the wireless controller the 
IP address of the server running IAS.  As long as traffic can be routed between 
your two sites, you should be fine.

Does that answer your question or did I not interpret the query correctly?

On Tue, Jan 19, 2010 at 5:32 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx> wrote:
Tap tap tap... is this thing on?

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com/>






From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, January 14, 2010 5:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Forcing a remote site to use a remote gateway for all IP 
traffic

I have a scenario where I have 2 sites, a "local" and "remote", interconnected 
via ISA site-to-site VPN, and each site has multiple non-external networks 
where traffic is controlled between the sites and Internet via the policies.

At the local site, one of the networks is wireless that has an Authentication 
Server that I use for Press and Media that does captive portal with 
authentication.  The DHCP server on the Authentication Server gives out IPs so 
that the client uses the Authentication Server as its default gateway, and 
access to the Internet is given once credentials are approved (via RADIUS).  I 
would like to be able to take the remote site's wireless network and route all 
traffic to the local site's Authentication Server and use that for 
authentication, but I'm not sure how to go about that.  Both the remote and 
local wireless network are "open" to each other via ISA, and right now, the 
remote site goes out to the Internet via ISA for external access.  Now, I know 
I've got to stop the NAT of that remote network for Internet access, but how do 
I get the remote site to get all traffic to "gateway" through the local site's 
Authentication Server for Internet access?  The bottom line is that I don't 
want to pay for a 2nd Authentication Server at the remote site.

My wording is crude here, so hopefully you get my gist.  I'm guessing it's some 
sort of route add thingy, just not totally sure here.

Thanks in advance.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com/>







***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***








--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com<http://www.youngcss.com>
