[isalist] Re: FW: Forcing a remote site to use a remote gateway for all IP traffic

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 21 Jan 2010 08:57:18 -0500

If it's possible to do this, I certainly wouldn't know how to go about it,
unfortunately.

I think, however, that ISA Server 2006, even when set up as a VPN end-point,
will not be able to perform the conditional forwarding you are seeking.

The problem, as I see it, is how the ISA Server 2006 defines its default
gateway and the classification of "Internet-bound" traffic.

You indicated indirectly that the ISA Server in the R site has direct
Internet access.  Internet traffic will generally get there using the
0.0.0.0 network destination's gateway (generally the default gateway
configured for the box) found in the routing table of the ISA Server.  In
order to route Internet-bound traffic to the Nomadix, you'd have to
reconfigure the default gateway (or the 0.0.0.0 network destination's
gateway) to point to the IP address of the Nomadix.

The problem with that, of course, is that *any* non-local traffic would be
sent to the Nomadix for *any* client (whether wireless or wired) using the
ISA Server in the R site as its default gateway.

Adding to that is the consideration of what clients you want to be routed to
the Nomadix.  You indicated wireless clients that I interpreted as being
foreign (guests, if you will - Press and Media).  If you only want the
traffic from this scope of clients to hit the Nomadix, then that's something
I would definitely think is out of the realm of possibilities for ISA Server
(is that traffic on its own, segregated subnet, separate from the subnets
used by internal wireless and wired clients?).

Having never worked with ISA Server as a VPN end-point, however, I'm only
drawing on my understanding of general networking.

Can anyone else add any more insight (Jim, Tom, Tim, Greg, et al)?

On Wed, Jan 20, 2010 at 5:02 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx> wrote:

> Thanks for the reply! ;-)
>
> You’re 90% of the way there.  The wireless authentication device is a
> Nomadix box only on the “L” network.  I use its built-in DHCP server because
> when you configure up its DHCP server, that is actually how you define its
> base IP on the “L” network (I could use any DHCP server, though).  For
> clients on the “L” network, yes, they get the default gateway IP, via DHCP,
> which is the Nomadix box, and after they authenticate, they use the Nomadix
> box as the router to the Internet.
>
> However, for the “R” site, there is NO Nomadix Authentication (wireless
> controller) box.  I do have a DHCP server on the “R” segment, but that’s
> it.  I would like somehow to get the traffic to go out the default gateway
> of that segment (which is the IP of a NIC on an ISA 2006 server), and to
> somehow define in ISA that all traffic on that “R” subnet then hops (I
> think that is the right term) NOT to the Internet, but has the IP of the
> Nomadix box (on the “L” network) as its next hop.  This way, all traffic on
> the “R” subnet must go through the Nomadix box for Internet access.  The
> “L” and “R” subnets are interconnected via ISA (VPN), fully open.
>
> I’m trying to not have to have to purchase another Nomadix box.
>
> Steve Comeau
> Associate Director of IT, Rutgers Athletics
> 83 Rockafeller Road
> Piscataway, NJ 08854
> 732-445-7802
> 732-445-4623 (fax)
> www.scarletknights.com
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Wednesday, January 20, 2010 11:41 AM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: FW: Forcing a remote site to use a remote gateway
> for all IP traffic
>
> Steve,
>
> Your thing is on. :)
>
> I think the lack of response is probably due to a lack of understanding on
> what you're attempting to do; it took me a few times reading over your query
> before I thought I understood what it is you're attempting to do.
>
> To reiterate:
>
> You have two networks, L (local) and R (remote).
>
> Wireless clients on the L network authenticate against an Authentication
> Server you've set up, which also hands out DHCP leases to the wireless
> clients.  The L wireless clients use the Authentication Server as their
> default gateway, as defined in the DHCP scope options that the L wireless
> clients use (which implies it's routing).
>
> On your R network, you have wireless clients that you want to use the
> Authentication Server on the L network.
>
> If authentication is all you're concerned about, you should be able to set
> up your wireless controller on the R network to use the Authentication
> Server on the L network.
>
> It got a bit murky when I was considering the use of the Authentication
> Server as a DHCP server for the R network clients (since it's the DHCP
> server for the L network clients).  However, after reading over the original
> query a few times, it doesn't look like that is what you're attempting to
> do.
>
> My client uses Internet Authentication Service on Windows Server 2003 to
> provide authentication to wireless clients on remote subnets and the way we
> facilitate that connectivity is by simply telling the wireless controller
> the IP address of the server running IAS.  As long as traffic can be routed
> between your two sites, you should be fine.
>
> Does that answer your question or did I not interpret the query correctly?
>
> On Tue, Jan 19, 2010 at 5:32 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
> wrote:
>
> Tap tap tap… is this thing on?
>
> Steve Comeau
> Associate Director of IT, Rutgers Athletics
> 83 Rockafeller Road
> Piscataway, NJ 08854
> 732-445-7802
> 732-445-4623 (fax)
> www.scarletknights.com
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Steven Comeau
> *Sent:* Thursday, January 14, 2010 5:07 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Forcing a remote site to use a remote gateway for all
> IP traffic
>
> I have a scenario where I have 2 sites, a “local” and “remote”,
> interconnected via ISA site-to-site VPN, and each site has multiple
> non-external networks where traffic is controlled between the sites and
> Internet via the policies.
>
> At the local site, one of the networks is wireless that has an
> Authentication Server that I use for Press and Media that does captive
> portal with authentication.  The DHCP server on the Authentication Server
> gives out IPs so that the client uses the Authentication Server as its
> default gateway, and access to the Internet is given once credentials are
> approved (via RADIUS).  I would like to be able to take the remote site’s
> wireless network and route all traffic to the local site’s Authentication
> Server and use that for authentication, but I’m not sure how to go about
> that.  Both the remote and local wireless network are “open” to each other
> via ISA, and right now, the remote site goes out the Internet via ISA for
> external access.  Now, I know I’ve got to stop the NAT of that remote
> network for Internet access, but how do I get the remote site to get all
> traffic to “gateway” through the local site’s Authentication Server for
> Internet access?  The bottom line is that I don’t want to pay for a
> 2nd Authentication Server at the remote site.
>
> My wording is crude here, so hopefully you get my gist.  I’m guessing it’s
> some sort of route add thingy, just not totally sure here.
>
> Thanks in advance.
>
> Steve Comeau
> Associate Director of IT, Rutgers Athletics
> 83 Rockafeller Road
> Piscataway, NJ 08854
> 732-445-7802
> 732-445-4623 (fax)
> www.scarletknights.com
>
> ***  This message contains confidential information and is
> intended only for the individual named. If you are not the
> named addressee, you should not disseminate, distribute or
> copy this e-mail. Please notify the sender immediately by
> e-mail if you have received this e-mail by mistake and delete
> this e-mail from your system. E-mail transmission cannot be
> guaranteed to be secure or error-free as information could be
> intercepted, corrupted, lost, destroyed, arrive late or
> incomplete, or contain viruses.  The sender therefore does not
> accept liability for any errors or omissions in the contents of
> this message, which arise as a result of e-mail transmission.
> If verification is required please request a hard-copy version.
> Rutgers University - DIA
> 83 Rockafeller Road
> Piscataway, NJ 08854
> www.scarletknights.com ***
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
> Young Consulting & Staffing Services Company - Owner
> www.youngcss.com
>


-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
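As an added illustration of the routing-table argument Jerry makes at the top of this thread (example code written for this page, not something anyone posted to the list), the model below shows that a destination-only table whose 0.0.0.0 default route is swapped to the Nomadix sends every client's Internet traffic there, and what a source-aware rule would have to look like instead. All addresses, subnets and the guest-subnet name are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (placeholders, not values from the thread):
# R-site clients sit in 10.1.0.0/16, the L site (where the Nomadix is assumed
# to live) is reached over the ISA site-to-site VPN, and the ISP router is the
# default gateway of the R-site ISA box.
INTERNET_GW = "203.0.113.1"      # ISP router at the R site (constructed)
VPN_TO_L = "10.1.0.254"          # ISA tunnel next hop toward the L site
NOMADIX_IP = "10.2.0.2"          # assumed Nomadix address on the L network
GUEST_NET = "10.1.50.0/24"       # assumed Press/Media wireless subnet at R

# Destination-only table, in the spirit of 'route print' on the R-site ISA box.
DEST_TABLE = [
    ("10.1.0.0/16", "on-link"),   # R-site local networks
    ("10.2.0.0/16", VPN_TO_L),    # L-site networks via the VPN
    ("0.0.0.0/0", INTERNET_GW),   # default gateway: everything else
]

def dest_lookup(dst, table):
    """Longest-prefix match on the destination address only, which is all a
    plain routing table (including its 0.0.0.0 default route) considers."""
    addr = ip_address(dst)
    matches = [(ip_network(net).prefixlen, gw) for net, gw in table
               if addr in ip_network(net)]
    return max(matches)[1]

def with_default(table, gateway):
    """Copy of the table whose 0.0.0.0/0 entry points at 'gateway': the
    'reconfigure the default gateway to the Nomadix' option from the thread."""
    return [(net, gateway if net == "0.0.0.0/0" else gw) for net, gw in table]

def policy_lookup(src, dst, table):
    """Source-aware (policy-based) rule: only guest-subnet traffic that would
    otherwise leave via the default gateway is steered to the Nomadix; every
    other client keeps following the destination table. A destination-only
    table cannot express this, which is the sticking point in the thread."""
    next_hop = dest_lookup(dst, table)
    if ip_address(src) in ip_network(GUEST_NET) and next_hop == INTERNET_GW:
        return NOMADIX_IP
    return next_hop
```

Even with such a rule, the Nomadix sits on the far side of the VPN, so the R-site ISA would still have to forward the steered packets into the tunnel rather than out its Internet interface.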
