[isalist] Re: FW: Forcing a remote site to use a remote gateway for all IP traffic

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Jan 2010 14:21:18 -0600

The Name Resolution Policy Table I suppose represents a type of DNS
Redirector.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, January 21, 2010 2:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway
for all IP traffic

 

If you could tell RRAS "traffic from subnet X to unknown destinations
should be routed through Y", this would work like edible undies.  Sadly,
standard IP routing (and RRAS) doesn't include the concept of
source-based routing; it's strictly destination-based.

 

ISA Server is an IPv4-based firewall and RRAS on WS03 is an IPv4-based
router; there is no concept of an Ethernet bridge in either product.
Other than adding IPv6 to RRAS, this state has not changed in TMG or
WS08.

 

The DNS redirector is an interesting idea, but this assumes that either
the client changes preferred DNS resolvers through some notification
mechanism (probably requiring an "agent" on the client computer) or
that the Nomadix performs that action and changes behavior based on the
client-IP authentication state.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on
behalf of Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 21, 2010 7:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway
for all IP traffic

Thanks Jim.  When checking out the RRAS, I kind of leaned that way...  I
had hoped that I could force the next hop from the "R" subnet by a
static route in RRAS, though.

 

Any possibility I could do a "bridge" of the two networks in ISA (i.e.
making them both the same group of IPs)?

 

I had been using a DNS redirector, where the DHCP server at both the "R"
and "L" site gives each client a DNS server entry of the DNS Redirector
(located only at the "L" site).  I setup ISA to only allow DNS out to
the Internet from the DNS redirector (in case anyone figured that out).
The problem is that the DNS redirector is very crude in its
authentication mechanism.

 

Thanks for all the info.

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com>

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, January 21, 2010 10:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway
for all IP traffic

 

That's pretty much true except for one point - assigning the R hosts the
Nomadix as the DG.

1. The traffic across the tunnel works because of the routing
table extant on the R ISA and L ISA as well as the routing tables of the
R and L hosts. R ISA and L ISA (RRAS on those servers, actually)
understand that in order to route traffic between hosts on "my side"
and "the other side", they have to pass traffic to their peer at the other
end of the tunnel. If the hosts in R or L treat their local ISA as
anything other than the DG or as a static route to each other, this all
falls apart.

2. You can't define a DG that operates outside of the local NetID
or that conflicts with the required network path.  Ferinstance, imagine
that a host in L operates in NetID 172.16/12 and the Nomadix operates in
NetID 192.168/16. If you tell the L host that its DG is 192.168.0.2,
how is it supposed to communicate with that IP address? It has no route
to it.  Chickens, eggs, 22 catches, tinfoil and hats <VBG>.

3. A TCP/IP host (rightly) expects to ARP its DG. This won't
succeed across the tunnel because RRAS doesn't provide an ARP proxy.

4. This all assumes a flat network behind each ISA anyway. Layered
subnets at each end only make the problem worse.

 

Sorry, Steve - I think you'll have to pony up for another Nomadix in R.

 

Jim

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Thursday, January 21, 2010 5:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway
for all IP traffic

 

If it's possible to do this, I certainly wouldn't know how to go about
it, unfortunately.

 

I think, however, that ISA Server 2006, even when set up as a VPN
end-point, will not be able to perform the conditional forwarding you
are seeking.

 

The problem, as I see it, is how the ISA Server 2006 defines its default
gateway and the classification of "Internet-bound" traffic.

 

You indicated indirectly that the ISA Server in the R site has direct
Internet access.  Internet traffic will generally get there using the
0.0.0.0 network destination's gateway (generally the default gateway
configured for the box) found in the routing table of the ISA Server.
In order to route Internet-bound traffic to the Nomadix, you'd have to
reconfigure the default gateway (or the 0.0.0.0 network destination's
gateway) to point to the IP address of the Nomadix.

 

The problem with that, of course, is that *any* non-local traffic would
be sent to the Nomadix for *any* client (whether wireless or wired)
using the ISA Server in the R site as its default gateway.

 

Adding to that is the consideration of what clients you want to be
routed to the Nomadix.  You indicated wireless clients that I
interpreted as being foreign (guests, if you will - Press and Media).
If you only want the traffic from this scope of clients to hit the
Nomadix, then that's something I would definitely think is out of the
realm of possibilities for ISA Server (is that traffic on its own,
segregated subnet, separate from the subnets used by internal wireless
and wired clients?).

 

Having never worked with ISA Server as a VPN end-point, however, I'm
only drawing on my understanding of general networking.

 

Can anyone else add any more insight (Jim, Tom, Tim, Greg, et al)?
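As an added illustration (not written by anyone on the list) of Jim's points 1 and 2 and of Jerry's observation that repointing the 0.0.0.0 route diverts every R client: a small Python model of a destination-based routing table. The table, the addresses and the function names are constructed assumptions, not the real Rutgers networks.

```python
import ipaddress

# Constructed routing table for the R-site ISA/RRAS box. Addresses are illustrative
# (RFC 1918 / RFC 5737 ranges), not the list members' real networks.
R_ISA_TABLE = [
    ("0.0.0.0/0",      "198.51.100.1", "External"),  # ISP default route
    ("172.16.0.0/12",  "10.255.255.2", "VPN"),       # L site, reached through the site-to-site tunnel
    ("192.168.0.0/16", "10.255.255.2", "VPN"),       # L-site NetID holding the Nomadix (Jim's example)
    ("10.20.0.0/16",   "0.0.0.0",      "Internal"),  # R wired subnet, directly connected
    ("10.21.0.0/16",   "0.0.0.0",      "Internal"),  # R press/media wireless subnet, directly connected
]

def longest_prefix_match(table, dst):
    """Destination-based lookup as a host stack or RRAS performs it: the most
    specific matching prefix wins. There is deliberately no source parameter."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def next_hop_for(table, src, dst):
    """src is accepted only to make the point: two packets that differ solely in
    source address resolve to the same next hop, so 'R wireless subnet -> Nomadix'
    cannot be expressed in this table at all."""
    route = longest_prefix_match(table, dst)
    return route[1] if route else None

def redirect_default(table, new_hop):
    """Jerry's option: repoint 0.0.0.0/0 at the Nomadix. Returns a new table."""
    return [(net, new_hop if net == "0.0.0.0/0" else hop, iface) for net, hop, iface in table]

def gateway_is_usable(connected_nets, gateway):
    """Jim's points 2 and 3: a DG must sit inside a directly connected NetID,
    otherwise the host has no route to it and cannot ARP for it."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_network(n) for n in connected_nets)

if __name__ == "__main__":
    internet = "203.0.113.9"
    print("wired R host ->", next_hop_for(R_ISA_TABLE, "10.20.0.50", internet))
    print("press R host ->", next_hop_for(R_ISA_TABLE, "10.21.0.50", internet))
    via_nomadix = redirect_default(R_ISA_TABLE, "192.168.0.2")
    print("after redirect, wired R host ->", next_hop_for(via_nomadix, "10.20.0.50", internet))
    print("L host may use 192.168.0.2 as DG?", gateway_is_usable(["172.16.0.0/12"], "192.168.0.2"))
```

Both R hosts get the same next hop before and after the redirect, which is exactly why only a second captive-portal device (or source-based policy routing, which RRAS lacks) can single out the press subnet.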

On Wed, Jan 20, 2010 at 5:02 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx> wrote:

Thanks for the reply! ;-)

 

You're 90% of the way there.  The wireless authentication device is a
Nomadix box only on the "L" network.  I use its built-in DHCP server
because when you configure up its DHCP server, that is actually how you
define its base IP on the "L" network (I could use any DHCP server,
though).  For clients on the "L" network, yes, they get the default
gateway IP, via DHCP, which is the Nomadix box, and after they
authenticate, they use the Nomadix box as the router to the Internet.

 

However, for the "R" site, there is NO Nomadix Authentication (wireless
controller) box.  I do have a DHCP server on the "R" segment, but that's
it.  I would like somehow to get the traffic to go out the default
gateway of that segment (which is the IP of a NIC on an ISA 2006
server), and to somehow define in ISA that all traffic on that "R"
subnet to then hop (I think that is the right term) NOT to the Internet, but
have the IP of the Nomadix box (on the "L" network) be that next hop.
This way, all traffic on the "R" subnet must go through to the Nomadix
box for Internet access.  The "L" and "R" subnets are interconnected via
ISA (VPN), fully open.

 

I'm trying to not have to purchase another Nomadix box.

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com/>

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Wednesday, January 20, 2010 11:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway
for all IP traffic

 

Steve,

 

Your thing is on. :)

 

I think the lack of response is probably due to a lack of understanding
on what you're attempting to do; it took me a few times reading over
your query before I thought I understood what it is you're attempting to
do.

 

To reiterate:

 

You have two networks, L (local) and R (remote).

 

Wireless clients on the L network authenticate against an Authentication
Server you've set up, which also hands out DHCP leases to the wireless
clients.  The L wireless clients use the Authentication Server as their
default gateway, as defined in the DHCP scope options that the L
wireless clients use (which implies it's routing).

 

On your R network, you have wireless clients that you want to use the
Authentication Server on the L network.

 

If authentication is all you're concerned about, you should be able to
set up the wireless controller on the R network to use the
Authentication Server on the L network.

 

It got a bit murky when I was considering the use of the Authentication
Server as a DHCP server for the R network clients (since it's the DHCP
server for the L network clients).  However, after reading over the
original query a few times, it doesn't look like that is what you're
attempting to do.

 

My client uses Internet Authentication Service on Windows Server 2003 to
provide authentication to wireless clients on remote subnets and the way
we facilitate that connectivity is by simply telling the wireless
controller the IP address of the server running IAS.  As long as traffic
can be routed between your two sites, you should be fine.

 

Does that answer your question or did I not interpret the query
correctly?

On Tue, Jan 19, 2010 at 5:32 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx> wrote:

Tap tap tap... is this thing on?

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com/>

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steven Comeau
Sent: Thursday, January 14, 2010 5:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Forcing a remote site to use a remote gateway for all
IP traffic

 

I have a scenario where I have 2 sites, a "local" and "remote",
interconnected via ISA site-to-site VPN, and each site has multiple
non-external networks where traffic is controlled between the sites and
Internet via the policies.

 

At the local site, one of the networks is wireless that has an
Authentication Server that I use for Press and Media that does captive
portal with authentication.  The DHCP server on the Authentication
Server gives out IPs so that the client uses the Authentication Server
as its default gateway, and access to the Internet is given once
credentials are approved (via RADIUS).  I would like to be able to take
the remote site's wireless network and route all traffic to the local
site's Authentication Server and use that for authentication, but I'm
not sure how to go about that.  Both the remote and local wireless
networks are "open" to each other via ISA, and right now, the remote site
goes out the Internet via ISA for external access.  Now, I know I've got
to stop the NAT of that remote network for Internet access, but how do I
get the remote site to get all traffic to "gateway" through the local
site's Authentication Server for Internet access?  The bottom line is
that I don't want to pay for a 2nd Authentication Server at the remote
site.

 

My wording is crude here, so hopefully you get my gist.  I'm guessing
it's some sort of route add thingy, just not totally sure here.

 

Thanks in advance.

 

Steve Comeau

Associate Director of IT  Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com <http://www.scarletknights.com/>

***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be 
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com <http://www.scarletknights.com/>  ***




-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com <http://www.youngcss.com/>



