[isalist] Re: FW: Forcing a remote site to use a remote gateway for all IP traffic

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Jan 2010 17:48:42 -0500

Thanks for the info.  Your comment about source based routing vs destination 
based I think is where I'm stuck.

The Nomadix does not do DNS Redirection, but another product does.  In that 
product, once the MAC address of the client is recorded in the DNS redirector 
and the client is authenticated, the DNS server on the DNS redirector then 
gives proper name resolution to that client.  Of course, a nice big hosts file 
would circumvent that, but my bigger issue is the weak authentication mechanism 
(which is merely a URL that once it's typed into a browser, it authenticates 
the machine).

Thanks again for all the insight.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, January 21, 2010 3:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway for 
all IP traffic

If you could tell RRAS "traffic from subnet X to unknown destinations should be 
routed through Y", this would work like edible undies.  Sadly, standard IP 
routing (and RRAS) doesn't include the concept of source-based routing; it's 
strictly destination-based.

ISA Server is an IPv4-based firewall and RRAS on WS03 is an IPv4-based router; 
there is no concept of an Ethernet bridge in either product. Other than adding 
IPv6 to RRAS, this state has not changed in TMG or WS08.

The DNS redirector is an interesting idea, but this assumes that either the 
client changes preferred DNS resolvers through some notification mechanism 
(probably requiring an "agent" on the client computer) or that the Nomadix 
performs that action and changes behavior based on the client-IP authentication 
state.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] on behalf of 
Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 21, 2010 7:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway for 
all IP traffic

Thanks Jim.  When checking out the RRAS, I kind of leaned that way...  I had 
hoped that I could force the next hop from the "R" subnet by a static route in 
RRAS, though.

Any possibility I could do a "bridge" of the two networks in ISA (i.e. making 
them both the same group of IPs)?

I had been using a DNS redirector, where the DHCP server at both the "R" and 
"L" site gives each client a DNS server entry of the DNS Redirector (located 
only at the "L" site).  I setup ISA to only allow DNS out to the Internet from 
the DNS redirector (in case anyone figured that out).  The problem is that the 
DNS redirector is very crude in its authentication mechanism.

Thanks for all the info.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, January 21, 2010 10:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway for 
all IP traffic

That's pretty much true except for one point - assigning the R hosts the 
Nomadix as the DG.

1. The traffic across the tunnel works because of the routing table 
extant on the R ISA and L ISA as well as the routing tables of the R and L 
hosts. R ISA and L ISA (RRAS on those servers, actually) understand that in 
order to route traffic between hosts on "my side" and "the other side", they have 
to pass traffic to their peer at the other end of the tunnel. If the hosts in R 
or L treat their local ISA as anything other than the DG or as a static route 
to each other, this all falls apart.

2. You can't define a DG that operates outside of the local NetID or that 
conflicts with the required network path.  Ferinstance, imagine that a host in 
L operates in NetID 172.16/12 and the Nomadix operates in NetID 192.168/16. If 
you tell the L host that its DG is 192.168.0.2, how is it supposed to 
communicate with that IP address? It has no route to it.  Chickens, eggs, 22 
catches, tinfoil and hats <VBG>.

3. A TCP/IP host (rightly) expects to ARP its DG. This won't succeed 
across the tunnel because RRAS doesn't provide an ARP proxy.

4. This all assumes a flat network behind each ISA anyway. Layered 
subnets at each end only make the problem worse.

Sorry, Steve - I think you'll have to pony up for another Nomadix in R.

Jim
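The two points Jim makes in this thread (forwarding is destination-based and never looks at the source subnet; a default gateway has to sit on a directly connected NetID because the host ARPs for it) can be shown with a small model of a host's routing table. The code below is an added example, not from the thread or from ISA/RRAS; every address in it is constructed (the R wireless subnet 10.1.0.0/16 and the R ISA inside NIC 10.1.0.1 are assumptions, the 172.16/12 and 192.168.0.2 values are the ones Jim used as an illustration).

```python
# Added example (not from the thread): a model of destination-based IP
# forwarding on a host, to show why "route traffic *from* subnet R via the
# Nomadix" cannot be expressed in an ordinary routing table and why a default
# gateway must sit on a directly connected NetID. All addresses are
# constructed for the illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link (directly connected)
    iface: str


def build_table(rows: List[Tuple[str, Optional[str], str]]) -> List[Route]:
    """Turn (destination, gateway-or-None, interface) triples into Route objects."""
    return [Route(ipaddress.ip_network(d), ipaddress.ip_address(g) if g else None, i)
            for d, g, i in rows]


def lookup(table: List[Route], dst: str, src: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match on the *destination* only.

    `src` is accepted purely to make the point of the thread: standard
    destination-based forwarding never consults it, so two hosts on the same
    table get the same answer no matter which source subnet they sit on.
    """
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in table if dst_ip in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: r.dest.prefixlen)


def gateway_on_link(table: List[Route], gw: str) -> bool:
    """True if gw lies inside a directly connected (gateway-less) NetID,
    i.e. the host could ARP for it."""
    gw_ip = ipaddress.ip_address(gw)
    return any(r.gateway is None and gw_ip in r.dest for r in table)


def first_hop(table: List[Route], dst: str) -> ipaddress.IPv4Address:
    """Address the host would ARP for when sending to dst: dst itself for an
    on-link route, otherwise the route's gateway. Refuses a gateway that is
    not on a connected NetID, which is the failure Jim describes for a DG
    placed on the far side of the tunnel."""
    route = lookup(table, dst)
    if route is None:
        raise LookupError(f"no route to {dst}")
    if route.gateway is None:
        return ipaddress.ip_address(dst)
    if not gateway_on_link(table, str(route.gateway)):
        raise ValueError(f"gateway {route.gateway} is not on-link; the host cannot ARP for it")
    return route.gateway


# Constructed table for a host on the "R" wireless subnet (10.1.0.0/16, an
# assumed value), whose default gateway is the R ISA's inside NIC (10.1.0.1,
# also assumed); the "L" side (172.16/12, Jim's example NetID) is reached
# through the same ISA.
R_HOST_TABLE = build_table([
    ("10.1.0.0/16",   None,       "wlan0"),
    ("172.16.0.0/12", "10.1.0.1", "wlan0"),
    ("0.0.0.0/0",     "10.1.0.1", "wlan0"),
])

# Same host, but with the DG pointed at the Nomadix on the L side
# (192.168.0.2 in Jim's example): no connected NetID contains it.
R_HOST_BAD_DG = build_table([
    ("10.1.0.0/16", None,          "wlan0"),
    ("0.0.0.0/0",   "192.168.0.2", "wlan0"),
])

if __name__ == "__main__":
    print(lookup(R_HOST_TABLE, "8.8.8.8", src="10.1.5.5"))
    print(lookup(R_HOST_TABLE, "8.8.8.8", src="10.1.9.9"))  # identical: src is ignored
    print(first_hop(R_HOST_TABLE, "172.16.4.4"))           # 10.1.0.1
    try:
        first_hop(R_HOST_BAD_DG, "8.8.8.8")
    except ValueError as e:
        print("error:", e)
```

The `src` parameter of `lookup` is deliberately unused: that is the whole of Jim's first point. Expressing "from subnet R, go via the Nomadix" needs a policy-routing layer that keys on source as well as destination, which neither this model nor RRAS has. The `first_hop` check reproduces his second and third points: a gateway the host cannot ARP for (because it is not inside any on-link NetID) is unusable regardless of what the tunnel can reach.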

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Thursday, January 21, 2010 5:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway for 
all IP traffic

If it's possible to do this, I certainly wouldn't know how to go about it, 
unfortunately.

I think, however, that ISA Server 2006, even when set up as a VPN end-point, 
will not be able to perform the conditional forwarding you are seeking.

The problem, as I see it, is how the ISA Server 2006 defines its default 
gateway and the classification of "Internet-bound" traffic.

You indicated indirectly that the ISA Server in the R site has direct Internet 
access.  Internet traffic will generally get there using the 0.0.0.0 network 
destination's gateway (generally the default gateway configured for the box) 
found in the routing table of the ISA Server.  In order to route Internet-bound 
traffic to the Nomadix, you'd have to reconfigure the default gateway (or the 
0.0.0.0 network destination's gateway) to point to the IP address of the 
Nomadix.

The problem with that, of course, is that *any* non-local traffic would be sent 
to the Nomadix for *any* client (whether wireless or wired) using the ISA 
Server in the R site as its default gateway.

Adding to that is the consideration of what clients you want to be routed to 
the Nomadix.  You indicated wireless clients that I interpreted as being 
foreign (guests, if you will - Press and Media).  If you only want the traffic 
from this scope of clients to hit the Nomadix, then that's something I would 
definitely think is out of the realm of possibilities for ISA Server (is that 
traffic on its own, segregated subnet, separate from the subnets used by 
internal wireless and wired clients?).

Having never worked with ISA Server as a VPN end-point, however, I'm only 
drawing on my understanding of general networking.

Can anyone else add any more insight (Jim, Tom, Tim, Greg, et al)?

On Wed, Jan 20, 2010 at 5:02 PM, Steven Comeau 
<scomeau@xxxxxxxxxxxxxxxxxx> wrote:
Thanks for the reply! ;-)

You're 90% of the way there.  The wireless authentication device is a Nomadix 
box only on the "L" network.  I use its built-in DHCP server because when you 
configure up its DHCP server, that is actually how you define its base IP on 
the "L" network (I could use any DHCP server, though).  For clients on the "L" 
network, yes, they get the default gateway IP, via DHCP, which is the Nomadix 
box, and after they authenticate, they use the Nomadix box as the router to the 
Internet.

However, for the "R" site, there is NO Nomadix Authentication (wireless 
controller) box.  I do have a DHCP server on the "R" segment, but that's it.  I 
would like somehow to get the traffic to go out the default gateway of that 
segment (which is the IP of a NIC on an ISA 2006 server), and to somehow define 
in ISA that all traffic on that "R" subnet to then hop (I think that is right 
term) NOT to the Internet, but have the IP of the Nomadix box (on the "L" 
network) be that next hop.  This way, all traffic on the "R" subnet must go 
through to the Nomadix box for Internet access.  The "L" and "R" subnets are 
interconnected via ISA (VPN), fully open.

I'm trying not to have to purchase another Nomadix box.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, January 20, 2010 11:41 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Forcing a remote site to use a remote gateway for 
all IP traffic

Steve,

Your thing is on. :)

I think the lack of response is probably due to a lack of understanding on what 
you're attempting to do; it took me a few times reading over your query before 
I thought I understood what it is you're attempting to do.

To reiterate:

You have two networks, L (local) and R (remote).

Wireless clients on the L network authenticate against an Authentication Server 
you've set up, which also hands out DHCP leases to the wireless clients.  The L 
wireless clients use the Authentication Server as their default gateway, as 
defined in the DHCP scope options that the L wireless clients use (which 
implies it's routing).

On your R network, you have wireless clients that you want to use the 
Authentication Server on the L network.

If authentication is all you're concerned about, you should be able to set up 
the wireless controller on the R network to use the Authentication Server 
on the L network.

It got a bit murky when I was considering the use of the Authentication Server 
as a DHCP server for the R network clients (since it's the DHCP server for the 
L network clients).  However, after reading over the original query a few 
times, it doesn't look like that is what you're attempting to do.

My client uses Internet Authentication Service on Windows Server 2003 to 
provide authentication to wireless clients on remote subnets and the way we 
facilitate that connectivity is by simply telling the wireless controller the 
IP address of the server running IAS.  As long as traffic can be routed between 
your two sites, you should be fine.

Does that answer your question or did I not interpret the query correctly?

On Tue, Jan 19, 2010 at 5:32 PM, Steven Comeau 
<scomeau@xxxxxxxxxxxxxxxxxx> wrote:
Tap tap tap... is this thing on?


Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, January 14, 2010 5:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Forcing a remote site to use a remote gateway for all IP 
traffic

I have a scenario where I have 2 sites, a "local" and "remote", interconnected 
via ISA site-to-site VPN, and each site has multiple non-external networks 
where traffic is controlled between the sites and Internet via the policies.

At the local site, one of the networks is wireless that has an Authentication 
Server that I use for Press and Media that does captive portal with 
authentication.  The DHCP server on the Authentication Server gives out IPs so 
that the client uses the Authentication Server as its default gateway, and 
access to the Internet is given once credentials are approved (via RADIUS).  I 
would like to be able to take the remote site's wireless network and route all 
traffic to the local site's Authentication Server and use that for 
authentication, but I'm not sure how to go about that.  Both the remote and 
local wireless network are "open" to each other via ISA, and right now, the 
remote site goes out the Internet via ISA for external access.  Now, I know 
I've got to stop the NAT of that remote network for Internet access, but how do 
I get the remote site to get all traffic to "gateway" through the local site's 
Authentication Server for Internet access?  The bottom line is that I don't 
want to pay for a 2nd Authentication Server at the remote site.

My wording is crude here, so hopefully you get my gist.  I'm guessing it's some 
sort of route add thingy, just not totally sure here.

Thanks in advance.


Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com





***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***








--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com






--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
