RE: FWC Client and Network within a Network

  • From: "David Haam" <DavidH@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Jul 2005 07:55:59 -0700

Actually, even for the machines on the ISA's internal interface subnet,
the hosts don't NECESSARILY have to have the ISA as their default
gateway. Alternately, if your routing infrastructure is such that any
egress out to the internet (and other DMZs through ISA) gets to the ISA's
internal interface, you're fine.

Depending on the routing capabilities on the particular network, I've
done both having the routers be the default gateway with the appropriate
routes being sent over to the ISA as the "next hop" and with the ISA
designated as the default gateway with routes to the other internal
segments sent to the internal routing engine as the "next hop" to
accomplish what Peter is looking at.

Please note when I say "router" I'm talking about any device that can
provide TCP/IP routing (could be a layer-3 switch).

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, July 22, 2005 7:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FWC Client and Network within a Network

http://www.ISAserver.org

I mention that point because IT'S IMPORTANT.
Now, if we're done screaming, let's get down to brass tacks.

Yours is the "network within a network" scenario as described in Clint
Denham's article.  The article I sent you the link for will illustrate
the IP configuration that makes this work in your network regardless of
the ISA version.

Since it's the routers (not ISA) handling the inter-network routing, you
need to make them aware of each other's networks.  You can do this via
your choice of several routing protocols, but if you want to keep it
simple, use static routes in each.

The hosts in each network must use the nearest router as their default
gateway, except for the hosts in the ISA subnet - they should use ISA as
their default gateway and they also get manual routes to the other
internal networks via the nearest router.

You enter ALL the internal subnets in the ISA "Internal" network and
create address ranges for ISA policy controls.

None of this has anything to do with whether you use the Firewall Client
configuration.  That component is only required if:
- you need authentication for non-web protocols
- you need to use complex protocols and ISA has no application filter
for them

-----Original Message-----
From: Peter [mailto:pladd@xxxxxxxx]
Sent: Friday, July 22, 2005 6:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FWC Client and Network within a Network

I really don't understand how multiple interfaces on the ISA have
ANYTHING to do with the fact that I have 3 subnets connected to each
other over PPP; one that is directly connected to the ISA server via its
"Internal" NIC and the other two that can be reached via a Router that is
NOT the ISA server.

Again, the only physical interface on the ISA server that is directly
connected to the ISA server is the 192.168.10.x that is connected to
SITE 1.  The only way for the ISA server or any other host on the
192.18.10.x Subnet to connect to SITE 2 or SITE 3 is via the local PPP
Router that connects to the PPP Routers at the other two sites. THE ONLY
ROUTE THAT THE ISA SERVER HAS TO SITE 2 AND SITE 3 IS VIA THE PPP
ROUTER.  THIS ROUTE IS SEPARATE FROM THE INTERNET ROUTER.

Thus, additional interfaces on the ISA are irrelevant.  Again, my
question is does one still load the FWC client on the hosts at the
remote site?  And does one enter the PPP Router on the remote sites as
the Default Gateway for the hosts located on those sites?

The reason I asked is that someone on a forum wrote that on the remote
sites, I should use SecureNat instead of the FWC.  If this is the case,
then the ISA Server must have either been designed to have an ISA Server
on each subnet, or was designed for a flat network.  In these cases,
I will go back to PIX.

Thanks for any info you can lend.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
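The layout Jim spells out above (routers carrying static routes for each other's networks, ISA as default gateway only for hosts on its own subnet, those hosts holding manual routes to the other sites via the local router, and ALL internal subnets entered in ISA's "Internal" network), traced end to end in an added Python model. This is not code from the thread: only the 192.168.10.0/24 ISA subnet comes from Peter's description; the SITE 2 / SITE 3 subnets and every device address are placeholders chosen here.

```python
"""Routing model for the "network within a network" layout in the thread.
Constructed example, not code from the posts: only 192.168.10.0/24 (the ISA
subnet) is from the thread; SITE 2/3 subnets and device addresses are placeholders."""
import ipaddress as ipa

SITE1, SITE2, SITE3 = (ipa.ip_network(n) for n in
                       ("192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"))
DEFAULT = ipa.ip_network("0.0.0.0/0")
ISA, R1, R2, R3 = "192.168.10.1", "192.168.10.254", "192.168.20.254", "192.168.30.254"

# Per-device route tables as (destination, next hop); None = directly attached.
# A next hop names the device whose table is consulted next (PPP links between
# routers are collapsed to the routers' LAN addresses).
ROUTES = {
    # Host on the ISA subnet: ISA is the default gateway, manual routes to the
    # other internal networks point at the local PPP router (Jim's layout).
    "site1-host": [(SITE1, None), (SITE2, R1), (SITE3, R1), (DEFAULT, ISA)],
    # Host at a remote site: the nearest PPP router is its default gateway.
    "site2-host": [(SITE2, None), (DEFAULT, R2)],
    # Routers hold static routes for each other's networks; only R1 hands
    # non-internal (internet) traffic to ISA.
    R1: [(SITE1, None), (SITE2, R2), (SITE3, R3), (DEFAULT, ISA)],
    R2: [(SITE2, None), (SITE1, R1), (SITE3, R1), (DEFAULT, R1)],
    R3: [(SITE3, None), (SITE1, R1), (SITE2, R1), (DEFAULT, R1)],
}
ISA_INTERNAL = [SITE1, SITE2, SITE3]   # ALL internal subnets entered in ISA's "Internal" network

def next_hop(table, dst):
    """Longest-prefix match; the default route wins only when nothing else matches."""
    dst = ipa.ip_address(dst)
    return max((e for e in table if dst in e[0]), key=lambda e: e[0].prefixlen)[1]

def trace(device, dst):
    """Follow next hops until the packet is delivered on-link or reaches ISA;
    returns the devices traversed (ISA's own egress is out of scope)."""
    path = [device]
    while True:
        gw = next_hop(ROUTES[device], dst)
        if gw is None:
            return path                # destination is on this device's LAN
        path.append(gw)
        if gw == ISA:
            return path
        device = gw

def isa_sees_as_internal(src, ranges=ISA_INTERNAL):
    """Traffic on the internal NIC counts as Internal only if its source falls in
    a range entered for that network; a subnet left out of the list does not."""
    return any(ipa.ip_address(src) in n for n in ranges)
```

Tracing a SITE 2 host to an internet address walks R2, R1 and then ISA, while SITE 1 to SITE 2 traffic stays on the routers and never touches ISA; dropping SITE3 from the Internal list shows why Jim insists on entering every subnet.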
