RE: More questions [01] on the Dual WAN Xincom XC-DPG602 with ISA in DMZ (inbound failover and load balancing)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 16 Nov 2004 23:34:44 -0600

Hi Alan,

It does work, but it's not a no-brainer to configure.  It's a hardware
implementation that provides a feature set similar to what RainConnect
provides, but isn't quite as robust in its feature set and is definitely
many times more difficult to configure.

You'll need to bind your public addresses to the external interface of
the Xincom and then port forward from there and bind a similar number of
addresses on the ISA firewall's external interface, depending on what
you're trying to accomplish.

The Xincom v. RainConnect comparison reminds me of the Windows v. Linux
debate. Linux is a lot cheaper as long as your time isn't worth anything
;-)

(TNSTAAFL == There's no such thing as a free Linux)

HTH,

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Alan Hoshor [mailto:alan@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, November 16, 2004 4:36 PM
To: [ISAserver.org Discussion List]
Cc: Eric Berglund
Subject: [isalist] More questions [01] on the Dual WAN Xincom XC-DPG602
with ISA in DMZ (inbound failover and load balancing)

http://www.ISAserver.org

Hi Andrew,

Thanks for your response.  I hate the way Symantec keeps buying up
terrific small companies and then destroying their product while
charging more...topic for another day.

I read the manual for the VPN200.  There are significant differences
between the Xincom XC-DPG602 and the Symantec VPN200.  The Xincom
XC-DPG602 acts as the authoritative DNS-to-IP that resolves a domain
name to its respective IP address.  This capability allows for inbound
failover and load balancing for servers located behind the gateway.
Using dual WAN ports simultaneously increases available bandwidth for
both upload and download requests.  You can set load balance type by
Packets, Bytes rx+tx and Sessions.  As Ray Dzek said below, it is more
similar to the Radware Linkproof.

I'm really quite impressed with Xincom XC-DPG602's capabilities.  I'm
relatively certain that I can get it to work once I figure out the right
architecture.  I think the problem occurs with its need to control NAT
on the LAN connections so that it can dynamically allocate packets by
using the underlying MAC addresses.  I didn't read that in the manual, I
just inferred it.

What I was attempting to configure, and it is what Troy depicted and the
LinkProof white paper documents, is the Xincom XC-DPG602 in front of our
ISA2000 server, and our NAT LAN behind ISA.  Where I have difficulty is
how to allow access to our servers internally that are mapped in ISA to
five static IP addresses.  Apparently, the Xincom needs to have NAT
running in order to load balance out-going traffic.  It has a DMZ
function.  What I can't seem to do is to create a DMZ out of the static
IP subnet which allows it to address the WAN IP addresses in ISA.  The
LinkProof paper and Troy didn't discuss it in enough detail for me to
understand.

Cheers,
Alan

+++

Subject: RE: More questions on the Dual WAN Xincom XC-DPG602 with ISA in
DMZ
From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 15 Nov 2004 18:17:39 -0500
X-Message-Number: 21

Alan,

I use a Linksys BESF41 to get my connection from my ISP. All I had to do
was port forward all the ports 1 to 65535 to the ISA box along with
opening DMZ for argument sake.

The problem you are going to have with the twin WANs is that you have
to keep in mind what goes out must come in. So what goes out on ISP1
must come back on ISP1; otherwise your return information will get
lost. The XC-DPG602 is great for internal load balancing but that's
about it. They work the same way as NexLand routers which are now
Symantec VPN200's.

Andrew

+++

Subject: RE: Topic: Twin WAN Gateway Xincom XC-DPG602 (load balancing)
with ISA2000 as DMZ internal firewall
From: Troy Radtke <TRadtke@xxxxxxxxxxxx>
Date: Thu, 11 Nov 2004 15:14:07 -0600
X-Message-Number: 10

Should work something like this regardless of brand:

connection 1---|
               |---NLB---firewall/proxy---internal network
connection 2---|

The NLB is the DG of your firewall/proxy system.  You can infinitely
expand the front end to the max capacity of your NLB system.  The
firewall/proxy only cares that it has a DG that it can reach.  However
the return path goes is completely up to the NLB and has no effect on
the firewall/proxy.

The NLB is completely unaware of the internal networks/DMZs behind the
firewall/proxy system.  It only cares that something on the backend is
there for it to talk to and be its DG if it needs one.

Good luck.

+++

Subject: RE: Topic: Twin WAN Gateway Xincom XC-DPG602 (load balancing)
with ISA2000 as DMZ internal firewall
From: "Ray" <rdzek@xxxxxxxxxxxxxxx>
Date: Thu, 11 Nov 2004 13:37:00 -0800

If it is DNS based (which looking at the website for it, it looks like it
is), you have to make significant changes to your DNS environment to get
everything to work.  So, yes, the load balancer becomes the gateway as
all DNS requests are handled by the DPG602 in real-time depending on
current network traffic parameters that you set up in the device... AND
all the traffic from both connections is routed through the DPG602 to
ensure all the traffic is properly routed to both connections.

We use the Radware Linkproof.  It works very much the same way.  It is
all quite complicated, and requires coordination between you, whoever
does your DNS, and the vendor.

Your DNS will look something like:

This tells anyone requesting your www site that they have to go to
NameServer DGP1 or DGP2 (your new device) to find out how to find you.

www        NS        DGP1
www        NS        DGP2

DGP1        A        IP address of first link
DGP2        A        IP address of second link

These DNS entries have to work both inside and outside your company if
you are running a separate internal DNS server.

When requests come in for your www.stadiumflowers.com site, the DPG602
becomes the DNS authority and using its magic determines which route it
wants the request to come over: the DSL or the cable modem.  It then
also routes the traffic from both connections.  This is why it has to be
your gateway, as it is routing the traffic for both connections.

Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components
PH:  408-782-5420
FX:  408-782-5421
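An added illustration of the DNS-based inbound failover and load balancing that Ray and Alan describe: the device answers authoritatively for the delegated "www" name and hands out the public address of one WAN link. This is example code written for this page, not the Xincom's or Radware's own logic; the link names, addresses, and the "least-loaded healthy link" selection rule are constructed assumptions.

```python
"""Model of DNS-based inbound load balancing and failover on a dual-WAN
gateway (constructed example; the selection rule is an assumption)."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str            # e.g. "DGP1" (DSL) or "DGP2" (cable), as in Ray's zone
    ip: str              # public address of this WAN link
    up: bool = True      # result of the device's link health check
    packets: int = 0     # counters the device can balance on
    rx_tx_bytes: int = 0
    sessions: int = 0


def delegation_records(links):
    """Zone lines the parent zone must carry so resolvers ask the device
    for 'www' (mirrors the NS / A layout in Ray's message)."""
    ns = [f"www NS {link.name}" for link in links]
    a = [f"{link.name} A {link.ip}" for link in links]
    return ns + a


@dataclass
class InboundBalancer:
    """Authoritative responder for the delegated 'www' name."""
    links: list
    policy: str = "sessions"  # one of: packets, bytes, sessions (manual's options)
    ttl: int = 30             # short TTL so a failover is picked up quickly

    def _load(self, link):
        return {"packets": link.packets, "bytes": link.rx_tx_bytes,
                "sessions": link.sessions}[self.policy]

    def answer(self, qname):
        """Return (qname, ttl, ip) for the least-loaded healthy link.
        None means the device would not answer (no link up, or unknown
        name); a dead link is simply never handed out, which is the
        inbound failover behaviour."""
        healthy = [link for link in self.links if link.up]
        if qname != "www" or not healthy:
            return None
        best = min(healthy, key=self._load)   # ties go to the first link listed
        best.sessions += 1                    # the new inbound session lands here
        return (qname, self.ttl, best.ip)


if __name__ == "__main__":
    wan = [Link("DGP1", "203.0.113.1"), Link("DGP2", "198.51.100.1")]
    print("\n".join(delegation_records(wan)))
    print(InboundBalancer(wan).answer("www"))
```

Because the device answers for "www" itself, the traffic it attracts to a link must also return over that link, which is Andrew's "what goes out must come in" point and why the device has to be the gateway.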
