Hi Alan,

It does work, but it's not a no-brainer to configure. It's a hardware implementation that provides a feature set similar to what RainConnect provides, but isn't quite as robust in its feature set and definitely many times more difficult to configure. You'll need to bind your public addresses to the external interface of the Xincom and then port forward from there and bind a similar number of addresses on the ISA firewall's external interface, depending on what you're trying to accomplish.

The Xincom v. RainConnect comparison reminds me of the Windows v. Linux debate. Linux is a lot cheaper as long as your time isn't worth anything ;-)

(TNSTAAFL == There's no such thing as a free Linux)

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Alan Hoshor [mailto:alan@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, November 16, 2004 4:36 PM
To: [ISAserver.org Discussion List]
Cc: Eric Berglund
Subject: [isalist] More questions [01] on the Dual WAN Xincom XC-DPG602 with ISA in DMZ (inbound failover and load balancing)

http://www.ISAserver.org

Hi Andrew,

Thanks for your response. I hate the way Symantec keeps buying up terrific small companies and then destroying their product while charging more...topic for another day.

I read the manual for the VPN200. There are significant differences between the Xincom XC-DPG602 and the Symantec VPN200. The Xincom XC-DPG602 acts as the authoritative DNS-to-IP that resolves a domain name to its respective IP address. This capability allows for inbound failover and load balancing for servers located behind the gateway. Using dual WAN ports simultaneously increases available bandwidth for both upload and download requests. You can set load balance type by Packets, Bytes rx+tx and Sessions. As Ray Dzek said below, it is more similar to the Radware Linkproof. I'm really quite impressed with Xincom XC-DPG602's capabilities.
I'm relatively certain that I can get it to work once I figure out the right architecture. I think the problem occurs with its need to control NAT on the LAN connections so that it can dynamically allocate packets by using the underlying MAC addresses. I didn't read that in the manual, I just inferred it.

What I was attempting to configure, and it is what Troy depicted and the LinkProof white paper documents, is the Xincom XC-DPG602 in front of our ISA2000 server, and our NAT LAN behind ISA. Where I have difficulty is how to allow access to our servers internally that are mapped in ISA to five static IP addresses. Apparently, the Xincom needs to have NAT running in order to load balance outgoing traffic. It has a DMZ function. What I can't seem to do is to create a DMZ out of the static IP subnet which allows it to address the WAN IP addresses in ISA. The LinkProof paper and Troy didn't discuss it in enough detail for me to understand.

Cheers,
Alan

+++

Subject: RE: More questions on the Dual WAN Xincom XC-DPG602 with ISA in DMZ
From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 15 Nov 2004 18:17:39 -0500
X-Message-Number: 21

Alan,

I use a Linksys BESF41 to get my connection from my ISP. All I had to do was port forward all the ports 1 to 65535 to the ISA box along with opening DMZ for argument's sake. The problem you are going to have with the twin WANs is that you have to keep in mind what goes out must come in. So what goes out on ISP1 must come back on ISP1, otherwise your return information will get lost.

The XC-DPG602 is great for internal load balancing but that's about it. They work the same way as NexLand routers which are now Symantec VPN200s.
Andrew

+++

Subject: RE: Topic: Twin WAN Gateway Xincom XC-DPG602 (load balancing) with ISA2000 as DMZ internal firewall
From: Troy Radtke <TRadtke@xxxxxxxxxxxx>
Date: Thu, 11 Nov 2004 15:14:07 -0600
X-Message-Number: 10

Should work something like this regardless of brand:

connection 1---|
               |---NLB---firewall/proxy---internal network
connection 2---|

The NLB is the DG of your firewall/proxy system. You can infinitely expand the front end to the max capacity of your NLB system. The firewall/proxy only cares that it has a DG that it can reach. However the return path goes is completely up to the NLB and has no effect on the firewall/proxy.

The NLB is completely unaware of the internal networks/DMZs behind the firewall/proxy system. It only cares that something on the backend is there for it to talk to and be its DG if it needs one.

Good luck.

+++

Subject: RE: Topic: Twin WAN Gateway Xincom XC-DPG602 (load balancing) with ISA2000 as DMZ internal firewall
From: "Ray" <rdzek@xxxxxxxxxxxxxxx>
Date: Thu, 11 Nov 2004 13:37:00 -0800

If it is DNS based (which, looking at the website for it, it looks like it is), you have to make significant changes to your DNS environment to get everything to work. So, yes, the load balancer becomes the gateway as all DNS requests are handled by the DPG602 in real-time depending on current network traffic parameters that you set up in the device... AND all the traffic from both connections is routed through the DPG602 to ensure all the traffic is properly routed to both connections.

We use the Radware Linkproof. It works very much the same way. It is all quite complicated, and requires coordination between you, whoever does your DNS, and the vendor.

Your DNS will look something like:

This tells anyone requesting your www site that they have to go ask NameServer DGP1 or DGP2 (your new device) how to find you.
www     NS    DGP1
www     NS    DGP2
DGP1    A     IP address of first link
DGP2    A     IP address of second link

These DNS entries have to work both inside and outside your company if you are running a separate internal DNS server.

When requests come in for your www.stadiumflowers.com site, the DPG602 becomes the DNS authority and using its magic determines which route it wants the request to come over, the DSL or the cable modem. It then also routes the traffic from both connections. This is why it has to be your gateway, as it is routing the traffic for both connections.

Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components
PH: 408-782-5420
FX: 408-782-5421
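
Added example, not part of the original thread and not Xincom's or Radware's actual algorithm: a simplified model of the DNS-based inbound balancing Ray describes, in which the device answers each query for www with the WAN address of a link that is up and least loaded. The addresses, the 30-second TTL and the function names are assumptions; DGP1/DGP2 and the balance types (packets, bytes rx+tx, sessions) come from the messages above.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str            # NS host name from Ray's example (DGP1 / DGP2)
    wan_ip: str          # constructed address from a documentation range
    up: bool             # outcome of the device's link health check
    packets: int = 0
    bytes_rxtx: int = 0
    sessions: int = 0

# Balance types Alan lists, mapped to the counter each one compares.
METRICS = {"packets": "packets", "bytes": "bytes_rxtx", "sessions": "sessions"}

def answer_a_record(links, balance_by="sessions", ttl=30):
    """Pick the WAN address to return for a query for www.

    Returns (ip, ttl), or None when no link is up (no usable answer).
    The short TTL is an assumption; it bounds how long resolvers cache a dead link.
    """
    alive = [link for link in links if link.up]
    if not alive:
        return None
    counter = METRICS[balance_by]
    least_loaded = min(alive, key=lambda link: getattr(link, counter))
    return least_loaded.wan_ip, ttl

def demo():
    """Constructed scenario: DSL on DGP1, cable modem on DGP2."""
    dsl = Link("DGP1", "192.0.2.10", True, 900, 5_000_000, 40)
    cable = Link("DGP2", "198.51.100.10", True, 1200, 2_000_000, 55)
    links = [dsl, cable]
    out = {
        "by_sessions": answer_a_record(links, "sessions"),
        "by_bytes": answer_a_record(links, "bytes"),
    }
    dsl.up = False                      # DSL link fails: inbound failover
    out["failover"] = answer_a_record(links, "sessions")
    cable.up = False                    # both links down
    out["both_down"] = answer_a_record(links, "sessions")
    return out

if __name__ == "__main__":
    for case, answer in demo().items():
        print(case, answer)
```

Because resolvers cache the answer for the TTL, clients can keep trying a failed link for up to that long after the device starts handing out the other address.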