More questions on the Dual WAN Xincom XC-DPG602 with ISA in DMZ

  • From: "Alan Hoshor" <alan@xxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 15 Nov 2004 15:01:52 -0800

Thank you, Troy and Ray, for your prompt and lengthy replies.  I just read
the LinkProof white paper and agree that both the Xincom XC-DPG602 and
the LinkProof work on the same principles.  The Xincom cost only $630 at
NewEgg, so it is targeted at a lower-tier market.  It is the first such
product that our floral business could afford.  We are a Microsoft shop
with Exchange, SharePoint, SQL Server, and host our own web site.  Due
to archaic Telco infrastructure, we can't get DSL faster than 384K.  So we
were very excited about the recent availability of COMCAST digital cable
for business.  That combined with the Xincom XC-DPG602 made it seem that
our Internet access issues were solved.

I know <smile> dreaming again.  We have a static IP subnet allocated to
us from our ISP with whom we connect via PPPoE.

What I was attempting to configure, and what Troy depicted and the
LinkProof white paper documents, is the Xincom XC-DPG602 in front of our
ISA2000 server, with our NAT LAN behind ISA.  Where I have difficulty is
how to allow access to our servers internally that are mapped in ISA to
five static IP addresses.  Apparently, the Xincom needs to have NAT
running in order to load balance outgoing traffic.  It has a DMZ
function.  What I can't seem to do is to create a DMZ out of the static
IP subnet which allows it to address the WAN IP addresses in ISA.  I've
stumped the Xincom tech support but was not willing to give up until I
understand why it won't work.  The LinkProof paper and Troy didn't
discuss it in enough detail for me to understand.

Can either of you comment?

Cheers,
Alan Hoshor
alan@xxxxxxxxxxxxxxxxxx

+++

Subject: RE: Topic: Twin WAN Gateway Xincom XC-DPG602 (load balancing) with ISA2000 as DMZ internal firewall
From: Troy Radtke <TRadtke@xxxxxxxxxxxx>
Date: Thu, 11 Nov 2004 15:14:07 -0600
X-Message-Number: 10

Should work something like this regardless of brand:

connection 1---|
               |------------NLB------firewall/proxy------internal network
connection 2---|

The NLB is the DG of your firewall/proxy system.  You can infinitely
expand the front end to the max capacity of your NLB system.  The
firewall/proxy only cares that it has a DG that it can reach.  However,
the return path taken is completely up to the NLB and has no effect on
the firewall/proxy.

The NLB is completely unaware of the internal networks/DMZs behind the
firewall/proxy system.  It only cares that something on the backend is
there for it to talk to and be its DG if it needs one.

Good luck.

+++

Subject: RE: Topic: Twin WAN Gateway Xincom XC-DPG602 (load balancing) with ISA2000 as DMZ internal firewall
From: "Ray" <rdzek@xxxxxxxxxxxxxxx>
Date: Thu, 11 Nov 2004 13:37:00 -0800

If it is DNS based (which, looking at the website for it, it looks like it
is), you have to make significant changes to your DNS environment to get
everything to work.  So, yes, the load balancer becomes the gateway, as
all DNS requests are handled by the DPG602 in real time depending on
current network traffic parameters that you set up in the device... AND all
the traffic from both connections is routed through the DPG602 to ensure
all the traffic is properly routed to both connections.

We use the Radware LinkProof.  It works very much the same way.  It is
all quite complicated, and requires coordination between you, whoever
does your DNS, and the vendor.

Your DNS will look something like:

This tells anyone requesting your www site that they have to ask
NameServer DGP1 or DGP2 (your new device) how to find you.

www        NS        DGP1
www        NS        DGP2

DGP1        A        IP address of first link
DGP2        A        IP address of second link

These DNS entries have to work both inside and outside your company if
you are running a separate internal DNS server.

When requests come in for your www.stadiumflowers.com site, the DPG602
becomes the DNS authority and, using its magic, determines which route it
wants the request to come over: the DSL or the cable modem.  It then
also routes the traffic from both connections.  This is why it has to be
your gateway, as it is routing the traffic for both connections.

Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components
PH:  408-782-5420
FX:  408-782-5421
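
The delegation Ray sketches is easy to get half-right, especially when an internal DNS server carries its own copy of the zone. The following is an added example, not code from the thread or from Xincom or Radware: it parses a constructed BIND-style fragment of the parent zone that mirrors Ray's table and checks that "www" is delegated to one NS per link, that each NS name has an address the parent can answer for, and that the internal and external copies agree. The zone name example.com, the host names DGP1/DGP2, and the link addresses (RFC 5737 documentation ranges) are assumptions, not values from the posts.

```python
"""Check a two-link DNS delegation of the kind described in the thread.

Added example (not from the posts). Zone name, host names and addresses
below are placeholders chosen for the illustration.
"""
import re

# Constructed external view of the parent zone: "www" is delegated to the
# load balancer, which is reachable on both links under two names.
EXTERNAL_ZONE = """
$ORIGIN example.com.
$TTL 3600
@      IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@      IN NS  ns1.example.com.
ns1    IN A   203.0.113.2
www    IN NS  DGP1.example.com.
www    IN NS  DGP2.example.com.
DGP1   IN A   203.0.113.10
DGP2   IN A   198.51.100.10
"""

# Constructed internal copy with the kind of slip the thread warns about:
# the second delegation record and its address were never added.
INTERNAL_ZONE_BROKEN = """
$ORIGIN example.com.
$TTL 3600
www    IN NS  DGP1.example.com.
DGP1   IN A   203.0.113.10
"""

# owner [ttl] [IN] (NS|A) rdata  -- the only two record types this check needs
RECORD_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?(NS|A)\s+(\S+)", re.I)


def qualify(name, origin):
    """Turn a relative owner/target into a lowercase fully qualified name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return {'ns': {owner: set(targets)}, 'a': {owner: set(addresses)}}."""
    origin = "."
    ns, a = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):                 # $TTL etc. are irrelevant here
            continue
        m = RECORD_RE.match(line)
        if not m:                                # SOA and other types ignored
            continue
        owner, _ttl, rtype, rdata = m.groups()
        owner = qualify(owner, origin)
        if rtype.upper() == "NS":
            ns.setdefault(owner, set()).add(qualify(rdata, origin))
        else:
            a.setdefault(owner, set()).add(rdata)
    return {"ns": ns, "a": a}


def check_delegation(zone, name):
    """List problems with the delegation of `name` (empty list means OK)."""
    problems = []
    targets = zone["ns"].get(name, set())
    if len(targets) < 2:
        problems.append(f"{name}: need one NS per link, found {len(targets)}")
    addrs = set()
    for target in sorted(targets):
        got = zone["a"].get(target)
        if not got:
            problems.append(f"{target}: NS target has no A record in this zone")
        else:
            addrs |= got
    if targets and len(addrs) < len(targets):
        problems.append(f"{name}: NS targets do not map to distinct link addresses")
    return problems


def compare_views(external, internal, name):
    """Internal and external copies must delegate `name` identically."""
    diffs = []
    if external["ns"].get(name) != internal["ns"].get(name):
        diffs.append(f"{name}: NS sets differ between views")
    for target in sorted(external["ns"].get(name, set())):
        if external["a"].get(target) != internal["a"].get(target):
            diffs.append(f"{target}: A records differ between views")
    return diffs


if __name__ == "__main__":
    ext = parse_zone(EXTERNAL_ZONE)
    internal = parse_zone(INTERNAL_ZONE_BROKEN)
    for p in check_delegation(ext, "www.example.com."):
        print("external:", p)
    for p in check_delegation(internal, "www.example.com."):
        print("internal:", p)
    for d in compare_views(ext, internal, "www.example.com."):
        print("mismatch:", d)
```

Run it and the external view passes while the internal copy is flagged twice: the delegation names only one link, and the second NS name has no address. Because the balancer, not the parent zone, answers the A query for www, its answers also need a short TTL, or resolvers keep sending traffic to a link that has gone down for as long as the cached record lives.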

