http://www.ISAserver.org
-------------------------------------------------------

Avoid playing silly routing table games for traffic control when you have ISA firewall policies at your fingertips. Routing table "tricks" do little more than add unnecessary complexity to an already complex routing structure.

When you define the S2S VPN connections using the ISA VPN weirdzards (you _did_ use the weirdzards?), the relevant network objects will be created for you. Whether these use Route or NAT relationships depends on how you want the clients to be seen by the remote host: as their own IP or as the ISA-local IP for the destination network. If you use route mode, then the hosts at the remote network need to have a route back across the VPN tunnel to the local machine.

Yes; absolutely create subnets, computer sets and computer objects for relevant entities in the various networks. This helps make your ISA rules more granular, and by extension, more secure. Avoid the temptation to create specific rules where implied ones already exist, though.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Tuesday, February 19, 2008 1:56 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Multi Site Help

We are using ISA 2004 SP3 and we have 2 sites with a VPN site-to-site connection between them. Each site, A and B, has 3 different internal networks. How do I set up Networks and Network Rules so that each of the individual Networks (A1, A2, A3, B1, B2, B3) are routed to each other, but some networks have restricted access to each other? I know how to set up the rules for access/no access, but I am at a loss how to set up the routes. The goal is to have some networks be able to access other networks, but not all. Locally, this is not a problem, but between the remote sites I'm having an issue understanding the allowance of certain connections, i.e. A1 to B1 and B2, but not B2 to A1.
Again, I understand the rules, but the Networks and Network Rules are where I'm having difficulties. I am also not sure how this affects the site-to-site VPN. I noticed that there are networks that represent a remote VPN site-to-site connection. Should these include all the Networks at the other sites? Is it as simple as allowing routes between all the sites but creating Address Ranges or Computer Sets for allowance/restrictions in the Firewall Policies?

Thank you in advance.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

________________________________

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
Rutgers University - DIA, 83 Rockafeller Road, Piscataway, NJ
www.scarletknights.com ***

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
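As an added illustration of the two-layer model the reply above describes for Steve's question (a Network Rule with a Route or NAT relationship decides whether two networks are connected at all; the ordered firewall policy then decides what is allowed), here is a small Python model. It is not ISA code or its object model, and the address ranges for A1 to B3 are constructed for the example.

```python
# Simplified model of how ISA 2004 decides cross-network traffic: a Network Rule
# must connect the two networks, then the ordered policy applies. Not ISA's code.
import ipaddress

# Constructed address ranges for the six networks named in the thread.
NETWORKS = {
    "A1": "10.1.1.0/24", "A2": "10.1.2.0/24", "A3": "10.1.3.0/24",
    "B1": "10.2.1.0/24", "B2": "10.2.2.0/24", "B3": "10.2.3.0/24",
}
# Network rules (source nets, destination nets, relationship); Route works both
# ways, NAT only from source to destination.
NETWORK_RULES = [
    ({"A1", "A2"}, {"B1", "B2"}, "Route"),
    ({"A3"}, {"B3"}, "NAT"),
]
# Access rules in policy order; first match wins, ISA's default rule denies.
ACCESS_RULES = [
    ("Allow A1 to B1/B2", {"A1"}, {"B1", "B2"}),
    ("Allow A3 to B3", {"A3"}, {"B3"}),
]

def network_of(ip):
    """Return the name of the network object containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def network_rule(src_net, dst_net):
    """Return the relationship that lets src_net reach dst_net, or None."""
    for srcs, dsts, rel in NETWORK_RULES:
        if src_net in srcs and dst_net in dsts:
            return rel
        if rel == "Route" and src_net in dsts and dst_net in srcs:
            return rel  # Route relationships work in both directions
    return None

def evaluate(src_ip, dst_ip):
    """Return (decision, reason) for a connection from src_ip to dst_ip."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    if src_net is None or dst_net is None:
        return "deny", "address is not in any defined network"
    if src_net == dst_net:
        return "allow", f"same network {src_net}; traffic never reaches ISA"
    rel = network_rule(src_net, dst_net)
    if rel is None:
        return "deny", f"no network rule between {src_net} and {dst_net}"
    for name, srcs, dsts in ACCESS_RULES:
        if src_net in srcs and dst_net in dsts:
            return "allow", f"{name} over {rel} relationship"
    return "deny", "default rule"
```

B2 to A1 is denied by the default rule even though the Route relationship connects the networks, while B3 to A3 is dropped earlier because the NAT rule does not exist in that direction.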