[isalist] Re: Multi Site Help

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Feb 2008 15:44:49 -0800

http://www.ISAserver.org
-------------------------------------------------------

Avoid playing silly routing table games for traffic control when you have ISA 
firewall policies at your fingertips.  Routing table "tricks" do little more 
than add unnecessary complexity to an already complex routing structure.

When you define the S2S VPN connections using the ISA VPN weirdzards (you _did_ 
use the weirdzards?), the relevant network objects will be created for you.  
Whether these use Route or NAT relationships depends on how you want the 
clients to be seen by the remote host; as their own IP or as the ISA-local IP 
for the destination network.  If you use route mode, then the hosts at the 
remote network need to have a route back across the VPN tunnel to the local 
machine.

Yes; absolutely create subnets, computer sets and computer objects for relevant 
entities in the various networks. This helps make your ISA rules more granular, 
and by extension, more secure. Avoid the temptation to create specific rules 
where implied ones already exist, though.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Tuesday, February 19, 2008 1:56 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Multi Site Help

We are using ISA 2004 SP3 and we have 2 sites with a VPN site-to-site 
connection between them.  Each site, A and B, has 3 different internal 
networks.  How do I set up Networks and Network Rules so that each of the 
individual Networks (A1, A2, A3, B1, B2, B3) are routed to each other, but some 
networks have restricted access to each other?  I know how to set up the rules 
for access/no access, but I am at a loss how to set up the routes.

The goal is to have some networks be able to access other networks, but not 
all.  Locally, this is not a problem, but between the remote sites I'm having 
an issue understanding the allowance of certain connections, i.e. A1 to B1 and 
B2, but not B2 to A1.  Again, I understand the rules, but the Networks and 
Network Rules are where I'm having difficulties.  I am also not sure how this 
affects the site-to-site VPN.  I noticed that there are networks that represent 
a remote VPN site-to-site connection.  Should these include all the Networks at 
the other sites?  Is it as simple as allowing routes between all the sites but 
creating Address Ranges or Computer Sets for allowance/restrictions in the 
Firewall Policies?

Thank you in advance.

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
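To sanity-check a design like the one discussed above before touching the firewall, here is an added, simplified model of ISA's evaluation order (network rule first, then access rules top-down with first match, then default deny). It is example code written for this thread, not ISA's own engine or API; the network names, address ranges and rules are constructed, and B3 is deliberately left out of the site-to-site network rule to show what a missing rule does.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: three internal networks per site, as in the thread.
NETWORKS = {
    "A1": ip_network("10.1.1.0/24"), "A2": ip_network("10.1.2.0/24"), "A3": ip_network("10.1.3.0/24"),
    "B1": ip_network("10.2.1.0/24"), "B2": ip_network("10.2.2.0/24"), "B3": ip_network("10.2.3.0/24"),
}

# Network rules: (source networks, destination networks, relationship). A Route
# relationship applies in both directions; NAT is evaluated only from its source side.
# B3 is deliberately left out of the site-to-site rule to show what a missing rule does.
NETWORK_RULES = [
    ({"A1", "A2", "A3"}, {"A1", "A2", "A3"}, "Route"),
    ({"B1", "B2", "B3"}, {"B1", "B2", "B3"}, "Route"),
    ({"A1", "A2", "A3"}, {"B1", "B2"}, "Route"),  # site-to-site VPN (constructed)
]

# Access rules: (action, source networks, destination networks), evaluated top-down,
# first match wins. Traffic matching no rule falls through to the default deny.
ACCESS_RULES = [
    ("allow", {"A1"}, {"B1", "B2"}),              # A1 may reach B1 and B2 ...
    ("deny", {"B2"}, {"A1"}),                     # ... but B2 may not reach A1
    ("allow", {"A1", "A2", "A3"}, {"A1", "A2", "A3"}),
]

def network_of(ip):
    """Map an address to its network object name, or None if it is in no network."""
    addr = ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), None)

def relationship(src, dst):
    """Relationship defined by the first matching network rule, or None."""
    for sources, dests, rel in NETWORK_RULES:
        if src in sources and dst in dests:
            return rel
        if rel == "Route" and src in dests and dst in sources:
            return rel
    return None

def evaluate(src_ip, dst_ip):
    """Return (verdict, reason) for a connection attempt from src_ip to dst_ip."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address not in any defined network"
    rel = relationship(src, dst)
    if rel is None:
        return "deny", f"no network rule between {src} and {dst}"
    for action, sources, dests in ACCESS_RULES:
        if src in sources and dst in dests:
            return action, f"{rel} relationship; matched {action} rule {src}->{dst}"
    return "deny", f"{rel} relationship; no access rule matched (default deny)"
```

Running `evaluate` over the pairs the question asks about shows that the asymmetry (A1 to B2 allowed, B2 to A1 denied) lives entirely in the access rules, while a network without a network rule is dropped before any access rule is consulted.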
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx