RE: SSL Problems with ISA 2004

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 13:55:32 -0800

All I intend to do is add ISA 2004 to the KB; what else are you looking
for?

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Tuesday, January 25, 2005 11:01
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

Thanks, let me know when that KB update is there so I can read up on it!

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday, January 25, 2005 09:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

Short answer to a reeeeeeeeealy long question:

The ISA code doesn't support it.
You're absolutely correct in your design and implementation of your
scenario; for the most part if the Windows routing table supports it, so
does ISA.
The one exception to this is the "multiple Internet connection"
scenario.

I'll get that KB update moving; I'd thought they had it done by now
<sigh>.
Not trying to cause Hate&Discontent (this time) - it's a veeeeery
long-standing issue that we can't afford to get confused with a large
WAN, such as you've created.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Monday, January 24, 2005 9:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

I must apologize if I am offending you, by no means do I wish to
"argue".  I ask these questions not to antagonize, but because I don't
have a clear answer.  I find it disconcerting to myself that someone so
prominent in the field says what I have won't work, and I cannot
understand why.  If true, then I have to completely re-design my entire
network...

Let me explain this a bit further so you can hopefully understand why I
find this topic confusing...

First to respond to a couple of points in the last e-mail:

- Using the same "service provider": The two external networks I have
are completely separate, separate providers, separate IP ranges, even
different domain names.  These two networks cannot even reach each other
without traveling halfway across the US and back.  The only connection
between the two is geographical location, and the fact that they are
both connected to the same ISA server.  Hence, the only same "service
provider" involved is my ISA box.

- Have I read the manual?: You betcha, I've read every manual I could
find on this long before I started, all the whitepapers I could find,
every bit of marketing "spew" (I love that term!) I could find,
darn-near every KB article, and the official Microsoft Course book for
the ISA server class (tried to take class also, but it was cancelled).
Damn can that stuff put you to sleep!

But, let's ignore that part for now, it's mostly irrelevant. Please bear
with me as I retrace my line of thought on this to see if you can follow
where I'm coming from.  Whenever possible, I will copy it verbatim to
avoid paraphrasing.

First of all, I ditched the ISP term, since it causes so much
confusion...

To start this quest, I first looked up what a "network" is...

Quote: From an ISA Server perspective, a network is a rule element,
which can contain one or more ranges of Internet Protocol (IP)
addresses. Networks include one or more computers, typically
corresponding to a physical network. 

That didn't really answer a lot, but it was a start. The next question
was "how many" networks ISA 2004 supports:  I found that referenced all
over the place, referred to as Multi-networking, a new feature in ISA
2004.

Quote: You can configure one or more networks, each with distinct
relationships to other networks. Access policies are defined relative to
the networks, and not necessarily relative to a given Internal network.
Whereas in ISA Server 2000, all traffic was inspected relative to a
local address table (LAT) that included only address ranges on the
Internal network, ISA Server 2004 extends the firewall and security
features to apply to traffic between any networks.

>Note the phrase "traffic between any networks".<

But that didn't really answer my question about "how many", so I looked
some more, and found this one:

Quote: ISA Server 2004 supports multi-networking. This means that you
can configure an unlimited number of networks on ISA Server. 

So, at this point, we know we can create an unlimited number of
internal, external, or perimeter networks.  (When you run the New
Network wizard, it will ask you if it is one of these three.)  Now to
figure out what each network is defined as.

Quote: Throughout this Quick Start Guide, we will refer to internal and
external interfaces. The internal interface is the Ethernet card or
modem connecting the ISA Server 2004 firewall computer to your private
network or LAN. The external interface is a network interface connecting
you to the Internet.

Now we know that Internal networks are your private network, and
External networks are "Internet" networks. At this point, it's still a
little ambiguous, so I looked some more.  I noticed that many of the
documents used the phrase "External Network (Internet)" whenever
referencing an External network, but it still wasn't clear enough.

Quote: ISA Server 2004 considers all networks that are not the External
network to be protected. All networks comprising the External network
are unprotected. Protected networks include the VPN Clients network, the
Quarantined VPN Clients network, the Local Host network, the internal
network, and perimeter networks. The Internet is the primary External
network; although, partner networks and extranets to which protected
clients connect can be considered External networks.

Okay, now this one explains the External=Internet reference a bit more,
and also defines the Protected network reference.  This makes sense,
your internal, private network is "protected", and everything else is
"unprotected".  (Come to think of it, I can't think of a much better
description of the Internet.)

So, now we can summarize it as such... We can create an unlimited number
of Internal, Perimeter, or External networks.  We can route traffic and
set different policies between any/all of these networks.  Your local,
private network is an Internal network, and the Internet is the primary
"external" network, but not necessarily the only one.

Far, far, beyond a "remote hint", it seems (to me, anyways) that all the
reference material pretty much comes right out and tells you that you
can create an unlimited number of Internet (external, unprotected)
networks, and route traffic between them.  This is taken directly from
the Microsoft literature, so it is not simply something I made up.

But, that still doesn't explain why it seems like a bombshell of a
concept to the professionals in the business, so I looked further,
everywhere I could find over the last two days, for some reference
saying "No, you cannot create more than one Internet connection in ISA
2004".  Unfortunately, I could not find any reference whatsoever to that
idea, no matter where I looked.  I remember when I tried creating
multiple external networks in ISA 2000 a couple of years ago.  It took
me a couple of hours, but I finally found a KB article that came right
out and said, "there can be only one".  That is not the case with ISA
2004 though, in fact, it's just the opposite. Everywhere I look, it says
either Multiple or Unlimited connections.

So, hopefully you can follow my ramblings, and can see why I keep asking
"why?", or maybe it would be better described as "why not?".  Please
give me a good answer on this so I can stop waking up in the middle of
the night thinking about it (my wife will be pleased about this part
also)...



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, January 22, 2005 19:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

Fine; let's clarify it for you, then:
"ISA does not support multiple connections to the Internet".

The fact that you can create a special routing circumstance between
distant entities via the same "service provider" does NOT fall into the
"multiple Internet connection" category.

None of the ISA marketing spew even remotely hinted at being able to use
multiple Internet connections.
"External" networks (if you actually read the documentation that shipped
with ISA) refers to "non-protected networks".

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.