Hi Dan,

OK, these are good issues. What I need to do is boil down the "generic" issues from this and include some guidance on it. What I glean from your experiences are:

* How to deal with autodiscovery in a multi-segment/NIC environment
* How to deal with Network Rules in a multi-segment/NIC environment
* How to deal with Web proxy and Firewall client listeners in a multi-segment/NIC environment

I have this type of setup in my own office, as I have production, WLAN (guest), WLAN (private), wired (guest) and public interfaces on one of our ISA firewalls, so most of it would work with just a discussion on how I use it. Of course, I could expand on it by explaining how I use the ISA firewalls here in a multi-NIC/multi-ISP (without RainConnect) environment. (No, I don't do PBR or bandwidth aggregation :)

Any other general concepts that I missed?

Tom
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls

________________________________
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Monday, February 14, 2005 9:04 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Understanding IS Firewall Networks article...

http://www.ISAserver.org

Okay, here was the dilemma I ran into. It made sense once you thought about it, but wasn't exactly obvious at first.

My setup:
NIC1 -> 10.20.x.x -> LAN
NIC2 -> 10.6.x.x -> WAN

I added the LAN and it worked great. Then I added the WAN by setting it up the same way and adding its IP ranges to the default Internal Network. This "seemed" like it should work, as it was part of the Internal Network. I then found out (from the users) that although it was working on the Intranet, they could not reach the Internet at all. I fought with this for a couple of days, trying every combination I could think of, going through every tutorial I could find, etc...
Finally we opened a case with Microsoft to resolve it, as we had exhausted every other possible resource. What Microsoft found (after packet captures, etc.) was that the packets weren't going through because they were coming from the 10.6.x.x subnet, and the proxy server was listening for outbound connections on the 10.20.x.x subnet. If we put the IP address for NIC2 in the proxy settings of a client on the WAN, it worked just fine. The proxy settings were using a hostname, which resolved to the IP address of NIC1 instead of NIC2.

Now the part that was a bit confusing was how to set up the clients with different proxy settings (we have to use the Proxy to get SurfControl to work). I had previously forced all those settings through AD Group Policy. This worked, but everyone got the same settings. I thought about moving the proxy settings to the computer portion of the Group Policies, to give different settings, but we frequently have users bringing laptops to other buildings so that wouldn't work.

The only solution that seemed practical was to install the Firewall Client on each workstation, which would then configure the proxy settings. This was a simple process, as all I had to do was add it as "managed software" via Group Policy. However, before I could get that installed, there was a discrepancy with the settings the client received. After conferring with Microsoft again, it was traced down to an invalid WPAD entry. Apparently we couldn't pass out the WPAD entry via DNS because then everyone would get the same setting. So, we removed it from the DNS and added it to the DHCP settings, with different entries depending on what subnet the computer was plugged into. Now the computers were getting the correct WPAD entries, and I could install the Firewall Client on all computers.

So, I rebuilt the ISA server settings almost from scratch at that point.

- I added an internal Network for the LAN, with the appropriate Firewall Client settings.
- I added an internal Network for the WAN, with the appropriate Firewall Client settings.
- I created a Network Set, containing those two Networks, to use in all the policies to reference the internal Networks.
- I created a Network Rule, to "route" traffic between those two networks.
- I created a Firewall Policy to allow ALL traffic between those two networks.
- I modified every policy on the system that referred to the Internal Network to refer instead to the Network Set for internal Networks.

Note: Since we also have multiple external Networks, I repeated several of the above steps to use a Network Set for all external Networks also.

Once we got all this in place, things started working like they were supposed to. It all boiled down to the fact that the ISA server was doing exactly what it was supposed to do; it filtered the traffic passing between different subnets. Because the settings were pointed to IP addresses on different subnets, they got filtered out and weren't allowed through.

I have since found a couple of other things I could have done, such as multiple IP addresses for the DNS server WPAD entry, and site-level Group Policy settings. I tried the multiple IPs in the DNS server (theoretically it is supposed to resolve to the IP on the subnet the computer is on), but it didn't work right away and I didn't take the time to pursue it further. The site-level policies idea also sounded good, but I didn't implement that because the Firewall Client works so smoothly, and if someone attempts to use their laptop on a network other than ours it is more likely to work without having to go in and manually change proxy settings.

Any other questions about this? I'm sure I must have left some step out; it was a busy couple of weeks.

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, February 14, 2005 08:42
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Understanding IS Firewall Networks article...
Hi Dan,

This is great! I actually have set up the multiple internal Networks scenario in several locations. What is the stuff that you find confusing or unclear about the multiple internal Network config on a multiple NIC ISA firewall? I can do another article to help clarify those issues.

Thanks!
Tom
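Dan's root cause above (a proxy hostname resolving to the 10.20.x.x listener for 10.6.x.x clients, so the request crossed an ISA Network boundary) can be modelled as a small check: which ISA Network a client and its proxy listener sit in, which DNS A record a client on a given segment should use, and one WPAD URL per DHCP scope. This is an added example, not code from the thread or from ISA Server; the /16 masks, listener addresses and wpad.dat URL are constructed assumptions.

```python
"""Model of the per-Network proxy listener problem from the thread (added example).

ISA 2004 treats each Network object as a boundary: a client on one Network
talking to a Web proxy listener address on another Network goes through the
Network Rules and Firewall Policy instead of reaching the listener directly.
Ranges are the thread's 10.20.x.x / 10.6.x.x; masks and listener IPs are assumed.
"""
from ipaddress import ip_address, ip_network

# ISA Network objects as Dan rebuilt them: one per NIC, each with its own listener.
ISA_NETWORKS = {
    "LAN": {"ranges": [ip_network("10.20.0.0/16")], "listener": ip_address("10.20.0.1")},
    "WAN": {"ranges": [ip_network("10.6.0.0/16")], "listener": ip_address("10.6.0.1")},
}


def network_of(addr):
    """Return the ISA Network name containing addr, or None if it is in no defined Network."""
    for name, net in ISA_NETWORKS.items():
        if any(addr in r for r in net["ranges"]):
            return name
    return None


def check_proxy_path(client, proxy):
    """Classify a client -> proxy listener pair the way the ISA Network model does."""
    c, p = network_of(ip_address(client)), network_of(ip_address(proxy))
    if c is None or p is None:
        return "undefined-network"
    if c == p:
        return "same-network"
    # Needs a Network Rule plus an access rule between the two Networks; this is
    # exactly the path that was filtered before Dan's rebuild.
    return "crosses-network"


def pick_listener(client, resolved):
    """From a hostname's A records, pick the address on the client's own Network
    (the 'multiple IPs in DNS' idea). Returns None if no record qualifies."""
    c = network_of(ip_address(client))
    for addr in resolved:
        if network_of(ip_address(addr)) == c:
            return addr
    return None


def dhcp_wpad_scopes(url_template="http://{listener}/wpad.dat"):
    """One WPAD URL per DHCP scope, keyed by scope prefix, each pointing at that
    Network's own listener (Dan's per-subnet DHCP approach; URL form is assumed)."""
    return {str(r): url_template.format(listener=net["listener"])
            for net in ISA_NETWORKS.values() for r in net["ranges"]}
```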