Jim,

My internal ISA box crashed and I've not had a chance to get another one set up. Is it a problem to run a simple SQL machine in the DMZ?

Thanks,
Joseph

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, January 02, 2002 3:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: how to manage using ISA behind a leased line

http://www.ISAserver.org

You can't apply the "securing firewall clients" to SecureNAT clients because they're fundamentally different. Take a read in here for details:

http://isaserver.org/authors/harrison/tutoials/isa-clients-part1.htm
http://isaserver.org/authors/harrison/tutoials/isa-clients-part2.htm
http://isaserver.org/authors/harrison/tutoials/isa-clients-part3.htm

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Gérard Dumazet" <gdumazet@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 02, 2002 14:12
Subject: [isalist] RE: how to manage using ISA behind a leased line

Jim, thanks again. I think this time the situation is clear for me. Unfortunately I can't try it now as I am not in front of the network, but I will do it next week and let you know.

Your tutorial explains all of this, but the point was that I had no hand on the routers, which are managed from outside, and was not able to check the gateways properly.

Last point, for information only: in the last page of the tutorial you mention the configuration for securing firewall clients. Can this config be compatible with SecureNAT clients? I understood it was one way or the other for all subnets. I ask this in case one of the clients needs in the future to be a firewall client in my config.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, January 2, 2002 15:32
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: how to manage using ISA behind a leased line

ISA must also have a route to site B. You enable this by adding site B's subnet to the ISA routing table. If you have RRAS installed, enter it there. If no RRAS on the ISA, use the command:

    route -p add <subnet> mask <netmask> <gateway>

In your case, the command would be:

    route -p add 192.168.1.0 mask 255.255.255.0 192.168.2.1

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Gerard Dumazet" <gdumazet@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 02, 2002 03:09
Subject: [isalist] RE: how to manage using ISA behind a leased line

Sorry for my English.
I read your reply carefully and just realised my question was not clear.

I have only one ISA, in site A; no Exchange server. 2 subnets and one domain, with a PDC in site B and a BDC in site A.

Site A 192.168.2.0
    BDC2000 + ISA
    internal NIC 192.168.2.0, gateway: none
    external NIC 192.168.3.2, gateway 192.168.3.1, ADSL router in site A
    all clients are SecureNAT clients
    Internet fine
    SMTP/POP fine for Outlook Express
    all clients can share with site B, having set static and permanent routes to site B with 192.168.2.1 as gateway

Site B 192.168.1.0
    PDC2000, AD
    NIC 192.168.1.2
    no ISA, no Exchange

How do I configure any client of site B to be able to be a SecureNAT client for ISA on site A and to access shared resources in site A? Pointing the default gateway at site B's router does not help.

-----Original Message-----
From: Gallop, George [mailto:George.Gallop@xxxxxxxxxx]
Sent: Tuesday, January 1, 2002 23:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: how to manage using ISA behind a leased line

Happy New Year.

I am struggling with understanding your English, sorry. I am no guru, but possibly if I explain what I understood of the problem we can try and all help? I have a suggested solution below, so if anyone wants to comment further...

Site A: 192.168.2.x
Site B: 192.168.1.x

Both sites connect through a leased line: router is 192.168.2.1 for Site A and 192.168.1.1 for Site B.

DC / possibly Exchange Server in each site and also ISA Server (?):
    Site A 192.168.2.2
    Site B 192.168.1.2 (?)

I think for clients to access the DCs in each site, you need to do the following:

1. Set the default gateway on the SecureNAT clients to the ISA server in the site.

2. On the ISA Server in each site set a static route, something like (depending on your subnet mask):

    Site B's ISA Server: route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.1 metric
    Site A's ISA Server: route add -p 192.168.1.0 mask 255.255.255.0 192.168.2.1 metric

3. In the LAT for the ISA Server ensure the remote network 192.168.x.x is there.

Lastly, I am not sure, but would the clients using SNAT also need a static route to the remote network, anyone?

Kind regards,
George

-----Original Message-----
From: dumazet [mailto:gdumazet@xxxxxxxxxxx]
Sent: Wednesday, 2 January 2002 4:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] how to manage using ISA behind a leased line

First of all, happy new year to everyone, especially to those who are managing this helpful list.

I already asked such a question one week ago but didn't succeed in getting the right answer, so I formulate my problem again.

It is a small company with 6 boxes in the center of Paris (site A, 192.168.2.0) and another office with 10 boxes (site B, 192.168.1.0). Both offices are connected through a leased line with Cisco 800 routers having addresses 192.168.2.1 for site A and 192.168.1.1 for site B. A Win 2K PDC with AD is in site B and another in site A, 192.168.2.2. Each box in each site has to connect to shared applications or folders in one or the other site. Until now everything was working fine.

To give users access to the Internet and be able to use Outlook Express for Internet mail, we just installed ISA on the BDC of site A: 192.168.2.2, waiting for a better time to use another independent server. We are using a Bewan router on the ADSL line.

OK, everything is working fine for site A with SecureNAT clients (HTTP, SMTP, POP3), even able to use shared folders on site B using add -p routes to site B, but we don't know what to do for site B.

On the internal NIC of ISA 192.168.2.2 we can't include a gateway on the router of site A, 192.168.2.1; accordingly the boxes of site B can't connect to the shared folders or applications running on the ISA box.
All boxes of site B have the router of site B as gateway, 192.168.1.1, but this does not help them to be SecureNAT clients for ISA on site A: applications don't work anymore and Internet is useless.

I am sure for most of you this routing problem should be quite easy to solve, and I just saw one message also on this list near mine, but no one gave an idea, and this is why I ask again.

Thanks for any idea.
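
An added example, not part of any message in the thread: a small Python model of the ISA box's routing table that shows why replies to site B leave through the external NIC until the static route Jim Harrison gives is added, and that also checks George Gallop's point about the LAT. The /24 masks, the on-link entries and the starting LAT are assumptions; the addresses come from the thread.

```python
import ipaddress

def route(net, gateway, nic):
    """One routing-table entry: (network, gateway, outgoing NIC)."""
    return (ipaddress.ip_network(net), gateway, nic)

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    _, gateway, nic = max(hits, key=lambda r: r[0].prefixlen)
    return gateway, nic

def diagnose(routes, lat, client):
    """List what stops the ISA box from answering an internal client."""
    problems = []
    hop = next_hop(routes, client)
    if hop is None:
        problems.append("no route to client")
    elif hop[1] != "internal":
        problems.append(f"reply leaves via {hop[1]} NIC to {hop[0]}")
    addr = ipaddress.ip_address(client)
    if not any(addr in ipaddress.ip_network(n) for n in lat):
        problems.append("client is not in the LAT")
    return problems

# ISA box at site A as described in the thread; /24 masks are assumed
# from the 255.255.255.0 used in the route commands.
ISA_ROUTES = [
    route("192.168.2.0/24", "on-link", "internal"),   # internal NIC, no gateway
    route("192.168.3.0/24", "on-link", "external"),   # external NIC
    route("0.0.0.0/0", "192.168.3.1", "external"),    # default via ADSL router
]
# route -p add 192.168.1.0 mask 255.255.255.0 192.168.2.1
SITE_B_ROUTE = route("192.168.1.0/24", "192.168.2.1", "internal")

LAT_BEFORE = ["192.168.2.0/24"]                    # assumed starting LAT
LAT_AFTER = ["192.168.2.0/24", "192.168.1.0/24"]   # remote network added
SITE_B_HOST = "192.168.1.2"                        # site B PDC from the thread

if __name__ == "__main__":
    print("before:", diagnose(ISA_ROUTES, LAT_BEFORE, SITE_B_HOST))
    print("after: ", diagnose(ISA_ROUTES + [SITE_B_ROUTE], LAT_AFTER, SITE_B_HOST))
```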