Geekzone: technology news, blogs, forums
Go Hawks!
#28584 4-Dec-2008 23:46

Has anyone created a bridging firewall using Microsoft ISA Server? Can this be done? I've managed to get this going (both as a transparent firewall and as a non-transparent firewall) under Linux / OpenBSD / FreeBSD variants before, but never tried under Microsoft's solution.

The reason for wanting this is to be able to split an existing LAN in two without having to change (too much) of the existing infrastructure.

I'm 90% positive that I'm going to have to create two logical networks and route between the two to accomplish this properly, but would like to know if it's possible to simply use a bridge functionality instead.

Thanks all.


Cloud Guru
#182176 5-Dec-2008 00:08

What is the end result you are looking for?

For example, do you want computers on two different IP networks to be able to talk to one another (e.g. computer 10.0.0.1 talking to computer 192.168.0.1), or do you just want computers on each network to be able to browse the internet via a single ISA server?

Go Hawks!
#182179 5-Dec-2008 00:13

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN Machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions through the ISA server.  As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

All the machines I want to be on the same logical segment, i.e. all machines will be within 192.168.0.0/24.

Thanks.

Cloud Guru
#182648 7-Dec-2008 22:51

wazzageek:

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN Machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions through the ISA server.  As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

All the machines I want to be on the same logical segment, i.e. all machines will be within 192.168.0.0/24.

Thanks.



I would think that an ISA server with 3 NICs (LAN1, LAN2 and WAN) would be the easiest option, and I would make the two LANs use different subnets, e.g. 192.168.0.0/24 and 192.168.1.0/24. As long as all the machines use ISA as the default gateway there should be no problem communicating between each other; you will need to put in an allow rule between LAN1 and LAN2 though. For the restrictions on the internet you would then just set up a rule with the LAN2 source, allowed destinations and protocols, and away you go.

Go Hawks!
#182671 8-Dec-2008 08:44

Thanks Regs,

I don't need the third card; I can see where you're coming from. I'm going to have to find some time and sit with the manuals and figure out if it's possible. Currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilise the proxy server; of course, this assumes that all the required traffic can be proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.

Cloud Guru
#183425 10-Dec-2008 23:36

wazzageek: Thanks Regs,

I don't need the third card; I can see where you're coming from. I'm going to have to find some time and sit with the manuals and figure out if it's possible. Currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilise the proxy server; of course, this assumes that all the required traffic can be proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.


You don't need to use the "proxy server" part of ISA in order to selectively block traffic; you do if you want to be able to block it by NT username, though. All traffic going out via ISA traverses the firewall rules.

Another option would be to create a DHCP range for the set of PCs you want to restrict and give them IP reservations (using their MAC addresses, of course), then create a rule for that range of source IPs.

Go Hawks!
#183427 10-Dec-2008 23:49

That's true, but that also relies on the client machine not being tampered with, i.e. the DHCP being turned off or a different login being used. The idea is to physically lock down the machines (hence the MAC address filtering).

It all seems too hard (and as this is a nice-to-have and a side project) I think I'm just going to work with multiple subnets.

As ASCII art, this is what I'll end up accomplishing:

(Protected Machines) - [subnet 1 / physical net 1 / logical net 1] - (MS ISA server) - [subnet 2 / physical net 2 / logical net 2] - (Outside world router and only NAT device) - (Interwebnet cloud)
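An added illustration, not part of the thread and not ISA Server code: the Python below models the two designs proposed in this thread, regs' suggestion of a DHCP reservation range with a source-IP rule on the flat LAN, and the separate-subnet layout in the diagram above, using the rule logic as the posts describe it (an allow rule between the two LANs, a destination/protocol whitelist for the protected side, everything else from the protected side denied). Hosts, MAC addresses, address ranges, permitted destinations and rule names are constructed, and the spoofed-source drop is a model of ISA's network-definition-based spoof detection, not its code.

```python
"""Model of the two ISA designs discussed in this thread (added illustration;
not ISA Server code and not taken from the thread).

Design A: one flat 192.168.0.0/24; restricted PCs get DHCP reservations and a
firewall rule keyed on that reserved IP range.
Design B: restricted PCs moved to 192.168.1.0/24 behind a dedicated ISA NIC
(LAN1), with the existing LAN and the NAT router on the other NIC (LAN2).

All hosts, MAC addresses, ranges, destinations and rule names are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Destinations and protocols the protected machines are permitted to reach.
# TEST-NET addresses stand in for real sites; a streaming port is included
# because the thread notes the traffic is not just web browsing.
ALLOWED_DESTINATIONS = {"203.0.113.10", "203.0.113.11"}
ALLOWED_PROTOCOLS = {"tcp/80", "tcp/443", "udp/1935"}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "LAN" (design A), "LAN1"/"LAN2" (design B)
    src: str
    dst: str
    proto: str   # e.g. "tcp/443"


def permitted_outbound(pkt: Packet) -> bool:
    return pkt.dst in ALLOWED_DESTINATIONS and pkt.proto in ALLOWED_PROTOCOLS


# ---- Design A: flat LAN, restriction keyed on a reserved IP range ----------
FLAT_LAN = ipaddress.ip_network("192.168.0.0/24")
RESERVATIONS = {                      # MAC -> reserved IP, as configured on the DHCP server
    "00-11-22-33-44-01": "192.168.0.201",
    "00-11-22-33-44-02": "192.168.0.202",
}
RESTRICTED_RANGE = (ipaddress.ip_address("192.168.0.200"),
                    ipaddress.ip_address("192.168.0.211"))
POOL_ADDRESS = "192.168.0.50"         # stands in for the dynamic pool everyone else draws from


def dhcp_offer(mac: str) -> str:
    """The DHCP server is the only place the MAC address is ever consulted."""
    return RESERVATIONS.get(mac, POOL_ADDRESS)


def design_a(pkt: Packet) -> str:
    src = ipaddress.ip_address(pkt.src)
    if src not in FLAT_LAN:
        return "deny: source not on the LAN"
    if ipaddress.ip_address(pkt.dst) in FLAT_LAN:
        return "allow: same segment"          # same-segment traffic never reaches the firewall
    if RESTRICTED_RANGE[0] <= src <= RESTRICTED_RANGE[1]:
        if permitted_outbound(pkt):
            return "allow: restricted range to permitted destination"
        return "deny: restricted range, destination not permitted"
    return "allow: unrestricted LAN host"     # the firewall only ever sees the source IP


# ---- Design B: protected hosts on their own subnet behind ISA's LAN1 NIC ---
NETWORKS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),   # protected machines
    "LAN2": ipaddress.ip_network("192.168.0.0/24"),   # existing LAN, NAT router beyond it
}


def network_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"   # anything not defined as an internal network


def design_b(pkt: Packet) -> str:
    # A source address outside the network defined for the arrival interface
    # is dropped as spoofed (a model of ISA's spoof detection, which works from
    # the network definitions). Changing a PC's IP no longer changes its rule.
    if ipaddress.ip_address(pkt.src) not in NETWORKS[pkt.iface]:
        return f"deny: spoofed source on {pkt.iface}"
    if network_of(pkt.dst) in NETWORKS:
        return "allow: LAN1 <-> LAN2 access rule"      # the explicit rule regs mentions
    if pkt.iface == "LAN1":
        if permitted_outbound(pkt):
            return "allow: LAN1 to permitted destination"
        return "deny: LAN1, destination not permitted"
    # With regs' three-NIC layout LAN2 also transits ISA; in the two-NIC
    # topology in the final post LAN2 reaches the NAT router directly.
    return "allow: LAN2 unrestricted"


if __name__ == "__main__":
    blocked_site = "198.51.100.5"   # constructed: a site not on the whitelist
    print("A, reserved IP:", design_a(Packet("LAN", dhcp_offer("00-11-22-33-44-01"), blocked_site, "tcp/443")))
    print("A, static IP  :", design_a(Packet("LAN", "192.168.0.50", blocked_site, "tcp/443")))
    print("B, own subnet :", design_b(Packet("LAN1", "192.168.1.201", blocked_site, "tcp/443")))
    print("B, static IP  :", design_b(Packet("LAN1", "192.168.0.50", blocked_site, "tcp/443")))
```

Running it shows the difference the thread ends on: under the flat-LAN design the firewall only ever sees a source IP, so a protected PC given a static address outside the reserved range falls through to the unrestricted rule, whereas with the protected PCs on their own segment behind a dedicated ISA interface the rule is keyed on that interface's network, and a changed address is either still inside 192.168.1.0/24 (same restriction applies) or dropped as spoofed.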

 

 

