Geekzone: technology news, blogs, forums
Go Hawks!
Topic # 28584 4-Dec-2008 23:46
Has anyone created a bridging firewall using Microsoft ISA Server? Can this be done? I've managed to get this going (both as a transparent firewall and as a non-transparent firewall) under Linux / Open/FreeBSD variants before, but never tried under Microsoft's solution.

The reason for wanting this is to be able to split an existing LAN in two without having to change (too much) of the existing infrastructure.

I'm 90% positive that I'm going to have to create two logical networks and route between the two to accomplish this properly, but would like to know if it's possible to simply use a bridge functionality instead.

Thanks all.


Infrastructure Geek
  Reply # 182176 5-Dec-2008 00:08
What is the end result you are looking for?


For example, do you want computers on two different IP networks to be able to talk to one another (e.g. computer 10.0.0.1 talking to computer 192.168.0.1), or do you just want computers on each network to be able to browse the internet via a single ISA server?




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




Go Hawks!
  Reply # 182179 5-Dec-2008 00:13

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing, firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions on through the ISA server. As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

I want all the machines to be on the same logical segment - i.e. all machines will be within 192.168.0.0/24.

Thanks.

Infrastructure Geek
  Reply # 182648 7-Dec-2008 22:51

wazzageek:

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing, firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions on through the ISA server. As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

I want all the machines to be on the same logical segment - i.e. all machines will be within 192.168.0.0/24.

Thanks.



I would think that an ISA server with 3 NICs (LAN1, LAN2 and WAN) would be the easiest option and I would make the two LANs use different subnets - e.g. 192.168.0/24 and 192.168.1/24. As long as all the machines use ISA as the default gateway there should be no problem communicating between each other - you will need to put in an allow rule between LAN1 and LAN2 though. For the restrictions on the internet you would then just set up a rule with the LAN2 source, allowed destinations and protocols and away you go.
Go Hawks!
  Reply # 182671 8-Dec-2008 08:44
Thanks Regs,

I don't need the third card - I can see where you're coming from. I'm going to have to find some time and sit with the manuals and figure out if it's possible - currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilise the proxy server - of course, this assumes that all the traffic required can be proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.

Infrastructure Geek
  Reply # 183425 10-Dec-2008 23:36
wazzageek: Thanks Regs,

I don't need the third card - I can see where you're coming from. I'm going to have to find some time and sit with the manuals and figure out if it's possible - currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilise the proxy server - of course, this assumes that all the traffic required can be proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.


You don't need to use the "proxy server" part of ISA in order to selectively block traffic - you do if you want to be able to block it by NT username though. All traffic going out via ISA traverses the firewall rules.

Another option would be to create a DHCP range for the set of PCs you want to restrict and give them IP reservations (using their MAC addresses, of course), then create a rule for that range of source IPs.
Go Hawks!
  Reply # 183427 10-Dec-2008 23:49
That's true - but that also relies on the client machine not being tampered with - i.e. DHCP being turned off or a different login being used. The idea is to physically lock down the machines (hence the MAC address filtering).

It all seems too hard (and as this is a nice-to-have and a side project) I think I'm just going to work with multiple subnets.

As ASCII art, this is what I'll end up accomplishing:

(Protected Machines) - [subnet 1 / physical net 1 / logical net 1] - (MS ISA server) - [subnet 2 / physical net 2 / logical net 2] - (Outside world router and only NAT device) - (Interwebnet cloud)
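The two rule sets Regs outlines (allow between the two LANs and then a restricted destination list for the protected side; or, on a single subnet, a rule keyed on a DHCP-reserved address range) and wazzageek's objection that the single-subnet version depends on the client not being re-addressed, modelled as an added example that is not from the thread and is not ISA Server configuration syntax. The subnets follow the thread; the streaming host, the protocol list and the /29 reservation range are constructed.

```python
"""Model of the two firewall designs discussed in this thread, as an added
example (not ISA Server configuration syntax): an ordered, first-match rule
evaluator over CIDR ranges, used to check what each design lets through."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: str                             # source CIDR, e.g. "192.168.1.0/24"
    dst: str                             # destination CIDR
    protocols: frozenset = frozenset()   # e.g. {"tcp/443"}; empty = any

def evaluate(policy, src_ip, dst_ip, protocol):
    """First matching rule decides; an implicit deny closes the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (not r.protocols or protocol in r.protocols)):
            return r.action
    return "deny"

ANY = "0.0.0.0/0"
STREAM = "203.0.113.10/32"   # constructed: the one approved streaming host
STREAM_PROTOS = frozenset({"tcp/443", "udp/1935"})

# Design A (Regs): two subnets on separate ISA NICs, 192.168.1.0/24 protected.
TWO_SUBNET = [
    Rule("allow", "192.168.0.0/24", "192.168.1.0/24"),   # LAN1 -> LAN2
    Rule("allow", "192.168.1.0/24", "192.168.0.0/24"),   # LAN2 -> LAN1
    Rule("allow", "192.168.1.0/24", STREAM, STREAM_PROTOS),
    Rule("allow", "192.168.0.0/24", ANY),                # LAN1 unrestricted
    Rule("deny", ANY, ANY),
]

# Design B (Regs' alternative): one subnet, restricted PCs get DHCP
# reservations inside a constructed 192.168.0.200/29 and a rule keys on it.
RESTRICTED = "192.168.0.200/29"
SINGLE_SUBNET = [
    Rule("allow", RESTRICTED, "192.168.0.0/24"),
    Rule("allow", RESTRICTED, STREAM, STREAM_PROTOS),
    Rule("deny", RESTRICTED, ANY),
    Rule("allow", "192.168.0.0/24", ANY),
]
def readdress_check(policy, reserved_ip, new_ip, dst="198.51.100.7"):
    """Verdicts for one restricted PC before and after it changes its own IP:
    shows why a rule keyed on an address range relies on an untampered client."""
    return (evaluate(policy, reserved_ip, dst, "tcp/80"),
            evaluate(policy, new_ip, dst, "tcp/80"))
```

In the two-subnet design a protected machine that re-addresses itself stays inside the LAN2 range the rules key on, which is the point of making the split physical rather than logical.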
