Go Hawks!
844 posts

Ultimate Geek
+1 received by user: 43

Trusted
Subscriber

Topic # 28584 4-Dec-2008 23:46

Has anyone created a bridging firewall using microsoft ISA server?  Can this be done?  I've managed to get this going (both as a transparent firewall and as a non-transparent firewall) under linux / open/freeBSD variants before, but never tried under Microsoft's solution.

The reason for wanting this is to be able to split an existing LAN in two without having to change (too much) of the existing infrastructure.

I'm 90% positive that I'm going to have to create two logical networks and route between the two to accomplish this properly, but would like to know if it's possible to simply use a bridge functionality instead.

Thanks all.


Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 182176 5-Dec-2008 00:08

what is the end result you are looking for?


for example, do you want computers on two different IP networks to be able to talk to one another (e.g. computer 10.0.0.1 talking to computer 192.168.0.1) or do you just want computers on each network to be able to browse the internet via a single ISA server?




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




Go Hawks!
844 posts

Ultimate Geek
+1 received by user: 43

Trusted
Subscriber

  Reply # 182179 5-Dec-2008 00:13

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN Machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions through the ISA server.  As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

All the machines I want to be on the same logical segment - ie. all machines will be within 192.168.0.0/24.

Thanks.

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 182648 7-Dec-2008 22:51

wazzageek:

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN Machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions through the ISA server.  As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

All the machines I want to be on the same logical segment - ie. all machines will be within 192.168.0.0/24.

Thanks.



I would think that an ISA server with 3 nics (LAN1, LAN2 and WAN) would be the easiest option and I would make the two LANs use different subnets - e.g. 192.168.0/24 and 192.168.1/24.  As long as all the machines use ISA as the default gateway there should be no problem communicating between each other - you will need to put in an allow rule between LAN1 and LAN2 though.  For the restrictions on the internet you would then just set up a rule with the LAN2 source, allowed destinations and protocols and away you go.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




Go Hawks!
844 posts

Ultimate Geek
+1 received by user: 43

Trusted
Subscriber

  Reply # 182671 8-Dec-2008 08:44

Thanks Regs,

I don't need the third card - I can see where you're coming from.  I'm going to have to find some time and sit with the manuals and figure out if it's possible - currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilising the proxy server - of course, this assumes that all the traffic required allows being proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 183425 10-Dec-2008 23:36

wazzageek: Thanks Regs,

I don't need the third card - I can see where you're coming from.  I'm going to have to find some time and sit with the manuals and figure out if it's possible - currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilising the proxy server - of course, this assumes that all the traffic required allows being proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.


you don't need to use the "proxy server" part of ISA in order to selectively block traffic - you do if you want to be able to block it by NT Username though.  All traffic going out via ISA traverses the firewall rules.

Another option would be to create a DHCP range for the set of PCs you want to restrict and give them IP reservations (using their MAC addresses, of course) then create a rule for that range of source IPs.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




Go Hawks!
844 posts

Ultimate Geek
+1 received by user: 43

Trusted
Subscriber

  Reply # 183427 10-Dec-2008 23:49

That's true - but that also relies on the client machine not being tampered with - i.e. the DHCP being turned off or a different login being used.  The idea is to physically lock down the machines (hence the MAC address filtering).

It all seems too hard (and as this is a nice to have and a side project) I think I'm just going to work with multiple subnets.

As ASCII art, this is what I'll end up accomplishing:

(Protected Machines) - [subnet 1 / physical net 1 / logical net 1] - (MS ISA server) - [subnet 2 / physical net 2 / logical net 2] - (Outside world router and only NAT device) - (Interwebnet cloud)
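As an added example (not code from the thread or from ISA Server itself), a small Python model of the two-subnet design Regs describes: an allow rule between LAN1 and LAN2, a destination/protocol restriction for the protected side, and a default deny. It also shows why binding each network to its own adapter addresses the tampering wazzageek raises: a protected machine that changes its own IP into the unrestricted range still arrives on the LAN2 adapter and is dropped as spoofed. The network names, the allow-list addresses and ports, and the spoof check are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the three-NIC layout: each internal "network" is tied
# to the adapter it sits behind (assumption for this example).
NETWORKS = {
    "lan1": ip_network("192.168.0.0/24"),   # unrestricted LAN
    "lan2": ip_network("192.168.1.0/24"),   # the ~12 protected machines
}

# Constructed allow-list for the protected side: destination prefix -> (proto, port)
ALLOWED_EXTERNAL = {
    ip_network("203.0.113.0/24"): {("tcp", 80), ("tcp", 443), ("udp", 1935)},
}

def classify(ingress, src):
    """Map a packet to the network it belongs to; reject sources that do not
    match the adapter they arrived on (the tampered-client case)."""
    if ingress == "wan":
        return "external"
    net = NETWORKS.get(ingress)
    if net is None or ip_address(src) not in net:
        return "spoofed"
    return ingress

def external_allowed(dst, proto, port):
    """True when the destination/service pair is on the protected side's allow-list."""
    d = ip_address(dst)
    return any(d in n and (proto, port) in svcs for n, svcs in ALLOWED_EXTERNAL.items())

def decide(ingress, src, dst, proto, port):
    """Ordered rule evaluation; anything unmatched falls through to the default deny."""
    src_net = classify(ingress, src)
    dst_net = next((n for n, r in NETWORKS.items() if ip_address(dst) in r), "external")
    if src_net == "spoofed":
        return "deny (spoofed source)"
    if {src_net, dst_net} == {"lan1", "lan2"}:
        return "allow (LAN1<->LAN2)"          # the inter-LAN allow rule
    if src_net == "lan1" and dst_net == "external":
        return "allow (LAN1 -> internet)"
    if src_net == "lan2" and dst_net == "external" and external_allowed(dst, proto, port):
        return "allow (LAN2 -> permitted destination)"
    return "deny (default)"
```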