mikey250 asked:
ISA 2006 - HTTP DiffServ - query

Hi, I'm trying to understand 'specify DiffServ preferences' in ISA 2006.

I can see the tabs:

- General - enables traffic prioritization via web traffic & routers that support QoS, for example.

- Priorities - what is the list of values, so I know what to add?

- URLs - what kinds of URLs am I adding?

- Domains - I assumed I will add the local domain and any other domain I'm attached/linked to?

- Networks - the networks listed below, which I assume are there because of my initial configurations already in place, due to allowing my internal users internet access, and that I have also configured a VPN remote client at home?

  - External
  - Internal
  - Quarantined VPN Clients
  - VPN Clients
SOLUTION by infoplateform
This solution is only available to members.
ASKER CERTIFIED SOLUTION by Keith Alabaster
This solution is only available to members.
mikey250 (ASKER):
Hi infoplateform, in ISA 2006 the 'General' tab has a tickbox available supporting the following:

- enables traffic prioritization via web traffic & routers that support QoS, for example.

URLs: OK, so if I wish to block facebook, yahoo, amazon, google... I'm aware that the 'www' is a big place, so what about the other websites that I don't know?

- I'm also aware that some companies do say don't use the work PC for internet use at all.

- I'm also aware that some companies also provide a few or a single PC specifically in another office, just for personal internet use, i.e. a standalone PC not part of the network, so if a problem occurs it's just a host PC that can be resolved at a later date.

- I'm also aware that that may not be ideal, so is there some standardized 'URL' that would be added as a result of what you say, to 'allow/deny'?

Domains: of course your local domain like abc.com - OK.

Networks: as the networks in place here on ISA 2006 were there already when I looked, I assume whatever I configure on ISA 2006 is put here by default, so it is something I would not touch unless it was not added for whatever reason?

Hi Keith,

"Diffserv is only relevant if you have Diffserv setup on all of your internal routers. If you do not, the Diffserv option within ISA is meaningless. It is similar to the dual ISP options in TMG - if you do not have dual ISP's, you don't use the options."

- OK!

Yes, I saw on the 'General' tab where it also stated: enables traffic prioritization via web traffic & routers that support QoS, for example.

I have 2 routers, so if I connected them to act as pretend ISPs via my single Netgear router box (as this is all I have for testing), although it's not ideal because I only have a single public address and not 2, I cannot really simulate anything properly, which I realise. Also I would activate QoS as you state, assuming my routers have this feature within their IOS.

I've only ever known of 2 ISPs being used for fault tolerance, i.e. one goes down, one comes up, just like HSRP for example. As I'm completely new to ISA 2006 I'm trying to gain some insight as I go along!!! Unless the company business requires use of both ISPs!!

Question 1. Would my above comments be a good assumption?
SOLUTION
This solution is only available to members.

Apologies, I mixed both your sentences together without realising you were distinguishing between ISA not using 2 ISPs, because it cannot, and the upgrade version TMG, which can. I have not touched TMG yet but wanted to evolve onto this another time, ages away yet!!

I understand what you mean!!

Thanks!!

No problem. I have been the MS TechNet Moderator for ISA and now TMG for many years and fairly much the resident expert on ISA & TMG for many years, but I still learn things now and then about them.

ISA is no longer a supported product but there are still lots of them out in the field.

Thanks!!! That's why I chose ISA 2006!

I suppose my real question is: as I've only wanted to provide internet access just for my internal domain users, which I have, and have configured a VPN via a laptop, I just wanted to know if that is all I want to use ISA 2006 for at this moment in time. Is what I have done OK, i.e. on the firewall?

All the other questions I have are for progressing onto the other stuff around ISA 2006.
SOLUTION
This solution is only available to members.

Hi Keith, I've just read through your URL and it appears I've done exactly that, although I have just a couple of queries:

Your comments:
"All ISA settings can be left at basic - and the DEFAULT network relationship between internal and external in the gui - networks - is NAT, not ROUTE."

- I've just checked my 'network rules' and prior to my configurations there was only one default rule that I saw, or at least assumed was there by default. Now I have 2 more rules added, totalling 3. I've also checked: out of those 3, 2 of them are configured as 'route' and the 3rd one is configured as 'nat', which states 'internet access'. So I assume that is correct, as I only have the one 'configuration NIC' issue, mentioned below, that MSBPA detected!!

Your comments:
"In summary, on the ISA Server machine only the external Nic has a default gateway set" - OK, understood.

"and only internal DNS Server ip addresses are used on both ISA Server Nics." - I'm reading this part but not sure what you mean?

"Use DNS Forwarders to forward name resolution requests to external resolvers" - yes, I understand. I'm currently using my residential Netgear router box as my internet connection for test purposes, so other than just receiving internet access, I have not got a package that allows my internal DNS to communicate with their DNS, other than using my ISA external NIC to provide the actual internet connection. So I have ignored the 'forwarders'.

You mention in your example: route -p add 192.168.3.0 mask 255.255.255.0 192.168.5.254, which I did not get at first, but I do now.

Originally I had a router attached to my ISA internal NIC1, and although my ISA was joined to the domain successfully and internal domain users had internet access.

I had added on my ISA: route -p add 10.0.0.0 mask 255.255.255.0 192.168.100.1 - my 10.x.x.x/24 network is my internal range and 192.168.100.1 was the connection of my router's external int fa1/0. My router's internal was 10.0.0.1/24.

- I then ran MSBPA and it showed a 'configuration issue' with 192.168.100.0 - x.x.x.x as above.

- I never did find out why, so I removed my router instead!!! Would you know why!!!!!!!!!!!?

- Even though I have removed the router and 192.168.100.x/24 altogether, my ISA MSBPA still detects this address.........!!!!!!?

You REALLY need to get a manual or go on a course.... :)

None of the ISA NICs can have the ISP or any external DNS IP addresses assigned to them. You place the INTERNAL DNS server IP address on the ISA internal NIC. You leave the external ISA NIC DNS entry BLANK, or you can place the internal DNS IP address in the ISA external NIC as well. Your choice - but best practice is to leave the ISA external NIC DNS entry blank.

Your forwarders will point to the IP address of the residential router, I guess.

Correct - by default build, ISA has only one rule - the default deny all.

My example was exactly that - an example - you replace the 192.168.x.y address in the example with your own internal IP address range, i.e. 10.0.0.0 etc.

Paste the output of an ipconfig /all and the output from a route print taken from the ISA server. Let's have a look at it.
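The post above lays down two checkable rules for a two-NIC ISA box (only the external NIC has a default gateway; every DNS entry on either NIC is an internal DNS server, with a blank external-NIC DNS entry as best practice) and then asks for `ipconfig /all` output. The script below is an added example, not code from the thread or from Microsoft: it parses a constructed `ipconfig /all` capture in the Windows Server 2003 layout and audits it against those rules. The adapter names `Internal`/`External`, the 10.0.0.0/24 internal range, and the addresses in the samples (including the 203.0.113.53 placeholder standing in for an ISP resolver) are assumptions made for the example.

```python
"""Audit an ISA Server's `ipconfig /all` against the thread's NIC rules.

Added example (not from the page or from Microsoft). Assumes the Windows
Server 2003 `ipconfig /all` layout and adapters named Internal/External.
"""
import ipaddress
import re

# Constructed sample: a box configured the way the thread recommends
# (gateway only on External, internal DNS on Internal, External DNS blank).
GOOD_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa01
   Primary Dns Suffix  . . . . . . . : abc.com

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 10.0.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . :
"""

# Constructed sample with the two mistakes the thread warns about: a gateway
# on the internal NIC and an ISP resolver (placeholder 203.0.113.53) on External.
BAD_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa01

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 10.0.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.10

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP) adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*:\s?(.*)$")
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")  # extra value lines (2nd DNS server etc.)


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}; blank fields give an empty list."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:  # still in the global header block
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            value = m.group(2).strip()
            current[last_key] = [value] if value else []
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            current[last_key].append(m.group(1).strip())
    return adapters


def audit_isa_nics(adapters, internal_nets, external_name="External"):
    """Return (errors, advice). Errors break the thread's rules; advice flags the
    allowed-but-not-recommended case of internal DNS on the external NIC."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    errors, advice = [], []
    if external_name not in adapters:
        errors.append(f"no adapter named {external_name!r} in ipconfig output")
    for name, fields in adapters.items():
        gateways = fields.get("Default Gateway", [])
        if name == external_name and not gateways:
            errors.append(f"{name}: external NIC has no default gateway")
        elif name != external_name and gateways:
            errors.append(f"{name}: internal NIC carries a default gateway ({', '.join(gateways)})")
        for dns in fields.get("DNS Servers", []):
            addr = ipaddress.ip_address(dns)
            if not any(addr in net for net in nets):
                errors.append(f"{name}: DNS server {dns} is not an internal DNS server")
            elif name == external_name:
                advice.append(f"{name}: internal DNS on the external NIC works, but blank is best practice")
    return errors, advice


if __name__ == "__main__":
    for label, capture in (("good", GOOD_IPCONFIG), ("bad", BAD_IPCONFIG)):
        errors, advice = audit_isa_nics(parse_ipconfig(capture), ["10.0.0.0/24"])
        print(label, "errors:", errors, "advice:", advice)
```

Feed it a real capture with `python audit.py < ipconfig.txt` after swapping the constructed sample for `sys.stdin.read()`; the internal-range list should hold every subnet your ISA internal network definition covers, otherwise a legitimate second internal DNS server will be reported as external.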

You misinterpret me regarding the ISA NICs. It was just a suggestion I put out there, although I have not done this because I'm aware my DNS does not know and will not know my ISP DNS!! :)

Yes, my ISA 2006 internal NIC has always had the primary DNS set pointing towards my only master DC/AD/DNS/DHCP/GPO server!!

Yes, my ISA 2006 external NIC DNS entry has always been blank!!

The reason for my suggestion was that, as I have never done VPNs via ISA 2006 ever, I was also wondering, since my actual internet connection is residential hardware rather than a (proper) business type, whether my DNS did need to be able to communicate with my ISP DNS; otherwise, at the time I was thinking, my work would be a waste.

But due to other experienced experts telling me it should still work and that I do not need to be communicating with my ISP DNS, I accepted this. But like I said, it was just an idea I threw out there, as you clearly know your stuff!!

As I'm short of funds I cannot buy a book, but this is definitely something I will buy. Any suggestions on the best step-by-step book I can get so I can absorb the knowledge, instead of an encyclopedia? :)