[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


ISA Server 2000 Routing certain http requests to a different gateway.

Posted on 2004-10-29
Medium Priority
Last Modified: 2013-11-16
My company uses Oracle applications that is hosted outside the organization. Oracle requires a VPN connection to access the apps. The apps are browser based.  The VPN connection exisits at our corporate office, we connect to them via a WAN on a Point to Point T-1. We also have our own inhouse T-1 for internet access so we do not use up bandwith on the WAN. We use ISA server as our Internet gateway.
Here is my problem,
In order for http requests to the Oracle application to work, we could not use the ISA client software, we had to switch to secure NAT.
Then we had to assign a route to the client computers via a logon script directing all Oracle requests through the P2P router. Everything else goes through the default gateway (ISA). This has worked fine but now I have an issue with Internet abuse. I need to enable content rules on the ISA server by "Users" or "Security Groups". My users are in a mixed environment of thin clients connecting to a Terminal Server and desktop computers. I do not want to restrict activity via the IP address of the client computer. This will cause problems with my Terminal clients. I have managers who use the terminal and need full internet access, but I have others who just need access to our Oracle applications. My delima is, I know I have to use the ISA client to gain this type of control. But I can not use Proxy because it will not route the oracle requests to the proper router on the lan. Is there a way to use the ISA client and tell ISA that all http requests to Oracle applicaitons get routed to the P2P router? I tried telling IE not to use the proxy for local intranet address and I put the addresses in the selection box but it still does not work.
Question by:bryandillon
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Accepted Solution

TannerMan earned 2000 total points
ID: 12461999
Try this, if I udnerstand correctly.
In your ISA you need the IP addresses added into the LAT table that constitute your P2P routed network.
For example....if your oracle traffic is to NEVER leave  ISA, but rather be directed to the P2P network of 192.168.1.x/24, then you need to add a lat entry  in ISA console for TO
This will tell ISA to NOT send any traffic for that IP range out of it's internet connection.

Next...does ISA know how to find the P2P network? From ISA, can you ping or tracert to the P2P network? If so, good. If not, then you need to add a static route to ISA's route table stating anytihgn going to 192.168.1.x needs to be routed TO x.x.x.x (IP of the network side of your P2P network.

Now set your proxy settings on your client to hit ISA. Traffic for the internet will be routed to internet. Traffic for P2P IP addresses will be sent there. Your thinking that this didn't work before when I tried it? Well, it didn't because ISA had no way of knowing that the IP addresses of the p2p network were INTERNAL and routed everything to the web that is NOT in it's LAT table. Give it a shot.

I am somewhat confused why your needing clients set to Secure NAt (DG of ISA IP) to get an internal vpn connection to be negotiated to the P2P network. No need to explain, I am just thinking outloud.

Try the above and let us know.

Author Comment

ID: 12462404
This thought did come to me over the weekend and I added the address to to LAT and it still did not work. But once I added the static route to the ISA (per your suggestion) with the combination of the LAT it worked great!  Now I get to have fun trying to setup content rules. Thanks!

Expert Comment

ID: 12462432
And thanks for the points

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question