Simple or not? Gateways/VPN/ISA

Hi there,

I would like to try and help you visualise what I am about to suggest, so here is my network:

Site 1: - Server 1 PDC - (has ISA server running) - VPN Router

Site 2: - Server 2 - Global Catalog Server. - VPN Router

This is all set up and running fine. Users at Site 1, connect to the web using ISA server as their web proxy and use their gateway being the router.
ipconfig of a workstation on network.

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

So, here we are. All VPN traffic goes through the router and all web goes through ISA and then the router. This is the same for Site 2.

SDSL is being installed to speed up VPN traffic, strictly. SDSL Routers are going to be (Site1/Site2)
At this point, I am not sure how to configure this.

I would like all web traffic to go out via ISA proxy, so it can all be monitored etc.

To me, it looks impossible. Mainly because all users at Site 2, need to go via the VPN to get web access. Is there a way to configure that to only allow 'authentication' to go via the VPN and all actual 'data transfer' to go via their local router?

Hmm, I think I need to be more clear!

2 Sites, 1 ISA Server.
1 SDSL connection strictly for VPN data.
1 ADSL connection strictly for web access.

All help is GREATLY appreciated!
LVL 15
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
Sorry, I am missing your scenario/requirement here.
The requirement is the following. (I think)

Site A has a ISA server (proxy) and he wants all the users on Site B to authenticate traffic through the ISA server.
And the Data stream that follows after the authentication phase should go through the gateway on site B and thus not via the VPN tunnel.

To my knowledge this is not possible, I hope others think otherwise for you!
Keith AlabasterEnterprise ArchitectCommented:
If that is the requirement then no, this cannot be done nor would you want to (in my view) as the performance would be awful.


1. Get another ISA server at site B. Put additional NIC's in each ISA server and create your SDSL vpn's as a site-to-site between them. Use the external interface of each ISA as the route to the local adsl gateways and the Internet. Additionally you can use the external interfaces for client-to-site vpn's for external users. This also gives you resilience options for adding in additional MX records for mail delivery and the like plus a failover route for outbound traffic.

2. Dump the adsl line at site B and set the proxy options to use site A's ISA server.

3. Any one else's thoughts

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.