ISA 2006 Multiple Internet access points

Posted on 2007-12-04
Last Modified: 2010-04-21
Hi Guys

Have a customer that would like to direct access to the internet via different ADSL connections based on AD security groups.

Server
ISA2006, W2k3 SP2.

Currently I can control access to the internet via security groups.

What I believe I will need to do is install a third NIC in the ISA 2006 server, configure it as a secondary External interface and then control access via security groups.

I would like some advice on this, or to know if anyone has already configured their system in this way. I would also like to know if there is any way to use the third NIC as a rollover for the primary External NIC, thus giving me a backup internet connection.

Thanks for your help


Question by:BrendanKing
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20409478
Not tried this as it is not a recommended method.  ALL users will need to have their default gateways pointed at the IP address of the internal NIC regardless of security group membership. ISA will then route traffic to the appropriate NIC based on the routing table set up on the host Windows operating system - remember ISA is not a router itself, its job is to allow/block traffic that passes through its interfaces based on the routes that Windows holds.

No, you would not be able to failover a card/line that way.




0
 
LVL 19

Accepted Solution

by:
SteveH_UK earned 375 total points
ID: 20409485
ISA 2006 does not directly support multiple default routes.  You will need to look into a third party add on to make this work.

I'm not aware of one that does what you request.  There are some that will load balance multiple default routes, but not on the basis of users and groups.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 375 total points
ID: 20409538
Just to be clear here, ISA does not know about ANY routes  - ie you do not tell ISA any routes. The routes are put into the Windows operating system via the NIC tcpip settings or Route -p ADD statements. If you removed ISA from the server, the routing would still be there on the host OS.

The only aspect ISA is interested in regarding addressing are the LAT entries that tell it which IP addresses it can expect on which NIC so that it can protect against spoofing attacks.

Windows does not support multiple default gateways therefore ISA would not be able to either. Sorry.

Keith
0
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20409547
Thanks for the clarification, Keith :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20414926
Welcome :)
0
 
LVL 1

Author Closing Comment

by:BrendanKing
ID: 31412781
Hi Guys

Yes I did some more research and found that ISA does not support multiple Internet access points. I will have to find a hardware solution. Possibly a router that supports LDAP or RADIUS lookups.

Thanks for the responses.
0
 
LVL 1

Author Comment

by:BrendanKing
ID: 20415156
Hi Guys

Yes I did some more research and found that ISA does not support multiple Internet access points. I will have to find a hardware solution. Possibly a router that supports LDAP or RADIUS lookups.

Thanks for the responses.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20415331
Welcome and thanks.  However, no offence, ISA does support multiple Internet connections.

I have two different adsl connections on my home network through my ISA2006 server. I use routing to split my traffic out. For example, I run a lot of games that use the Internet to connect so I have put static routes into the windows OS with route -p add statements that send the traffic out of adsl2 but all my normal traffic goes out of adsl1.  ALL traffic arrives at ISA through the internal nic but then the routing table decides which nic the traffic will leave out of, it cannot be decided by user or by AD/Security group.

I have access rules that allow internal to external and internal to perimeter (the dmz interface that connects to my 2nd adsl).

As mentioned, it will not fail over either.....

Keith
0
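The point made across the answers above, as an added example that is not part of the original thread or any poster's configuration: group membership can only decide allow or deny, while the egress NIC comes from a destination-based route lookup. This is a simplified Python model (longest prefix, then lowest metric); the addresses, interface labels, group name and function names are all hypothetical.

```python
import ipaddress

# Constructed routing table modelled on the setup described in the thread:
# a single default route out of adsl1 plus persistent static routes (the kind
# added with "route -p ADD <dest> MASK <mask> <gateway>") out of adsl2.
# Every address and label below is made up for illustration.
ROUTES = [
    # (destination network, gateway, egress interface, metric)
    ("0.0.0.0/0",        "192.168.1.1", "adsl1", 10),
    ("203.0.113.0/24",   "192.168.2.1", "adsl2", 1),
    ("198.51.100.32/27", "192.168.2.1", "adsl2", 1),
]

# Hypothetical access rule: only this group may go from Internal to outside.
ALLOWED_GROUPS = {"Internet-Users"}


def select_route(dst_ip, routes=ROUTES):
    """Longest matching prefix wins, then lowest metric.
    The destination address is the only input to the lookup."""
    dst = ipaddress.ip_address(dst_ip)
    matches = []
    for net, gateway, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if dst in network:
            matches.append((network.prefixlen, -metric, gateway, iface))
    if not matches:
        return None
    _, _, gateway, iface = max(matches)
    return {"gateway": gateway, "interface": iface}


def decide(user_groups, dst_ip):
    """Firewall step: group membership yields allow or deny.
    Routing step: the egress NIC comes from the route table alone."""
    if not ALLOWED_GROUPS & set(user_groups):
        return ("deny", None)
    route = select_route(dst_ip)
    return ("allow", route["interface"]) if route else ("deny", None)


if __name__ == "__main__":
    for groups, dst in [(["Internet-Users"], "203.0.113.50"),
                        (["Internet-Users", "Managers"], "203.0.113.50"),
                        (["Managers"], "192.0.2.10"),
                        (["Internet-Users"], "192.0.2.10")]:
        print(groups, dst, decide(groups, dst))
```

Two users in different groups reaching the same destination always leave through the same interface, and the lookup has no link-state input, which matches the statement that the second line does not act as a failover.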
