• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 496
  • Last Modified:

ISA 2006 Multiple Internet access points

Hi Guys

Have a customer that would like to direct access to the internet via different ADSL connections based on AD security groups.

Server
ISA2006, W2k3 SP2.

Currently I can control access to the internet via security groups.

What I believe I will need to do is install a Third Nic card in the ISA 2006 server configure it as a secondard External interface and then control access Via security groups.

I would like some advice on this or know if anyone has already configure thier system in this way. I would also like to know if they is anyway to the third nic as a rollover for the primary External Nic. Thus giving me a backup internet connection.

Thanks for your help


0
BrendanKing
Asked:
BrendanKing
  • 4
  • 2
  • 2
2 Solutions
 
Keith AlabasterEnterprise ArchitectCommented:
Not tried this as it is not a recommended method.  ALL users will need toi have their default gateways pointed at the ip address of the internal nic regardless of security group membership. ISA will then route traffic to the appropriate nic based on the routing table setup on the host windows operating system - Remember ISA is not a router itself, its job is to allow/block traffic that passes through its interfaces based on the routes that Windows holds.

No, you would not be able to failover a card/line that way.




0
 
SteveH_UKCommented:
ISA 2006 does not directly support multiple default routes.  You will need to look into a third party add on to make this work.

I'm not aware of one that does what you request.  There are some that will load balance multiple default routes, but not on the basis of users and groups.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Just to be clear here, ISA does not know about ANY routes  - ie you do not tell ISA any routes. The routes are put into the Windows operating system via the NIC tcpip settings or Route -p ADD statements. If you removed ISA from the server, the routing would still be there on the host OS.

The only aspect ISA is interested in regarding addressing are the LAT entries that tell it which IP addresses it can expect on which NIC so that it can protect against spoofing attacks.

Windows does not support multiple default gateways therefore ISA would not be able to either. Sorry.

Keith
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
SteveH_UKCommented:
Thanks for the clarification, Keith :)
0
 
Keith AlabasterEnterprise ArchitectCommented:
Welcome :)
0
 
BrendanKingAuthor Commented:
Hi Guys

Yes I did some more research and found that ISA does not support multiply Internet access points. I will have to find a hardware solution. Possible a router that support Ldap or Radius lookups.

Thanks for the responces.
0
 
BrendanKingAuthor Commented:
Hi Guys

Yes I did some more research and found that ISA does not support multiply Internet access points. I will have to find a hardware solution. Possible a router that support Ldap or Radius lookups.

Thanks for the responces.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Welcome and thanks.  However, no offence, ISA does support multiple Internet connections.

I have two different adsl connections on my home network through my ISA2006 server. I use routing to split my traffic out. For example, I run a lot of games that use the Internet to connect so I have put static routes into the windows OS with route -p add statements that send the traffic out of adsl2 but all my normal traffic goes out of adsl1.  ALL traffic arrives at ISA through the internal nic but then the routing table decides which nic the traffic will leave out of, it cannot be decided by user or by AD/Security group.

I have access rules that allow internal to external and internal to perimeter (the dmz interface that connects to my 2nd adsl).

As mentioned, it will not fail over either.....

Keith
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now