Solved

ISA 2006 Multiple Internet access points

Posted on 2007-12-04
8
481 Views
Last Modified: 2010-04-21
Hi Guys

Have a customer that would like to direct access to the internet via different ADSL connections based on AD security groups.

Server
ISA2006, W2k3 SP2.

Currently I can control access to the internet via security groups.

What I believe I will need to do is install a Third Nic card in the ISA 2006 server configure it as a secondard External interface and then control access Via security groups.

I would like some advice on this or know if anyone has already configure thier system in this way. I would also like to know if they is anyway to the third nic as a rollover for the primary External Nic. Thus giving me a backup internet connection.

Thanks for your help


0
Comment
Question by:BrendanKing
  • 4
  • 2
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20409478
Not tried this as it is not a recommended method.  ALL users will need toi have their default gateways pointed at the ip address of the internal nic regardless of security group membership. ISA will then route traffic to the appropriate nic based on the routing table setup on the host windows operating system - Remember ISA is not a router itself, its job is to allow/block traffic that passes through its interfaces based on the routes that Windows holds.

No, you would not be able to failover a card/line that way.




0
 
LVL 19

Accepted Solution

by:
SteveH_UK earned 125 total points
ID: 20409485
ISA 2006 does not directly support multiple default routes.  You will need to look into a third party add on to make this work.

I'm not aware of one that does what you request.  There are some that will load balance multiple default routes, but not on the basis of users and groups.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 125 total points
ID: 20409538
Just to be clear here, ISA does not know about ANY routes  - ie you do not tell ISA any routes. The routes are put into the Windows operating system via the NIC tcpip settings or Route -p ADD statements. If you removed ISA from the server, the routing would still be there on the host OS.

The only aspect ISA is interested in regarding addressing are the LAT entries that tell it which IP addresses it can expect on which NIC so that it can protect against spoofing attacks.

Windows does not support multiple default gateways therefore ISA would not be able to either. Sorry.

Keith
0
 
LVL 19

Expert Comment

by:SteveH_UK
ID: 20409547
Thanks for the clarification, Keith :)
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20414926
Welcome :)
0
 
LVL 1

Author Closing Comment

by:BrendanKing
ID: 31412781
Hi Guys

Yes I did some more research and found that ISA does not support multiply Internet access points. I will have to find a hardware solution. Possible a router that support Ldap or Radius lookups.

Thanks for the responces.
0
 
LVL 1

Author Comment

by:BrendanKing
ID: 20415156
Hi Guys

Yes I did some more research and found that ISA does not support multiply Internet access points. I will have to find a hardware solution. Possible a router that support Ldap or Radius lookups.

Thanks for the responces.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20415331
Welcome and thanks.  However, no offence, ISA does support multiple Internet connections.

I have two different adsl connections on my home network through my ISA2006 server. I use routing to split my traffic out. For example, I run a lot of games that use the Internet to connect so I have put static routes into the windows OS with route -p add statements that send the traffic out of adsl2 but all my normal traffic goes out of adsl1.  ALL traffic arrives at ISA through the internal nic but then the routing table decides which nic the traffic will leave out of, it cannot be decided by user or by AD/Security group.

I have access rules that allow internal to external and internal to perimeter (the dmz interface that connects to my 2nd adsl).

As mentioned, it will not fail over either.....

Keith
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
EMAIL BANNER 8 26
assessing firewall rules 3 72
palo alto VM series in AWS 3 77
SRX240 SYSLOG Setting 6 52
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
This video discusses moving either the default database or any database to a new volume.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now