SpencerSteel

Routing to subnet via switch with ISA Firewall Client

ISA Server 2004 sp2

This could be tricky to explain, so please look at the basic diagram of my network in the attachment.

With Firewall Client 'ON', a client on 10.10.1.100 cannot connect to the SQL Server by creating an ODBC connection ... but turn 'OFF' the FWC and it can. Same for the RDP protocol. However, PINGING works across the switch regardless.

So, to my not-very-knowledgeable brain it looks like any non-standard protocols are being routed out to the ISA Server regardless of the local routing table.

Go easy on me ... I'm a bit of a 'jack of all trades', but wondered if there was a way to tell FWC routes - I want any traffic bound for 192. to go via the switch ... or perhaps I should be adding the other network to the ISA Server somehow.

Please advise best practice (with what I have here!)

Thanks,

S.S.

[Attachment: networkbasic.jpg]
Keith Alabaster

That's what the firewall client is for :) - it sends directed traffic to the ISA - normally for when ISA is not the default gateway.
SpencerSteel (ASKER)

hey Keith,

Ah ... OK ... that's a problem then.

I had to put the FWC on, as there is Surfcontrol on the ISA and FWC helps pass out the credentials and capture the users (long story!)

So ... as far as you can see, I'm not going to be able to do this then ... FWC will direct all traffic to the ISA ... is there a way of putting a routing table on ISA Server for anything bound for 192.9.200.x

How about making it a 'network' ?

Any thoughts on this Keith ?

S.S.
Sure - ISA is not a router in its own right - it uses the routing tables provided by the host operating system, so any routes added through the route -p add syntax will be used by the ISA rules.
Cool - so in theory, I'd be able to -p add the route to the ISA Server and then add a rule to allow SQL traffic to ... er, where ?

Sorry for being thick - I need a bit of hand walking through these type of things.
ASKER CERTIFIED SOLUTION
Keith Alabaster

(Solution text is only available to Experts Exchange members.)
Keith,

You've been great - but the problem was actually solved by adding the 192.9.200.x address to the 'internal' object in ISA (it wasn't before)

I also added the route -p but I'm not sure that made a big difference ... then (apparently) ISA sends out the routing tables to the FWClients ... I found this on an MS site that explained it ... I've highlighted the best bit!

Points to you for being there and helping me along !

I've learned something today !

S.S.

---------------------
http://technet.microsoft.com/en-us/library/cc302546.aspx

In ISA Server, a network is a rule element, which can contain one or more ranges of Internet Protocol (IP) addresses and domains. Each network that is defined for an ISA Server computer must include an IP address bound to a network adapter on the ISA Server computer and should reflect the physical network topology as viewed from the ISA Server computer. If a network is configured to support Firewall clients, ISA Server will accept incoming requests from Firewall clients in that network on Transmission Control Protocol (TCP) port 1745.

**************************
In addition, ISA Server will supply the set of IP address ranges included in the network to all Firewall clients residing in the network. These IP address ranges are stored in memory by the Firewall Client Agent service (FwcAgent) on the Firewall clients as a table of IP address ranges called the local address table (LAT).
****************************

Each Firewall client recognizes all IP addresses included in the LAT and the IP addresses specified in its own routing table as being local.
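The local-vs-remote decision the quoted TechNet text describes, modelled in Python as an added example (not code from the page, from Microsoft or from ISA Server): the LAT is ISA's Internal ranges plus the client's own routes, and only Winsock TCP/UDP traffic is subject to it, which is why ping kept working. The /24 masks are assumptions, since the thread only names 10.10.1.x and 192.9.200.x.

```python
from ipaddress import ip_address, ip_network

# Constructed ranges: the thread never states the masks, so /24 is assumed.
ISA_INTERNAL_BEFORE = ["10.10.1.0/24"]                    # 192.9.200.x missing from 'Internal'
ISA_INTERNAL_AFTER = ["10.10.1.0/24", "192.9.200.0/24"]   # after the fix the asker reports

# The Firewall Client is a Winsock layer: it sees TCP/UDP sockets (ODBC, RDP)
# but not ICMP, which the IP stack routes with the client's own routing table.
WINSOCK_PROTOCOLS = {"tcp", "udp"}


def build_lat(internal_ranges, client_routes=()):
    """Model the table FwcAgent keeps in memory: ISA's Internal network ranges
    plus any subnets present in the client's own routing table."""
    return [ip_network(r) for r in list(internal_ranges) + list(client_routes)]


def is_local(lat, dst):
    """A destination is 'local' when any LAT range contains it."""
    return any(ip_address(dst) in net for net in lat)


def classify(lat, dst, proto):
    """Return 'direct' (client sends via its own gateway/switch) or
    'via-isa' (Firewall Client redirects the socket to the ISA Server)."""
    if proto.lower() not in WINSOCK_PROTOCOLS:
        return "direct"  # ICMP and other non-Winsock traffic bypass the FWC
    return "direct" if is_local(lat, dst) else "via-isa"


if __name__ == "__main__":
    sql_server = "192.9.200.10"  # constructed address on the far subnet
    for label, ranges in (("before", ISA_INTERNAL_BEFORE), ("after", ISA_INTERNAL_AFTER)):
        lat = build_lat(ranges)
        print(label, "tcp ->", classify(lat, sql_server, "tcp"),
              "| icmp ->", classify(lat, sql_server, "icmp"))
```

Adding 192.9.200.0/24 to the client's own routing table instead (the second argument of build_lat) has the same effect for that client only, whereas adding it to ISA's Internal network pushes the range to every Firewall Client.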
Not Keith's fault that he didn't provide all the answer, as I didn't provide all the clues, and kinda solved the last bit myself ... but thanks for being there and pointing me in the right directions :)
Learn something new every day :) thanks for the update - and the points