Solved

Routing to subnet via switch with ISA Firewall Client

Posted on 2009-02-09
Last Modified: 2013-11-16
ISA Server 2004 sp2

This could be tricky to explain, so please look at the basic diagram of my network in the attachment.

With Firewall Client 'ON', a client on 10.10.1.100 cannot connect to the SQL Server by creating an ODBC ... but turn 'OFF' the FWC and it can. Same for RDP protocol. However, PINGING works across the switch regardless.

So, to my not-very-knowledgeable brain it looks like any non-standard protocols are being routed out to the ISA Server regardless of the local routing table.

Go easy on me ... I'm a bit of a 'jack of all trades' but wondered if there was a way to tell FWC routes - I want any traffic bound for 192. to go via the switch ... or perhaps I should be adding the other network to the ISA Server somehow.

Please advise best practice (with what I have here!)

Thanks,

S.S.

networkbasic.jpg
Question by:SpencerSteel
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23592779
That's what the firewall client is for :) - it sends directed traffic to the ISA - normally for when ISA is not the default gateway.
 

Author Comment

by:SpencerSteel
ID: 23598729
hey Keith,

Ah ... OK ... that's a problem then.

I had to put the FWC on, as there is Surfcontrol on the ISA and FWC helps pass out the credentials and capture the users (long story!)

So ... as far as you can see, I'm not going to be able to do this then ... FWC will direct all traffic to the ISA ... is there a way of putting a routing table on ISA Server for anything bound for 192.9.200.x

How about making it a 'network' ?

Any thoughts on this Keith ?

S.S.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23599853
Sure - ISA is not a router in its own right - it uses the routing tables provided by the host operating system, so any routes added through the route -p add syntax will be used by the ISA rules.

Author Comment

by:SpencerSteel
ID: 23601091
Cool - so in theory, I'd be able to -p add the route to the ISA Server and then add a rule to allow SQL traffic to ... er, where ?

Sorry for being thick - I need a bit of hand walking through these type of things.
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 23602617
lol - OK.

If the SQL traffic is local (on the same internal subnet) then you can create an access rule allowing it FROM internal TO internal.
If the SQL traffic needs to go to a different subnet that is behind the ISA firewall then you would use the route -p add network_id mask mask_id ip_of_gateway_to_other_subnet PLUS the access rule allowing sql from internal to internal.
 

Author Comment

by:SpencerSteel
ID: 23602800
Keith,

You've been great - but the problem was actually solved by adding the 192.9.200.x address to the 'internal' object in ISA (it wasn't before)

I also added the route -p but I'm not sure that made a big difference ... then (apparently) ISA sends out the routing tables to the FWClients ... I found this on a MS site that explained it ... I've highlighted the best bit !

Points to you for being there and helping me along !

I've learned something today !

S.S.

---------------------
http://technet.microsoft.com/en-us/library/cc302546.aspx

In ISA Server, a network is a rule element, which can contain one or more ranges of Internet Protocol (IP) addresses and domains. Each network that is defined for an ISA Server computer must include an IP address bound to a network adapter on the ISA Server computer and should reflect the physical network topology as viewed from the ISA Server computer. If a network is configured to support Firewall clients, ISA Server will accept incoming requests from Firewall clients in that network on Transmission Control Protocol (TCP) port 1745.

**************************
In addition, ISA Server will supply the set of IP address ranges included in the network to all Firewall clients residing in the network. These IP address ranges are stored in memory by the Firewall Client Agent service (FwcAgent) on the Firewall clients as a table of IP address ranges called the local address table (LAT).
****************************

Each Firewall client recognizes all IP addresses included in the LAT and the IP addresses specified in its own routing table as being local.
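To make the behaviour in the accepted answer and the quoted TechNet passage concrete, here is a small model of the Firewall Client's "is this destination local?" decision. This is an added illustration, not ISA's or Microsoft's code: it treats an address as local when it falls inside the LAT pushed down from the ISA "Internal" network or inside a route in the client's own routing table, sends everything else to ISA's Firewall service (TCP 1745), and leaves ICMP alone because the Firewall Client only intercepts Winsock TCP/UDP traffic (which is why ping worked in the question regardless of the FWC setting). The 10.10.1.0/24 and 192.9.200.0/24 subnets come from the thread; the exact LAT ranges, the client routing table, the SQL server address and the gateway placeholder are constructed assumptions.

```python
"""Model of an ISA Server 2004 Firewall Client deciding where a connection goes.

Constructed illustration (not ISA's code). A destination is "local" if it is in
the LAT that ISA supplies (the address ranges of the ISA "Internal" network) or in
the client's own routing table; anything else is tunnelled to the Firewall service
on ISA over TCP 1745. ICMP is never intercepted by the Firewall Client.
"""
import ipaddress

# Constructed sample data. The subnets come from the question; the precise ranges,
# the client routing table and the SQL server address are assumptions.
LAT_BEFORE_FIX = [("10.10.1.0", "10.10.1.255")]
LAT_AFTER_FIX = [("10.10.1.0", "10.10.1.255"), ("192.9.200.0", "192.9.200.255")]
CLIENT_ROUTES = ["10.10.1.0/24"]  # assumed: the client only knows its own subnet


def parse_lat(ranges):
    """Turn (first, last) address strings into comparable address pairs."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]


def is_local(dest, lat, routes):
    """True if dest is inside the LAT or inside a route the client itself holds."""
    d = ipaddress.ip_address(dest)
    if any(lo <= d <= hi for lo, hi in parse_lat(lat)):
        return True
    return any(d in ipaddress.ip_network(r, strict=False) for r in routes)


def dispatch(dest, protocol, lat, routes=CLIENT_ROUTES):
    """Return 'direct' (host routing table, i.e. via the switch) or 'isa'
    (handed to the Firewall service on ISA over TCP 1745)."""
    if protocol.lower() == "icmp":
        return "direct"  # ping bypasses the Winsock-based Firewall Client
    return "direct" if is_local(dest, lat, routes) else "isa"


def route_add_command(network, mask, gateway):
    """The persistent host route the accepted answer adds on the ISA server."""
    return f"route -p add {network} mask {mask} {gateway}"


if __name__ == "__main__":
    sql_server = "192.9.200.10"  # assumed address of the SQL server
    for label, lat in (("before fix", LAT_BEFORE_FIX), ("after fix", LAT_AFTER_FIX)):
        for proto in ("tcp", "icmp"):
            print(f"{label:10} {proto:4} -> {sql_server}: {dispatch(sql_server, proto, lat)}")
    # Gateway is a placeholder; substitute the router/switch address for that subnet.
    print(route_add_command("192.9.200.0", "255.255.255.0", "<gateway-to-192.9.200.0>"))
```

Run as-is, the TCP case flips from "isa" to "direct" once the 192.9.200.x range is part of the Internal network (and so of the LAT), while ICMP is "direct" in both cases, matching what the questioner observed. The ISA-side route from the accepted answer is still needed so that traffic ISA handles for that subnet has somewhere to go, but it does not by itself change what the Firewall Client considers local.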
 

Author Closing Comment

by:SpencerSteel
ID: 31544506
Not Keith's fault that he didn't provide all the answer, as I didn't provide all the clues, and kinda solved the last bit myself ... but thanks for being there and pointing me in the right directions :)
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23603143
learn something new everyday :) thanks for the update - and the points