nationalautoresearch
Dual ISPs (TMG 2010): Route traffic based on AD user

Greetings everyone -

Here is my challenge :

I have 1x Cisco 2800 series router with a Checkpoint FW behind it. This is in place by our corporate IT department and is out of my control.
The Checkpoint handles a site-to-site VPN over our 4 T1 lines to the corporate office, where they have another Checkpoint FW / Cisco router.
They currently have a content engine module installed and are filtering web content based on policies they have defined within it.

My management team has asked that I come up with a way to allow certain users (management) access to sites that are blocked by the corporate filter. I have already spoken with the corporate IT group and let's just say that I won't be getting any help from them.
Management has also asked that I be able to report on the internet usage and activity of the users, which I don't even know if the content engine could do even if I did have access to it.
We are an enterprise-size corporation, but the structure within corporate IT is very strange...

My solution to this since I can't do anything with their equipment is the following:

1x TMG 2010 Standard
2x NICs (one for LAN, one for DSL)
1x IPBinder to change the source IP.

Now I have been told that this scenario will work, but since Windows doesn't support more than one default gateway (especially when they have the same metric),
I have run into issues with DNS not choosing the right interface and other things.

I basically just want to use the 1st NIC as an inline proxy / web filter for the users (including management) and simply apply a rule and use IPBinder for specific users (mgmt) to use the DSL NIC.

I have searched and searched to no avail; all the multiple gateway / WAN / ISP articles I've found pertain to ISA 2006 or older, or they reference the ISP redundancy of TMG, which is NOT what I am after.
ASKER CERTIFIED SOLUTION
Keith Alabaster
Many times a firewall like this corporate one is inserted as a way to restrict internet access. The firewall is often inserted in the network in such a way that it won't affect the users in the transit period.

So often you have a network of 10.0.0.0-255 and a gateway of 10.0.0.254; when the corporate firewall is inserted in the network it, for example, gets 10.0.0.253.
The corporate firewall has a default route of 10.0.0.254.
Your LAN users now begin to get a DHCP-served default GW of .253 and now get filtered by the firewall.

If this is the case then you only have to change the default GW of your management PCs and add static routes to .253 for corporate networks.
If only web sites are needed then the default GW doesn't need changing, just the proxy settings introduced within the browser. If non-web sites are needed then the FTMG firewall client can be used. The static route would need to be placed on the FTMG box though.
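An added example (not from this thread or its participants) that checks the routing design described above with a longest-prefix-match simulation of a host's route table: once a management PC's default gateway is moved off the .253 filter, corporate destinations still go through .253 only while the static routes are present, and internet destinations take the new gateway. The corporate prefix 10.100.0.0/16 and the alternate gateway 10.0.0.250 are assumed placeholders, not values from the thread.

```python
import ipaddress

# Constructed topology from the answer: LAN 10.0.0.0/24, original gateway .254,
# corporate filtering firewall inserted at .253 and handed out by DHCP as default GW.
# Placeholders (assumptions): corporate networks 10.100.0.0/16 and the management
# PCs' new default gateway (e.g. a TMG/DSL box) at 10.0.0.250.
CONNECTED = "10.0.0.0/24"

# (destination prefix, next hop); None means directly connected.
REGULAR_USER_ROUTES = [
    ("0.0.0.0/0", "10.0.0.253"),      # everything via the corporate filter
    (CONNECTED, None),
]

MANAGEMENT_ROUTES = [
    ("0.0.0.0/0", "10.0.0.250"),      # default GW moved off the corporate filter
    ("10.100.0.0/16", "10.0.0.253"),  # static route: corporate nets still via filter
    (CONNECTED, None),
]


def next_hop(routes, dst):
    """Longest-prefix match, as a host's IP stack does it. Returns the next-hop
    address, 'direct' for a connected network, or None if the destination is
    unroutable (no matching prefix at all)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "direct" if best[1] is None else best[1]


def path_report(dst):
    """Compare where the same destination goes for a regular user vs a manager."""
    return {"regular": next_hop(REGULAR_USER_ROUTES, dst),
            "management": next_hop(MANAGEMENT_ROUTES, dst)}


if __name__ == "__main__":
    # Corporate host, internet host (TEST-NET-3 address), and a LAN neighbour.
    for dst in ("10.100.7.7", "203.0.113.10", "10.0.0.9"):
        print(dst, path_report(dst))
```

Dropping the 10.100.0.0/16 entry from the management table sends corporate traffic to 10.0.0.250 instead, which is the failure mode the static routes exist to prevent.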
nationalautoresearch (ASKER)

Keith -

In regard to the type of traffic, it is just web traffic that he will need, but if the website he visits contains Flash content, or embedded streaming video of some sort, obviously I would want this traffic to come via the DSL WAN versus the corporate WAN. Would that be included in HTTP/HTTPS? Or will I have to specify those protocols directly?

Also why did everyone tell me I would need IPBinder in order to split traffic based on the source user with TMG?

I have two NICs in TMG: one is 10.211.11.25 (corporate LAN), one is 192.168.1.50 (DSL).
Won't I have to use IPBinder on the rule for the specific user so that all his traffic "appears" to TMG to be coming from 192.168.1.50? Otherwise it won't send that traffic out that interface due to no static route... right?
I am considering using "Untangle", a dedicated Linux-based open source solution, to achieve this goal versus using TMG.

Version 7.2 supports integration with AD and may be what I need. Anyone have any experience with this product?
SOLUTION
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.