Questions about IPs of ISA 2006 Enterprise Arrays with 2 Nics each.
-
Monday, January 07, 2013 1:12 AM
The plan is to deploy 2 ISA 2006 Enterprise servers with 2 nics each on a LAN with 10 subnets. We would have all web proxy clients, Firewall Client clients and SecureNat clients. For SecureNat of multiple subnets, we would leave the client local gateway configurations left as they are and have the network team forward internet requests going from the gateway routers on the LAN to the internal nic of the ISA server.
If the local subnets are 192.168.0 to 192.168.10.0 and "internal" nics on the ISA servers are on 192.168.0.10 for ISA1 and 192.168.0.20 for ISA2. What subnet does the "external" nics of both ISA servers go on? I know it needs to be "different" than the one used for the nics labled internal, but can it be any other subnet (like 192.168.0.2) or does a brand new subnet need to be created for this that other internal computers are not using and is not included in the list of local subnets on the local interface (such as 192.168.11.0)?
If both NICs are attached to the LAN, what prevents both NIC addresses from being registered in DNS and clients becoming confused as to which of the 2 IP addresses to communicate with when they resolve the hostname?
All Replies
-
Monday, January 07, 2013 1:30 PM
I am sure that you have good reason to deploy ISA 2006 (TMG is current and last version of fírewalls from MS as it is today, see http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx).
In any way, the external interface has to be on a different subnet than defined on the internal network.
If your internal network is 192.168.0.0 - 192.168.10.255 (each network being a /24 network - e.g. 192.168.x.0/24 where x starts at 0 and is incremented by one to 10) then the external network has to be on a different subnet. E.g. you cannot take on address in that range and exclude it and put it on your external nic.
The reason for this is that ISA acts as a router in a 2 nic (or more) scenario and hence the subnets has to be different.
192.168.0.2 is not on a different subnet as per the above.
192.168.11.2 would be a different subnet (or any other for that matter).
The only way to use 192.168.0.2 on the external interface is to segment the 192.168.0.0 network in a suitable fashion and thus create a different network and use one on the external interface and the rest on the internal.
Hth, Anders Janson Enfo Zipper
-
Monday, January 07, 2013 6:27 PM
I just noticed I had a typo in the original post that changed the meaning of the question. I meant to type 192.168.2.0 instead of 192.168.0.2. Of course 192.168.0.2 is on the same network as 192.168.0.10 ans 192.168.0.20 used be the two ISA servers' internal connections. I already knew that IP address could not be used.
So, you are still saying that none of the other current subnets between 192.168.1.0 and 192.168.0.10 can be used as the IP for the external nics and a new subnet (like 192.168.11.0) must be created even though each of the existing subnets need to go through a gateway to reach another subnets?
-
Tuesday, January 08, 2013 8:04 AMModerator
Hi,
Thank you for the post.
You must use different IP subnets for each interface on your ISA Server. The subnet 192.168.2.0 is still include the internal network(192.168.0.0 - 192.168.10.255).
Regards,
Nick Gu - MSFT
- Marked As Answer by MyGposts Thursday, January 10, 2013 1:36 PM
-
Thursday, January 10, 2013 12:27 PM
Assuming that you mean 192.168.1.0 - 192.168.10.255 as the range for the internal network.
In that case, then no, you cannot use 192.168.2.x as the external network as that network will be in the LAT. Should you want to use that subnet as the external network, then the LAT will look like this:
192.168.0.0 - 192.168.1.255
192.168.3.0 - 192.168.10.255
Notice the gap for the 192.168.2/24 network. Again, this assuming that you are using /24 ("c-networks"). Otherwise, use a completely different external network.
Hth, Anders Janson Enfo Zipper
- Marked As Answer by MyGposts Thursday, January 10, 2013 1:35 PM
.png)
