 

VPC and ISA Server configuration help!

  • Monday, September 28, 2009 4:36 PM ahmedilyas (MVP)
     

    I'm using VPC's here and just cannot seem to make this happen.

    I want all traffic to go through ISA Server but this does not seem to be working.


    I am using VPC's here and ISA 2006.


    However, when pinging or accessing, say, the Exchange server VPC, it pings just fine and bypasses ISA completely.

    What am I doing wrong?

    I want to eventually publish exchange and other apps through ISA Server but cannot do this until this configuration is sorted.

    How should my VPC's be configured?

    This is my configuration:

     

    VPC Settings:

    Client WS2003: Local Only
    DC/AD/DNS: Local Only
    Exchange 2003: Local Only
    OCS: Local Only
    ISA Server: LoopBack Adapter #2, Host NIC, Loopback Adapter #3


    IP Settings in the VPC's

    Client WS2003:
    IP: 10.10.10.3
    Subnet: 255.255.255.0
    Default Gateway: 10.10.10.1


    DC/AD/DNS:
    IP: 10.10.20.1
    Subnet: 255.255.255.0
    Default Gateway: 10.10.20.2
    DNS: 127.0.0.1


    Exchange 2003
    IP: 10.10.20.3
    Subnet: 255.255.255.0
    Default Gateway: 10.10.20.2
    DNS: 10.10.20.1


    OCS:
    IP: 10.10.20.5
    Subnet: 255.255.255.0
    Default Gateway: 10.10.20.2
    DNS: 10.10.20.1


    ISA Server:
    LoopBack Adapter #2 (Internal) IP: Obtain IP Automatically

    LoopBack Adapter #3 (External)
    IP: 10.10.10.1
    Subnet: 255.255.255.0

    NIC (Contoso Network):
    IP: 10.10.20.2
    Subnet: 255.255.255.0
    DNS: 10.10.20.1

    Where am I going wrong?

     


    I am not a pro, so please can someone explain step by step what the configuration should be rather than just posting links?

    Thanks!


    Need 2 be back @ MS - MS All the way! Follower since 1995 MS Super Evangelist| MSDN Forums Moderator

Answers

  • Tuesday, September 29, 2009 7:01 AM Nick Gu - MSFT (MSFT, Moderator)
     Answer

    Hi,

     

    Thank you for your post.

     

    I agree with Kent. You should have 2 NICs in Local Only. One configured with the 10.10.10.0 ip and the other with the 10.10.20.0 ip. However, if you want to make the host computer act as “external” and communicate with the VPC’s computer, you may configure as below:

     

    ISA Server:

    LoopBack Adapter #3 (External)
    IP: 10.10.10.1
    Subnet: 255.255.255.0  

    Default gateway: 10.10.10.2

     

    The real host computer:

    Microsoft Loopback Adapter

    IP: 10.10.10.2
    Subnet: 255.255.255.0  

     

    Meanwhile, I will share some information about the VPC network options. It really depends on what you want the network to do. If you use the default setting (linking the vm to the physical network) your vm is effectively in the same network as your physical machine(s).

    If your host machine is not connected to a physical network (or if you want to create a separate network for virtual machines) you basically have two options.

    1. If you only need the vms to network with each other, use local only. You do not need the Microsoft Loopback Adapter on the host.
    2. If you need the vms and the host to be in the same network, install the MLA on the host and link your vms to that network (i.e. choose the MLA from the dropdown list).

     

    The only real difference between local only and a loopback network is that local only is for virtual machines only. If you need the vms to also see the host (the OS running on the physical machine) you need to use the loopback adapter.

     

    Hope that helps.

     

    Regards,


    Nick Gu - MSFT

All Replies

  • Monday, September 28, 2009 5:05 PM Kent Nordström
     

    I am not sure why you chose LoopBack and Host NIC adapters for the ISA.
    You have to make sure ISA interface is in the same "virtual switch", in this case Local Only, as the computers it is supposed to talk to.

    From where are you pinging the Exchange?


    KONAB
  • Monday, September 28, 2009 5:09 PM ahmedilyas (MVP)
     
    Thanks Kent.

    I am pinging from WS2003DC to the Exchange 2003 VPC images. It just completely bypasses ISA Server (using the monitoring tool in ISA to see what the traffic is).
    And ISA is using the default rule which is block all traffic to and from.


    At the end of the day, I want to be able to publish Exchange and OCS through ISA Server as I want to implement an SSO so I can then eventually implement it into the "real world" but before need to test some things.

    What network system/configuration in ISA Server should I choose? 3-way perimeter or single NIC? If it's single NIC then I don't think it supports publishing of some clients/applications.

    Can you tell me what the configuration for the overall network settings should be in ISA and the VPC images?


  • Monday, September 28, 2009 5:19 PM Kent Nordström
     

    Well, if you ping from 10.10.20.1 to 10.10.20.3 there is no reason for the traffic to pass the router (ISA)... or am I misreading your info?
    The only machine required to use ISA in this setup is your client on the 10.10.10.0/24 network.
    But since the external interface in ISA is in the "wrong" switch I do not see how the traffic will get through to ISA.

    In ISA you need 2 NICs and can use the edge template if you like to use the network templates.
    So on ISA you should have 2 NICs in Local Only. One configured with the 10.10.10.0 ip and the other with the 10.10.20.0 ip.

  • Monday, September 28, 2009 5:39 PM ahmedilyas (MVP)
     
    It could just be me not being experienced in ISA Server.

    Right, so the ISA Server VPC image now has 2 local only NICs.

    One of them is configured with 10.10.10.1 IP, the other 10.10.20.2 IP.

    So would the internal network traffic not be flowing through ISA Server? (internal meaning the DC, Exchange, OCS)
  • Monday, September 28, 2009 8:32 PM Kent Nordström
     

    All computers on the 10.10.20.0 subnet can communicate directly so no need to go through ISA.

    This is not ISA specific this is just plain TCP/IP.
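
    Kent's point above, that hosts on one subnet deliver to each other directly and never hand the packet to the gateway, checked against the addresses posted in this thread. This is an added example, not code from any poster; the host labels and function names are made up for the illustration, and it assumes every interface on a subnet is attached to the same virtual network.

```python
import ipaddress

# Addresses from the thread's lab; the host labels are chosen for this example.
HOSTS = {
    "client":   {"ip": "10.10.10.3", "mask": "255.255.255.0", "gw": "10.10.10.1"},
    "dc":       {"ip": "10.10.20.1", "mask": "255.255.255.0", "gw": "10.10.20.2"},
    "exchange": {"ip": "10.10.20.3", "mask": "255.255.255.0", "gw": "10.10.20.2"},
    "ocs":      {"ip": "10.10.20.5", "mask": "255.255.255.0", "gw": "10.10.20.2"},
}
# ISA Server interface addresses from the thread (external, internal).
FIREWALL_IPS = {"10.10.10.1", "10.10.20.2"}


def next_hop(src, dst_ip):
    """Return (hop_ip, reason) for the first hop a host picks toward dst_ip."""
    iface = ipaddress.ip_interface(f"{src['ip']}/{src['mask']}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        # Same subnet: the sender ARPs for the target and sends directly.
        return str(dst), "on-link"
    gw = src.get("gw")
    if gw is None:
        return None, "no-route"
    if ipaddress.ip_address(gw) not in iface.network:
        # A gateway outside the sender's own subnet cannot be reached.
        return None, "gateway-unreachable"
    return gw, "via-gateway"


def crosses_firewall(src_name, dst_name, hosts=HOSTS, firewall_ips=FIREWALL_IPS):
    """True only when the sender's first hop is a firewall interface."""
    hop, reason = next_hop(hosts[src_name], hosts[dst_name]["ip"])
    return reason == "via-gateway" and hop in firewall_ips


def audit(hosts=HOSTS, firewall_ips=FIREWALL_IPS):
    """List every ordered host pair whose traffic the firewall never sees."""
    return sorted(
        (a, b) for a in hosts for b in hosts
        if a != b and not crosses_firewall(a, b, hosts, firewall_ips)
    )


if __name__ == "__main__":
    for a, b in audit():
        print(f"{a} -> {b}: not inspected by the firewall")
```

    Any pair that `audit()` reports is traffic a firewall rule or log on the ISA machine cannot account for, which is why the "block all" default rule had no effect on the DC-to-Exchange ping.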

  • Monday, September 28, 2009 8:36 PM ahmedilyas (MVP)
     
    Gotcha.

    OK, so now... how can I make my host computer act as "external" so I can then try to communicate with the VPC's computers? So for example, I may want to log onto Exchange on the VPC images from my host - what do I have to configure on my host in terms of loopback adapters/IP settings so it can communicate?
  • Tuesday, September 29, 2009 8:56 AM ahmedilyas (MVP)
     
    Thanks.

    Right, this is the way it stands now on all my VPC's.

    They all have a 10.10.20.x IP and a subnet of 255.255.255.0.

    I installed the loopback adapter on my host and gave it a 192.168.0.1 IP.
    On the ISA Server VPC, it has the local only adapter (10.10.20.2 IP) and also the loopback adapter (192.168.0.2 IP).

    So, how can I then access the websites which are stored in the VPC images from my host computer, and also be able to see that traffic is flowing through ISA Server from external (host) to internal, but also the other way around?