
General discussion: Howto: enable communication between a remote site and array members

  • Sunday, 13 July 2008 22:04, Pronichkin (MVP)
    (x-posted from forums.isaserver.org. Sorry to those who read both these great boards).

    Here are my humble thoughts about how to enable network communication between a remote site and all the array members (and vice versa). This is something which didn't work for me by default. Of course, there are not very many reasons why you may want to do this. In my case I wanted to use ISA MMC in the remote site to manage my ISA configuration in the 'other' site.

    In this example I have two sites — site A and site B. Site A has an array of several hosts running ISA Server Enterprise Edition. Site B may have only one ISA Server, which may be stand-alone Standard Edition or Enterprise Edition. Also, it may have an array running ISA Server Enterprise Edition, which may or may not be in the same Enterprise with Site A.

    My goal here is to allow users in site B to connect to every member of the array in site A. It is not a big deal to connect to the 'active' member — the server which currently holds the VPN tunnel between sites A and B. But if we try to connect from site B to the other ('passive') members of the array in site A, it will not succeed by default.

    That is mainly because 'passive' members have a route relationship with remote sites via the 'Intra-Array' network. And this network has no relationships with any other networks by default. So here's the detailed walkthrough. I've tried to make it as clear as possible. Sorry if it looks too obvious for you.

    1. Add the 'Intra-Array' Network of site A to 'Site B to Internal Network' Network rule in site A.
    2. Add the 'Intra-Array' Network of site A to 'Site B to Internal Network' Firewall rule in site A.
    3. Add the 'Intra-Array' Network address range of site A to 'Site A' Network definition in site B.
    4. Here comes a tricky part. When you connect from a remote site to the Array members you cannot use their addresses that belong to the 'Internal' Network. This is because for 'passive' members of the array the route to the remote site goes through the 'Intra-Array' network. So when connecting to array members from a remote site you should use their 'Intra-Array' addresses.

    You might want to change the Array members' properties at 'Communication -> Remote Communication -> Use this IP address or computer name' and specify their 'Intra-Array' address in that field. This would make it possible to connect from a remote site, but at the same time you would lose connectivity to these hosts from the 'Internal' Network. This is because for all the Array members the route to the 'Internal' Network goes through their 'Internal' NICs. So when ISA Server receives a connection attempt from the 'Internal' Network to its own 'Intra-Array' address it would get confused, because it cannot properly respond (remember, it is supposed to talk to the 'Internal' Network using the 'Internal' NIC and its 'Internal' address). And as a result, the connection attempt would be dropped as a spoof.

    So, in order to keep it possible to connect to the Array members both from the remote site and the 'Internal' Network, you cannot simply replace the 'Internal' address in a host's properties with the 'Intra-Array' one. The only workaround I found is to keep a FQDN there and make some change in the remote site. As I have only one machine in the remote site (my management workstation) which needs connectivity to all the Array members, I chose to edit that machine's Hosts file. I added there the Array members' FQDNs with their 'Intra-Array' addresses.

    Alternatively, if you have a number of machines in the remote site that need to communicate with all the Array members, you might want to implement the change described above using DNS instead of the Hosts records. But then you should care about preventing replication of this change to the site where the Array members reside.

    Any comments are highly welcomed. Are these ideas correct? Don't they violate some global concepts? Is there a better (e.g. more simple/clear/official/etc.) way to achieve the same goal? Thanks in advance!
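As an added example (not the author's own script), here is a PowerShell version of the Hosts-file workaround from the post, run on the remote-site management workstation: it pins the array members' FQDNs to their 'Intra-Array' addresses, refuses any address outside the 'Intra-Array' range, and can be re-run without duplicating entries. The FQDNs, addresses and the Intra-Array subnet are assumed placeholders.

```powershell
# Added example, not from the original post: pin the array members' FQDNs to
# their Intra-Array addresses in the remote-site management workstation's
# Hosts file, as the post's workaround describes. Run in an elevated shell.
# All names, addresses and the Intra-Array range below are placeholders.
$IntraArraySubnet = '10.255.0.0/24'      # assumed Intra-Array range of site A
$ArrayMembers = @{                        # FQDN -> Intra-Array address (constructed)
    'isa1.sitea.example' = '10.255.0.1'
    'isa2.sitea.example' = '10.255.0.2'
}
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Tag       = '# ISA-IntraArray'           # marks the lines this script owns

function ConvertTo-UInt32Address([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($bytes)              # network order -> little-endian for ToUInt32
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    # 64-bit shift, then mask back to 32 bits so a /24 gives 0xFFFFFF00
    $mask = ([uint32]::MaxValue -shl (32 - [int]$bits)) -band [uint32]::MaxValue
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Set-IntraArrayHosts {
    # Drop entries from a previous run so re-running never duplicates lines
    $lines = @(Get-Content $HostsPath | Where-Object { $_ -notlike "*$Tag*" })
    foreach ($fqdn in $ArrayMembers.Keys) {
        $ip = $ArrayMembers[$fqdn]
        # Refuse Internal-network addresses: 'passive' members are only reachable
        # from the remote site through the Intra-Array network
        if (-not (Test-InSubnet $ip $IntraArraySubnet)) {
            throw "$fqdn -> $ip is outside $IntraArraySubnet; use the Intra-Array address"
        }
        $lines += "$ip`t$fqdn`t$Tag"
    }
    Set-Content -Path $HostsPath -Value $lines -Encoding ASCII
    # Show what the workstation now resolves (flush the resolver cache first)
    ipconfig /flushdns | Out-Null
    foreach ($fqdn in $ArrayMembers.Keys) {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        '{0} -> {1}' -f $fqdn, ($addrs -join ', ')
    }
}

Set-IntraArrayHosts
```

Because the entries live only in the remote workstation's Hosts file, nothing is replicated to site A, which is the concern the post raises for the DNS variant.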