Small Business Server Support Forum    
Subject: Bypassing ISA by expanding your netmask
Chris Rasco
United States
Member since
4/4/2005

Registered Users
Posts: 25

3/27/2008 10:51 PM  
I don't know if it's me or the number of users we have on our network (~35), but web requests through ISA seem to crawl. I've got our network set up with 2 NICs and a Cisco 2821 as our actual edge device. Between the 2821 and the ISA server is a 192.168.1.x network and behind ISA is a 192.168.2.x network. My thoughts are to alter the netmask for my admins to 255.255.252.0, which would make the .1.x and .2.x networks appear as a single network. From there I could leave DNS resolution with my SBS server, but change my gateway to the LAN IP of our actual edge router.
 
The network topology I described is largely logical as the SBS server's external NIC is not plugged directly into the 2821, but into a switch. This is a function of additional equipment we have sitting on the .1.x network that we didn't want behind the ISA firewall.
 
Any downsides to trying this that I might not be thinking of? I'll still be able to route to the inside interface of the SBS server, but I'll merely be opening up the address range that my workstation can "natively" route to encompass our edge device.
Mariette Knap
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12894

3/28/2008 03:29 PM  
If performance on your ISA 2004 server is a problem then you should solve that problem instead of creating a workaround that is not a secure solution at all.

Mariëtte Knap, Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Chris Rasco
United States
Member since
4/4/2005

Registered Users
Posts: 25

3/31/2008 06:31 PM  
The workaround would only be for the IT staff. That said, what kind of limits in terms of traffic have you seen tax ISA2k4? I've got rules set up that create wide open outbound pipes for the machine I am working on, yet I still notice that certain sites have CSS, images, or other content stripped or blocked before getting to my machine.
 
I've run the BPA for both ISA and SBS on this machine and corrected all small changes as directed. It's more of a nuisance than anything really as it's not actually impeding my daily work.
Marina Roos
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12507

4/01/2008 02:37 AM  
Hi Chris,
 
I don't quite understand your network setup. Can you please post an ipconfig /all from the server and a client?

Marina Roos, Smallbizserver.Net Administrator
Chris Rasco
United States
Member since
4/4/2005

Registered Users
Posts: 25

4/02/2008 05:32 PM  
Server:
 
Windows IP Configuration
   Host Name . . . . . . . . . . . . : TSSBSR2
   Primary Dns Suffix  . . . . . . . : ts.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : ts.local

Ethernet adapter Server Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-18-8B-31-4E-79
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.2.2
   Primary WINS Server . . . . . . . : 192.168.2.2

Ethernet adapter Network Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : 00-18-8B-31-4E-7B
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.253
   DNS Servers . . . . . . . . . . . : 192.168.2.2
   NetBIOS over Tcpip. . . . . . . . : Disabled
Client:
 
Windows IP Configuration
   Host Name . . . . . . . . . . . . : Hp-xw4300-3
   Primary Dns Suffix  . . . . . . . : ts.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ts.local

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-15-60-A2-14-49
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a021:b057:c1c1:c044%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.2
   DNS Servers . . . . . . . . . . . : 192.168.2.2
                                       66.118.0.20
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Internet ---> Cisco 2821 (LAN IP: 192.168.1.253) ---> ISA Server (External: 192.168.1.10/Internal: 192.168.2.2) ---> Clients (192.168.2.x)
 
Physically, the Cisco 2821 and the ISA Server are plugged into a Cisco Switch Stack so the network separation is logical and not physical. If I change my desktop IP to the 192.168.1.x network and alter my gateway and DNS I can bypass the ISA server completely. We do this for outside visitors that need internet access.
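
Added example, not part of any post in this thread: a Python audit that parses an ipconfig /all adapter block and flags client settings that send traffic around the ISA server, using the addresses from the topology line above. The function names, finding labels, the sample adapter blocks and the visitor address 192.168.1.50 are constructed for illustration.

```python
import ipaddress
import re

# Addresses from the topology line in the thread.
ISA_INTERNAL = ipaddress.ip_address("192.168.2.2")    # gateway clients are meant to use
PERIMETER = ipaddress.ip_network("192.168.1.0/24")    # segment between ISA and the 2821

FIELD = re.compile(
    r"^\s*(IPv4 Address|IP Address|Subnet Mask|Default Gateway)[ .]*:[ \t]*([\d.]+)",
    re.M,
)

def parse_adapter(text):
    """Return (interface, gateway or None) from one adapter block of ipconfig /all."""
    f = dict(FIELD.findall(text))
    addr = f.get("IPv4 Address") or f["IP Address"]
    iface = ipaddress.ip_interface(f"{addr}/{f['Subnet Mask']}")
    gw = f.get("Default Gateway")          # absent when the field is blank
    return iface, ipaddress.ip_address(gw) if gw else None

def audit(iface, gw):
    """List the ways this client configuration sends traffic around ISA."""
    findings = []
    if ISA_INTERNAL in iface.network and iface.network.overlaps(PERIMETER):
        findings.append("mask-spans-perimeter")      # e.g. 255.255.252.0
    if iface.ip in PERIMETER:
        findings.append("address-on-perimeter")
    if gw is not None and gw != ISA_INTERNAL:
        findings.append("gateway-not-isa")
    return findings

# Constructed adapter blocks (not captured output): the client as posted, the
# proposed admin setting, and a visitor-style perimeter address.
TEMPLATE = """Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : {ip}(Preferred)
   Subnet Mask . . . . . . . . . . . : {mask}
   Default Gateway . . . . . . . . . : {gw}
"""
SAMPLES = {
    "as_posted": TEMPLATE.format(ip="192.168.2.10", mask="255.255.255.0", gw="192.168.2.2"),
    "wide_mask": TEMPLATE.format(ip="192.168.2.10", mask="255.255.252.0", gw="192.168.1.253"),
    "visitor": TEMPLATE.format(ip="192.168.1.50", mask="255.255.255.0", gw="192.168.1.253"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        iface, gw = parse_adapter(text)
        print(f"{name:10} {iface.network!s:16} gw={gw}  {audit(iface, gw) or 'ok'}")
```

With the 255.255.252.0 mask the client's connected network becomes 192.168.0.0/22, so the 2821 at 192.168.1.253 is on-link and no packet to it passes through ISA.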
Kevin Da Silva
Mississauga, Canada
Member since
1/12/2008

Registered Users
Posts: 579

4/04/2008 08:31 PM  
Turn on logging within ISA and see exactly what is going on.

MCSE:Messaging, MCTIP, SBS Specialist
Marina Roos
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12507

4/10/2008 02:13 PM  
Hi Chris,
 
Unfortunately you have the dreaded Broadcom NICs in the server. Please disable all advanced features on them regarding checksum, offload and Receive Side Scaling. Run the SBS BPA tool.
On the client, remove the TCP/IP6 protocol and set it to obtain an IP from DHCP. It has the wrong information now.

Marina Roos, Smallbizserver.Net Administrator