#1
Currently, I have 2 Internet connections at a client of mine. I have Internet A plugged into a wireless router that isn't connected to the internal network. Internet B I have connected to a WatchGuard Firebox that is used for a VPN to the home office in Canada. It is also used for Internet but has a 5-user license. I want to use Internet A for Internet traffic and Internet B for VPN traffic to our terminal server. Both servers are dual-NIC. Please advise.

mark@csctechnology.net
#2
1. Get rid of the dual NICs. *One* NIC per server.

2. The "wireless router" is just a NAT firewall, just like the WatchGuard is a NAT firewall. Apart from the wireless ability they both do the same thing... one just costs more.

3. The "wireless" part of the device is almost (not quite, but almost) useless. You will use it like a "wired router" for the most part, but you can have laptops or something still use the wireless part if you want, after everything is completed.

4. Connect both NAT firewalls' internal-facing interfaces into the same switch/hub that the rest of the LAN uses. The interfaces must have IP#s compatible with the LAN (same IP segment, different IP#).

5. Since you probably only have one IP segment on the LAN, and hence no LAN router, and since there is almost a zero percent chance the "wireless router" is capable of holding static routes, and since the WatchGuard box will have to keep its own default gateway pointed where it is... you will have to manage your routing with static routes entered on every single machine individually.

The default gateway of all machines will point to the "wireless router", since that is the device providing the general Internet. Then every machine needs a static route that tells it to use the WatchGuard as the "gateway" for the home office.

If the WatchGuard IP is 192.168.17.1 and the home office internal subnet was 192.168.24.x, the static route on each machine would be:

Route Add -p 192.168.24.0 mask 255.255.255.0 192.168.17.1

If the wireless device has a local address table then the home office subnet needs to be added to it, but it probably isn't capable of having one of those.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.

-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

<(E-Mail Removed)> wrote in message news:74836051-fa9a-4045-888c-(E-Mail Removed)...
> Currently, I have 2 Internet Connections at a client of mine. I have
> Internet A plugged into a wireless router that isn't connected to the
> internal network. Internet B I have connected to a Watchguard FireBox
> that is used for a VPN to the home office in Canada. It is also used
> for internet but has a 5 user license. I want to use Internet A for
> Internet traffic and Internet B for VPN traffic to our terminal
> server. Both server are dual Nics. Please advise.
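The route selection the post above relies on is longest-prefix match: the default route (0.0.0.0/0) sends everything to the wireless router, but the more specific 192.168.24.0/24 entry added with `route add -p` wins for home-office addresses and hands them to the WatchGuard. The script below is an added example, not code from the thread or from any of its participants; it models a LAN host's routing table with the thread's addresses (WatchGuard 192.168.17.1, home office 192.168.24.0/24) and shows which gateway each destination is sent to, with and without the static route. The LAN segment 192.168.17.0/24, the wireless router's address 192.168.17.254 and the test destinations are assumptions.

```python
"""Longest-prefix-match route selection on a LAN host (added example, not from the thread)."""
import ipaddress

WIRELESS_ROUTER = ipaddress.ip_address("192.168.17.254")  # assumed address of the "wireless router"
WATCHGUARD = ipaddress.ip_address("192.168.17.1")         # WatchGuard internal IP, from the thread
LAN = ipaddress.ip_network("192.168.17.0/24")            # assumed single LAN segment
HOME_OFFICE = ipaddress.ip_network("192.168.24.0/24")    # home office subnet, from the thread


def build_routing_table(with_static_route=True):
    """Routes a host holds: default gateway, connected LAN, and optionally
    the persistent static route from the post:
        Route Add -p 192.168.24.0 mask 255.255.255.0 192.168.17.1
    Each entry is (destination network, gateway); gateway None means the
    destination is directly connected (no router involved).
    """
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), WIRELESS_ROUTER),  # default gateway
        (LAN, None),                                          # directly connected
    ]
    if with_static_route:
        table.append((HOME_OFFICE, WATCHGUARD))
    return table


def next_hop(table, destination):
    """Pick the most specific (longest prefix) route that contains the destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway in table:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    if best is None:
        raise ValueError(f"no route to {destination}")
    return best[1]


def classify(table, destination):
    """Name the path a destination takes, for readable output."""
    hop = next_hop(table, destination)
    if hop is None:
        return "direct"
    if hop == WATCHGUARD:
        return "watchguard-vpn"
    if hop == WIRELESS_ROUTER:
        return "wireless-internet"
    return str(hop)


if __name__ == "__main__":
    # Constructed destinations: a home-office host, a LAN host, a public address.
    targets = ("192.168.24.10", "192.168.17.20", "203.0.113.5")
    for label, table in (("with static route", build_routing_table(True)),
                         ("without static route", build_routing_table(False))):
        print(label)
        for target in targets:
            print(f"  {target:>15} -> {classify(table, target)}")
```

Without the static route, 192.168.24.10 falls through to the default gateway, which is exactly the failure mode the post warns about: the wireless router has no path to the home office, so the VPN traffic never reaches the WatchGuard.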
#3
What if I set it up as this.

Internet A goes to PDC NIC 1.
Set default gateway in DHCP to wireless router.
Plug PDC NIC 2 into switch.
Plug Firebox into terminal server NIC 1.
Set default gateway on TS to Firebox.
Plug TS NIC 2 into switch.

Will this work as I am intending?

On Nov 19, 2:51 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> 1. Get rid of the dual NICs. *One* NIC per server.
>
> 2. The "wireless router" is just a NAT firewall, just like the WatchGuard is a
> NAT firewall. Apart from the wireless ability they both do the same
> thing... one just costs more.
>
> 3. The "wireless" part of the device is almost (not quite, but almost)
> useless. You will use it like a "wired router" for the most part, but you
> can have laptops or something still use the wireless part if you want, after
> everything is completed.
>
> 4. Connect both NAT firewalls' internal-facing interfaces into the same
> switch/hub that the rest of the LAN uses. The interfaces must have IP#s
> compatible with the LAN (same IP segment, different IP#).
>
> 5. Since you probably only have one IP segment on the LAN, and hence no
> LAN router, and since there is almost a zero percent chance the "wireless
> router" is capable of holding static routes, and since the
> WatchGuard box will have to keep its own default gateway pointed where it
> is... you will have to manage your routing with static routes entered
> on every single machine individually.
>
> The default gateway of all machines will point to the "wireless router",
> since that is the device providing the general Internet. Then every machine
> needs a static route that tells it to use the WatchGuard as the "gateway"
> for the home office.
>
> If the WatchGuard IP is 192.168.17.1 and the home office internal subnet was
> 192.168.24.x, the static route on each machine would be:
>
> Route Add -p 192.168.24.0 mask 255.255.255.0 192.168.17.1
>
> If the wireless device has a local address table then the home office subnet
> needs to be added to it, but it probably isn't capable of having one of those.
#4
Having two NICs in a DC is a recipe for disaster. It can cause you all sorts of odd problems which can take ages to debug.

<(E-Mail Removed)> wrote in message news:867b33bb-bbfa-4ad3-8d22-(E-Mail Removed)...
> What if I set it up as this.
>
> Internet A goes to PDC NIC 1.
> Set default gateway in DHCP to wireless router.
> Plug PDC NIC 2 into switch.
> Plug Firebox into terminal server NIC 1.
> Set default gateway on TS to Firebox.
> Plug TS NIC 2 into switch.
>
> Will this work as I am intending?
#5
<(E-Mail Removed)> wrote in message news:867b33bb-bbfa-4ad3-8d22-(E-Mail Removed)...
> What if I set it up as this.
>
> Internet A goes to PDC NIC 1.
> Set default gateway in DHCP to wireless router.
> Plug PDC NIC 2 into switch.
> Plug Firebox into terminal server NIC 1.
> Set default gateway on TS to Firebox.
> Plug TS NIC 2 into switch.

If the only thing using the WG Internet link is the TS box and nothing else, then...

1. Configure the TS box as you describe.

2. Keep the DC with *one* NIC and configure as I described before. You just won't need the static routes since everything will just use the broadband box as the DFG.

3. Doing it this way you could potentially still end up in a mess if the LAN is a multi-subnet LAN with a LAN router. It would actually be easier to deal with in the long run but is configured differently than I have described up to now.

4. Only the TS box will even know the line with the WG even exists. The other link is the only thing that the other machines will "know" about. However, TS traffic is *very low*... that is the whole point of using TS over a slow link. This whole project could be a waste of time based on the faulty idea that you need a bunch of bandwidth dedicated to the TS box. You might be better off using the TS over the same link with everything else and save the extra line for something else that truly needs it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
#6
On Nov 21, 10:25 am, "Phillip Windell" <philwind...@hotmail.com> wrote:
> If the only thing using the WG Internet link is the TS box and nothing else,
> then...
>
> 1. Configure the TS box as you describe.
>
> 2. Keep the DC with *one* NIC and configure as I described before. You just
> won't need the static routes since everything will just use the broadband
> box as the DFG.
>
> 3. Doing it this way you could potentially still end up in a mess if the LAN
> is a multi-subnet LAN with a LAN router. It would actually be easier to
> deal with in the long run but is configured differently than I have
> described up to now.
>
> 4. Only the TS box will even know the line with the WG even exists. The
> other link is the only thing that the other machines will "know" about.
> However, TS traffic is *very low*... that is the whole point of using TS over
> a slow link. This whole project could be a waste of time based on the
> faulty idea that you need a bunch of bandwidth dedicated to the TS box. You
> might be better off using the TS over the same link with everything else and
> save the extra line for something else that truly needs it.

I have tried this and the TS cannot see the PDC. Any thoughts?
#7
<(E-Mail Removed)> wrote in message news:ce18dc74-5da5-4364-97dd-(E-Mail Removed)...
>
> I have tried this and the TS cannot see the PDC. Any thoughts?

Several...

1. There is no true PDC in a Windows 2000 or newer domain. PDCs were from the NT4 "world".

2. The TS box should *never* be allowed to get its TCP/IP config from the broadband box. In fact, the broadband box should never have its DHCP service enabled.

3. The TS box should never get its IP config from any DHCP, ever. It must always be statically assigned.

IP#: <whatever>
Mask: <whatever the LAN uses>
DFG: <the broadband box>
DNS: <the Domain Controllers>
WINS: <the Domain Controllers, or whatever is running WINS>

4. Your LAN has to be a single subnet with the DC in the same subnet as the TS box. The broadband box must also have its internal-facing interface in the same subnet as the rest of the LAN. It can work with more than one subnet but is more complicated to deal with and has not been discussed in this thread.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
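The "TS cannot see the DC" symptom in this thread is the kind of thing points 2 through 4 above let you rule out by inspection: a statically assigned address, a default gateway on the LAN subnet, the domain controller on that same subnet, and DNS pointing at the domain controllers rather than at the broadband box. The checker below is an added example, not code from the thread or its participants; it encodes those four rules from the post above (it follows this post's choice of the broadband box as the default gateway) and runs them over two constructed terminal-server configurations. All addresses are assumptions except the WatchGuard's 192.168.17.1, which comes from the thread.

```python
"""Check a terminal server's static TCP/IP config against the rules in the post above (added example)."""
import ipaddress


def check_static_config(cfg, domain_controllers, broadband_box):
    """Return a list of rule violations; an empty list means the config follows the post.

    cfg keys: ip, mask (dotted), dfg, dns (list of addresses), dhcp (bool).
    """
    problems = []

    # Rule 3: the TS box must be statically assigned, never a DHCP client.
    if cfg.get("dhcp"):
        problems.append("TS box gets its config from DHCP; it must be statically assigned")

    iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}")
    subnet = iface.network
    dfg = ipaddress.ip_address(cfg["dfg"])
    broadband = ipaddress.ip_address(broadband_box)

    # Rule 3/4: default gateway is the broadband box, and it sits on the LAN subnet.
    if dfg not in subnet:
        problems.append(f"default gateway {dfg} is not on the TS box's subnet {subnet}")
    if dfg != broadband:
        problems.append(f"default gateway is {dfg}, expected the broadband box {broadband}")

    # Rule 4: single subnet, so every domain controller must share the TS subnet.
    dcs = [ipaddress.ip_address(d) for d in domain_controllers]
    for dc in dcs:
        if dc not in subnet:
            problems.append(f"domain controller {dc} is not on the TS box's subnet {subnet}")

    # Rule 3: DNS must point at the domain controllers, not at the broadband box.
    dns = [ipaddress.ip_address(d) for d in cfg.get("dns", [])]
    if not dns:
        problems.append("no DNS servers configured; DNS must point at the domain controllers")
    for server in dns:
        if server not in dcs:
            problems.append(f"DNS server {server} is not a domain controller")

    return problems


# Constructed LAN facts (assumptions, not from the thread except the WatchGuard IP).
DOMAIN_CONTROLLERS = ["192.168.17.5"]
BROADBAND_BOX = "192.168.17.254"
WATCHGUARD = "192.168.17.1"

# Constructed config resembling the failing setup: TS on a separate segment behind
# the Firebox, default gateway on the Firebox, DNS pointed at the broadband box.
BROKEN_TS = {
    "ip": "10.0.0.10", "mask": "255.255.255.0", "dfg": "10.0.0.1",
    "dns": [BROADBAND_BOX], "dhcp": True,
}

# Constructed config following the post: static, on the LAN subnet, DNS = DC.
GOOD_TS = {
    "ip": "192.168.17.10", "mask": "255.255.255.0", "dfg": BROADBAND_BOX,
    "dns": DOMAIN_CONTROLLERS, "dhcp": False,
}


def report(name, cfg):
    """Return the problem list for one config and print it for the reader."""
    problems = check_static_config(cfg, DOMAIN_CONTROLLERS, BROADBAND_BOX)
    print(f"{name}: {'OK' if not problems else ''}")
    for p in problems:
        print(f"  - {p}")
    return problems


if __name__ == "__main__":
    report("broken TS config", BROKEN_TS)
    report("good TS config", GOOD_TS)
```

The broken configuration trips four rules at once (DHCP client, gateway is not the broadband box, DC on a different subnet, DNS not a domain controller), which is a compact way of seeing why the terminal server could not find the domain controller in the setup described in post #6.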
Tags: connections, internet, internettraffic, static, tunnel, vpn