RRAS ip routing and ISA

Discussion in 'Server Networking' started by bingyeo, Aug 20, 2009.

  1. bingyeo

    bingyeo Guest


    This is going to be a long post with several questions so please be patient.

    I have a dual-homed ISA 2006 enterprise server acting as an edge firewall
    connected to internal AD network 10.10.10.x/24.
    I would like to join another internal subnet, 10.10.11.x/24 to use the ISA
    as a proxy server to the internet. I want to use a w2k3 server as a router
    for this subnet to connect to the internet, and this server will also act as
    DNS and DHCP for the subnet as well. The new subnet should not be able to
    access any resources in 10.10.10.x, only to use ISA ( as a proxy

    I have set up an RRAS server (ROUTER) with LAN Routing as well as DNS:
    GW: (ISA internal IP)


    For DNS, no forward zones are created.
    No static routes have been added to the ROUTER.

    I have also added a persistent static route on ISA by using "route add -p
    mask metric 1"

    Now, when I test with a notebook configured with a static 10.10.11.x/24
    address with ROUTER ( as gateway and DNS server, I am only able
    to ping the ROUTER's NICs and other 10.10.11.x hosts but not any other
    10.10.10.x hosts. I am not able to connect to the internet as well.

    What am I missing here?
    Do I need to add static routes in the ROUTER or ISA?

    Next, I realised that DHCP does not work unless I authorise it with AD.
    According to technet: Although it is not recommended, you can use a
    stand-alone server as a DHCP server as long as it is not on a subnet with any
    authorized DHCP servers. When a stand-alone DHCP server detects an authorized
    server on the same subnet, it automatically stops leasing IP addresses to
    DHCP clients.

    I tried configuring another standalone server with IP 10.10.11.x with DHCP
    but still encountered the same prompt for AD authorisation. However when I
    changed this server's IP config to be updated by DHCP (10.10.10.x), DHCP on
    this server became active after its IP was updated. Is there an explanation
    for this, remember, this server is stand alone and I did not have to right
    click, Authorise it.

    Anyway, my problem here is that I would like the DHCP server for the
    10.10.11.x subnet to be stand alone. Is there any way for me to do this?

    Lastly, all of my servers and clients are connected to the same network
    switch. Is there any way for me to ensure clients from 10.10.10.x subnet and
    10.10.11.x subnet do not receive IP leases from the wrong scope or is
    VLANning required?

    If I use a wireless access point of IP 10.10.11.x and get clients to connect
    to it, would it ensure that they receive only leases from the 10.10.11.x
    scope? Of course, I realise that this does not solve the problem for DHCP
    clients who are on wired connections.

    Alright, really hope to receive some help and feedback on my queries here.
    Thanks in advance.
    bingyeo, Aug 20, 2009

  2. Bill Grant

    Bill Grant Guest

    Here are a few things to consider.

    1. You can run two subnets on one physical switch, but it is not efficient.
    Although the machines are connected to the same switch, machines in one
    subnet cannot communicate directly with machines in the other subnet. They
    must communicate through a router. These are usually confusingly called
    virtual networks.

    2. You cannot really run two DHCP servers on the same switch. DHCP works on
    broadcasts, so there is no way to discriminate. If a machine broadcasts a
    discover message, both DHCP servers will respond and the client will accept
    whichever offer it receives first.

    3. You don't really need the DHCP server to be standalone. You can run both
    scopes on the same DHCP server, as long as your network is configured
    correctly. The router between the subnets will forward the requests to the
    DHCP server.

    4. Unless you can see a way to configure this using VLANs, get an additional
    switch and run each subnet on its own switch.

    5. I would not run DNS and/or DHCP on a machine running as a router.

    6. I found your proposed routing scheme a bit strange. It seemed to be aimed
    at NAT routing rather than using the proxy service in ISA. In any case this
    setup would not achieve your stated aim. All machines in the new subnet
    would be able to see all machines in the existing subnet and vice versa.

    7. To isolate one subnet, you would need to reverse your setup. The subnet
    which could access the Internet but not the second subnet would need to be
    directly connected to the ISA server. The second subnet would then be
    connected to this subnet with a RRAS/NAT router. This simplifies the routing
    but also means that machines in subnet 1 cannot connect to machines in
    subnet 2 (because they are on the public side of the NAT). The setup would
    look like this.

    limited subnet
    10.10.10.x
         |
      RRAS/NAT
         |
    10.10.11.x

    You do not need any static routes. Because of NAT, all traffic from the
    10.10.11 subnet uses the NAT router's 10.10.10 IP address in the 10.10.10
    subnet. All traffic is automatically routed back to the NAT router, which
    delivers the traffic in the 10.10.11 subnet. I haven't tested it (and I would
    not do it myself), but this setup should run even on one switch.
    Bill Grant, Aug 21, 2009

  3. bingyeo

    bingyeo Guest

    Hi Bill, appreciate your reply.

    Let me try to explain my requirements more clearly.
    The 10 subnet is our office network, running AD, DNS and DHCP for office use,
    and connecting via ISA to the internet.
    We would like to provide internet access to external users who are not part
    of the company, which is why the new subnet must have only access to ISA and
    nothing else from the 10 subnet.
    This is the reason why I am trying to run a separate standalone DHCP and DNS
    servers, to reduce exposure of corporate resources to the 11 subnet as far as

    Due to budget and hardware constraints, I am trying to work something out
    with what I currently have to fulfil my requirements without additional costs.

    Right now, the current setup is:

    limited subnet
    10.10.10.x
    I understand this point, which is why I have configured a server with 2 NICs
    with LAN routing on RRAS. However, the problem is that I am not able to
    communicate from 10 subnet to 11 subnet and vice versa, and I do not know
    where the problem lies. Do I need to configure static routes in RRAS?
    Does this mean that the only way to go is either additional switches or
    configuring VLANs on the switch?
    I would like to avoid the complexity of VLAN configuration.

    See the starting lines of this post, would like to separate server roles for
    each subnet.
    See point 2.
    Ok, got it. Would running DNS and DHCP on 1 machine and another as a router
    be better?

    What do you mean by 'directly connected to the ISA server.'?
    The 10 subnet is connected to the same switch as ISA currently.
    I am not entirely sure of the difference between NAT routing and using ISA
    as a proxy server. I configured ISA as an Edge firewall and configured WPAD
    in DHCP and DNS for autodiscovery for our office users.

    From your diagram, does this mean that I have to configure NAT on RRAS
    rather than LAN routing?

    bingyeo, Aug 21, 2009
  4. Bill Grant

    Bill Grant Guest

    Yes. If you configure RRAS as a NAT router, you do not need additional
    routing. NAT takes care of it by doing address translation. All traffic from
    the 10.10.11 subnet uses the NAT router's 10.10.10 IP address in the
    10.10.10 subnet. Traffic going beyond this network comes back to the NAT
    router, which has tables set up so it can forward the reply to the correct
    machine on the 10.10.11 subnet.

    If you use LAN routing, you need extra routing on the ISA server so that
    it knows where the 10.10.11 subnet is and how to reach it. The other
    disadvantage is that any machine in either subnet can see any machine in the
    other, which you said you did not want.
    Bill Grant, Aug 22, 2009
  5. bingyeo

    bingyeo Guest

    Okay I have tried your suggestion of configuring NAT on the RRAS instead of
    LAN routing. Picked NAT option and chose NIC1 (10 subnet) as the public

    In addition, I:
    - managed to acquire an 8 port unmanaged switch (call this 10.10.11x switch)
    and plugged Router NIC2 ( into this switch.
    - connected another stand alone server with only 1 NIC, 10.10.11.x address
    configured, running DHCP for 10.10.11.x subnet to this switch
    - removed DHCP from Router but left DNS service running
    - removed the persistent static route from ISA which I had configured earlier.

    Here is what happened:

    When I connect my notebook to the 10.10.11.x switch, the standalone DHCP
    server was able to lease an 10.10.11.x address to me. That's one requirement

    However, I was not able to reach the internet, until I configured a DNS
    forwarder on Router to a DNS server in the 10.10.10.x subnet. Even though
    Router sits on both subnets, it is not able to send DNS requests to the
    internet. Why is this so? Is there any way to configure a DNS server on
    10.10.11.x subnet to send DNS requests to the internet directly and not
    depend on a 10.10.10.x subnet DNS server?

    Also, although I was not able to reach the 10.10.11.x subnet from the
    10.10.10.x subnet, I was able to reach 10.10.10.x from 10.10.11.x. Why is
    this possible? I have not configured any static routes anywhere.

    bingyeo, Aug 24, 2009
  6. bingyeo

    bingyeo Guest

    Ok quick update. I realised I did not add the Router Computer to the Allow
    Forwarding DNS to ISP rule, that's why it was blocked.
    DNS seems to work properly without forwarding now.
    My bad.
    bingyeo, Aug 24, 2009
  7. bingyeo

    bingyeo Guest

    Hi Bill

    After configuring NAT, internet access for 11 subnet works fine, but it is
    able to access 10 subnet since, like you said, traffic from 11 subnet is
    passed to the NAT router and uses its 10.10.10 address in the 10.10.10

    ISA is currently joined to the domain in the 10 subnet. Would there be any
    problems if the setup was reversed as you suggested in #7?

    Also, is there any alternative setting on the Router which I would use to
    block ping, RDP etc from 11 subnet to 10 subnet if I stick with the current

    Anyone is welcome to contribute their opinions.

    bingyeo, Aug 26, 2009

  8. I don't see a problem with Bill's suggestion. After reading through the
    thread, Bill's suggestion to have 11 on the ISA, and 10 behind its own NAT,
    will meet your requirements. Keep in mind, LDAP, RPC, and basically AD
    domain traffic, cannot pass across a NAT, therefore your .10 network will be
    isolated and secure from the .11 folks.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
    Ace Fekay [MCT], Aug 26, 2009
  9. bingyeo

    bingyeo Guest

    Hi Ace

    I understood what Bill was suggesting. My question was that ISA is currently
    joined to the AD on the 10 subnet as a member server, and if AD traffic
    cannot pass through NAT like you said, does this mean I should remove ISA
    from the domain if I move ISA to the 11 subnet?
    I am toying with the idea of using packet filtering on the interfaces on
    RRAS to block 11 subnet from accessing 10 subnet. Is this a good idea?

    bingyeo, Aug 26, 2009
  10. Well, that is one solution, to remove ISA, but then users will be prompted
    to authenticate to ISA, whereas you would have to create identical user
    accounts on ISA, if removed.

    You could also add an additional NIC to ISA for the .11 subnet, and define
    it as a DMZ or an additional subnet (either way), and control traffic using
    ISA rules between the subnets. This will simplify the network instead of
    adding another RRAS internally.

    Also, as a recommendation, don't put ISA or RRAS on a DC. I don't know if
    that's what you have or not, but they don't marry well.

    Ace Fekay [MCT], Aug 26, 2009
  11. bingyeo

    bingyeo Guest

    Hi Ace

    Like I mentioned in my initial post, I have to work with the hardware that I
    have and avoid budgeting for additional NICs. However, there is a possibility
    that additional subnets may be added in future and I cannot add an additional
    NIC to the ISA every time a new subnet needs to be added.

    Anyway, I have added:
    - an Outbound Filter on the Router's 'public' (10 subnet) interface allowing
    all traffic except from Source (Router's own NAT public
    interface) to Destination network, Protocol Any
    - an Inbound Filter on the Router's 11 subnet interface allowing all traffic
    except from Source network to Destination (Router's
    own NAT public interface), Protocol Any

    The first filter blocks traffic from the 11 subnet to the 10 subnet and the
    2nd filter blocks traffic from the 11 subnet to the Router's 10 subnet
    I have also unbound RDP from the Router's 11 subnet interface in Terminal
    Services Configuration.

    After doing this, 11 subnet is no longer able to access 10 subnet, but still
    is able to access internet. 11 subnet is also not able to access the Router's
    10 subnet interface, or RDP to its 11 subnet interface.

    The only downside to this configuration is that I am no longer able to
    access Router via its 10 subnet interface from the 10 subnet.
    Other than that, this seems to meet my requirements.
    Any opinions on whether this method is advisable?

    And no, the ISA and RRAS are not installed on DCs. Thanks for the heads up.

    bingyeo, Aug 27, 2009

  12. If the config works for your requirements, I would go with it. As for not
    being able to access the router on its .10 interface from the .10 subnet,
    which it appears one of the rules may be doing it, assuming that you've
    defined both subnets as internal, you may be able to add an exception to the
    rule? It's been a little while since I've administered an ISA, so I can't
    help specifically, but that is what I am preliminarily thinking.

    I hope that helps.

    Ace Fekay [MCT], Aug 27, 2009
  13. bingyeo

    bingyeo Guest

    Hi Ace

    not sure if you have misread, but the filter is actually done on the RRAS,
    not the ISA.
    Here's what I have configured:

    10.10.10.x
         |
      RRAS/NAT  <----- the Inbound/Outbound Filters are configured here
         |
    10.10.11.x

    So the filters are actually preventing the 11 subnet from accessing anything
    related to 10 subnet directly.
    However, even though it has been configured as an Outbound filter, the
    interface seems to be preventing inbound traffic from the 10.10.10.x network
    as well (no ping, RDP).

    And there is no way to configure exceptions at the RRAS filters, unless
    there is some way which I am unaware of. The only options are Allow all
    traffic except, or Block all traffic except, and any option you pick applies
    to all the filters that you configure.
    bingyeo, Aug 28, 2009

  14. I apologize for the misunderstanding and misreading your description.

    As for RRAS filters, they are limited with rules, and not very robust. If
    you have it set to Block All except, possibly try the reverse to allow All
    except everything other than the gateway? Otherwise, I'm not sure how to
    help with that, unless you install another ISA on that RRAS server.

    Ace Fekay [MCT], Aug 28, 2009