>> Why do you need separate IPs for the web servers given they're all being 
>> proxied through TMG, btw?<<

Well, there's other services besides the web servers, like SMTP (even though we 
outsource our email, I still need an SMTP server internally for various 
reasons), VPN, etc.

But, if I could handle it all through TMG, that would be fine.  I tried it, but 
it didn't seem to work.

It's the one IP from the ISP that gets me. TMG complains that my external IP's 
aren't on any of the adapters and won't allow the routing rule.

In other words, I set up TMG with:

216.2.69.1 as the external IP, gateway of 216.2.69.2

Then I set up internal IP's of 192.168.1.0 (NAT).  Let's say web server 1 is .1, 
two is .2, 3 is .3, SMTP server on .1, etc.

The external ip's are: 216.2.234.64, 65, 66

If I set up a TMG rule to publish 216.2.234.64 to 192.168.1.1, it'll complain 
that 216.2.234.64 is not in the external adapter (which it isn't, because it 
has to be 216.2.69.1).  I tried creating a new 'network' with IP's 216.2.234.64 
(etc) and then put in rules to do the routing, but again TMG wouldn't do it 
because 216.2.234.64 didn't exist as a defined interface.  I don't want to make 
216.2.234.64, 65, 66 as a DMZ, as the servers are internal in the 192.168.* 
address space.

The TMG docs imply you might not be able to do a virtual DMZ:

Forefront TMG does not support defining separate network objects that represent 
remote subnets
Issue: Forefront TMG does not support defining separate network objects that 
represent remote subnets.
Cause: When you define IP address ranges for a network, Forefront TMG checks 
all network adapters. When Forefront TMG finds an adapter with an IP address in 
the network range, it associates the network with that adapter. When a network 
includes remote subnets accessible by Forefront TMG through routers, the IP 
address of the remote subnets should be included in the network definition. If 
you define a separate network object for a remote subnet (instead of including 
it in the network definition), Forefront TMG tries to locate an adapter with an 
IP address of the network object, and fails. Forefront TMG assumes that the 
adapter is not available (disconnected or disabled), and sets network status to 
disconnected.
I'm running out of NIC's in the servers, I couldn't fit a 4 port board in, and 
the little Dell 1U servers don't have room for more than 1 expansion, so I'm 
limited to 4 connections.  1 for ISP failover, 1 for cluster interconnect, 1 
for internal DMZ, and 1 for the Internet doesn't leave room for an actual DMZ.

So my idea was to set up my Layer 3 switch (not level, my mistake) to do the 
routing from 216.2.69.1 to 216.2.234.64, 65, 66, then feed in the 216.2.234.64, 
65, 66 as the external IP's to my TMG farm like I did with the previous ISPs.
                 == John ==
John Gwinner | Director of Technology
DAZSI /Oracle Business Applications
310.640.1300 (office) | 310.640.9900 (fax)
880 Apollo Street - Ste. 201 | El Segundo CA 90245

<http://www.dazsi.com/>
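The two technical points in this exchange, the original question's "route the /29 behind the /30 handoff, don't switch it" and the TMG adapter check John quotes from the docs, modelled in Python as an added example; this is not code from the thread or from TMG. The addresses are the ones given in the thread; the routing device's own interface address on the /29 (216.2.234.65), the internal adapter address (192.168.1.254) and the adapter lists are constructed assumptions.

```python
import ipaddress

# Constructed values based on the addresses in the thread.
ISP_HANDOFF = ipaddress.ip_network("216.2.69.0/30")      # the single /30 from the ISP
ISP_GATEWAY = ipaddress.ip_address("216.2.69.1")         # ISP side of the handoff
OUR_UPLINK = ipaddress.ip_interface("216.2.69.2/30")     # our side of the handoff
PUBLIC_BLOCK = ipaddress.ip_network("216.2.234.64/29")   # the routed public block
# Assumed: the L3 device's own interface on the public block.
OUR_PUBLIC_IF = ipaddress.ip_interface("216.2.234.65/29")
# Assumed: TMG's internal adapter address.
INTERNAL_ADAPTER = ipaddress.ip_interface("192.168.1.254/24")


def tmg_network_status(network_ranges, adapters):
    """Model of the check described in the quoted TMG docs: a network object is
    'connected' only if some adapter holds an address inside one of its ranges;
    otherwise TMG assumes the adapter is missing and marks it 'disconnected'."""
    for adapter in adapters:
        for net in network_ranges:
            if adapter.ip in net:
                return "connected", adapter
    return "disconnected", None


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) tuples; next_hop None means
    the prefix is directly connected to an interface."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def l3_switch_routes():
    """Routing table of the L3 switch (or router) sitting between the AdTran and
    the public segment: both prefixes connected, everything else via the ISP."""
    return [
        (ISP_HANDOFF, None),
        (PUBLIC_BLOCK, None),
        (ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY),
    ]


def isp_routes():
    """What the ISP side has to hold for this to work: the /29 is not on the
    handoff segment, so it must be routed to our /30 address, not switched."""
    return [
        (ISP_HANDOFF, None),
        (PUBLIC_BLOCK, OUR_UPLINK.ip),
    ]


def separate_network_object_status():
    # A standalone network object holding only the remote /29: no adapter has an
    # address in it, so the docs say TMG reports it disconnected.
    return tmg_network_status([PUBLIC_BLOCK], [OUR_UPLINK, INTERNAL_ADAPTER])[0]


def included_in_external_status():
    # The /29 added to the External network's ranges alongside the /30: the
    # uplink adapter satisfies the check, as the docs recommend.
    return tmg_network_status([ISP_HANDOFF, PUBLIC_BLOCK], [OUR_UPLINK, INTERNAL_ADAPTER])[0]


if __name__ == "__main__":
    print("separate object:", separate_network_object_status())
    print("included in External:", included_in_external_status())
    print("switch -> 216.2.234.66:", lookup(l3_switch_routes(), "216.2.234.66"))
    print("switch -> 8.8.8.8:", lookup(l3_switch_routes(), "8.8.8.8"))
    print("ISP -> 216.2.234.66:", lookup(isp_routes(), "216.2.234.66"))
```

`isp_routes()` is the reason VLAN tagging and plain switching don't help: the /29 never appears on the handoff wire as a connected segment, so the ISP forwards it to 216.2.69.2 and something on our side has to own a routing table entry for it. The two status functions reproduce the behaviour the quoted docs describe for a separate network object versus a range folded into an existing network definition.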

From: Brian Desmond [mailto:[email protected]]
Sent: Monday, November 14, 2011 9:33 PM
To: NT System Admin Issues
Subject: RE: New ISP - I have to route public IP's

I don't see how an L3 switch is required here. Certainly you could solve this 
problem with one but it's not necessary. You can do all the routing with TMG if 
you want.

Why do you need separate IPs for the web servers given they're all being 
proxied through TMG, btw?


Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c   - 312.731.3132

From: John Gwinner 
[mailto:[email protected]]
Sent: Monday, November 14, 2011 8:20 PM
To: NT System Admin Issues
Subject: New ISP - I have to route public IP's

I just signed up with a new ISP for the office - we're getting 15Meg for the 
price I used to pay for 2 T-1's.  Nice!

Oddly though, I get a single IP in the range 216.2.69.x/30 and a default 
gateway. This isn't a T-1 or other telecom-ish interface; they give me an 
Ethernet jack (comes out of an AdTran), with an IP stack on it.

I ALSO get 5 (usable) IP's in the range 216.2.234.X/29.

I have 3 public web servers with separate IP's I need to host on the Internet 
(they are firewalled/DMZ'd through Microsoft's TMG).

The wrinkle: My ISP expects me to route my public IP's 'through' the 216.2.69.X 
gateway. Not just switch the 5 usable IP's, I have to route them.  The 
216.2.69.X is what the Adtran puts out (say .2 for 'my' router and .1 for the 
gateway).  Behind that, I have the 5 usable IP's and I have to route that to 
the Adtran.

My ISP said I needed a Level 3 switch; I have a couple of Dell 6248P's.

Can I do this with a Dell 6248p?

VLAN tagging wouldn't work, I don't think, as who knows if whatever web site 
we're surfing to, or whatever customer is looking at our public IP's, would 
support VLAN tagging.  This is a raw, public IP.

Can I do a 'physical segmentation' on say 4 of the ports then set up a route from

216.2.69.1 => 216.2.234.64, 65, 66
and
216.2.234.64, 65, 66 => 216.2.69.1
with the Dell 6248's doing the routing?

If the Dell PowerConnect 6248 cannot do this, can anyone recommend a router 
that can?  Most of the Cisco, Adtran, etc. routers I've seen take a NIM card 
that takes T-1's.  I don't have a T-1, I'm getting a full 8 pair Ethernet cable 
with an IP stack already on it, it's just that I need to route my public IP's to 
their (my) public gateway IP with my own equipment.

Any advice?

Thanks,

                 == John ==


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin
