possible to add a dsl line to our lan for browsing?

Guest

I am in a corporate environment with buildings all over the city. We have
lousy internet speed. The IT dept says that the entire city shares the same
switch and T1 line at a single location. They have also said that they are
not going to do anything about the speed issue.

My boss says that if I can find a way to use a DSL (or even a T1) line
for our plant's internet access, he will buy whatever I need to make it
happen and will also take the complaints from IT. We would still have
to have access to the city's LAN, but for web browsing we would use the DSL
line.

I can envision this being possible, but at this point I'm not smart
enough to figure it out. We will have no IT support (and they will be ticked
off if I screw it up), but I have the boss's full support (in writing, no
less) to try.

I imagine that I would need another router between our LAN and the
corporate router. Configuration from that point would be interesting. How do
I direct intranet and shared folder requests to the city's LAN while all
other browser requests go to the DSL line?

Can anyone get me started on requirements for this? Caveats?
Thank you in advance
 
I doubt you have control over the DHCP server(s), so I would say no. If
enough of you complain, especially management types, the IT dept will do
something about it. It's probably low on their list and the management team
needs to move it up (if it really is a business issue and not just people
complaining that surf speeds are slow).
 
The two basic options are:

1. A proxy server such as ISA running on a Windows server or a hardware
proxy device with a DSL line. Note that if you also need to access internal
web servers on the city LAN, you will need to be able to configure
rules/exceptions to reach them.

2. You could use simple routing: Connect a DSL router to a LAN port on
your existing network; give it a compatible non-conflicting IP; and
configure your local machines to use this IP as a default gateway. However,
if the city LAN comprises multiple subnets which you need to reach, you must
configure static routes to all of them on the DSL router - routes would
point to your old LAN gateway. If your DSL router did not support multiple
static routes, you could configure the routes on individual machines.
Whether or not the static route issue is significant requires more
information about the city LAN and your specific needs.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
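
A model of the host routing table that option 2 describes, added here as an example and not part of the original thread: it applies longest-prefix matching and lists any required city-LAN ranges that lack a static route and would therefore follow the default route out the DSL router. All addresses and the names `ROUTES`, `next_hop` and `uncovered_ranges` are constructed for illustration.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
DSL_ROUTER = "192.168.10.254"     # hypothetical: new default gateway on the plant LAN
OLD_LAN_GATEWAY = "192.168.10.1"  # hypothetical: existing gateway toward the city LAN

# (prefix, gateway); a gateway of None means the subnet is directly attached.
ROUTES = [
    ("0.0.0.0/0", DSL_ROUTER),          # default route: everything else uses the DSL line
    ("192.168.10.0/24", None),          # the plant's own subnet
    ("10.20.0.0/16", OLD_LAN_GATEWAY),  # static route to a city subnet
    ("10.30.5.0/24", OLD_LAN_GATEWAY),  # static route to one /24 of another city range
]


def build_table(routes):
    """Parse (prefix, gateway) pairs into (network, gateway) pairs."""
    return [(ipaddress.ip_network(prefix), gateway) for prefix, gateway in routes]


def next_hop(table, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    address = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table if address in net]
    if not matches:
        raise LookupError(f"no route to {destination}")
    return max(matches, key=lambda match: match[0].prefixlen)


def uncovered_ranges(table, required_subnets, internet_gateway):
    """Return the parts of each required internal subnet that no internal route covers.

    Anything returned here would match only the default route, so traffic for it
    would be sent to the internet gateway instead of the city LAN.
    Assumption: the default route is the only route pointing at internet_gateway.
    """
    internal = [net for net, gw in table if gw != internet_gateway]
    report = {}
    for prefix in required_subnets:
        remaining = [ipaddress.ip_network(prefix)]
        for net in internal:
            still_open = []
            for piece in remaining:
                if piece.subnet_of(net):
                    continue                      # fully covered by this route
                if net.subnet_of(piece):
                    # Route covers part of the piece: keep only what is left over.
                    still_open.extend(piece.address_exclude(net))
                else:
                    still_open.append(piece)      # no overlap with this route
            remaining = still_open
        if remaining:
            report[prefix] = sorted(remaining)
    return report


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dest in ("10.20.3.7", "10.30.5.9", "10.30.6.9", "203.0.113.10"):
        net, gw = next_hop(table, dest)
        print(f"{dest:15} matches {str(net):18} via {gw or 'on-link'}")
    needed = ["10.20.0.0/16", "10.30.0.0/16"]
    for prefix, gaps in uncovered_ranges(table, needed, DSL_ROUTER).items():
        print(f"{prefix}: no static route for {', '.join(map(str, gaps))}")
```
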
 
Doug Sherman said:
2. You could use simple routing: Connect a DSL router to a LAN port on
your existing network; give it a compatible non-conflicting IP; and
configure your local machines to use this IP as a default gateway. However,
if the city LAN comprises multiple subnets which you need to reach, you must
configure static routes to all of them on the DSL router - routes would
point to your old LAN gateway. If your DSL router did not support multiple
static routes, you could configure the routes on individual machines.
Whether or not the static route issue is significant requires more
information about the city LAN and your specific needs.

Hi, guys...

That is what I would suggest too,..except I would leave the existing LAN
router as the Default Gateway (requires no changes to Hosts, DHCP Scopes,
etc), then change the Default Gateway of the LAN Router to be the DSL
Device. If routing protocols are in use it will already know about the
other LAN segments and have routes to them,...if not then give it the
required static routes.

This way only one device is ever touched (the existing LAN Router) and it
prevents the LAN's Routing System from becoming dependent on a DSL Device
of which most are "home user" quality. Besides that, with multi-segment
LANs, I am always against making the "Internet Sharing Device" (whatever
that may be) the lynch-pin of the LAN's Routing ability. I like
to keep the LAN's routing ability independent of anything associated with the
Internet.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
 
Phill's idea is indeed better - I was kind of assuming that you didn't have
access to the corporate router.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 
Doug Sherman said:
Phill's idea is indeed better - I was kind of assuming that you didn't have
access to the corporate router.

Configuring it may not be for the timid either. It will have to be up to
them to decide which way to go,...I just thought I'd toss in the idea.
 


Did you or your boss actually read the terms of service for the contract
between you and them? The "city's LAN" may not permit you to subvert
security of their network by installing "backdoors" that allow viruses and
other malware to get into the network at points within the network that are
after any protections they have implemented in their LAN. It is *their* LAN
to which you *subscribe*. I'm sure there would be no problem if you
disconnect from their LAN and use your own.
 
Thanks folks,
You are correct in that I wouldn't have access to the LAN router. It
would probably be possible to get IT to make a config change but we would
rather just do it ourselves. I imagine that they will have a fit once they
find out anyway but something has to change. This might be the catalyst.
I didn't consider the DHCP aspect, but we could static all the machines
we have easily enough. I prefer that anyway so I can sniff out problems
without chasing MAC addresses.
I'm not familiar with static routes. I have seen the entry for them but
never had a need; can you give me a cliff notes version of how to use them?
We also use Exchange server and domain logons that would have to be
validated through the central server. How much does that complicate things?
Perhaps a proxy (ISA) is the answer for browsing?



 
The way you configure static routes on a router, as distinguished from a
Windows computer, is product specific. As an example, a low end router such
as Linksys BEFSR11 claims to support 20 static routes and the manual
explains how to configure them;

http://www.linksys.com/servlet/Satellite?childpagename=US/Layout&packedargs=c%3DL_Product_C2%26cid%3D1115416832017&pagename=Linksys%2FCommon%2FVisitorWrapper

The first thing you need to do is determine whether this is a significant
issue - how many subnets are on this network and how many do you really need
to access. Possibly you could use dynamic routing, but this is probably not
a good idea in this scenario.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

 
Talk to your IT folks. In most orgs, and yours sounds like a large one,
somebody installing a rogue device, ESPECIALLY a router to the internet,
You could find yourself unemployed so fast you'll have no idea what hit
you. Think about it, would you install a new door in your company's
building?

 
I really do understand that issue and will deal with it once I have a
solution to the real problem, which in this case is a crippling lack of
available bandwidth. IT is aware of it and has even switched their own pipe
to another T1 so they can function, but they won't do that for anyone else.
It's so bad that for our plant, Windows Update doesn't work properly because
it times out, and email calls go out occasionally asking everyone to conserve
usage whenever anyone is doing a presentation that requires bandwidth. It's
just silly and my boss wants me to fix it.
Using DSL will be a cost-effective solution and once I demonstrate a
viable solution (short of running fiber 20 miles to the NOC) IT will come
around. I have the support of my boss and his. I know this can be secured
better than they currently provide so I'm not too worried about that end.
I'm just looking for the best way to do it. Something that IT will appreciate
and understand, even if they didn't think of it themselves.

 
Have your boss take it up with management. From the perspective of IT,
NO, they will not appreciate it. At best, work with them. Introducing a new
connection to the internet behind their back will only piss them off and
put your job in jeopardy. There are other issues that you are not aware
of with regard to bandwidth. One of which is cost. DSL may be cheap, but
it's not reliable. You can be assured that if given the budget, your IT
folks would be more than happy to increase bandwidth.

Deal with the issue BEFORE you implement a solution. I run a network; I
can assure you that if I ever found a rogue router, regardless of the
intentions, I'd have the person responsible fired.

 
Asher_N said:
Perhaps a proxy (ISA) is the answer for browsing?

Maybe.

Since clients do not "find" the ISA via the LAN's Routing Scheme, you can
add an ISA to your new Internet Link and have the users use it for the
Internet access and it will not affect the LAN's Routing Scheme at all as
long as you *never* try to use SecureNAT Clients with the ISA. Use only Web
Proxy Clients or Firewall Clients (aka Winsock Clients).

Since Web Proxy Clients use the browser's "proxy settings" to find the ISA
and Firewall Clients use the locally installed "Firewall Client Software" to
find the ISA,...you can therefore use the ISA and never affect or alter the
existing Routing Scheme of the LAN.

This is how I run my system here and have about 3+ ways out to the Internet
with ISA being only one of them. I of course cannot use SecureNAT Clients
with my ISA,...because NAT depends on, and runs on top of, Layer3 Routing,
therefore any clients configured this way would be taken out via a different
Firewall Box because that is the box (not the ISA) that sits within the
"Layer3 Path" of the LAN.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
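
Added example, not part of the original post: a proxy auto-config (PAC) script is one way to set the browser "proxy settings" described above so that city-LAN hosts are reached directly and everything else goes to the proxy on the new link. The proxy address, DNS suffix and subnets are constructed placeholders, and `ipv4ToInt` and `inSubnet` are hypothetical helpers written here in place of the browser-supplied PAC functions so the script also runs under Node.

```javascript
// PAC script: the browser calls FindProxyForURL(url, host) for every request.
// All addresses and names below are constructed placeholders (assumptions).
var PROXY = "PROXY 192.168.50.10:8080";    // hypothetical proxy on the DSL link
var INTERNAL_SUFFIXES = [".city.example"]; // hypothetical intranet DNS suffix
var INTERNAL_NETS = [                      // hypothetical city LAN subnets
  ["10.0.0.0", 8],
  ["192.168.50.0", 24]
];

// Dotted-quad text -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipv4ToInt(text) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the IPv4 literal falls inside base/prefixLen.
function inSubnet(ipText, base, prefixLen) {
  var ip = ipv4ToInt(ipText), net = ipv4ToInt(base);
  if (ip === null || net === null) return false;
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(ip / size) === Math.floor(net / size);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (e.g. "intranet") only resolve on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Match on a dot boundary so "notcity.example" is not treated as internal.
    if (host === s.slice(1) || host.slice(-s.length) === s) return "DIRECT";
  }
  for (var j = 0; j < INTERNAL_NETS.length; j++) {
    if (inSubnet(host, INTERNAL_NETS[j][0], INTERNAL_NETS[j][1])) return "DIRECT";
  }
  // Everything else goes to the proxy only: no DIRECT fallback, so a proxy
  // outage fails closed instead of silently bypassing its access rules.
  return PROXY;
}
```

The exception list has to cover every internal name and subnet the users need, because anything it misses is sent to the proxy on the new link.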
 
When I come up with a solution that works, I will do exactly that.


Asher_N said:
Have your boss take it up with management. From the perspective of IT,
NO, they will not appreciate. At best, work with them. Introducing a new
connection to the internet behind their back will only piss them off and
put your job in jeopardy. There are other issues that you are not aware
of with regards to bandwidth. One of which is cost. DSL may be cheap, but
it's not reliable. You can be assured that if given the budget, your IT
folks would be more than happy to increase bandwidth.

Deal with the issue BEFORE you implement a solution. I run a network, I
can assure you that if I ever found a rogue router, regardless of the
intentions, I'd have the person responsible fired.

I really do understand that issue and will deal with it once I have a
solution to the real problem. Which in this case is a crippling lack
of available bandwidth. IT is aware of it and has even switched their
own pipe to another T1 so they can function but they won't do that for
anyone else. It's so bad that for our plant, windows update doesn't
work properly because it times out, email calls go out occasionally
asking everyone to conserve usage whenever anyone is doing a
presentation that requires bandwidth. It's just silly and my boss wants
me to fix it.
Using DSL will be a cost effective solution and once I demonstrate a
viable solution (short of running fiber 20 miles to the noc) IT will
come around. I have the support of my Boss and his. I know this can be
secured better than they currently provide so I'm not too worried
about that end. I'm just looking for the best way to do it. Something
that IT will appreciate and understand, even if they didn't think of
it themselves.

Asher_N said:
Talk to your IT folks. In most orgs, and yours sounds like a large
one, somebody installing a rogue device, ESPECIALLY a router to the
internet, you could find yourself unemployed so fast you'll have no
idea what hit you. Think about it, would you install a new door in
your company's building?


The way you configure static routes on a router, as distinguished
from a Windows computer, is product specific. As an example, a low
end router such as Linksys BEFSR11 claims to support 20 static
routes and the manual explains how to configure them;

http://www.linksys.com/servlet/Satellite?childpagename=US/Layout&packedargs=c%3DL_Product_C2%26cid%3D1115416832017&pagename=Linksys%2FCommon%2FVisitorWrapper
The first thing you need to do is determine whether this is a
significant issue - how many subnets are on this network and how
many do you really need to access. Possibly you could use dynamic
routing, but this is probably not a good idea in this scenario.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

Thanks folks,
You are correct in that I wouldn't have access to the lan router. It
would probably be possible to get IT to make a config change but we
would rather just do it ourselves. I imagine that they will have a
fit once they find out anyway but something has to change. This
might be the catalyst.
I didn't consider the DHCP aspect, but we could static all the machines
we have easily enough. I prefer that anyway so I can sniff out
problems without chasing mac addresses.
I'm not familiar with static routes. I have seen the entry for them but
never had a need, can you give me a cliff notes version of how to use
them?
We also use Exchange server and domain logons that would have to be
validated through the central server. How much does that complicate
things?
Perhaps a proxy (ISA) is the answer for browsing?



in message
2. You could use simple routing: Connect a DSL router to a LAN port on
your existing network; give it a compatible non-conflicting IP;
and configure your local machines to use this IP as a default
gateway. However, if the city LAN comprises multiple subnets which you
need to reach, you must configure static routes to all of them on the
DSL router - routes would point to your old LAN gateway. If your DSL
router did not support multiple static routes, you could configure the
routes on individual machines. Whether or not the static route issue is
significant requires more information about the city LAN and your
specific needs.

Hi, guys...

That is what I would suggest too,..except I would leave the
existing LAN router as the Default Gateway (requires no changes
to Hosts, DHCP Scopes, etc), then change the Default Gateway of the
LAN Router to be the DSL Device. If routing protocols are in use it
will already know about the other LAN segments and have routes to
them,...if not then give it the required static routes.

This way only one device is ever touched (the existing LAN Router) and
it prevents the LAN's Routing System from becoming dependent on a DSL
Device of which most are "home user" quality. Besides that, with
multi-segment LANS, I am always against making the "Internet
Sharing Device" (whatever that may be) from being the lynch-pin
of the LAN's Routing ability. I like to keep the LAN's routing ability
independent of anything associated with the Internet.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
 