windows 2003 router, ISA 2004, surf control, DHCP BOX troubles


Posted

Hello gang,

I have so much trouble with my server which has ISA 2004, SurfControl, Windows 2003 and is acting as a DHCP server.

I'll draw a network diagram.

The problem that I get with this situation is I'll have a 'working' system, then as soon as I change anything, it will fall apart; there is no stability in this system. I do not know why either. Most of my problems revolve around the routing of the Win2k3 Server. Or so I believe.

Now in the very poor diagram I have the orange box being the box in question. As you can see it is 'hopefully' acting as a router between the 10,20 /24 subnets.

Now that group of lines on the right of the orange box is supposed to represent a single network adapter, which has a 192.168.10.1 and a 192.168.20.1 address.

At the same time I have a DHCP scope of 192.168.20.1 on the orange box, which will not complete the DORA process unless the 20.1 address is put higher in the IP address field than the 10.1 address.

On this orange box, as I say, is ISA 2004; however this should be irrelevant, as for troubleshooting purposes I have created an access rule of "Allow all protocols to all network (including local host) from all networks (including local host) to all unauthenticated users at all times".

I should also add that the ISA 2004 is acting as a web proxy, that all the subnets point to at 192.168.10.1. ROUTING should ensure that the 20.0 subnet will be able to see the proxy? Correct?

Now whilst I can SOMETIMES ping across subnets, this is not always the case. As I said in the opening, stability is ridiculous here.

Now the first problem is that the orange box cannot see the internet; whilst its own default gateway and DNS are pointing towards the DSL router and beyond, it will simply NOT ACCESS the internet, webpages I mean. I can ping www.google.com with a fail on the first ICMP return and 3 replies.

Should the orange box be a web proxy client itself? Should it be pointing to itself for proxy?

The error I get with the orange box trying to get on the internet is "ISA server denies access", which is ridiculous because I have that rule in place, or I can also get the "site unavailable" error.

This is 'ok' as I don't want to access the internet at that server anyway, but allow internet access to the client subnets. They get the same errors.

I have so many symptoms it's ridiculous; it could be easier if someone could take the time and tell me how they would set up this scenario, keeping in mind that the subnets and services need to stay in the same arrangement.

I really need help with this. It's the first time I've done this on a Windows 2003 Enterprise box, but how different can it be? I have a working replica of this situation on a 2000 server and ISA 2000.

PS: the only working situation I can get is when I get a client on the 10.0 subnet pointing as it should to the orange box, but if I remove other IPs from the orange box, only the 10.1, or have 10.1 as the first IP in the list. So when there's no routing involved at all, it works. But that leaves my entire subnet out of the loop as far as internet access.

PPS: The little boxes represent computers and are blocked into subnets.

The red to the left is the internet.

Like I say, I really need help with this, guys. Can anyone help?

Thanks a lot, people, I do appreciate this.

**I posted this thread in another forum; I need help so I'm trying different ponds!

post-68733-1129585470_thumb.jpg


Posted

For starters.. I think we are missing some sorta information.

I assume SurfControl is running on this ISA 2004 Proxy gateway..

Correct me if I am wrong but you say that all those lines to the right of the orange box are one network adapter. That is a little crazy and I would say that is a point of failure.

I don't see it on the diagram but I assume the left side of the orange box has an IP address that is assigned by your ISP.

Windows will work OK with 1 network adapter having 2 IP addresses if the 2 addresses are on the same subnet.. if they are not.. you will confuse Windows... ESPECIALLY if you have ISA running on that same machine. These interfaces should be configured with just an IP address and a subnet mask (DNS server if you wish but not necessary; your ISP NIC should definitely have that, unless this is ALSO a domain controller). After you configure the LAN NIC to have NO default gateway you will need to go into ISA and construct your LAT (Local Address Table) so ISA knows which subnets are LAN subnets and which ones are not.

Is the reason you have both subnets connecting to your orange box on one nic because of SurfControl?

SurfControl poses a problem.. and as I am sure you have found out.. SurfControl isn't too clear or concise about their configurations. To my knowledge (at least in my implementation of SC) one NIC should be a dedicated "listener" for SC. This NIC is configured by giving it an IP address of 127.0.0.1 and running it in promiscuous mode and mirroring the port your gateway is connected to on the managed switch. Please correct me if I am wrong.

That is all I can think of.. respond back if I have missed any details.

Posted

Thanks for the quick reply, Chili!

OK, so yes, SurfControl is a web filtering service, running AS a service on the orange box; it listens (reports and filters) to everyone requesting the WebProxy service of ISA. It's a SurfControl for ISA Server installation so it's all pretty in sync with each other, or so I believe.

Sorry for the lack of quality of detail on the diagram as well. On the right is a single NIC; yes, you're right, crazy - but it's only for a short while. Now there is ONLY one NIC on the orange box so there is no other IP on the left of the box. To the left of the orange box is our DSL router which has an address of 192.168.10.10 (that's an error on the diagram, sorry!!) so the orange box points to 192.168.10.10 for its default gateway, and to 192.168.10.2 for DNS, which then forwards to ISP DNS servers.

On the other side, the left side of the DSL router, is a static IP address assigned by the ISP.

I have 2 subnets coming in on the one NIC because I want the box to route between the subnets as well as service internet requests.

If you need any more details just ask please!

Thanks again!!

Posted

So for more clarification.. you don't have 2 LAN segments but you have one LAN segment (192.168.20.x/24) and your WAN segment is 192.168.10.x/24, correct?

Also.. the NIC that is servicing LAN requests is also the same NIC that is servicing the WAN requests? Am I following you on this one?

Is this a domain controller also?

On the diagram it looks more as if you have 2 LAN segments.... either that or your routing doesn't make much sense since you seem to have the 192.168.10.x/24 segment on both sides of your ISA (LAN/WAN), which simply won't work. Please try and clarify this a little more if you could.
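
An added example, not part of any post in this thread: a Python check of a gateway's address plan against the points the replies raise (one adapter bound to two subnets, the default-gateway segment also holding clients, a client subnet missing from the internal ranges the first reply calls the LAT). The function name, finding codes and dictionary layout are assumptions made for illustration; the first plan uses the addresses quoted in the thread and the second is a constructed two-NIC layout.

```python
import ipaddress

def audit(adapters, client_subnets, internal_ranges):
    """Return (code, detail) findings for a gateway's address plan."""
    findings = []
    clients = [ipaddress.ip_network(s) for s in client_subnets]
    internal = [ipaddress.ip_network(s) for s in internal_ranges]
    gateways = []
    for ad in adapters:
        nets = sorted({ipaddress.ip_interface(a).network for a in ad["addresses"]})
        if len(nets) > 1:
            # One adapter bound to several subnets (the first reply's concern).
            findings.append(("MULTI_SUBNET_ADAPTER",
                             f"{ad['name']}: {', '.join(map(str, nets))}"))
        if ad.get("gateway"):
            gw = ipaddress.ip_address(ad["gateway"])
            gateways.append(ad["name"])
            if not any(gw in n for n in nets):
                findings.append(("GATEWAY_OFF_LINK", f"{ad['name']}: {gw}"))
            # The upstream router sits on a segment that also holds clients,
            # i.e. the same subnet is on both the LAN and the WAN side.
            for c in clients:
                if gw in c:
                    findings.append(("WAN_SHARES_CLIENT_SUBNET", f"{gw} in {c}"))
    if len(gateways) > 1:
        findings.append(("MULTIPLE_DEFAULT_GATEWAYS", ", ".join(gateways)))
    for c in clients:
        if not any(c.subnet_of(r) for r in internal):
            findings.append(("CLIENT_SUBNET_NOT_INTERNAL", str(c)))
    return findings

# Addresses as quoted in the thread: one NIC, two subnets, DSL router at .10.10.
THREAD_PLAN = dict(
    adapters=[{"name": "nic0", "gateway": "192.168.10.10",
               "addresses": ["192.168.10.1/24", "192.168.20.1/24"]}],
    client_subnets=["192.168.10.0/24", "192.168.20.0/24"],
    internal_ranges=["192.168.10.0/24", "192.168.20.0/24"],  # assumed
)
# Constructed two-NIC layout: WAN on 192.168.10.x, LAN on 192.168.20.x.
SPLIT_PLAN = dict(
    adapters=[{"name": "wan", "gateway": "192.168.10.10",
               "addresses": ["192.168.10.1/24"]},
              {"name": "lan", "addresses": ["192.168.20.1/24"]}],
    client_subnets=["192.168.20.0/24"],
    internal_ranges=["192.168.20.0/24"],
)

if __name__ == "__main__":
    for code, detail in audit(**THREAD_PLAN):
        print(code, detail)
```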
