Windows Server 2008 R2 Thread (Technical forum): LGFL 2.0 services - Firewall & web filtering
  1. #1 apur32 (London)

    LGFL 2.0 services - Firewall & web filtering

    We are using LGFL 1.0 internet with our own ISA Server 2006 and Websense filtering. We were configured with LGFL 2.0 services a few days ago and would like to use LGFL's firewall and web filtering services. They configured a Cisco router + Cisco firewall on site and gave us an IP range to use. Previously the connection came from the Extreme switch into our ISA Server 2006 and was then distributed to the whole school through Group Policy. We got an IP address range from LGFL to use and different DNS addresses, which I think will go directly into our switch, and we will configure our DHCP settings? Can someone already using LGFL 2.0 services confirm this please?

    Now the second question: how do we change our internal IP addresses? Domain controller, AV etc. We are currently using 172.x.x.x IP addresses and received 10.8.x.x from LGFL for 2.0 services. Please advise how to change all the internal IP addresses and what impact it will have on our network?

    I hope this is possible as we do not have much time left for the change over.

    Please help.

  2. #2 psydii (London)
    No need to change your internal addresses.

    DOCUMENT EVERYTHING YOU CHANGE BEFORE YOU MAKE ANY CHANGES.
    DOCUMENT YOUR CHANGES BEFORE YOU MAKE THEM.

    Make sure all your internal servers and clients use only your AD for DNS.

    Physically isolate the 10 range from your LAN.

    Plug your ISA into either the curriculum or admin port on the ASA as though it was the old Extreme.
    Re-configure the EXTERNAL NIC on the ISA to have an address in the 10.8.x.x range (make sure it is in the correct admin / curriculum range)
    Make sure that only the INTERNAL NIC on the ISA has DNS servers configured and make sure they are your DCs (assuming your DCs are running AD integrated DNS)
    Remove the webchaining rule that points to proxy1; there is no explicit proxy required now.

    Update the forwarders on ALL your AD DNS servers as per Atomwide documentation.

    Job done.

    (Assuming the default gateway of your internal network is your core switch and that the default gateway of your core switch is your ISA.)

    Are you publishing any sites (do you host SIMS/ePortal/Exchange/SharePoint/Moodle?) from your LAN? If so you will need to ensure that you have the correct MIPs in place.

    Do you have any services that connect out on strange ports? Then as well as having them open on your ISA you will also need to have them configured on the ASA by Atomwide (though tell them that it's your ISA IP that is making the outbound connections, because from their perspective it is).

    Finally where are you? I know someone who might be able to come to site to help if needed.
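The forwarder step above is the one most easily left half-done on a multi-DC domain. The following PowerShell 2.0 script is an added example, not something from this thread or from LGfL/Atomwide: it walks every domain controller, reads the DNS forwarder list through the MicrosoftDNS WMI provider that ships with the 2008 R2 DNS role, reports any DC whose forwarders differ from the expected list, and resets them only when run with -Fix. The two forwarder addresses are placeholders; substitute the resolvers from the Atomwide documentation.

```powershell
# Added example (not from the thread): audit, and optionally reset, the DNS
# forwarders on every DC so the whole domain resolves through the LGfL 2.0
# resolvers after the switch-over. Run from a DC as a domain admin.
# ASSUMPTION: the addresses below are placeholders, not real LGfL resolvers.
param(
    [string[]]$ExpectedForwarders = @('10.8.0.1', '10.8.0.2'),  # placeholders
    [switch]$Fix                                                # report only unless set
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        # MicrosoftDNS_Server exposes the server-wide Forwarders list on a 2008 R2 DNS server
        $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server `
                             -ComputerName $name -ErrorAction Stop
    } catch {
        Write-Warning "$name : DNS role not reachable via WMI ($_)"
        continue
    }

    # Drop a null entry so an empty forwarder list compares cleanly
    $current = @($srv.Forwarders | Where-Object { $_ })
    $diff = Compare-Object -ReferenceObject $ExpectedForwarders -DifferenceObject $current

    if (-not $diff) {
        Write-Host "$name : forwarders OK ($($current -join ', '))"
        continue
    }

    Write-Warning ("$name : forwarders are [" + ($current -join ', ') +
                   "], expected [" + ($ExpectedForwarders -join ', ') + "]")

    if ($Fix) {
        # Write the expected list back; Put() commits the change on the remote server
        $srv.Forwarders = $ExpectedForwarders
        $srv.Put() | Out-Null
        Write-Host "$name : forwarders reset"
    }
}
```

Run it once without -Fix to get the before-state for the change record, then with -Fix, then once more to confirm every DC reports OK.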

  3. #3 apur32 (London)

    Quote Originally Posted by psydii View Post
    Finally where are you? I know someone who might be able to come to site to help if needed.

    North London

  4. #4 apur32 (London)

    If LGFL is providing a Cisco firewall then why do we need to use ISA 2006?

    This should be switched off???

  5. #5 psydii (London)

    It depends on your local requirements. Who set up your ISA and what were their reasons? Also, do you have multiple subnets?

    Keeping your internal ranges as-is and making a small change to your DNS servers and ISA will take a few minutes (after an hour of thinking and planning).

    Re-addressing your entire LAN will require the retesting of every single service on the network.

    You've 'officially' got 72 hrs to make the switch, so you don't have time to plan for, implement and test a complete reconfig.
    Last edited by psydii; 28th May 2012 at 09:06 PM.

  6. #6 hit (London)

    Quote Originally Posted by psydii View Post
    You've 'officially' got 72 hrs to make the switch, so you don't have time to plan for, implement and test a complete reconfig.

    That 72 hours is a very variable thing; my main site migrated back in mid-March. I went to the cabinet where the old LGfL1 connection came in and noticed that there was still a link light on the media converter, so I plugged in a laptop and sure enough, it's still live. So it looks like I have a redundant circuit for the time being.

  7. #7 apur32 (London)

    We are using ISA 2006 with Websense filtering. On our external ISA NIC an IP address of 212.85.x.x is configured. We are hosting ePortal and Moodle on two 212.85.x.x IP addresses. I think you were assuming that we are using proxy1 from LGFL.
    I think we need to do NAT on our ISA and don't need to change our internal IPs. If anyone has done NAT before please explain the process. Eventually we will change all our internal IPs?
    Another question. On our ASA only one port is open for both admin and curriculum. How can we have two different policies for staff and students? Do we need to request that a 2nd port be opened on the ASA, and use a different solution for staff? What are other schools using?
    What will the configuration be?
    Last edited by apur32; 30th May 2012 at 12:26 PM.

  8. #8 hit (London)

    You cannot use the IP-based LGfL2 filtering behind your own NAT/firewall. You will need to move all the machines that were behind the firewall to the other side of your ISA server. You can still use logon-based filtering, however. When you hit a blocked page you should get a login button, into which you put your USO credentials, which (depending on your policies) may let you view the page. It's all well documented on the support.lgfl.org.uk site; log on there and hit the help link (top right).

  9. #9 psydii (London)

    I don't think you get that option either if you are running your own firewall. It's assumed your firewall can differentiate between your users.

    Upgrading to TMG + a Web Protection subscription gives this functionality, but if it is important for your school you may already have a third-party add-on for ISA?

    Broadly speaking if you run your own firewall/proxy then your options for Web Filtering remain mostly unchanged under LGFL2.

  10. #10

    It's true that if you have a local firewall or ISA that's doing NAT then normally you can't do per-user filtering, or for that matter per-workstation filtering; the whole network goes out as one IP so it's the same as Opt2 in LgfL 1 land.

    What you can do is run your local firewall in one-to-one NAT mode rather than many-to-one. This means that every workstation and device gets its own 10.x.x.x address as it goes past your firewall. This way you can make use of the WebScreenII filtering in full. Tricky to set up but does the trick.

    There is no specific need for an ISA in the corner of the network and I've got rid of that in a couple of primaries, but the real way to do it is to re-IP the network, which makes full use of all the features.
