Advanced Routing with an ISA server.

[abuttino]

Hello all, it's my first post here so be gentle

I have a small home network with an ISA server (Microsoft Threat management Gateway 2010), then a domain controller with DHCP and DNS on it on the adminitrative side. Then about 7 "workstations", 3 are joined to the domain with a 192.168.1.? Address.

The windows media center (Windows 7 Ultimate) is one of the computers that are joined to the domain/network. This is connected to the TMG domain network via it's 1st nic.

The XBox 360 (Media center extender) is tied to the network with an Actiontec MI424 acting only as a bridge to the main Westell Verizon router via the MoCA ports.

After knowing that the XBOX was not going to be able to communicate with a computer behind the ISA Server, I had only one temporary choice; hook the second NIC of the media center to the Westell router and give it a 192.168.3.? address along with the Xbox.

So, there becomes a serious security issue when having my media exposed to the internet like that (I don't trust Windows Firewall at all) and I could imagine that it leaves my entire network open to attacks through the media center.

I have been learning my way around WinServer 2008 and Microsoft Threat Management Gateway for a short time but I do have a pretty good grasp of what it's capable of.

What I'd like to do is subnet the entire lan and use some sort of advanced routing to get out to my xbox to use the media center extender properly without the security risk.

What should I do?


EDIT: It's not really the XBox I am concerned about, it's the MoCA that ties the media center to the bedroom. That MoCA connection is also responsible for the IPs on the Set top boxes that gets guide data and Video on Demand. Unfortuately, there is no way around this.

As much as I'd like to, I can't connect the Xbox to the LAN Switch at this point. We are about to move and I am not going to pay a contractor money to run a Cat5.

 

[YeOldeStonecat]

You're in a situation where you're coming up against obstacles of mixing an enterprise level firewall (ISA)..with active directory requirements...combined with more home grade products like non-pro version of Windows, and....other devices that cannot authenticate against AD..such as your console.

Multi-homing the media center get one way around it, but I don't think you have to worry as much...as that second NIC is still behind a NAT router, it's not sitting on a direct public IP.

I haven't worked with ISA since 200..err...4 edition, I got pretty comfy with ISA 2000. With those versions you wanted the proxy client installed on workstations..some I'm sure isn't possible with a gaming console.

To ensure the media center cannot communicate with the internet via the 2nd NIC..give it a static IP without a gateway. That'll ensure no incoming or outgoing without going through ISA.

 

[abuttino]

Well, then, that leaves me with a question. Will the XBox know the media center is connected to the WAN router without it having a proper gateway to talk?

If I were to experiment with connecting the Coax to the LAN router, what ports would I need to forward for VOD and guide info?

 

[abuttino]

Ok, that answers that question. The XBox didn't know where the Media Center was. Tried to download the software for the extender but didn't have the ability to connect.

I also tried to connect the MoCA Fios to the LAN router, it didn't work. I'll try a split and configure the router for a MoCA bridge and use the ISA gateway tomorrow, I highly doubt it'll work..

My WAN connection on my media center has piped through 14TB of data today.. I gotta stop this bleeding.

 

[YeOldeStonecat]

Well, then, that leaves me with a question. Will the XBox know the media center is connected to the WAN router without it having a proper gateway to talk?

If I were to experiment with connecting the Coax to the LAN router, what ports would I need to forward for VOD and guide info?

I imagine it should...you only need IP addresses in the same range, and subnet mask...for computers to talk to each other on a LAN. The gateway is only a pointer to where the router it to talk to other networks (IE...internet). LAN to LAN traffic never goes out the gateway.

Now that I think about it, there was a setting in prior versions of ISA which allowed any/all traffic to pass without authentication. I imagine you could do this on the current version..and allow XBox to hit the internet. But you many end up still finding XBox giving you strict NAT errors. I lost interest in ISA a few years ago as dedicated hardware platforms came out...UTM appliances, to help lock down networks better.

 

[abuttino]

Ok, I have the best situation that I have come across. VOD works and the widgets work, however the MoCA light is flashing on the two LAN routers.

However, all the network functionality is perfect.

I tied the LAN routers together with MoCA, then bridged the coax with Wireless and ethernet and disabled coax STP, all on the server side lan router. Otherwise my DNS wouldn't work. Then did the common instructions for the XBox router for a simple Coax to lan bridge

I'd like to get rid of that flashing MoCA light without having to put a black piece of tape over it.

I tried the Coax Privacy setting and that didn't work. My last option without advice is to try a different channel.