  1. #1
    Master Untangler SirBC's Avatar
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    Issues with AD in a 2 NIC setup

    I just installed the AD connector and I am having some problems with rack policies working intermittently. I think it may be due to my network setup, which you can see here.

    I followed the instructions in the wiki and everything seemed to be working. I set up a test rack and assigned one user to that rack with a custom policy to block all web content. I then logged in as that user at a workstation and all web content was blocked. However, I then logged off as that user and then logged back in as the same user and nothing was getting blocked. I logged on to the Untangle server on another workstation so I could see how the page requests were being handled.

    What is happening is that all users' IPs are the same as the IP of the external NIC of my SBS box, just with different ports. But it looks like the port changes for a single user every few seconds. For example, the web filter event log while I am refreshing www.google.com looks like this:
    Code:
    Client				Request
    192.168.1.2:62095	   http://www.google.com
    192.168.1.2:62094	   http://www.google.com
    192.168.1.2:62094	   http://www.google.com
    192.168.1.2:62092	   http://www.google.com
    192.168.1.2:62012	   http://www.google.com
    In a 2 NIC setup I don't see a way around this. Which is unfortunate, because the 2 NIC network structure that I am using is very popular for SBS setups and is actually required if the SBS box is running ISA.

  2. #2
    Master Untangler tbelote's Avatar
    Join Date
    Oct 2007
    Posts
    287

    So it sounds like the SBS server is doing NAT. Is it possible to just set it up to be a router? I believe this would fix the problem. So your upstream router would need to handle 192.168.16.x as well.
    Thomas Belote
    Untangle

  3. #3
    Master Untangler SirBC's Avatar
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    SBS needs to handle NAT or the Wizards start to go wonky. I ended up moving to a 1 NIC setup since I am going to have to anyway once SBS2008 is released. All is now well. Well almost, all users except one (me) register with the Untangle AD script.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    You'll need to put Untangle inside NAT so it can see the internal IPs to take advantage of policy management.

    San Carlos!
    (I live there)

    edit: the way the AD connector works is to alert the Untangle server when someone logs in. The Untangle then stores the corresponding IP so it can enforce the appropriate policy and store the information in reports. If all your users are behind NAT, they all look the same to the Untangle server and it can't differentiate. The effect will most likely be that the policy and reports will reflect whoever the last user to log in was...
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
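
The effect described in post #4, as an added example that is not part of the thread and not Untangle's code: it models the login table as a last-login-wins map keyed by source IP (an assumption based on that description) and flags shared IPs and misattributed requests. The login and request records are constructed sample data; only 192.168.1.2 and the port numbers come from the log in post #1.

```python
from collections import defaultdict

# Constructed login notifications in arrival order: (timestamp, user, source IP).
LOGINS = [
    (100, "alice", "192.168.1.2"),    # seen via the SBS NAT address
    (160, "bob",   "192.168.1.2"),    # same NAT address, different user
    (200, "carol", "192.168.16.30"),  # internal address visible directly
]

# Constructed web filter events: (timestamp, "ip:port", user who really sent it).
REQUESTS = [
    (120, "192.168.1.2:62012", "alice"),
    (170, "192.168.1.2:62092", "alice"),
    (175, "192.168.1.2:62094", "bob"),
    (210, "192.168.16.30:50111", "carol"),
]

def build_ip_table(logins, upto):
    """IP -> user map at time `upto`; a later login for an IP overwrites earlier ones."""
    table = {}
    for ts, user, ip in sorted(logins):
        if ts <= upto:
            table[ip] = user
    return table

def shared_ips(logins):
    """Return {ip: sorted users} for every IP claimed by more than one user."""
    users = defaultdict(set)
    for _, user, ip in logins:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}

def misattributed(logins, requests):
    """Requests whose IP-derived user differs from the user who sent them."""
    wrong = []
    for ts, client, actual in requests:
        ip = client.rsplit(":", 1)[0]  # the source port plays no part in the lookup
        applied = build_ip_table(logins, ts).get(ip)
        if applied != actual:
            wrong.append((ts, client, actual, applied))
    return wrong

if __name__ == "__main__":
    print("IPs shared by several users:", shared_ips(LOGINS))
    for ts, client, actual, applied in misattributed(LOGINS, REQUESTS):
        print(f"t={ts} {client}: sent by {actual}, policy applied for {applied}")
```

Running the same `shared_ips` check over real login records is a quick way to confirm whether the filter is seeing a NAT address instead of workstation addresses.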

  5. #5
    Master Untangler SirBC's Avatar
    Join Date
    May 2008
    Location
    San Carlos, CA
    Posts
    115

    Yeah, that is how I ended up doing it and it works like a champ now.

    San Carlos, the "City of Good Living"!

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    nice!

  7. #7
    Newbie
    Join Date
    Apr 2009
    Location
    Richmond, TX
    Posts
    4

    Can you give details on how you went about adding it to NAT?

    I'm a newbie with SBS 2003 and would like the AD connector to work correctly.
