RE: Back to back DMZ Exchange and SMTP relay

Hi Gillian,
 
Thanks for the kind words about the book! :)
 
How about putting the outbound SMTP relay on the DMZ, and then
configuring the Exchange Server on the internal network to use it as a
smart host? Then configure the SMTP relay on the DMZ to use your ISP's
SMTP server as its smart host! That way, you never have to deal with MX
domain name resolution, as the mail domain resolution is handled by your
ISP's SMTP server. This usually works pretty well, unless your ISP is a
cable network, where they're still getting the hang of SMTP servers and
how they work ;-)
 
The SMTP server on the DMZ can also work for inbound relay. Just
configure the remote domains and configure them to relay. The trick is
that you must configure outbound relay to use the virtual server
properties for relay, while the inbound relay is dependent on the remote
domains. Configure outbound relay to be allowed only for the primary IP
address bound to the external interface of the ISA Server.
 
Check out www.msexchange.com, I'm sort of doing a miniseries on IMAP and
SMTP that you might find interesting. The next installment is due next
week.
 
HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 

        -----Original Message-----
        From: Gillian Cook [mailto:gcook@xxxxxxx] 
        Sent: Monday, April 28, 2003 2:11 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Back to back DMZ Exchange and SMTP relay
I'm working in a lab environment in preparation for a move to a
back-to-back DMZ config.  All is working perfectly including outgoing
web traffic, VPN, Terminal Services published server, OWA published
server - thanks to the ISA Server and Beyond book!  The only issue is
with Exchange and the SMTP mail relay server.

Setup:

Internet------ISA 1-------------------ISA 2---------Internal Network (3 subnets)
                                       |                         (Exchange)
                                     DMZ
                                     (SMTP Relay)

The Exchange server is in the internal network on a subnet other
than the ISA 2 server.  The SMTP mail relay is in the DMZ.  The only way
I've been able to get mail flowing both directions (through both ISA's
and from SMTP and Exchange) is to publish the SMTP mail relay server on
the internal network (while keeping it not part of the domain) on the
same subnet as ISA 2 server (SecureNAT).

I would like to get it working correctly with the "real" DMZ
config.  I think I have 2 issues going on with mail flow.  Internal mail
going out to Internet gets "stuck" in the Exchange server.  It doesn't
know how to get to the DMZ server.  And, does the DMZ SMTP mail relay
server need to be able to perform nslookups for domains other than the
internal network?

Any ideas?  I have read the ISA Server and Beyond book but I'm
still having issues.  Thanks to the book all other parts of the B2B DMZ
are working great!  It would have been impossible without it.

TIA,
Gillian

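The relay policy Tom describes above (accept inbound mail for your own remote domains, permit outbound relay only from the ISA external address) is easy to get wrong, and the usual way to confirm it is to issue a couple of RCPT TO commands against the DMZ relay and read the reply codes. The following is an added check written for this thread, not code from the list or from ISA/Exchange; the relay hostname and the two domains are placeholders you substitute for your own.

```python
"""Check the DMZ SMTP relay's policy: inbound mail for the company's own
domain must be accepted, and relaying to a foreign domain must be refused
unless the session comes from the one address that is allowed to relay."""
import smtplib

# Constructed placeholders; replace with the real DMZ relay and domains.
RELAY_HOST = "smtp-relay.dmz.example.com"   # assumption: the relay in the DMZ
LOCAL_DOMAIN = "example.com"                # assumption: your inbound mail domain
FOREIGN_DOMAIN = "elsewhere.example.net"    # any domain the relay is not responsible for


def rcpt_code(host, rcpt, mail_from="probe@example.org", port=25, timeout=10):
    """Open a session, send MAIL FROM / RCPT TO and return the RCPT reply code.
    Nothing is delivered: the transaction is reset before QUIT.
    Returns None when the host cannot be reached."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo_or_helo_if_needed()
            s.mail(mail_from)
            code, _ = s.rcpt(rcpt)
            s.rset()
            return code
    except (OSError, smtplib.SMTPException):
        return None


def classify(inbound_code, relay_code, from_authorized_host):
    """Compare observed reply codes with the expected relay policy.
    inbound_code: reply to RCPT TO:<user@LOCAL_DOMAIN>
    relay_code:   reply to RCPT TO:<user@FOREIGN_DOMAIN>
    from_authorized_host: True when probing from the address that may relay
        (the ISA external IP in the post), False from anywhere else.
    Returns a list of findings; an empty list means the relay matches policy."""
    findings = []
    if inbound_code is None or not 200 <= inbound_code < 300:
        findings.append("inbound for %s not accepted (code %s)" % (LOCAL_DOMAIN, inbound_code))
    if from_authorized_host:
        if relay_code is None or not 200 <= relay_code < 300:
            findings.append("authorized host cannot relay outbound (code %s)" % relay_code)
    elif relay_code is not None and 200 <= relay_code < 300:
        findings.append("OPEN RELAY: unauthorized source may relay to %s" % FOREIGN_DOMAIN)
    return findings


def check_relay(host=RELAY_HOST, from_authorized_host=False):
    """Probe both recipient kinds against host and evaluate the result."""
    inbound = rcpt_code(host, "postmaster@" + LOCAL_DOMAIN)
    relay = rcpt_code(host, "someone@" + FOREIGN_DOMAIN)
    return classify(inbound, relay, from_authorized_host)


if __name__ == "__main__":
    for line in check_relay() or ["relay policy OK"]:
        print(line)
```

Run it once from outside the DMZ (expecting no findings) and once from the ISA external address with from_authorized_host=True (also expecting none); a 250 to the foreign recipient from the first run is the open-relay case.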