RE: DNS and Routers
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sun, 9 Feb 2003 15:09:06 -0600
Hi Mark,
What is the purpose of this UU router? Do you need it? Why not use the
DSL line for all Internet related activity? Does this router connect to
the Internet or is it a point to point link with a partner or remote
office?
Is the Exchange Server hosting its own mail? Or are the users using a
dial up connection to pull mail from their own servers and store it in
the Exchange Store? Or, are you using TURN/ETRN to pull mail from the
ISP?
Thanks!
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
Sent: Sunday, February 09, 2003 3:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS and Routers
Hi Tom,
Thanks a lot for your help, but unfortunately I must say that I knew all
of this already. It's a shame really... Ok, let's start all over again,
where's the reset button...
You got the ISA part right down there. What went amiss was the UUNET
router. This router is, with its current setup, a potential security
risk *AND* forces the customer to use some weird network settings on the
DC (=Exchange). I will try to explain again:
From the external point of view there are two entry points into the
network, both at routers that manage dod connections. The difference
between them is: one is connected to the external NIC of the ISA box
(DSL), the other one is directly connected to the network (ISDN I
think). Let's call them DSL and UU.
This setup is not desirable, so one task would be to put both routers
onto a network that is connected to the external ISA interface.
Now this is not the real problem. Let's talk about mail delivery.
I'm sure you agree that an SMTP server with a variable IP address is not
a good idea. Many SMTP hosts reject such connections. Moreover, you'd be
having problems with incoming mails, because to my knowledge there is no
reliable way to have an MX point to the obtained IP address - even
dyndns has its drawbacks such as cached entries and so forth....
That's why I don't intend to change the customer's setup in this
respect. So here comes the UU router. This router connects to UUNET
regularly (it's being pinged by the DC). UUNET detects the connection
and starts delivering mails to the DC. Any outgoing mail is sent to
something like mail.uu.net.
Here's the second important point: for authentication reasons
(smarthosting, relaying) the connection to mail.uu.net has to come from
an internal address to the UUNET network (no big deal). That's the
reason why the DC has the UU router as a default gateway. Right now this
works more or less, but as I said the setup is a bit spooky.
Now, if we move the UU router to the external segment of the ISA box,
there's going to be the problem of telling ISA how to handle this. To
keep this in mind: the goal is to make the setup more transparent,
eliminate the security problem and also to resolve the DNS and routing
problems within the network.
For my better understanding, let's imagine that both the DSL and the UU
router were connected to the external interface. We would then have a
subnet like 10.1.1.0 or whatever, which would not be contained in the
LAT, right? The default gateway on the external NIC would point to the
"primary" router (this would be DSL). Now, back to mails: opening a
connection to UUNET is not a problem, we can ping from the ISA box to
the UU router, thus initiating delivery. Surely we would need to publish
the Exchange and check with UUNET what to reconfigure at the UU router
and so forth. Not a real problem there.
Outgoing mails would be a bit more tricky: the current setting (def. gw.
on the DC pointing to UU) would have to be changed. So the DC would just
be a Secure NAT client. When we try to deliver the mails, we will
connect to mail.uu.net. The default route on the ISA box would direct
all traffic to the DSL router and the connection will fail (because the
request to mail.uu.net will then not come from within UUNET network). So
we would have to implement a route or something else that automagically
directs the traffic to mail.uu.net to the UU router.
I've set up a few ISA boxes but I'm not really familiar with the SMTP
functionality, and I'm also not a geek when it comes to routing and
manually adding routes... So the question is: is that possible?
I think that changing the mail setup may be another approach but this
would involve a number of other problems (domain, delivery mechanism and
so on... Btw features that are not available at the DSL connection's
ISP, I'm afraid)
Alright, sorry for producing such a lengthy mail. And thanks for
listening, as always :)
Mark
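
Added example, not part of either message above: the host route Mark asks about, modelled as a longest-prefix-match lookup on the ISA box's external routing table, plus a check that only the smart host leaves via the UU router. All addresses are constructed placeholders (the thread names only the 10.1.1.0 segment), and 192.0.2.25 stands in for whatever mail.uu.net resolves to.

```python
import ipaddress

# Constructed addresses: the thread gives only "10.1.1.0 or whatever" for the
# external segment; router and mail-host addresses below are placeholders.
DSL_ROUTER = "10.1.1.1"
UU_ROUTER = "10.1.1.2"
MAIL_UU_NET = "192.0.2.25"   # stand-in for whatever mail.uu.net resolves to


def build_table(with_host_route):
    """Routing table of the ISA box's external NIC as (network, gateway) pairs."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), DSL_ROUTER),   # default gateway
        (ipaddress.ip_network("10.1.1.0/24"), "on-link"),  # external segment
    ]
    if with_host_route:
        # A /32 static route that pins the smart host to the UU router.
        table.append((ipaddress.ip_network(MAIL_UU_NET + "/32"), UU_ROUTER))
    return table


def next_hop(table, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        raise LookupError("no route to " + destination)
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(table, pinned):
    """Return destinations whose next hop differs from the gateway they must use."""
    return {dst: next_hop(table, dst) for dst, gw in pinned.items()
            if next_hop(table, dst) != gw}


if __name__ == "__main__":
    pinned = {MAIL_UU_NET: UU_ROUTER}
    for flag in (False, True):
        t = build_table(flag)
        print("host route:", flag, "| mail ->", next_hop(t, MAIL_UU_NET),
              "| web ->", next_hop(t, "198.51.100.80"),
              "| misrouted:", audit(t, pinned))
```

On Windows such a route is created with `route -p add <destination> mask 255.255.255.255 <gateway>`; if the smart host name resolves to several addresses, each one needs its own entry.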