FW: RE: FW: Different firewalls. Maybe a dumb question.

  • From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 20 Jun 2004 00:00:21 -0400

Tom,

In simplest terms:

Inet <->  ISA1  <-> SMTPSVR <-> ISA2 <-> Inet

Inet is of course = Internet (any client, any IP address), so
essentially the diagram should be a big circle (free your mind)...

ISA1 and ISA2 are, I hope, self-explanatory.

Both ISA1 and ISA2 have server publishing rules for incoming SMTP to
SMTPSvr.

SMTPSvr is an SMTP server (SNAT client).

If SMTPSvr = Windows:

I set up two default gateways on SMTPSvr, and any Inet client can
establish an SMTP session through either ISA1 or ISA2 for incoming mail.

If SMTPSvr = Other OS:

The Inet clients will only get a response by connecting to either ISA1
or ISA2, depending on which default gateway on SMTPSvr has the lower
metric (if both metrics are the same, then it will be whichever gateway
was entered first). Say ISA1 is the primary default gateway. SMTP
sessions established through ISA1 work flawlessly. Requests to ISA2 are
forwarded to SMTPSvr, and SMTPSvr does respond (the typical "220 ... Ready"
type response is sent), BUT the Inet client never receives the request
and the SMTP session is never established.

I guess at this point I'm curious as to how / why Windows works this
way, and whether it's a quirk with ISA in not allowing the Other OS SMTPSvr
outbound requests to pass (maybe Monday I'll actually get a packet
sniffer in place where I can truly see what's happening). Pondering it
more and more, it does sound like Dead Gateway Detection could be the
reason the Windows SMTPSvr works, if only I knew a bit more on how DGD
worked in Windows (MS has a small blurb in MSKB 128978).

I know this configuration, as described, is strange and could be
addressed properly by adding hardware to gang the Inet connections
together either before or after the ISAs... (any recommendations on how
to do this on the cheap are welcome; no offence to RainConnect, I just
don't have money in the budget for it... and because of the way we use
our two Inet links, I don't want them ganged together for all traffic,
just SMTP redundancy...)

Thanks to anyone who managed to plow through this whole email, and even
more thanks to anyone who can enlighten me more on the subjects above!
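As an added illustration (not part of the thread or of ISA Server), the following toy model shows why a reply that leaves through the lower-metric gateway never reaches the client: two stateful NAT gateways stand in for ISA1 and ISA2, the server either follows the lowest-metric default route or answers through the gateway the SYN arrived on, and all addresses are constructed sample values.

```python
# Added toy model (not from the thread): two stateful NAT gateways standing in
# for ISA1/ISA2 publish one SMTP server. The server's SYN-ACK either follows the
# lowest-metric default route or returns via the gateway the SYN arrived on.
# All addresses are constructed sample values.
SERVER_IP = "10.0.0.25"  # constructed address of SMTPSvr


class NatGateway:
    """Minimal stateful NAT: only forwards replies for connections it created."""

    def __init__(self, name, public_ip):
        self.name, self.public_ip = name, public_ip
        self.connections = set()  # (client_ip, client_port) accepted inbound

    def inbound(self, client):
        # Server publishing: forward the SYN with the real client source and remember it.
        self.connections.add(client)
        return {"src": client, "dst": (SERVER_IP, 25), "arrived_via": self.name}

    def outbound(self, reply):
        # No matching state means the reply cannot be mapped back: drop it.
        if reply["dst"] not in self.connections:
            return None
        return {"src": (self.public_ip, 25), "dst": reply["dst"]}


def lowest_metric_gateway(routes):
    """Default-route choice as described above: lowest metric wins, ties go
    to the route entered first (min() keeps the first minimum)."""
    return min(routes, key=lambda r: r["metric"])["gateway"]


def smtp_connect(client, entry_gw, gateways, routes, reply_via_ingress):
    """True if the client receives a SYN-ACK from the public IP it dialled."""
    syn = entry_gw.inbound(client)
    reply = {"src": (SERVER_IP, 25), "dst": client}
    chosen = syn["arrived_via"] if reply_via_ingress else lowest_metric_gateway(routes)
    synack = gateways[chosen].outbound(reply)
    # A client discards a SYN-ACK arriving from an address it never connected to.
    return synack is not None and synack["src"][0] == entry_gw.public_ip


def demo():
    isa1 = NatGateway("ISA1", "198.51.100.1")  # constructed public addresses
    isa2 = NatGateway("ISA2", "203.0.113.1")
    gws = {"ISA1": isa1, "ISA2": isa2}
    routes = [{"gateway": "ISA1", "metric": 1}, {"gateway": "ISA2", "metric": 2}]
    return {  # one constructed Internet client, a fresh source port per attempt
        "via_isa1_plain": smtp_connect(("192.0.2.10", 40001), isa1, gws, routes, False),
        "via_isa2_plain": smtp_connect(("192.0.2.10", 40002), isa2, gws, routes, False),
        "via_isa2_ingress": smtp_connect(("192.0.2.10", 40003), isa2, gws, routes, True),
    }
```

Only the connection that enters through the lowest-metric gateway, or one whose reply is deliberately sent back through the gateway it arrived on, completes the handshake.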

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Saturday, June 19, 2004 11:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW: Different firewalls. Maybe a dumb question.

http://www.ISAserver.org

Hi Joe,

Can you post a network diagram? It really speeds up understanding of your
environment. You don't need to include every host, just the ones
participating in the communications path.

Thanks!

Tom

Thomas W Shinder

www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp

ISA Server and Beyond: http://tinyurl.com/1jq1

Configuring ISA Server: http://tinyurl.com/1llp

        -----Original Message-----
        From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx]
        Sent: Friday, June 18, 2004 10:42 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: FW: Different firewalls. Maybe a dumb question.

        I've got my Exchange server set up in a fashion that would
        handle this (for the reason to provide incoming redundancy though)...

        Please keep in mind that I don't understand this completely, so
        maybe someone who has a better grasp of IP and the way things are
        handled through ISA can fill in the blanks...

        Basically, you can set up a Windows server with two different
        default gateways, setting the one with the higher metric to be the one
        you want your outbound traffic to go through... You need to manually
        add the second route through the ROUTE ADD command, as doing it through
        the GUI doesn't seem to stick... Doing this will cause all outbound
        mail to go through the lower metric gateway, but the Exchange server
        will still respond back through the ISA server that accepted the
        incoming SMTP session... Without these two gateways on the Exchange
        server, incoming client requests sent to the second (incoming only) ISA
        server never seem to get a response back from the Exchange box...

        Now, this is where my understanding falls apart... It's my
        understanding in the realm of IP routing that the route to and from a
        client doesn't need to be the same... Having the outbound part of an
        incoming SMTP communication go through a different gateway should work
        OK... Maybe it's just the way the session is initiated and the flow handled
        through ISA? (I haven't tested this type of scenario without ISA.) I
        was told once that this quirk may be due to Windows support for dead
        gateway detection (DGD)... Maybe that's the case, though I don't
        understand DGD enough to say for sure... I can confirm that I haven't
        been able to replicate this ability to communicate simultaneously
        through two ISA servers (inbound SMTP) to a Linux box (which doesn't
        support DGD), but I can also confirm that I've run this configuration on
        multiple Exchange boxes behind two ISA servers...

        Not to usurp the thread, but if anyone can tell me how to allow
        a Linux SMTP box (SNAT of course) to accept and properly respond to
        incoming SMTP requests from two ISA servers which are acting as default
        gateways to two different ISPs, I would be eternally grateful. (Hey,
        I'm sure it would provide an alternate resolution to the original
        question as well!)

        Joe Pochedley
