Hi William,

Reading things over again, is all that you require a preservation of the original IP address of the external SMTP server? If so, you can get "full NAT" by implementing KB 311777.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: William T. Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Tuesday, May 13, 2003 9:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] A question of routing and published servers.

Hello,

I have a question about published servers and routing. This relates specifically to a published SMTP server.

I have ISA configured to publish an SMTP server. In addition, I have a VPN appliance that is connected on my internal network via RRAS (on an internal box) that is running NAT. This device provides a route to machines that are behind another firewall (non-ISA).

    EXCHANGE---RRAS Server---ISASERVER---Internet---Firewall---Router---SMTPServer
                    |                                      |
                  (NAT)                                    |
                    |                                      |
              VPN APPLIANCE----------------------------VPN Server

The route is really outbound only. In other words, the machines that are behind the firewall are not aware of the route via the VPN tunnel. The only route they know is the one through the ISA server. Hosts behind the ISA server are aware of the VPN route to the specific nets that are reachable via the tunnel.

When the SMTP server attempts to send mail to the published Exchange server, it makes its connection via the ISA server; however, when the Exchange server attempts to respond, it does so via the "easy" route through the tunnel. This obviously does not work. To solve this I have added a host route to my RRAS server for the SMTPServer, which causes the Exchange server to respond back through the ISAServer, and everything works fine.

Now I don't really like host routes for a plethora of reasons, so what I am wondering: Is it possible to have a published server see the source address for inbound connections as the ISAServer? I guess I would call this inbound NAT. In other words, when the SMTPServer makes a connection to the published service, the source address of the packets is changed so that from the Exchange server's perspective they appear to be coming from the ISA Server. This would cause the Exchange server to respond to the ISA server's address and avoid the tunnel, while still allowing the tunnel to permit outbound traffic for other non-published (in this case SMTP) traffic.

The host route solves the immediate problem, but it's specific rather than general.

Thanks,
Bill
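
The return-path problem discussed in this thread, modelled as a longest-prefix route lookup. This is an added example, not part of the original messages: all addresses and hop names are constructed, and the routing table is an assumed simplification of the one on the RRAS server.

```python
import ipaddress

# Constructed values: the thread gives no addresses, so these are placeholders.
SMTP_SERVER = "192.0.2.25"    # external SMTP server behind the remote firewall
REMOTE_PEER = "192.0.2.80"    # another remote host that should keep using the tunnel
ISA_INTERNAL = "10.0.0.1"     # ISA Server's internal interface address

# Assumed, simplified routing table on the RRAS server (Exchange's gateway).
BASE_ROUTES = [
    ("0.0.0.0/0", "via-isa"),        # default route to the Internet
    ("10.0.0.0/24", "via-isa"),      # segment shared with the ISA Server
    ("192.0.2.0/24", "via-tunnel"),  # remote nets reachable through the VPN appliance
]
HOST_ROUTE = (SMTP_SERVER + "/32", "via-isa")  # the workaround from the thread


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), hop) for n, hop in routes]
    matches = [(net.prefixlen, hop) for net, hop in nets if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches)[1]


def reply_is_symmetric(routes, source_seen_by_exchange):
    """Inbound SMTP arrives via the ISA Server; the reply must return the same way."""
    return next_hop(routes, source_seen_by_exchange) == "via-isa"


def scenarios():
    with_host_route = BASE_ROUTES + [HOST_ROUTE]
    return {
        "original source, no host route": reply_is_symmetric(BASE_ROUTES, SMTP_SERVER),
        "original source, host route": reply_is_symmetric(with_host_route, SMTP_SERVER),
        "source rewritten to ISA": reply_is_symmetric(BASE_ROUTES, ISA_INTERNAL),
        # The /32 only affects one host; the rest of the remote net still uses the tunnel.
        "tunnel kept for other hosts": next_hop(with_host_route, REMOTE_PEER) == "via-tunnel",
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

The first scenario is the failure described in the question: the reply follows the more specific tunnel route and never passes back through the firewall that holds the connection state.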