RE: A question of routing and published servers.

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 13 May 2003 23:47:54 -0500

Hi William,

Reading things over again, is all that you require a preservation of the
original IP address of the external SMTP server? If so, you can get
"full NAT" by implementing KB 311777.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: William T. Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] 
Sent: Tuesday, May 13, 2003 9:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] A question of routing and published servers.

Hello,

I have a question about published servers and routing. This relates
specifically to a published smtp server. I have ISA configured to
publish an SMTP server. In addition I have a VPN appliance that is
connected on my internal network via RRAS (on an internal box) that is
running NAT. This device provides a route to machines that are behind
another firewall (non-isa).


EXCHANGE---RRAS Server---ISASERVER---Internet---Firewall---Router---SMTPServer
                |                                             |
              (NAT)                                           |
                |                                             |
          VPN APPLIANCE---------------------------------------VPN Server


The route is really outbound only. In other words, the machines that are
behind the firewall are not aware of the route via the VPN tunnel. The
only route they know is the one through the ISA server. Hosts behind the
ISA server are aware of the VPN route to the specific nets that are
reachable via the tunnel.

When the SMTP server attempts to send mail to the published exchange
server it makes its connection via the ISA server, however when the
exchange server attempts to respond it does so via the "easy" route
through the tunnel. This obviously does not work. 

To solve this I have added a host route to my RRAS server for the
SMTPServer which causes the EXCHANGE server to respond back through the
ISAServer and everything works fine.

Now I don't really like host routes for a plethora of reasons, so what I
am wondering is: Is it possible to have a published server see the source
address for inbound connections as the ISAServer? I guess I would call
this inbound NAT. In other words, when the SMTPServer makes a connection
to the published service, the source address of the packets is changed
so that, from the Exchange server's perspective, they appear to be coming
from the ISA Server. This would cause the Exchange server to respond to
the ISA server's address and avoid the tunnel, while still allowing the
tunnel to permit outbound traffic for other non-published (in this case
SMTP) traffic.

The host route solves the immediate problem, but it's specific rather than
general.


Thanks

Bill
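The reply-path problem Bill describes, traced with a small longest-prefix-match route lookup. This is an added example and not code from either post; the topology, host names and addresses (RFC 5737 documentation ranges) are constructed to mirror the diagram above, not the poster's real configuration. It shows why the tunnel route (a /24) beats the default route for the Exchange reply, why a /32 host route on RRAS wins over the /24, and why source-NATting the published connection to ISA's internal address sidesteps the lookup entirely because the reply is then on-link.

```python
"""Trace the reply path from a published Exchange server under three
routing set-ups: tunnel route only, host route on RRAS, and inbound
source NAT on ISA.  Constructed example; not from the ISA list posts."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # router name, or None for an on-link (connected) subnet


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Route:
        """Longest prefix match: the most specific matching route wins, so a
        /24 tunnel route beats the /0 default and a /32 host route beats the /24."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)


# Constructed topology (assumed addresses, chosen to mirror the ASCII diagram).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
ISA_INTERNAL_IP = "10.0.0.1"
RRAS_IP = "10.0.0.2"
EXCHANGE_IP = "10.0.0.10"
REMOTE_NET = ipaddress.ip_network("203.0.113.0/24")  # nets reachable through the VPN tunnel
SMTP_SERVER_IP = "203.0.113.25"                      # the external SMTP server sits inside that net
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
HOSTS = {ISA_INTERNAL_IP: "ISASERVER", RRAS_IP: "RRAS", EXCHANGE_IP: "EXCHANGE"}


def build_tables(host_route_on_rras: bool) -> Dict[str, RoutingTable]:
    """Routing tables for the two internal boxes that make forwarding decisions."""
    exchange = RoutingTable([
        Route(INTERNAL_NET, None),
        Route(REMOTE_NET, "RRAS"),      # hosts behind ISA know the tunnel route
        Route(DEFAULT, "ISASERVER"),    # everything else goes out through ISA
    ])
    rras_routes = [
        Route(INTERNAL_NET, None),
        Route(REMOTE_NET, "VPN APPLIANCE"),  # the NAT'd tunnel to the remote nets
        Route(DEFAULT, "ISASERVER"),
    ]
    if host_route_on_rras:
        # Bill's workaround: a /32 for the one SMTP server, pointing back at ISA.
        rras_routes.append(Route(ipaddress.ip_network(SMTP_SERVER_IP + "/32"), "ISASERVER"))
    return {"EXCHANGE": exchange, "RRAS": RoutingTable(rras_routes)}


def reply_path(tables: Dict[str, RoutingTable], src_seen_by_exchange: str) -> List[str]:
    """Hops the Exchange reply traverses on its way to the address it saw as
    the connection's source.  Forwarding stops at a hop that has no table
    here (ISA, the VPN appliance) or at an on-link delivery."""
    node, path = "EXCHANGE", []
    while True:
        route = tables[node].lookup(src_seen_by_exchange)
        if route.next_hop is None:  # connected subnet: deliver directly
            path.append(HOSTS.get(src_seen_by_exchange, src_seen_by_exchange))
            return path
        path.append(route.next_hop)
        if route.next_hop not in tables:
            return path
        node = route.next_hop


def reply_is_symmetric(path: List[str]) -> bool:
    """The connection arrived through ISA; it only works if the reply leaves through ISA."""
    return path[-1] == "ISASERVER"


def scenarios() -> Dict[str, List[str]]:
    return {
        # Exchange sees the real SMTP server address and prefers the tunnel route.
        "tunnel route only": reply_path(build_tables(False), SMTP_SERVER_IP),
        # Same, but RRAS now holds a /32 that sends this one peer back via ISA.
        "host route on RRAS": reply_path(build_tables(True), SMTP_SERVER_IP),
        # Inbound source NAT: Exchange sees ISA's internal IP, which is on-link.
        "inbound source NAT on ISA": reply_path(build_tables(False), ISA_INTERNAL_IP),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        status = "ok" if reply_is_symmetric(path) else "ASYMMETRIC (reply bypasses ISA)"
        print(f"{name:28s} {' -> '.join(path):30s} {status}")
```

The third scenario is the general fix Bill is asking for: every published connection looks local to Exchange, so no per-peer route is needed. The trade-off to keep in mind is that Exchange then no longer sees the real client address, so anything that keys on the sender's IP (relay restrictions, connection filtering, message-tracking and SMTP protocol logs) sees ISA's address instead; that is the price of "full NAT" and worth checking before switching it on.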

