Hello,

I have considered this solution and have even tried it. There are just a couple of problems with it: Routed VPNs from Microsoft work great for client to server connections where the client is aware of its actual MTU size when it sets up a TCP connection. However, when used as gateways the client is unaware of the restricted MTU through the tunnel. I know, I know, turn on MTU discovery and all will work fine. Unfortunately MTU discovery requires ICMP to work from end to end. Equally unfortunate are a large number of ill-informed firewall managers around the world that think that all ICMP is bad. Combine this with people who think that the don't fragment bit is an absolute necessity on all packets and you have a big problem explaining to your users why they can't connect to their favorite web-site.

Now if Microsoft would allow for gateway to gateway VPN traffic to ignore the don't fragment bit this wouldn't be a problem. They don't, and I understand their reasons, but it would really be nice if they could just this once ignore the RFCs (at least I think it would).

The hardware VPN does not do routing; it does bridging. It also ignores the don't fragment bit. Because it is doing bridging it provides the corporate network right to my remote site without the need of multiple subnets and many other configuration issues.

As far as Exchange goes, I am not running it on the firewall. I don't run anything on my ISA Server. I have my Exchange server published via ISA Server.

Bill

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, May 14, 2003 12:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: A question of routing and published servers.

http://www.ISAserver.org

Hi William,

Before we try to make the trip from San Antonio to El Paso via the North Pole, how about trashing the black box VPN server and using ISA Server as your VPN Server?
I'm sure ISA Server would be a better VPN solution and if you have Windows 2000 on the other side, create a simple gateway to gateway solution. If you do that, you can take US 10 from San Anton' to El Paso, instead of driving due North until you "loop back" through the South Pole ;-)

NB: get the dreaded Exchange server OFF the firewall!

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: William T. Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Tuesday, May 13, 2003 9:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] A question of routing and published servers.

http://www.ISAserver.org

Hello,

I have a question about published servers and routing. This relates specifically to a published SMTP server. I have ISA configured to publish an SMTP server. In addition I have a VPN appliance that is connected on my internal network via RRAS (on an internal box) that is running NAT. This device provides a route to machines that are behind another firewall (non-ISA).

EXCHANGE---RRAS Server---ISASERVER---Internet---Firewall---Router---SMTPServer
                |                                            |
              (NAT)                                          |
                |                                            |
          VPN APPLIANCE----------------------------VPN Server

The route is really outbound only. In other words, the machines that are behind the firewall are not aware of the route via the VPN tunnel. The only route they know is the one through the ISA server. Hosts behind the ISA server are aware of the VPN route to the specific nets that are reachable via the tunnel. When the SMTP server attempts to send mail to the published Exchange server it makes its connection via the ISA server; however, when the Exchange server attempts to respond it does so via the "easy" route through the tunnel. This obviously does not work. To solve this I have added a host route to my RRAS server for the SMTPServer which causes the EXCHANGE server to respond back through the ISA Server and everything works fine.
Now I don't really like host routes for a plethora of reasons, so what I am wondering is: Is it possible to have a published server see the source address for inbound connections as the ISA Server? I guess I would call this inbound NAT. In other words, when the SMTPServer makes a connection to the published service, the source address of the packets is changed so that from the Exchange server's perspective they appear to be coming from the ISA Server. This would cause the Exchange server to respond to the ISA server's address and avoid the tunnel, while still allowing the tunnel to permit outbound traffic for other non-published (in this case SMTP) traffic. The host route solves the immediate problem but it's specific rather than general.

Thanks
Bill

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
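The asymmetric return path Bill describes, and why a /32 host route fixes it, shown as an added example that is not part of the thread: a small longest-prefix-match routing simulation in Python. The addresses are constructed RFC 5737 documentation addresses, and making the RRAS box Exchange's default gateway (so the host route can live on RRAS, as in the post) is an assumption.

```python
import ipaddress

# Constructed RFC 5737 documentation addresses standing in for the thread's hosts.
EXCHANGE = "192.0.2.10"
RRAS = "192.0.2.2"             # RRAS box; assumed to be Exchange's default gateway
ISA = "192.0.2.1"              # ISA Server internal interface (path inbound mail used)
VPN_APPLIANCE = "192.0.2.3"    # bridging VPN appliance behind the RRAS/NAT box
REMOTE_NET = "203.0.113.0/24"  # nets reachable through the tunnel
SMTP_SERVER = "203.0.113.25"   # remote SMTP server, which lives inside REMOTE_NET


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs: the most specific
    matching route wins, which is exactly why a /32 host route overrides the
    /24 tunnel route without touching any other destination."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def build_tables(host_route=False):
    """Per-hop routing tables; host_route adds the /32 Bill put on the RRAS server."""
    tables = {
        EXCHANGE: [("0.0.0.0/0", RRAS)],
        RRAS: [("0.0.0.0/0", ISA), (REMOTE_NET, VPN_APPLIANCE)],
    }
    if host_route:
        tables[RRAS].append((SMTP_SERVER + "/32", ISA))
    return tables


def reply_path(dst, host_route=False):
    """Trace the hops Exchange's reply to dst takes until it leaves the LAN."""
    tables = build_tables(host_route)
    hop, path = EXCHANGE, [EXCHANGE]
    while hop in tables:
        hop = lookup(tables[hop], dst)
        path.append(hop)
    return path


def is_symmetric(host_route=False):
    """Inbound mail arrived through ISA; the flow is symmetric only if the
    reply also exits through ISA rather than the tunnel."""
    return reply_path(SMTP_SERVER, host_route)[-1] == ISA
```

Other hosts in the remote net still take the tunnel with the host route in place, which is the "specific rather than general" property Bill points out: every additional remote sender would need its own /32.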