RE: A question of routing and published servers.

  • From: "William Holmes" <wtholmes@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 May 2003 01:17:27 -0400

Hello,

I have considered this solution and have even tried it. There are just a
couple of problems with it:

Routed VPNs from Microsoft work great for client-to-server connections
where the client is aware of its actual MTU size when it sets up a TCP
connection. However, when used as gateways the client is unaware of the
restricted MTU through the tunnel. I know, I know, turn on MTU discovery
and all will work fine. Unfortunately MTU discovery requires ICMP to
work from end to end. Equally unfortunate are a large number of
ill-informed firewall managers around the world that think that all ICMP
is bad. Combine this with people who think that the don't fragment bit
is an absolute necessity on all packets and you have a big problem
explaining to your users why they can't connect to their favorite
web site. Now if Microsoft would allow gateway-to-gateway VPN
traffic to ignore the don't fragment bit this wouldn't be a problem.
They don't, and I understand their reasons, but it would really be nice
if they could just this once ignore the RFCs (at least I think it would).

The hardware VPN does not do routing, it does bridging; it also ignores
the don't fragment bit. Because it is doing bridging it provides the
corporate network right to my remote site without the need for multiple
subnets and many other configuration issues.

As far as Exchange goes, I am not running it on the firewall. I don't
run anything on my ISAServer. I have my Exchange server published via
ISAServer.

Bill




-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, May 14, 2003 12:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: A question of routing and published servers.


http://www.ISAserver.org


Hi William,

Before we try to make the trip from San Antonio to El Paso via the North
Pole, how about trashing the black box VPN server and using ISA Server
as your VPN Server? I'm sure ISA Server would be a better VPN solution
and if you have Windows 2000 on the other side, create a simple gateway
to gateway solution. 

If you do that, you can take US 10 from San Anton' to El Paso, instead
of driving due North until you "loop back" through the South Pole ;-)

NB: get the dreaded Exchange server OFF the firewall!

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: William T. Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] 
Sent: Tuesday, May 13, 2003 9:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] A question of routing and published servers.


http://www.ISAserver.org


Hello,

I have a question about published servers and routing. This relates
specifically to a published smtp server. I have ISA configured to
publish an SMTP server. In addition I have a VPN appliance that is
connected on my internal network via RRAS (on an internal box) that is
running NAT. This device provides a route to machines that are behind
another firewall (non-isa).

        EXCHANGE---RRAS Server---ISASERVER---Internet---Firewall---Router---SMTPServer
                           |                                          |
                         (NAT)                                        |
                           |                                          |
                       VPN APPLIANCE----------------------------VPN Server

The route is really outbound only. In other words, the machines that are
behind the firewall are not aware of the route via the VPN tunnel. The
only route they know is the one through the ISA server. Hosts behind the
ISA server are aware of the VPN route to the specific nets that are
reachable via the tunnel.

When the SMTP server attempts to send mail to the published Exchange
server it makes its connection via the ISA server; however, when the
Exchange server attempts to respond it does so via the "easy" route
through the tunnel. This obviously does not work.

To solve this I have added a host route to my RRAS server for the
SMTPServer which causes the EXCHANGE server to respond back through the
ISAServer and everything works fine.

Now I don't really like host routes for a plethora of reasons, so what I
am wondering is: is it possible to have a published server see the source
address for inbound connections as the ISAServer? I guess I would call
this inbound NAT. In other words, when the SMTPServer makes a connection
to the published service, the source address of the packets is changed
so that from the Exchange server's perspective they appear to be coming
from the ISA Server. This would cause the Exchange server to respond to
the ISA server's address and avoid the tunnel, while still allowing the
tunnel to permit outbound traffic for other non-published (in this case
SMTP) traffic.

The host route solves the immediate problem but it's specific rather than
general.


Thanks

Bill
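The asymmetric-routing problem in the question above, as an added example that is not part of the thread: a longest-prefix-match routing table seen from the Exchange host, showing why its reply to the published SMTP server leaves via the tunnel, why a /32 host route beats the tunnel's /24 and pulls the reply back through ISA, and why rewriting the inbound source to ISA's own address (the "inbound NAT" Bill asks about) would have the same effect without any extra route. All addresses are constructed from RFC 5737 documentation ranges and the next-hop labels are illustrative, not the poster's real network.

```python
"""Added example (not from the thread): longest-prefix-match routing from the
Exchange host's point of view, comparing no fix, a /32 host route, and
source rewriting on the published connection. Addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, next-hop label)


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the next hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


# Constructed: what the Exchange host knows once RRAS advertises the remote nets.
REMOTE_SITE = "203.0.113.0/24"
SMTP_SERVER = "203.0.113.25"       # behind the remote firewall AND reachable from the Internet
ISA_INTERNAL = "192.0.2.1"         # ISA's internal interface
EXCHANGE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "ISA"),          # default: out through ISA
    (REMOTE_SITE, "RRAS-tunnel"),  # remote site via RRAS / VPN appliance
]


def reply_next_hop(routes: List[Route], source_seen_by_exchange: str) -> Optional[str]:
    """Exchange answers whatever source address the inbound SYN carried."""
    return lookup(routes, source_seen_by_exchange)


def is_asymmetric(routes: List[Route], client: str, inbound_via: str = "ISA") -> bool:
    """True when the reply would not retrace the inbound path. The publishing rule
    forwarded the connection in through ISA, so the return must go back the same way."""
    return reply_next_hop(routes, client) != inbound_via


def add_host_route(routes: List[Route], host: str, via: str) -> List[Route]:
    """Bill's fix: a /32 is more specific than the /24, so it wins the lookup."""
    return routes + [(f"{host}/32", via)]


def source_after_inbound_nat(client: str, isa_internal: str) -> str:
    """The alternative Bill describes: ISA rewrites the source of the published
    connection to its own address, so Exchange never sees the remote client IP."""
    return isa_internal


if __name__ == "__main__":
    print("no fix:     ", reply_next_hop(EXCHANGE_ROUTES, SMTP_SERVER),
          "asymmetric:", is_asymmetric(EXCHANGE_ROUTES, SMTP_SERVER))
    fixed = add_host_route(EXCHANGE_ROUTES, SMTP_SERVER, "ISA")
    print("host route: ", reply_next_hop(fixed, SMTP_SERVER),
          "asymmetric:", is_asymmetric(fixed, SMTP_SERVER))
    natted = source_after_inbound_nat(SMTP_SERVER, ISA_INTERNAL)
    print("inbound NAT:", reply_next_hop(EXCHANGE_ROUTES, natted),
          "asymmetric:", is_asymmetric(EXCHANGE_ROUTES, natted))
```

The trade-off the two fixes expose is worth keeping in mind: the host route keeps the real client address visible to Exchange but has to be maintained for every such host, while rewriting the source to ISA's address scales to any client but means Exchange's own logs and any per-sender controls only ever see the ISA address, so the real source has to be recovered from ISA's logs instead.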


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/ Windows
Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT
Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
