RE: DNS and Routers

  • From: "Mark Hippenstiel" <m.hippenstiel@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Feb 2003 22:46:49 +0100

Hi Jay,

If you read the follow-ups, you'll find out that we solved the problem the
'business' kind of way... Forgive me that I don't have enough expertise in
explaining things correctly. Ok, you got it partly right; the UU router
_currently_ is not connected to the external interface of the ISA box,
instead it's plugged right into the internal network's switch. Only this way
Exchange is able to talk to UUNET directly - and we don't need to publish it
in ISA. I somehow developed the idea that theoretically it must be possible
to do what you write: direct SMTP traffic to a router that is connected to a
private network that is not part of the LAT. Bear in mind that the UUNET
router also is a NAT device and dials up just like the DSL modem.

Thanks for listening,
Mark

> -----Original Message-----
> From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
> Sent: Tuesday, February 11, 2003 10:21 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS and Routers
>
>
> http://www.ISAserver.org
>
>
> Mark, I'm not sure I followed your original email correctly,
> but I think I may have a way around this.  But first let me
> try and verify we're talking about the same things:
>
> ISA external nic is connected to a switch (private subnet
> that is not in the LAT), along with your DSL modem and your
> UU router. Exchange published on ISA, and delivering all mail
> to a smart host/relay server at your UUNET ISP.  If delivered
> through the DSL, the SMTP host at UUNET will reject it. The
> ISA uses the DSL as its default gateway. You therefore want
> to direct SMTP traffic through the UU, and all other traffic
> through the DSL.
>
> Is that correct?
>
>
>
>
> > > -----Original Message-----
> > > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > Sent: Tuesday, February 11, 2003 2:06 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: DNS and Routers
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Hi Tom,
> > >
> > > > I'm not really certain why we discuss this, but anyway.... Yes I
> > > > know a couple of reasons: one being the DSL-ISP does not support
> > > > ETRN or other delivery mechanisms with this sort of connection,
> > > > secondly all outgoing mails would get stamped/modified by the
> > > > smtp-relay which is ok for private users but imho not for a
> > > > corporate customer. Another thing would be changing the DSL
> > > > contract. Then we would have a fixed IP address. With a domain KK
> > > > to the provider we would also have backup Mxing. Only the costs
> > > > would triple.
> > > >
> > > >
> > > > But all this doesn't really answer my question, does it?? :-)
> > > > Mark
> > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > > > Sent: Tuesday, February 11, 2003 2:58 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: DNS and Routers
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > Hi Mark,
> > > >
> > > > > Do you know if there's a reason why you can't use your DSL
> > > > > connection to download your mail?
> > > > >
> > > > > Thanks!
> > > > > Tom
> > > > >
> > > > > Thomas W Shinder
> > > > > www.isaserver.org/shinder
> > > > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > > > Configuring ISA Server: http://tinyurl.com/1llp
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > > Sent: Sunday, February 09, 2003 3:48 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: DNS and Routers
> > > >
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > >
> > > > Hi Tom,
> > > >
> > > > > The UUNET router initiates a dial up connection to UUNET
> > > > > (internet). As soon as it goes online, UUNET delivers waiting
> > > > > mails to the exchange server. The exchange server is indeed
> > > > > hosting its own mail domain. Outgoing mail, like I already said,
> > > > > is delivered to the UUNET smarthost. I'm not too sure about the
> > > > > setup at UUNET, but I will check on this on Tuesday.
> > > > >
> > > > > The reason why we cannot use the other internet connection is
> > > > > that there is no such functionality available at the ISP.
> > > > >
> > > > > But I agree the best thing to do would probably be switching to a
> > > > > provider that provides the functionality - it's only a matter of
> > > > > cost...
> > > >
> > > > Mark
> > > >
> > > > > -----Original Message-----
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > > > > Sent: Sunday, February 09, 2003 10:09 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: DNS and Routers
> > > > >
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > >
> > > > > Hi Mark,
> > > > >
> > > > > > What is the purpose of this UU router? Do you need it? Why not
> > > > > > use the DSL line for all Internet related activity? Does this
> > > > > > router connect to the Internet or is it a point to point link
> > > > > > with a partner or remote office?
> > > > > >
> > > > > > Is the Exchange Server hosting its own mail? Or are the users
> > > > > > using a dial up connection to pull mail from their own servers
> > > > > > and store it in the Exchange Store? Or, are you using TRN/ETRN
> > > > > > to pull mail from the ISP?
> > > > > >
> > > > > > Thanks!
> > > > > > Tom
> > > > > >
> > > > > > Thomas W Shinder
> > > > > > www.isaserver.org/shinder
> > > > > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > > > > Configuring ISA Server: http://tinyurl.com/1llp
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > > > Sent: Sunday, February 09, 2003 3:26 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: DNS and Routers
> > > > >
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > >
> > > > > Hi Tom,
> > > > >
> > > > > > Thanks a lot for your help, but unfortunately I must say, that
> > > > > > I knew all of this already. It's a shame really... Ok, let's
> > > > > > start all over again, where's the reset button...
> > > > > >
> > > > > > You got the ISA part right down there. What went amiss was the
> > > > > > UUNET router. This router is with its current setup a potential
> > > > > > security risk *AND* forces the customer to use some weird
> > > > > > network settings on the DC (=Exchange). I will try to explain
> > > > > > again:
> > > > >
> > > > > > From the external point of view there are two entry points
> > > > > > into the network, both at routers that manage dod connections.
> > > > > > The difference between them is: one is connected to the
> > > > > > external NIC of the ISA box (DSL), the other one is directly
> > > > > > connected to the network (ISDN I think). Let's call them DSL
> > > > > > and UU.
> > > > >
> > > > > > This setup is not desirable, so one task would be to put both
> > > > > > routers onto a network that is connected to the external ISA
> > > > > > interface.
> > > > > >
> > > > > > Now this is not the real problem. Let's talk about mail
> > > > > > delivery.
> > > > >
> > > > > > I'm sure you agree that an SMTP server with a variable IP
> > > > > > address is not a good idea. Many SMTP hosts reject such
> > > > > > connections. Moreover, you'd be having problems with incoming
> > > > > > mails, because to my knowledge there is no reliable way to have
> > > > > > an MX point to the obtained IP address - even dyndns has its
> > > > > > drawbacks such as cached entries and so forth....
> > > > >
> > > > > > That's why I don't intend to change the customer's setup in
> > > > > > this respect. So here comes the UU router. This router connects
> > > > > > to UUNET regularly (it's being pinged by the DC). UUNET detects
> > > > > > the connection and starts delivering mails to the DC. Any
> > > > > > outgoing mail is sent to something like mail.uu.net. Here's the
> > > > > > second important point: for authentication reasons
> > > > > > (smarthosting, relaying) the connection to mail.uu.net has to
> > > > > > come from an internal address to the UUNET network (no big
> > > > > > deal). That's the reason why the DC has the UU router as a
> > > > > > default gateway. Right now this works more or less, but as I
> > > > > > said the setup is a bit spooky.
> > > > >
> > > > > > Now, if we move the UU router to the external segment of the
> > > > > > ISA box, there's going to be the problem of telling ISA how to
> > > > > > handle this. To keep this in mind: the goal is to make the
> > > > > > setup more transparent, eliminate the security problem and also
> > > > > > to resolve the DNS and routing problems within the network.
> > > > >
> > > > > > For my better understanding, let's imagine that both the DSL
> > > > > > and the UU router were connected to the external interface. We
> > > > > > would then have a subnet like 10.1.1.0 or whatever, which would
> > > > > > not be contained in the LAT, right? The default gateway on the
> > > > > > external NIC would point to the "primary" router (this would be
> > > > > > DSL). Now, back to mails: opening a connection to UUNET is not
> > > > > > a problem, we can ping from the ISA box to the UU router, thus
> > > > > > initiating delivery. Surely we would need to publish the
> > > > > > exchange and check with UUNET what to reconfigure at the UU
> > > > > > router and so forth. Not a real problem there.
> > > > >
> > > > > > Outgoing mails would be a bit more tricky: the current setting
> > > > > > (def. gw. on the DC pointing to UU) would have to be changed.
> > > > > > So the DC would just be a Secure NAT client. When we try to
> > > > > > deliver the mails, we will connect to mail.uu.net. The default
> > > > > > route on the ISA box would direct all traffic to the DSL router
> > > > > > and the connection will fail (because the request to
> > > > > > mail.uu.net will then not come from within UUNET network). So
> > > > > > we would have to implement a route or something else that
> > > > > > automagically directs the traffic to mail.uu.net to the UU
> > > > > > router.
> > > > >
> > > > > > I've set up a few ISA boxes but I'm not really familiar with
> > > > > > the SMTP functionality, and I'm also not a geek when it comes
> > > > > > to routing and manually adding routes... So the question is: is
> > > > > > that possible?
> > > > >
> > > > > > I think that changing the mail setup may be another approach
> > > > > > but this would involve a number of other problems (domain,
> > > > > > delivery mechanism and so on... Btw features that are not
> > > > > > available at the DSL connection's ISP, I'm afraid)
> > > > >
> > > > > > Alright, sorry for producing such a lengthy mail. And thanks
> > > > > > for listening, as always :)
> > > > > > Mark
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives:
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT
> > > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org
> > > Discussion List
> > > > > as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a
> > > blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives:
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT
> > > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org
> > > Discussion List
> > > > > as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > > > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site:
> http://www.msexchange.org/ Windows
> > > > Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT
> > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> Discussion List
> > > > as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a
> blank email
> > > > to $subst('Email.Unsub')
> > > >
> > > > ------------------------------------------------------
> > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > > > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site:
> http://www.msexchange.org/ Windows
> > > > Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT
> > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org
> Discussion List
> > > > as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')
> > > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/ Windows
> > > Security Resource Site: http://www.windowsecurity.com/ Windows
> > > 2000/NT > Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a
> > > blank email to $subst('Email.Unsub')
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/ Windows
> > > Security Resource Site: http://www.windowsecurity.com/ Windows
> > > 2000/NT > Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
> > > List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email
> > > to $subst('Email.Unsub')
> > >
> >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> jschwarzkopf@xxxxxxxxxx
> > To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: mark@xxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>

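An added illustration of the routing question raised in this thread (not code from any poster): with both routers on the external segment, a host route for the smarthost's address overrides the default route via DSL under standard longest-prefix matching. All addresses are constructed placeholders, and the sketch assumes the ISA box forwards according to the operating system's routing table.

```python
import ipaddress

# Constructed addresses: the thread names only "a subnet like 10.1.1.0";
# the gateway and smarthost IPs below are placeholders for illustration.
DSL_GW = "10.1.1.1"       # DSL router, default gateway on the external NIC
UU_GW = "10.1.1.2"        # UUNET router on the same external segment
SMARTHOST = "192.0.2.25"  # stands in for whatever mail.uu.net resolves to


def build_table(with_host_route):
    """Routing table of the external NIC as (network, gateway) pairs."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), DSL_GW),       # default route
        (ipaddress.ip_network("10.1.1.0/24"), "on-link"),  # external segment
    ]
    if with_host_route:
        # Host route: only traffic to the smarthost leaves via the UU router.
        table.append((ipaddress.ip_network(SMARTHOST + "/32"), UU_GW))
    return table


def next_hop(table, destination):
    """Longest-prefix match: the most specific matching route wins."""
    dest = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in table if dest in net]
    if not matches:
        raise LookupError("no route to " + destination)
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def misrouted(table, resolved_addresses):
    """Smarthost addresses that would still leave through another gateway.

    A static route pins an IP address, not a host name. If the smarthost
    name resolves to an address without a host route, that mail follows the
    default route and no longer arrives from inside the provider's network.
    """
    return [a for a in resolved_addresses if next_hop(table, a) != UU_GW]


if __name__ == "__main__":
    for label, table in (("default only", build_table(False)),
                         ("with host route", build_table(True))):
        print(label, "-> smarthost via", next_hop(table, SMARTHOST))
    # 192.0.2.26 is a constructed second address for the smarthost name.
    print("uncovered:", misrouted(build_table(True), [SMARTHOST, "192.0.2.26"]))
```

Running `misrouted` against the addresses the smarthost name currently resolves to is a quick check after any DNS change at the provider.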


