RE: DNS and Routers

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Feb 2003 17:57:25 -0500

Okay.  I have set up a somewhat similar environment, though not with UUNET:
We have a smart host/relay between the ISA server and 2 T1's.
Exchange forwards mail to the smart host
Exchange published on ISA for incoming.
ISA has IPs for each external subnet (each T1 - or in your case, the DSL and
the UUNET).
Your Def Gateway would be the DSL
Add route on the ISA server for the SMTP smart host (or in your case the
UUNET ISP smart host) via the second ISA IP.
You also have to delete the subnet route created by the secondary IP for the
ISA to actually forward to the UUNET. In other words, if the SMTP smart host
were 10.1.1.5, add that route via the ISA's 10.1.1.x IP (the secondary IP on
the ISA external nic), and delete the 10.1.1.0 route.  If you use a public
SMTP smart host (UUNET's), then still add the route via the UU router's
10.1.1.y IP, and delete the 10.1.1.0 route.


I'm not sure what the 'business way' means, but this should work.
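
Added example, not part of Jay's message or the original thread: a small longest-prefix-match model of the routing table on the ISA external interface. It shows why a host route for the smart host sends that traffic to the UU router while the default gateway (DSL) still carries everything else. All addresses are constructed placeholders, and the model covers route selection only, not the subnet-route deletion step.

```python
import ipaddress

# Constructed addresses for illustration; none of them come from the thread.
DSL_ROUTER = "10.1.1.1"       # default gateway on the external segment
UU_ROUTER = "10.1.1.2"        # second router on the same segment
SMART_HOST = "192.0.2.25"     # placeholder for the ISP's SMTP smart host
WEB_HOST = "198.51.100.80"    # any other Internet destination

# (prefix, gateway, metric) as a simplified routing table.
BASE_TABLE = [
    ("0.0.0.0/0", DSL_ROUTER, 1),      # default route via DSL
    ("10.1.1.0/24", "on-link", 1),     # external segment, not in the LAT
    ("192.168.0.0/24", "on-link", 1),  # internal network (LAT)
]


def select_gateway(routes, destination):
    """Pick the gateway by longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    matches = []
    for prefix, gateway, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net:
            matches.append((net.prefixlen, -metric, gateway))
    if not matches:
        return None
    return max(matches)[2]


def with_host_route(routes, host, gateway, metric=1):
    """Return a copy of the table with a /32 route for one host."""
    return routes + [(f"{ipaddress.ip_address(host)}/32", gateway, metric)]


def unexpected_via(routes, destinations, gateway, allowed):
    """List destinations that leave via `gateway` but are not in `allowed`."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    leaks = []
    for dest in destinations:
        if select_gateway(routes, dest) != gateway:
            continue
        addr = ipaddress.ip_address(dest)
        if not any(addr in net for net in allowed_nets):
            leaks.append(dest)
    return leaks


if __name__ == "__main__":
    fixed = with_host_route(BASE_TABLE, SMART_HOST, UU_ROUTER)
    for dest in (SMART_HOST, WEB_HOST):
        print(dest, "before:", select_gateway(BASE_TABLE, dest),
              "after:", select_gateway(fixed, dest))
    # A /24 route instead of a /32 also pulls neighbouring hosts onto UU.
    broad = BASE_TABLE + [("192.0.2.0/24", UU_ROUTER, 1)]
    print(unexpected_via(broad, [SMART_HOST, "192.0.2.99"], UU_ROUTER,
                         [SMART_HOST + "/32"]))
```

The `unexpected_via` check is useful when reviewing a route change: anything it returns would bypass the default gateway without having been intended to.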


----- Original Message -----
From: "Mark Hippenstiel" <m.hippenstiel@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 11, 2003 4:46 PM
Subject: [isalist] RE: DNS and Routers


> http://www.ISAserver.org
>
>
> Hi Jay,
>
> If you read the follow-ups, you'll find out that we solved the problem the
> 'business' kind of way... Forgive me that I don't have enough expertise in
> explaining things correctly. Ok, you got it partly right; the UU router
> _currently_ is not connected to the external interface of the ISA box,
> instead it's plugged right into the internal network's switch. Only this way
> Exchange is able to talk to UUNET directly - and we don't need to publish it
> in ISA. I somehow developed the idea that theoretically it must be possible
> to do what you write: direct SMTP traffic to a router that is connected to a
> private network that is not part of the LAT. Bear in mind that the UUNET
> router also is a NAT device and dials up just like the DSL modem.
>
> Thanks for listening,
> Mark
>
> > -----Original Message-----
> > From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
> > Sent: Tuesday, February 11, 2003 10:21 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS and Routers
> >
> > Mark, I'm not sure I followed your original email correctly,
> > but I think I may have a way around this.  But first let me
> > try and verify we're talking about the same things:
> >
> > ISA external nic is connected to a switch (private subnet
> > that is not in the LAT), along with your DSL modem and your
> > UU router. Exchange published on ISA, and delivering all mail
> > to a smart host/relay server at your UUNET ISP.  If delivered
> > through the DSL, the SMTP host at UUNET will reject it. The
> > ISA uses the DSL as its default gateway. You therefore want
> > to direct SMTP traffic through the UU, and all other traffic
> > through the DSL.
> >
> > Is that correct?
> >
> >
> >
> >
> > > > -----Original Message-----
> > > > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > > Sent: Tuesday, February 11, 2003 2:06 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: DNS and Routers
> > > >
> > > > Hi Tom,
> > > >
> > > > I'm not really certain why we discuss this, but anyway.... Yes I
> > > > know a couple of reasons: one being the DSL-ISP does not support
> > > > ETRN or other delivery mechanisms with this sort of connection,
> > > > secondly all outgoing mails would get stamped/modified by the
> > > > smtp-relay which is ok for private users but imho not for a
> > > > corporate customer. Another thing would be changing the DSL
> > > > contract. Then we would have a fixed IP address. With a domain KK to
> > > > the provider we would also have backup Mxing. Only the costs would
> > > > triple.
> > > >
> > > >
> > > > But all this doesn't really answer my question, does it?? :-)
> > > > Mark
> > > >
> > > > > -----Original Message-----
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > > > > Sent: Tuesday, February 11, 2003 2:58 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: DNS and Routers
> > > > >
> > > > > Hi Mark,
> > > > >
> > > > > Do you know if there's a reason why you can't use your DSL connection
> > > > > to download your mail?
> > > > >
> > > > > Thanks!
> > > > > Tom
> > > > >
> > > > > Thomas W Shinder
> > > > > www.isaserver.org/shinder
> > > > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > > > Configuring ISA Server: http://tinyurl.com/1llp
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > > > Sent: Sunday, February 09, 2003 3:48 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: DNS and Routers
> > > > >
> > > > > Hi Tom,
> > > > >
> > > > > The UUNET router initiates a dial up connection to UUNET (internet).
> > > > > As soon as it goes online, UUNET delivers waiting mails to the
> > > > > exchange server. The exchange server is indeed hosting its own
> > > > > mail domain. Outgoing mail, like I already said, is delivered to the
> > > > > UUNET smarthost. I'm not too sure about the setup at UUNET, but I will
> > > > > check on this on Tuesday.
> > > > >
> > > > > The reason why we cannot use the other internet connection is that
> > > > > there is no such functionality available at the ISP.
> > > > >
> > > > > But I agree the best thing to do would probably be switching to a
> > > > > provider that provides the functionality - it's only a matter of
> > > > > cost...
> > > > >
> > > > > Mark
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > > > > > Sent: Sunday, February 09, 2003 10:09 PM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: DNS and Routers
> > > > > >
> > > > > > Hi Mark,
> > > > > >
> > > > > > What is the purpose of this UU router? Do you need it? Why not use the
> > > > > > DSL line for all Internet related activity? Does this router connect
> > > > > > to the Internet or is it a point to point link with a partner or
> > > > > > remote office?
> > > > > >
> > > > > > Is the Exchange Server hosting its own mail? Or are the users using a
> > > > > > dial up connection to pull mail from their own servers and store it in
> > > > > > the Exchange Store? Or, are you using TRN/ETRN to pull mail from the
> > > > > > ISP?
> > > > > >
> > > > > > Thanks!
> > > > > > Tom
> > > > > >
> > > > > > Thomas W Shinder
> > > > > > www.isaserver.org/shinder
> > > > > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > > > > Configuring ISA Server: http://tinyurl.com/1llp
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > > > > Sent: Sunday, February 09, 2003 3:26 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: DNS and Routers
> > > > > >
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > >
> > > > > > Hi Tom,
> > > > > >
> > > > > > > Thanks a lot for your help, but unfortunately I must say, that I knew
> > > > > > > all of this already. It's a shame really... Ok, let's start all over
> > > > > > > again, where's the reset button...
> > > > > > >
> > > > > > > You got the ISA part right down there. What went amiss was the UUNET
> > > > > > > router. This router is with its current setup a potential security
> > > > > > > risk *AND* forces the customer to use some weird network settings on
> > > > > > > the DC (=Exchange). I will try to explain again:
> > > > > > >
> > > > > > > From the external point of view there are two entry points into the
> > > > > > > network, both at routers that manage dod connections. The difference
> > > > > > > between them is: one is connected to the external NIC of the ISA box
> > > > > > > (DSL), the other one is directly connected to the network (ISDN I
> > > > > > > think). Let's call them DSL and UU.
> > > > > > >
> > > > > > > This setup is not desirable, so one task would be to put both routers
> > > > > > > onto a network that is connected to the external ISA interface.
> > > > > >
> > > > > > Now this is not the real problem. Let's talk about mail
> > > > > > delivery.
> > > > > >
> > > > > > > I'm sure you agree that an SMTP server with a variable IP address is
> > > > > > > not a good idea. Many SMTP hosts reject such connections. Moreover,
> > > > > > > you'd be having problems with incoming mails, because to my knowledge
> > > > > > > there is no reliable way to have an MX point to the obtained IP
> > > > > > > address - even dyndns has its drawbacks such as cached entries and so
> > > > > > > forth....
> > > > > > >
> > > > > > > That's why I don't intend to change the customer's setup in this
> > > > > > > respect. So here comes the UU router. This router connects to UUNET
> > > > > > > regularly (it's being pinged by the DC). UUNET detects the connection
> > > > > > > and starts delivering mails to the DC. Any outgoing mail is sent to
> > > > > > > something like mail.uu.net. Here's the second important point: for
> > > > > > > authentication reasons (smarthosting, relaying) the connection to
> > > > > > > mail.uu.net has to come from an internal address to the UUNET network
> > > > > > > (no big deal). That's the reason why the DC has the UU router as a
> > > > > > > default gateway. Right now this works more or less, but as I said the
> > > > > > > setup is a bit spooky.
> > > > > > >
> > > > > > > Now, if we move the UU router to the external segment of the ISA box,
> > > > > > > there's going to be the problem of telling ISA how to handle this. To
> > > > > > > keep this in mind: the goal is to make the setup more transparent,
> > > > > > > eliminate the security problem and also to resolve the DNS and routing
> > > > > > > problems within the network.
> > > > > >
> > > > > > > For my better understanding, let's imagine that both the DSL and the UU
> > > > > > > router were connected to the external interface. We would then have a
> > > > > > > subnet like 10.1.1.0 or whatever, which would not be contained in the
> > > > > > > LAT, right? The default gateway on the external NIC would point to the
> > > > > > > "primary" router (this would be DSL). Now, back to mails: opening a
> > > > > > > connection to UUNET is not a problem, we can ping from the ISA box to
> > > > > > > the UU router, thus initiating delivery. Surely we would need to
> > > > > > > publish the exchange and check with UUNET what to reconfigure at the
> > > > > > > UU router and so forth. Not a real problem there.
> > > > > > >
> > > > > > > Outgoing mails would be a bit more tricky: the current setting (def. gw.
> > > > > > > on the DC pointing to UU) would have to be changed. So the DC would
> > > > > > > just be a Secure NAT client. When we try to deliver the mails, we will
> > > > > > > connect to mail.uu.net. The default route on the ISA box would direct
> > > > > > > all traffic to the DSL router and the connection will fail (because
> > > > > > > the request to mail.uu.net will then not come from within UUNET
> > > > > > > network). So we would have to implement a route or something else that
> > > > > > > automagically directs the traffic to mail.uu.net to the UU router.
> > > > > >
> > > > > > > I've setup a few ISA boxes but I'm not really familiar with the SMTP
> > > > > > > functionality, and I'm also not a geek when it comes to routing and
> > > > > > > manually adding routes... So the question is: is that possible?
> > > > > > >
> > > > > > > I think that changing the mail setup may be another approach but this
> > > > > > > would involve a number of other problems (domain, delivery mechanism
> > > > > > > and so on... Btw features that are not available at the DSL
> > > > > > > connection's ISP, I'm afraid)
> > > > > > >
> > > > > > > Alright, sorry for producing such a lengthy mail. And thanks for
> > > > > > > listening, as always :)
> > > > > > > Mark
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > List Archives:
> > > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > ISA Server Newsletter:
> > > > http://www.isaserver.org/pages/newsletter.asp
> > > > > > ISA Server FAQ:
> > > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > > ------------------------------------------------------
> > > > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > Windows 2000/NT
> > > > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org
> > > > Discussion List
> > > > > > as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a
> > > > blank email to
> > > > > > $subst('Email.Unsub')
> > > > > >
> > > > > > ------------------------------------------------------
> > > > > > List Archives:
> > > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > ISA Server Newsletter:
> > > > http://www.isaserver.org/pages/newsletter.asp
> > > > > > ISA Server FAQ:
> > > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > > ------------------------------------------------------
> > > > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > Windows 2000/NT
> > > > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org
> > > > Discussion List
> > > > > > as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to
> > > > > > $subst('Email.Unsub')
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives:
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > > > > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Exchange Server Resource Site:
> > http://www.msexchange.org/ Windows
> > > > > Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT
> > > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org
> > Discussion List
> > > > > as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a
> > blank email
> > > > > to $subst('Email.Unsub')
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives:
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > > > > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Exchange Server Resource Site:
> > http://www.msexchange.org/ Windows
> > > > > Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT
> > > > > > Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org
> > Discussion List
> > > > > as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to
> > > > > $subst('Email.Unsub')
> > > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site: http://www.msexchange.org/ Windows
> > > > Security Resource Site: http://www.windowsecurity.com/ Windows
> > > > 2000/NT > Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a
> > > > blank email to $subst('Email.Unsub')
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site: http://www.msexchange.org/ Windows
> > > > Security Resource Site: http://www.windowsecurity.com/ Windows
> > > > 2000/NT > Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email
> > > > to $subst('Email.Unsub')
> > > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > jschwarzkopf@xxxxxxxxxx
> > > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: mark@xxxxxxxxxxxx
> > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> >
>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jschwarzkopf@xxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')



Other related posts: