RE: DNS and Routers

  • From: "Mark Hippenstiel" <m.hippenstiel@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 9 Feb 2003 10:25:42 +0100

Hi Tom,

Thanks a lot for your help, but unfortunately I must say that I knew all of
this already. It's a shame really... Ok, let's start all over again, where's
the reset button...

You got the ISA part right down there. What went amiss was the UUNET router.
This router is with its current setup a potential security risk *AND*
forces the customer to use some weird network settings on the DC
(=Exchange). I will try to explain again:

From the external point of view there are two entry points into the network,
both at routers that manage dod connections. The difference between them is:
one is connected to the external NIC of the ISA box (DSL), the other one is
directly connected to the network (ISDN I think). Let's call them DSL and
UU.

This setup is not desirable, so one task would be to put both routers onto a
network that is connected to the external ISA interface.

Now this is not the real problem. Let's talk about mail delivery.

I'm sure you agree that an SMTP server with a variable IP address is not a
good idea. Many SMTP hosts reject such connections. Moreover, you'd be
having problems with incoming mails, because to my knowledge there is no
reliable way to have an MX point to the obtained IP address - even dyndns
has its drawbacks such as cached entries and so forth....

That's why I don't intend to change the customer's setup in this respect. So
here comes the UU router. This router connects to UUNET regularly (it's
being pinged by the DC). UUNET detects the connection and starts delivering
mails to the DC. Any outgoing mail is sent to something like mail.uu.net.
Here's the second important point: for authentication reasons (smarthosting,
relaying) the connection to mail.uu.net has to come from an internal address
to the UUNET network (no big deal). That's the reason why the DC has the UU
router as a default gateway. Right now this works more or less, but as I
said the setup is a bit spooky.

Now, if we move the UU router to the external segment of the ISA box,
there's going to be the problem of telling ISA how to handle this. To keep
this in mind: the goal is to make the setup more transparent, eliminate the
security problem and also to resolve the DNS and routing problems within the
network.

For my better understanding, let's imagine that both the DSL and the UU
router were connected to the external interface. We would then have a subnet
like 10.1.1.0 or whatever, which would not be contained in the LAT, right?
The default gateway on the external NIC would point to the "primary" router
(this would be DSL). Now, back to mails: opening a connection to UUNET is
not a problem, we can ping from the ISA box to the UU router, thus
initiating delivery. Surely we would need to publish the exchange and check
with UUNET what to reconfigure at the UU router and so forth. Not a real
problem there.

Outgoing mails would be a bit more tricky: the current setting (def. gw. on
the DC pointing to UU) would have to be changed. So the DC would just be a
Secure NAT client. When we try to deliver the mails, we will connect to
mail.uu.net. The default route on the ISA box would direct all traffic to
the DSL router and the connection will fail (because the request to
mail.uu.net will then not come from within the UUNET network). So we would have
to implement a route or something else that automagically directs the
traffic to mail.uu.net to the UU router.

I've set up a few ISA boxes but I'm not really familiar with the SMTP
functionality, and I'm also not a geek when it comes to routing and manually
adding routes... So the question is: is that possible?

I think that changing the mail setup may be another approach but this would
involve a number of other problems (domain, delivery mechanism and so on...
Btw features that are not available at the DSL connection's ISP, I'm afraid)

Alright, sorry for producing such a lengthy mail. And thanks for listening,
as always :)
Mark
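The routing question at the end of the mail (send everything to the DSL router by default, but send traffic for mail.uu.net through the UU router on the same external segment) comes down to longest-prefix matching in the ISA box's own routing table. The following is an added illustration, not code from the post, from Tom's reply or from ISA Server: it models the external segment with constructed addresses (10.1.1.0/24 for the two routers, 192.0.2.25 standing in for whatever mail.uu.net resolves to, 192.168.0.0/24 for the LAT), shows that a /32 host route wins over the default route, prints the Windows `route -p add` command that would install it persistently, and includes a check for the caveat that a host route only covers the one address it was written for.

```python
import ipaddress

# All addresses below are constructed for illustration (TEST-NET ranges and a
# private external segment); they are not the customer's real addresses.
DSL_ROUTER = "10.1.1.1"        # "primary" router, default gateway of the external NIC
UU_ROUTER = "10.1.1.2"         # UUNET dial-on-demand router, moved to the same external segment
MAIL_UU_NET_IP = "192.0.2.25"  # stands in for whatever mail.uu.net resolves to

# Routing table of the ISA box once both routers share the external segment,
# before any special route: (prefix, gateway or None if directly connected, interface)
ROUTES_BEFORE = [
    ("0.0.0.0/0", DSL_ROUTER, "external"),
    ("10.1.1.0/24", None, "external"),
    ("192.168.0.0/24", None, "internal"),   # the LAT side
]

# Same table plus one persistent host route for the smarthost address.
ROUTES_AFTER = ROUTES_BEFORE + [(MAIL_UU_NET_IP + "/32", UU_ROUTER, "external")]


def lookup(routes, dst):
    """Return (gateway, interface) for dst by longest-prefix match, which is
    how every IP stack selects a route: the most specific prefix wins, so a
    /32 host route beats the 0.0.0.0/0 default pointing at the DSL router."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def windows_route_command(dst_ip, gateway):
    """The route.exe command that installs the host route persistently on the
    ISA box (Windows syntax: route -p add <dest> mask <netmask> <gateway>)."""
    return f"route -p add {dst_ip} mask 255.255.255.255 {gateway}"


def addresses_not_via(routes, addresses, gateway):
    """Check: which of the addresses a name currently resolves to would NOT
    leave through `gateway`? A host route covers only the single address it
    was written for, so if mail.uu.net resolves to several addresses, or the
    address changes, delivery silently falls back to the default route and is
    rejected by UUNET again."""
    return [a for a in addresses if lookup(routes, a) != (gateway, "external")]


if __name__ == "__main__":
    print("before:", lookup(ROUTES_BEFORE, MAIL_UU_NET_IP))
    print("after: ", lookup(ROUTES_AFTER, MAIL_UU_NET_IP))
    print(windows_route_command(MAIL_UU_NET_IP, UU_ROUTER))
    print("not via UU:", addresses_not_via(ROUTES_AFTER, ["192.0.2.25", "192.0.2.26"], UU_ROUTER))
```

The point of the model is that the route decides the gateway, and the gateway decides which network UUNET sees the connection arriving from: once the DC is a plain SecureNAT client, its outbound SMTP leaves through whichever route the ISA box's table selects, so the host route is what keeps the smarthost connection on the UUNET side. The `addresses_not_via` check is the thing to re-run whenever the resolved address of mail.uu.net is in doubt; if the routed address no longer matches, the failure mode is exactly the rejected connection described in the mail, with nothing else obviously broken.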