joeyg2391, posted December 30, 2010:

Hello, I currently have a Windows 2003 domain environment with the same internal domain as my external domain. I also have Exchange 2007 with mail working perfectly fine except for my remote site. I have a dedicated IPsec VPN line to my remote site that is part of my domain. The Windows 2003 server that I have on the remote site has an Active Directory integrated zone, and I have configured a site link to my main office using Active Directory Sites and Services. So my primary network address is 192.168.1.0 and the remote is 192.168.2.0. When the VPN link is up and running all mail flows smoothly, but the problem arises when the connection drops due to internet problems at the remote site. When the link is down, users at the remote site can't get email through Outlook or OWA. I'm pretty sure the reason is that the remote mail clients go through the VPN link to get access to email. I know the root of the problem is that I'm using the same internal and external domain name. I created an A record on my remote DNS server saying anything going to mail.xxx.xxx goes to the external IP address, and I left the existing A record in place which points to my mail server's internal IP address. I had my brother change that at the remote site but don't know if it will work. Any recommendations on how to fix this? Thanks
cluberti, posted December 31, 2010:

It might be better to configure routing rules on your fw to allow certain traffic to your mail servers from certain IPs (external), so that if the internal VPN link goes down, those clients can still get to and use your mail services using the same name (but hitting public IPs). This is called a split DNS, and I've used this extensively in many environments. If you're a Microsoft shop, using something like ISA or TMG firewalls makes this easier, but it can be done with any product if you know the ports in and out you want to allow, and to which IP address ranges.
joeyg2391 (author), posted January 3, 2011:

> It might be better to configure routing rules on your fw to allow certain traffic to your mail servers from certain IPs (external), so that if the internal VPN link goes down, those clients can still get to and use your mail services using the same name (but hitting public IPs). This is called a split DNS, and I've used this extensively in many environments. If you're a Microsoft shop, using something like ISA or TMG firewalls makes this easier, but it can be done with any product if you know the ports in and out you want to allow, and to which IP address ranges.

I have a simple Draytek 2130 router that can create two VPN tunnels. Can you tell me how I can go about doing this? Thanks for the reply
cluberti, posted January 3, 2011:

I'm not familiar with that device, so someone else who is would have to tell you specifics. However, if you're talking generalities, you'd have to open ports for whatever mail protocols you used, and if the firewall can configure ports based on source IP, you'd base those open ports on the source IP of the end network's public IP addresses, for example. As to specifics, again, I can't give that as I haven't used that router before (I've not heard of it before this, in fact). I did some quick research on it and it looks pretty spartan, so this may not be possible, but you could always ask the vendor (Draytek) if they know how to do such a thing.
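The two ideas in cluberti's replies (one name answered differently depending on which network asks, and mail ports opened only to specific public source addresses) are easier to reason about as a small model. The following is an added example, not code from the thread or from any DNS or firewall product; the hostname mail.example.com, the Exchange server's LAN address, the public NAT addresses (RFC 5737 ranges) and the port list are all constructed placeholders, and only the two office networks come from the original post. It shows why a remote-site client whose VPN is down can still reach mail by name: its traffic leaves through the remote site's public address, so the external answer works exactly when the firewall admits that source address on the mail port.

```python
"""Model of a split-horizon DNS view plus source-IP-scoped firewall rules.

Added illustration; not code from the thread or from any DNS/firewall vendor.
All names and public addresses are constructed placeholders, not the poster's
real environment.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

MAIL_NAME = "mail.example.com"  # constructed stand-in for the thread's mail.xxx.xxx

# Networks that should receive the internal (LAN) answer: main office and remote site.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # main office (from the thread)
    ipaddress.ip_network("192.168.2.0/24"),  # remote site (from the thread)
]

# One name, two answers: the "view" chosen depends on who is asking.
ZONE_VIEWS = {
    "internal": {MAIL_NAME: "192.168.1.10"},  # constructed LAN address of the Exchange server
    "external": {MAIL_NAME: "203.0.113.10"},  # constructed public address NATed to it
}


def select_view(client_ip: str) -> str:
    """Pick the DNS view for a querying client by its source address."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Answer `name` for `client_ip` from the matching view; None if unknown."""
    key = name.lower().rstrip(".")
    return ZONE_VIEWS[select_view(client_ip)].get(key)


@dataclass(frozen=True)
class Rule:
    """Allow TCP `ports` from the `src` network to the `dst` host; default deny otherwise."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    ports: frozenset


MAIL_PUBLIC = ipaddress.ip_address(ZONE_VIEWS["external"][MAIL_NAME])
REMOTE_OFFICE_NAT = ipaddress.ip_network("198.51.100.7/32")  # constructed public IP of the remote site

RULES = [
    # Only the remote office's public address may reach the client-facing HTTPS port (OWA, Outlook over HTTPS).
    Rule(REMOTE_OFFICE_NAT, MAIL_PUBLIC, frozenset({443})),
    # Inbound SMTP from the Internet at large is what a mail exchanger needs anyway.
    Rule(ipaddress.ip_network("0.0.0.0/0"), MAIL_PUBLIC, frozenset({25})),
]


def allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Any-match-allow, default-deny check against RULES."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in r.src and dst == r.dst and port in r.ports for r in RULES)


def usable_path(vpn_up: bool, remote_nat_ip: str, port: int = 443) -> tuple:
    """Which answer a remote-site client can actually use for MAIL_NAME.

    With the site-to-site VPN up, the internal answer is reachable. With it down,
    the client's traffic leaves via the remote site's public address, so the
    external answer works only if the firewall admits that source on `port`.
    """
    if vpn_up:
        return ("internal", ZONE_VIEWS["internal"][MAIL_NAME])
    external = ZONE_VIEWS["external"][MAIL_NAME]
    if allowed(remote_nat_ip, external, port):
        return ("external", external)
    return ("none", None)


if __name__ == "__main__":
    for client in ("192.168.2.25", "198.51.100.7"):
        print(client, "->", resolve(MAIL_NAME, client))
    print("VPN up:  ", usable_path(True, "198.51.100.7"))
    print("VPN down:", usable_path(False, "198.51.100.7"))
    print("Unknown source, VPN down:", usable_path(False, "192.0.2.5"))
```

The view selection and the rule table are the policy in the abstract; whether a particular DNS server or router can express them is the product question cluberti leaves to the vendor. The default-deny rule table is the part worth keeping in mind when opening a mail server to the Internet: the external answer becomes usable for the remote office without exposing the client-facing port to every other source address.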
joeyg2391 (author), posted January 3, 2011:

> I'm not familiar with that device, so someone else who is would have to tell you specifics. However, if you're talking generalities, you'd have to open ports for whatever mail protocols you used, and if the firewall can configure ports based on source IP, you'd base those open ports on the source IP of the end network's public IP addresses, for example. As to specifics, again, I can't give that as I haven't used that router before (I've not heard of it before this, in fact). I did some quick research on it and it looks pretty spartan, so this may not be possible, but you could always ask the vendor (Draytek) if they know how to do such a thing.

Thanks, I will check to see if it's possible.