Hi,

Currently, we have a Windows 2003 AD-based environment that includes: Exchange 2003, ISA 2004 and Citrix. Exchange and Citrix are published through ISA and everything works fine. The line we have attached to ISA is an ADSL line that allows external users an average throughput of 25 kB/second. This is fairly low but prices are too high in this part of the world. For me, Citrix matters more than Exchange, as a 10 minute delayed message will not make much difference when compared to the latency a remote Citrix user faces when viewing a report on a published application. Thus, I have a solution in mind and need to know if it is applicable.

P.S. For those not familiar with Citrix, the above really does not matter much. The core of the inquiry is irrelevant to what we have.

I plan to introduce another ISA 2004 in the network. The roles of the ISA servers in the new configuration shall be as follows:

Current ISA server:
1 - Publishing interface (receiving remote connections).
2 - Reply only to Citrix connections.

New ISA:
1 - Proxy for users to browse the internet and download.
2 - Reply to Exchange inquiries.
All of this post is about the underlined point above. I need to configure Exchange to establish incoming connections on the current ISA server (on which the public IP is configured). However, Exchange shall send all emails through the new ISA. Thus, the upload bandwidth available on the current ISA will be fully dedicated to Citrix. Is this possible to do?
From: United Kingdom
So, are you suggesting having two "exits" from your network? If so, you will essentially have two default gateways to the Internet? Yes?
If so, this is possible, but you will need to define different gateway on different servers to route the traffic as intended. With this done, you will just need to make sure that connections that arrive from one ISA are returned to the same ISA, and not back out the wrong ISA.
For web publishing this should be fine as the source IP will be ISA, but for server publishing rules you will need to enable the "connections appear to come from ISA" option to ensure the traffic is returned to ISA and not to the original client address, which may be reachable via the "other" (wrong) ISA gateway.
Hi,

[[[So, are you suggesting having two "exits" from your network? If so, you will essentially have two default gateways to the Internet? Yes?]]]

YES, that is correct, two default gateways. BUT, every single machine in my network will use the same gateway, the new ISA, except Citrix and the current ISA. These will be the only machines that shall use the current ISA as the default gateway.

[[[…connections that arrive from one ISA are returned to the same ISA, and not back out the wrong ISA.]]]

That is exactly what I want to reverse. I want Exchange to receive connections from one ISA (current ISA) and send connections back through the other ISA (new ISA). That is the way I intend to dedicate sending from the current ISA to Citrix.
I wonder if defining the new ISA's internal IP in Exchange's network properties as the default gateway, as well as (in the publishing rules) making connections appear to come from the client and not the current ISA, will do the thing. This way, a client will contact the current ISA, the current ISA will verify the package and forward the connection to Exchange. The package includes (connection appears to come from the client). Thus, Exchange will care only to send back to the client. To do so, it will check its default gateway, find that it is the new ISA, and send the reply to the client through it. It looks fine in theory but I am not sure if it might work in practice. Any thoughts?
If the connection comes in from ISA1, then the reply from Exchange must go back out through ISA1; that's how stateful filtering works. Stateful means that the firewall remembers the state of a connection in terms of the original request and the associated response/reply. This prevents having to create specific inbound and outbound policies for requests and replies.
If the reply goes out through ISA2, ISA2 will see the packet as a reply to a previous conversation and have no information about the incoming request; hence it will deny/drop the packet.
I think the best that you can do is to define the required default gateway on individual machines to decide which ISA handles the request. However, inbound requests and associated replies will need to be persistent to the same ISA server.
Maybe I am confused about what you need?
< Message edited by Jason Jones -- 7.May2009 7:38:50 AM >
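A toy model of the stateful-filtering point made in this reply, added here as an illustration (not code from the thread or from ISA Server): two simulated ISA gateways each keep their own connection table, and Exchange picks its return path from the source address it saw and from its default gateway. All addresses, names and the port are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed addresses: two ISA LAN interfaces, the Exchange box, one Internet client.
ISA1_LAN, ISA2_LAN = "10.0.0.1", "10.0.0.2"
EXCHANGE, CLIENT = "10.0.0.25", "203.0.113.7"


@dataclass
class StatefulISA:
    """Minimal stand-in for a stateful firewall with a server publishing rule."""
    name: str
    lan_ip: str
    flows: set = field(default_factory=set)   # (client, server, port) admitted here
    nat: dict = field(default_factory=dict)   # (server, port) -> real client, when NATed

    def publish(self, client, server, port, appear_from_isa):
        """Inbound request: record the flow and return the source address Exchange sees."""
        self.flows.add((client, server, port))
        if appear_from_isa:                    # "requests appear to come from ISA"
            self.nat[(server, port)] = client
            return self.lan_ip
        return client                          # original client address preserved

    def reply(self, src, dst, port):
        """Outbound reply: undo NAT if it was applied, then require matching state."""
        if dst == self.lan_ip:
            dst = self.nat.get((src, port), dst)
        return (dst, src, port) in self.flows  # no state here -> dropped


def simulate(appear_from_isa, exchange_gateway):
    """Return (ISA the reply leaves through, whether that ISA forwards it)."""
    isa1, isa2 = StatefulISA("ISA1", ISA1_LAN), StatefulISA("ISA2", ISA2_LAN)
    by_ip = {ISA1_LAN: isa1, ISA2_LAN: isa2}
    seen_src = isa1.publish(CLIENT, EXCHANGE, 25, appear_from_isa)
    # Exchange sends to an on-link address directly, anything else via its default gateway.
    next_hop = seen_src if seen_src in by_ip else exchange_gateway
    egress = by_ip[next_hop]
    return egress.name, egress.reply(EXCHANGE, seen_src, 25)


if __name__ == "__main__":
    print("client IP kept, gateway ISA2:", simulate(False, ISA2_LAN))  # the proposal
    print("source = ISA1, gateway ISA2: ", simulate(True, ISA2_LAN))
    print("client IP kept, gateway ISA1:", simulate(False, ISA1_LAN))
```

The first case is the layout proposed in the thread: the reply is routed to ISA2, which has no entry for the flow and drops it; the other two keep request and reply on ISA1.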