Re: Multiple external IPs, binding on outbound



Absolutely agreed, I support this. This is a big problem exactly because of what you mention here. Checkpoint can do it :) and it would be great functionality to have.

From what I understand, this is a limitation in the OS at the moment; it always uses its primary IP for outbound traffic of any kind, rather a problem for reverse lookup!

--
David Maskell
(CISSP, MCSSA, MBCS, CITP, WCE-WS, nCSE, MCSE: NT4, 2000,2003,Messaging,Security, MCTS:SQL 2005,Vista)


"Tim Parker-Nance" <tim_pn@xxxxxxxxxxx> wrote in message news:Oi%233$uf9HHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
Hi all

My ISA server has a hoard of external IPs. Amongst them are 4 for mail servers and 2 for Radius servers. Inbound works OK, but outbound always binds to the primary external IP. There have been suggestions to change the primary IP to the IP of the mail server, but in our case we have multiple servers so this is not possible.

For mail it is not too much of a problem, except for those mail servers using reverse lookups to identify spam.

For Radius it is a problem. Our upstream provider will only accept Radius Packets of Disconnect (PoD) from our Radius server IPs it knows. As ISA is using the primary external IP all our PoDs are being rejected.

Is there any way of binding outbound traffic to a specific external IP?

If not, please consider this 'feature' of ISA useless and in the next service pack please provide a way to publish outbound traffic similar to inbound so that we can bind our services to the correct external IPs.

Thanks

Tim Parker-Nance

