
First, let's start with a picture to illustrate my problem...

Network Diagram

Naturally, IP addresses have been obfuscated for security reasons.

I have an internal LAN, 192.168.1.x behind ISA Server 2004. On this network reside a number of fixed workstations, a POP3 mail server (not Exchange) and a WAP supporting mobile clients. All devices are served by DHCP (though with reserved addresses where applicable).

On the Internet-side, I have an ADSL-connected router with a range of public IP addresses. The WAN port on the router has the IP address 123.0.0.241, the LAN port, 123.0.0.246.

Between the two, I have an ISA Server 2004 with two network cards. The first is attached to the router and has a public IP address, 123.0.0.242. The router is configured to route traffic, rather than use NAT. The ISA Server publishes the POP3 mail server on its 123.0.0.242 public IP address.

The problem is this...

When mobile devices are on-site, connected to the WAP, they belong to the 192.168.1.x subnet and connect to the mail server directly, without bothering the ISA Server.

However, when taken off-site, they must now access the POP3 server via the ISA Server on 123.0.0.242.

What I want is a single configuration for the mobile devices that works regardless of whether they're on-site or off-site.

If I configure them with the public IP of the ISA Server (123.0.0.242), they can't contact the mail server when they're on-site, because the IP is on the wrong side of the ISA Server.

Obviously, if I configure them with the private IP of the Mail Server, they can't access it when off-site.

I've tried a split DNS approach, where the FQDN of the mail server resolves to 192.168.1.2 on-site and 123.0.0.242 when off-site. The trouble is that the DNS TTL is too long, so I have to wait an eternity for the devices to refresh the IP address. The Internet-facing DNS Server isn't mine and I have no control over the TTL.

I've tried associating the FQDN of the Mail Server with both the public and the private IP addresses, relying on the DNS client's round-robin failover to eventually select the right IP address. Apart from the fact that it's a really bad idea to use the private IP address on someone else's network, some of the devices seem rather reluctant to fail over to the alternate address when you move from on- to off-site or vice versa.

I can't bind the public IP address to both the internal and external adapters on the ISA Server, as ISA Server complains bitterly (I can't say I blame it).

So, I'm stumped. What I want is for both internal and external clients to be able to access the Mail Server using a public IP address. I have some spare addresses, so I could use another, if that helps.

But I don't know where to go next. Any suggestions would be very gratefully received!

Steve Morgan

1 Answer


The split DNS should be workable.

I'd think that the system's local DNS cache would reset when switching wireless networks... but now that I think of it, I haven't tried that before (and I can't find any documentation one way or the other).

If it is the OS cache, it's easy to overcome:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheTtl

Times are in seconds, so crank that down to just a couple minutes; more frequent queries against a DNS server on your LAN never hurt anyone.

But, I suspect that's not the issue. I would suspect that the mail client application is the culprit in keeping the old host resolution data... which makes things a little more difficult. Depends on your mail application, but, worst-case, users may need to restart their client application if it won't ditch the data from the no-longer-connected network.

Finally, the obligatory security note:

If you're using vanilla port 110 POP3, without an SSL component to the connection, that's a bad thing; it becomes a very, very bad thing on a public wifi network. POP3 is a cleartext protocol; all authentication data and all mail are in clear text, and would be available for the taking to anyone else on the same wifi network.

If you are stuck using POP3 without encryption, then throw this architecture out the window and use remote access VPN.

Shane Madden
Shane, thanks a lot for that. Unfortunately, most of the offending mobile devices are iOS-based (iPhones and iPads) and I seem to have little influence over the operation of the mail clients. Since writing the post, I managed to get somewhere by adding a Network Routing Rule to ISA Server which, while I don't completely understand what I've done, seems to have had a positive effect. Thanks for the reminder about POP3. I've temporarily moved to Challenge-Response authentication. I'll look to move to SSL as soon as possible. – Steve Morgan May 17 '11 at 22:39
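To make the split-DNS/TTL interaction in the question and answer concrete, here is an added example (not code from either poster) that models a split-horizon view handing out 192.168.1.2 on the LAN and 123.0.0.242 elsewhere, plus a stub-resolver cache with a MaxCacheTtl-style cap. The hostname mail.example.com, the 203.0.113.7 off-site address and the 86400-second public TTL are constructed values.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed values mirroring the question; the hostname is assumed, not from the post.
MAIL_FQDN = "mail.example.com"
ON_SITE_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_ADDR = "192.168.1.2"     # POP3 server's private address
PUBLIC_ADDR = "123.0.0.242"       # ISA Server's published listener


def split_horizon_answer(client_ip: str, record_ttl: int) -> Tuple[str, int]:
    """Answer a query for MAIL_FQDN the way a split-horizon DNS view would:
    LAN clients get the internal address, everyone else the ISA listener."""
    inside = ipaddress.ip_address(client_ip) in ON_SITE_NET
    return (INTERNAL_ADDR if inside else PUBLIC_ADDR), record_ttl


class ClientDnsCache:
    """Minimal model of the OS resolver cache. max_cache_ttl plays the role of
    the Dnscache\\Parameters\\MaxCacheTtl registry value (seconds)."""

    def __init__(self, max_cache_ttl: Optional[int] = None):
        self.max_cache_ttl = max_cache_ttl
        self._entries: Dict[str, Tuple[str, float]] = {}   # name -> (addr, expiry)

    def resolve(self, name: str, current_ip: str, now: float, record_ttl: int) -> str:
        # current_ip stands for the network the device is on at query time.
        addr, expiry = self._entries.get(name, (None, 0.0))
        if addr is not None and now < expiry:
            return addr                                  # stale or not, cache wins
        addr, ttl = split_horizon_answer(current_ip, record_ttl)
        if self.max_cache_ttl is not None:
            ttl = min(ttl, self.max_cache_ttl)           # local cap overrides record TTL
        self._entries[name] = (addr, now + ttl)
        return addr


def stale_after_roaming(max_cache_ttl: Optional[int], record_ttl: int = 86400,
                        roam_at: int = 600) -> bool:
    """True if a device that resolved the name on-site, then left the LAN at
    roam_at seconds, is still handed the private address one minute later."""
    cache = ClientDnsCache(max_cache_ttl)
    cache.resolve(MAIL_FQDN, "192.168.1.50", now=0, record_ttl=record_ttl)
    off_site = cache.resolve(MAIL_FQDN, "203.0.113.7", now=roam_at + 60,
                             record_ttl=record_ttl)
    return off_site == INTERNAL_ADDR
```

With no cap the day-long public TTL keeps the private address alive off-site; capping the cache at two minutes forces a fresh lookup that returns the ISA listener, which is the effect the answer describes (an application-level cache in the mail client is outside this model).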