ISA Server and secondary gateway with SMTP server publishing

Bozen999
Hello,
I need to plan the following configuration on ISA Server 2004:

I need to set up a secondary gateway on ISA Server, that would be used as a backup for when my primary connection is down. The second internet connection is a gentle offer from a neighbor, who has posed the condition that I don't do any change in his network configuration other than port forwarding. (Basically: I get permission as long as everything is painless and doesn't require any configuration on his side).

- primary gateway is on an ADSL line with static IP (public)
- secondary gateway would be a connection to a wireless router, with a static IP address
- the wireless router has NAT installed and I would configure "virtual server" to forward from all ports to the internal address ISA would be listening to
- the wireless router has the internal interface set to 192.168.1.x, which happens to be the same private network I set up in my internal network
- I cannot reconfigure the wireless router, except for the port forwarding mentioned above, so I would end up with ISA server using as secondary gateway an address it considers "internal" (I understand security implications, and the fact that ISA complains about external interface in the same subnet of internal network)
- I have a third NIC ready on the server for the secondary gateway, and it would be separate from real internal network being on a different VLAN

I would like to achieve the following:
- ISA Server using the secondary gateway only as backup (configuring 'metric' right?)
- ISA Server considering, if possible, that address as kind of 'exception', thus enforcing security even though the address is in the internal subnet
- SMTP server published through ISA should map through the secondary gateway as well (configuring MX record in DNS)
- DNS through secondary gateway as well

I could, of course, change my whole internal subnet to be 192.168.y.x, where y is not equal to 1, but I would prefer not to reconfigure the servers (I really fear what Active Directory can do...)

Does anyone know if such a configuration is possible (if not "supported"), and what kind of problems I would face?

It would be also nice (if the router of the secondary gateway permits VPN passthrough), to be able to connect to my internal network through VPN, which is configured in ISA server.

Thanks in advance to anyone that will point me in the right direction.
Most Valuable Expert 2011

Commented:
"I need to set up a secondary gateway on ISA Server, that would be used as a backup for when my primary connection is down."
It is just flat out not possible,...never gonna happen.
The new version, TMG (aka ISA2008) will have the ability.

Author

Commented:
Ok. I'll take your word for it and stop wasting time. Just as curiosity, why isn't it possible? I said 'gateway' but maybe I should have said 'external interface'; ISA can manage more than one, what good is it if it can't alternatively route traffic to the one working? Or maybe I am totally confused here, in which case I apologize.

By the way: my neighbor turns out to be an ecology enthusiast, so after he learned his wi-fi router is always broadcasting... he called the provider immediately demanding they change it with something not harmful to his health (!!). So goodbye fault-tolerant internet connection :-)
Most Valuable Expert 2011
Commented:
A second External nic can only be used for specific destinations as defined in a routing table,...it cannot be used for failover, loadbalancing, or for general Internet use.
ISA does not do it because Windows does not do it and Windows does not do it because the TCP/IP Protocol (by itself) is not capable of doing this.
Devices that do this have specifically designed software that runs above the OS and the TCP/IP stack to make it happen. TMG will have this,...previous versions of ISA do not.
ISA Firewall Dirty Dozen FAQ
http://www.isaserver.org/tutorials/ISA-Firewall-Dirty-Dozen-FAQ.html
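
As an added illustration (not part of the thread and not ISA Server code), the sketch below models a static routing table of the kind the last comment describes, using longest-prefix match and then lowest metric, and flags the overlapping 192.168.1.x subnets from the question. The interface names, gateways and documentation-range addresses are constructed assumptions.

```python
import ipaddress

# Constructed table for illustration: (destination, gateway, interface, metric).
# 192.168.1.0/24 is the internal range named in the thread; the other
# addresses are documentation ranges chosen for this example.
ROUTES = [
    ("192.168.1.0/24", None, "internal", 10),
    ("0.0.0.0/0", "203.0.113.1", "adsl", 10),
    ("0.0.0.0/0", "10.0.0.1", "backup", 50),
    ("198.51.100.0/24", "10.0.0.1", "backup", 10),
]


def select_route(dest, routes=ROUTES, links_down=()):
    """Return (interface, gateway) by longest prefix, then lowest metric.

    Only routes whose local link is down are skipped; nothing in the
    table reflects whether the path beyond the gateway still works.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [
        (ipaddress.ip_network(net), gw, ifc, metric)
        for net, gw, ifc, metric in routes
        if ifc not in links_down and addr in ipaddress.ip_network(net)
    ]
    if not candidates:
        return None
    net, gw, ifc, _ = min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))
    return ifc, gw


def overlapping(networks):
    """Return pairs of interface names whose subnets overlap."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in networks.items()]
    return [
        (a, b)
        for i, (a, na) in enumerate(nets)
        for b, nb in nets[i + 1:]
        if na.overlaps(nb)
    ]


if __name__ == "__main__":
    print(select_route("192.0.2.80"))                       # general Internet
    print(select_route("198.51.100.25"))                    # specific destination
    print(select_route("192.0.2.80", links_down={"adsl"}))  # local link lost
    print(overlapping({"internal": "192.168.1.0/24", "backup": "192.168.1.0/24"}))
```

In this model the higher-metric default route is chosen only when the primary interface's local link is down; an outage further upstream leaves the table, and therefore the selection, unchanged.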
 
