CSS SMTP failover design question

Unanswered Question
Aug 16th, 2007

I have a question about designing a failover for SMTP server between HQ site and DR site.

I have web servers failover using this CSS.

I have a one armed config and cannot change it, I am using

"add destination service" for the web servers and it works.

The problem is that on a Mail server, it can initiate connections to send mail from the inside and I am thinking I will have reverse lookup problems when the connection to remote mail domains from my server will NAT from the PIX rather than the CSS.

I have looked into having all traffic route through the CSS from the PIX firewalls to the edge router.

I am also wondering about having PTR records in our hosted DNS for the 4 IP Addresses that traffic could originate from (two at HQ and two at DR).

I am not sure which way to go with this, but I need to get something set up for a DR test next month.

Does anyone have any input about this?

Are the PTR records an ok way to go?

What about forcing the traffic through the CSS, then from the CSS to the edge router?

Gilles Dufour Fri, 08/17/2007 - 03:23

basically, your concern is traffic originated from the mail server.

You want to make all this traffic look as if coming from a single unique server ip.

So, I would say you need to nat this traffic with the vip address and you can do it using ACL on the CSS.

Then the PIX can, if needed, nat this vip address into a public address.

So from outside to inside, clients communicate with the public address, which is NATed by the PIX into the vip address. Traffic is loadbalanced to the servers and everything is ok.

From inside to outside, the CSS NATs, with the ACL, the server ip into the vip address, which the PIX translates into the public ip, and if a reverse lookup is done, it should show the mailserver name of your company.

Gilles.

wilson_1234_2 Fri, 08/17/2007 - 05:24

I appreciate your reply.

Here is the problem:

The CSS, edge router and PIX are all sitting in the same LAN with the VIP address being a public IP address and the services have public IP addresses also.

So the CSS is sitting on the outside network.

The CSS is taking inbound and sending to the PIX NATed address; if that server is down, the CSS forwards to the second PIX NATed address.

Inbound, the traffic all hits the VIP and the CSS forwards it to the public IP NAT on the outside interface of the PIX. That works ok.

The problem is on the outbound: I am not sure if I should try and force the e-mail traffic through the CSS (from PIX to CSS to edge router and out), or make sure the hosted DNS will have PTR records for the NATed addresses of the servers (bypassing the CSS outbound).

Our failover scenario depends on the default gateway being dynamic, so I cannot static route through the CSS to the edge router.

Gilles Dufour Wed, 08/22/2007 - 03:53

I see the concern now.

Unfortunately I do not know what other people do in this case and I have never thought about this before.

I guess the DNS solution seems to be the best option.

Gilles.

wilson_1234_2 Wed, 08/22/2007 - 04:28

Thanks for the reply.

This is what I am going to try and see if there will be any problems:

I have PTR records set up for all of the service addresses that could potentially send mail depending on the failover scenario.

They all point to mail.mydomain.com, only one will ever be active at any one time.

The VIP will take all inbound mail, so that should be no problem.

When my clients send mail, it will originate from the service IP address NATed on the PIX.

If the remote server does a reverse lookup, the PTR will point to mail.mydomain.com.

Something else is that I can prevent any access to the PIX NATed Service IP address by only allowing inbound mail from the CSS group address to the PIX NATed address.
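The PTR plan above can be verified before the DR test the same way a receiving MTA would check it: every address mail could leave from (the NATed service IPs at HQ and DR) must reverse-resolve to the mail host name, and that name must forward-resolve back to the same address (forward-confirmed reverse DNS). A PTR alone is not enough for many receivers; the A record of mail.mydomain.com has to list the address too. The script below is an added example, not part of the original post or of any Cisco tool; the IP addresses and zone data are constructed stand-ins for the hosted DNS, and `mail.mydomain.com` is the name used in the thread.

```python
"""Offline forward-confirmed reverse DNS (FCrDNS) audit for the candidate
SMTP egress addresses described in the thread.

Added example, not code from the original post. All addresses and DNS data
below are constructed placeholders, not values from the thread."""

import socket
from ipaddress import ip_address

# Constructed hosted-zone data: four possible egress IPs (two HQ, two DR).
# The last one is deliberately misconfigured to show what the check catches.
PTR_RECORDS = {
    "203.0.113.10": "mail.mydomain.com",       # HQ primary PIX NAT (constructed)
    "203.0.113.11": "mail.mydomain.com",       # HQ secondary (constructed)
    "198.51.100.10": "mail.mydomain.com",      # DR primary (constructed)
    "198.51.100.11": "mailhost.mydomain.com",  # DR secondary: wrong PTR target
}
A_RECORDS = {
    "mail.mydomain.com": {"203.0.113.10", "203.0.113.11", "198.51.100.10"},
    "mailhost.mydomain.com": set(),
}


def reverse_name(ip):
    """The in-addr.arpa name a resolver queries for an IPv4 address."""
    return ip_address(ip).reverse_pointer


def check_egress_ip(ip, ptr=PTR_RECORDS, a=A_RECORDS, expected="mail.mydomain.com"):
    """Return (ok, reason) for one candidate source address.

    ok is True only when the PTR names the expected host AND that host's
    A records include the address (forward-confirmed reverse DNS)."""
    name = ptr.get(ip)
    if name is None:
        return False, f"no PTR record at {reverse_name(ip)}"
    if name.rstrip(".").lower() != expected.rstrip(".").lower():
        return False, f"PTR names {name}, expected {expected}"
    if ip not in a.get(name, set()):
        return False, f"{name} does not forward-resolve to {ip} (FCrDNS fails)"
    return True, "ok"


def audit(ips, **kw):
    """Run check_egress_ip over every address that could originate mail."""
    return {ip: check_egress_ip(ip, **kw) for ip in ips}


def live_records(ip):
    """Build ptr/a dicts for one address from the real resolver, so the same
    check_egress_ip logic can be run against the hosted DNS once the PTRs
    are published. Requires network access; not used by the offline audit."""
    host = socket.gethostbyaddr(ip)[0]
    _, _, addrs = socket.gethostbyname_ex(host)
    return {ip: host}, {host: set(addrs)}


if __name__ == "__main__":
    for addr, (ok, why) in audit(PTR_RECORDS).items():
        print(f"{addr:15} {'PASS' if ok else 'FAIL'}  {why}")
```

Run as-is it reports three PASS lines and one FAIL for the constructed DR secondary address, whose PTR points at a name that does not resolve back to it. To check the real zone after the records are published, call `check_egress_ip(ip, *live_records(ip))` for each NATed service address.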

wilson_1234_2 Tue, 08/28/2007 - 06:15

Gilles,

My understanding is that if I can get the traffic to flow back through the CSS even in one-armed mode, with the CSS sitting outside the PIX, the traffic will be sourced from the VIP address and I do not need to use "destination service".

Is this correct?
