PC Review



Alias through DNS

 
 
DNSer
 
      4th Aug 2006
I run a shop with W2K3 AD integrated DNS. I also host an Exchange 2003
server.

We have a CISCO firewall in the network and until recently I used DNS
doctoring (aliasing) to redirect requests from my inside users for the
publicly registered email server. In other words, I had a firewall
rule that specified my publicly registered email server (MX), i.e.
mail.mydomain.com, is found at mail.inside.mydomain.com. It worked
great -- there were no problems with name resolution and email. After
maintenance on the firewall, this DNS doctoring stopped working
altogether.

This has become a real annoyance since I have a lot of branch office
and mobile users who visit the main office and cannot access email
because the mail host is named differently on the inside from the
public email name. And without changing settings in their mail client
and/or providing a "new" address for their OWA, they cannot get to
their email.

I've troubleshot the problem with CISCO -- there's no way to recapture
the functionality without changing hardware -- not a very practical
solution. I've thought there may be a way to do it in DNS with the use
of a CNAME RR. But I've also heard there may be problems using CNAME
references for mail servers.

Does anyone have experience with this type of problem and if so, how
did you resolve it?
Any advice or guidance is greatly appreciated.

DNSer

 
Reply With Quote
 
 
 
 
Kurt
 
      4th Aug 2006
If your inside DNS only services your inside clients, it seems like you
should be able to create a mydomain.com lookup zone on your local server,
create whatever records you need for www, ftp, mail, etc. that are also
externally resolvable, and point the MX record for that domain to
mail.inside.mydomain.com.

....kurt

Kevin D. Goodknecht Sr. [MVP]
 
      6th Aug 2006
DNSer wrote:
> I run a shop with W2K3 AD integrated DNS. I also host an Exchange
> 2003 server.
>
> We have a CISCO firewall in the network and until recently I used DNS
> doctoring (aliasing) to redirect requests from my inside users for the
> publicly registered email server. In other words, I had a firewall
> rule that specified my publicly registered email server (MX), i.e.
> mail.mydomain.com, is found at mail.inside.mydomain.com. It worked
> great -- there were no problems with name resolution and email. After
> maintenance on the firewall, this DNS doctoring stopped working
> altogether.
>
> This has become a real annoyance since I have a lot of branch office
> and mobile users who visit the main office and cannot access email
> because the mail host is named differently on the inside from the
> public email name. And without changing settings in their mail client
> and/or providing a "new" address for their OWA, they cannot get to
> their email.
>
> I've troubleshot the problem with CISCO -- there's no way to recapture
> the functionality without changing hardware -- not a very practical
> solution. I've thought there may be a way to do it in DNS with the use
> of a CNAME RR. But I've also heard there may be problems using CNAME
> references for mail servers.

Tell me you aren't hosting the public zone for your public domain on your
internal DNS server, and whether the internal domain is or is not the same
name as your public domain. MX records should never give a CNAME for an SMTP
server; the MX record should give the A record name that the SMTP server
uses in its EHLO/HELO greeting.

> Does anyone have experience with this type of problem and if so, how
> did you resolve it?


I'm going to assume that the internal domain name is not the same as your
public domain. You need to create a forward lookup zone with the
fully-qualified name that you use from the external DNS server, e.g.
"mail.mydomain.com". In that zone create one new host, leave the name field
blank and give it the internal IP of the mail server. Make sure you give
this record a TTL of 15 minutes or less, assuming 15 minutes is the minimum
time it takes for mobile users to move from the internal network to an
external network; you might even use a lower TTL or even a 0 TTL so the
internal record does not get cached at all, but that puts extra load on your
DNS server.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


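The two answers above describe the same split-horizon idea from different angles: Kurt's full internal copy of mydomain.com, and Kevin's narrower "pinpoint" zone named exactly mail.mydomain.com with a single blank-name A record and a short TTL, plus the rule that an MX target must be an A-record name and never a CNAME. The following is an added example, not code from either poster or from the original thread, that models both views of the name space and lints a zone for the two mistakes the thread warns about. All names, addresses and TTLs in it are constructed: mydomain.com, the public address 203.0.113.25 and the inside address 10.0.0.25 are assumptions chosen for illustration.

```python
"""Model of the split-horizon DNS setup discussed in the thread.

Added example (not from the original posts). Zone names, IPs and TTLs are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RR:
    name: str       # owner name, fully qualified, no trailing dot
    rtype: str      # "A", "AAAA", "MX" or "CNAME"
    rdata: str      # for MX: "<preference> <exchange>"
    ttl: int = 3600


# The public zone as an outside resolver sees it (constructed data).
EXTERNAL: Dict[str, List[RR]] = {
    "mydomain.com": [
        RR("mydomain.com", "MX", "10 mail.mydomain.com"),
        RR("mail.mydomain.com", "A", "203.0.113.25"),
        RR("www.mydomain.com", "A", "203.0.113.80"),
    ],
}

# Kevin's pinpoint zone: a forward lookup zone whose apex IS the mail host
# name, holding one blank-name (apex) A record with a <= 15 minute TTL so
# laptops that leave the building do not keep the inside address cached.
INTERNAL_ONLY: Dict[str, List[RR]] = {
    "mail.mydomain.com": [
        RR("mail.mydomain.com", "A", "10.0.0.25", ttl=900),
    ],
}


def _closest_zone(name: str, zones: Dict[str, List[RR]]) -> Optional[str]:
    """Apex of the most specific zone enclosing `name` (longest match)."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name: str, rtype: str, view: str) -> Optional[Tuple[str, int]]:
    """Answer `name`/`rtype` as seen from view "inside" or "outside".

    The inside server answers from its own zones and forwards everything
    else to public DNS (modelled here as EXTERNAL). Because zone selection
    is longest-match, the one-record pinpoint zone overrides the public
    answer for mail.mydomain.com only, and every other public name
    (www, the MX lookup itself) still resolves exactly as it does outside.
    """
    zones: Dict[str, List[RR]] = dict(EXTERNAL)
    if view == "inside":
        zones.update(INTERNAL_ONLY)
    apex = _closest_zone(name, zones)
    if apex is None:
        return None
    for rr in zones[apex]:
        if rr.name.lower() == name.lower() and rr.rtype == rtype:
            return rr.rdata, rr.ttl
    return None


def lint_mx(zone: List[RR], apex: str) -> List[str]:
    """Flag MX targets that are CNAMEs (forbidden by RFC 2181 section 10.3)
    or, for in-zone targets, that have no address record at all."""
    problems: List[str] = []
    types_by_name: Dict[str, Set[str]] = {}
    for rr in zone:
        types_by_name.setdefault(rr.name.lower(), set()).add(rr.rtype)
    for rr in zone:
        if rr.rtype != "MX":
            continue
        target = rr.rdata.split()[1].lower()
        types = types_by_name.get(target, set())
        if "CNAME" in types:
            problems.append(f"MX {rr.name} -> {target}: target is a CNAME")
        elif target.endswith("." + apex) and not types & {"A", "AAAA"}:
            problems.append(f"MX {rr.name} -> {target}: no A/AAAA record")
    return problems


def lint_pinpoint(zone: List[RR], apex: str, max_ttl: int = 900) -> List[str]:
    """Check a pinpoint zone has its blank-name A record and a short TTL."""
    problems: List[str] = []
    if not any(rr.name.lower() == apex and rr.rtype == "A" for rr in zone):
        problems.append(f"{apex}: pinpoint zone has no blank-name A record")
    for rr in zone:
        if rr.ttl > max_ttl:
            problems.append(f"{rr.name} {rr.rtype}: TTL {rr.ttl}s exceeds {max_ttl}s")
    return problems


if __name__ == "__main__":
    for view in ("inside", "outside"):
        print(view, resolve("mail.mydomain.com", "A", view))
    print(lint_mx(EXTERNAL["mydomain.com"], "mydomain.com"))
    print(lint_pinpoint(INTERNAL_ONLY["mail.mydomain.com"], "mail.mydomain.com"))
```

Kurt's variant corresponds to putting a full copy of the mydomain.com records into the inside view instead of the single-name zone; the cost is that every public record (www, ftp, any new host) must then be maintained twice, which is why the pinpoint zone is the smaller change. The `lint_mx` check is worth running against the real public zone as well, since a CNAME behind the MX is the problem DNSer had heard about.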
DNSer
 
      8th Aug 2006
I will try it, Kevin. Thanks,
-- DNSer