I ran into an interesting problem this weekend. I noticed that a lot of email was being returned as non-deliverable from my Exchange 2010 server. Many domains, specifically AOL and some of the major ISPs, require that the domains they communicate with have mail servers with reverse zone lookups, meaning that their name, “mail.domain.com” for example, resolves to a specific IP and that IP resolves back to the name. Well, my MX record does reverse-resolve to the correct IP; however, that IP wasn’t the IP address that my server was actually communicating from.
My infrastructure goes through a firewall. It used to be Microsoft ISA Server, but recently I have been trying the new Forefront Threat Management Gateway. One of the nice things is that TMG is supported on Windows 2008 and R2, and can be virtualized as well. I built mine on Windows 2008 R2, which appears to be part of my identity problem, at least as far as other domains are concerned.
Normally, on a network card that has multiple IP addresses assigned to it, the first IP listed is the one used for outgoing communication. Windows 2008 (and R2) changes this and uses the numerically lowest IP address instead. So if one of my IPs ends with 12 and another ends with 14, even though 14 might be listed first, it will always send from 12. From what I understand, and without getting into too much detail, this comes down to something called the strong and weak host models. It’s hardcore networking, so if you want, you can read more here and here.
Microsoft recognized this as an issue and released a hotfix for Windows 2008 SP2 and Vista SP2, but the hotfix doesn’t cover R2. Basically, this hotfix adds a parameter called SkipAsSource which can be set per address via netsh. After you install this hotfix, you can create IP version 4 (IPv4) addresses or IP version 6 (IPv6) addresses by using the netsh command together with the new “skipassource” flag. Addresses added with this flag are not used as the source for outgoing packets unless explicitly selected (for example, by a socket bound to that address), and they are not registered on the DNS servers. This restores the behavior as you knew it in Windows 2003.
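As an added example (not from the original post), here is how the fix described above would be applied and verified from PowerShell on a hotfixed host: the secondary addresses are re-added with skipassource=true, the script shows which address Windows 2008 R2 would otherwise pick as the source (the numerically lowest), and then confirms that forward and reverse DNS agree for the address that mail is supposed to leave from. The interface name, IP addresses and hostname are constructed placeholders.

```powershell
# Added example; interface name, addresses and hostname are constructed placeholders.
$Interface = "Local Area Connection"
$MailHost  = "mail.example.com"                   # name published in the MX record
$MailIp    = "203.0.113.12"                       # address the PTR record points at
$ExtraIps  = @("203.0.113.10", "203.0.113.11")    # other IPs bound to the same NIC
$Mask      = "255.255.255.0"

# Convert a dotted IPv4 string to an unsigned integer so addresses sort numerically.
function ConvertTo-IpNumber([string]$ip) {
    $bytes = ([System.Net.IPAddress]$ip).GetAddressBytes()   # big-endian order
    return [BitConverter]::ToUInt32($bytes[3..0], 0)          # reverse for little-endian host
}

# Without SkipAsSource, 2008 R2 uses the numerically lowest address as the source.
$lowest = ($ExtraIps + $MailIp) | Sort-Object { ConvertTo-IpNumber $_ } | Select-Object -First 1
"Default source address without SkipAsSource would be: $lowest"

# Re-add each secondary address with skipassource=true so only $MailIp is used
# for outgoing traffic. Requires the SkipAsSource hotfix to be installed first.
foreach ($ip in $ExtraIps) {
    netsh interface ipv4 delete address name="$Interface" address=$ip | Out-Null
    netsh interface ipv4 add address name="$Interface" address=$ip mask=$Mask skipassource=true | Out-Null
}

# level=verbose lists a "Skip as Source" value for every address on the interface.
netsh interface ipv4 show ipaddresses level=verbose

# Forward lookup: the MX name must resolve to the outbound IP...
$forward = [System.Net.Dns]::GetHostAddresses($MailHost) | ForEach-Object { $_.IPAddressToString }
# ...and reverse lookup: the outbound IP's PTR must give back the MX name.
$reverse = [System.Net.Dns]::GetHostEntry($MailIp).HostName

if (($forward -contains $MailIp) -and ($reverse -ieq $MailHost)) {
    "OK: $MailHost <-> $MailIp agree in both directions"
} else {
    "MISMATCH: $MailHost -> $($forward -join ','); $MailIp -> $reverse"
}
```

Run it from an elevated prompt, since netsh address changes need administrative rights; the DNS checks at the end work on any host and are the quickest way to confirm that the sending address and the MX name agree.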
Now, since I am running R2, this really didn’t help me, but a slight change in configuration in TMG did. In the Networking configuration inside TMG, I have a rule for anything accessing the Internet. From here I can control which IP is used to talk to the Internet; this is the IP address my mail server is seen as, through Network Address Translation (NAT), on its way to the interwebs.
You can configure the NAT rule to use any or all of your externally routable IP addresses. Problem resolved!
Thanks to Nick for the update. A hotfix is now available for Windows 2008 R2. You can find more information here.