topic Re: Using PBF To Split Services Between ISP's in General Topics

Using PBF To Split Services Between ISP's

smithkopel — Mon, 05 Mar 2012 23:06:09 GMT

I have a need to split the traffic going to and coming from my Exchange server based on service. Currently I have both SMTP and 443 traffic coming into and going out of the same ISP (we'll call it A). ISP A is also the default for all incoming and outgoing traffic. I want to split this to have SMTP traffic coming and going through ISP B and leave the 443 traffic on ISP A.

I think I can do this with PBF rules but I'm not totally sure how to go about it. If so here are some questions that I have.

Do I need to create 1 PBF or 2? Incoming and outgoing or just outgoing?

Do I need to create NAT rules for the PBF traffic? I already have NAT for the stuff on ISP A.

Do I need to create regular policies in addition to the PBF. eg. allowing incoming port 25 etc.

Or, am I barking up the wrong tree. I looked at the document for branch office with two ISP's and there are similarities here, but I only want to do this for the one service and not use it for failover at this time.

Thanks in advance,

Kenton

Re: Using PBF To Split Services Between ISP's

rmonvon — Mon, 05 Mar 2012 23:20:35 GMT

Hi...Yes, you can use PBF to do what you described. My comments are inline:

Do I need to create 1 PBF or 2? Incoming and outgoing or just outgoing?

- You can have 1 PBF rule but the rule would be 'any any service=tcp/25'. I recommend using 2 PBF rules for inbound & outbound to match the IP address of your mail server(s).

Do I need to create NAT rules for the PBF traffic? I already have NAT for the stuff on ISP A.

- Yes, you need NAT rule and most likely, you need to use ISP-B's assigned IP address.

Do I need to create regular policies in addition to the PBF. eg. allowing incoming port 25 etc.

- If ISP-A and ISP-B are in the same security zone, then you can leverage your existing security rules.

Thanks.

Re: Using PBF To Split Services Between ISP's

smithkopel — Mon, 05 Mar 2012 23:23:24 GMT

Thanks for the quick reply. I'll post back if I have any additional questions once I get going on it.

Kenton

Re: Using PBF To Split Services Between ISP's

smithkopel — Tue, 06 Mar 2012 00:13:28 GMT

So would my two PBF rules look like this?

Direction Source Zone Source Server Destination Service Egress I/F

Outgoing Trusted Mail Server Any SMTP ISP B

Incoming Untrusted Any ISP B Pub SMTP Internal

Thanks,

Kenton

Re: Using PBF To Split Services Between ISP's

rmonvon — Tue, 06 Mar 2012 01:40:45 GMT

Yes, the outgoing PBF rule looks good. Make sure that your service=SMTP is where SMTP=tcp/25.

I just realized that we can't control the incoming. Senders will be sending to your mail server 'smtp.company.com' and this domain will resolve to the IP address on your ISP-A. So all incoming traffic will come in the current path.

Thanks.

Re: Using PBF To Split Services Between ISP's

smithkopel — Tue, 06 Mar 2012 16:24:04 GMT

Thanks, yes the service called SMTP is port 25. As for incoming, I would change the DNS so that smtp.company.com would point to ISP B, I think this would be necessary in any case as the receiving servers might do a reverse lookup and be confused. If incoming DNS was pointing to ISP B would my second rule work?

Thanks,

Kenton

Re: Using PBF To Split Services Between ISP's

rmonvon — Tue, 06 Mar 2012 16:36:54 GMT

If you change the DNS for smtp.company.com to ISP-B, then 443 traffic destine to smtp.company.com will also come thru ISP-B. I recall you wanted 443 to stay in ISP-Aand only tcp/25 to use ISP-B.

Re: Using PBF To Split Services Between ISP's

smithkopel — Tue, 06 Mar 2012 16:42:12 GMT

That's OK, I intend to create a new DNS name for the SMTP traffic and keep the old DNS name for the 443 traffic. That is not a problem. The critical part is that the SMTP traffic enter and exit the firewall on the same IP from ISP B.

Kenton

Re: Using PBF To Split Services Between ISP's

rmonvon — Tue, 06 Mar 2012 23:18:41 GMT

The outbound SMTP will work with your PBF rule. I am not sure if the inbound will work because the replies from your server may take the default route which is ISP-A. Also, consider how you plan to failover. When ISP-B is down and SMTP traffic is destined for IP on ISP-B, how can you get this traffic to come to ISP-A, and vice versa?

This would not be an issue if you own the public IP address(es) because you would use the same public IPs for both ISP-A and ISP-B.

Re: Using PBF To Split Services Between ISP's

smithkopel — Tue, 06 Mar 2012 23:39:25 GMT

The main reason I'm doing this is for a temporary workaround to a blacklist that our ISP has managed to get itself on (the entire class C has been blacklisted). So most critical for me is outgoing mail. However, I'm concerned that I will run into problems if mail is coming into a different DNS name and IP than mail is going out.

Is that not something I need to be concerned with?

Kenton

Re: Using PBF To Split Services Between ISP's

rmonvon — Wed, 07 Mar 2012 23:24:13 GMT

Kenton...I don't see a problem but you may want to research this. Maybe your ISP-B can offer some insight on having the inbound & outbound split.