ISA 3 NIC failover question

[KK20]

Our connectivity is as follows; 1x SDSL connection and 2x ADSL connections. The SDSL is a 5 IP going directly to WAN side of ISA 2006. This is for our email, VPN, Web server and DNS server external requests. The ADSL connections go into a 3200 vigor 4xWAN router. The two ADSL are load balanced "UP" (WAN 1 & 2) and the SDSL on failover (WAN 3) if both the ADSL are down - the vigor pings "back" along each WAN to ensure connectivity to the internet rather than just ethernet link active. The 3200 is then the gateway for the clients (with filtering as a bridged proxy).

however, I want to employ multiple MX records to ensure that if our SDSL connectivity goes down we wont lose out on our email. I am wondering what is the best idea, the cheapest would be to add another NIC and somehow configure ISA 2006 (I can install TMG if necessary) and connect this 3rd NIC to the DMZ of the vigor 3200. The more expensive would be to have another vigor box and "cross them over". I.e have a new vigor dual WAN box with WAN1 -> SDSL and WAN2 -> DMZ of the 3200 ADSL vigor then remove the SDSL from the WAN 3 of the 3200 to avoid a circular loop. I only plan on adding ONE of the ADSL external IP addresses to the MX record so that I can add a route for to the 3200 vigor for that ADSL line (although DMZ should take care of that anyway!)

Bottom line. Can ISA failover a NIC based on connectivity (not simply ethernet link as the router would be live) such as ping. This will need to failover all external requests such as email, vpn etc and come back "live" once it has returned. Has anyone else done something similar?

My guess is another vigor box so that all the rules in ISA simply send to its WAN side and the vigor decides which way that should go based on its own pings and routes. I would use the DMZ from the vigors in any case.

[Cools]

i take it all your internet goes to the isa server? on 2 diff nicks and 3rd one for LAN
if so just add more then 1 ip to MX records on ya dns, and a just isa settings.

Code:

Subdomain	 Mail server	                               Priority	
                 mail.ilimits.co.uk.		                 1	
                 mail2.ilimits.co.uk.                        5
                 mail3.ilimits.co.uk                         10



and add to dns A record

Subdomain                          Address
mail                                   ip of  sdsl
mail2                                 ip of adsl 1
mail3                                 ip adsl 2

i hope it helps

[KK20]

I know that bit. Its the "backend" i'm working on. I am wondering what people have done at the backend to accept the second IP. Effectively they are both the same server but with different entry points. After more googling I havent found anyone who has used ISA to failover NICs reliably, so it looks like another vigor box when I can afford one.

[pantscat]

@KK20 - You can use Forefront TMG to do this...

"You can configure ISP redundancy to distribute outbound traffic between two ISP connections using failover between a primary and backup link, or load balancing and failover."

Not used it myself... yet... but it's on the plan!

[bio]

Bottom line. Can ISA failover a NIC based on connectivity

Nope..ISA 2000/2004/2006 can not do this..However TMG can do this (ISP-R).

bio..

[KK20]

I have convinced the bean counter to give me another £300 for the venture and will be going down the hardware route. So far the vigor router has done exactly what I want it to do and it has "failed over" when the exchange had issues over the last weekend. So I have no reason to doubt a second one will do the same. It is a shame that TMG will only look at 2 WAN connections - it may be overkill but if I have 3 connections there is no reason why I cant failover onto all three if necessary (and just add the relevent MX weight in the DNS)

Thank you for your replies though.

[Cools]

just use hardware unless you go down the linux route..
DrayTek Vigor 3300v+ Multi-WAN Security VoIP Load Balancer w/ 2 Module Slots

sell the vigor you have and get a new one.. we all like to upgrade..