Access your ISA and Exchange Server from outside the office
Learn how to configure your Linksys router so that you can access your ISA and Exchange Server from outside the office in this expert response by Lisa Phifer.
I have two DSL connections to my office, with traffic load balanced by a Linksys router. I am unable to access my ISA or Exchange Server from outside the office. Is there any configuration required on the servers or on the load balancer?
The answer depends on your load balancer make/model, but let's consider an example using the Linksys RV106 10/100 16-Port VPN Router. Up to seven Ethernet ports on that router can be designated as load-balanced WAN ports using one of two modes: Intelligent Balancer or IP Group.
In Intelligent Balancer mode, the router uses a weighted round robin algorithm to distribute traffic across WAN ports. For each DSL link's WAN port, you must specify upstream and downstream bandwidths. If the bandwidth of your two DSL links are identical, the router will just alternate between links when sending outbound packets.
In IP Group mode, the router uses configured LAN IP address ranges to distribute outbound traffic to WAN links. For example, you could use this mode to direct all packets sent by higher-priority hosts to one DSL link while directing all other packets to the other DSL link.
Let's assume that you are using the default Intelligent Balancer mode. Inbound traffic may be arriving through one WAN port (DSL link #1), but departing through the other WAN port (DSL link #2). If upstream connectivity is the same for both links, this should not really be a problem, provided that your ISA or Exchange Server is connected to your router's DMZ port and assigned its own unique routable public IP address.
However, if your ISA or Exchange Server is located somewhere on your internal LAN (not your DMZ), requests may be reaching the server through one WAN port's NAT-ed public IP address, with responses departing through the other WAN port's NAT-ed public IP address. If this is the source of your problem, the best solution is to put your server on the DMZ with its own public IP. However, if you want to keep the server inside your LAN, you could use IP Group mode to ensure that all packets to/from your server goes through the same WAN port.
To accomplish that, set WAN port #2 to IP Group mode, mapped to the IP address of your internal server (and other hosts on your LAN that you wish to use DSL link #2.) Leave WAN port #1 set to Intelligent Balancer mode. Be sure to set the fail-over detection option so that if DSL link #2 goes down, traffic will be redirected over DSL link #1 until link #2 is restored. Note that this solution may result in uneven distribution of traffic across the two DSL links; that is one reason why moving your server to the DMZ is preferable.
