gwia and 450 Host down for own domain

Suddenly have a spate of this going on, no apparent reason.

450 Host Down stmarks.pp.catholic.edu.au  (Which is the name of our domain)

Defer is filling up with messages that are being sent by gwia to (itself?)
mostly dealing with failed deliveries of emails for one (real) reason or
another (typos in address etc)
Most of these are from <> ie null sender.

Inbound mail from other domains (ie the internet at large) seems ok.
Outbound mail to other domains is likewise ok.

Caveat: AOHell and now Hotmail, but that's not GWIA's fault - they have
decided we are on a dialup/dynamic which is not true but they insist someone
in authority from the ISP (Verizon) tell them so, - since the people able to
do so live in the US I can't seem to get anything done about it.  Anyone
that can tell me who to scream at to fix this will be thanked profusely.
;^)

I've been following what I can about this 450 problem which seems to happen
a lot to others as well.

Our setup is as follows.

1. ALL (and I DO mean all) of our groupwise components run on the same
server.
2. The server is also the Primary DNS for our domain.
(stmarks.pp.catholic.edu.au)
3. DNS records are correct, ie MX etc.  
4. There are other DNS servers for the domain, some local some elsewhere.

AFAICT, this is something to do with the GW box being behind a NAT and the
interface address not matching the DNS listed address.  NAT is done at the
PIX.  Unfortunately, AFAICT, there is no way to tell the PIX to allow
30.0.0.2 to go back out through the PIX and talk to its alter-ego internet
IP address and loop back in.  If someone knows a way to actually do this,
I'd be pleased to hear it. :^)

Obviously DNS lists the domain and MX records against the real IP address,
not the NAT address.

Obviously, this is not in the DNS.

I'm confused by a couple of things.

1. Why is the GWIA incapable of talking to itself?  Surely it could just use
the loopback address?  Why does it need to call itself this way?

2. What is the solution to this, as it eludes me?

I've amended HOSTS as follows

#
# SYS:ETC\HOSTS
#
#	Mappings of host names and host aliases to IP address.
#
127.0.0.1		loopback lb localhost	# normal loopback address
#
# interesting addresses on the Internet

30.0.0.2	groupwise.stmarks.pp.catholic.edu.au

This is the ip address bound to the outside NIC.

I've tried amending sys:etc\resolv.cfg as follows, seems to make no
difference one way or the other.

domain stmarks.pp.catholic.edu.au
nameserver 127.0.0.1
nameserver 10.0.0.2
nameserver 10.0.0.3
nameserver 10.0.0.66
nameserver 203.61.120.102
nameserver 203.61.120.103

There's an INSIDE nic bound to 10.0.0.2 but this doesn't/shouldn't affect
anything either way.

There's an INSIDE domain stmarks.college that applies to the 10.0.x.x. net
but again this shouldn't have any impact one way or the other.

Anyone able to help?

Regards





-- 

Geoff Roberts
Computer Systems Manager
Saint Mark's College
Port Pirie, South Australia
geoffrobxATstmarksxdotppxdotcatholicxdoteduxdotaux
Remove the x's

0
Geoff
7/25/2007 8:40:30 AM
novell.groupwise.7x.gwia


Do you have a route.cfg file in wpgate/gwia?  if the file exists add
the line for your domain and the gwia's ip address.  If not create a
text file of this name and add the line.  Syntax can be found at
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=10010997&sliceId=&dialogID=41711296&stateId=1%200%203504012



On Wed, 25 Jul 2007 08:40:30 GMT, "Geoff Roberts"
<geoffrobx@stmarksx.ppx.catholicx.edux.aux> wrote:

>Suddenly have a spate of this going on, no apparent reason.
>
>450 Host Down stmarks.pp.catholic.edu.au  (Which is the name of our domain)
>
>Defer is filling up with messages that are being sent by gwia to (itself?)
>mostly dealing with failed deliveries of emails for one (real) reason or
>another (typos in address etc)
>Most of these are from <> ie null sender.
>
>Inbound mail from other domains (ie the internet at large) seems ok.
>Outbound mail to other domains is likewise ok.
>
>Caveat: AOHell and now Hotmail, but that's not GWIA's fault - they have
>decided we are on a dialup/dynamic which is not true but they insist someone
>in authority from the ISP (Verizon) tell them so, - since the people able to
>do so live in the US I can't seem to get anything done about it.  Anyone
>that can tell me who to scream at to fix this will be thanked profusely.
>;^)
>
>I've been following what I can about this 450 problem which seems to happen
>a lot to others as well.
>
>Our setup is as follows.
>
>1. ALL (and I DO mean all) of our groupwise components run on the same
>server.
>2. The server is also the Primary DNS for our domain.
>(stmarks.pp.catholic.edu.au)
>3. DNS records are correct, ie MX etc.  
>4. There are other DNS servers for the domain, some local some elsewhere.
>
>AFAICT, this is something to do with the GW box being behind a NAT and the
>interface address not matching the DNS listed address.  NAT is done at the
>PIX.  Unfortunately, AFAICT, there is no way to tell the PIX to allow
>30.0.0.2 to go back out through the PIX and talk to its alter-ego internet
>IP address and loop back in.  If someone knows a way to actually do this,
>I'd be pleased to hear it. :^)
>
>Obviously DNS lists the domain and MX records against the real IP address,
>not the NAT address.
>
>Obviously, this is not in the DNS.
>
>I'm confused by a couple of things.
>
>1. Why is the GWIA incapable of talking to itself?  Surely it could just use
>the loopback address?  Why does it need to call itself this way?
>
>2. What is the solution to this, as it eludes me?
>
>I've amended HOSTS as follows
>
>#
># SYS:ETC\HOSTS
>#
>#	Mappings of host names and host aliases to IP address.
>#
>127.0.0.1		loopback lb localhost	# normal loopback address
>#
># interesting addresses on the Internet
>
>30.0.0.2	groupwise.stmarks.pp.catholic.edu.au
>
>This is the ip address bound to the outside NIC.
>
>I've tried amending sys:etc\resolv.cfg as follows, seems to make no
>difference one way or the other.
>
>domain stmarks.pp.catholic.edu.au
>nameserver 127.0.0.1
>nameserver 10.0.0.2
>nameserver 10.0.0.3
>nameserver 10.0.0.66
>nameserver 203.61.120.102
>nameserver 203.61.120.103
>
>There's an INSIDE nic bound to 10.0.0.2 but this doesn't/shouldn't affect
>anything either way.
>
>There's an INSIDE domain stmarks.college that applies to the 10.0.x.x. net
>but again this shouldn't have any impact one way or the other.
>
>Anyone able to help?
>
>Regards
Tim
___________________
Tim Heywood (SYSOP)
NDS8
Scotland
(God's Country)
www.nds8.co.uk
___________________

In theory, practice and theory are the same
In Practice, they are different
0
Tim
7/25/2007 2:37:35 PM
>>> On 7/25/2007 at 3:40 AM, Geoff
Roberts<geoffrobx@stmarksx.ppx.catholicx.edux.aux> wrote:
> Suddenly have a spate of this going on, no apparent reason.
> 
> 450 Host Down stmarks.pp.catholic.edu.au  (Which is the name of our 
> domain)
> 
> Defer is filling up with messages that are being sent by gwia to 
> (itself?)
> mostly dealing with failed deliveries of emails for one (real) reason or
> another (typos in address etc)
> Most of these are from <> ie null sender.
> 
> Inbound mail from other domains (ie the internet at large) seems ok.
> Outbound mail to other domains is likewise ok.
> 
> Caveat: AOHell and now Hotmail, but that's not GWIA's fault - they have
> decided we are on a dialup/dynamic which is not true but they insist 
> someone
> in authority from the ISP (Verizon) tell them so, - since the people able
> to
> do so live in the US I can't seem to get anything done about it.  Anyone
> that can tell me who to scream at to fix this will be thanked profusely.
> ;^)
> 
> I've been following what I can about this 450 problem which seems to 
> happen
> a lot to others as well.
> 
> Our setup is as follows.
> 
> 1. ALL (and I DO mean all) of our groupwise components run on the same
> server.
> 2. The server is also the Primary DNS for our domain.
> (stmarks.pp.catholic.edu.au)
> 3. DNS records are correct, ie MX etc.  
> 4. There are other DNS servers for the domain, some local some 
> elsewhere.
> 
> AFAICT, this is something to do with the GW box being behind a NAT and 
> the
> interface address not matching the DNS listed address.  NAT is done at 
> the
> PIX.  Unfortunately, AFAICT, there is no way to tell the PIX to allow
> 30.0.0.2 to go back out through the PIX and talk to its alter-ego 
> internet
> IP address and loop back in.

Exactly.


> If someone knows a way to actually do
> this,
> I'd be pleased to hear it. :^)
> 
> Obviously DNS lists the domain and MX records against the real IP 
> address,
> not the NAT address.
> 
> Obviously, this is not in the DNS.
> 
> I'm confused by a couple of things.
> 
> 1. Why is the GWIA incapable of talking to itself?  Surely it could just 
> use
> the loopback address?  Why does it need to call itself this way?

It treats every email as a regular old email.  Some sites have their domain
split across multiple heterogeneous email systems, and for GW to blithely
assume that any email destined for its own domain is only for itself is
inappropriate.


> 2. What is the solution to this, as it eludes me?

2 solutions.  The easy and obvious is to add a route.cfg file.  Make sure
you add an entry for BOTH your domain AND your hostname (domain.com AND
mail.domain.com).  Also make sure there is a hard return at the end of the
file.

The 2nd option is a generic solution that fixes most problems related to
NAT.  You setup DNS servers that are for internal use ONLY, and then have
those servers resolve any of your normally external public IP addresses to
the internal private IP address instead.  So the outside world would see:

stmarks.pp.catholic.edu.au  MX=groupwise.stmarks.pp.catholic.edu.au
groupwise.stmarks.pp.catholic.edu.au  A=130.57.5.70 (whatever your public IP
is)

While on the inside, your internal DNS servers would return:

stmarks.pp.catholic.edu.au  MX=groupwise.stmarks.pp.catholic.edu.au
groupwise.stmarks.pp.catholic.edu.au  A=192.168.1.254 (whatever your
internal IP is).

Note that this works for any internally hosted service -- like
www.stmarks.pp.catholic.edu.au.

 
> I've amended HOSTS as follows
> 
> #
> # SYS:ETC\HOSTS
> #
> #	Mappings of host names and host aliases to IP address.
> #
> 127.0.0.1		loopback lb localhost	# normal loopback address
> #
> # interesting addresses on the Internet
> 
> 30.0.0.2	groupwise.stmarks.pp.catholic.edu.au
> 
> This is the ip address bound to the outside NIC.
> 
> I've tried amending sys:etc\resolv.cfg as follows, seems to make no
> difference one way or the other.
> 
> domain stmarks.pp.catholic.edu.au
> nameserver 127.0.0.1
> nameserver 10.0.0.2
> nameserver 10.0.0.3
> nameserver 10.0.0.66
> nameserver 203.61.120.102
> nameserver 203.61.120.103


GWIA doesn't use the HOSTS file.


Ted Kumsher


0
Ted
7/25/2007 5:37:16 PM
>>> On 26/07/2007 at 3:07 am, in message
<46A74428.65A5.0016.0@davisbrownlaw.com>, Ted
Kumsher<ted@davisbrownlaw.com> wrote:

>> 1. Why is the GWIA incapable of talking to itself?  Surely it could just
>> use the loopback address?  Why does it need to call itself this way?
> 
> It treats every email as a regular old email.  Some sites have their 
> domain split across multiple heterogeneous email systems, and for GW to
> blithely
> assume that any email destined for its own domain is only for itself is
> inappropriate.

Ok. Still seems a bit brain dead though, should be a way to tell it.
Ok, reading on I guess the way is route.cfg, but it seems clumsy at best.
 
>> 2. What is the solution to this, as it eludes me?
> 
> 2 solutions.  The easy and obvious is to add a route.cfg file.  Make 
> sure you add an entry for BOTH your domain AND your hostname (domain.com
> AND
> mail.domain.com).  Also make sure there is a hard return at the end of 
> the file.

Ok, there is now a route.cfg and it contains this:

stmarks.pp.catholic.edu.au [30.0.0.2]
groupwise.stmarks.pp.catholic.edu.au [30.0.0.2]

Top line is the domain and bottom line is the GW server.
This is the DMZ address of course.

Tim Heywood was kind enough to post this link,
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=
10010997&sliceId=&dialogID=41711296&stateId=1%200%203504012
But it doesn't say how to list a domain specifically, so is this correct?
Do I need to do anything to GWIA to make it notice the route.cfg?
 
> The 2nd option is a generic solution that fixes most problems related to
> NAT.  You setup DNS servers that are for internal use ONLY, and then 
> have those servers resolve any of your normally external public IP
> addresses
> to the internal private IP address instead.  So the outside world would 
> see:
> 
> stmarks.pp.catholic.edu.au  MX=groupwise.stmarks.pp.catholic.edu.au
> groupwise.stmarks.pp.catholic.edu.au  A=130.57.5.70 (whatever your 
> public IP is)

We have that at present yes.

> While on the inside, your internal DNS servers would return:
> stmarks.pp.catholic.edu.au  MX=groupwise.stmarks.pp.catholic.edu.au
> groupwise.stmarks.pp.catholic.edu.au  A=192.168.1.254 (whatever your
> internal IP is).

Um, we have an inside domain (on a different nic) though it is just
stmarks.college not the real Inet domain.  IIUYC, I would need to build a
stand alone DNS server with just a DMZ zone that resolves the real inet
hostname to the DMZ IP and have the GW server look at that?  I'm not sure I
fully understand what you have in mind, or what else it will break.  But it
sounds good, can you point me at something that would explain in detail how
to do that without collateral damage please?
 
> Note that this works for any internally hosted service -- like
> www.stmarks.pp.catholic.edu.au.

Only the servers etc have access to the DMZ. The unwashed hordes use a
different IP block (10.0.x) on a second nic in the servers.  These are also
DNS listed with an internal only domain stmarks.college so the gw box is:

groupwise.stmarks.pp.catholic.edu.au  203.61.xxx.xxx
(which is NAT to 30.0.0.2 on the DMZ and that is actually bound to the
server nic)
but it's also
groupwise.stmarks.college 10.0.0.2
(which is bound to the second nic in the box.  Inside users access GW using
that address.)

I specifically wanted separate networks when I set this mess up, and that
was the only way I could think of to do it.
  
> GWIA doesn't use the HOSTS file.

Oookkk.  I suppose there is a good reason for that?

Thanks for your help, I'm trying the route.cfg first to see if that works.

Regards




-- 

Geoff Roberts
Computer Systems Manager
Saint Mark's College
Port Pirie, South Australia
geoffrobxATstmarksxdotppxdotcatholicxdoteduxdotaux
Remove the x's

0
Geoff
7/26/2007 12:28:33 AM
>>> On 26/07/2007 at 12:07 am, in message
<gvnea39lejdik58gpaama42uja5udvqhoq@4ax.com>, Tim Heywood NSC
SYSOP<tim@no.spam.please.nds8.co.uk> wrote:
> Do you have a route.cfg file in wpgate/gwia?  if the file exists add
> the line for your domain and the gwia's ip address.  If not create a
> text file of this name and add the line.  Syntax can be found at
> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalI
> d=10010997&sliceId=&dialogID=41711296&stateId=1%200%203504012

I do now.  Ted Kumsher offered a different approach, but I will try this
first.
(See my reply to Ted in this thread)

Thanks for the link.

Regards


-- 

Geoff Roberts
Computer Systems Manager
Saint Mark's College
Port Pirie, South Australia
geoffrobxATstmarksxdotppxdotcatholicxdoteduxdotaux
Remove the x's

0
Geoff
7/26/2007 12:30:09 AM
> Ok. Still seems a bit brain dead though, should be a way to tell it.
> Ok, reading on I guess the way is route.cfg, but it seems clumsy at 
> best.

More clumsy than using a hosts file?  Either way it's a manual method of
making an exception.  The route.cfg file is much more powerful, however.  It
allows you to tell GWIA to send all email destined for <domain.com> to a
specific address--either a manual IP address OR you can use a hostname
(without the square brackets).

  
> Ok, there is now a route.cfg and it contains this:
> 
> stmarks.pp.catholic.edu.au [30.0.0.2]
> groupwise.stmarks.pp.catholic.edu.au [30.0.0.2]


Good.

> Tim Heywood was kind enough to post this link,
> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalI
> d=
> 10010997&sliceId=&dialogID=41711296&stateId=1%200%203504012
> But it doesn't say how to list a domain specifically, so is this 
> correct?

Yes.

> Do I need to do anything to GWIA to make it notice the route.cfg?

No.  Well--shut it down and restart it.
 

> Um, we have an inside domain (on a different nic) though it is just
> stmarks.college not the real Inet domain.  IIUYC, I would need to build 
> a
> stand alone DNS server with just a DMZ zone that resolves the real inet
> hostname to the DMZ IP and have the GW server look at that?  I'm not 
> sure I
> fully understand what you have in mind, or what else it will break.  But 
> it
> sounds good, can you point me at something that would explain in detail 
> how
> to do that without collateral damage please?


Well, since you have a DMZ, this issue is probably isolated to the GWIA. 
The issue has nothing to do with GW--rather it has to do with firewalls.  In
general (and don't ask me why--because it doesn't seem like it should be a
difficult proposition) a firewall that uses NAT will not allow you to go out
through its NAT interface and then "turn around" and access a port
translation back in through the firewall.  This is what your GWIA is
experiencing.  Anything in your private network should be able to go out its
firewall and come back in through the port translation on the (I assume)
separate DMZ firewall.

As for a detailed explanation, you probably don't need to use an internal DNS
server so it's probably not worth learning all about DNS (auth zones,
transfers, recursion etc.) just for GWIA.



>> Note that this works for any internally hosted service -- like
>> www.stmarks.pp.catholic.edu.au.
> 
> Only the servers etc have access to the DMZ. The unwashed hordes use a
> different IP block (10.0.x) on a second nic in the servers.  These are 
> also
> DNS listed with an internal only domain stmarks.college so the gw box 
> is:
> 
> groupwise.stmarks.pp.catholic.edu.au  203.61.xxx.xxx
> (which is NAT to 30.0.0.2 on the DMZ and that is actually bound to the
> server nic)
> but it's also
> groupwise.stmarks.college 10.0.0.2
> (which is bound to the second nic in the box.  Inside users access GW 
> using
> that address.)


By the way, this is basically NOT a DMZ.  If you have 1 machine with a nic
in the DMZ and a nic in the private network, you are no longer separate
networks.  Unless perhaps you have BorderManager running on the server.  You
need a firewall between your DMZ and your private network.



>> GWIA doesn't use the HOSTS file.
> 
> Oookkk.  I suppose there is a good reason for that?

Well, I can't really say for certain--you'd have to ask actual GW
programmers.  For 1 thing, hosts file (obviously) has nothing to do with MX
records.  With primary and secondary MX records and hostname resolution, I
imagine that GW programmed its own DNS lookup code instead of relying on
the OS to do the DNS lookups--and then I couldn't say why they don't read
the hosts file.

Ted
0
Ted
7/26/2007 4:37:22 PM
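To make Ted's two answers concrete (the route.cfg override, and the internal-only DNS view he described earlier), here is an added Python model of how a gateway picks a delivery target; it is an illustration written for this thread, not GWIA's or Novell's code. The route.cfg syntax it accepts is only what the thread shows (a domain followed by an IP in square brackets, or a bare hostname); the partner.example entry, the TEST-NET addresses standing in for the redacted public IP, and the trailing-newline check are assumptions.

```python
"""Model of how an SMTP gateway picks a delivery target when a route.cfg
override exists. Constructed illustration for this thread, not GWIA code.
Assumed route.cfg syntax, taken only from what the thread shows: one entry
per line, '<domain> [<ip>]' for a literal address, or '<domain> <hostname>'
(no square brackets) to resolve a hostname instead."""
import ipaddress
import re

# Constructed route.cfg text mirroring the two entries Geoff posted plus one
# hostname-style entry (partner.example is made up). The missing final
# newline is deliberate, so the trailing-hard-return check below fires.
ROUTE_CFG = (
    "stmarks.pp.catholic.edu.au [30.0.0.2]\n"
    "groupwise.stmarks.pp.catholic.edu.au [30.0.0.2]\n"
    "partner.example mx.partner.example"
)

# Constructed view of public DNS. TEST-NET addresses stand in for the real
# 203.61.xxx.xxx public address of the NAT, which the thread redacts.
PUBLIC_IP = "203.0.113.10"
PUBLIC_DNS = {
    "stmarks.pp.catholic.edu.au": {"MX": ["groupwise.stmarks.pp.catholic.edu.au"]},
    "groupwise.stmarks.pp.catholic.edu.au": {"A": [PUBLIC_IP]},
    "example.net": {"MX": ["mail.example.net"]},
    "mail.example.net": {"A": ["198.51.100.25"]},
    "partner.example": {"MX": ["mx.partner.example"]},
    "mx.partner.example": {"A": ["192.0.2.25"]},
}

# The same zone as an internal-only DNS server would serve it (Ted's second
# option): identical, except the gateway's A record is the DMZ address.
INTERNAL_DNS = dict(PUBLIC_DNS)
INTERNAL_DNS["groupwise.stmarks.pp.catholic.edu.au"] = {"A": ["30.0.0.2"]}

# '<domain> [<ip>]' or '<domain> <hostname>'; a hostname may not begin with '['.
LINE_RE = re.compile(r"^(?P<domain>\S+)\s+(?:\[(?P<ip>[^\]]+)\]|(?P<host>[^\[\s]\S*))$")


def parse_route_cfg(text):
    """Return (routes, warnings); routes maps a lowercase domain to
    ('ip', address) or ('host', hostname)."""
    routes, warnings = {}, []
    if text and not text.endswith("\n"):
        # Ted's caveat: the file must end with a hard return.
        warnings.append("last line has no trailing newline (hard return)")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            warnings.append(f"line {lineno}: unparsable entry {line!r}")
            continue
        domain = m.group("domain").lower()
        if m.group("ip") is not None:
            try:
                routes[domain] = ("ip", str(ipaddress.ip_address(m.group("ip"))))
            except ValueError:
                warnings.append(f"line {lineno}: bad IP address {m.group('ip')!r}")
        else:
            routes[domain] = ("host", m.group("host").lower())
    return routes, warnings


def resolve_a(name, dns):
    """Return the first A record for name from the given DNS view."""
    records = dns.get(name.lower(), {}).get("A")
    if not records:
        raise LookupError(f"no A record for {name}")
    return records[0]


def delivery_target(rcpt_domain, routes, dns):
    """Return (ip, how) for mail addressed to rcpt_domain.

    A route.cfg entry wins; otherwise the domain's MX host is resolved (or
    the domain's own A record if it has no MX, as SMTP does)."""
    rcpt_domain = rcpt_domain.lower()
    route = routes.get(rcpt_domain)
    if route is not None:
        kind, value = route
        return (value if kind == "ip" else resolve_a(value, dns)), "route.cfg"
    mx = dns.get(rcpt_domain, {}).get("MX")
    return resolve_a(mx[0] if mx else rcpt_domain, dns), "mx"


def is_hairpin(target_ip, public_ip=PUBLIC_IP):
    """True when the target is our own public NAT address: the session would
    have to leave through the PIX and turn straight back in, which is the
    case that ends in '450 Host down' for the gateway's own domain."""
    return target_ip == public_ip


if __name__ == "__main__":
    routes, warnings = parse_route_cfg(ROUTE_CFG)
    for w in warnings:
        print("warning:", w)
    own = "stmarks.pp.catholic.edu.au"
    for label, r, dns in (("public DNS only", {}, PUBLIC_DNS),
                          ("route.cfg + public DNS", routes, PUBLIC_DNS),
                          ("internal DNS view", {}, INTERNAL_DNS)):
        ip, how = delivery_target(own, r, dns)
        print(f"{label:24s} {own} -> {ip} via {how}"
              f"{'  (hairpin through the NAT)' if is_hairpin(ip) else ''}")
```

Either fix removes the hairpin: route.cfg by overriding the lookup for the gateway's own domain, the internal DNS view by changing what the lookup returns for every internal client.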
>>> On 27/07/2007 at 2:07 am, in message
<46A8879D.65A5.0016.0@davisbrownlaw.com>, Ted
Kumsher<ted@davisbrownlaw.com> wrote:
>>  Ok. Still seems a bit brain dead though, should be a way to tell it.
>> Ok, reading on I guess the way is route.cfg, but it seems clumsy at 
>> best.
> 
> More clumsy than using a hosts file?

In the sense that the hosts file is already there.

> Either way it's a manual method of
> making an exception.  

Yes.

> The route.cfg file is much more powerful, however. 
> It allows you to tell GWIA to send all email destined for <domain.com> to
> a
> specific address--either a manual IP address OR you can use a hostname
> (without the square brackets).

Ok, I can see where that could be useful for some sites.  Thanks.
   
>> Ok, there is now a route.cfg and it contains this:
>> 
>> stmarks.pp.catholic.edu.au [30.0.0.2]
>> groupwise.stmarks.pp.catholic.edu.au [30.0.0.2]
 
> Good.

Seems to be working, haven't seen the 450 since.

>> Tim Heywood was kind enough to post this link,
>> http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalI
>> d=
>> 10010997&sliceId=&dialogID=41711296&stateId=1%200%203504012
>> But it doesn't say how to list a domain specifically, so is this 
>> correct?
> 
> Yes.
> 
>> Do I need to do anything to GWIA to make it notice the route.cfg?
> 
> No.  Well--shut it down and restart it.

LOL.  Sorry, yes, I did that.
 
>> Um, we have an inside domain (on a different nic) though it is just
>> stmarks.college not the real Inet domain.  IIUYC, I would need to build 
>> a
>> stand alone DNS server with just a DMZ zone that resolves the real inet
>> hostname to the DMZ IP and have the GW server look at that?  I'm not 
>> sure I
>> fully understand what you have in mind, or what else it will break.  But
>> it
>> sounds good, can you point me at something that would explain in detail 
>> how
>> to do that without collateral damage please?
> 
> 
> Well, since you have a DMZ, this issue is probably isolated to the GWIA. 

Some web based stuff gets confused about which interface it should be
talking to.
Remote Manager is not usable from outside as it tries to contact the
'inside' network
rather than the outside. This isn't greatly bothering anyone and important
things like iMangler and NetStorage and even iFolder 2 and 3 seem to cope
quite readily with it.


> The issue has nothing to do with GW--rather it has to do with firewalls.
> In general

Oh yes, I understand that.  In all honesty I'm not a big fan of GWIA, it
strikes me as being fragile and twitchy compared to other MX packages I have
used, but clearly it's not to blame for this.

> (and don't ask me why--because it doesn't seem like it should be a
> difficult proposition) a firewall that uses NAT will not allow you to go 
> out through its NAT interface and then "turn around" and access a port
> translation back in through the firewall.

Yes.  I spent some long hours trying to persuade the PIX to allow this and
it simply will not.

> This is what your GWIA is
> experiencing.  Anything in your private network should be able to go out 
> its firewall and come back in through the port translation on the (I
> assume)
> separate DMZ firewall.

The private network is completely separate, DSL line with Cisco 877 box NAT
to 10.0.  
There is another DSL line with a Cisco 877 that feeds that entire
'real' subnet to the Pix, which has two NAT outlets, one for the DMZ and a
'backup' gateway for the 10.0 network that I can redirect lusers to if the
other DSL line goes down. With some slapping around I can persuade the
servers to use 10.0 for their gateway as well, it gives us separation and
redundancy.
> 
> As for a detailed explanation, you probably don't need to use an internal
> DNS
> server so it's probably not worth learning all about DNS (auth zones,
> transfers, recursion etc.) just for GWIA.

We already do that.
We maintain our own domain zone, the authoritative server is the GW box, it
gets zone transferred to our ISP whenever I make a change, additionally we
have an internal zone for the 10.0 network so that all our workstations have
dns names instead of just IP addresses.
We use DHCP to assign manual ip addresses on a room basis, ie pcs in Room 7
get 10.0.7.x ip address and RM7STN(x).stmarks.college DNS name.  Ditto
servers, so people using iFolder and GW Web access inside the network go to
groupwise.stmarks.college instead of groupwise.stmarks.pp.etc out through
the firewall and back in on the second DSL line where the servers live.
 
> By the way, this is basically NOT a DMZ.  If you have 1 machine with a 
> nic in the DMZ and a nic in the private network, you are no longer
> separate
> networks.  Unless perhaps you have BorderManager running on the server.  

No, but it doesn't route from one side to the other, ie you can't route from
the 30.0 network to the 10.0 network through any of the servers.

> You need a firewall between your DMZ and your private network.

See what you mean, I think.  Not sure if it's an issue or not.  (No expert
in such things)

>>> GWIA doesn't use the HOSTS file.
>> 
>> Oookkk.  I suppose there is a good reason for that?
> 
> Well, I can't really say for certain--you'd have to ask actual GW
> programmers.  For 1 thing, hosts file (obviously) has nothing to do with 
> MX
> records.  With primary and secondary MX records and hostname resolution, 
> I
> imagine that GW programmed its own DNS lookup code instead of relying
> on
> the OS to do the DNS lookups--and then I couldn't say why they don't read
> the hosts file.

Well. I have a solution that seems to be working fine, so thank you for your
help and insightful knowledge, much appreciated.

Regards



-- 

Geoff Roberts
Computer Systems Manager
Saint Mark's College
Port Pirie, South Australia
geoffrobxATstmarksxdotppxdotcatholicxdoteduxdotaux
Remove the x's

0
Geoff
7/27/2007 12:20:11 AM
> Some web based stuff gets confused about which interface it should be
> talking to.
> Remote Manager is not usable from outside as it tries to contact the
> 'inside' network
> rather than the outside. This isn't greatly bothering anyone and 
> important
> things like iMangler and NetStorage and even iFolder 2 and 3 seem to 
> cope
> quite readily with it.


I think linux does a better job with dns hosting for this purpose.  In
Netware, you have to maintain 2 completely separate DNS systems.  One that
is visible to the outside world and contains only your public DNS
information.  The other one is internal only and contains all of your public
DNS information PLUS any internal information that you want AND you can
change any of the public IP addresses to internal ip addresses.  The
downside is that you have to make DNS entries in 2 separate locations if you
want to change or add a DNS entry.

I've heard that linux can hand out different ip's based on where the DNS
query is coming from--but I don't know if that's standard linux or not.

I have also seen a number of firewalls that will allow you to "hijack" dns
queries and pass back internal information based on your configuration (if
the firewall sees a dns query for host.domain.com it'll return the internal
ip address instead of NAT'ing the dns query and allowing the public ip to be
returned).





 
> The private network is completely separate, DSL line with Cisco 877 box 
> NAT
> to 10.0.  
> There is another DSL line with a Cisco 877 that feeds that entire
> 'real'subnet to the Pix, which has two NAT outlets, one for the DMZ and 
> a
> 'backup' gateway for the 10.0 network that I can redirect lusers to if 
> the
> other DSL line goes down. With some slapping around I can persuade the
> servers to use 10.0 for their gateway as well, it gives us separation 
> and
> redundancy.


>> By the way, this is basically NOT a DMZ.  If you have 1 machine with a 
>> nic in the DMZ and a nic in the private network, you are no longer
>> separate
>> networks.  Unless perhaps you have BorderManager running on the server.
>
> No, but it doesn't route from one side to the other, ie you can't route 
> from
> the 30.0 network to the 10.0 network through any of the servers.
> 
>> You need a firewall between your DMZ and your private network.
> 
> See what you mean, I think.  Not sure if it's an issue or not.  (No 
> expert
> in such things)


This is a paranoia question.  The theory behind a DMZ is that it is where
you put all your machines that will actually allow inbound conversation from
the internet (they are exposed).  By definition, that is assumed to be more
vulnerable.  So the entire purpose of setting up a DMZ is to ALSO isolate it
from your private network.  From the perspective of your private network,
you should consider the DMZ to be just as bad as the internet.  Hence the
idea that you would put a firewall between you and the DMZ, the same way
that you would put a firewall between you and the internet.  The reason that
having 1 machine with a nic in the DMZ and a nic in the private network
"breaks" the "theory" of a DMZ is that a hacker from the internet now just
needs to exploit a vulnerability on that machine in your DMZ and, if he
gains control of that machine in your DMZ, he now has direct access to your
private network--thus defeating the purpose of creating a DMZ.

Now that is, of course, all theory.  My point is that if you have a machine
in the DMZ that also has a nic in the private network--then it's pretty much
the same as putting THAT machine in the private network and doing port
translation into the private network instead of the DMZ.

Personally--I don't use DMZs because they feel too much like a placebo that
involves unnecessary complications.

Ted
0
Ted
7/30/2007 4:05:25 PM
Reply:

Similar Artilces:

To Gwia or not to Gwia
Hi everyone. I have 6.5.7 that is on a 10+ years box. It's time to put it to rest - I said but the boss does not want to spend the money - heard that before! It a suite using on GW and Gwava no other products. There are worried about email failure. So I'm trying GWAVA's Reload product. It works fine for the backup and the disaster recovery BUT you have no Gwia. Can I set up another Netware box with just the Gwia on it and disable the main box Gwia so that when the system fails ( and it will) we will have a email running service? Also is there a license issue here...

GWIA 450 Host Down on 1 domain
I'm getting a 450 Host Down message on GWIA only when sending to 1 specific domain. I can telnet to port 25 and do an NSLookup to the MX record and it responds ok. I tried creating a Route.cfg with the ip address up the remote domain and still got the same condition. GWIA 6.5.4 Hi, dhoffrogge@comcast.net wrote: > > I'm getting a 450 Host Down message on GWIA only when sending to 1 > specific domain. I can telnet to port 25 Directly from your GWIA server? This is exactly what a 450 host down says. YOur gwia can not connect to port 25 of the resolved ...

GWIA: 450 host down...on a host that is NOT down
Hi all. i'm getting an annoying 450 host down error on my GWIA. We sent some important emails and we didn't notice they were not going out until way later. Then we checked and we were having 450 host down on that host. Some time ago we used to experience this very same problem, but then it stopped (couldn't say exactly what we did, since I was not in charge of communications back then) Obviously, I did a telnet on port 25 to the mail exchanger of the problematic domain. It was up and running. What could be causing this behaviour? How can I solve this probl...

Gwia 450 host down
Hello, I'm getting 450 host down errors from one particular site. I've used the gwip and tested the mx connectivity and it does connect, but very slowly. I can alos connect froma workstation, again, the response time back from the foreign server is slow. Is there a GWIA setting/timeout that controls how long the GWIA should wait before declaring the host down with a 450 error? thanks ConsoleOne, GWIA object, SMTP/MIME, Timeouts. >>> Guinevere<Guinevere@ftj.com> 3/9/2005 11:07 AM >>> Hello, I'm getting 450 host down errors from one part...

GWIA
new to groupwise GW 6.5 (SP3) I can receive mail from the outside world however I cannot send out any message to the outside world.. I always get a 450 Host down error here is my gwia.cfg file Any ideas ?? Thanks in advance Doug ;====================================================================== ; GroupWise 6 GWIA ; Startup File ;---------------------------------------------------------------------- ; This contains the configuation options for GroupWise Internet Agent. ; Use ConsoleOne to modify this file with Advan...

GWIA
Hi, Recently I noticed a lot of Host Down instances according to the stats on the GWIA web interface. With 3 days of uptime the numbers were 216 "sent" email and 560 "host down". Further checks revealed this sort of error in the logs:
MSG 6201 Analyzing result file: MAIL/DATA:\GRPWISE\MAILINT\WPGATE\GWIA\result\r99589a6.040
02-17-09 00:08:07 0 MSG 6201 Detected error on SMTP command
02-17-09 00:08:07 0 MSG 6201 Command: domain.com.au
02-17-09 00:08:07 0 MSG 6201 Response: 450 Host down (domain.com.au)
02-17-09 00:08:07 0 MSG 6202 Analyzing result file: ...

groupwise 5.5 GWIA out
i'm getting this message "Mailer-Daemon@gwiaout.mycompanydomain.com" The message that you sent was undeliverable to the following: amoralezz@yahoo.com (access denied) Possibly truncated original message follows: when we use other email clients to send e-mails out. if anyone knows what is wrong please help me. we run Groupwise 5.5 regards, anthony Look at GWIA Access Control -- Michael J. Bell Novell Support Connection Volunteer Sysop Author of Guinevere (http://www.openhandhome.com) PLEASE: Do not e-mail me privately unless specifically asked. I...

450 host down (mydomain) on GWIA
Can somebody explain how I am getting these. Everything seems to be working. Mail is entering and exiting. I only have one PO, which is on another machine, so I'm not sure why I am getting these at the GWIA. I am assuming that internal mail should not make it to the GWIA. I am getting mail from the internet in my mailbox so how can it say the host is down. What host is it talking about? Mike McCarron Do you have the entries for both servers in the HOSTS file? This is important to GWIA. "Michael P. McCarron" <mccarron@osfphila.org> wrote in mess...

Host Down error on GWIA Domain
On a GW 6.5 SP1 system, I am still getting the '450 Host Down' Error at times when an outbound message is going to our own domain. In the log file it looks like: "DMN: MSG 5494 Send Failure: 450 Host down (MYDOMAIN.COM)" Where MYDOMAIN.COM is our own Internet domain. I have followed the suggestions of TID 10060050 and put an entry in the Route.cfg file for the GWIA like so: mydomain.com [192.168.100.10] Where 192.168.100.10 is the internal private IP address of our BorderManager server that is also running the GWIA. Why do messages that originate ...

Error 450 Host Down on GWIA
Greetings, We are experiencing errors on the GWIA agent, when sending emails to some domains. Apparently, the problem is related to higher priority Mail Exchange (MX) hosts not responding to requests of the GWIA as explained in Novell's support TID number 100534469 (http://support.novell.com/cgi-bin/search/searchtid.cgi?/10053469.htm ). It says: "This problem has been reported to development. Customer can either install the non-enhancement pack GW 5.5.2 GWIA or create a ROUTE.CFG in the domain\WPGATE\gwia directory with the hostname they are having problems reaching ...

groupwise 5.5 gwia out
I've tested out 2 different e-mail clients our .bat one and outlook express. i think our GWIA-Out is having a problem sending mail using those clients. Could there be something in the way it processes the mail that is coming from an e-mail client that is not groupwise 5.5 mail client? regards, anthony Naw, but it's nearly impossible to safely set up 5.x in a way you don't expose yourself for spam relay... -- Michael J. Bell Novell Support Connection Volunteer Sysop Author of Guinevere (http://www.openhandhome.com) PLEASE: Do not e-mail me privately unless ...

450 Host down error on the GWIA
Do you have an e-mail firewall system such as Proofpoint in place? We have this happen when our firewall is having problems such as rebooting for the continuous updates that it receives from the vendor or an influx of spam. Usually the GroupWise "Agents/gwia/defer" directory will start collecting items in it and that tells us that the mail is not going through the firewall system. We then check our firewall box and 95% of the time it is having a problem. I hope this helps in your case. Hi, rtolbert@ccisd.net wrote: > > Do you have an e-mail firewall system ...

GWIA host/domain setting
Hi there, When I telnet to the GWIA on the private side IP I get a connection message that says 220 www.delphian.org GroupWise Internet Agent 7.0.2 HP Copyright (c) 1993-2007 Novell, Inc. All rights reserved. Ready The private side IP otherwise resolves to mail.delphian.org, which is correct, so the local DNS seems to be working right. "www" is actually hosted and does not resolve to a private IP. There are no hosts entries either on the workstation or server end that define www otherwise. I can't find any GWIA setting where www.delphian.org is used. ...

Link Non-GroupWise Domain To GWIA
I have a non-GroupWise domain containing several external POs. The external POs contain external users with gateway aliases to addresses in other systems. The gateway alias type for these users is SMTP and shows the Post Office as GWIA under the primary domain. The GWIA in the primary domain has recently been shut down in favor of using another GWIA created in a secondary domain on a different server. The primary and secondary domain MTAs are direct-linked via IP and working. The problem encountered is messages addressed to the users in these external POs are sent to the gwia queue d...
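The threads above keep returning to the same triage steps: read the "450 Host down (domain)" lines out of the GWIA log, check whether a ROUTE.CFG entry ("domain [address]", as quoted in the TID 10060050 post) overrides the MX for that domain, and test port 25 from the GWIA server itself rather than from a workstation. The Python below is an added example written for this page, not code from the threads, from Novell, or from any of the posters; the log lines and the ROUTE.CFG it reads are constructed samples modelled on the excerpts quoted above, and the "own domain" case is the NAT hairpin described at the top of the page. It tallies host-down counts per target domain and prints which of the thread's checks applies to each one.

```python
import re
from collections import Counter

# Constructed sample GWIA log lines, modelled on the excerpts quoted in the
# thread (MSG 6201 "Response: 450 Host down (...)" and
# "DMN: MSG 5494 Send Failure: 450 Host down (...)"). Not real log output.
SAMPLE_LOG = """\
02-17-09 00:08:07 0 MSG 6201 Detected error on SMTP command
02-17-09 00:08:07 0 MSG 6201 Command: domain.com.au
02-17-09 00:08:07 0 MSG 6201 Response: 450 Host down (domain.com.au)
02-17-09 00:08:09 0 MSG 6202 Response: 450 Host down (mydomain.com)
02-17-09 00:08:11 0 MSG 6203 Response: 250 OK
02-17-09 00:08:12 0 DMN: MSG 5494 Send Failure: 450 Host down (MYDOMAIN.COM)
02-17-09 00:08:13 0 DMN: MSG 5494 Send Failure: 450 Host down (example.net)
"""

# Hypothetical ROUTE.CFG in the "domain [address]" form quoted in the thread;
# the domains and addresses are made up for this example.
SAMPLE_ROUTE_CFG = """\
; hypothetical ROUTE.CFG, constructed for this example
mydomain.com [192.168.100.10]
example.net [10.0.0.25]
"""

HOST_DOWN_RE = re.compile(r"450 Host down \(([^)]+)\)", re.IGNORECASE)
ROUTE_RE = re.compile(r"^\s*([^\s;\[]+)\s*\[([^\]]+)\]")


def count_host_down(log_text):
    """Tally '450 Host down' responses per target domain (case-folded)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HOST_DOWN_RE.search(line)
        if m:
            counts[m.group(1).strip().lower()] += 1
    return counts


def parse_route_cfg(text):
    """Parse 'domain [address]' lines; lines starting with ';' are comments."""
    routes = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes[m.group(1).lower()] = m.group(2).strip()
    return routes


def triage(log_text, route_text, own_domain):
    """Return (domain, count, note) tuples, busiest failing domain first."""
    counts = count_host_down(log_text)
    routes = parse_route_cfg(route_text)
    own = own_domain.lower()
    report = []
    for domain, n in counts.most_common():
        if domain == own and domain in routes:
            note = (f"own domain; ROUTE.CFG already sends it to {routes[domain]}: "
                    "verify that address answers on port 25 from the GWIA server")
        elif domain == own:
            note = ("own domain; GWIA is resolving its own public MX, which loops back "
                    "through NAT: consider a ROUTE.CFG entry with the internal address")
        elif domain in routes:
            note = (f"ROUTE.CFG overrides MX with {routes[domain]}: "
                    "test that host on port 25, not the public MX")
        else:
            note = ("no ROUTE.CFG entry: resolve the MX and telnet to port 25 "
                    "from the GWIA server itself, not from a workstation")
        report.append((domain, n, note))
    return report


if __name__ == "__main__":
    for domain, n, note in triage(SAMPLE_LOG, SAMPLE_ROUTE_CFG, "mydomain.com"):
        print(f"{n:4d}  {domain:<20} {note}")
```

Run it against a real GWIA log by reading the file into `triage()` in place of `SAMPLE_LOG`; the count column is the quick way to see whether the failures are spread across many domains (look at the firewall or the SMTP timeout setting) or concentrated on one domain, in particular your own.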

Web resources about - gwia and 450 Host down for own domain - novell.groupwise.7x.gwia


Resources last updated: 1/17/2016 2:12:55 AM