Security and Cryptography
 
#1
June 29th, 2011, 01:55 AM
c.itech
Firewall Question - Active/passive broadband connections to maintain various IT services

I plan to buy a firewall that supports active and passive internet connections. When the active internet connection goes down, it will fail over to the passive internet connection automatically; when the active internet connection is back up, it will roll back to the active internet connection automatically. I found that a SonicWall should be able to do this already.


The public IP, default gateway and DNS are different for the active and passive internet connections, so on failover or rollback they will change as well.


The IT services to maintain when the active internet connection is down are:
- office internet access
- email service provided by Exchange 2007
- internal/external web-based ERP service provided by Apache Tomcat


Office internet access
- achieved by adding the passive internet connection's DNS to the Windows DNS forwarder


Email service provided by Exchange 2007
- SMTP achieved by an additional MX record with the passive internet connection's public IP and a larger preference number (lower priority)
-

Internal/external web-based ERP service provided by Apache Tomcat
- by an additional A record with the passive internet connection's public IP for Apache Tomcat



Any comments?


Any idea what needs to be done to maintain Outlook Anywhere and Outlook Web Access? Just an additional A record as well?


Thx a lot!

#2
June 29th, 2011, 02:30 PM
AstroTux
Some of the ideas don't make sense.

Quote:
office internet access
- achieve by add passive internet connection DNS to Windows DNS forwarder

??? This is on your LAN? If so, no action, unless it resolves DNS for external users, too.

Quote:
internal/external web-based erp service provided by apache tomcat
- By additional A record with passive internet connection's public IP for apache tomcat

Again, is this on your LAN? If so, again, no-action required here.

The issue you have is that you appear to have users external to your network, that need to know when your primary service is down so that they know to use the alternative connection and public IP address.

You need some mechanism that can dynamically update your DNS so it reflects the current config accurately (with caveats) or otherwise re-design your DNS completely so that you are performing DNS resolution for your domain.

The problem is that DNS is fairly dumb, so once a client has asked "where is xyz.com", unless it knows or you tell it that the IP is different, it will just respond as normal, and the user will face a connection error.

If the original DNS request relies on contacting your (down) server, it will try a list of DNS servers until it gets a response. This will enable you to have two DNS servers serve two different IPs for the domain, or one server serve different IPs depending on which IP address the request came from (I'm not sure which software can do this).

I hope this makes sense. In summary, it is your external users that will have problems; your internal network should be largely unaffected if the router does its job in switching connections.

Best regards,
AstroTux.
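
Added example, not part of either post: a small Python model of the two behaviours discussed in this thread, SMTP senders falling back through MX preferences and an external resolver continuing to hand out a cached A record after failover. The IPs, the TTL values (a standard DNS caching parameter the thread does not mention), the timings and all function names are constructed assumptions.

```python
# Constructed sample values: documentation-range IPs, not from the thread.
ACTIVE_IP = "192.0.2.10"      # public IP on the active connection
PASSIVE_IP = "198.51.100.10"  # public IP on the passive connection

# MX records as the first post proposes: the passive link gets the larger
# preference number, i.e. the lower priority.
MX_RECORDS = [(10, ACTIVE_IP), (20, PASSIVE_IP)]


def smtp_delivery_target(mx_records, reachable):
    """Sending MTAs try MX hosts in ascending preference until one answers."""
    for _pref, ip in sorted(mx_records):
        if ip in reachable:
            return ip
    return None  # nothing reachable: the sender queues the mail and retries


class CachingResolver:
    """Minimal model of an external resolver that caches one A record."""

    def __init__(self, authoritative, ttl):
        self.authoritative = authoritative  # callable: current published IP
        self.ttl = ttl
        self.cached_ip = None
        self.expires_at = 0

    def resolve(self, now):
        if self.cached_ip is None or now >= self.expires_at:
            self.cached_ip = self.authoritative()
            self.expires_at = now + self.ttl
        return self.cached_ip


def stale_seconds(ttl, cached_at, failover_at, dns_updated_at, step=10):
    """Seconds (sampled every `step`) that web clients are sent to the dead IP."""
    zone = {"ip": ACTIVE_IP}
    resolver = CachingResolver(lambda: zone["ip"], ttl)
    resolver.resolve(cached_at)  # a client looked the name up before the outage
    stale = 0
    for now in range(failover_at, dns_updated_at + 2 * ttl + step, step):
        if now >= dns_updated_at:
            zone["ip"] = PASSIVE_IP  # the dynamic DNS update lands
        if resolver.resolve(now) == ACTIVE_IP:
            stale += step
    return stale


if __name__ == "__main__":
    print(smtp_delivery_target(MX_RECORDS, {PASSIVE_IP}))  # MX fallback
    print(stale_seconds(300, 0, 100, 130), stale_seconds(60, 0, 100, 130))
```

In this model inbound SMTP keeps working with no DNS change because the sender walks the MX list, while web clients stay pointed at the dead address until the cached A record expires and the updated record has been published.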
