Messaging Gateway

  • 1.  V9.0.1 LDAP configuration

    Posted Aug 18, 2010 10:56 AM
    Hello,
    I currently have a VM Control Center on our internal network and physical scanners in our DMZ behind firewalls.  The firewalls are configured with external IPs that route to the internal IPs of the devices in our network.  The issue we're coming across is the LDAP configuration for Brightmail.  We initially configured LDAP servers in the directory integration with DNS names and internal IPs but quickly found the DMZ scanners couldn't talk to the LDAP servers because it was trying to use the internal IP address and couldn't resolve the DNS names because we don't want to make our LDAP servers public by placing entries in our DMZ DNS servers.

    As a workaround, we configured the recipient validation servers with the external firewall IP in the directory integration and it's been working fine until we came to the point of wanting to add a scanner at a remote location.  The new scanner can't connect to the LDAP servers because they are configured with the external firewall IPs for our other site.  Found that if we add an LDAP server that the new scanner can communicate with, we get tons of errors in the logs for the servers it can't communicate with, and there is a delay in mail delivery as the scanner waits for each LDAP server to time out a couple of times before trying another.

    Has anybody run into this situation before?  Is the only option to add a new control center at the remote location?  Hopefully in future releases there will be the ability to configure each scanner to talk to a specific LDAP server.


  • 2.  RE: V9.0.1 LDAP configuration

    Broadcom Employee
    Posted Aug 19, 2010 05:29 PM

    I don't think adding another control center is going to change anything since it is the scanner who does the LDAP checking.

    The best option I can offer is to use a hostname for the LDAP server and add a DNS entry at the remote location's DNS to point to an LDAP server that is local to that remote server.


  • 3.  RE: V9.0.1 LDAP configuration

    Posted Aug 19, 2010 05:49 PM

    We implemented DNS Views.  We have separate public, DMZ, and internal views into DNS.

    JASBURY27: I don't understand your primary site design.  Why didn't you simply add a 1-to-1 NAT on the inbound interface to make the LDAP interior IP address visible to your boxes in the DMZ?

    JDAVIS: but he has a point, in a remote location, you may not want to point LDAP at the same LDAP hosts your other data center is using.  You probably have a local LDAP (AD) server in the remote location (e.g. for a local Exchange box, faster user logins).  You'd want to use that LDAP instead of the primary site LDAP.

    ALL: adding a 2nd control center will cause problems if you are doing per-user spam quarantines, as the user may get a digest from EACH control center.

    I'll post an IDEA https://www-secure.symantec.com/connect/idea/site-ldap-configuration-options
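As an added illustration of the approach suggested in replies 2 and 3 (one LDAP hostname in the Brightmail directory integration, resolved per location via split-horizon DNS), here is a BIND 9 `named.conf` fragment with three views. This is example configuration written for this thread, not Symantec's or any poster's own config; every ACL range, address, zone file path and hostname is a constructed placeholder.

```conf
// Added example: BIND 9 views so the same LDAP hostname resolves to a
// different address for internal hosts, DMZ scanners, and a remote site.
// All names, addresses and ACL ranges are constructed placeholders.

acl internal-nets { 10.0.0.0/8; };        // corporate LAN (placeholder)
acl dmz-nets      { 192.0.2.0/24; };      // DMZ scanner subnet (placeholder)
acl remote-nets   { 10.200.0.0/16; };     // remote site subnet (placeholder)

options {
    directory "/var/named";
};

// Internal clients get the LDAP server's real interior address.
view "internal" {
    match-clients { internal-nets; };
    zone "example.com" {
        type master;
        file "zones/example.com.internal";   // ldap.example.com. IN A 10.1.1.20
    };
};

// DMZ scanners get the 1-to-1 NAT address on the inside firewall interface.
// This zone file should carry only the records the scanners need, so the
// DMZ view never publishes the interior address or other internal names.
view "dmz" {
    match-clients { dmz-nets; };
    zone "example.com" {
        type master;
        file "zones/example.com.dmz";        // ldap.example.com. IN A 192.0.2.200
    };
};

// The remote site resolves the name to its own local domain controller,
// so its scanner never waits on timeouts to the primary site's LDAP servers.
view "remote" {
    match-clients { remote-nets; };
    zone "example.com" {
        type master;
        file "zones/example.com.remote";     // ldap.example.com. IN A 10.200.1.5
    };
};

// Each referenced zone file must also contain its own SOA and NS records;
// the A record shown in the comment is the only line that differs between them.
```

With this in place the directory integration references `ldap.example.com` once and every scanner reaches whichever directory server its view returns. Validate the file with `named-checkconf` before reloading. Since the DMZ path crosses the firewall, restrict the NAT rule to the scanner source addresses on the LDAP ports (389, or 636 for LDAPS) and prefer LDAPS for the scanner-to-directory session, so the DMZ-facing exposure is limited to that one flow.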