First, let's start with a picture to illustrate my problem...
Naturally, IP addresses have been obfuscated for security reasons.
I have an internal LAN, 192.168.1.x behind ISA Server 2004. On this network reside a number of fixed workstations, a POP3 mail server (not Exchange) and a WAP supporting mobile clients. All devices are served by DHCP (though with reserved addresses where applicable).
On the Internet-side, I have an ADSL-connected router with a range of public IP addresses. The WAN port on the router has the IP address 123.0.0.241, the LAN port, 123.0.0.246.
Between the two, I have an ISA Server 2004 with two network cards. The first is attached to the router and has a public IP address, 123.0.0.242. The router is configured to route traffic, rather than use NAT. The ISA Server publishes the POP3 mail server on its 123.0.0.242 public IP address.
The problem is this...
When mobile devices are on-site, connected to the WAP, they belong to the 192.168.1.x subnet and connect to the mail server directly, without bothering the ISA Server.
However, when taken off-site, they must now access the POP3 server via the ISA Server on 123.0.0.242.
What I want is a single configuration for the mobile devices that works regardless of whether they're on-site or off-site.
If I configure them with the public IP of the ISA Server (123.0.0.242), they can't contact the mail server when they're on-site, because the IP is on the wrong side of the ISA Server.
Obviously, if I configure them with the private IP of the Mail Server, they can't access it when off-site.
I've tried a split DNS approach, where the FQDN of the mail server resolves to 192.168.1.2 on-site and 123.0.0.242 when off-site. The trouble is that the DNS TTL is too long, so I have to wait an eternity for the devices to refresh the IP address. The Internet-facing DNS Server isn't mine and I have no control over the TTL.
I've tried associating the FQDN of the Mail Server with both the public and the private IP addresses, relying on the DNS client's round-robin failover to eventually select the right IP address. Apart from the fact that it's a really bad idea to use the private IP address on someone else's network, some of the devices seem rather reluctant to fail over to the alternate address when you move from on- to off-site or vice versa.
I can't bind the public IP address to both the internal and external adapters on the ISA Server, as ISA Server complains bitterly (I can't say I blame it).
So, I'm stumped. What I want is for both internal and external clients to be able to access the Mail Server using a public IP address. I have some spare addresses, so I could use another, if that helps.
But I don't know where to go next. Any suggestions would be very gratefully received!
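The round-robin attempt described above relies on each device's resolver trying the alternate A record when the first one is unreachable. The following Python snippet, added here as an illustration and not part of the original post, makes that behaviour explicit: it orders the candidate addresses so the private on-site address is tried first, probes each with a short TCP timeout, and falls back to the public address published on the ISA Server. The A records, the POP3 port and the probe function are assumptions for the example, not the poster's configuration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Constructed A records for the mail host, mirroring the post's dual-address
# attempt: the private LAN address and the public address on the ISA Server.
MAIL_HOST_RECORDS = ["192.168.1.2", "123.0.0.242"]
POP3_PORT = 110  # plain POP3; the post does not mention POP3S


def is_private(addr: str) -> bool:
    """True for RFC 1918 and other non-routable addresses (e.g. 192.168.1.x)."""
    return ipaddress.ip_address(addr).is_private


def order_candidates(records: Iterable[str]) -> List[str]:
    """Try on-site (private) addresses before public ones, keeping DNS order otherwise.

    A private address answers quickly on-site and fails fast off-site, so it is a
    cheap first guess; the public address is the fallback that works from anywhere.
    """
    recs = list(records)
    return [a for a in recs if is_private(a)] + [a for a in recs if not is_private(a)]


def tcp_probe(addr: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to addr:port completes within `timeout`."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_mail_server(records: Iterable[str],
                     port: int = POP3_PORT,
                     probe: Callable[[str, int], bool] = tcp_probe) -> Optional[str]:
    """Return the first reachable address, or None if every candidate fails.

    `probe` is injectable so the selection logic can be exercised without a network.
    """
    for addr in order_candidates(records):
        if probe(addr, port):
            return addr
    return None


if __name__ == "__main__":
    print("mail server:", pick_mail_server(MAIL_HOST_RECORDS))
```

Because the probe has a bounded timeout, the switch between on-site and off-site takes at most one timeout per stale candidate rather than waiting for a DNS TTL to expire.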