
Friday Quiz

Posted on 2003-10-24
Last Modified: 2008-02-26
I'm not sure this is appropriate, but this question will certainly be PAQ'd so here it goes:

Answer this question completely and accurately and get 2,000 points:

Configuration:

I have two Exchange servers in the same routing group.  No other servers exist in the ORG.
My Exchange server is named "exmail1.mydomain.net"
My Bridgehead server is named "exbh1.mydomain.com"
My Email domain is mydomain.com
I have a DNS server named "INS1" for internal DNS (mydomain.net) with IP 192.168.0.10
I have a DNS server named "NS1" for external DNS (mydomain.com) with IP 131.107.3.10

My mailbox server has one NIC with IP address 192.168.0.100

My FE server has two NICs with the following IP addresses:

External NIC: 131.107.3.126
Internal NIC: 192.168.0.101

Both IP's are in 24 bit subnets

Gateway for 131.107.3/24 is 131.107.3.1
Gateway for 192.168.0/24 is 192.168.0.1

I have a firewall (ef1.mydomain.com) between my 131.107.3/24 subnet and the Internet and I have another firewall (if1.mydomain.net) between the 131.107.3/24 and 192.168.0/24 subnets.

Question:

I want to configure an Internet Email presence using the resources listed above.  Everything you need is there.  Please describe, in detail, what needs to be done to do this.

I know the answer and will be the judge of who gets the points.  Closest answer gets full credit.  Here are some hints:

DNS - Which records do I need, how is forwarding setup, if at all, and which EX server uses which NS server?
Firewall - What ports need to be opened?
Connector - What connector do I need, if any, and how should it be configured?
NICs - How do I configure my NICs to deal with this?

There are several problems that need to be solved there.  It's possible that I blew it and missed something above.  If so, point that out and do the best with what I provided and you get credit.

My goal here is to throw some spice into a dull day on the forum and create a thread that might be useful to answer the countless SMTP questions that will be answered here.

Good luck!  ;)


OneHump
Question by:OneHump

Assisted Solution

by:Vahik
Vahik earned 250 total points
ID: 9618489
OK OneHump, I will take 50 points for the DNS configuration.
You have a public DNS and I will configure it (we assume you only have a NS
and a mail server in your DMZ):

$TTL 3600
@           IN SOA ns1.mydomain.com. admin.mydomain.com. (
                  6           ; serial number
                  900         ; refresh
                  600         ; retry
                  86400       ; expire
                  3600 )      ; minimum TTL

@               IN NS  ns1.mydomain.com.

@               IN MX  10 exbh1.mydomain.com.
exbh1           IN A   131.107.3.126
ns1             IN A   131.107.3.10    ; NS1's address as given in the question

No forwarders will be configured here. This name server will use root hints to resolve. Since this is your public DNS, none of your internal records will exist here.

For your internal DNS server the SOA will be your domain.net, and the only difference will be that you will enable forwarders to your external DNS server.

On your internal firewall you will allow TCP and UDP DNS (53) from INS1 and will deny any DNS (53) from 192.168.0/24.
All your internal clients will be facing (including your backend Exchange) the internal DNS server, and all your external clients will be facing your external (public) DNS server.

As far as missing something about DNS, you could say you need two public DNS servers on at all times, but I am not a cop.
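An added example, not part of this thread or of Vahik's post: a small Python check for the two rules this answer states for the public zone, namely that the zone carries an address record for its own MX target and that it never publishes internal (RFC 1918) addresses. The zone texts are constructed inline from the records given in the thread (the public mydomain.com zone above, the NS1 records from the accepted answer where the MX names exbh1 but the A record is named exchange, and a deliberately leaky variant); the parser is a minimal master-file reader written for this example, not a library.

```python
import ipaddress

# Constructed sample: the public mydomain.com zone from the thread, written in
# standard master-file syntax (one-line SOA, ';' comments, trailing dots).
PUBLIC_ZONE = """
$TTL 3600
@      IN SOA ns1.mydomain.com. admin.mydomain.com. ( 6 900 600 86400 3600 )
@      IN NS  ns1.mydomain.com.
@      IN MX  10 exbh1.mydomain.com.
exbh1  IN A   131.107.3.126
ns1    IN A   131.107.3.10
"""

# Constructed sample: the NS1 records from the accepted answer, where the MX
# points at exbh1 but the only A record is named exchange.
MISMATCHED_ZONE = """
@         IN MX 10 exbh1.mydomain.com.
exchange  IN A  131.107.3.126
"""

# Constructed sample: an RFC 1918 address that must never appear in the public zone.
LEAKY_ZONE = """
@      IN MX 10 exbh1.mydomain.com.
exbh1  IN A  192.168.0.101
"""


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples for a simple master-file fragment.

    Handles '@', relative and absolute owner names and ';' comments; the SOA
    and $-directives are skipped because the checks below do not need them.
    """
    origin = origin.rstrip(".").lower()
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].upper() == "IN":
            del fields[1]                      # the class token is not needed here
        owner, rtype, rdata = fields[0], fields[1].upper(), fields[2:]
        if rtype == "SOA":
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn.lower(), rtype, [r.rstrip(".").lower() for r in rdata]))
    return records


def check_public_zone(records, origin):
    """Return human-readable problems; an empty list means the zone passes."""
    origin = origin.rstrip(".").lower()
    problems = []
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    for owner, rtype, rdata in records:
        if rtype == "MX":
            target = rdata[1]                  # rdata is [preference, exchange]
            # Only targets inside this zone must have an A record here;
            # an MX pointing at another domain is resolved there instead.
            if target.endswith(origin) and target not in a_owners:
                problems.append(f"MX target {target} has no A record in {origin}")
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if addr.is_private:
                problems.append(f"{owner} publishes private address {addr}")
    return problems


if __name__ == "__main__":
    for name, zone in (("public", PUBLIC_ZONE), ("mismatched", MISMATCHED_ZONE), ("leaky", LEAKY_ZONE)):
        print(name, check_public_zone(parse_zone(zone, "mydomain.com"), "mydomain.com") or "OK")
```

Run against real zone files by reading them into `parse_zone` with the zone's origin; the private-address check is the one that catches an internal host accidentally copied into the public zone, which is the mistake this post warns about.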

Accepted Solution

by:
David Wilhoit earned 250 total points
ID: 9618636
Interesting. First problem I see is the dual-homed FE server. SMTP on the bridgehead will be configured to run on the internal NIC only, and of course, no DNS server will be configured directly on the SMTP VS.  On the external, we need to make sure it doesn't register itself on the internal DNS server, and vice versa.

Inbound port 25 from the internet, NAT back to the internal NIC on the FE/BH server (fuzzy on this one). Only necessary ports are open, and are directed to the DMZ server. Mail is relayed back to the BE mailbox server. FE server is designated as a front-end (we are assuming E2K Enterprise Edition, although this is changed with 2003 Standard Edition). After configuration of SMTP and host headers that point to the backend, dismount your stores. The drawback here is that after you dismount the stores on the front-end, DSNs cannot be sent out.

Firewall between the internal zone and the DMZ will have to allow all the usual ports, Kerberos on 88, LDAP on 389 and 3268 (GC), but you can opt to disallow the netlogon service and DSAccess with a couple of registry keys, so that RPC doesn't have to be open thru the firewall. But at this point, FE cannot authenticate users anymore. That would require anon access to the DMZ box, which is a security hole in and of itself, so I'd allow 135 thru the internal DMZ, and specify the bindback port at something over 1024; I use 1245. You specify this on all backend servers, and any server in the internal subnet that you deem necessary.

If this FE is the OWA server as well, you should set up SSL and use basic authentication for Web Access. I always configure SMTP logging as well on the front end.

I'd configure the SMTP connector on the BE. It would forward all mail thru the FE, and would only accept mail from the FE.

Just realized I'm tired, someone else take it from here  :)

David

Expert Comment

by:Vahik
ID: 9621953
OneHump, you almost got away with murder. When I first wrote my response I had had a few, but now I am sober. So here goes my answer:
YOU BLEW IT AND IT WILL NEVER WORK.
To fix the problem just reverse your domains and the rest is already
explained. If you keep the present setup an NDR will be generated for every
email that comes in. Disregard my first post. If you think my answer is right,
tell me, then I will tell you why it won't work.


Expert Comment

by:Vahik
ID: 9622040
Now before I go to bed I should mention that you could also make this setup work if in your MYDOMAIN.com you create the same number of users
as MYDOMAIN.net, and contacts corresponding to each user in MYDOMAIN.net, and enable forwarding in each user's properties page.

Author Comment

by:OneHump
ID: 9628722
OK, here is the answer.  I'm going to split points between you two for participation.  ;)

We're going to assume that exmail1 is my DC/GC/FSMO since others were not specified.

*DNS*

--NS1.mydomain.com

mydomain.com              IN     MX     10 exbh1.mydomain.com
exchange.mydomain.com     IN     A      131.107.3.126

--INS1.mydomain.net

exmail1.mydomain.net      IN     A      192.168.0.100
exbh1.mydomain.net        IN     A      192.168.0.101

*FIREWALL*

--ef1

Source * - Dest 131.107.3.10/32        TCP/UDP    53  <-- DNS from Internet to NS1
Source 131.107.3.10/32 - Dest *        TCP/UDP    53  <-- DNS from NS1 to Internet
Source * - Dest 131.107.3.126/32       TCP        25  <-- SMTP port from Internet to exbh1
Source 131.107.3.126/32 - Dest *       TCP        25  <-- SMTP port from exbh1 to Internet

--if1

Source 192.168.0.101/32 - Dest 192.168.0.100/32     TCP        25    <-- SMTP from exbh1 to exmail1
Source 192.168.0.100/32 - Dest 192.168.0.101/32     TCP        25    <-- SMTP from exmail1 to exbh1
Source 192.168.0.101/32 - Dest 192.168.0.100/32     TCP/UDP    389   <-- LDAP from exbh1 to exmail1
Source 192.168.0.100/32 - Dest 192.168.0.101/32     TCP/UDP    389   <-- LDAP from exmail1 to exbh1
Source 192.168.0.101/32 - Dest 192.168.0.100/32     TCP        3268  <-- GC to AD from exbh1 to exmail1
Source 192.168.0.100/32 - Dest 192.168.0.101/32     TCP        3268  <-- GC from AD, exmail1 to exbh1
Source 192.168.0.101/32 - Dest 192.168.0.100/32     TCP        691   <-- LSA from exbh1 to exmail1
Source 192.168.0.100/32 - Dest 192.168.0.101/32     TCP        691   <-- LSA from exmail1 to exbh1

Reference:  http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

*CONNECTORS*

Place exbh1 in a routing group called 'Bridgeheads'
Place exmail1 in a routing group called 'North America'

Create 1 SMTP connector for exbh1 with address space *, scope Organization, route using DNS
Create 1 RGC between 'Bridgeheads' and 'North America'

You could leave both servers in the same RG but, in planning for growth, I like separating them.  There is also LSA jabber that goes on so it's always best to segregate boxes between firewalls.  This adds a connector.



*NIC CONFIGURATION*

--exmail1

-NIC1

IP - 192.168.0.100   <-- mailbox server address from the configuration above
Mask - 255.255.255.0
Default gateway - 192.168.0.1
DNS - 192.168.0.10

--exbh1

-NIC1 (external)

IP - 131.107.3.126
Mask - 255.255.255.0
Default gateway - 131.107.3.1
DNS - 131.107.3.10

-NIC2 (internal)

IP - 192.168.0.101   <-- FE internal NIC address from the configuration above
Mask - 255.255.255.0
Default gateway - (none; only the external NIC carries a default gateway)
DNS - 192.168.0.10

-Add static routes (on exbh1; -p makes the route persistent across reboots):

route -p add 192.168.0.100 mask 255.255.255.255 192.168.0.1  <--  Persistent host route to exmail1 via the internal gateway

That's it.  Now here is where I blew it.  I needed to put exmail1 into the mydomain.com zone.  This is because it's not good to name the machine one thing and call it something else in DNS.  This would not be a problem now, but would be if other MXs were added.  Other than that, I think that's it.  This could certainly be extended for OWA/POP/IMAP/IM.

There is a lot of info here, so I might have missed something.  :o|


OneHump

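An added example, written for this page and not part of OneHump's answer: a first-match evaluator over the ef1 and if1 rule tables above, with a table of expected verdicts of the kind you would keep beside the rule set so that a later change (an extra allow, a widened subnet) is caught before it ships. The rules are transcribed from the answer (the NS1-outbound line is DNS, port 53); the outside address 203.0.113.7 and the test cases are constructed for the example, and the default-deny semantics are an assumption about how ef1 and if1 are configured.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP = "tcp", "udp"


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR, or "*" for any address
    dst: str
    protos: frozenset      # subset of {"tcp", "udp"}
    port: int              # destination port
    note: str = ""


def rule(src, dst, protos, port, note=""):
    return Rule(src, dst, frozenset(protos), port, note)


# ef1: between 131.107.3.0/24 and the Internet (from the accepted answer).
EF1 = [
    rule("*", "131.107.3.10/32", {TCP, UDP}, 53, "DNS from Internet to NS1"),
    rule("131.107.3.10/32", "*", {TCP, UDP}, 53, "DNS from NS1 to Internet"),
    rule("*", "131.107.3.126/32", {TCP}, 25, "SMTP from Internet to exbh1"),
    rule("131.107.3.126/32", "*", {TCP}, 25, "SMTP from exbh1 to Internet"),
]

# if1: between the DMZ and the internal 192.168.0.0/24; both directions for
# each of the four services the answer lists.
EXBH1_INT, EXMAIL1 = "192.168.0.101/32", "192.168.0.100/32"
IF1 = []
for port, protos, what in ((25, {TCP}, "SMTP"), (389, {TCP, UDP}, "LDAP"),
                           (3268, {TCP}, "GC"), (691, {TCP}, "LSA")):
    IF1.append(rule(EXBH1_INT, EXMAIL1, protos, port, f"{what} exbh1 -> exmail1"))
    IF1.append(rule(EXMAIL1, EXBH1_INT, protos, port, f"{what} exmail1 -> exbh1"))


def _in_net(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def evaluate(rules, src, dst, proto, port):
    """First matching allow rule wins; anything unmatched is dropped (assumed default deny)."""
    for r in rules:
        if proto in r.protos and port == r.port and _in_net(r.src, src) and _in_net(r.dst, dst):
            return "allow", r.note
    return "deny", "no matching rule"


# Constructed expectations: the mail and DNS paths must work, nothing else may.
EXPECTED = [
    (EF1, "203.0.113.7", "131.107.3.126", TCP, 25, "allow"),      # inbound mail
    (EF1, "131.107.3.126", "203.0.113.7", TCP, 25, "allow"),      # outbound mail
    (EF1, "203.0.113.7", "131.107.3.10", UDP, 53, "allow"),       # public DNS queries
    (EF1, "203.0.113.7", "131.107.3.126", TCP, 80, "deny"),       # nothing else to the DMZ host
    (EF1, "203.0.113.7", "131.107.3.126", UDP, 53, "deny"),       # exbh1 is not a name server
    (IF1, "192.168.0.101", "192.168.0.100", TCP, 3268, "allow"),  # GC lookups from the FE
    (IF1, "192.168.0.101", "192.168.0.100", TCP, 135, "deny"),    # RPC stays closed
    (IF1, "192.168.0.101", "192.168.0.50", TCP, 25, "deny"),      # only exmail1 is reachable
    (IF1, "192.168.0.100", "131.107.3.126", TCP, 25, "deny"),     # relay goes via the internal NIC only
]


def check_expectations(cases=EXPECTED):
    """Return [(flow, verdict)] for every case whose verdict differs from the expectation."""
    failures = []
    for rules, src, dst, proto, port, want in cases:
        got, _ = evaluate(rules, src, dst, proto, port)
        if got != want:
            failures.append(((src, dst, proto, port), got))
    return failures


if __name__ == "__main__":
    bad = check_expectations()
    for flow, verdict in bad:
        print("unexpected:", flow, verdict)
    print("rule set matches expectations" if not bad else "review needed")
```

The value of the table is in the deny cases: they pin down that the only thing the Internet can reach in the DMZ is port 25 on exbh1 and port 53 on NS1, and that the FE can reach only exmail1 on the four listed services, which is the point David's post makes about keeping RPC off the internal firewall.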

Expert Comment

by:Vahik
ID: 9630901
OneHump thanks for the points. I thought this was a real trick question
and not just a configuration one. That is why when I posted my first
answer I told myself this can't be, so I changed my answer and decided to put your Exchanges in two different forests and tested it, and mail would not relay to your private domain unless you reversed your public and private network setup. Well OneHump, there are two things I love (besides gambling, women and booze): mystery and comedy, so there was no mystery and the joke is on me.
Since I have been posting to this site there was one interesting question that I answered and I never got a reply back, so I will try to
find it and I will post it later this week so you and kidego could give it a shot. Thanks again.

Author Comment

by:OneHump
ID: 9643493
Sounds good.  I don't think EE can complain since it builds up their PAQs.  I kept seeing questions related to this sort of thing when I was cleaning old cases.  I wanted a URL to refer people to.