Friday Quiz

I'm not sure this is appropriate, but this question will certainly be PAQ'd so here it goes:

Answer this question completely and accurately and get 2,000 points:


I have two Exchange servers in the same routing group.  No other servers exist in the ORG.
My Exchange server is named ""
My Bridgehead server is named ""
My Email domain is
I have a DNS server named "INS1" for internal DNS ( with IP
I have a DNS server named "NS1" for external DNS ( with IP

My mailbox server has one NIC with IP address

My FE server has two NICs with the following IP addresses:

External NIC:
Internal NIC:

Both IPs are in 24-bit subnets

Gateway for 131.107.3/24 is
Gateway for 192.168.0/24 is

I have a firewall ( between my 131.107.3/24 subnet and the Internet and I have another firewall ( between the 131.107.3/24 and 192.168.0/24 subnets.


I want to configure an Internet Email presence using the resources listed above.  Everything you need is there.  Please describe, in detail, what needs to be done to do this.

I know the answer and will be the judge of who gets the points.  Closest answer gets full credit.  Here are some hints:

DNS - Which records do I need, how is forwarding setup, if at all, and which EX server uses which NS server?
Firewall - What ports need to be opened?
Connector - What connector do I need, if any, and how should it be configured?
NICs - How do I configure my NICs to deal with this?

There are several problems that need to be solved there.  It's possible that I blew it and missed something above.  If so, point that out and do the best with what I provided and you get credit.

My goal here is to throw some spice into a dull day on the forum and create a thread that might be useful to answer the countless SMTP questions that will be answered here.

Good luck!  ;)


OK OneHump, I will take 50 points for the DNS configuration.
You have a public DNS and I will configure it for  (we assume you only have an NS
and a mail server in your DMZ):
@           IN SOA  (
                  6          ; serial number
                  900        ; refresh
                  600        ; retry
                  86400      ; expire
                  3600 )     ; minimum TTL

@               NS

@               MX
exbh1           A     131.107.3.126
ns1             A     132.107.3.10
No forwarders will be configured here. This name server will use root hints to resolve. Since this is your public DNS, none of your internal records will exist here.

For your internal DNS server the SOA will be your  and the only difference will be that you will enable forwarders to your external DNS server.

On your internal firewall you will allow TCP and UDP DNS (53) from INS1 and will deny any DNS (53) from 192.168.0/24.
All your internal clients (including your back-end Exchange) will point to the internal DNS server and all your external clients will point to your external (public) DNS server.

As far as missing something about DNS, you could say you need two public DNS servers up at all times, but I am not a cop.
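The reply above lays out the public zone (SOA, NS, MX, host A records) and the rule that nothing internal may appear in it. The following checker is an added example and is not code from the thread or from either poster: it parses a zone in that shape and flags the mistakes that break or leak mail routing, namely a missing SOA, an in-zone NS without glue, an MX that points at a CNAME or at a name with no address, and any RFC 1918 address published externally. The zone text, the domain `example.com`, the `hostmaster` contact and every address in it are constructed assumptions standing in for the stripped values in the post.

```python
"""Sanity checks for a public DNS zone before it is published.

Added example; not code from the original thread.  The zone below is
constructed: 'example.com', 'hostmaster', the host names and every
address are assumptions standing in for the poster's stripped values.
"""
import ipaddress
import re

ORIGIN = "example.com."

# Constructed zone in the same shape as the one in the reply: SOA, NS, MX,
# glue/host A records, plus one deliberately wrong record for the checker to find.
PUBLIC_ZONE = """
$ORIGIN example.com.
@        IN  SOA  ns1.example.com. hostmaster.example.com. (
                  6        ; serial number
                  900      ; refresh
                  600      ; retry
                  86400    ; expire
                  3600 )   ; minimum TTL
@        IN  NS   ns1
@        IN  MX   10 exbh1
exbh1    IN  A    131.107.3.126
ns1      IN  A    131.107.3.10
exmail1  IN  A    192.168.0.20      ; internal host that leaked into the public zone
"""


def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative owner/target names to fully qualified names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (owner, rrtype, rdata-fields) tuples from master-file text.

    Minimal parser: strips ';' comments, joins parenthesised records, skips
    $-directives, and carries the previous owner for indented lines.
    """
    body = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    records, last_owner = [], origin
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fqdn(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def in_zone(name, origin=ORIGIN):
    return name == origin or name.endswith("." + origin)


def check_public_zone(records, origin=ORIGIN):
    """Return a list of findings; an empty list means the zone passed."""
    findings = []
    by_type = {}
    for owner, rrtype, rdata in records:
        by_type.setdefault(rrtype, []).append((owner, rdata))
    a_owners = {owner for owner, _ in by_type.get("A", [])}
    cname_owners = {owner for owner, _ in by_type.get("CNAME", [])}

    if len(by_type.get("SOA", [])) != 1:
        findings.append("zone must contain exactly one SOA record")

    # Every in-zone name server needs a glue A record or delegation breaks.
    for _, rdata in by_type.get("NS", []):
        target = fqdn(rdata[0], origin)
        if in_zone(target, origin) and target not in a_owners:
            findings.append(f"NS {target} is in-zone but has no A (glue) record")

    # MX targets must be hostnames with an address record, never a CNAME (RFC 2181 s.10.3).
    for _, rdata in by_type.get("MX", []):
        target = fqdn(rdata[1], origin)
        if target in cname_owners:
            findings.append(f"MX target {target} is a CNAME, which is not allowed")
        elif in_zone(target, origin) and target not in a_owners:
            findings.append(f"MX target {target} has no A record")

    # The public zone must not carry internal (RFC 1918) addresses; that is what
    # the separate internal DNS server is for.
    for owner, rdata in by_type.get("A", []):
        if ipaddress.ip_address(rdata[0]).is_private:
            findings.append(f"{owner} A {rdata[0]} is a private address and "
                            "must not appear in the public zone")
    return findings


if __name__ == "__main__":
    for finding in check_public_zone(parse_zone(PUBLIC_ZONE)) or ["zone looks sane"]:
        print(finding)
```

Run it on the constructed zone and the only finding is the leaked `exmail1` record; drop that line and the zone passes. The same check run against the internal zone would, by design, report every private address, which is the point: the two zones are meant to differ, and the checker tells you when the wrong data ended up in the public one.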
David Wilhoit, Senior Consultant, Exchange, commented:
Interesting. First problem I see is the dual-homed FE server. SMTP on the bridgehead will be configured to run on the internal NIC only, and of course, no DNS server will be configured directly on the SMTP VS.  On the external, we need to make sure it doesn't register itself on the internal DNS server, and vice-versa.

Inbound port 25 from the internet, NAT back to the internal NIC on the FE/BH server (fuzzy on this one). Only necessary ports are open, and are directed to the DMZ server. Mail is relayed back to the BE mailbox server. FE server is designated as a front-end (we are assuming E2K enterprise edition, although this is changed with 2003 standard edition). After configuration of SMTP and host headers that point to the backend, dismount your stores. The drawback here is that after you dismount the stores on the front-end, DSNs cannot be sent out.

Firewall between the internal zone and the DMZ will have to allow all the usual ports, Kerberos on 88, LDAP on 389 and 3268 (GC), but you can opt to disallow the netlogon service and DSAccess with a couple of registry keys, so that RPC doesn't have to be open thru the firewall. But at this point, FE cannot authenticate users anymore. That would require anon access to the DMZ box, which is a security hole in and of itself, so I'd allow 135 thru the internal DMZ, and specify the bindback port at something over 1024, I use 1245. You specify this on all backend servers, and any server in the internal subnet that you deem necessary.

If this FE is the OWA server as well, you should set up SSL, use basic authentication for Web Access. I always configure SMTP logging as well on the front end.

I'd configure the SMTP connector on the BE. It would forward all mail thru the FE, and would only accept mail from the FE.

Just realized I'm tired, someone else take it from here  :)
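The dual-homed front-end raised in the comment above is where most of these setups go wrong: the box has two NICs but must have only one default gateway, and anything not covered by a more specific route leaves through that gateway, i.e. out the external NIC. The example below is added here and is not code from the thread; it models the host's route table with longest-prefix matching and shows which NIC and gateway a packet to the back-end mailbox server would use with and without a persistent static route. Every address is an assumption, since the question's values were stripped: the external NIC is taken as 131.107.3.126 with the outer firewall at 131.107.3.1, the internal NIC as 192.168.1.126 on an assumed transfer subnet facing the inner firewall at 192.168.1.1, and the mailbox server as 192.168.0.20 behind that firewall.

```python
"""Longest-prefix-match route lookup for a dual-homed front-end server.

Added example; not code from the thread.  All addresses are assumptions:
the question's values were stripped, so the external NIC is taken as
131.107.3.126, the internal NIC as 192.168.1.126 on an assumed transfer
subnet facing the inner firewall at 192.168.1.1, and the back-end mailbox
server as 192.168.0.20 behind that firewall.
"""
import ipaddress

EXT_GW = ipaddress.ip_address("131.107.3.1")    # assumed: outer firewall, DMZ side
INT_GW = ipaddress.ip_address("192.168.1.1")    # assumed: inner firewall, DMZ side


def route_table(with_static_route):
    """Build the host's route table: on-link routes for both NICs and ONE
    default gateway, on the external NIC only.  with_static_route adds the
    persistent route for the internal subnet via the inner firewall, which is
    what 'route -p add 192.168.0.0 mask 255.255.255.0 192.168.1.1' does on Windows."""
    table = [
        (ipaddress.ip_network("131.107.3.0/24"), None,   "NIC1-external"),
        (ipaddress.ip_network("192.168.1.0/24"), None,   "NIC2-internal"),
        (ipaddress.ip_network("0.0.0.0/0"),      EXT_GW, "NIC1-external"),
    ]
    if with_static_route:
        table.append((ipaddress.ip_network("192.168.0.0/24"), INT_GW, "NIC2-internal"))
    return table


def next_hop(dest, table):
    """Most specific matching route wins; returns (gateway or None if on-link, interface)."""
    dest = ipaddress.ip_address(dest)
    candidates = [r for r in table if dest in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def internal_leaks(table, internal_nets=("192.168.0.0/24",), probe_host=20):
    """Internal subnets whose traffic would leave through the external NIC."""
    leaks = []
    for net in map(ipaddress.ip_network, internal_nets):
        gw, iface = next_hop(net[probe_host], table)
        if iface != "NIC2-internal":
            leaks.append((str(net), str(gw), iface))
    return leaks


if __name__ == "__main__":
    for flag in (False, True):
        print(f"static route {'present' if flag else 'absent'}:",
              "SMTP to exmail1 goes via", next_hop("192.168.0.20", route_table(flag)),
              "; leaks:", internal_leaks(route_table(flag)))
```

Without the static route, mail for the mailbox server is handed to the outer firewall on the external NIC, where it is dropped or, worse, routed somewhere it should not go; with it, the packet exits the internal NIC towards the inner firewall. `internal_leaks` is the check to run after any NIC or route change on the DMZ box, extended with every internal subnet the front-end must reach.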


OneHump, you almost got away with murder. When I first wrote my response I had had a few, but now I am sober. So here goes my answer:
To fix the problem just reverse your domains and the rest is already
explained. If you keep the present setup an NDR will be generated for every
email that comes in. Disregard my first post. If you think my answer is right,
tell me, then I will tell you why it won't work.


Now before I go to bed I should mention that you could also make this setup work if in your  you create the same number of users
as  and contacts corresponding to each user in  and enable forwarding in each user's properties page.
OneHump (Author) commented:
OK, here is the answer.  I'm going to split points between you two for participation.  ;)

We're going to assume that exmail1 is my DC/GC/FSMO since others were not specified.

*DNS*

     IN     MX     10
     IN     A
     IN     A
     IN     A



Source * - Dest     TCP/UDP    53  <-- DNS from Internet to NS1
Source - Dest *     TCP/UDP    25  <-- DNS from NS1 to Internet
Source * - Dest   TCP    25  <-- SMTP port from Internet to exbh1
Source - *          TCP    25  <-- SMTP port from exbh1 to internet


Source - Dest     TCP    25  <-- SMTP from exbh1 to exmail1
Source - Dest     TCP    25  <-- SMTP from exmail1 to exbh1
Source - Dest     TCP/UDP    389  <-- LDAP from exbh1 to exmail1
Source - Dest     TCP/UDP    389  <-- LDAP from exmail1 to exbh1
Source - Dest     TCP    3268  <-- GC to AD from exbh1 to exmail1
Source - Dest     TCP    3268  <-- GC from AD from exmail1 to exbh1
Source - Dest     TCP    691  <-- LSA from exbh1 to exmail1
Source - Dest     TCP    691  <-- LSA from exmail1 to exbh1



Place exbh1 in a routing group called 'Bridgeheads'
Place exmail1 in a routing group called 'North America'

Create 1 SMTP connector for exbh1 with address space *, scope Organization, route using DNS
Create 1 RGC between 'Bridgeheads' and 'North America'

You could leave both servers in the same RG but, in planning for growth, I like separating them.  There is also LSA jabber that goes on so it's always best to segregate boxes between firewalls.  This adds a connector.




IP -
Mask -
Default gateway -


-NIC1 (external)

IP -
Mask -
Default gateway -

-NIC2 (Internal)

IP -
Mask -
Default gateway -

-Add static routes:

route add mask /p  <--  Creates static route for internal subnet

That's it.  Now here is where I blew it.  I needed to put exmail1 into the zone.  This is because it's not good to name the machine one thing and call it something else in DNS.  This would not be a problem now, but would be if other MXs were added.  Other than that, I think that's it.  This could certainly be extended for OWA/POP/IMAP/IM.

There is a lot of info here, so I might have missed something.  :o|
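The port tables in the answer above are the whole of what the two firewalls should pass; everything else is meant to be dropped. The script below is an added example, not the author's or the thread's code: it encodes those two rule sets as default-deny permit lists and audits a set of flows that must work (Internet to exbh1 on 25, exbh1 to exmail1 on 25/389/3268/691) against flows that must fail (Internet to exbh1 on 389, RPC 135 across the inner firewall, anything from the Internet straight to exmail1). The addresses are assumptions because the originals were stripped: NS1 is taken as 131.107.3.10 and the exbh1 external NIC as 131.107.3.126 on the DMZ subnet, the exbh1 internal NIC as 192.168.1.126 and exmail1 as 192.168.0.20. The NS1-to-Internet rule is modelled on port 53, matching its DNS label.

```python
"""Default-deny evaluation of the two firewall rule sets from the answer above.

Added example; not code from the thread.  Addresses are assumptions (the
original values were stripped): NS1 131.107.3.10 and the exbh1 external NIC
131.107.3.126 on the DMZ subnet; the exbh1 internal NIC 192.168.1.126 and
exmail1 192.168.0.20 are made up.  The NS1-to-Internet rule is modelled on
port 53, matching its DNS label.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    return ipaddress.ip_network(addr + "/32")


NS1, EXBH1_EXT = host("131.107.3.10"), host("131.107.3.126")
EXBH1_INT, EXMAIL1 = host("192.168.1.126"), host("192.168.0.20")

# Each entry is a permit: (source, destination, protocols, destination port).
# Anything not matched is dropped, so the tables are exactly the listed holes.
OUTER_FIREWALL = [
    (ANY, NS1, {"tcp", "udp"}, 53),        # DNS from Internet to NS1
    (NS1, ANY, {"tcp", "udp"}, 53),        # NS1 resolving via root hints
    (ANY, EXBH1_EXT, {"tcp"}, 25),         # SMTP from Internet to exbh1
    (EXBH1_EXT, ANY, {"tcp"}, 25),         # SMTP from exbh1 to Internet
]

INNER_FIREWALL = [
    (EXBH1_INT, EXMAIL1, {"tcp"}, 25),          # SMTP exbh1 -> exmail1
    (EXMAIL1, EXBH1_INT, {"tcp"}, 25),          # SMTP exmail1 -> exbh1
    (EXBH1_INT, EXMAIL1, {"tcp", "udp"}, 389),  # LDAP
    (EXMAIL1, EXBH1_INT, {"tcp", "udp"}, 389),
    (EXBH1_INT, EXMAIL1, {"tcp"}, 3268),        # Global Catalog
    (EXMAIL1, EXBH1_INT, {"tcp"}, 3268),
    (EXBH1_INT, EXMAIL1, {"tcp"}, 691),         # Link State Algorithm between routing groups
    (EXMAIL1, EXBH1_INT, {"tcp"}, 691),
]


def permitted(rules, src, dst, proto, port):
    """Permit if any rule matches; False when none does (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d and proto in protos and port == p
               for s, d, protos, p in rules)


# Flows the design needs (expected True) and flows it must block (expected False).
# 203.0.113.9 is a constructed Internet address.
EXPECTATIONS = [
    ("internet -> exbh1 smtp", OUTER_FIREWALL, "203.0.113.9", "131.107.3.126", "tcp", 25, True),
    ("internet -> exbh1 ldap", OUTER_FIREWALL, "203.0.113.9", "131.107.3.126", "tcp", 389, False),
    ("internet -> ns1 dns", OUTER_FIREWALL, "203.0.113.9", "131.107.3.10", "udp", 53, True),
    ("internet -> exbh1 dns", OUTER_FIREWALL, "203.0.113.9", "131.107.3.126", "udp", 53, False),
    ("exbh1 -> exmail1 smtp", INNER_FIREWALL, "192.168.1.126", "192.168.0.20", "tcp", 25, True),
    ("exbh1 -> exmail1 gc", INNER_FIREWALL, "192.168.1.126", "192.168.0.20", "tcp", 3268, True),
    ("exbh1 -> exmail1 rpc", INNER_FIREWALL, "192.168.1.126", "192.168.0.20", "tcp", 135, False),
    ("internet -> exmail1 smtp", INNER_FIREWALL, "203.0.113.9", "192.168.0.20", "tcp", 25, False),
]


def audit(expectations=EXPECTATIONS):
    """Return the names of flows whose actual verdict differs from the expected one."""
    return [name for name, rules, src, dst, proto, port, want in expectations
            if permitted(rules, src, dst, proto, port) != want]


if __name__ == "__main__":
    print("mismatches:", audit() or "none")
```

Keep `EXPECTATIONS` as the contract for the design and rerun `audit()` whenever a rule is added: if you follow the earlier comment and open RPC so the front-end can authenticate users, add TCP 135 plus the fixed bind-back port to `INNER_FIREWALL` and flip that expectation, and the audit will tell you if the change also opened something it should not have.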


OneHump, thanks for the points. I thought this was a real trick question
and not just a configuration one. That is why, when I posted my first
answer, I told myself this can't be, so I changed my answer and decided to put your Exchanges in two different forests and tested it, and mail would not relay to your private domain unless you reversed your public and private network setup. Well OneHump, there are two things I love (besides gambling, women and booze): mystery and comedy, so there was no mystery and the joke is on me.
Since I have been posting to this site there was one interesting question that I answered and I never got a reply back, so I will try to
find it and I will post it later this week so you and kidego could give it a shot. Thanks again.
OneHump (Author) commented:
Sounds good.  I don't think EE can complain since it builds up their PAQs.  I kept seeing questions related to this sort of thing when I was cleaning old cases.  I wanted a URL to refer people to.