

Friday Quiz

Posted on 2003-10-24
Medium Priority
Last Modified: 2008-02-26
I'm not sure this is appropriate, but this question will certainly be PAQ'd so here it goes:

Answer this question completely and accurately and get 2,000 points:


I have two Exchange servers in the same routing group.  No other servers exist in the ORG.
My Exchange server is named "exmail1.mydomain.net"
My Bridgehead server is named "exbh1.mydomain.com"
My Email domain is mydomain.com
I have a DNS server named "INS1" for internal DNS (mydomain.net) with IP
I have a DNS server named "NS1" for external DNS (mydomain.com) with IP

My mailbox server has one NIC with IP address

My FE server has two NICs with the following IP addresses:

External NIC:
Internal NIC:

Both IP's are in 24 bit subnets

Gateway for 131.107.3/24 is
Gateway for 192.168.0/24 is

I have a firewall (ef1.mydomain.com) between my 131.107.3/24 subnet and the Internet and I have another firewall (if1.mydomain.net) between the 131.107.3/24 and 192.168.0/24 subnets.


I want to configure an Internet Email presence using the resources listed above.  Everything you need is there.  Please describe, in detail, what needs to be done to do this.

I know the answer and will be the judge of who gets the points.  Closest answer gets full credit.  Here are some hints:

DNS - Which records do I need, how is forwarding setup, if at all, and which EX server uses which NS server?
Firewall - What ports need to be opened?
Connector - What connector do I need, if any, and how should it be configured?
NICs - How do I configure my NICs to deal with this?

There are several problems that need to be solved there.  It's possible that I blew it and missed something above.  If so, point that out and do the best with what I provided and you get credit.

My goal here is to throw some spice into a dull day on the forum and create a thread that might be useful to answer the countless SMTP questions that will be answered here.

Good luck!  ;)

Question by:OneHump
LVL 26

Assisted Solution

Vahik earned 1000 total points
ID: 9618489
Ok Onehump i will take 50 points for dns configuration.
U have public dns and i will configure it for (we assume u only have a NS and mail server in ur DMZ):

@           IN SOA ns1.mydomain.com. admin.domain.com. (
                  6          ; serial number
                  900        ; refresh
                  600        ; retry
                  86400      ; expire
                  3600 )     ; minimum TTL

@               NS ns1.mydomain.com.

@               MX 10 exbh1.mydomain.com.
exbh1           A  131.107.3.126
ns1             A  132.107.3.10

No forwarders will be configured here. This name server will use root hints to resolve. Since this is ur public dns no records of ur internal records will exist here.

for ur internal DNS server SOA will be ur domain.net and the only diff will be that u will enable forwarders to ur external dns server.

On ur internal firewall u will allow tcp and udp DNS (53) from INS1 and will deny any DNS (53) from 192.168.0/24.
All ur internal clients will be facing (including ur backend exchange) ur internal DNS server and all ur external clients will be facing ur external (public) DNS server.

As far as missing something about DNS u could say u need two public dns servers on at all times but i am not a cop.
LVL 24

Accepted Solution

David Wilhoit earned 1000 total points
ID: 9618636
Interesting. First problem I see is the dual homed FE server. SMTP on the bridgehead will be configured to run on the internal NIC only, and of course, no DNS server will be configured directly on the SMTP VS.  On the external, we need to make sure it doesn't register itself on the internal DNS server, and vice-versa.

Inbound port 25 from the internet, NAT back to the internal NIC on the FE/BH server (fuzzy on this one). Only necessary ports are open, and are directed to the DMZ server. Mail is relayed back to the BE mailbox server. FE server is designated as a front-end (we are assuming E2K enterprise edition, although this is changed with 2003 standard edition). After configuration of SMTP and host headers that point to the backend, dismount your stores. The drawback here is that after you dismount the stores on the front-end, DSNs cannot be sent out.

Firewall between the internal zone and the DMZ will have to allow all the usual ports, Kerberos on 88, LDAP on 389 and 3268 (GC), but you can opt to disallow the netlogon service and DSAccess with a couple of registry keys, so that RPC doesn't have to be open thru the firewall. But at this point, FE cannot authenticate users anymore. That would require anon access to the DMZ box, which is a security hole in and of itself, so I'd allow 135 thru the internal DMZ, and specify the bindback port at something over 1024; I use 1245. You specify this on all backend servers, and any server in the internal subnet that you deem necessary.

If this FE is the OWA server as well, you should set up SSL, use basic authentication for Web Access. I always configure SMTP logging as well on the front end.

I'd configure the SMTP connector on the BE. It would forward all mail thru the FE, and would only accept mail from the FE.

Just realized I'm tired, someone else take it from here  :)

LVL 26

Expert Comment

ID: 9621953
OneHump u almost got away with murder. When i first wrote my response i had a few but now i am sober. So here goes my answer:
To fix the problem just reverse ur domains and the rest is already explained. If u keep the present setup an NDR will be generated for every email that comes in. Disregard my first post. If u think my answer is right tell me, then i will tell u why it wont work.


LVL 26

Expert Comment

ID: 9622040
Now before i go to bed i should mention that u could also make this setup work if in ur MYDOMAIN.com u create the same number of users as MYDOMAIN.net and contacts corresponding to each user in MYDOMAIN.net and enable forwarding in each user's properties page.
LVL 10

Author Comment

ID: 9628722
OK, here is the answer.  I'm going to split points between you two for participation.  ;)

We're going to assume that exmail1 is my DC/GC/FSMO since others were not specified.

External DNS (NS1, mydomain.com zone):

mydomain.com              IN     MX     10 exbh1.mydomain.com
exchange.mydomain.com     IN     A

Internal DNS (INS1, mydomain.net zone):

exmail1.mydomain.net      IN     A
exbh1.mydomain.net        IN     A

External firewall (ef1.mydomain.com):

Source * - Dest       TCP/UDP    53    <-- DNS from Internet to NS1
Source - Dest *       TCP/UDP    53    <-- DNS from NS1 to Internet
Source * - Dest       TCP        25    <-- SMTP from Internet to exbh1
Source - Dest *       TCP        25    <-- SMTP from exbh1 to Internet

Internal firewall (if1.mydomain.net):

Source - Dest         TCP        25    <-- SMTP from exbh1 to exmail1
Source - Dest         TCP        25    <-- SMTP from exmail1 to exbh1
Source - Dest         TCP/UDP    389   <-- LDAP from exbh1 to exmail1
Source - Dest         TCP/UDP    389   <-- LDAP from exmail1 to exbh1
Source - Dest         TCP        3268  <-- GC to AD from exbh1 to exmail1
Source - Dest         TCP        3268  <-- GC to AD from exmail1 to exbh1
Source - Dest         TCP        691   <-- LSA from exbh1 to exmail1
Source - Dest         TCP        691   <-- LSA from exmail1 to exbh1

Reference:  http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

Routing groups and connectors:

Place exbh1 in a routing group called 'Bridgeheads'
Place exmail1 in a routing group called 'North America'

Create 1 SMTP connector for exbh1 with address space *, scope Organization, route using DNS
Create 1 RGC between 'Bridgeheads' and 'North America'

You could leave both servers in the same RG but, in planning for growth, I like separating them.  There is also LSA jabber that goes on so it's always best to segregate boxes between firewalls.  This adds a connector.

NIC configuration:

exmail1 (one NIC):

IP -
Mask -
Default gateway -

exbh1 (two NICs):

-NIC1 (external)

IP -
Mask -
Default gateway -

-NIC2 (Internal)

IP -
Mask -
Default gateway -

-Add static routes:

route add mask /p  <--  Creates static route for internal subnet

That's it.  Now here is where I blew it.  I needed to put exmail1 into the mydomain.com zone.  This is because it's not good to name the machine one thing and call it something else in DNS.  This would not be a problem now, but would be if other MXs were added.  Other than that, I think that's it.  This could certainly be extended for OWA/POP/IMAP/IM.

There is a lot of info here, so I might have missed something.  :o|
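A small offline lint for the two pieces of this thread that are easiest to get wrong: Vahik's public zone (the MX/NS targets must resolve to addresses inside the 131.107.3/24 DMZ, and the accepted answer's own correction that exmail1 belongs in the mydomain.com zone too) and the author's firewall table (each rule's port must match the service named in its comment, and nothing but SMTP and DNS may cross the Internet-facing firewall). This is an added example, not code from the thread or from Experts Exchange; the zone text is a constructed copy of the posted one with ns1's address kept exactly as typed, and the rule table replaces the elided IPs with host labels, keeps one rule with a deliberately wrong port, and adds one constructed LDAP-from-Internet rule so that both checks fire.

```python
import ipaddress
import re

DMZ_SUBNET = ipaddress.ip_network("131.107.3.0/24")  # stated in the question

# Constructed copy of the public zone posted in the thread (values kept as typed).
PUBLIC_ZONE = """\
$ORIGIN mydomain.com.
@      IN SOA ns1.mydomain.com. admin.mydomain.com. ( 6 900 600 86400 3600 )
@      IN NS  ns1.mydomain.com.
@      IN MX  10 exbh1.mydomain.com.
exbh1  IN A   131.107.3.126
ns1    IN A   132.107.3.10
"""

# Hosts the accepted answer says must resolve in the public zone
# (the author's own correction: exmail1 belongs in mydomain.com as well).
REQUIRED_HOSTS = ("exbh1.mydomain.com.", "exmail1.mydomain.com.")


def fqdn(name, origin):
    """Expand a zone-file owner or target to an absolute name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Minimal BIND-style parser: returns (origin, [(owner, type, rdata_tokens)])."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "IN":
            rest = rest[1:]
        records.append((fqdn(owner, origin), rest[0], rest[1:]))
    return origin, records


def zone_findings(text):
    """Problems a reviewer would flag in the public zone, as strings."""
    origin, records = parse_zone(text)
    a_records = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype in ("MX", "NS"):
            target = fqdn(rdata[-1], origin)
            if target not in a_records:
                findings.append(f"{rtype} target {target} has no A record in the zone")
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if addr not in DMZ_SUBNET:
                findings.append(f"{owner} A {addr} is outside the DMZ subnet {DMZ_SUBNET}")
    for host in REQUIRED_HOSTS:
        if host not in a_records:
            findings.append(f"required host {host} is missing from the public zone")
    return findings


SERVICE_PORTS = {"DNS": 53, "SMTP": 25, "LDAP": 389, "GC": 3268, "LSA": 691}
INTERNET_SERVICES = {"DNS", "SMTP"}  # all the Internet-facing firewall should ever pass

# Constructed rule table in the thread's notation: host labels stand in for the
# elided IPs, rule 2 carries a deliberately wrong port, rule 5 is a constructed bad rule.
EF1_RULES = """\
Source * - Dest NS1        TCP/UDP   53  <-- DNS from Internet to NS1
Source NS1 - Dest *        TCP/UDP   25  <-- DNS from NS1 to Internet
Source * - Dest exbh1      TCP       25  <-- SMTP port from Internet to exbh1
Source exbh1 - Dest *      TCP       25  <-- SMTP port from exbh1 to Internet
Source * - Dest exbh1      TCP      389  <-- LDAP from Internet to exbh1
"""

RULE_RE = re.compile(
    r"Source\s+(\S+)\s+-\s+Dest\s+(\S+)\s+(TCP/UDP|TCP|UDP)\s+(\d+)\s+<--\s+(\w+)"
)


def firewall_findings(table, internet_facing=True):
    """Check each rule's port against its named service and, for the outer
    firewall, that only SMTP and DNS touch the Internet ('*' endpoints)."""
    findings = []
    for n, line in enumerate(table.strip().splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:
            findings.append(f"rule {n}: unparseable line {line.strip()!r}")
            continue
        src, dst, _proto, port, svc = m.groups()
        expected = SERVICE_PORTS.get(svc)
        if expected is None:
            findings.append(f"rule {n}: unknown service {svc}")
        elif int(port) != expected:
            findings.append(f"rule {n}: {svc} expects port {expected}, rule opens {port}")
        if internet_facing and "*" in (src, dst) and svc not in INTERNET_SERVICES:
            findings.append(f"rule {n}: {svc} exposed to the Internet")
    return findings


if __name__ == "__main__":
    for finding in zone_findings(PUBLIC_ZONE) + firewall_findings(EF1_RULES):
        print(finding)
```

Run against the constructed inputs it reports four lines: ns1's address outside the DMZ subnet, exmail1 missing from the public zone, the DNS rule that opens 25 instead of 53, and the LDAP rule that reaches the Internet. Feeding it a real zone and rule export is just a matter of replacing the two constants.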


LVL 26

Expert Comment

ID: 9630901
OneHump thanks for the points. I thought this was a real trick question and not just a configuration one. That is why when i posted my first answer i told myself this can't be, so i changed my answer and decided to put ur exchanges in two diff forests and tested it, and mail would not relay to ur private domain unless u reversed ur Public and private network setup. Well OneHump there are two things i love (besides gambling, women and booze): mystery and comedy, so there was no mystery and the joke is on me.
Since i have been posting to this site there was one interesting question that i answered and i never got a reply back, so i will try to find it and i will post it later this week so u and kidego could give it a shot. Thanks again.
LVL 10

Author Comment

ID: 9643493
Sounds good.  I don't think EE can complain since it builds up their PAQs.  I kept seeing questions related to this sort of thing when I was cleaning old cases.  I wanted a URL to refer people to.
