• Status: Solved

Barracuda 300 and Exchange 2003 Front End and Back End Server Question

Current environment is an Exchange 2K3 F/E Server and 2K3 B/E Server. We currently use Postini to filter our email and we are placing the Barracuda inside our network to filter incoming mail only. I am currently placing the Barracuda inside on my private network. I have it configured but my problem is this:

What changes do I need to make to allow my front end server to now go to the Barracuda first instead of the B/E server first? This is the only problem I am being plagued with. I am finding very little info online regarding this. Barracuda is telling me my setup is fine and that I just need to point my F/E to the Cuda. But how?
Asked by: pterranova13
2 Solutions
 
raigj Commented:
Go to your firewall, under rules, and create a rule from WAN to the IP address of the Barracuda. Log on to the Barracuda and there is a setting where you put the IP address of your Exchange server, so all incoming traffic from WAN will go to the Barracuda and then to your Exchange server. Let me know if this helps.
0
 
overcld9 Commented:
The Front-End server can redirect to the spam appliance if you add it as a smarthost on the send connector for your email domain on the Front-End server. (I would use the Barracuda IP as the smarthost address)

Hope this is what you are looking for

-Sean
0
 
pterranova13 (Author) Commented:
Where am I placing this smarthost?
0
 
overcld9 Commented:
Open Exchange System Manager on your front end server.

Expand Administrative Group/Servers/Connectors

Find your Internal Connector (the connector responsible for internal mail with the address space of your domain). If you only have a default connector, create a new connector by right-clicking on connector and clicking new connector.

On the General tab, put in the IP address of your Barracuda (in brackets, i.e. [192.168.1.200]) under "Forward all mail through this connector to the following smart host".

Next click address space

Click add and add the internal email domains that you want the barracuda to handle.

Click apply and all mail addressed to your mail domain will be routed to the Barracuda; the Barracuda will then route to your back-end server.

Let me know if this works.

-Sean


0
 
overcld9 Commented:
BTW, if your network is set up correctly you should have a firewall between the Exchange F/E server and your private LAN. If this is the case, just follow Raigj's solution and port forward inbound port 25 to the internal LAN IP of the Barracuda.
0
 
pterranova13 (Author) Commented:
We are using a Checkpoint firewall and my director does not want to change the settings there. Therefore I would just create a container on my F/E server to allow all incoming traffic to filter to the Barracuda, then from the Barracuda to the B/E server.

Is this correct? This will not affect the outgoing mail container??
0
 
overcld9 Commented:
That won't work. If you have a firewall that is already configured, it will point to your backend server. This needs to be changed or it will not work. There is no way to route from the F/E to the firewall, to the Barracuda, to the B/E server unless you change the address of the Barracuda to be the address of the B/E server and then change the IP of the B/E server to something different. This in itself will more than likely cause you a whole host of issues. The absolute, without a doubt, easiest solution is to change the port 25 rule on your firewall from the Exchange server to the Barracuda. This will not affect anything else, as the Barracuda will pass direct to the B/E server once it has scanned the messages coming across port 25.

If this is not available as a solution, you would have to place the Barracuda on the same side of the firewall as the F/E server.

Hope this helps
-Sean
0
 
pterranova13 (Author) Commented:
How would changing the rule on the firewall work for clients who, say, have a LAN-to-LAN with us and bring their mail directly to my F/E server?
0
 
pterranova13 (Author) Commented:
But wouldn't the connectors between the F/E and B/E server be what is governing the mail flow?
0
 
overcld9 Commented:
Yes, but only in the same function as sending mail over port 25. The F/E server provides an access to the B/E server; as it receives mail, it forwards it on to the B/E server where the mail is stored. What you want to do is scan inbound port 25 mail in between the two. The F/E has to go through the gateway of the firewall to get to the B/E. At this point, where the mail goes is the role of the port forwarding of the firewall. The firewall does not care if you have F/E & B/E topology; it only sees that you have inbound port 25 and the rules say all inbound port 25 goes here (here being your B/E server currently). To scan mail before it gets to the B/E server but after the F/E server, you have to be the intermediary between the two servers. The only difference between how the F/E server sends mail to the B/E is that it is authenticating as opposed to using anonymous access. The authentication should not be affected.

Your f/e is already set to send mail through the firewall, the firewall is set to forward that mail to the b/e server, changing your inbound port 25 forward to go to the barracuda will force all inbound mail to the b/e servers to be scanned. After the barracuda scans the mail it will send it to the b/e server.
0
 
pterranova13 (Author) Commented:
OK, here is the scoop. Speaking with the person who handles the firewall right now, all that is stated in the firewall is that if there is SMTP traffic then go through, and the connectors between the servers are directing the mail.

On a side note, what if I was to place the Cuda in my public DMZ and traffic the mail from it to the F/E server first? I would place an ACL on the Internet router to allow all SMTP traffic that would be destined for the F/E server to the Cuda's address first, and then everything else would continue to work as it is currently. I think with this setup I would have to make little to no changes on my outside spam filter system (Postini) and all traffic will pretty much still flow as it is currently but just go through the Barracuda first.

Am I confusing you yet???????
0
 
overcld9 Commented:
Your last post would be the ideal situation and how most companies protect themselves with the spam firewall. It would not require any changes to Postini.
0
 
pterranova13 (Author) Commented:
I will have to create an ACL allowing traffic to flow from my internet router to my Barracuda first. Would you be able to give me the syntax for this? ACLs are still a little new to me.

thanks!
0
 
overcld9 Commented:
You should only need a simple rule that should already exist. The rule in short should be inbound port 25 forwarded to the address of the barracuda. The only thing you should have to do is change the address in the firewall from the F/E to the Barracuda. Should be a simple change.
0
 
raigj Commented:
Follow the instructions that I gave you. Let me know if this helped.
0
 
pterranova13 (Author) Commented:
We do not have an ACL forwarding emails. I should create this on my border router (Internet router)?
0
 
overcld9 Commented:
You need to discover what forwards email to the F/E server. An easy way to find this out is to check what ip your mxrecord belongs to. If you do not know your mxrecord ip, go to http://www.mxtoolbox.com and enter your domain. Once you have the IP, find out which device has that ip. It sounds to me like you have your F/E server directly attached to your internet router with no firewall in between. If this is the case, you will need to change the ip address of the barracuda and change the ip of the f/e server. If you have a block of static public IPs you need only have one available. It is very important that you have a firewall between your f/e server and your internet router. If your internet router also functions as a NAT firewall, then you would change the port 25 redirector on your border router.
0
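A way to check the routing this thread settles on, as an added example that is not part of any poster's reply: parse the Received headers of a test message as delivered to the back-end and confirm that no Exchange server accepted it before the Barracuda relayed it. This also catches the LAN-to-LAN case raised above, where a partner delivers straight to the F/E. All host names, IPs and sample messages are constructed.

```python
import email
import re

# One hop: "from <host> ([<ip>]) by <host> ..."; headers may be folded.
HOP = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?by\s+(\S+)", re.S)

def hops(raw):
    """Return (from_host, from_ip, by_host) per hop, oldest hop first."""
    msg = email.message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            found.append(m.groups())
    return found[::-1]  # each hop prepends its header, so reverse them

def filtered_before(raw, filter_ip, protected):
    """True only if no protected host accepted the message before one of
    them recorded the filter appliance as the sending peer."""
    seen_filter = False
    for _from_host, from_ip, by_host in hops(raw):
        # Count the filter only when one of our own servers logged its IP;
        # headers written by outside hosts are not trusted for this.
        if from_ip == filter_ip and by_host in protected:
            seen_filter = True
        if by_host in protected and not seen_filter:
            return False
    return seen_filter

def received(from_host, from_ip, by_host):
    # Builds a constructed, folded Received header for the samples below.
    return (f"Received: from {from_host} ([{from_ip}])\n"
            f"\tby {by_host} with ESMTP; Mon, 1 Jan 2007 10:00:00 -0500\n")

TAIL = "From: sender@example.org\nTo: user@example.com\nSubject: test\n\nbody\n"
FILTER_IP = "192.168.1.200"  # assumed Barracuda address
PROTECTED = {"fe01.example.local", "be01.example.local"}  # assumed F/E, B/E

# Constructed: outside filter -> Barracuda -> F/E -> B/E
VIA_FILTER = (received("fe01.example.local", "192.168.1.10", "be01.example.local")
              + received("barracuda.example.local", FILTER_IP, "fe01.example.local")
              + received("filter.example.net", "203.0.113.25", "barracuda.example.local")
              + TAIL)
# Constructed: partner on a LAN-to-LAN link delivers directly to the F/E
BYPASS = (received("fe01.example.local", "192.168.1.10", "be01.example.local")
          + received("mail.partner.example", "10.20.0.5", "fe01.example.local")
          + TAIL)

if __name__ == "__main__":
    for name, raw in (("via filter", VIA_FILTER), ("bypass", BYPASS)):
        print(name, filtered_before(raw, FILTER_IP, PROTECTED))
```

Run it against the headers of a test message you sent yourself; Received lines written by hosts outside your control can be forged, so this is a routing sanity check rather than proof of origin.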
