
3 Exchange Servers behind firewall - supporting different domains

Hello,

We have a small development environment where we have multiple set ups of the same solution repeated.

In each solution is an Exchange server providing the mail functionality, and each solution is set up as a completely different public domain, i.e. (1) www.acb1.com (2) www.abc2.com (3) www.abc3.com.
All of these solutions are set up behind one firewall, with different public IP's mapped to each.

Email is working fine to and from other domains on the internet. However, we are having trouble working out a way for email to work between the 3 domains on the inside of the firewall.

Has anyone come across a similar problem?
Does anyone know a way to achieve being able to email public domains on the internet and internally too?


Thanks,
-Craig
Asked by chouckham

2 Solutions

simonpainter commented:
That's not too hard. The NAT on the ASA will not allow the internal servers to route to each other via the public IP addresses. What you have to do is set up SMTP connectors using the different domains in the address space tab and then specify the correct internal IP or resolvable FQDN in the smarthost box.
Hope this helps, let me know if you need more info.

chouckham (Author) commented:
Hi Simon,

If you could explain a little further that would be great. (points increased)
The systems are a mixture of Exchange 2003 and 2007.

Thanks,
-Craig

simonpainter commented:
OK, right now I am assuming that all your mail is using MX delivery.

Server foo1
domain foo.com
int eth 192.168.0.1
ext eth 66.66.66.1

Server bar1
domain bar.com
int eth 192.168.0.2
ext eth 66.66.66.2

Server flake1
domain flake.com
int eth 192.168.0.3
ext eth 66.66.66.3

If any of the servers has mail to send to the other, they currently look up the MX record for the domain and that comes back as the externally NATted address on the ASA. Due to some complexity in how NAT works the internal devices can't route to the external addresses and the whole thing fails.
What you have to do is create two SMTP connectors on each box with the address space of the domain that they are sending to and the internal address of the server. You are also wise to set up a third one that provides the routing to the internet if you have not already done so.


On server foo1
SMTP connector 1
Address space bar.com
Smarthost 192.168.0.2
Cost 1
SMTP connector 2
Address space flake.com
Smarthost 192.168.0.3
Cost 1
SMTP connector 3
Address space *
MX delivery
Cost 2

On server bar1
SMTP connector 1
Address space foo.com
Smarthost 192.168.0.1
Cost 1
SMTP connector 2
Address space flake.com
Smarthost 192.168.0.3
Cost 1
SMTP connector 3
Address space *
MX delivery
Cost 2

On server flake1
SMTP connector 1
Address space foo.com
Smarthost 192.168.0.1
Cost 1
SMTP connector 2
Address space bar.com
Smarthost 192.168.0.1
Cost 1
SMTP connector 3
Address space *
MX delivery
Cost 2

As for the specifics of how to set up the SMTP connectors take a look at http://technet.microsoft.com/en-us/library/aa996625(EXCHG.65).aspx
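The connector tables above can be checked offline before they are typed into each server. The following is an added example, not code from the post or from Exchange: it models the selection rule the answer relies on (the most specific address space wins, the `*` catch-all only applies when nothing else matches, lower cost wins among equals) and adds the sanity checks an administrator would want, namely that every smarthost is an internal address rather than a public NAT address, that no connector points back at the sending server, and that a catch-all connector for internet delivery exists. The server names, domains and 192.168.0.x addresses are taken from the answer; the `Connector` class, the `SERVERS` table and the check functions are assumptions for this example.

```python
"""Offline model of per-server SMTP connector tables (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Connector:
    address_space: str            # e.g. "bar.com", or "*" for everything else
    cost: int
    smarthost: Optional[str] = None   # None means MX (DNS) delivery


# Internal addresses of foo1, bar1 and flake1 as given in the answer.
SERVERS = {
    "foo.com": "192.168.0.1",
    "bar.com": "192.168.0.2",
    "flake.com": "192.168.0.3",
}


def build_connectors(local_domain: str) -> List[Connector]:
    """Two smarthost connectors to the other internal domains (cost 1) plus a
    catch-all MX connector at cost 2, which is the layout the answer describes."""
    conns = [Connector(d, 1, ip) for d, ip in SERVERS.items() if d != local_domain]
    conns.append(Connector("*", 2))
    return conns


def matches(space: str, domain: str) -> bool:
    """An address space matches the domain itself and its subdomains."""
    if space == "*":
        return True
    return domain == space or domain.endswith("." + space)


def select_connector(connectors: List[Connector], recipient: str) -> Optional[Connector]:
    domain = recipient.rsplit("@", 1)[1].lower()
    candidates = [c for c in connectors if matches(c.address_space, domain)]
    if not candidates:
        return None
    # Order: specific address spaces before "*", longer (more specific) space
    # first, then the cheapest connector.
    return min(candidates,
               key=lambda c: (c.address_space == "*", -len(c.address_space), c.cost))


def route(local_domain: str, recipient: str) -> str:
    """Where a message from `local_domain` to `recipient` is handed off:
    an internal smarthost address, or "MX" for normal internet delivery."""
    chosen = select_connector(build_connectors(local_domain), recipient)
    return "MX" if chosen is None or chosen.smarthost is None else chosen.smarthost


def check_connectors(local_domain: str, connectors: List[Connector]) -> List[str]:
    """Return a list of problems; an empty list means the table looks sane."""
    problems = []
    for c in connectors:
        if c.smarthost is None:
            continue
        if not ip_address(c.smarthost).is_private:
            # A public (NAT) address will not route from inside the firewall.
            problems.append(f"{c.address_space}: smarthost {c.smarthost} is not an internal address")
        if c.smarthost == SERVERS[local_domain]:
            problems.append(f"{c.address_space}: smarthost is the local server itself")
    if not any(c.address_space == "*" for c in connectors):
        problems.append("no catch-all (*) connector for internet delivery")
    return problems


if __name__ == "__main__":
    for local in SERVERS:
        print(local, "->", {d: route(local, "user@" + d) for d in SERVERS}, route(local, "x@example.org"))
        print("  problems:", check_connectors(local, build_connectors(local)))
```

Running the script prints, for each of the three servers, where mail to each domain is routed and any problems found; with the tables as modelled every internal domain goes to the other server's 192.168.0.x address and everything else goes to MX.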

chouckham (Author) commented:
Great - I have followed all that.

Should any services be restarted before the new routes are used?

simonpainter commented:
It's always worth restarting the smtp service when you make any changes to SMTP related things. Message tracking will help you work out if they are using the new connectors yet.

chouckham (Author) commented:
It's working on the Exchange Server - thanks!

However, I've just noticed that the application server isn't using the Exchange server for outbound mail - it's sending it through a virtual SMTP service within IIS.

Do you know how to configure this in the same way?

(points increase to 500)

simonpainter commented:
The IIS smtp server cannot be configured in this way. What you will have to do is either configure the application server to send mail (relay) via one of the exchange servers or configure the IIS SMTP server to relay the mail to one of the exchange servers which will then distribute it accordingly.
Whichever is the receiving Exchange server (either getting the mail from the IIS SMTP server or direct from the application) will have to allow relaying from the specific source. This can be done by authorising a single IP address or by using domain credentials depending on your requirements (IP is easier because you only need to make the change on the receiving end and don't have to worry about accounts expiring).
Microsoft have an article here http://www.microsoft.com/technet/security/prodtech/exchangeserver/excrelay.mspx on allowing relaying from a specific IP.
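The relay rule described here has one failure mode worth keeping in mind when it is configured: opening relaying too widely (a whole subnet, or all anonymous senders) turns the receiving Exchange server into an open relay. The following is an added example, not code from the post, from Exchange or from the linked Microsoft article: it models the decision a correctly configured receiving server makes (accept mail for its own domains from anyone, relay to other domains only for the authorised source or an authenticated sender, reject everything else) and audits a few constructed SMTP session records against that policy so that relay attempts from unexpected hosts stand out. The three local domains are from the answer; the application server address 192.168.0.50, the client addresses and the log line format are constructed for this example.

```python
"""Constructed model of the relay policy on the receiving Exchange server."""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

LOCAL_DOMAINS = {"foo.com", "bar.com", "flake.com"}   # domains this side hosts

# Only the application server may relay to outside domains (constructed
# address).  Listing a whole subnet here would let any internal host relay.
RELAY_SOURCES = [ip_network("192.168.0.50/32")]


def relay_decision(client_ip: str, recipient: str, authenticated: bool = False) -> str:
    """'accept' for inbound mail to a local domain, 'relay' for outbound mail
    from an authorised source, 'reject' for everything else."""
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"
    src = ip_address(client_ip)
    if authenticated or any(src in net for net in RELAY_SOURCES):
        return "relay"
    return "reject"          # relaying here would make the server an open relay


def audit_sessions(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse constructed 'client=<ip> rcpt=<address> auth=<yes|no>' records
    and return the (client, recipient) pairs the policy rejects, i.e. the
    ones an administrator should look at."""
    rejected = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        decision = relay_decision(fields["client"], fields["rcpt"], fields.get("auth") == "yes")
        if decision == "reject":
            rejected.append((fields["client"], fields["rcpt"]))
    return rejected


# Constructed session records, not real Exchange or IIS SMTP log output.
SAMPLE_SESSIONS = [
    "client=203.0.113.9 rcpt=alice@foo.com auth=no",        # inbound, fine
    "client=192.168.0.50 rcpt=partner@example.org auth=no", # app server relay, fine
    "client=192.168.0.51 rcpt=partner@example.org auth=no", # unexpected internal host
    "client=198.51.100.7 rcpt=victim@example.net auth=no",  # outside host probing for relay
    "client=198.51.100.7 rcpt=victim@example.net auth=yes", # authenticated, allowed
]

if __name__ == "__main__":
    for line in SAMPLE_SESSIONS:
        print(line, "->", audit_sessions([line]) and "REJECT" or "ok")
```

The audit function is the detection side of the same policy: if the rejected list is empty for the traffic you expect, the allow list is neither too narrow (the application server's mail would appear in it) nor too wide (outside hosts relaying would not).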


chouckham (Author) commented:
Excellent help! - much appreciated