3 Exchange Servers behind firewall - supporting different domains

Hello,

We have a small development environment where we have multiple set ups of the same solution repeated.

In each solution is an Exchange server providing the mail functionality, and each solution is set up as a completely different public domain, i.e. (1) www.acb1.com (2) www.abc2.com (3) www.abc3.com.
All of these solutions are set up behind one firewall, with different public IPs mapped to each.

Email is working fine to and from other domains on the internet. However, we are having trouble working out a way for email to work between the 3 domains on the inside of the firewall.

Has anyone come across a similar problem?
Does anyone know a way to achieve being able to email public domains on the internet and internally too?


Thanks,
-Craig
chouckham Asked:
simonpainter Commented:
That's not too hard. The NAT on the ASA will not allow the internal servers to route to each other via the public IP addresses. What you have to do is set up SMTP connectors using the different domains in the address space tab and then specify the correct internal IP or resolvable FQDN in the smarthost box.
Hope this helps, let me know if you need more info.
chouckham (Author) Commented:
Hi Simon,

If you could explain a little further that would be great. (points increased)
The systems are a mixture of Exchange 2003 and 2007.

Thanks,
-Craig
simonpainter Commented:
OK, right now I am assuming that all your mail is using MX delivery.

Server foo1
domain foo.com
int eth 192.168.0.1
ext eth 66.66.66.1

Server bar1
domain bar.com
int eth 192.168.0.2
ext eth 66.66.66.2

Server flake1
domain flake.com
int eth 192.168.0.3
ext eth 66.66.66.3

If any of the servers has mail to send to the other, they currently look up the MX record for the domain and that comes back as the externally NATted address on the ASA. Due to some complexity in how NAT works, the internal devices can't route to the external addresses and the whole thing fails.
What you have to do is create two SMTP connectors on each box with the address space of the domain that they are sending to and the internal address of the server. You are also wise to set up a third one that provides the routing to the internet if you have not already done so.


On server foo1
SMTP connector 1
Address space bar.com
Smarthost 192.168.0.2
Cost 1
SMTP connector 2
Address space flake.com
Smarthost 192.168.0.3
Cost 1
SMTP connector 3
Address space *
MX delivery
Cost 2

On server bar1
SMTP connector 1
Address space foo.com
Smarthost 192.168.0.1
Cost 1
SMTP connector 2
Address space flake.com
Smarthost 192.168.0.3
Cost 1
SMTP connector 3
Address space *
MX delivery
Cost 2

On server flake1
SMTP connector 1
Address space foo.com
Smarthost 192.168.0.1
Cost 1
SMTP connector 2
Address space bar.com
Smarthost 192.168.0.1
Cost 1
SMTP connector 3
Address space *
MX delivery
Cost 2

As for the specifics of how to set up the smtp connectors take a look at http://technet.microsoft.com/en-us/library/aa996625(EXCHG.65).aspx 
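The connector plan above is easier to reason about as a small routing model. The following Python is an added example, not part of the original answer or of Exchange itself: it builds the per-server connector list from the server table (one address space per peer domain pointing at that peer's listed internal address at cost 1, plus a `*` catch-all at cost 2 using MX delivery) and resolves where a message for a given recipient domain would be handed off, following Exchange's rule that the most specific address-space match wins before cost is considered. The server names, domains and addresses are the constructed values from the answer; `MX_RESULT` is an assumed stand-in for what an internal DNS lookup returns (the NATted public address), and the "before" case shows why that path fails.

```python
"""Model of the send-connector plan from the answer above (constructed example).

Given each Exchange server's domain and internal IP, build the per-server
connector list (one address space per peer domain pointing at that peer's
internal IP at cost 1, plus a '*' catch-all at cost 2 that uses MX delivery)
and resolve where a message for a given recipient domain is handed off.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data using the example values from the answer.
SERVERS = {
    "foo1":   {"domain": "foo.com",   "internal": "192.168.0.1", "public": "66.66.66.1"},
    "bar1":   {"domain": "bar.com",   "internal": "192.168.0.2", "public": "66.66.66.2"},
    "flake1": {"domain": "flake.com", "internal": "192.168.0.3", "public": "66.66.66.3"},
}

# Assumed: what an MX lookup for a peer domain returns from inside the firewall,
# the NATted public address on the ASA, which the internal hosts cannot reach.
MX_RESULT = {s["domain"]: s["public"] for s in SERVERS.values()}


@dataclass(frozen=True)
class Connector:
    name: str
    address_space: str        # a domain such as "bar.com", or "*" for everything
    cost: int
    smarthost: Optional[str]  # None means MX (DNS) delivery


def build_connectors(server: str) -> List[Connector]:
    """Connectors one server needs: one per peer domain, then the internet catch-all."""
    connectors: List[Connector] = []
    for peer, info in SERVERS.items():
        if peer == server:
            continue
        connectors.append(Connector(f"SMTP connector {len(connectors) + 1}",
                                    info["domain"], 1, info["internal"]))
    connectors.append(Connector(f"SMTP connector {len(connectors) + 1}", "*", 2, None))
    return connectors


def select_connector(connectors: List[Connector], recipient_domain: str) -> Optional[Connector]:
    """Exchange routing: the most specific address-space match wins, then the lowest cost.

    An exact domain match is more specific than '*', so the peer connectors are
    chosen for peer domains even before cost is compared; the catch-all still
    handles every other domain.
    """
    candidates = [c for c in connectors
                  if c.address_space == "*" or c.address_space == recipient_domain.lower()]
    if not candidates:
        return None
    # False sorts before True, so exact matches come first; ties break on cost.
    return min(candidates, key=lambda c: (c.address_space == "*", c.cost))


def next_hop(connectors: List[Connector], recipient_domain: str) -> Optional[str]:
    """Where the chosen connector hands the message: the smarthost IP, or the MX result."""
    conn = select_connector(connectors, recipient_domain)
    if conn is None:
        return None
    if conn.smarthost is not None:
        return conn.smarthost
    return MX_RESULT.get(recipient_domain.lower(), "internet-mx")


def internal_mail_avoids_nat() -> bool:
    """True when every server hands mail for every peer domain to that peer's internal IP."""
    for server in SERVERS:
        connectors = build_connectors(server)
        for peer, info in SERVERS.items():
            if peer != server and next_hop(connectors, info["domain"]) != info["internal"]:
                return False
    return True


if __name__ == "__main__":
    # Before: only a catch-all connector, so bar.com resolves to the unreachable NAT address.
    mx_only = [Connector("SMTP connector 1", "*", 1, None)]
    print("MX only, foo1 -> bar.com:", next_hop(mx_only, "bar.com"))   # 66.66.66.2
    # After: the per-server plan from the answer.
    for server in SERVERS:
        for c in build_connectors(server):
            print(f"{server}: {c.name} address space {c.address_space} "
                  f"cost {c.cost} -> {c.smarthost or 'MX delivery'}")
    print("internal mail avoids NAT:", internal_mail_avoids_nat())      # True
```

Running the script prints the generated plan for all three servers and confirms that no peer domain is routed to a public address; `internal_mail_avoids_nat()` is the check worth re-running after any connector change, since a single typo in a smarthost address silently sends that domain's mail back through the NAT path.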

chouckham (Author) Commented:
Great - I have followed all that.

Should any services be restarted before the new routes are used?
simonpainter Commented:
It's always worth restarting the smtp service when you make any changes to SMTP related things. Message tracking will help you work out if they are using the new connectors yet.
chouckham (Author) Commented:
It's working on the Exchange Server - thanks!

However, I've just noticed that the application server isn't using the Exchange server for outbound mail - it's sending it through a virtual SMTP service within IIS.

Do you know how to configure this in the same way?

(points increase to 500)
simonpainter Commented:
The IIS smtp server cannot be configured in this way. What you will have to do is either configure the application server to send mail (relay) via one of the exchange servers or configure the IIS SMTP server to relay the mail to one of the exchange servers which will then distribute it accordingly.
Whichever is the receiving exchange server (either getting the mail from the IIS SMTP server or direct from the application) will have to allow relaying from the specific source. This can be done by authorising a single IP address or by using domain credentials depending on your requirements (IP is easier because you only need make the change on the receiving end and don't have to worry about accounts expiring).
Microsoft have an article here http://www.microsoft.com/technet/security/prodtech/exchangeserver/excrelay.mspx on allowing relaying from a specific IP.
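The relay rule described in this answer (accept mail for your own domains from anyone, relay for other domains only from an authorised source IP, refuse everything else) is what separates a legitimate smarthost from an open relay. The following Python is an added example written for this page, not the answer's own or Exchange's code: it models that decision for individual RCPT TO attempts and audits a constructed list of attempts for refused relay tries, which are the log events worth alerting on. `ACCEPTED_DOMAINS`, `RELAY_SOURCES` and the sample addresses are constructed values; the allow-list is held as networks so a single host (/32) or a range can be listed, which goes slightly beyond the single-IP case in the answer.

```python
"""Relay decision model for the receiving Exchange server (constructed example).

Mirrors the two rules the answer implies: mail addressed to this server's own
domains is accepted from anyone, but recipients in other domains (relaying)
are accepted only from the allow-listed source, here the IIS SMTP or
application host. Anything else is refused, which is the check that keeps
the server from acting as an open relay.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed values: the domains this server is authoritative for, and the
# hosts that may relay through it (networks, so a /32 or a subnet both work).
ACCEPTED_DOMAINS = {"foo.com"}
RELAY_SOURCES = [ipaddress.ip_network("192.168.0.50/32")]


def recipient_domain(rcpt: str) -> str:
    """Domain part of an RCPT TO address, lower-cased; '' if the address is malformed."""
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def may_relay(source_ip: str) -> bool:
    """True when the connecting host falls inside one of the allow-listed ranges."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in net for net in RELAY_SOURCES)


def relay_decision(source_ip: str, rcpt: str) -> str:
    """Decide one RCPT TO: 'accept' (own domain), 'relay' (allow-listed source), or 'reject'."""
    domain = recipient_domain(rcpt)
    if not domain:
        return "reject"
    if domain in ACCEPTED_DOMAINS:
        return "accept"
    if may_relay(source_ip):
        return "relay"
    return "reject"


def audit_relay_attempts(attempts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (source, recipient) pairs that tried to relay to a foreign domain and were refused.

    These are the entries to watch for in the SMTP protocol logs: a burst of
    them from one outside address is the usual sign of an open-relay probe.
    """
    refused = []
    for src, rcpt in attempts:
        domain = recipient_domain(rcpt)
        if domain and domain not in ACCEPTED_DOMAINS and relay_decision(src, rcpt) == "reject":
            refused.append((src, rcpt))
    return refused


# Constructed sample of RCPT TO attempts as (source IP, recipient).
SAMPLE_ATTEMPTS = [
    ("192.168.0.50", "alice@bar.com"),     # app server relaying to a peer domain: allowed
    ("192.168.0.50", "bob@example.org"),   # app server relaying to the internet: allowed
    ("10.9.9.9", "carol@foo.com"),         # inbound mail for our own domain: accepted
    ("10.9.9.9", "dave@example.org"),      # unknown internal host trying to relay: refused
    ("203.0.113.7", "<erin@bar.com>"),     # outside host trying to relay: refused
    ("203.0.113.7", "not-an-address"),     # malformed recipient: refused, not a relay try
]

if __name__ == "__main__":
    for src, rcpt in SAMPLE_ATTEMPTS:
        print(f"{src:14} {rcpt:22} -> {relay_decision(src, rcpt)}")
    print("refused relay attempts:", audit_relay_attempts(SAMPLE_ATTEMPTS))
```

The same decision table is what to verify on the real server after changing relay settings: a test connection from a host outside the allow-list should be able to deliver to the server's own domains but get a relay refusal for any other domain, and only the listed application host should see the relay succeed.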

chouckham (Author) Commented:
Excellent help! - much appreciated