Solved

WAN failover and A, MX records

Posted on 2009-07-01
1,544 Views
Last Modified: 2013-11-16
I am looking for the proper way to set up my new Sonicwall 2400 with dual WAN connections to work with Exchange 2003 server.  I have my DNS set up like the example below.  I think I am doing something wrong here.  When I nslookup mail.mydomain.com I get both IPs listed below.  How do I properly route incoming mail through my primary ISP and then have the secondary ISP only route mail when failover kicks in?  My question is very similar to (http://www.experts-exchange.com/Networking/Misc/Q_21595855.html).  But that didn't really give me the answer I was looking for.  What am I missing here?  Thanks in advance!

A records
mail.mydomain.com        7200         20.20.20.20 (primary ISP static)
mail.mydomain.com       7200        30.30.30.30 (failover ISP static)

MX records
mail.mydomain.com.(10)        7200
0
Question by:cbsykes
10 Comments
 
LVL 7

Expert Comment

by:rcflyr
ID: 24758321
You need to have separate A records for each server and put them in priority.

A records
mail.mydomain.com        7200         20.20.20.20 (primary ISP static)
mail2.mydomain.com       7200        30.30.30.30 (failover ISP static)

MX records
mail.mydomain.com.(10)        7200
mail2.mydomain.com.(20)        7200
0
 

Author Comment

by:cbsykes
ID: 24758344
ok...that makes sense...but how do you configure Exchange to accept that?  My current SSL certificate for Exchange is only for mail.sykes-cpa.com.  Also, how would this be setup on the firewall?  THANKS!
0
 

Author Comment

by:cbsykes
ID: 24758393
you mentioned "each server"...I only have one Exchange server if I understood you correctly...
0
 
LVL 7

Expert Comment

by:rcflyr
ID: 24758434
Are you hosting your own DNS?  You could set a short TTL and do DNS failover so mail.mydomain.com is always the mx server, but mail.mydomain.com switches to the secondary IP in case the primary is unreachable.  There are companies out there that offer services like this: http://www.dnsmadeeasy.com/pages/dns.html
0
 

Author Comment

by:cbsykes
ID: 24758483
No, Network Solutions... Is there any other way to set this up without going through a provider like that?
0
 
LVL 7

Expert Comment

by:rcflyr
ID: 24758870
You can NAT both external addresses to the same internal address.
0
 
LVL 16

Accepted Solution

by:
ccomley earned 500 total points
ID: 24762016
Consider your inbound mail and outbound mail separately.

Inbound is actually easy.

Create a second NAT mapping for your Exchange server within the public IP range of the second ISP.
Create a DNS entry for each public IP address which can now see your ES.
Choose the MX number to prioritise. If both WANs are active all the time, you could give both names the same MX number; it'll "round robin". Else make the preferred WAN the lower number.
Make the relay host you fall back to if you're totally offline the highest.

So

mail1.mydomain.com  IN A  isp1.123.123.2
mail2.mydomain.com  IN A  isp2.123.234.3

IN MX 10 mail1
IN MX 20 mail2
IN MX 30 relayhost.myisp.com


Now the outside world thinks you have two servers. Actually, both IP addresses reach your SonicWall and end up on the SAME server, but *it* doesn't care which route an inbound mail has taken. So long as an inbound SMTP session reaches EITHER of those IP addresses, your mail flows in.

If you are using failover and not load-balance, i.e. if WAN2 is not active until WAN1 fails... no difference! It doesn't matter to have MX records pointing at unavailable servers; the system is *designed* to cope. Mail will all go to mail1 whilst WAN1 is up. Mail sent to mail2 will fail over to relay and then be sent to mail1. (But only spammers will send mail to mail2 when mail1 is up anyway!) WHEN the first WAN fails, then WAN2 is activated by the Sonic and now mail to mail1 fails, and falls back to mail2, which is now accepting inbound mail.



As far as outbound mail is concerned, remember it can be sent from mail1 or mail2. You have to make sure either will work. SPF records should show both mail1 and mail2 as valid sources of your mail. If you do direct-send, that's all. If you send via a smarthost, you need to make sure the smarthost will accept mail from mail1 or mail2, which may require your ISP to add the IPs to their relay-allowed list, or you might need to obtain a user account from them to use SMTP-Auth.


External access.

This can't be automated. If a user in the field uses OWA to read his mail, he will browse to mail1.mydomain.com/exchange. But if WAN1 is down, the user will have to know he should try mail2.mydomain.com as an alternative.  Similarly, external users who use POP or IMAP will have to know to try both, likewise SharePoint or, indeed, ANY service based on the same box which is visible from outside the LAN.

0
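The MX walk that both rcflyr's comment and the accepted answer rely on, as an added example that is not part of the original thread: a sending MTA sorts MX records by preference, resolves each exchange (following CNAMEs), and moves to the next one when the current address does not answer. The zone below is constructed to mirror the accepted answer's layout (mail1 on WAN1, mail2 on WAN2, an ISP relay host as last resort, one SPF record covering both public IPs); every name and address is hypothetical, with IPs taken from the RFC 5737 documentation ranges, and the relay host's address is an assumption for the simulation only.

```python
"""Walk MX records the way a sending MTA does, and check the matching SPF record.

Added example, not from the original thread. The zone is constructed to mirror
the accepted answer's layout; all names and IPs are hypothetical (RFC 5737
documentation addresses).
"""
from ipaddress import ip_address, ip_network

# Constructed zone data for mydomain.com (hypothetical).
ZONE = {
    "A": {
        "mail1.mydomain.com": "203.0.113.2",   # NAT to Exchange via WAN1 (ISP 1)
        "mail2.mydomain.com": "198.51.100.3",  # NAT to the same Exchange via WAN2 (ISP 2)
    },
    # SharePoint on the same box can simply alias the mail names.
    "CNAME": {"spoint1.mydomain.com": "mail1.mydomain.com"},
    # (preference, exchange): lower preference is tried first.
    "MX": [
        (10, "mail1.mydomain.com"),
        (20, "mail2.mydomain.com"),
        (30, "relayhost.myisp.com"),
    ],
    # SPF listing both public IPs, since outbound mail may leave via either WAN.
    "TXT": {"mydomain.com": "v=spf1 ip4:203.0.113.2 ip4:198.51.100.3 -all"},
}

# The ISP's relay host lives outside our zone; assumed address for the simulation.
EXTERNAL_A = {"relayhost.myisp.com": "192.0.2.25"}


def resolve_a(name, zone, external=EXTERNAL_A, max_hops=8):
    """Resolve a name to an IPv4 address, following CNAMEs (bounded chain)."""
    for _ in range(max_hops):
        if name in zone["A"]:
            return zone["A"][name]
        if name in external:
            return external[name]
        if name in zone["CNAME"]:
            name = zone["CNAME"][name]
            continue
        return None
    return None  # CNAME loop or chain too long


def mx_order(zone):
    """Exchanges in the order a sender tries them: ascending preference.

    Real MTAs try equal preferences in random order (round robin); here the
    list order is kept so the output is deterministic.
    """
    return [host for _, host in sorted(zone["MX"], key=lambda rec: rec[0])]


def deliver(zone, reachable, external=EXTERNAL_A):
    """Return the first MX host whose address is currently answering SMTP.

    `reachable` is the set of public IPs accepting connections right now. With
    failover-only dual WAN only one of 203.0.113.2 / 198.51.100.3 is live at a
    time; the sender skips the dead one and continues down the list. Returns
    None when every MX is down (a real sender queues and retries).
    """
    for host in mx_order(zone):
        addr = resolve_a(host, zone, external)
        if addr is not None and addr in reachable:
            return host
    return None


def spf_permits(zone, domain, sender_ip):
    """Minimal SPF check: ip4 mechanisms and the trailing 'all' only."""
    terms = zone["TXT"].get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return False  # no SPF record: nothing permits the sender
    ip = ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier == "+"
        if term.lower().startswith("ip4:"):
            if ip in ip_network(term[4:], strict=False):
                return qualifier == "+"
    return False  # no mechanism matched: treat as not permitted


if __name__ == "__main__":
    scenarios = {
        "WAN1 up": {"203.0.113.2"},
        "WAN1 down, WAN2 active": {"198.51.100.3"},
        "both WANs down, ISP relay up": {"192.0.2.25"},
        "everything down": set(),
    }
    for label, live in scenarios.items():
        print(f"{label:30} -> {deliver(ZONE, live)}")
    for ip in ("203.0.113.2", "198.51.100.3", "192.0.2.99"):
        print(f"SPF permits {ip}: {spf_permits(ZONE, 'mydomain.com', ip)}")
```

Running it walks the four states the answer describes: while WAN1 is up everything lands on mail1; when the SonicWall brings WAN2 up, senders that fail on mail1 fall through to mail2 without any DNS change; with both WANs down the ISP relay queues on the domain's behalf. The SPF check shows why the record has to list both public addresses, since outbound mail during failover leaves from the WAN2 IP.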
 

Author Comment

by:cbsykes
ID: 24762536
Thanks for the info!  Ok...I do have the Sonicwall set up for failover only when the primary WAN goes down.  One of the problems I have been having is setting up the A records.  What would they be in your example?  Also, I have Exchange and Sharepoint behind this firewall...each with their own public IP from the primary WAN ISP...however...my failover ISP only gives me one public IP...so I have to NAT Exchange and Sharepoint appropriately.  When I have the NATing all set up on the Sonicwall...I start getting certificate errors when browsing to OWA....even when the WAN is not failing over.  Apparently...OWA is gathering the Sharepoint 3rd party certificate when it should be gathering the Exchange cert.  All this could be a result of the way my DNS is set up.  Right now I have two A records for Exchange (like my above ex.) and I have two A records for my Sharepoint set up the same way.  But I guess that is incorrect to have the exact same host name resolving to two different IPs.  I hope this gives you more clues as to what I am experiencing.  Thanks so much for your time!

Sharepoint A records (my similar setup)
sharepoint.mydomain.com     10.10.10.10 (primary ISP)
sharepoint.mydomain.com      20.20.20.20 (failover ISP)
0
 

Author Comment

by:cbsykes
ID: 24762764
So I am assuming that Sharepoint needs to have two different A records set up similar to Exchange...just curious why I can't have the same host name (sharepoint.sykes-cpa.com) resolving to both ISPs like in my example above?  It would be nice to have our clients be able to access the Sharepoint site without having to use (sharepoint2.mydomain.com) if the primary ISP is down.  Is there a way around this so that it is seamless for our clients?  Thanks!
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24763569
If SharePoint and Exchange are the same box, then you could use the SAME DNS records. Otherwise use CNAMEs, e.g.

mail1    IN A      10.10.10.10

spoint1  IN CNAME  mail1

If SP is a different machine, it needs its own of course, but yes, essentially, it will appear on a different public IP depending which WAN port is active.


One way to achieve that might be to use DynDNS. Have the ES/SPoint machine set your DynDNS lookup every ten minutes, say, and alias your entries to your DDNS, e.g.

spoint  IN CNAME  myaccount.dyndns.org

but I'm not at all sure how often the DNS server would re-evaluate the CNAME... this is NOT a solution, it's an idea to test out!!!


0
