Configuring Barracuda and Exchange with TLS
Posted on 2010-08-26
We are running into a frustrating issue and are looking for some help. Up until recently, we were running a Back-End Exchange 2003 server along with a Front-End Exchange 2003 server (without OWA). Both were running MS Server 2003 Enterprise. We have since implemented a Barracuda Spam and Firewall 300 device that has replaced our FE Exchange server. We completely removed Exchange from the FE and all traces of that server have been removed from AD as well. We then turned around and gave the Barracuda the same host name and IP as the (now removed) FE server. So everything is in place and mail seems to traverse perfectly fine.
Now for the dilemma:
We are required to enable TLS for secure communications between the BE and the Barracuda. We have TLS enabled on the Barracuda and a valid certificate. We also have TLS enabled on the Exchange BE Virtual Server and the Connector (in order to use TLS for both incoming and outgoing mail) along with a certificate loaded and the Require Secure Channel and Use 128-bit Encryption settings turned on with the cert. As soon as all those goodies are turned on, mail no longer flows. The Connector in the queue fails trying to send mail to the Barracuda stating that "an SSL error occurred" and incoming mail is "deferring" in the Barracuda log stating that the connection has been dropped with the BE.
So in experimenting with this, we have found that if we remove the BE Exchange certificate (by either uninstalling it or by turning off the Require Secure Channel and Use 128-bit Encryption settings) mail will flow in from the Barracuda. And if we remove the TLS setting from the Connector, mail will flow out. So if we remove both... mail flows both ways again, without having to change any settings on the Barracuda.
When the BE was originally set up with the FE Exchange server (before the Barracuda came into the picture) everything was working well with TLS. Now it seems the BE and Barracuda don't want to play nice with TLS involved.
So the questions are:
1) Has anyone been through this type of configuration with TLS and how did you get it to work?
2) Does the certificate indeed need to be on the BE Exchange with TLS enabled, or is Barracuda able to handle all the encryption? (that would instantly solve this problem, wouldn't it?)
3) Should a new certificate be created for the BE in order for it to talk with Barracuda over TLS (as opposed to the BE and FE certificate that was working previously)?
This is a new device to everyone on the team that I work with, so this is all new to us. We have been working with Barracuda Tech Support and currently have them stumped. So any advice or ideas are greatly appreciated.
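A diagnostic for the failure described above, added here and not part of the original post or of either vendor's tooling: it probes one SMTP hop for STARTTLS, surfaces the real TLS error text instead of the bare "SSL error", and checks the negotiated cipher against the 128-bit requirement. The host names are placeholders; run it from a third machine against the Barracuda and the Exchange BE in turn.

```python
import smtplib
import ssl

MIN_KEY_BITS = 128  # mirrors the "Use 128-bit Encryption" setting on the BE


def cipher_meets_requirement(cipher, min_bits=MIN_KEY_BITS):
    """cipher is the (name, protocol, bits) tuple from SSLSocket.cipher()."""
    return cipher is not None and cipher[2] is not None and cipher[2] >= min_bits


def summarize_cert(cert):
    """Collect the subject CN and DNS SANs from SSLSocket.getpeercert()."""
    names = set()
    for rdn in cert.get("subject", ()):
        names.update(v for k, v in rdn if k == "commonName")
    names.update(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return sorted(names)


def probe_starttls(host, port=25, timeout=10):
    """EHLO, then STARTTLS; report what the far side offers and negotiates."""
    result = {"host": host, "starttls_offered": False, "tls_ok": False}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # an internal cert may not carry the host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as server:
            server.ehlo()
            if not server.has_extn("starttls"):
                return result
            result["starttls_offered"] = True
            server.starttls(context=ctx)
            server.ehlo()  # RFC 3207: re-issue EHLO once TLS is up
            tls_sock = server.sock
            result["tls_ok"] = True
            result["cipher"] = tls_sock.cipher()
            result["strong_enough"] = cipher_meets_requirement(tls_sock.cipher())
            result["cert_names"] = summarize_cert(tls_sock.getpeercert())
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        # The detail behind a bare "SSL error": bad chain, name, protocol, etc.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder host names; substitute the Barracuda and the Exchange BE.
    for hop in ("barracuda.example.test", "exchange-be.example.test"):
        print(probe_starttls(hop))
```

A verification failure in `error` (untrusted issuer, expired cert) is itself the finding: it tells you which side's certificate the other hop refuses.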