PACSAdmin
Exchange 2010 unable to receive external emails when firewall points to it
Have recently installed Exchange 2010 into an existing 2003 Organisation. Currently everything is coexisting fine and we are able to send and receive emails. Users with legacy Exchange mailboxes can access OWA using https://oldexchangeserver/exchange internally and https://mail.ourdomainname.com/exchange.
I have moved some test mailboxes to the 2010 server and can access them using webapp at https://newexchangeserver/owa internally.
(Please note I have not set up a legacy namespace, as I plan to move all mailboxes soon since there are not many.)
Our firewall does basic NAT translation to the old Exchange server. If I change the NAT rule to the new Exchange server I can no longer receive emails externally and I cannot connect to https://mail.ourdomainname/owa.
I can't see it as the NAT rule itself, as all I am doing is changing the server it is pointed to, and I have confirmed this is OK.
I have set up the receive connector to accept anonymous users. Here is the output of the command Get-ReceiveConnector | fl:
RunspaceId : 1e98eadc-b558-42c9-ae54-0e0aca28b504
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {:::25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : EXCHANGE2010.ourdomain.local
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 30
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
LiveCredentialEnabled : False
Server : BENEXCH
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default EXCHANGE2010
DistinguishedName : CN=Default EXCHANGE2010,CN=SMTP Receive Connectors,CN=Protocols,CN=EXCHANGE2010,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Our Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : EXCHANGE2010\Default EXCHANGE2010
Guid : 413ac4f1-dafa-44e9-b1f4-050425e8d1b9
ObjectCategory : domain.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 7/09/2010 9:45:38 AM
WhenCreated : 4/09/2010 11:55:29 AM
WhenChangedUTC : 6/09/2010 11:45:38 PM
WhenCreatedUTC : 4/09/2010 1:55:29 AM
OrganizationId :
OriginatingServer : OURDC.benrad.local
IsValid : True
Update your receive connector to allow anonymous connections on the Permission Groups tab for the "Default SERVER" receive connector.
Sorry, re-reading :)
ASKER
I knew that would be the first comment, so I specifically wrote:
"I have set up the receive connector to accept anonymous"
ASKER
That's OK, I hid it at the bottom.
That's what happens when you have a kid talking to you while on the phone and reading a post :)
ASKER CERTIFIED SOLUTION
ASKER
I have no other receive connectors other than Client.
Can telnet to it internally but not externally.
SOLUTION
ASKER
Not quite sure what you are getting at?
I am changing the NAT rules that are set up to route 25 and 443 to the new Exchange 2010 server. I want 25 and 443 to go directly to the new Exchange receive connector to test OWA and email connectivity to the new server before I move all the mailboxes over and decommission the old Exchange server.
I was assuming that once 25 and 443 were directed to the new server I would be able to access https://mail.ourdomain.com/owa and receive emails through this connector and have them route to the 2010 mailboxes. Is this assumption wrong, or does mail flow still need to go through the old server?
No, that is correct.
Enable logging and see if the connection reaches your server.
ASKER
I checked under Server Configuration -> Hub Transport -> Log Settings tab that logging was enabled.
Also clicked on Manage Diagnostic Logging Properties and upped the logging level for SmtpReceive to Expert.
Changed the NAT back to the new server and attempted to send an email from outside into our mail server.
Checked under the "..\logs\ProtocolLog\SmtpReceive" directory. The location is empty, so am I guessing right in saying the SMTP receive connector is not getting hit?
ASKER
Also checked the NAT rule logging on the Cisco ASA and that seems OK too; it seems to be translating the address OK.
ASKER
Fixed it.
Installed Wireshark on the Exchange server and verified 25 and 443 were hitting it, so it had to be a routing issue. Turned out to be a simple misconfiguration of the gateway.
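The thread's diagnosis runs in three steps: confirm the connector will take anonymous mail, enable protocol logging and look for an inbound session, then confirm with telnet and a packet capture whether the SYN reaches the server at all. The script below is an added example that strings those checks together from the Exchange Management Shell; it is not code from the thread or from Microsoft. The connector identity "EXCHANGE2010\Default EXCHANGE2010", the server name EXCHANGE2010 and the public name mail.ourdomainname.com are taken from the thread; the probe list, the 5-second timeout and the Test-Port function are assumptions. Two points the thread touches only in passing: the connector output posted above shows ProtocolLoggingLevel : None, and the SmtpReceive log files the asker looked for are only written when that per-connector level is raised, so the script sets it to Verbose; and the AnonymousUsers permission group is just a label for ACEs on the connector object, so the script reads the ACEs and warns if ANONYMOUS LOGON also holds ms-Exch-SMTP-Accept-Any-Recipient, which would make the server an open relay.

```powershell
# Added example (not from the thread). Names taken from the thread: the
# connector "EXCHANGE2010\Default EXCHANGE2010", server EXCHANGE2010 and
# the public name mail.ourdomainname.com. Timeout, probe list and the
# Test-Port function are assumptions. Run in the Exchange Management Shell.
param(
    [string]$Connector    = "EXCHANGE2010\Default EXCHANGE2010",
    [string]$Server       = "EXCHANGE2010",
    [string]$ExternalName = "mail.ourdomainname.com",
    [int]$TimeoutMs       = 5000
)

# --- 1. Is the connector actually willing to take anonymous mail? ------------
$rc = Get-ReceiveConnector -Identity $Connector
if ("$($rc.PermissionGroups)" -notmatch "AnonymousUsers") {
    Write-Warning "AnonymousUsers missing from PermissionGroups: $($rc.PermissionGroups)"
}
# The permission group only labels ACEs on the connector object, so read the
# ACEs themselves. Anonymous senders need ms-Exch-SMTP-Submit; if they also
# hold ms-Exch-SMTP-Accept-Any-Recipient the server relays for anyone.
$anonRights = Get-ADPermission -Identity $Connector -User "NT AUTHORITY\ANONYMOUS LOGON" |
              Where-Object { -not $_.Deny } | ForEach-Object { "$($_.ExtendedRights)" }
if (-not ($anonRights -match "ms-Exch-SMTP-Submit")) {
    Write-Warning "ANONYMOUS LOGON has no ms-Exch-SMTP-Submit right on $Connector"
}
if ($anonRights -match "ms-Exch-SMTP-Accept-Any-Recipient") {
    Write-Warning "ANONYMOUS LOGON can relay to any recipient on $Connector (open relay)"
}
# Protocol logging is set per connector; the thread's output shows it at None.
if ($rc.ProtocolLoggingLevel -ne "Verbose") {
    Set-ReceiveConnector -Identity $Connector -ProtocolLoggingLevel Verbose
}

# --- 2. Probe a port and classify the outcome -------------------------------
# Open: the TCP handshake completed (and, on 25, the 220 banner came back).
# Timeout: SYN or SYN/ACK was dropped; if a capture on the server shows the SYN
#   arriving, the reply is not finding its way back (the gateway case here).
# Refused/Unreachable: the target answered with RST or ICMP, nothing listening.
function Test-Port([string]$Target, [int]$Port, [int]$Timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return "Timeout" }
        $client.EndConnect($ar)
        $banner = ""
        if ($Port -eq 25) {
            $stream = $client.GetStream()
            $stream.ReadTimeout = $Timeout
            $banner = (New-Object System.IO.StreamReader($stream)).ReadLine()
        }
        return ("Open " + $banner).Trim()
    } catch {
        return "Refused/Unreachable: " + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
}

foreach ($target in @($Server, $ExternalName)) {
    foreach ($port in 25, 443) {
        "{0,-26} {1,4}  {2}" -f $target, $port, (Test-Port $target $port $TimeoutMs)
    }
}

# --- 3. Did any session reach the connector? --------------------------------
# Receive protocol logs are CSV; the "+" event is a new inbound connection and
# the column before it is the remote endpoint, so this lists recent callers.
$logPath = [string](Get-TransportServer -Identity $Server).ReceiveProtocolLogPath
$latest  = Get-ChildItem -Path $logPath -Filter "*.log" -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    Get-Content $latest.FullName | Where-Object { $_ -match ',\+,' } | Select-Object -Last 10
} else {
    Write-Warning "No SmtpReceive log under $logPath yet: no session has reached the connector"
}

# --- 4. The return path: which gateway will carry the server's replies? -----
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object Description, IPAddress, DefaultIPGateway
```

Run it on the Exchange server for the inside view, then repeat the port probe (or a plain telnet) from a host outside the firewall, because a probe from the LAN against the public name goes through the ASA's hairpin path rather than the real inbound one. The combination that matches this thread is a Timeout from outside, an empty SmtpReceive log, NAT translating correctly, and a server-side capture that still shows the SYN arriving: the packet gets in, the reply never gets out, and step 4 is where to look.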
ASKER
Even though I fixed the issue myself, I am awarding points to endital for pointing me in the right direction, which ultimately led to resolution.