Solved

Exchange CAS 2010 - does it need to be internet facing - ie public IP

Posted on 2012-03-28
Last Modified: 2012-07-01
I'm trying to figure out what I do for the A record in public DNS for autodiscover.

public DNS = company.com.au

internal = town.company.com.au

What IP do I use to match up autodiscover.company.com.au in my public DNS? I have all roles on 1 internal AD Exchange server. Searching the net tells me I put the "public facing" IP of the Exchange server - I have not got 1?

I'm trying to set up a TMG ActiveSync rule - TMG has one DMZ interface - it's failing with unauthorized 401. I've done the internal A record and SRV record for autodiscover - but not external DNS.
0
Question by:philb19
13 Comments
 
LVL 1

Author Comment

by:philb19
ID: 37777302
I get a green tick with the test of the TMG ActiveSync rule - but error 401.

Phone test gets invalid username/password.
0
 
LVL 10

Expert Comment

by:SuperTaco
ID: 37777308
Normally, you would create a NAT rule in your firewall pointing a public IP address to your CAS server, and use that public IP for your DNS entries. What kind of firewall do you have?
0
 
LVL 1

Author Comment

by:philb19
ID: 37777326
OK thanks, I have a PIX 515.

So NAT what public IP - ? The public IP =

Is it easier - or an option - to put a CAS Ex10 server in the DMZ?
0
 
LVL 10

Expert Comment

by:SuperTaco
ID: 37777354
You can put the CAS server in the DMZ, but you still have to NAT it. How many public IP addresses do you have? Have you ever assigned one to OWA? If so, use that one. Do you have PDM or are you relying on CLI to manage your firewall?
0
 
LVL 8

Expert Comment

by:thomasdavis
ID: 37777366
Records for Exchange:
Your ISP should give you a public IP that ties to the internal IP. Once this is done, the company that hosts the public domain needs to create A records for autodiscover.domain.com and exchange.domain.com, and PTR records (the ISP will need to create reverse DNS records for the public-facing IP). Then in the firewall you need to use a NAT rule that ties to the public IP, as "SuperTaco" suggested, that allows internal workstations to talk to the public IP/domain (exchange.domain.com).

Also you can run a test on exchange using http://testexchangeconnectivity.com/ 
Use http://mxtoolbox.com/ to check exchange.domain.com for PTR and Reverse DNS  for exchange.
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 37777385
Supertaco, having a CAS in the DMZ is not supported and it is not how it works in 2010.

Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully).

If not, forward it to your CAS server internally.
0
 
LVL 1

Author Comment

by:philb19
ID: 37777397
Thanks, I use both PDM and CLI.

My big issue really - and I'm lost and tearing my hair out - is ActiveSync and the TMG rule.
This was easy with ISA2006 and Ex07.

Now with Ex10 - it's one Ex10 server - all roles, TMG in DMZ - I created the rule - I get a green tick but error 401 unauthorised, and that error I get when I use the MS connectivity tool - it passes everything - but 401 on the end. I'm not even sure if autodiscover has anything to do with it - when I use the connectivity tool I don't choose autodiscover and it still fails when I manually put in the username and password. If you can help me to get this working I'd really appreciate it - it's not SAN cert related, as those tests all pass.

As I say, with Ex07 I never had the CAS role in the DMZ - so why should I do that with Ex10? Thanks.
0
 
LVL 1

Author Comment

by:philb19
ID: 37777494
"Phil, you should point the autodiscover public A record to the firewall IP (PIX in your case) and then get PIX to forward port 443 traffic on that IP to the TMG server in DMZ (if you configure tmg fully)."

THANKS - is this why the ActiveSync rule is failing? Because of autodiscover? I'm not sure how the 2 relate, TMG and autodiscover. Does ActiveSync fail without autodiscover in public DNS? This wasn't needed with Ex07?

When you say firewall IP - I have 12 public IPs in the DMZ (TMG server is 1 of these) - do you mean a particular 1? The outside interface of the PIX? I have other services that use 443, Citrix and webmail on Ex07 - I'm afraid of breaking them (they don't use TMG), so I don't want to be forwarding all 443 to TMG - or am I misunderstanding? Thanks for the help.
0
 
LVL 10

Expert Comment

by:SuperTaco
ID: 37777501
As previously mentioned (not by me) you shouldn't. I didn't realize Ex2010 was supported in the DMZ, I mostly deal with SBS. Did you migrate the server before you had the PIX in? If so, you may have to make some adjustments in Exchange.
0
 
LVL 1

Author Comment

by:philb19
ID: 37777530
The PIX has been in for years - I just installed Ex10 on the internal LAN.

TMG rules for ActiveSync and webmail to Ex10 are not working - error 401.

ISA2006 to asynch and webmail to Ex07 mailboxes is fine.

I have both Ex07 with ISA2006 and Ex10 with TMG 2010 - the latter is not working.
0
 
LVL 9

Expert Comment

by:xcomiii
ID: 37804764
First of all, you have 2 options.

Either NAT a public IP to the private IP of your Ex2010 server and just open ports 25, 80 and 443 (that is the easiest solution).

Or the second option: publish all Exchange services through the TMG.

If you choose the second option, the Exchange server is not NAT'ed, it just has an internal IP. What you basically do is NAT (publish) all the Exchange services on the TMG (which has 2 NICs, 1 in the DMZ and 1 on the internal network).

A simple walkthrough of TMG and Exchange is here: http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
0
 
LVL 1

Accepted Solution

by:philb19
ID: 37804802
I've sorted this out - using the TMG rule - I didn't have the CAS internet-facing URL specified correctly on the Exchange server.
0
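
The accepted fix above concerns the internet-facing (external) URL configured on the CAS. The following is an added example, not part of the original thread and not the poster's own commands: an Exchange Management Shell audit that lists each CAS virtual directory's ExternalUrl and flags any that are unset, not HTTPS, or on a different host name than the one published through TMG. The host name `mail.company.com.au` and the `SERVER` identity are assumed placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# $PublicHost is an assumed placeholder; substitute the name published through TMG.
$PublicHost = 'mail.company.com.au'

# Every CAS web service keeps its own InternalUrl/ExternalUrl pair.
$vdirs  = @(Get-ActiveSyncVirtualDirectory)
$vdirs += @(Get-OwaVirtualDirectory)
$vdirs += @(Get-EcpVirtualDirectory)
$vdirs += @(Get-WebServicesVirtualDirectory)
$vdirs += @(Get-OabVirtualDirectory)

$report = foreach ($v in $vdirs) {
    # Stringify first so an unset URL becomes '' instead of $null.
    $ext = "$($v.ExternalUrl)"
    if (-not $ext) {
        $status = 'ExternalUrl not set'
    } else {
        $u = [uri]$ext
        if ($u.Scheme -ne 'https')       { $status = 'not HTTPS' }
        elseif ($u.Host -ne $PublicHost) { $status = "host is $($u.Host)" }
        else                             { $status = 'OK' }
    }
    New-Object PSObject -Property @{
        Identity    = "$($v.Identity)"
        InternalUrl = "$($v.InternalUrl)"
        ExternalUrl = $ext
        Status      = $status
    }
}
$report | Format-List Identity, InternalUrl, ExternalUrl, Status

# Correcting one directory (identity shown is a placeholder; copy it from the report):
# Set-ActiveSyncVirtualDirectory -Identity 'SERVER\Microsoft-Server-ActiveSync (Default Web Site)' `
#     -ExternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"
```

The script only reads configuration until the commented `Set-ActiveSyncVirtualDirectory` line is uncommented and run.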
 
LVL 1

Author Closing Comment

by:philb19
ID: 38142557
fixed myself
0


Question has a verified solution.
