Email routing not working through public IP

I have installed an Exchange server in the branch, which is connected to the main office by VPN.
I created a send connector with the branch Exchange server as source to route email to the MAIN Exchange server.

Everything is working, but when the VPN goes down internal emails work within the branch but do not reach the MAIN office. I want to route emails through the public IP when the VPN goes down.

Attached a word doc. to understand the current situation.
emailflow.docx
Asked by MAS

2 Solutions

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
You can create 2 send connectors: one that will use the VPN connection to route emails to the internal IP of the main server. If the VPN is down, disable the first and enable the second send connector, which will route via the public IP.

- Rancy

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Enable or Disable a Send Connector
http://technet.microsoft.com/en-us/library/aa996564.aspx

- Rancy

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
So it's like a failover point: you have 2 send connectors at the same time, one with the internal IP and the second one with the public IP. Currently keep the public IP send connector disabled. If you have VPN issues, disable the internal send connector first, then enable the public send connector and restart the Transport service.

- Rancy
MAS (Technical Department Head, Author) commented:
Is it possible to send only by external IP?
So that we can avoid this issue.

If possible, please let me know how it can be done.

I already have a send connector with public IPs, but it does not work when the VPN is down.

When I enable the VPN it is delivered immediately without delay, i.e. it is transferring to the HUB in the main office and getting delivered.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
It is, but the email delivery would be slow, and it isn't a good option making your emails travel out and in and again out :(

For email to route from external you would need to whitelist your branch IP and the domain address @mydomain.com on the firewall and allow it to relay :)
This is a bit risky, as you don't want to allow anything else to relay via your firewall or outgoing servers using the Internet .... hope you understand what I am saying!!

It's good if you use it only while your VPN issues are there; once restored, get back to internal ..... it's good :)

- Rancy

MAS (Technical Department Head, Author) commented:
If that is the case we don't need an Exchange server in the branch, as all of them are POP users.
When the VPN is up they can connect directly to the MAIN server.

My intention is to make it work when the VPN is down.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
"If that is the case we don't need an Exchange server in the branch, as all of them are POP users" - Totally agree on this point.

"When the VPN is up they can connect directly to the MAIN server" - Yes, they should.

I can understand .... but it's a bit risky!!

- Rancy

MAS (Technical Department Head, Author) commented:
As per my first question, before installing Exchange someone else recommended using only the public IP, as the VPN is not stable.

Or can we do it like this: add all the IPs (internal and external) in the send connector to send email from the branch?

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
You can use it for POP3 ...... you can do that as well, but make sure users are aware, as some emails might be delayed ...

- Rancy

MAS (Technical Department Head, Author) commented:
Let's do that. Please guide me how to do that. Delay is not a problem.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Put the public IP in the send connector as smarthost and restart the Transport services ...... but your POP would connect to the Mailbox to send emails from the HUB in the same domain .....

- Rancy

MAS (Technical Department Head, Author) commented:
I already have mailboxes locally and have configured the send connector,
but still it is not sending to the public IP. It is stuck somewhere. When I restore the VPN connection I receive the mail in seconds. Even if I disable the send connector I will still receive the mail, i.e. it is not sending the email via the new send connector.

I allowed this IP in the receive connector as well.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Remove it from the receive connector .... look, POP3 works directly with an incoming and outgoing server ... what are those, and which server is that?

- Rancy

MAS (Technical Department Head, Author) commented:
--> Remove it from the receive connector.
I am not clear on this.

POP3 is working fine. The servers mentioned are the branch Exchange server address.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
So ideally it's using the branch server for email flow ..... so if you want to work with the MAIN HUB server you need to enable POP with that address to bypass your Exchange server.

- Rancy

MAS (Technical Department Head, Author) commented:
How can they connect to the MAIN HUB server if the VPN is down?

You mean they will connect through the external IP?

MAS (Technical Department Head, Author) commented:
Awaiting your reply.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
POP clients do use the outgoing and incoming server details, so if those are external they would simply go that way .... it's the settings on the POP client "Outlook".

- Rancy

MAS (Technical Department Head, Author) commented:
Outgoing and incoming servers are the branch server. When the VPN is down I can send email from the branch to the main office, but it will not reach the destination; it will be stuck in the queue. As soon as the VPN is up I receive the emails immediately.

BTW, it is not using the new send connector to send email.

If we can configure the branch server to use the new send connector, our problem is solved.

Jamie McKillop commented:
Hello,

Are both Exchange servers in the same AD forest? If so, you cannot control routing between the servers with Send connectors. Send connectors are intended to control mail flow outside your organization. Exchange internal routing is done based on AD sites, using direct hub server to hub server communication with internal hostnames.

Depending on the number of users you have at the branch office and your available internet bandwidth, you might be better off moving all the branch office mailboxes to the main office and have your users connect over the internet connection.

JJ

MAS (Technical Department Head, Author) commented:
I expected this answer, as I read this in an MS article, but I thought there might be a workaround for this. I asked a question before installing an Exchange server in the branch; see this.

The external IP of the branch is getting blacklisted frequently due to malware on PCs. That is the reason I thought of installing a server as a gateway and blocked all SMTP traffic to the Internet except from the new Exchange server.

If they connect directly to the main server, what is the use of an Exchange server in the branch, when they are all POP users?

Is there a workaround to make this work, as we have 2 more branches with the same issue?

Jamie McKillop commented:
The solution to your original blacklisting problem should have been to block outbound port 25 from any systems except for your Hub Transport server and also to NAT your Hub Transport server to a dedicated external IP. Once you delisted that IP from any blacklist, you would have been fine. You can still do this, but it will not solve your issue of internal email flow being disrupted when your VPN goes down. If you can't fix your VPN issues and maintain a stable site-to-site VPN, my suggestion is to move all your mailboxes to HO and have your clients connect to a public IP for POP and SMTP that is mapped to your Exchange servers at HO.

JJ

MAS (Technical Department Head, Author) commented:
Is it possible to do something if we create a new domain name for the branch users,
e.g. UK.domain.com?
I want the branch server to send email via the external IP to HO, which is only domain.com.

Jamie McKillop commented:
Not unless you create separate AD forests for your branch sites.

JJ

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
abbasiftt: Let me step back a bit .....

1. We have 2 sites, Branch and HO Office.
2. Users in the Branch use POP and the Branch server to route emails to the HO Office (internally).
3. You want to try and use the external IP of the HO Office in case the VPN is down?

- Rancy

MAS (Technical Department Head, Author) commented:
All 3 statements are true.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
How many send connectors do you have with just the branch server as bridgehead?

- Rancy

MAS (Technical Department Head, Author) commented:
I have 2 send connectors in the Exchange org,
but only one send connector has the branch server as source server (which is routing mail via smarthost to the HO Exchange servers).

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
So the entry in the smart host is the internal IP of the HO Exchange server, right?

- Rancy

MAS (Technical Department Head, Author) commented:
Yes, but even if I disable the send connector, restart the transport service and send an email, it will be delivered to the recipient mailbox, but only when the VPN is up, i.e. it is not using the branch send connector to send email to HO.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
The reason it works even without the send connector is that internal Exchange does not require send connectors ... Transport services on HUB servers can communicate among themselves and send email.

- Rancy

MAS (Technical Department Head, Author) commented:
So what is the solution for this?

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
For internal, a send connector wouldn't work ... however for external you can specify a smarthost to your firewall .... and if the connection is down the server should try that route ..... let me know if there is a possibility of testing by stopping the firewall connection between both sites somewhere over the weekend to give it a try :)

1. Have a send connector smarthost to the external IP of the HO server, but need to check if port 25 is open for external from the branch.
2. Once the VPN connection is down ... both Branch and HO HUB servers cannot communicate to send emails; that's when the send connector and smarthost would come into the picture.
3. As I said earlier, it also needs to be checked if the firewall or external IP server will accept and allow emails from the branch server to route emails.

- Rancy

MAS (Technical Department Head, Author) commented:
From the branch server I can telnet via the external IP and send a test email,
but when the VPN is down it is not routing through the new send connector.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
What happens to those emails?

- Rancy

MAS (Technical Department Head, Author) commented:
When I send an email after disconnecting the VPN, email from the branch sits in the branch server queue.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Do you have the send connector created with internal relay and set to the public IP?

- Rancy

MAS (Technical Department Head, Author) commented:
Yes,
with * and cost 2.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Is the branch open to send emails via the Internet ..... not sure though.

- Rancy

MAS (Technical Department Head, Author) commented:
Yes.

MAS (Technical Department Head, Author) commented:
Awaiting your reply.

Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
Last time after the disconnect, did you try to send the email to internal users or external?
Are you able to telnet to the public IP and drop an email, internal and external?

- Rancy

Jamie McKillop commented:
"when I send an email after disconnecting vpn email from branch sits in the branch server queue"

Are you talking about internal email or email sent to external domains? As I stated previously, the VPN MUST be functional for your internal email to route between your exchange servers. There is no way around this. Setting up send connectors and smarthosts will not resolve your problem. They are for sending to external domains only. For site-to-site routing internally, the Hub transport servers at each site must be able to contact each other by internal hostname. By definition, that would be by using the internal private IPs of the servers, thus requiring the VPN to be functional.

JJ

MAS (Technical Department Head, Author) commented:
I sent internal email.
I did not try external emails; the majority of the emails are internal emails from the branch.

Jamie McKillop commented:
OK, like I said, for internal email there is no way to route when your VPN is down. For external email, I recommend you create two send connectors for the * namespace. One send connector will use your hub transport servers in HO as source servers and the other send connector will use your hub transport servers in your branch office as source servers. Set up all your hub transport servers to use DNS and not smarthosts. With this setup, each office will send email out directly to external domains and your VPN will not impact sending externally.

JJ
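
The two-connector layout JJ describes, written out for the Exchange Management Shell as an added example (not code from the thread). The server names HOHUB01 and BRANCHHUB01 and the connector names are placeholders; the queue check at the end is for the "sits in the queue" symptom reported earlier and assumes the branch hub is reachable from the shell.

```powershell
# Added example, not from the thread. Placeholder server names; replace with
# the real hub transport servers of each site.
$hoHubs     = @("HOHUB01")      # assumed HO hub transport server
$branchHubs = @("BRANCHHUB01")  # assumed branch hub transport server

# One Internet connector per site. Both cover the * address space and both use
# DNS (MX lookup) instead of a smarthost, so each site delivers external mail
# on its own and the VPN plays no part in outbound Internet mail.
New-SendConnector -Name "Internet - HO" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -DNSRoutingEnabled $true `
    -SourceTransportServers $hoHubs

New-SendConnector -Name "Internet - Branch" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -DNSRoutingEnabled $true `
    -SourceTransportServers $branchHubs

# Verify: both connectors enabled, DNS routing on, SmartHosts empty, and each
# one bound only to its own site's hub servers.
Get-SendConnector |
    Where-Object { $_.AddressSpaces -match '\*' } |
    Format-Table Name, Enabled, DNSRoutingEnabled, SmartHosts, SourceTransportServers -AutoSize

# Internal mail still needs the VPN (site-to-site routing uses the private
# hostnames). When the tunnel is down, look at what is actually queued on the
# branch hub instead of guessing which connector is in use: the NextHopDomain
# and LastError columns show whether the stuck mail is headed for the HO site
# (expected while the VPN is down) or for an external domain (should not be).
Get-Queue -Server $branchHubs[0] |
    Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError -AutoSize
```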

MAS (Technical Department Head, Author) commented:
Is it possible to route all the emails through the global IP as if there is no VPN?

Even if there is traffic, no problem.

Jamie McKillop commented:
I suppose you could change the DNS records for the hub transport servers to point to your public IPs. So, when the VPN goes down, in Site A you modify the DNS records for the hub transport servers in Site B to point to the public IP of Site B. In Site B you modify the DNS records for the hub transport servers in Site A to point to the public IP of Site A. You would have to make sure you change everything back as soon as the VPN is restored. You are also going to have to make sure you add your public subnets to AD Sites and Services and associate them with the corresponding site.

JJ

MAS (Technical Department Head, Author) commented:
Thanks to all.