Email routing not working through public IP

I have installed an Exchange server in a branch which is connected to the main office by VPN.
I created a send connector with the branch Exchange server as source to route email to the MAIN Exchange server.

Everything is working, but when the VPN goes down internal emails are working within the branch but are not coming to the MAIN office. I want to route emails through the public IP when the VPN goes down.

Attached is a Word doc to explain the current situation: emailflow.docx
MAS (MVE), Technical Department Head, asked:
Jamie McKillop, IT Manager, commented:
I suppose you could change the DNS records for the hub transport servers to point to your public IPs. So, when the VPN goes down, in Site A you modify the DNS records for the hub transport servers in Site B to point to the public IP of Site B. In Site B you modify the DNS records for the hub transport servers in Site A to point to the public IP of Site A. You would have to make sure you change everything back as soon as the VPN is restored. You are also going to have to make sure you add your public subnets to AD Sites and Services and associate them with the corresponding site.

JJ
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
You can create 2 send connectors: one that will use the VPN connection to route emails to the internal IP of the main server; if the VPN is down, disable the first and enable the second send connector, which will route via the public IP.

- Rancy
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Enable or Disable a Send Connector:
http://technet.microsoft.com/en-us/library/aa996564.aspx

- Rancy
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
So it's like a failover point: you have 2 send connectors at the same time, one with the internal IP and a second one with the public IP. Currently keep the public IP send connector disabled. If you have VPN issues, disable the internal send connector first, then enable the public send connector and restart the Transport service.

- Rancy
0
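The manual failover described in the comment above, written out as an added Exchange Management Shell example (this is not code from the thread). The connector names `Branch-to-HO-VPN` and `Branch-to-HO-Public`, the branch hub name `BR-HUB01`, and the assumption of an Exchange 2007/2010 Hub Transport role are all mine. The function disables the connector being left before enabling the other, so there is never a window with both enabled, restarts transport so the new routing table is loaded, and then resubmits queues that are sitting in Retry, because messages already queued to the old next hop are not re-routed on their own.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007/2010
# Hub Transport, two pre-existing Send connectors and a branch hub server;
# all three names below are assumptions. Run in the Exchange Management Shell.
$VpnConnector    = 'Branch-to-HO-VPN'     # smart host = HO hub private IP, over the VPN
$PublicConnector = 'Branch-to-HO-Public'  # smart host = HO public IP, over the Internet
$BranchHub       = 'BR-HUB01'

function Switch-BranchRoute {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Vpn', 'Public')]
        [string]$Mode
    )

    if ($Mode -eq 'Public') { $off = $VpnConnector;    $on = $PublicConnector }
    else                    { $off = $PublicConnector; $on = $VpnConnector }

    # Disable the connector we are leaving first, then enable the other, so
    # both are never enabled at once with identical address space and cost.
    Set-SendConnector -Identity $off -Enabled $false
    Set-SendConnector -Identity $on  -Enabled $true

    # Transport picks up the changed routing configuration on restart.
    Restart-Service MSExchangeTransport

    # Messages already queued to the previous next hop keep that next hop;
    # -Resubmit $true hands them back to the categorizer to be re-routed.
    Get-Queue -Server $BranchHub | Where-Object { $_.Status -eq 'Retry' } |
        ForEach-Object { Retry-Queue -Identity $_.Identity -Resubmit $true }

    # Show the resulting connector state and anything still waiting. If a
    # stuck queue's NextHopDomain is an AD site name rather than the
    # connector's address space, that mail is intra-org and is routed by AD
    # site topology, not by either Send connector.
    Get-SendConnector |
        Where-Object { @($VpnConnector, $PublicConnector) -contains $_.Name } |
        Format-Table Name, Enabled, SmartHosts, AddressSpaces -AutoSize
    Get-Queue -Server $BranchHub | Where-Object { $_.MessageCount -gt 0 } |
        Format-Table Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError -AutoSize
}

# Usage: Switch-BranchRoute -Mode Public   when the VPN is down
#        Switch-BranchRoute -Mode Vpn      once the VPN is restored
```

The final queue listing is the check worth keeping even if the rest is scripted differently: it tells you whether the waiting mail is on a connector queue at all, which decides whether flipping connectors can help.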
 
MAS (MVE), Technical Department Head (Author), commented:
Is it possible to send only by external IP,
so that we can avoid this issue?

If possible, please let me know how it can be done.

I already have a send connector with public IPs, but it does not work when the VPN is down.

When I enable the VPN it is delivered immediately without delay, i.e. it is transferring to the HUB in the main office and gets delivered.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
It is, but email delivery would be slow, and it isn't a good option to make your emails travel out and in and out again :(

For email to route from external, you would need to whitelist your branch IP and the domain address @mydomain.com on the firewall and allow it to relay :)
This is a bit risky, as you don't want to allow anything else to relay via your firewall or outgoing servers using the Internet... hope you understand what I am saying!!

It's good if you use it only while your VPN issues are there; once restored, get back to internal... it's good :)

- Rancy
0
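The comment above is right that "whitelist the branch IP and allow it to relay" is risky; the risk is in how the relay permission is granted, not in the idea itself. The following is an added example (not from the thread) of the narrow way to do it on the HO side: a dedicated Receive connector whose RemoteIPRanges is the single branch public IP. Exchange selects the Receive connector whose remote range most specifically matches the sender, so this connector handles only that address and the Default connector is untouched. The server name `HO-HUB01` and the address `203.0.113.10` (a documentation-range stand-in for the branch's real static IP) are assumptions, as is the Exchange 2007/2010 Hub Transport role.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007/2010
# Hub Transport at head office; the server name and the branch IP are
# assumptions (203.0.113.10 is from the documentation range).
$HoHub        = 'HO-HUB01'        # HO hub published on TCP 25 through the firewall
$BranchPublic = '203.0.113.10'    # the branch's static public IP, and only that IP

# A dedicated Receive connector that accepts from the branch public IP alone.
# ExternalAuthoritative means "treat this source as a trusted Exchange
# server": no SMTP AUTH, headers accepted as-is, may send as any internal
# address. That trust is why RemoteIPRanges must be one host, never a range
# that includes anything else on the Internet.
New-ReceiveConnector -Name 'From Branch (public IP)' -Server $HoHub -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $BranchPublic `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Check: list any Receive connector on this hub that grants ANONYMOUS LOGON the
# "accept any recipient" right (the classic open-relay grant), together with
# the ranges it accepts from. The branch connector above should not appear;
# if the Default connector appears with 0.0.0.0-255.255.255.255, the server is
# an open relay regardless of what the firewall whitelists.
function Get-OpenRelayGrants {
    Get-ReceiveConnector -Server $HoHub | ForEach-Object {
        $rc = $_
        $rc | Get-ADPermission | Where-Object {
            ([string]$_.User) -like '*ANONYMOUS LOGON*' -and
            ([string]$_.ExtendedRights) -match 'ms-Exch-SMTP-Accept-Any-Recipient'
        } | ForEach-Object {
            New-Object PSObject -Property @{
                Connector = $rc.Name
                Ranges    = (($rc.RemoteIPRanges | ForEach-Object { [string]$_ }) -join ', ')
            }
        }
    }
}

Get-OpenRelayGrants | Format-Table Connector, Ranges -AutoSize
```

Pair this with a firewall rule that forwards TCP 25 to `HO-HUB01` only from the branch IP, and remove the connector once the VPN is reliable again; the comment's point that this should be temporary stands.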
 
MAS (MVE), Technical Department Head (Author), commented:
If that is the case we don't need an Exchange server in the branch, as all of them are POP users.
When the VPN is up they can connect directly to the MAIN server.

My intention is to make it work when the VPN is down.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
"If that is the case we don't need an Exchange server in the branch, as all of them are POP users" - Totally agree on this point.

"When the VPN is up they can connect directly to the MAIN server" - Yes, they should.

I can understand... but it's a bit risky!!

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
As per my first question, before installing Exchange someone else recommended using only the public IP, as the VPN is not stable.

Or can we do it like this: add all the IPs (internal and external) in the send connector to send email from the branch?
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
You can use it for POP3... you can do that as well, but make sure users are aware, as some emails might be delayed...

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
Let's do that. Please guide me how to do that. Delay is not a problem.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Put the public IP in the send connector as the smart host and restart the Transport services... but your POP clients would connect to the mailbox to send emails from the HUB in the same domain...

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
I already have mailboxes locally and have configured the send connector.
But still it is not sending to the public IP. It is stuck somewhere. When I restore the VPN connection I receive the mail in seconds. Even if I disable the send connector I still receive the mail, i.e. it is not sending the email via the new send connector.

I allowed this IP in the receive connector as well.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Remove it from the receive connector... look, POP3 works directly with an incoming and an outgoing server... what are those, and which server is that?

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
--> "Remove it from the receive connector."
I am not clear on this.


POP3 is working fine. The servers mentioned are the branch Exchange server address.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
So ideally it's using the branch server for email flow... so if you want to work with the MAIN HUB server, you need to configure POP with that address to bypass your Exchange server.

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
How can they connect to the MAIN HUB server if the VPN is down?

You mean they will connect through the external IP?
0
 
MAS (MVE), Technical Department Head (Author), commented:
Awaiting your reply.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
POP clients use the outgoing and incoming server details, so if those are external they would simply connect that way... it's the settings on the POP client (Outlook).

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
The outgoing and incoming servers are the branch server. When the VPN is down I can send email from the branch to the main office, but it will not reach the destination; it will be stuck in the queue. As soon as the VPN is up I receive the emails immediately.

BTW, it is not using the new send connector to send email.

If we can configure the branch server to use the new send connector, our problem is solved.
0
 
Jamie McKillop, IT Manager, commented:
Hello,

Are both Exchange servers in the same AD forest? If so, you cannot control routing between the servers with Send connectors. Send connectors are intended to control mail flow outside your organization. Exchange internal routing is done based on AD sites and is hub-server-to-hub-server direct communication using internal hostnames.

Depending on the number of users you have at the branch office and your available Internet bandwidth, you might be better off moving all the branch office mailboxes to the main office and having your users connect over the Internet connection.

JJ
0
 
MAS (MVE), Technical Department Head (Author), commented:
I expected this answer, as I read it in an MS article, but I thought of a workaround for this. I asked a question before installing an Exchange server in the branch; see this.

The external IP of the branch is getting blacklisted frequently due to malware on PCs. That is the reason I thought of installing a server as a gateway and blocked all SMTP traffic to the Internet except from the new Exchange server.

If they connect directly to the main server, what is the use of an Exchange server in the branch, when they are all POP users?

Is there a workaround to make this work, as we have 2 more branches with the same issue?
0
 
Jamie McKillop, IT Manager, commented:
The solution to your original blacklisting problem should have been to block outbound port 25 from any systems except for your Hub Transport server and also to NAT your Hub Transport server to a dedicated external IP. Once you delisted that IP from any blacklist, you would have been fine. You can still do this, but it will not solve your issue of internal email flow being disrupted when your VPN goes down. If you can't fix your VPN issues and maintain a stable site-to-site VPN, my suggestion is to move all your mailboxes to HO and have your clients connect to a public IP for POP and SMTP that is mapped to your Exchange servers at HO.

JJ
0
 
MAS (MVE), Technical Department Head (Author), commented:
Is it possible to do something if I create a new domain name for the branch users,
e.g. UK.domain.com?
I want the branch server to send email by external IP to HO, which is only domain.com.
0
 
Jamie McKillop, IT Manager, commented:
Not unless you create separate AD forests for your branch sites.

JJ
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
abbasiftt: Let me step back a bit...

1. We have 2 sites, Branch and HO Office.
2. Users in the Branch use POP, and the Branch server routes emails to the HO Office (internally).
3. You want to try to use the external IP of the HO Office in case the VPN is down?

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
All 3 statements are true.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
How many send connectors do you have with just the branch server as bridgehead?

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
I have 2 send connectors in the Exchange org.
But only one send connector has the branch server as source server (which is routing mail via smart hosts to the HO Exchange servers).
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
So the entry in the smart host is the internal IP of the HO Exchange server, right?

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
Yes. But even if I disable the send connector, restart the Transport service and send an email, it is delivered to the recipient mailbox, but only when the VPN is up, i.e. it is not using the branch send connector to send email to HO.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
The reason it works even without the Send connector is that internal Exchange does not require Send connectors... the Transport services on the HUB servers can communicate among themselves and send email.

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
So what is the solution for this?
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
For internal mail a Send connector wouldn't work... however for external you can specify a smart host on your firewall... and if the connection is down the server should try that route... let me know if there is a possibility of testing by stopping the firewall connection between both sites somewhere over the weekend to give it a try :)

1. Have a Send connector with the smart host set to the external IP of the HO server, but you need to check if port 25 is open externally from the Branch.
2. Once the VPN connection is down, both the Branch and HO HUB servers cannot communicate to send emails; that's when the Send connector and smart host would come into the picture.
3. As I said earlier, it also needs to be checked whether the firewall or the server on the external IP will accept and allow emails from the Branch server to route emails.

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
From the branch server I can telnet to the external IP and send a test email,
but when the VPN is down it is not routing through the new send connector.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
What happens to those emails?

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
When I send an email after disconnecting the VPN, email from the branch sits in the branch server queue.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Do you have the Send connector created with internal relay and set to the public IP?

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
Yes,
with * and cost 2.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Is the Branch open to send emails via the Internet... not sure though.

- Rancy
0
 
MAS (MVE), Technical Department Head (Author), commented:
Yes.
0
 
MAS (MVE), Technical Department Head (Author), commented:
Awaiting your reply.
0
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Last time, after the disconnect, did you try to send the email to internal users or external?
Are you able to telnet to the public IP and drop an email, internal and external?

- Rancy
0
 
Jamie McKillop, IT Manager, commented:
"When I send an email after disconnecting the VPN, email from the branch sits in the branch server queue."

Are you talking about internal email or email sent to external domains? As I stated previously, the VPN MUST be functional for your internal email to route between your Exchange servers. There is no way around this. Setting up send connectors and smart hosts will not resolve your problem. They are for sending to external domains only. For site-to-site routing internally, the Hub Transport servers at each site must be able to contact each other by internal hostname. By definition, that would be by using the internal private IPs of the servers, thus requiring the VPN to be functional.

JJ
0
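The answer above can be confirmed from the branch server's own queues, and this is the check the thread never quite gets to. The following is an added Exchange Management Shell example (not from the thread); the server name `BR-HUB01` and the Exchange 2007/2010 Hub Transport role are assumptions. The point is the `DeliveryType` and `NextHopDomain` columns: intra-org mail shows an AD site as its next hop and a relay-to-AD-site delivery type, which is why no Send connector, smart host or address space will ever be consulted for it.

```powershell
# Added example, not from the original thread. Run on the branch hub (name is
# an assumption) while the VPN is down to see where internal mail is waiting.
$BranchHub = 'BR-HUB01'

function Get-WaitingQueues {
    # Only queues that actually hold messages; the columns that show how the
    # message was routed and why it has not left.
    Get-Queue -Server $BranchHub |
        Where-Object { $_.MessageCount -gt 0 } |
        Select-Object Identity, DeliveryType, Status, NextHopDomain, MessageCount, LastError
}

# Reading the output:
#   DeliveryType  SmtpRelayToRemoteAdSite (or SmtpRelayWithinAdSite)
#   NextHopDomain <name of the HO Active Directory site>
#       -> intra-org mail. The next hop was chosen from AD site topology
#          (site-link costs) and the HO hub's internal name; Send connectors
#          are never evaluated for it, so only a working path to that
#          internal name (the VPN) clears the queue.
#
#   DeliveryType  SmartHostConnectorDelivery or DnsConnectorDelivery
#   NextHopDomain <smart host address or the connector's address space>
#       -> a Send connector is in use. This is the only case where enabling a
#          public-IP connector changes anything, and it applies to mail for
#          external domains.
Get-WaitingQueues | Format-Table -AutoSize

# The AD site this server believes it is in, and the site links (with the
# Exchange-specific cost override, if any) that the routing decision used.
Get-ExchangeServer -Identity $BranchHub | Format-List Name, Site, ServerRole
Get-AdSiteLink | Format-Table Name, Cost, ExchangeCost, Sites -AutoSize
```

If the branch hub's `Site` turns out to be the same AD site as HO (for example because the branch subnet was never added in AD Sites and Services), the queue will show `SmtpRelayWithinAdSite` instead; the conclusion is the same, but the fix for mail flow once the VPN is back is to get the subnet-to-site mapping right.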
 
MAS (MVE), Technical Department Head (Author), commented:
I sent internal email.
I did not try external emails. The majority of the emails are internal emails from the branch.
0
 
Jamie McKillop, IT Manager, commented:
OK, like I said, for internal email there is no way to route when your VPN is down. For external email, I recommend you create two send connectors for the * namespace. One send connector will use your Hub Transport servers in HO as source servers and the other send connector will use your Hub Transport servers in your branch office as source servers. Set up all your Hub Transport servers to use DNS and not smart hosts. With this setup, each office will send email out directly to external domains and your VPN will not impact sending externally.

JJ
0
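The two-connector layout recommended above, as an added Exchange Management Shell example (not from the thread). Server names `HO-HUB01`, `HO-HUB02` and `BR-HUB01` are assumptions, as is the Exchange 2007/2010 Hub Transport role. One detail the recommendation leaves implicit is worth making explicit in the configuration: a Send connector is visible to every hub in the organization unless it is scoped, so with two unscoped `*` connectors of equal cost the branch hub may still select the HO connector and try to hand mail to an HO hub across the VPN. `IsScopedConnector` restricts each connector to hubs in the AD site of its source servers, which is what makes each office send independently.

```powershell
# Added example, not from the original thread. Assumes Exchange 2007/2010 Hub
# Transport; the server names are assumptions. Each site's hubs deliver to the
# Internet directly via MX lookup, so a VPN outage does not touch outbound mail.
$SiteConnectors = @{
    'Internet - HO'     = @('HO-HUB01', 'HO-HUB02')
    'Internet - Branch' = @('BR-HUB01')
}

foreach ($name in $SiteConnectors.Keys) {
    # -DNSRoutingEnabled $true  : resolve recipient MX records, no smart host
    # -IsScopedConnector $true  : only hubs in the source servers' AD site see
    #                             this connector, so the branch never routes
    #                             external mail via HO (and vice versa)
    New-SendConnector -Name $name -Usage Internet -AddressSpaces '*' `
        -SourceTransportServers $SiteConnectors[$name] `
        -DNSRoutingEnabled $true `
        -IsScopedConnector $true
}

# Verify: every Internet connector should show DNS routing, scoping and its
# own site's hubs. Any remaining '*' connector with a smart host, or with
# IsScopedConnector False, is a candidate to re-create the VPN dependency.
function Get-InternetConnectorState {
    Get-SendConnector |
        Where-Object { ($_.AddressSpaces | ForEach-Object { [string]$_ }) -contains 'SMTP:*;1' } |
        Select-Object Name, Enabled, DNSRoutingEnabled, IsScopedConnector,
            @{ Name = 'SourceTransportServers'; Expression = { ($_.SourceTransportServers | ForEach-Object { $_.Name }) -join ', ' } },
            @{ Name = 'SmartHosts';             Expression = { ($_.SmartHosts | ForEach-Object { [string]$_ }) -join ', ' } }
}

Get-InternetConnectorState | Format-Table -AutoSize
```

Two operational points follow from the same thread: the branch hub's outbound traffic should leave through a dedicated NAT address that no other branch host can use for port 25 (the earlier blacklisting comment), and that address needs a matching PTR record, or receiving sites will treat the branch's direct delivery as suspect.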
 
MAS (MVE), Technical Department Head (Author), commented:
Is it possible to route all the emails through the global IP, as if there is no VPN?

Even if there is traffic, no problem.
0
 
MAS (MVE), Technical Department Head (Author), commented:
Thanks to all.
0