Solved

Exchange 2010 firewall config

Posted on 2013-05-24
9
407 Views
Last Modified: 2013-05-29
Hello,

Exchange 2010 with Server 2008 R2 on all servers behind Cisco ASA 5510 environment.

My only experience installing Exchange is limited to a Typical installation where all roles are installed on one server, ie small environments.  I'm setting up a new environment consisting of three servers:

exch1 - Mailbox role
cas1 - Hub/CAS role
cas2 - Hub/CAS role

For a single server setup, I would normally just create an external A record for mail.domain.com, a CNAME record for Autodiscover pointing to mail.domain.com, and MX records pointing to an inbound host (ie Postini, MXLogic, FOPE, etc).  How does the A record work for environments with multiple CAS servers?  Specifically how is the firewall configured?  Generally I would just configure an ACL for the WAN IP on ports 25 and 443, then configure a static NAT to my single Exchange server; however, in my current setup with multiple CAS servers, how is the NAT configured?

I've been researching my CAS array options, but I'm still a little confused on the process because I've found conflicting info when asking The Google.  Here are the sites I've used thus far:

http://technet.microsoft.com/en-us/magazine/ff626260.aspx
http://blogs.technet.com/b/omers/archive/2010/10/11/microsoft-exchange-2010-cas-array-steps-and-recommendations.aspx
http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

The list goes on...

I have to say upfront that I am not very well versed with firewalls and know only the basics to allow for my Exchange connections.  Any detailed assistance would be greatly appreciated.  Thanks!
0
Comment
Question by:terminalb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
9 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39194517
First - the Cisco - be aware of the SMTP scanning it does and disable it. See this MSKB article:http://semb.ee/fixupsmtp

RPC CAS Array - this is an INTERNAL only thing. It should not be configured externally at all. It should not resolve externally, it does not have to be on the SSL certificate. It is for TCP MAPI traffic from Outlook only.

Do you have a load balancer? Do you have a unique URL for both servers?

For SMTP traffic the basic option is to have a seperate IP address for both servers, seperate host name, PTR etc and have both servers in the MX records on a 1:1 NAT.

For SSL traffic, you can have autodiscover going to both servers. For OWA, you can only go to one or other of the servers, unless you have a load balancer.
If you have a load balancer then you can point the traffic (NAT) at the load balancer virtual IP address and let it sort out where the traffic should go.

You can use the same internal IP address for the RPC CAS Array and web traffic, just not the same host name.

Simon.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194535
From the outside, nothing really changes and you still only need 1 A record. The key to running multiple CAS servers is a Network Load Balancer (NLB) on the inside, this can be done via an appliance or through software (Windows NLB). Hosts of a NLB cluster share a single IP.

Check this article out, shows you step by step on how to configure an array using Windows NLB

http://exchangeserverpro.com/how-to-install-an-exchange-server-2010-client-access-server-array/
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194554
Right, that's pretty much the track I was on but must have spaced in realizing the cluster itself was assigned a single IP.

So does this mean I point all client connections to the cluster IP, ie pop.domain.com, owa.domain.com, autodisocver.domain.com, etc?
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194579
No.
The DAG cluster IP address is just for database functionality. You should not be using it for client connections.
WNLB is not recommended by the Exchange product team and generally sucks.
If you aren't using a load balancer then you will have to point everything at either of the servers.

Personally I wouldn't have bothered with a design with seperate CAS and mailbox servers. I haven't implemented that design in the last 18 months. All three roles on the same server would have been my preferred design.

Simon.
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194581
Sembee2, I didn't see your post until now.

I will be using WNLB since purchasing additional hardware is out of the question.

By "unique URL For both servers", you mean externally, correct?  If so, I have not yet crossed that bridge.  One of my associates just deleted my mailbox server from VMWare and I've been tied up putting out that fire.

"For SSL traffic, you can have autodiscover going to both servers."  I'm trying to wrap my head around this one.  The only Autodiscover DNS option that utilizes any type of priority would be an SRV record.  So do you mean create two SRV records with an equal priority (ie 10) pointing to something like mail1.domain.com and mail2.domain.com?
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194592
I'm not using a DAG, I'm using a CAS array.  In fact, now that I'm installing WNLB for use with my CAS array, I've prevented any type of DAG functionality since it's incompatible with WNLB.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194601
The short answer is yes, you would do your NATing to the shared IP of the load balancer
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194622
You can run DAG in a WNLB environment, as long as the Mailbox and CAS roles are on separate servers, and from your description this is the case
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194724
I don't see the point in running two client access servers if you don't have a DAG. I will be blunt, but I think your design is very poor. You are protecting client access (Against what?) without protecting the important bits - the data.

It would have been better to have bought two Exchange licences and put the additional funds towards a virtual load balancer.

There is no load balancing or availability in DNS, the most you can do is round robin, where you have both IP addresses in the DNS record.
There are virtual load balancing options - you can even go open source with Zen (Which I run at home).

Simon.
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question