
Solved

Exchange 2010 firewall config

Posted on 2013-05-24
Last Modified: 2013-05-29
Hello,

Exchange 2010 with Server 2008 R2 on all servers behind Cisco ASA 5510 environment.

My only experience installing Exchange is limited to a Typical installation where all roles are installed on one server, ie small environments.  I'm setting up a new environment consisting of three servers:

exch1 - Mailbox role
cas1 - Hub/CAS role
cas2 - Hub/CAS role

For a single server setup, I would normally just create an external A record for mail.domain.com, a CNAME record for Autodiscover pointing to mail.domain.com, and MX records pointing to an inbound host (ie Postini, MXLogic, FOPE, etc).  How does the A record work for environments with multiple CAS servers?  Specifically how is the firewall configured?  Generally I would just configure an ACL for the WAN IP on ports 25 and 443, then configure a static NAT to my single Exchange server; however, in my current setup with multiple CAS servers, how is the NAT configured?

I've been researching my CAS array options, but I'm still a little confused on the process because I've found conflicting info when asking The Google.  Here are the sites I've used thus far:

http://technet.microsoft.com/en-us/magazine/ff626260.aspx
http://blogs.technet.com/b/omers/archive/2010/10/11/microsoft-exchange-2010-cas-array-steps-and-recommendations.aspx
http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

The list goes on...

I have to say upfront that I am not very well versed with firewalls and know only the basics to allow for my Exchange connections.  Any detailed assistance would be greatly appreciated.  Thanks!
Question by: terminalb
9 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39194517
First - the Cisco - be aware of the SMTP scanning it does and disable it. See this MSKB article: http://semb.ee/fixupsmtp

RPC CAS Array - this is an INTERNAL only thing. It should not be configured externally at all. It should not resolve externally, it does not have to be on the SSL certificate. It is for TCP MAPI traffic from Outlook only.

Do you have a load balancer? Do you have a unique URL for both servers?

For SMTP traffic the basic option is to have a separate IP address for both servers, separate host name, PTR etc. and have both servers in the MX records on a 1:1 NAT.

For SSL traffic, you can have autodiscover going to both servers. For OWA, you can only go to one or other of the servers, unless you have a load balancer.
If you have a load balancer then you can point the traffic (NAT) at the load balancer virtual IP address and let it sort out where the traffic should go.

You can use the same internal IP address for the RPC CAS Array and web traffic, just not the same host name.

Simon.
0
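The firewall side of the accepted answer, written out as an added example that is not from the original thread or from Sembee: a Cisco ASA configuration (8.3 or later object-NAT syntax) that removes ESMTP inspection from the global policy, gives each Hub/CAS server its own public IP on a 1:1 NAT for SMTP, and sends HTTPS to a single inside address. All addresses, object names and the load-balancer VIP (10.0.0.20 / 203.0.113.20) are assumed for illustration. The RPC CAS array name gets no NAT rule and no external DNS record, as the answer above says.

```cisco
! Added example, not from the thread. Cisco ASA 8.3+ syntax; all addresses
! and object names are assumed.
!
! --- 1. ESMTP inspection: default (breaks Exchange) vs. corrected ---
! A fresh ASA inspects ESMTP in its global policy. That inspection masks the
! SMTP banner ("220 *****") and filters ESMTP commands, STARTTLS among them.
! Default (leave this out):
!   policy-map global_policy
!    class inspection_default
!     inspect esmtp
! Corrected:
policy-map global_policy
 class inspection_default
  no inspect esmtp

! --- 2. One public IP per Hub/CAS server, 1:1 static NAT ---
! These are the two hosts that appear in the MX records (mail1/mail2),
! each with a matching forward A record and PTR.
object network obj-cas1
 host 10.0.0.11
 nat (inside,outside) static 203.0.113.11
object network obj-cas2
 host 10.0.0.12
 nat (inside,outside) static 203.0.113.12

! --- 3. Single address for HTTPS (OWA, ActiveSync, Autodiscover) ---
! With a load balancer this is its virtual IP. Without one, point this
! object at a single CAS (e.g. host 10.0.0.11) instead; OWA cannot be
! spread over both servers by NAT alone.
object network obj-cas-vip
 host 10.0.0.20
 nat (inside,outside) static 203.0.113.20

! --- 4. Inbound ACL: SMTP to each CAS, HTTPS to the VIP, nothing else ---
! Post-8.3 ACLs reference the real (inside) addresses via the objects.
access-list outside_access_in extended permit tcp any object obj-cas1 eq smtp
access-list outside_access_in extended permit tcp any object obj-cas2 eq smtp
access-list outside_access_in extended permit tcp any object obj-cas-vip eq https
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

Two caveats a practitioner would add. First, since inbound mail arrives through a filtering service (Postini, MXLogic, FOPE), replace the `any` source on the two SMTP lines with that provider's published delivery ranges so the servers do not accept mail from the whole internet. Second, if ESMTP inspection must stay on for policy reasons, at minimum attach a `policy-map type inspect esmtp` whose `parameters` include `allow-tls`; otherwise opportunistic TLS between the filtering service and the Hub/CAS servers will fail. On an ASA still running 8.2 the NAT lines take the older form `static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255` and the ACL references the public address.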
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194535
From the outside, nothing really changes and you still only need 1 A record. The key to running multiple CAS servers is a Network Load Balancer (NLB) on the inside; this can be done via an appliance or through software (Windows NLB). Hosts of an NLB cluster share a single IP.

Check this article out, shows you step by step on how to configure an array using Windows NLB

http://exchangeserverpro.com/how-to-install-an-exchange-server-2010-client-access-server-array/
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194554
Right, that's pretty much the track I was on but must have spaced in realizing the cluster itself was assigned a single IP.

So does this mean I point all client connections to the cluster IP, ie pop.domain.com, owa.domain.com, autodiscover.domain.com, etc?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194579
No.
The DAG cluster IP address is just for database functionality. You should not be using it for client connections.
WNLB is not recommended by the Exchange product team and generally sucks.
If you aren't using a load balancer then you will have to point everything at either of the servers.

Personally I wouldn't have bothered with a design with separate CAS and mailbox servers. I haven't implemented that design in the last 18 months. All three roles on the same server would have been my preferred design.

Simon.
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194581
Sembee2, I didn't see your post until now.

I will be using WNLB since purchasing additional hardware is out of the question.

By "unique URL for both servers", you mean externally, correct?  If so, I have not yet crossed that bridge.  One of my associates just deleted my mailbox server from VMware and I've been tied up putting out that fire.

"For SSL traffic, you can have autodiscover going to both servers."  I'm trying to wrap my head around this one.  The only Autodiscover DNS option that utilizes any type of priority would be an SRV record.  So do you mean create two SRV records with an equal priority (ie 10) pointing to something like mail1.domain.com and mail2.domain.com?
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194592
I'm not using a DAG, I'm using a CAS array.  In fact, now that I'm installing WNLB for use with my CAS array, I've prevented any type of DAG functionality since it's incompatible with WNLB.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194601
The short answer is yes, you would do your NATing to the shared IP of the load balancer.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194622
You can run DAG in a WNLB environment, as long as the Mailbox and CAS roles are on separate servers, and from your description this is the case.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194724
I don't see the point in running two client access servers if you don't have a DAG. I will be blunt, but I think your design is very poor. You are protecting client access (Against what?) without protecting the important bits - the data.

It would have been better to have bought two Exchange licences and put the additional funds towards a virtual load balancer.

There is no load balancing or availability in DNS, the most you can do is round robin, where you have both IP addresses in the DNS record.
There are virtual load balancing options - you can even go open source with Zen (Which I run at home).

Simon.
0
