Solved

Exchange 2010 firewall config

Posted on 2013-05-24
9
365 Views
Last Modified: 2013-05-29
Hello,

Exchange 2010 with Server 2008 R2 on all servers behind Cisco ASA 5510 environment.

My only experience installing Exchange is limited to a Typical installation where all roles are installed on one server, ie small environments.  I'm setting up a new environment consisting of three servers:

exch1 - Mailbox role
cas1 - Hub/CAS role
cas2 - Hub/CAS role

For a single server setup, I would normally just create an external A record for mail.domain.com, a CNAME record for Autodiscover pointing to mail.domain.com, and MX records pointing to an inbound host (ie Postini, MXLogic, FOPE, etc).  How does the A record work for environments with multiple CAS servers?  Specifically how is the firewall configured?  Generally I would just configure an ACL for the WAN IP on ports 25 and 443, then configure a static NAT to my single Exchange server; however, in my current setup with multiple CAS servers, how is the NAT configured?

I've been researching my CAS array options, but I'm still a little confused on the process because I've found conflicting info when asking The Google.  Here are the sites I've used thus far:

http://technet.microsoft.com/en-us/magazine/ff626260.aspx
http://blogs.technet.com/b/omers/archive/2010/10/11/microsoft-exchange-2010-cas-array-steps-and-recommendations.aspx
http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

The list goes on...

I have to say upfront that I am not very well versed with firewalls and know only the basics to allow for my Exchange connections.  Any detailed assistance would be greatly appreciated.  Thanks!
0
Comment
Question by:terminalb
  • 3
  • 3
  • 3
9 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39194517
First - the Cisco - be aware of the SMTP scanning it does and disable it. See this MSKB article:http://semb.ee/fixupsmtp

RPC CAS Array - this is an INTERNAL only thing. It should not be configured externally at all. It should not resolve externally, it does not have to be on the SSL certificate. It is for TCP MAPI traffic from Outlook only.

Do you have a load balancer? Do you have a unique URL for both servers?

For SMTP traffic the basic option is to have a seperate IP address for both servers, seperate host name, PTR etc and have both servers in the MX records on a 1:1 NAT.

For SSL traffic, you can have autodiscover going to both servers. For OWA, you can only go to one or other of the servers, unless you have a load balancer.
If you have a load balancer then you can point the traffic (NAT) at the load balancer virtual IP address and let it sort out where the traffic should go.

You can use the same internal IP address for the RPC CAS Array and web traffic, just not the same host name.

Simon.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194535
From the outside, nothing really changes and you still only need 1 A record. The key to running multiple CAS servers is a Network Load Balancer (NLB) on the inside, this can be done via an appliance or through software (Windows NLB). Hosts of a NLB cluster share a single IP.

Check this article out, shows you step by step on how to configure an array using Windows NLB

http://exchangeserverpro.com/how-to-install-an-exchange-server-2010-client-access-server-array/
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194554
Right, that's pretty much the track I was on but must have spaced in realizing the cluster itself was assigned a single IP.

So does this mean I point all client connections to the cluster IP, ie pop.domain.com, owa.domain.com, autodisocver.domain.com, etc?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194579
No.
The DAG cluster IP address is just for database functionality. You should not be using it for client connections.
WNLB is not recommended by the Exchange product team and generally sucks.
If you aren't using a load balancer then you will have to point everything at either of the servers.

Personally I wouldn't have bothered with a design with seperate CAS and mailbox servers. I haven't implemented that design in the last 18 months. All three roles on the same server would have been my preferred design.

Simon.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 2

Author Comment

by:terminalb
ID: 39194581
Sembee2, I didn't see your post until now.

I will be using WNLB since purchasing additional hardware is out of the question.

By "unique URL For both servers", you mean externally, correct?  If so, I have not yet crossed that bridge.  One of my associates just deleted my mailbox server from VMWare and I've been tied up putting out that fire.

"For SSL traffic, you can have autodiscover going to both servers."  I'm trying to wrap my head around this one.  The only Autodiscover DNS option that utilizes any type of priority would be an SRV record.  So do you mean create two SRV records with an equal priority (ie 10) pointing to something like mail1.domain.com and mail2.domain.com?
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194592
I'm not using a DAG, I'm using a CAS array.  In fact, now that I'm installing WNLB for use with my CAS array, I've prevented any type of DAG functionality since it's incompatible with WNLB.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194601
The short answer is yes, you would do your NATing to the shared IP of the load balancer
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194622
You can run DAG in a WNLB environment, as long as the Mailbox and CAS roles are on separate servers, and from your description this is the case
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194724
I don't see the point in running two client access servers if you don't have a DAG. I will be blunt, but I think your design is very poor. You are protecting client access (Against what?) without protecting the important bits - the data.

It would have been better to have bought two Exchange licences and put the additional funds towards a virtual load balancer.

There is no load balancing or availability in DNS, the most you can do is round robin, where you have both IP addresses in the DNS record.
There are virtual load balancing options - you can even go open source with Zen (Which I run at home).

Simon.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now