Solved

Exchange 2010 firewall config

Posted on 2013-05-24
Last Modified: 2013-05-29
Hello,

Exchange 2010 with Server 2008 R2 on all servers behind Cisco ASA 5510 environment.

My only experience installing Exchange is limited to a Typical installation where all roles are installed on one server, ie small environments.  I'm setting up a new environment consisting of three servers:

exch1 - Mailbox role
cas1 - Hub/CAS role
cas2 - Hub/CAS role

For a single server setup, I would normally just create an external A record for mail.domain.com, a CNAME record for Autodiscover pointing to mail.domain.com, and MX records pointing to an inbound host (ie Postini, MXLogic, FOPE, etc).  How does the A record work for environments with multiple CAS servers?  Specifically how is the firewall configured?  Generally I would just configure an ACL for the WAN IP on ports 25 and 443, then configure a static NAT to my single Exchange server; however, in my current setup with multiple CAS servers, how is the NAT configured?

I've been researching my CAS array options, but I'm still a little confused on the process because I've found conflicting info when asking The Google.  Here are the sites I've used thus far:

http://technet.microsoft.com/en-us/magazine/ff626260.aspx
http://blogs.technet.com/b/omers/archive/2010/10/11/microsoft-exchange-2010-cas-array-steps-and-recommendations.aspx
http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

The list goes on...

I have to say upfront that I am not very well versed with firewalls and know only the basics to allow for my Exchange connections.  Any detailed assistance would be greatly appreciated.  Thanks!
Question by: terminalb
 
Accepted Solution by: Simon Butler (Sembee)
ID: 39194517
First - the Cisco - be aware of the SMTP scanning it does and disable it. See this MSKB article: http://semb.ee/fixupsmtp

RPC CAS Array - this is an INTERNAL only thing. It should not be configured externally at all. It should not resolve externally, it does not have to be on the SSL certificate. It is for TCP MAPI traffic from Outlook only.

Do you have a load balancer? Do you have a unique URL for both servers?

For SMTP traffic the basic option is to have a separate IP address for both servers, separate host name, PTR etc and have both servers in the MX records on a 1:1 NAT.

For SSL traffic, you can have autodiscover going to both servers. For OWA, you can only go to one or other of the servers, unless you have a load balancer.
If you have a load balancer then you can point the traffic (NAT) at the load balancer virtual IP address and let it sort out where the traffic should go.

You can use the same internal IP address for the RPC CAS Array and web traffic, just not the same host name.

Simon.
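As an added illustration (not part of the thread and not Sembee's own configuration), this is what the no-load-balancer option in the accepted answer looks like on an ASA running 8.3 or later software: each Hub/CAS server gets its own public address with a 1:1 static NAT, the outside ACL opens only ports 25 and 443 to each, and ESMTP inspection is removed from the default global policy. The addresses (192.168.10.x inside, 203.0.113.x outside) and the object/ACL names are placeholders; an ASA 5510 still on pre-8.3 software uses the older `static (inside,outside)` NAT syntax instead.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; addresses and names are placeholders.
!
! 1. Disable ESMTP inspection (the "SMTP fixup") in the default global policy,
!    as the accepted answer advises.
policy-map global_policy
 class inspection_default
  no inspect esmtp
!
! 2. One internal object per Hub/CAS server, each with its own 1:1 static NAT
!    to a dedicated public address (separate host name and PTR per address in DNS,
!    both hosts listed in the MX records).
object network obj-cas1
 host 192.168.10.11
 nat (inside,outside) static 203.0.113.11
object network obj-cas2
 host 192.168.10.12
 nat (inside,outside) static 203.0.113.12
!
! 3. Inbound ACL: only SMTP (25) and HTTPS (443) to each CAS. The RPC CAS array
!    is internal only, so no MAPI/RPC ports are opened from outside.
!    In 8.3+ the ACL matches the real (inside) address via the object.
access-list outside_access_in extended permit tcp any object obj-cas1 eq smtp
access-list outside_access_in extended permit tcp any object obj-cas1 eq https
access-list outside_access_in extended permit tcp any object obj-cas2 eq smtp
access-list outside_access_in extended permit tcp any object obj-cas2 eq https
access-group outside_access_in in interface outside
```

With a load balancer in front of the two CAS servers, the two objects collapse into a single object for the virtual IP, and both the static NAT and the ACL point at that one address instead. Either way, `show nat` confirms the translations, and `packet-tracer input outside tcp 198.51.100.1 12345 203.0.113.11 25` (source address constructed) walks a simulated inbound SMTP packet through NAT, ACL and inspection so you can see it is allowed and that no ESMTP inspection is applied.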
 
Expert Comment by: iammorrison
ID: 39194535
From the outside, nothing really changes and you still only need 1 A record. The key to running multiple CAS servers is a Network Load Balancer (NLB) on the inside, this can be done via an appliance or through software (Windows NLB). Hosts of a NLB cluster share a single IP.

Check this article out, shows you step by step on how to configure an array using Windows NLB

http://exchangeserverpro.com/how-to-install-an-exchange-server-2010-client-access-server-array/
Author Comment by: terminalb
ID: 39194554
Right, that's pretty much the track I was on but must have spaced in realizing the cluster itself was assigned a single IP.

So does this mean I point all client connections to the cluster IP, ie pop.domain.com, owa.domain.com, autodiscover.domain.com, etc?
Expert Comment by: Simon Butler (Sembee)
ID: 39194579
No.
The DAG cluster IP address is just for database functionality. You should not be using it for client connections.
WNLB is not recommended by the Exchange product team and generally sucks.
If you aren't using a load balancer then you will have to point everything at either of the servers.

Personally I wouldn't have bothered with a design with separate CAS and mailbox servers. I haven't implemented that design in the last 18 months. All three roles on the same server would have been my preferred design.

Simon.
Author Comment by: terminalb
ID: 39194581
Sembee2, I didn't see your post until now.

I will be using WNLB since purchasing additional hardware is out of the question.

By "unique URL for both servers", you mean externally, correct?  If so, I have not yet crossed that bridge.  One of my associates just deleted my mailbox server from VMware and I've been tied up putting out that fire.

"For SSL traffic, you can have autodiscover going to both servers."  I'm trying to wrap my head around this one.  The only Autodiscover DNS option that utilizes any type of priority would be an SRV record.  So do you mean create two SRV records with an equal priority (ie 10) pointing to something like mail1.domain.com and mail2.domain.com?
Author Comment by: terminalb
ID: 39194592
I'm not using a DAG, I'm using a CAS array.  In fact, now that I'm installing WNLB for use with my CAS array, I've prevented any type of DAG functionality since it's incompatible with WNLB.
Expert Comment by: iammorrison
ID: 39194601
The short answer is yes, you would do your NATing to the shared IP of the load balancer.
Expert Comment by: iammorrison
ID: 39194622
You can run DAG in a WNLB environment, as long as the Mailbox and CAS roles are on separate servers, and from your description this is the case.
Expert Comment by: Simon Butler (Sembee)
ID: 39194724
I don't see the point in running two client access servers if you don't have a DAG. I will be blunt, but I think your design is very poor. You are protecting client access (against what?) without protecting the important bits - the data.

It would have been better to have bought two Exchange licences and put the additional funds towards a virtual load balancer.

There is no load balancing or availability in DNS, the most you can do is round robin, where you have both IP addresses in the DNS record.
There are virtual load balancing options - you can even go open source with Zen (which I run at home).

Simon.