Solved

Exchange 2010 firewall config

Posted on 2013-05-24
9
392 Views
Last Modified: 2013-05-29
Hello,

Exchange 2010 with Server 2008 R2 on all servers behind Cisco ASA 5510 environment.

My only experience installing Exchange is limited to a Typical installation where all roles are installed on one server, ie small environments.  I'm setting up a new environment consisting of three servers:

exch1 - Mailbox role
cas1 - Hub/CAS role
cas2 - Hub/CAS role

For a single server setup, I would normally just create an external A record for mail.domain.com, a CNAME record for Autodiscover pointing to mail.domain.com, and MX records pointing to an inbound host (ie Postini, MXLogic, FOPE, etc).  How does the A record work for environments with multiple CAS servers?  Specifically how is the firewall configured?  Generally I would just configure an ACL for the WAN IP on ports 25 and 443, then configure a static NAT to my single Exchange server; however, in my current setup with multiple CAS servers, how is the NAT configured?

I've been researching my CAS array options, but I'm still a little confused on the process because I've found conflicting info when asking The Google.  Here are the sites I've used thus far:

http://technet.microsoft.com/en-us/magazine/ff626260.aspx
http://blogs.technet.com/b/omers/archive/2010/10/11/microsoft-exchange-2010-cas-array-steps-and-recommendations.aspx
http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

The list goes on...

I have to say upfront that I am not very well versed with firewalls and know only the basics to allow for my Exchange connections.  Any detailed assistance would be greatly appreciated.  Thanks!
0
Comment
Question by:terminalb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
9 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39194517
First - the Cisco - be aware of the SMTP scanning it does and disable it. See this MSKB article:http://semb.ee/fixupsmtp

RPC CAS Array - this is an INTERNAL only thing. It should not be configured externally at all. It should not resolve externally, it does not have to be on the SSL certificate. It is for TCP MAPI traffic from Outlook only.

Do you have a load balancer? Do you have a unique URL for both servers?

For SMTP traffic the basic option is to have a seperate IP address for both servers, seperate host name, PTR etc and have both servers in the MX records on a 1:1 NAT.

For SSL traffic, you can have autodiscover going to both servers. For OWA, you can only go to one or other of the servers, unless you have a load balancer.
If you have a load balancer then you can point the traffic (NAT) at the load balancer virtual IP address and let it sort out where the traffic should go.

You can use the same internal IP address for the RPC CAS Array and web traffic, just not the same host name.

Simon.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194535
From the outside, nothing really changes and you still only need 1 A record. The key to running multiple CAS servers is a Network Load Balancer (NLB) on the inside, this can be done via an appliance or through software (Windows NLB). Hosts of a NLB cluster share a single IP.

Check this article out, shows you step by step on how to configure an array using Windows NLB

http://exchangeserverpro.com/how-to-install-an-exchange-server-2010-client-access-server-array/
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194554
Right, that's pretty much the track I was on but must have spaced in realizing the cluster itself was assigned a single IP.

So does this mean I point all client connections to the cluster IP, ie pop.domain.com, owa.domain.com, autodisocver.domain.com, etc?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194579
No.
The DAG cluster IP address is just for database functionality. You should not be using it for client connections.
WNLB is not recommended by the Exchange product team and generally sucks.
If you aren't using a load balancer then you will have to point everything at either of the servers.

Personally I wouldn't have bothered with a design with seperate CAS and mailbox servers. I haven't implemented that design in the last 18 months. All three roles on the same server would have been my preferred design.

Simon.
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194581
Sembee2, I didn't see your post until now.

I will be using WNLB since purchasing additional hardware is out of the question.

By "unique URL For both servers", you mean externally, correct?  If so, I have not yet crossed that bridge.  One of my associates just deleted my mailbox server from VMWare and I've been tied up putting out that fire.

"For SSL traffic, you can have autodiscover going to both servers."  I'm trying to wrap my head around this one.  The only Autodiscover DNS option that utilizes any type of priority would be an SRV record.  So do you mean create two SRV records with an equal priority (ie 10) pointing to something like mail1.domain.com and mail2.domain.com?
0
 
LVL 2

Author Comment

by:terminalb
ID: 39194592
I'm not using a DAG, I'm using a CAS array.  In fact, now that I'm installing WNLB for use with my CAS array, I've prevented any type of DAG functionality since it's incompatible with WNLB.
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194601
The short answer is yes, you would do your NATing to the shared IP of the load balancer
0
 
LVL 4

Expert Comment

by:iammorrison
ID: 39194622
You can run DAG in a WNLB environment, as long as the Mailbox and CAS roles are on separate servers, and from your description this is the case
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39194724
I don't see the point in running two client access servers if you don't have a DAG. I will be blunt, but I think your design is very poor. You are protecting client access (Against what?) without protecting the important bits - the data.

It would have been better to have bought two Exchange licences and put the additional funds towards a virtual load balancer.

There is no load balancing or availability in DNS, the most you can do is round robin, where you have both IP addresses in the DNS record.
There are virtual load balancing options - you can even go open source with Zen (Which I run at home).

Simon.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out what you should include to make the best professional email signature for your organization.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question