Exchange 2003-2010 Co-existence - no mail flow from 2003BE to 2003FE if no smarthost
Assistance needed for implementing Exchange 2003 – 2010 co-exeistence; How to set up Exchange 2003 Backend server to send outgoing Internet mails through Exchange 2003 Front End server without using Smarthost.
We are in the middle of performing a migration from Exchange 2003 to 2010. So far, we have installed two new Exchange 2010 servers (one for Edge and the other for the rest of the roles) and imported a new SAN certificate on the Cas/Hub/Mailbox server.
For purposes of this discussion, I will name our relevant servers as follows:
2003BE (2003 Back end server, where the mailboxes are located) – this is on LAN
2003FE (2003 Front End server) – this is in the DMZ
2010CHM (2010 Cas/Hub/Mailbox) – on the LAN
2010Edge (2010 Edge) – in the DMZ
We are now attempting to implement a ”co-existence” stage, and noticed that we only have one-way communication from the 2010CHM to the 2003BE server (and no communication the other way).
According to multiple articles, this is usually caused by a “Smart Host” having been configured on the Virtual SMTP Server on 2003BE. And sure enough, that’s what we have on ours: Back in the beginning of time, somebody put a Smarthost entry there – and this entry points to the 2003FE server. This apparently causes mails that are supposed to go from 2003BE to 2010CHM to instead get directed to the 2003FE server, where they queue up (in a “deferred” queue – and they never get delivered to 2010CHM).
If I remove that Smarthost entry, I do indeed accomplish having mail flow from 2003BE to 2010CHM, so in that regard the “remove the smarthost entry” solution works.
However, the big problem then is this: Without that Smarthost entry, outgoing mails to the Internet start queuing up on 2003BE and do not get delivered.
As far as I know, mail flow to the Internet is supposed to be able to proceed from 2003BE to 2003FE without any smarthost entry, but clearly this is not the case in our setup.
Can anybody help by telling me how I can get Internet mail to flow from 2003BE to 2003FE without a smart host entry? Or by any other insights that may help us get this co-existence running?
I have, among other things, attempted to solve the situation by keeping the Smarthost entry on 2003BE and instead creating a “RoutingGroupConnector” between 2010CHM and 2003FE, but no go – the mails destined for 2010CHM still get cued up in a “deferred” queue on the 2003FE server (which, FYI, does NOT have a Smarthost entry).
Thanks in advance for any attention :)
We are in the middle of performing a migration from Exchange 2003 to 2010. So far, we have installed two new Exchange 2010 servers (one for Edge and the other for the rest of the roles) and imported a new SAN certificate on the Cas/Hub/Mailbox server.
For purposes of this discussion, I will name our relevant servers as follows:
2003BE (2003 Back end server, where the mailboxes are located) – this is on LAN
2003FE (2003 Front End server) – this is in the DMZ
2010CHM (2010 Cas/Hub/Mailbox) – on the LAN
2010Edge (2010 Edge) – in the DMZ
We are now attempting to implement a ”co-existence” stage, and noticed that we only have one-way communication from the 2010CHM to the 2003BE server (and no communication the other way).
According to multiple articles, this is usually caused by a “Smart Host” having been configured on the Virtual SMTP Server on 2003BE. And sure enough, that’s what we have on ours: Back in the beginning of time, somebody put a Smarthost entry there – and this entry points to the 2003FE server. This apparently causes mails that are supposed to go from 2003BE to 2010CHM to instead get directed to the 2003FE server, where they queue up (in a “deferred” queue – and they never get delivered to 2010CHM).
If I remove that Smarthost entry, I do indeed accomplish having mail flow from 2003BE to 2010CHM, so in that regard the “remove the smarthost entry” solution works.
However, the big problem then is this: Without that Smarthost entry, outgoing mails to the Internet start queuing up on 2003BE and do not get delivered.
As far as I know, mail flow to the Internet is supposed to be able to proceed from 2003BE to 2003FE without any smarthost entry, but clearly this is not the case in our setup.
Can anybody help by telling me how I can get Internet mail to flow from 2003BE to 2003FE without a smart host entry? Or by any other insights that may help us get this co-existence running?
I have, among other things, attempted to solve the situation by keeping the Smarthost entry on 2003BE and instead creating a “RoutingGroupConnector” between 2010CHM and 2003FE, but no go – the mails destined for 2010CHM still get cued up in a “deferred” queue on the 2003FE server (which, FYI, does NOT have a Smarthost entry).
Thanks in advance for any attention :)
ASKER
Hi Simon,
Thank you very much for you input.
For brevity, and because I was not sure that that connector actually was needed, I did not mention that we do, in fact, already have an SMTP connector. Address Space is *, and the 2003FE is on there as the Local Bridgehead. The "Connector scope" is set to "Entire organization".
In spite of this connector, all Internet bound e-mail strands on 2003BE if I remove the Smarthost entry on the 2003BE "Default SMTP Virtual Server".
/hans
Thank you very much for you input.
For brevity, and because I was not sure that that connector actually was needed, I did not mention that we do, in fact, already have an SMTP connector. Address Space is *, and the 2003FE is on there as the Local Bridgehead. The "Connector scope" is set to "Entire organization".
In spite of this connector, all Internet bound e-mail strands on 2003BE if I remove the Smarthost entry on the 2003BE "Default SMTP Virtual Server".
/hans
You must remove the smart host from the SMTP virtual server. Nothing you can do about that. I woudl start by deleting the SMTP connector and creating another one.
Confirm the connectivity between the servers as well.
It is also considered poor practise to have an Exchange 2003 server in a DMZ. It does nothing for security of the network. If you continue to have problems then I would have to suggest that the Exchange 2003 frontend server is brought back inside the firewall where it belongs.
Simon.
Confirm the connectivity between the servers as well.
It is also considered poor practise to have an Exchange 2003 server in a DMZ. It does nothing for security of the network. If you continue to have problems then I would have to suggest that the Exchange 2003 frontend server is brought back inside the firewall where it belongs.
Simon.
ASKER
Hi Simon,
Thanks again, and I hear you.
Deleting and re-creating the SMTP connector I already tried (and did) earlier.
As far as bringing 2003FE inside the firewall, in a sense it already is, as it has a NIC on it configured with a local IP address. I don’t see any filtering or the like on that NIC.
As far as connectivity between the servers, I have not been able to find a real clear article on exactly what is required between the two, but this article does list a bunch of ports: (http://technet.microsoft.com/en-us/library/aa997436(v=exchg.65).aspx) – do you know of any others?
The following is a list of listening ports on 2003FE. I have confirmed that I can telnet to them all (except for 1149, which is for localhost) from 2003BE. I have not detected any software firewalls (Windows or otherwise) in play so far.
Can you tell me in what other way I should test connectivity between the two?
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:111 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING
TCP 0.0.0.0:691 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1038 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1050 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1051 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1053 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1055 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1108 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1114 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1136 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7937 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7938 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8374 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8710 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP [LAN IP ADDRESS]:139 0.0.0.0:0 LISTENING
TCP [PUBLIC IP ADDRESS]:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1149 0.0.0.0:0 LISTENING
Thanks again, and I hear you.
Deleting and re-creating the SMTP connector I already tried (and did) earlier.
As far as bringing 2003FE inside the firewall, in a sense it already is, as it has a NIC on it configured with a local IP address. I don’t see any filtering or the like on that NIC.
As far as connectivity between the servers, I have not been able to find a real clear article on exactly what is required between the two, but this article does list a bunch of ports: (http://technet.microsoft.com/en-us/library/aa997436(v=exchg.65).aspx) – do you know of any others?
The following is a list of listening ports on 2003FE. I have confirmed that I can telnet to them all (except for 1149, which is for localhost) from 2003BE. I have not detected any software firewalls (Windows or otherwise) in play so far.
Can you tell me in what other way I should test connectivity between the two?
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:111 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING
TCP 0.0.0.0:691 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1038 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1050 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1051 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1053 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1055 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1108 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1114 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1136 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7937 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7938 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8374 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8710 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP [LAN IP ADDRESS]:139 0.0.0.0:0 LISTENING
TCP [PUBLIC IP ADDRESS]:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1149 0.0.0.0:0 LISTENING
ASKER
Hi again Simon,
Possibly in line with one of your posts, I have now activated the Edge subscription between 2010CHM and 2010Edge. As a result, mails sent to the Internet from mailboxes located on 2010CHM go out through 2010Edge.
Are you saying that I - instead of messing more with the interconnection/routing issues between 2003BE and 2003FE - could use this new "outbound route" (i.e. 2010Ege) for the mailboxes on 2003BE also? If so, how would I configure this (because at this point in time, those mails are still getting stuck on 2003BE)?
/Hans
Possibly in line with one of your posts, I have now activated the Edge subscription between 2010CHM and 2010Edge. As a result, mails sent to the Internet from mailboxes located on 2010CHM go out through 2010Edge.
Are you saying that I - instead of messing more with the interconnection/routing issues between 2003BE and 2003FE - could use this new "outbound route" (i.e. 2010Ege) for the mailboxes on 2003BE also? If so, how would I configure this (because at this point in time, those mails are still getting stuck on 2003BE)?
/Hans
If you have a Send Connector in Exchange 2010, then that should be seen by Exchange 2003 as well, and the email pass over the routing group connector to Exchange 2010 and then out to the Edge. You will need to remove the SMTP connector for that to work correctly.
Also ensure that you don't have any restrictions on the SMTP virtual server in ESM and there are NOT external DNS servers configured.
Simon.
Also ensure that you don't have any restrictions on the SMTP virtual server in ESM and there are NOT external DNS servers configured.
Simon.
ASKER
Hi Simon,
Thank you again for your assistance.
I have done as you have outlined, but unfortunately, this is still a no-go: Our 2003BE will not pass on Internet mails using the above configuration; once again, they queue up on 2003BE.
/hans.
Thank you again for your assistance.
I have done as you have outlined, but unfortunately, this is still a no-go: Our 2003BE will not pass on Internet mails using the above configuration; once again, they queue up on 2003BE.
/hans.
There has to be something odd with the configuration of the backend server. Did you recreate the routing group connector?
Is the backend server using port 25 for traffic or some other port?
Simon.
Is the backend server using port 25 for traffic or some other port?
Simon.
ASKER
Hi Simon,
Yes, something weird is going on on 2003BE. Rumor has it that Microsoft was in to have a look at the Exchange 2003 setup five or six years ago, and they could not figure something out either - this might be exactly what they could not figure out. Maybe it was them that came up with the Smarthost workaround.
Yes, by now I have recreated the routing group connector at least three times (this last one was after I found that the flow did not go through to 2010Edge as we had hoped).
Yup - just plain old vanilla port 25.
/hans
Yes, something weird is going on on 2003BE. Rumor has it that Microsoft was in to have a look at the Exchange 2003 setup five or six years ago, and they could not figure something out either - this might be exactly what they could not figure out. Maybe it was them that came up with the Smarthost workaround.
Yes, by now I have recreated the routing group connector at least three times (this last one was after I found that the flow did not go through to 2010Edge as we had hoped).
Yup - just plain old vanilla port 25.
/hans
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I pretty much concluded your option 1) also - going with a "big bang". There are other reasons for this also, which do not relate to this particular technical issue.
Thank you very much for your insights, Simon. Nice to know that - at least in this case - the fault lies with the computers, and not my head :)
/hans
Thank you very much for your insights, Simon. Nice to know that - at least in this case - the fault lies with the computers, and not my head :)
/hans
ASKER
Helpful insights topped off with a good workaround has been very helpful.
In this connector you put the frontend server as the bridgehead. Then the backend servers send the email to the frontend for delivery to the internet.
You will also need to have a Send Connector on Exchange 2010 eventually.
Personally I would switch to just a Send Connector on Exchange 2010 that sends your external out via the Edge server.
Simon.