Load-Balancing Exchange CAS with Kemp - Ironport in the Mix

Hi all,

We are running into a strange issue where we get messages queuing on our Ironport device and not delivering when we introduce a load-balancer in front of our CAS array. As soon as we remove the LB, set DNS back in order, flush the DNS cache on the Ironport all the messages start flowing. This only affect mail coming from outside of our network.

Does anyone have any experience with this mail flow: Outside email -> Ironport -> Kemp LB -> CAS Array ?

The specs are: Exchange 2010, Ironport C350, Kemp 7-0.4.

Any help is greatly appreciated.

Who is Participating?
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
The CAS array shouldn't be used for anything other than Outlook TCP MAPI traffic. You should not be using the address for anything else.

Therefore you should configure another address for the other traffic. The CAS Array also does not need to be in the SSL certificate and if you have used the CAS Array address for HTTPS traffic then you should change that. It simply confuses the clients and the Exchange.

As this is email delivery, you have an SMTP template in the Kemp for delivery? Are you using the same or a different virtual IP address?
Can you telnet in through the Kemp on port 25?
Have you got restrictions on the Receive Connectors to only accept email from the Ironport device? If the Kemp isn't configured correctly then it can appear to be coming from the wrong address.

Kash2nd Line EngineerCommented:
PoorNonProfitAuthor Commented:
Yes, we have those documents and it is setup per their instructions. The strange part is the Ironport seems to be the one not delivering the messages. Without the LB, the Ironport continues to deliver to the CAS array, with the LB the Ironport seems to queue them as though it can't find where to deliver the messages. We are using CNAMES and confirm that the Kemp is setup with the proper services to deliver the messages as internal ones come through fine.
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

PoorNonProfitAuthor Commented:
Thanks for your reply, Simon.

We do have an SMTP template and I have attached a screenshot of our kemp VSes.
We are using the same virtual IP for all services.
We can telnet through the Kemp on port 25.
We have zero restrictions on our receive connectors and at one point had one with all connections allowed for testing to no avail.

The next time we attempt this we plan to enable more detailed protocol logging on the receive connectors to try and determine if Exchange is refusing the messages though on the Ironport there is no indication that they are being refused.

In this case it seems as though they are being queued on the Ironport and it cannot figure out where to deliver these messages.
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
Logging on the Receive Connectors is about the only thing you can do. The Kemp devices should just pass the traffic straight through, without any problems. It would tend to suggest that something is blocking the traffic and Exchange is rejecting it.

PoorNonProfitAuthor Commented:
That is what we figured, we will be doing some more detailed analysis once we attempt a cutover again. Thanks again for your help!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.