Solved

Load-Balancing Exchange CAS with Kemp - Ironport in the Mix

Posted on 2013-11-06
8
205 Views
Last Modified: 2015-04-01
Hi all,

We are running into a strange issue where we get messages queuing on our Ironport device and not delivering when we introduce a load-balancer in front of our CAS array. As soon as we remove the LB, set DNS back in order, flush the DNS cache on the Ironport all the messages start flowing. This only affect mail coming from outside of our network.

Does anyone have any experience with this mail flow: Outside email -> Ironport -> Kemp LB -> CAS Array ?

The specs are: Exchange 2010, Ironport C350, Kemp 7-0.4.

Any help is greatly appreciated.

Thanks.
0
Comment
Question by:PoorNonProfit
  • 3
  • 2
8 Comments
 
LVL 19

Expert Comment

by:Kash
Comment Utility
0
 

Author Comment

by:PoorNonProfit
Comment Utility
Yes, we have those documents and it is setup per their instructions. The strange part is the Ironport seems to be the one not delivering the messages. Without the LB, the Ironport continues to deliver to the CAS array, with the LB the Ironport seems to queue them as though it can't find where to deliver the messages. We are using CNAMES and confirm that the Kemp is setup with the proper services to deliver the messages as internal ones come through fine.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
Comment Utility
The CAS array shouldn't be used for anything other than Outlook TCP MAPI traffic. You should not be using the address for anything else.

Therefore you should configure another address for the other traffic. The CAS Array also does not need to be in the SSL certificate and if you have used the CAS Array address for HTTPS traffic then you should change that. It simply confuses the clients and the Exchange.

As this is email delivery, you have an SMTP template in the Kemp for delivery? Are you using the same or a different virtual IP address?
Can you telnet in through the Kemp on port 25?
Have you got restrictions on the Receive Connectors to only accept email from the Ironport device? If the Kemp isn't configured correctly then it can appear to be coming from the wrong address.

Simon.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:PoorNonProfit
Comment Utility
Thanks for your reply, Simon.

We do have an SMTP template and I have attached a screenshot of our kemp VSes.
We are using the same virtual IP for all services.
We can telnet through the Kemp on port 25.
We have zero restrictions on our receive connectors and at one point had one with all connections allowed for testing to no avail.

The next time we attempt this we plan to enable more detailed protocol logging on the receive connectors to try and determine if Exchange is refusing the messages though on the Ironport there is no indication that they are being refused.

In this case it seems as though they are being queued on the Ironport and it cannot figure out where to deliver these messages.
kemp-vs.jpg
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
Comment Utility
Logging on the Receive Connectors is about the only thing you can do. The Kemp devices should just pass the traffic straight through, without any problems. It would tend to suggest that something is blocking the traffic and Exchange is rejecting it.

Simon.
0
 

Author Comment

by:PoorNonProfit
Comment Utility
That is what we figured, we will be doing some more detailed analysis once we attempt a cutover again. Thanks again for your help!
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video discusses moving either the default database or any database to a new volume.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now