Solved

Configuring Exchange for Fortigate 40c firewall with dual internet connections

Posted on 2014-01-03
7
1,269 Views
Last Modified: 2014-01-08
Hello Experts!

We have a fortigate 40c firewall connected to Charter Business (WAN1) and TDS (WAN2) ISP's. While we purchased the TDS for a backup connection, it seems silly to pay for it and have it sit idle... I was hoping to configure it for load balanced Internet connection.

I set up the balancing in the firewall based on fortigate documentation and our email stopped sending. I assumed it would use the policies created for WAN1 and use that path for sending emails, but it looks like I assumed incorrectly.

Do any of you know how I can keep both connections weighted equally and either give mail both routing options or force mail to only use WAN1 for it's path?

Thank you for your help!!!

Nance
0
Comment
Question by:NanceS
  • 4
  • 2
7 Comments
 
LVL 15

Expert Comment

by:jerseysam
ID: 39753735
Could be that you need to change your MX records to include the external IP of the other WAN?
0
 

Author Comment

by:NanceS
ID: 39754864
So, would I copy the MX info in our DNS server as the same name but the new ip address? Would that work for SMTP? We could receive mail with both internet connections enabled, but sending was backlogged. This surprised me because I figured the policy in the firewall would give it the correct path.

Thanks!

Nance
0
 
LVL 15

Expert Comment

by:jerseysam
ID: 39754962
I may be barking up the wrong tree.

Just thinking that I used to use a dray trek dual wan router and our mx records only listed 1 IP. I pushed all mail through this 1 WAN. If that wan failed or I needed to use the secondary line then I would need to change my MX records to the other IP.

This may not be the case with you but just a thought. Maybe mail out is not going as the IP it is coming from is not recognised as correct. This is presuming of course that all ports etc are opened accordingly etc

Some mx records allow you to enter multiple IP info as secondary.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:NanceS
ID: 39754976
I may not be sharing enough either...

Here's the whole scenario.

I had both internet connects enabled. When distance was 10 on Wan1 and 20 on Wan2 all worked well, but Wan2 sat idle... so I thought I'd try to load balance the internet connect. I set both distances to 10  and gave them a spill over measure... which worked amazingly for internet and phones... but not so much for sending mail. All outbound mail backed up in the queue until I set the back up as secondary (unused) I did call TDS that morning and had reverse dns set up to avoid being blacklisted and they assured me it was for failover only.. I called back and had them cancel it... to no change, still couldn't send mail. It wasn't until we set TDS to backup only that mail started sending again and cleared the queue.

Nance
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39760529
Don't touch your MX records for this.  MX records only dictate incoming mail routing.

In the Fortigate config you should be able to use source-based load-balancing.  This will allow you to determine which link the mail server sends on.  This will be determined via NAT rules.
0
 

Author Comment

by:NanceS
ID: 39761878
Thanks... I'll take a look at source based load balancing... I had all but given up on it working...
0
 

Author Closing Comment

by:NanceS
ID: 39765102
After much research - our fortigate is a 40c and doesn't support the routing that is needed to force our exchange traffic to only flow on WAN1... due to this we are unable to load balance our two internet connections and have the smaller pipe designated solely as a backup.

Thank you for all the efforts!

Nance
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now