Solved

How can I  limit the servers that can relay email from Exchange 2013 to an outside target when using a Load Balancer?

Posted on 2014-09-14
6
210 Views
Last Modified: 2014-10-02
I am using Exchange2013 CU 5 on Win 2012 R2. I want to be able to control servers that can relay email to outside recipients. Before we had a Load Balancer, I would just add the IP of the servers to relay email to the Receive Connector and set the Authentication to Externally Secure. But we have purchased a Kemp VM Load Balancer. My testing found that, while keeping it Externally Secure,  I had to add the IP of the Load Balancer into the Receive Connector or I could not relay email to outside from any of my servers. Further testing found all I needed in the receive connector was the External Secure and the one IP of the Load Balancer. This is easier but I can no longer limit the servers that can relay SMTP email to an outside recipient.

Can anyone tell me how to limit servers that can relay SMTP email to outside when using a Load Balancer?

Thank you,
0
Comment
Question by:swfwmd2
  • 3
  • 2
6 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
You need to reconfigure the load balancer so it is transparent for SMTP traffic. That way Exchange will see the true IP address of the remote server. I haven't got my Kemp running at the moment so cannot look up the command... but someone else has blogged what needs to be done.

http://jaggudon.wordpress.com/2010/11/06/kemps-load-balancer-and-exchange-2010/

Simon.
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
Comment Utility
You better disable SNAT in Kems and set default gateway on all Exchange Hub Transport Servers to Kemps.

This is the only option you can do and I don't think any other option would work for you.
0
 

Author Comment

by:swfwmd2
Comment Utility
Thank you Simon for the reference document (Zacharia missed the step to check the Transparancy box on the LB configuration)

While I understand the reason for checking the Transparency box, I am not as clear about unchecking the Server NAT box.  Can you explain why this was checked in the first place (what benefit did it provide), why it needs to be unchecked for my purpose and what I will not be able to do with it unchecked?

As far as the redirecting the Default Gateway of the Real servers – with only two Exchange servers in this site with the Load Balancer (we have one other in another site for Backups and DR), is there any big benefit of setting this gateway to the Load Balancer or big problem if we do not?

Thank you,
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 

Author Comment

by:swfwmd2
Comment Utility
Disregad my last update -

Here is my current status:

I still cannot relay from the Load Balancer without putting in the IP of the Virtual Server in the Exchange receive connector.

I have done the following:
•      Checked to Transparency box on the LB

•      Unchecked the Server NAT

•      Added the Load Balancer’s Interface Address as the Default gateway on the Exchange servers


I have tested the Receive connector by successfully connecting directly to the Exchange server and able to relay but when I connect to the Load Balancer virtual IP for SMTP I cannot relay (I can relay from here if I add LB IP to Receive connector)
I can successfully send email to my inside address and when I look at the header of the email I see the IP of the LB SMTP virtual service and do not see the IP of the originating server.

Any suggestions?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
Comment Utility
The problem must still be with the KEMPs somewhere. The default gateway setting shouldn't have caused any problems. Have you spoken to KEMP support?

Simon.
0
 

Author Comment

by:swfwmd2
Comment Utility
The Kemp Tech Support told me:
"Transparency will not work properly for clients that are on the same subnet as the virutal service, and real server. The load balancer will selectively disable transparency for those connections as the gateway of the server will not be taken into account, it will try to directly return traffic to the other machine on its local subnet."

They have another option (which I am in process of testing)-

"The only way for these connections to be transparent is to use a layer 4 service and configure for Direct Server Return (DSR). This involves creating a loopback adapter on the server so it can respond directly to the client using the VS ip address. Documentation on how to do this can be found here https://support.kemptechnologies.com/hc/en-us/articles/202380328-Configuring-Real-Servers-for-Direct-Server-Return-DSR-"

Does anyone see any issues with this course of action?
0

Featured Post

Do email signature updates give you a headache?

Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now