I have a client that is running into some issues with Edge servers and TLS connections. Apparently, one of the Edge servers is refusing TLS connections, therefore some clients are getting NDRs stating that the Edge server refused a TLS connection.
The client has the following infrastructure:
1 External firewall, 2 External GTM F5 HLB, 2 internal CAS Exchange servers behind a load balancer F5, 3 Mailbox servers in a DAG, multiple DCs, 2 CAS proxy servers to handle ActiveSync and OWA, 2 Edge servers to allow incoming email from External F5 HLB
Same as above. All Exchange servers run Exchange 2013 SP1; each site has one external firewall, 2 external F5 HLB, 2 internal HLB, and 2 Edge servers.
Incoming email flow below:
All external email goes to our external DNS and MX provider [Message Labs], from there through the external firewall, from the firewall to the external GTM load balancers, from there to our Edge servers, and finally from the Edge servers to the Exchange 2013 MBX servers.
During last week, we had a major incident where the primary site went down, so we had to redirect all traffic at the firewall to go to the secondary site. After that, one of the Edge servers on the primary site was not accepting TLS connections and was rejecting emails.
Our F5 specialist has one of the Edge servers disabled on the F5, so that is the problem child, but if you run the command on the Edge servers it states that the subscriptions would need to be broken, or to run the command on the hub transport.
At the moment, all external traffic is handled at the DR site, but we need to flip the traffic back to the primary site; however, we have concerns because one of the Edge servers at the primary site can reject TLS connections and reject emails.
Can someone please provide me with an action plan to look at this issue on the Edge servers?
No changes were applied to any of the Exchange servers; this is the first time this issue has happened. Some users got the NDR, but unfortunately I can't get those NDRs as they were deleted by the clients.
Can you please also create a workspace for server logs analysis if required?
How can we handle this TLS issue on the Exchange 2013 Edge servers?
Do you believe it is related to the subscription file on all Edge servers?
Again, this was working well until last week when we had the network incident.
By the time this incident happened, we sent a test email via telnet from the Edge servers, and the email was successfully delivered to the MBX servers and users.
As of today, because all incoming email is rerouted to the DR site, all incoming email flows OK and the Edge servers at the DR site are behaving well. My concern is that we need to flip services back to the primary site this weekend, and the problematic Edge server is located at the primary site.
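Added example (not part of the original post, and not something the poster or their client ran): a first-pass triage script for an Exchange 2013 Edge Transport server suspected of refusing STARTTLS. The checks on certificates, receive connectors and transport events run in the Exchange Management Shell on the Edge itself; the Test-SmtpStartTls function speaks just enough SMTP from any Windows host that reaches port 25 on the Edge (for example a CAS behind the F5) to report whether STARTTLS is advertised, whether the command is accepted, and which certificate and protocol get negotiated. The server name, the HELO name and the 30-day expiry threshold are assumptions; everything else uses standard Exchange 2013 cmdlets and .NET classes.

```powershell
# Added example, not from the original post: first-pass triage of an Exchange 2013 Edge
# Transport server that is suspected of refusing STARTTLS. Sections 1-3 run in the Exchange
# Management Shell on the Edge server; Test-SmtpStartTls runs from any Windows host that can
# reach port 25 on the Edge (e.g. a CAS behind the F5). All names below are assumptions.

param(
    [string]$EdgeFqdn = 'edge01.primary.example.com',  # assumption: the suspect Edge server
    [int]$DaysWarning = 30                              # assumption: warn if the cert expires sooner
)

function Test-SmtpStartTls {
    # Connects, sends EHLO, checks for a STARTTLS capability, issues STARTTLS and completes the
    # handshake, then reports the negotiated protocol and certificate (plus local chain validity).
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 25, [string]$HeloName = 'probe.example.com')

    $client = New-Object System.Net.Sockets.TcpClient
    $result = [ordered]@{ Server = $Server; OffersStartTls = $false; StartTlsAccepted = $false }
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        # Multi-line SMTP replies use "250-" on continuation lines and "250 " on the last line.
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line } while ($line.Length -ge 4 -and $line[3] -eq '-')
            $lines
        }

        $result.Banner = (& $readReply)[-1]
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        $result.OffersStartTls = [bool]($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS' })
        if (-not $result.OffersStartTls) { return [pscustomobject]$result }

        $writer.WriteLine('STARTTLS')
        $reply = (& $readReply)[-1]
        $result.StartTlsReply = $reply
        if ($reply -notmatch '^220') { return [pscustomobject]$result }   # e.g. 454 = TLS not available
        $result.StartTlsAccepted = $true

        # Accept any certificate so the handshake completes; chain validity is reported separately.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Server)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.Protocol    = $ssl.SslProtocol
        $result.Subject     = $cert.Subject
        $result.Thumbprint  = $cert.Thumbprint
        $result.NotAfter    = $cert.NotAfter
        $result.ChainValid  = $chain.Build($cert)
        $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    catch   { $result.Error = $_.Exception.Message }
    finally { $client.Close() }
    [pscustomobject]$result
}

# 1. Certificates with the SMTP service enabled: an expired or invalid one is the usual cause.
Write-Host '== SMTP certificates on this Edge =='
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
    $daysLeft = ($_.NotAfter - (Get-Date)).Days
    if ($_.Status -ne 'Valid')      { Write-Warning "$($_.Thumbprint): status is $($_.Status)" }
    if ($daysLeft -lt $DaysWarning) { Write-Warning "$($_.Thumbprint): expires in $daysLeft days" }
    $_ | Select-Object Thumbprint, Status, IsSelfSigned, NotAfter, Subject
} | Format-Table -AutoSize

# 2. Receive connector TLS settings. The connector Fqdn must be covered by the bound certificate,
#    otherwise STARTTLS is advertised but the handshake fails.
Write-Host '== Receive connectors =='
Get-ReceiveConnector | Format-List Identity, Enabled, Bindings, AuthMechanism, RequireTLS, Fqdn, TlsCertificateName, ProtocolLoggingLevel

# 3. Transport events that mention certificates (event 12014, for example, means no certificate
#    matching the connector FQDN was found in the local store).
Write-Host '== MSExchangeTransport certificate events, last 7 days =='
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'certificate' } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 4. Probe the suspect Edge over the wire (run from a host that reaches it on port 25).
Test-SmtpStartTls -Server $EdgeFqdn | Format-List

# Edge subscription health is checked from a Mailbox server, not from the Edge itself:
#   Test-EdgeSynchronization -TargetServer $EdgeFqdn
```

Reading the output: a healthy Edge shows OffersStartTls and StartTlsAccepted both true, a Protocol of Tls or higher, and a certificate whose Thumbprint matches one listed with Status Valid in section 1. A 454 reply to STARTTLS, or a section 3 event about a missing or expired certificate, points at the certificate binding on the Edge rather than at the F5 or the subscription; a failed handshake with a Subject that does not cover the connector Fqdn points at the receive connector configuration. Raising ProtocolLoggingLevel to Verbose on the inbound connector and reading the SMTP receive protocol log (its path is shown by Get-TransportService | Format-List ReceiveProtocolLogPath) gives the per-session view of what the F5 actually sent and what the Edge answered before the primary site is put back into service.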