Exchange 2013 - NLB for Inbound Mail

Hi there,

We have installed and configured Exchange 2013 in our environment (3 CAS Servers and 3 Mailbox Servers) and all is working well so far.

However 2 CAS Servers are in our main site and 1 CAS Server is in a DR site.

We have NLB set up for these 3 CAS servers (IP) for our inbound mail (which goes via a third party). There are 2 routes set up on the third party to send email internally (1 via the main site and 1 for the DR site), but both are set up to go to the NLB address internally.

Often we get incomplete packets in the firewall logs, as there are 2 rules set up to forward to the same IP internally but from 2 external sources, if that makes sense.

Main Site
3rd Party >>>>>>>>>> CAS01 or CAS02

Offsite DR
3rd Party >>>>>>>>>> CAS03

Do you know if there is a better way of setting this up so email can come in via either route but not show up as incomplete?

Many Thanks!

Will Szymkowski, Senior Solution Architect, commented:
Couple of things....
- Are you using Windows NLB or a 3rd party hardware load balancer? If you are using Windows Network Load Balancing, I would be looking for another solution for a production environment, as it is not recommended to use WNLB.

We have NLB set up for these 3 CAS servers
- You have all of your CAS servers in the same NLB cluster?

If the above statement is true then this could be exactly why you are having issues. You cannot load balance CAS across different AD Sites. Also, if this is a DR-specific Site you will also have another name space like where users would connect to this Site for mail in the event it fails over.

Any mail that gets routed to the Exchange DR site will get sent over via the CAS load balanced servers in Site1.

If you also want to load balance CAS in DR, you will need to add another CAS in DR and then create a second NLB cluster for the 2 CAS servers specifically in DR.


Terellion (Author) commented:
Hi Will,

At the minute NLB works internally across both sites (i.e. I can disable the NLB NICs on CAS01 and CAS02 to force clients to use CAS03 via the NLB name "CAS") and it works fine.

Using WNLB and static ARP entries on the switches at both sites, the only solution I can think of for receiving email is to set up 1 external IP address for each CAS server and then have failover set up in the 3rd party (message labs): if 1 route internally doesn't work, then use another?
Will Szymkowski, Senior Solution Architect, commented:
"At the minute NLB works internally across both sites (i.e. I can disable the NLB NICs on CAS01 and CAS02 to force clients to use CAS03 via the NLB name "CAS") and it works fine."

Clients only require CAS in a specific site when their mailbox is also present there. If you are load balancing all 3 CAS servers and pointing your clients to the load balanced IP, you are going to run into issues for sure.

If your DR site is specifically for DR and you do not have any active databases in the DR site, then the CAS will just sit there. You will be required to have an external IP in the DR site and also a name space as well like

If you have an external DNS provider, you could always have your secondary IP (DR site) set up as a failover priority for your (primary) connecting name. For this to work correctly externally, you will also need to ensure that your record is configured properly as well.


Terellion (Author) commented:
Hi Will,

We have a DAG set up and 1 of the database copies is in the DR site, so we need it to work in conjunction with the main site (i.e. if we lose the main site but DR is still functioning, they can still use the load balanced IP to connect to the CAS and Mailbox server in the DR site, if that makes sense; this has been tested and continues to work in DR-only mode).

Just wanted inbound mail to be coming through both sites really, but to the same load balanced IP. Sounding like it isn't a good idea...
Simon Butler (Sembee), Consultant, commented:
Why have the complexity of having SMTP in the load balancer at all? It isn't something I usually do.

Each server should have its own host name and external IP address, with a matching PTR. That means that each server can send to the internet without any problems.
Have all servers in the MX records, and then email will continue to flow.

Trying to load balance SMTP simply adds additional complexity for almost no gain. Furthermore, depending on the way you do it and your spam filtering solution, it can make the spam filter close to useless.
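The two pieces of advice above (Will's note about giving the DR IP a failover priority on the external record, and Simon's "own host name, own external IP, matching PTR, all servers in the MX records") can be modelled offline. The script below is an added example for this thread, not code from either poster: it orders MX hosts the way a sending MTA does (lowest preference first, equal preferences in random order), simulates delivery when the primary site is unreachable, and runs the forward-confirmed reverse DNS check that reputation filters apply to the connecting IP. The zone (cas01/cas02/cas03.example.com, the 203.0.113.x and 198.51.100.x addresses and the preferences 10/20) is constructed for illustration.

```python
"""Offline model of MX-based inbound failover plus the FCrDNS check.
Example added to this thread; all names and addresses are constructed."""
import random
from collections import defaultdict

# Constructed external zone: one public IP per server, the two primary-site
# servers at preference 10, the DR server as a lower-priority MX at 20.
MX_RECORDS = [  # (preference, host)
    (10, "cas01.example.com"),
    (10, "cas02.example.com"),
    (20, "cas03.example.com"),
]
A_RECORDS = {
    "cas01.example.com": "203.0.113.11",
    "cas02.example.com": "203.0.113.12",
    "cas03.example.com": "198.51.100.13",
}
PTR_RECORDS = {
    "203.0.113.11": "cas01.example.com",
    "203.0.113.12": "cas02.example.com",
    "198.51.100.13": "cas03.example.com",
}


def mx_candidates(mx_records, rng=random):
    """Order MX hosts as RFC 5321 section 5.1 requires: lowest preference
    value first; hosts sharing a preference are tried in random order."""
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(mx_records, reachable, rng=random):
    """Return the first MX host that accepts the connection, or None when
    no host answers. `reachable` is the set of hosts currently listening."""
    for host in mx_candidates(mx_records, rng):
        if host in reachable:
            return host
    return None


def fcrdns_ok(host, a_records, ptr_records):
    """Forward-confirmed reverse DNS: host -> A -> PTR must name a host
    whose A record is the same IP. A shared VIP with a generic PTR fails."""
    ip = a_records.get(host)
    if ip is None:
        return False
    reverse_name = ptr_records.get(ip)
    return reverse_name is not None and a_records.get(reverse_name) == ip


def audit(mx_records, a_records, ptr_records):
    """Per MX host: (has an A record, passes FCrDNS)."""
    return {host: (host in a_records, fcrdns_ok(host, a_records, ptr_records))
            for _, host in mx_records}


if __name__ == "__main__":
    rng = random.Random(0)
    everyone = set(A_RECORDS)
    print("all up      :", deliver(MX_RECORDS, everyone, rng))
    print("main site down:", deliver(MX_RECORDS, {"cas03.example.com"}, rng))
    print("all down    :", deliver(MX_RECORDS, set(), rng))
    for host, (has_a, ok) in audit(MX_RECORDS, A_RECORDS, PTR_RECORDS).items():
        print(f"{host}: A={has_a} FCrDNS={ok}")
```

With this layout the third party (or any sender) never needs to know about the internal NLB address: each external IP NATs to exactly one server, so the two-routes-to-one-IP condition from the original question does not arise, and the DR server only receives mail when both preference-10 hosts are down.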

Terellion (Author) commented:
Hi Simon, each Mailbox Server can send externally without any issues using its own NAT rule in the firewall, but it is the receiving bit I was wanting to resolve, as it is the CAS servers that are the ones receiving the mail.

Thanks for your help anyway :)
Simon Butler (Sembee), Consultant, commented:
If you have the mailbox role sending email, why not have them receive email as well?

As I wrote above, you appear to be trying to overcomplicate the implementation for no real gain.

Terellion (Author) commented:
Hi Simon,

We have split the roles of the servers, so the CAS servers receive the mail and the Mailbox Servers send the mail.

I have set up in messagelabs to send to CAS01 on our primary site and then CAS03 on secondary as a failover option in case CAS01 dies.