MCP200

asked on

F5 - Setting up exchange email

Hi There,

I have a requirement to forward all inbound and outbound SMTP 25 (TLS) email to Symantec message lab. This question is a mixture of architecture and applying the right solution on F5. The requirement is to set up a VIP on F5. My understanding is that the traffic will be forwarded to our location, through our edge firewall (and NAT'd - public IP to private) to a private F5 VIP IP (with backend Exchange mail edge servers in a pool). Additionally, we need to have our egress mail traffic (that is sourced from the edge pool members) reverse-proxy back through the same VIP IP address (currently used for ingress traffic).

We have internal and external F5s. Would the above scenario be best done on the LTM that's facing external? Also, do I need any iRules on F5? Do you need specific natting on the F5s or just leave it as default?

Regards
Sam
giltjr

I don't know if this is the normal way, but when we used Symantec Message labs what we did was set our public MX record to point to them. Then we configured our account on their service to forward to our Exchange servers.

For outbound e-mail we configured our Exchange servers to relay through the Symantec service.
MCP200

ASKER

Hi giltjr, Thanks for your reply.

Our MX record already points to Message-Lab. However, the requirement will be to change the existing public IP address and host SMTP internally, for which I will need the SMTP traffic to go through F5. Should the Exchange server have an interface in the external DMZ, and have the F5 forward the traffic on port 25 to the Exchange server's DMZ interface? What's the best way of setting this up?

giltjr

What we did was something like below. The FW NAT'ed the public IP to a VIP on the F5, and then we had 2 EX SMTP servers that were in a single pool on the F5. The EX server was on two networks: the internal one that users used to access Exchange, and one that was isolated between the F5 and the EX server. Any server that the F5 fronted was on IP SUBNET#2.

I am assuming that you are still going to have your MX record pointing to Message-Lab and set up Message-Lab to forward to your public IP address.

As for outbound e-mail, we never did that through the F5, but it should be easy enough to set up.


 |------|
 |  FW  |
 |------|
     |
     |  IP SUBNET#1
     |
 |------|
 |  F5  |
 |------|
     |
     |  IP SUBNET#2
     |
 |------------|
 | EX Servers |
 |------------|
     |
     |  IP SUBNET#3
     |
 |-------|
 | USERS |
 |-------|

MCP200

ASKER

Thanks for that.
That's my approach. Also, would you set up automap for NATting? And would you host on the external load balancer or internal?

Regards,
ASKER CERTIFIED SOLUTION
giltjr

MCP200

ASKER

Hi giltjr

Thanks for the clarifications, I am now on the right track.

Two more questions please, and we can solve this thread. What if I have two Exchange servers that are in a server farm and are a part of an "NLB cluster": would I put the NLB cluster in the external DMZ, or only one physical interface? Because from F5 you can only point to one specific interface. And do I need iRules on F5 for outbound emails?

Many Thanks
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: giltjr (https:#a42294479)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer