Exchange 2013 CAS proxying

  • Question

  • Hello,

    We have an Exchange 2013/2010 environment (coexistence): 2 CAS and 2 MBX (in a DAG) servers for every Exchange version. One AD site.

    1. Ex 2013 CAS servers are published to the Internet. As mail flow is performed by the MBX servers, the Internet destination mail server receives the HELO/EHLO FQDN specified in the MBX send connector, and this name should correspond to the Internet name specified in DNS for the communicating CAS server. As we have 2 CAS servers, we can have a situation where the EHLO FQDN does not correspond to the checked DNS server name (PTR record). How can this be avoided?

    Moreover, what is the mechanism by which mail is directed from the MBX server to one of the CAS servers? The MBX send connector has no option to configure the proxying CAS server.

    2. I would expect that the MBX server holding the active database copy is responsible for delivering mail for an external recipient to the CAS server. However, it seems this is not true. Are there any circumstances when mail can be pinged between EX2013 MBX servers? Additionally, I suspect this behavior is the reason why mails sent from an Ex2013 mailbox are multiplied and received as a few copies. It is sporadic, but still a point to be caught.

    Thank you for your help.


    • Edited by anlims Monday, December 30, 2013 6:47 PM
    Sunday, December 29, 2013 6:35 PM

Answers

  • Depends on how your NAT is set on your firewall.  My guess is there is a specific NAT for each CAS server.  One way to handle things is to remove the specific NATs and allow both servers to get the same external IP.  However, this might impact any firewall rules that allow for HTTP/HTTPS/SMTP - depending on how complex your environment is.  The other option, if your firewall allows it, is to NAT both internal IPs to the same external IP.  Again, you will want to review your firewall rules to see if this would work.

    One last possibility is to use WNLB.  If these servers are CAS role only, this would give the pair one IP to go out on and thus you would be able to use one name as well.  

    Good example of this - http://msexchangeguru.com/2013/08/14/windowsnlb/.


    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    • Marked as answer by anlims Saturday, February 8, 2014 1:09 PM
    Saturday, January 18, 2014 7:04 PM

All replies

  • If you want email to take a certain route outbound, then you need to configure your Send Connector to use only one server as the source (under Scoping).  Once you do that, any emails outbound will be sent through that connector.  What do you have currently configured on your Send Connector(s)?


    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    Tuesday, January 14, 2014 5:06 AM
  • Thanks for the reply. 

    Currently we have 1 send connector per MBX server to track issues. Then we plan to set both servers within one send connector. Connectors are proxy enabled. The point is we have 2 CAS servers with 2 external addresses (and 2 PTR records accordingly). So, we specify the EHLO on the MBX send connector, the request is proxied by either of the CAS servers, and then the EHLO name possibly does not correspond to one of the PTR records.

    The idea is how to set Exchange to send the EHLO name based on the proxying CAS server, or to perform some mechanism to have a proper name check.


    Tuesday, January 14, 2014 10:11 AM
  • Why not have two A records for the same external DNS name?  Like mail.domain.com - IP1 and mail.domain.com - IP2.  Then make the FQDN on your send connector mail.domain.com.  This would eliminate any need for two different FQDNs.


    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    Tuesday, January 14, 2014 6:34 PM
  • As I understand, that would not work. A mail is received from EHLO server name mail.domain.com that is resolved to address 1.1.1.1, then a reverse DNS check is performed and 1.1.1.2 is returned. And this needs to be avoided.

    Wednesday, January 15, 2014 11:17 PM
  • Good point. 

    I'll be honest and tell you that most of my customers do not use the FE Proxy.  Is there a particular reason you want to use this feature?  Using Exchange 2013 without this would simplify your mail flow as well as remove this potential issue.

    As a side note, my testing revealed the same thing.  There also does not seem to be a place to specify a particular CAS server for proxying the traffic or even an order of servers to use.  Might be this way for high availability concerns.


    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    Thursday, January 16, 2014 6:40 PM
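    Putting the points raised so far into a single check, as an added example that is not code from this thread, from Microsoft or from the poster: the script below lists the Send Connectors that leave through the CAS front-end proxy (their EHLO FQDN and the source MBX servers, the scoping mentioned earlier) and, for each CAS external IP, compares the connector's FQDN against the PTR record and the forward lookups a receiving mail server typically performs. Get-SendConnector, Set-SendConnector and Resolve-DnsName, and the Fqdn, SourceTransportServers and FrontendProxyEnabled properties, are real cmdlets and properties; the $CasExternalIPs list, the function name Test-EhloReverseDns and the 203.0.113.x addresses are assumptions and constructed sample values.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# Windows Server 2012 or later (Resolve-DnsName comes from the DnsClient module).
# Exchange has no record of the public IPs the firewall NATs the CAS servers to,
# so they are supplied by hand. ASSUMPTION: constructed sample addresses.
$CasExternalIPs = @('203.0.113.10', '203.0.113.11')

function Test-EhloReverseDns {
    # For one EHLO name and a list of sending IPs, report what a receiving MTA
    # would see: the PTR name, whether it matches the EHLO name, whether the
    # EHLO name resolves to the IP, and whether the PTR name resolves back to it.
    param(
        [Parameter(Mandatory)][string]$EhloFqdn,
        [Parameter(Mandatory)][string[]]$ExternalIPs
    )
    foreach ($ip in $ExternalIPs) {
        # Reverse lookup: Resolve-DnsName converts the IP to in-addr.arpa itself
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $ptrName = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { $null }

        # Forward lookup of the EHLO name: does it include this IP?
        $ehloIPs = @(Resolve-DnsName -Name $EhloFqdn -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

        # Forward-confirmed reverse DNS: does the PTR name resolve back to the IP?
        $fcrdns = $false
        if ($ptrName) {
            $ptrIPs = @(Resolve-DnsName -Name $ptrName -Type A -ErrorAction SilentlyContinue |
                        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
            $fcrdns = $ptrIPs -contains $ip
        }

        [pscustomobject]@{
            ExternalIP       = $ip
            EhloFqdn         = $EhloFqdn
            PtrName          = $ptrName
            PtrMatchesEhlo   = [bool]($ptrName -and ($ptrName -ieq $EhloFqdn))
            EhloResolvesToIP = [bool]($ehloIPs -contains $ip)
            ForwardConfirmed = [bool]$fcrdns
        }
    }
}

# Only connectors whose mail is proxied through the CAS front end are affected
Get-SendConnector | Where-Object { $_.FrontendProxyEnabled } | ForEach-Object {
    $connector = $_
    $fqdn = [string]$connector.Fqdn
    Write-Host ("Connector '{0}': FQDN='{1}' SourceTransportServers={2}" -f `
        $connector.Name, $fqdn, ($connector.SourceTransportServers -join ','))
    if (-not $fqdn) {
        # With no FQDN set, Exchange advertises the sending server's own name,
        # so there is nothing fixed to compare against.
        Write-Warning "No FQDN configured on '$($connector.Name)'; skipping DNS check."
        return
    }
    Test-EhloReverseDns -EhloFqdn $fqdn -ExternalIPs $CasExternalIPs | Format-Table -AutoSize
}
```

    A row where ForwardConfirmed is true but PtrMatchesEhlo is false is exactly the situation described in this thread: the PTR and the EHLO name are each valid on their own but do not agree. The knobs discussed above map onto Set-SendConnector: -SourceTransportServers scopes the connector to a chosen MBX server, -Fqdn sets the advertised EHLO name, and -FrontendProxyEnabled $false stops proxying through the CAS servers altogether; none of them chooses which CAS server does the proxying.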
  • Do you mean using CAS/MBX on one server, or some gateway, can prevent this from happening?

    I am not the one who has designed this topology. So in our case there is no solution?

    Friday, January 17, 2014 2:27 PM
  • I guess our firewall is not able to perform this.

    As I know, WNLB is not an officially supported solution for Exchange 2013.

    So we decided to leave it as is for now.


    • Edited by anlims Thursday, January 23, 2014 9:44 AM
    Thursday, January 23, 2014 9:43 AM
  • Just to clarify, WNLB is supported for Exchange 2013, but it is not recommended.  It is much better to deploy hardware load balancers for high availability.

    http://technet.microsoft.com/en-us/library/jj898588(v=exchg.150).aspx

    http://www.stevieg.org/2010/11/exchange-team-no-longer-recommend-windows-nlb-for-client-access-server-load-balancing/

    Thanks.


    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    Friday, January 31, 2014 10:02 PM
  • Does it mean that if WNLB is deployed and there is something wrong, a support case can be opened as usual?

    It is not clear how to mark replies as helpful.

    Thank you for your help.

    Saturday, February 1, 2014 4:25 PM
  • Not sure how to mark the question off hand, other than maybe clicking on the up arrow above the "Vote" text on the left.

    As for support, as far as I know, they will support you.  I had a client with NLB on Exchange 2013 who engaged Microsoft Support and they were able to assist them with their issue.


    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    Sunday, February 2, 2014 3:53 AM
  • Let me know if you need any further assistance on this or if you can mark your question as answered.

    JAUCG - Please remember to mark replies as helpful if they were or as answered if I provided a solution.

    Thursday, February 6, 2014 11:37 PM
  • I guess this point is clear.  I have marked the most appropriate post as answer.  Thank you very much for your assistance.
    Saturday, February 8, 2014 1:10 PM