Proxy Through Client Access Server is not working

Dears

Recently I have deployed a 4-node Exchange environment; the details are as below:

Exchange 2013 CU7 on Windows 2012 R2

2 CAS Role Servers with NLB

2 Mailbox Role Server with DAG.

No Smart Host used on the Send Connector

No Edge Server deployed.

In order to simplify the firewall rules and force the outbound e-mail flow through the CAS server, I have enabled the "Proxy through Client Access Server" option on the send connector.

But when I test the mail flow, it shows the mailbox IP.

Can anybody help me on this?

Best regards

Muralee


  • Edited by Muraleee Monday, March 23, 2015 7:13 AM Added more details.
March 23rd, 2015 7:11am

Hi Satyajit

Thanks for the reply.

I am testing the outbound Internet Mail flow.

Best regards

Muralee

March 23rd, 2015 7:36am

Hi,

According to your description, I understand that mail flow does not go through the CAS server even though Proxy through Client Access Server is enabled on a send connector.
If I misunderstand your concern, please do not hesitate to let me know.

Based on my research and the Microsoft documentation, if you enable Proxy through Client Access Server on a send connector, the Client Access server simply acts as a proxy for the connection so that the receiving host out on the internet sees the connection as coming from the Client Access server name and IP address rather than the Mailbox server. We can check the message header to compare.
For more details, please refer to the "Network ports required for mail flow (no Edge Transport servers)" section in "Network ports for clients and mail flow in Exchange 2013": https://technet.microsoft.com/en-us/library/bb331973(v=exchg.150).aspx

How do you test the outbound mail flow and get the IP for mailbox? Would you please double check the message header to get more information?

Thanks

March 24th, 2015 3:30am

Dear Allen

Thanks for the reply.

Yes, I was checking the message headers, and it shows the mailbox IP.

Best regards

Muralee

March 24th, 2015 3:34am

Dears

I would like to add the below inputs as well.

- Do I need to restart any of the Exchange Services after enabling the option?

- In my scenario I have 2 CAS servers; does it mean that I need additional configuration?

Best regards

Muralee

March 25th, 2015 2:21am

Hi Muralee,

Please let us know which message's headers you are checking, and from where.

E.g. an email sent from @yourdomain.com to @externaldomain.com

Now you should be checking the email in the Outlook\client of externaldomain.com, or at least an email from @externaldomain.com

Can you paste some of the header for us to review?

March 25th, 2015 2:44am

Hi Satyajit

I am checking the e-mail header of an email sent from "internal domain" to "external domain".

The below header is captured from the e-mail sent from the customer (who is having the issue now) to my e-mail address (external).


Received: from mail.public.name (mail.public.name [Public IP]) by
 mail1.inet.net.sa with ESMTP id AufIYSHyX0fdpxmv; Wed, 25 Mar 2015 10:02:43
 +0300 (AST)
X-Barracuda-Envelope-From: sender@customerdomain
X-Barracuda-Apparent-Source-IP: Public IP
Received: from MB1 (Internal IP of the Mailbox server) by MB1 (Internal IP of the Mailbox server) with
 Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 25 Mar 2015 09:59:13 +0300

Regards

Muralee

March 25th, 2015 7:50am

Hi Muralee,

Hope this is the full header. Try analyzing the data using the https://testconnectivity.microsoft.com/ Message Analyzer.

"Received: from mail.public.name (mail.public.name [Public IP])" is the CAS IP that is being shown to the external world, hence it's listed here.

Your internal CAS IP wouldn't be listed here.

Refer to the below article which explains this nicely.

http://exchangeserverpro.com/exchange-2013-front-end-proxy/

March 27th, 2015 8:20am
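
Added example (not part of the original thread): a short Python script that separates the `Received` hop stamped by the outside receiver, which records the address the connection actually came from, from the hops stamped by internal servers. The sample message is constructed after the header pasted above, with placeholder names and addresses, and `classify` and its `internal_hosts` argument are hypothetical helpers.

```python
import re
from email import message_from_string

# Constructed sample modelled on the pasted header; every name and address
# is a placeholder (documentation / private ranges), not a value from the thread.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [203.0.113.10]) by
 mx.recipient.example with ESMTP id CONSTRUCTED1; Wed, 25 Mar 2015 10:02:43
 +0300 (AST)
Received: from MB1 (10.0.0.21) by MB1 (10.0.0.21) with
 Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 25 Mar 2015 09:59:13 +0300
From: sender@customer.example
To: me@recipient.example
Subject: test

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s*\((?P<detail>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw):
    """Return hops newest-first as (claimed_name, observed_ip, stamping_host)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # skip Received lines in a shape this sketch does not parse
        ip = IP.search(m.group("detail"))
        hops.append((m.group("helo"), ip.group(0) if ip else None, m.group("by")))
    return hops

def classify(raw, internal_hosts):
    """Split hops into the one stamped at the organisation's edge and internal ones."""
    internal = {h.lower() for h in internal_hosts}
    hops = received_hops(raw)
    outside = [h for h in hops if h[2].lower() not in internal]
    inside = [h for h in hops if h[2].lower() in internal]
    # The oldest hop stamped by a host outside the organisation shows which
    # address the outbound connection came from (after NAT, the public one).
    edge = outside[-1] if outside else None
    return edge, inside

if __name__ == "__main__":
    edge, inside = classify(SAMPLE, {"MB1"})
    print("seen by receiver:", edge)
    print("internal hops   :", inside)
```

Only the edge hop reflects what the receiving host observed; a hop stamped by the Mailbox server itself describes internal transport and says nothing about which server opened the outbound connection.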

Hi Satyajit

Thanks for the reply. Hence, does it mean that the headers will show the Mailbox server IP? (If I am not mistaken.)

Because as per the article it should show the Client Access Role Server in the headers, but it is not showing.

(I tried it with https://testconnectivity.microsoft.com/ )

Then in my firewall what is the NAT I should make for the Outbound?

Regards

Muralee


March 29th, 2015 1:45am


This topic is archived. No further replies will be accepted.
