Unable to reach Exchange 2010 Hub port 25 from Edge in DMZ?
This is a new Exchange 2010 installation and a new AD. Exchange 2010 works with Outlook inside my firewalls. I am trying to install an Edge server in my DMZ to migrate my current email solution fully to Exchange. The Edge server is installed in the DMZ.
The Edge server is reachable by ping, resolves with my internal DNS (hosted on the AD box), and I can RDP to the Edge server.
I have a Linux box also in the DMZ. Using the Linux box and the command "nmap -P0 -O 10.1.2.39" I am not able to find any open ports on the Exchange server.
I have the firewall between my internal network and the DMZ down for this test. I have stopped the firewall on the Exchange server. Why are the ports not accessible from the DMZ?
10.1.2.0/24 internal network
192.168.200.0/24 DMZ
Exchange 2010 HT, CAS, etc on internal network (the same box)
Exchange Edge Server 2010 in DMZ
Mike
February 1st, 2012 12:25pm
Can you telnet the Hub server on Port 25 from any other server or PC on your network i.e. not in the DMZ?
If you telnet from the Edge to the hub on port 25 does it just fail or does it connect briefly first?
February 1st, 2012 1:37pm
I can telnet to the Hub from any box in the internal network just fine. I have the internal mail server, that I'm replacing, forwarding messages to Exchange. That part is working fine. I can also telnet from the Linux box in the DMZ to the Edge server in the DMZ. I cannot telnet from either the Linux box or the Edge server in the DMZ to the Hub in the internal network.
I have the firewall down between DMZ and internal network.
I just tried again from DMZ to Hub on port 25 and got a "connection refused". I'm trying again from DMZ to Hub on port 80 and am getting a time out.
Mike
February 1st, 2012 1:44pm
Is the receive connector on the Hub configured to only accept traffic from certain networks?
February 1st, 2012 1:49pm
I see a tab for "Send Connectors". I see no tab for "Receive Connectors".
Remote Domains: *
Accepted Domains: seven domains owned by this company
Email Address Policy: Default
Transport Rules: (none)
Journal Rules: (none)
Send Connectors: Default, Edgesync - Inbound to Company-AD, Edgesync - Company-AD to Internet
Edge Subscriptions: the name of the Edge server, true, company.com/Configuration/Sites/Company-AD
Global Settings: Transport Settings
For the two Edgesync connections I have the name of the Hub server and not the name of the Edge server in the FQDN.
I don't think I've changed anything else since accepting the xml file from the Edge server.
Mike
February 1st, 2012 1:56pm
Receive connectors are configured in the Server tree -> Hub Transport
________
Edit: It should be configured automatically by the edge subscription process (if that was successful).
February 1st, 2012 2:04pm
My apologies. I'm new to the Microsoft world.
I have two receive connectors:
Default:
General: verbose (just now), hub.company.com, 10240
Network: IPv4:25, IPv6:25, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0 - 255.255.255.255
Authentication: Enable Domain not checked, Externally Secured not checked, the rest checked
Permission Groups: all checked except Partners
Client hub:
General: verbose (just now), hub.company.com, 10240
Network: IPv4:587, IPv6:587, ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0 - 255.255.255.255
Authentication: Enable Domain not checked, Exchange Server not checked, Externally Secured not checked, the rest checked
Permission Groups: only Exchange Users checked
February 1st, 2012 2:11pm
No worries :)
The network line is allowing all IPs so that looks OK.
Did the Edgesync process complete OK - no errors?
February 1st, 2012 2:25pm
Steve,
Looks like the synchronization is ok. I get this from the Hub server:
[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode
RunspaceId : 22b56253-ec95-4cc9-a3d5-d99166fa1146
SyncStatus : Normal
UtcNow : 2/1/2012 7:15:11 PM
Name : edge
LeaseHolder : CN=HUB,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
LeaseType : Option
FailureDetail :
LeaseExpiryUtc : 2/1/2012 7:43:56 PM
LastSynchronizedUtc : 2/1/2012 7:13:56 PM
TransportServerStatus : Synchronized
TransportConfigStatus : Synchronized
AcceptedDomainStatus : Synchronized
RemoteDomainStatus : Synchronized
SendConnectorStatus : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus : Synchronized
CredentialRecords : Number of credentials 3
CookieRecords : Number of cookies 2
[PS] C:\Windows\system32>Start-EdgeSynchronization
RunspaceId : 22b56253-ec95-4cc9-a3d5-d99166fa1146
Result : Success
Type : Recipients
Name : edge
FailureDetails :
StartUTC : 2/1/2012 7:15:28 PM
EndUTC : 2/1/2012 7:15:28 PM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
RunspaceId : 22b56253-ec95-4cc9-a3d5-d99166fa1146
Result : Success
Type : Configuration
Name : edge
FailureDetails :
StartUTC : 2/1/2012 7:15:28 PM
EndUTC : 2/1/2012 7:15:28 PM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
February 1st, 2012 2:28pm
OK that looks good. The edge uses port 50636 to synchronise its directory with AD so the hub can communicate with it on that port. The fact that you are getting a connection refused from the hub on port 25 tells me that you are connecting to that server but the firewall or some other service on that box is interfering.
Can you connect to OWA HTTPS (or telnet 443) on the Exchange box from the Edge?
February 1st, 2012 3:05pm
I get a timeout on 443. I have tried turning off the firewall on Hub, but I still cannot connect.
Before I realized the Edgesync process would keep Hub and Edge working together, I created my seven domains on Edge. When I realized the sync process was supposed to do this, I deleted four of my domains on Edge. Though the sync process is running I have not seen the other four domains return. Should I delete all Edge domains and resync? Is this a separate topic?
Mike
February 1st, 2012 3:23pm
Well 443 is totally separate from SMTP and any kind of edgesync process - if you have no firewall between the edge and hub (or it is down as you said) then effectively these 2 servers are on the same LAN. You should be able to get some response from the server on 443 so I'm guessing that either the firewall on the server isn't off (or there is something wrong with it) or your DMZ firewall is still blocking this traffic.
February 1st, 2012 3:29pm
It's something on the Hub box. On the Hub box I can "telnet 192.168.100.2 22" and get the right response, but "telnet 192.168.100.2 25" hangs. When I .... crap, maybe that's it. I added a custom rule to the firewall to prevent anything from exiting the internal network except messages coming from the current mail server. I need to modify that rule and test again.
February 1st, 2012 3:54pm
Steve,
I replied this morning, but I don't see the reply, so I am replying again. I wonder if there will be duplicates.
I modified my core router traffic rules. The core router manages the traffic between different security zones. I put some custom rules in place, outside the management interface, to prevent email traffic from being sent except from the email server. We were having some virus issues at the time.
A high security zone can send and see anything in a lesser security zone, so Hub can see everything at Edge, but Edge cannot see stuff at Hub unless explicitly allowed.
I run the Best Practices Analyzer and it reports that Hub cannot be contacted by Edge. I can telnet to port 25 on each server from the other, so that's open now. I also have port 50636 open from Edge to Hub. What other ports do I need to open?
Mike
February 4th, 2012 9:38am
Steve and Jessie,
I think this is all working now. I'm moving on to other parts of this installation. Thank you very much for your help!
Mike
February 4th, 2012 10:30am
Regarding the Accepted Domains syncing. I find that the domains are not being refreshed automatically on the Edge's Exchange Management Console (EMC). When I stop and restart the EMC, the domains are there. I may need to do a "Start-EdgeSynchronization -ForceFullSync" to make sure the Edge is up to date with the Hub.
Mike
February 4th, 2012 12:35pm
Hi Mike
Good news, at least you are making progress. The only ports required are 50636 and 25 - perhaps you should delete the edgesync and start again now that the comms are correct. This will also refresh all the domain info including the accepted domains list.
Cheers, Steve
February 4th, 2012 1:39pm
On the receive connectors make sure anonymous is enabled. Otherwise it will not connect to any server or receive mail from any source it does not trust.
February 5th, 2012 4:57am
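The two checks the thread converges on, Steve's "only ports 50636 and 25 are required" and the last reply's receive connector permissions, as one added script (not code from the thread; the hostnames are placeholders). Connect attempts are made with a raw TcpClient rather than telnet so that a refused connection (host reachable, port rejected) is reported separately from a timeout (packets silently dropped by a firewall or zone rule), which is exactly the distinction that located the core router rule above.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Edge (to test Edge -> Hub) or on the Hub (to test Hub -> Edge).
# Placeholder hostnames; replace with your own.
$Hub  = 'hub.company.com'
$Edge = 'edge.company.com'

# Reports OPEN, REFUSED (TCP reset: host up, port closed or rejected by a rule)
# or TIMEOUT (no answer at all: packets dropped in transit) for one host:port.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "$ComputerName`:$Port TIMEOUT (dropped; check firewall / zone rules)"
        }
        $client.EndConnect($async)   # throws on an active refusal
        return "$ComputerName`:$Port OPEN"
    } catch {
        $msg = $_.Exception.GetBaseException().Message
        return "$ComputerName`:$Port REFUSED ($msg)"
    } finally {
        $client.Close()
    }
}

# Only two ports matter between Edge and Hub: 25 (SMTP, both directions) and
# 50636 (secure LDAP for EdgeSync, Hub -> Edge).
Test-TcpPort -ComputerName $Hub  -Port 25
Test-TcpPort -ComputerName $Edge -Port 25
Test-TcpPort -ComputerName $Edge -Port 50636

# Receive connector check on the Hub, for the point raised in the last reply:
# does the port-25 connector cover the Edge's address in RemoteIPRanges, and
# does its PermissionGroups include AnonymousUsers?
Get-ReceiveConnector -Server $Hub |
    Where-Object { $_.Bindings | Where-Object { $_.Port -eq 25 } } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Connector        = $_.Name
            RemoteIPRanges   = ($_.RemoteIPRanges -join ', ')
            AnonymousAllowed = ("$($_.PermissionGroups)" -match 'AnonymousUsers')
        }
    } | Format-Table Connector, RemoteIPRanges, AnonymousAllowed -AutoSize
```

A REFUSED result on port 25 from the Edge side, with the Windows firewall confirmed off on the Hub, points at a network device rejecting the connection rather than at the Hub itself.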