Edge Transport server in DMZ????

All Forums >> [Microsoft Exchange 2007] >> Message Routing


rgorman -> Edge Transport server in DMZ???? (27.Jul.2006 6:21:42 PM)

I installed Exchange 2007 Beta 2 yesterday.  Here was the setup...

1 three-pronged ISA 2004 firewall (1 WAN, 1 LAN, 1 DMZ) - the LAN and DMZ both use NAT to access the internet, but I can route from the LAN to the DMZ, not the other way around...
1 Windows 2003 R2 DC with Exchange 2007 set up with the Hub Transport, Client Access, and Mailbox options selected, attached to the LAN network of the ISA
1 Windows 2003 R2 stand-alone server with Exchange 2007 installed with just the Edge Transport component installed.

I created an SMTP publishing rule on the ISA server that permitted access to the SMTP service on the Edge Transport server (I confirmed that the rule worked by telnetting to port 25 on the WAN interface of ISA and got an ESMTP response from the Exchange SMTP service).

I created outbound client access rules in ISA for both the LAN and the DMZ to permit both computers behind the ISA server access to the Internet.

I created a client access rule that permitted the LAN network access to the DMZ.

So at this point the LAN network could get out to the internet and to the DMZ computer, while the DMZ computer could only get out to the Internet, not back in to the LAN.

I ran the New-EdgeSubscription -file "C:\EdgeSubscriptionExport.xml" command from the Edge Transport server and created the XML file.  From the Exchange server on the LAN, I copied that XML file to the local hard drive, ran the Edge Subscription wizard and selected the file.  I was then able to run the Start-EdgeSynchronization command to push out the configuration to the Edge Transport server.

I then created a Receive connector on the Edge Transport server.  At this point I believe I was able to send mail outbound out to the Internet successfully.  However, when I replied back I got the following error message delivered back to my external email account...

Sorry, we couldn't deliver your message to the following people or distribution lists. We hope the information below helps you understand what happened. Please read it carefully.

You are not allowed to send e-mail messages to this recipient. Microsoft Exchange will not attempt to redeliver this e-mail message for you. Please ask your system administrator for help.
You are not allowed to send e-mail messages to this recipient. Microsoft Exchange will not attempt to redeliver this e-mail message for you. Please ask your system administrator for help.
To determine which organization rejected your message, please see the domain name of this server name: VMWAREDC.nwtraders.msft. For a server name such as edge1.contoso.com, the domain name is contoso.

Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:
Generating server: nwtraders.msft
VMWAREDC.nwtraders.msft #530 5.7.1 Client was not authenticated ##
VMWAREDC.nwtraders.msft #530 5.7.1 Client was not authenticated ##
Original headers:
Received: from mailout.test.ca ( by
VIRTUALSERVERR2.nwtraders.msft ( with Microsoft SMTP Server id
8.0.605.16; Wed, 26 Jul 2006 14:48:37 -0700
Received: from GATEWAYS-MTA by mailout.test.ca with Novell_GroupWise; Wed,
26 Jul 2006 14:48:30 -0700
Message-ID: <s4c780be.061@mailout.test.ca>
X-Mailer: Novell GroupWise Internet Agent 6.5.6
Date: Wed, 26 Jul 2006 14:48:10 -0700
From: Test <test@test.ca>
To: <administrator@nwtraders.msft>, <test@nwtraders.msft>
Subject: test in 2:48
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=__Part02278C0A.0__="
X-Guinevere: 3.2.0 ; Test
Return-Path: test@test.ca
Received-SPF: None (VIRTUALSERVERR2: test@test.ca does not designate
permitted sender hosts)

So I am wondering if I need to publish my internal SMTP server on the Hub Transport server out to the DMZ so that it can be accessed from the Edge Transport server?  How else would the mail make it in to the LAN?  When I was reading the setup guide it didn't really state that that was necessary.  The subscription was a one-way subscription and I just needed to permit SMTP and LDAP out to the Edge Transport server.

Once I removed the subscription and published SMTP directly from the Internet to my Hub Transport server and created Send and Receive connectors for it I was able to successfully send and receive emails from the outside.

If anyone can shed some light on this configuration then I would appreciate it.

Thanks in advance..
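An added example, not part of the original post, for anyone reproducing this setup: the Received headers in the NDR show the Edge server (VIRTUALSERVERR2) accepting the message from the Internet and the 530 5.7.1 coming from the Hub server (VMWAREDC), which is the Edge-to-Hub hop. EdgeSync in Exchange 2007 needs TCP 25 open in both directions between Hub and Edge plus TCP 50636 (secure LDAP) from Hub to Edge, so the script below wraps the subscription cmdlets from the post with a port check for each of those paths and a listing of the Hub's Receive connectors. The host names are taken from the NDR headers; the Active Directory site name, the subscription file path and the Test-TcpPort helper are assumptions introduced here and not from the post. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post): EdgeSync set-up and the checks for the
# "530 5.7.1 Client was not authenticated" path seen in the NDR above.
# Host names come from the NDR headers; the site name and the file path are assumptions.
$Edge = "VIRTUALSERVERR2"          # Edge Transport server in the DMZ
$Hub  = "VMWAREDC"                 # Hub Transport server on the LAN
$Site = "Default-First-Site-Name"  # assumption; confirm with: Get-ExchangeServer $Hub | Format-List Site
$SubscriptionFile = "C:\EdgeSubscriptionExport.xml"

# Step 1, on the Edge Transport server: export the subscription file.
#   New-EdgeSubscription -FileName $SubscriptionFile
# Step 2, on the Hub Transport server: import it as raw bytes and bind it to the AD site.
#   New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)) -Site $Site
# Step 3, on the Hub: push the configuration to the Edge and verify the replication.
#   Start-EdgeSynchronization
#   Test-EdgeSynchronization | Format-List

# Plain TCP connect with a timeout; returns $true when the remote port accepts the connection.
# ($Host is a PowerShell automatic variable, so the parameter is named ComputerName.)
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $connected = $false
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws if the connection was refused
            $connected = $true
        }
    } catch { $connected = $false }
    finally { $client.Close() }
    return $connected
}

# EdgeSync needs all three of these paths through the LAN/DMZ firewall. The first two are
# tested from the Hub, the third from the Edge; a LAN-to-DMZ-only rule leaves the third closed.
$checks = @(
    @{ From = $Hub;  To = $Edge; Port = 25;    Why = "Hub -> Edge SMTP (outbound mail)" },
    @{ From = $Hub;  To = $Edge; Port = 50636; Why = "Hub -> Edge secure LDAP (EdgeSync replication)" },
    @{ From = $Edge; To = $Hub;  Port = 25;    Why = "Edge -> Hub SMTP (inbound mail)" }
)
foreach ($c in $checks) {
    if ($env:COMPUTERNAME -ieq $c.From) {
        $ok = Test-TcpPort -ComputerName $c.To -Port $c.Port
        "{0,-50} {1}" -f $c.Why, $(if ($ok) { "open" } else { "BLOCKED" })
    }
}

# Receive connectors on the Hub: the connector that takes mail from the Edge must cover the
# Edge's address in RemoteIPRanges and grant the ExchangeServers permission group, which is what
# lets the Edge authenticate. A session the Hub cannot authenticate is rejected with exactly the
# "530 5.7.1 Client was not authenticated" shown in the NDR.
Get-ReceiveConnector -Server $Hub |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
```

On the ISA side the matching change is an access rule from the DMZ network to the LAN limited to the Edge server's address as the source, the Hub server's address as the destination and SMTP (TCP 25) as the protocol, rather than opening the DMZ to the whole LAN; the Hub-to-Edge rule for SMTP and TCP 50636 stays as the post describes.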

