
Inbound SMTP NAT / Policy for Exchange 2010, 1 Gateway, 2 ISPs


I have a CheckPoint 5210 gateway and a Smart-1 410 Management server, both running R80.10

Our Exchange 2010 Server is a bare metal server with all exchange roles except edge transport running on the one box.

The Hub transport role connects inbound and outbound SMTP connectors to the internet without an edge transport server in the mix.

Currently, the network object for the Mail server has a static NAT set on it, which adds automatic address translation rules and enables our externally facing IP address that translates to

The existing setup is already deployed and has been for some time; it works fine for the most part.

However, predating my employment here, the MX records were set up to go first to and if not available, to a couple of other services that will redirect email to a spillover mailbox outside of our system. A single mailbox.

The problem is, since there is no way to have MX wait a bit before going to the next choice, if there is the slightest glitch in our FIOS business 75/75 service I spend a lot more time each day than I would like forwarding emails from that mailbox, to the correct person(s) within our company, and changing the reply-to address in my forwarded email to match the original sender.

We have FIOS connected to one of the 5210 interfaces.

We are not ready to try setting up ISP redundancy yet, so that is not the route I want to take at this time.

But we DO have a secondary ISP (LightPath) which is connected to another interface on the gateway. Currently that connection is not doing anything for us.

What I am trying to achieve is purely limited to dealing with inbound SMTP (not ActiveSync or Autodiscover or any of the HTTPS stuff that Exchange does, just inbound SMTP).

So, I would like to

1) Configure another MX record with our DNS registrar which points to an IP address from the range that is allotted to us from LightPath (but NOT the IP address assigned to the LightPath interface directly)

2) I want to set up NAT such that, if an SMTP connection fails to reach the FIOS IP and hits the LightPath IP, it will make it to the Exchange Server's SMTP connector.

3) If I have to, I can set up a second inbound SMTP connector on the Hub Transport; if I can use the same one for both, even better.

4) Outbound SMTP emails need only go out the existing FIOS IP.

The upshot is, the LightPath internet connection may be slower (10/10 Mbs) but it has a full SLA for dedicated bandwidth.

If FIOS is twitchy, emails come in through LightPath and I don't have to spend all this time forwarding stuff.

Ultimately I might even want to move everything Exchange related onto LightPath and use FIOS for everything else, but for now, just this little failover would make me a much happier camper.

Oh, and one other question. Will this setup prevent us from enabling Mail Transfer Agent on the firewall when we are ready to do so?

Thanks all!


1 Reply

Based on the above you will add a secondary MX record and in case that the primary record is not available, email traffic will pass through there. Your setup is fine and will not create any issues if you enable MTA role on your firewall later on. When you enable the MTA role you will need to set up your Hub Transport server to relay the emails to your MTA and then the MTA to your Exchange server.

The only note here is to make sure you set the same protections for your secondary MX as you have for your primary. Spammers often use the secondary MX records since most of the time the secondary is overlooked.


Charris Lappas 
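A small audit script covering both the question's plan (a second MX record whose address is a NATed LightPath address, not the gateway interface itself, landing on the same Hub Transport connector) and the reply's caveat (the secondary MX must get the same protections as the primary). This is an added example, not code from the thread, Check Point, or Microsoft. The hostnames, addresses and EHLO data below are constructed (RFC 5737 documentation ranges); `live_probe` does a real EHLO against whatever addresses you pass it, while `canned_probe` stands in for it so the check can be exercised offline.

```python
"""Audit an MX failover pair: every published MX must answer SMTP, none may be a
gateway interface address, and all must land on the same server with the same
advertised capabilities (a cheap proxy for "same protections").

Added example for the CheckMates thread above; not the project's own code.
"""
import smtplib
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class MxRecord:
    priority: int   # lower value is tried first by sending MTAs
    host: str       # MX hostname published in DNS
    address: str    # public address the MX host resolves to


@dataclass(frozen=True)
class SmtpProbe:
    reachable: bool
    ehlo_name: str          # hostname the server announces in its EHLO reply
    extensions: frozenset   # lower-case EHLO extension names, e.g. {"starttls", "size"}


ProbeFn = Callable[[str], SmtpProbe]


def live_probe(address: str, port: int = 25, timeout: float = 10.0) -> SmtpProbe:
    """Connect to one MX address, send EHLO and report what the server announces."""
    try:
        with smtplib.SMTP(address, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            if code != 250:
                return SmtpProbe(False, "", frozenset())
            # First EHLO line is "<hostname> Hello ..."; keep the hostname only.
            ehlo_name = reply.decode(errors="replace").splitlines()[0].split()[0].lower()
            return SmtpProbe(True, ehlo_name, frozenset(smtp.esmtp_features))
    except (OSError, smtplib.SMTPException):
        return SmtpProbe(False, "", frozenset())


def audit_mx(records: Iterable[MxRecord], gateway_interface_ips: set,
             probe: ProbeFn = live_probe) -> list:
    """Return a list of findings; an empty list means the MX set is consistent."""
    findings = []
    recs = sorted(records, key=lambda r: r.priority)
    if len(recs) < 2:
        findings.append("only one MX record: no inbound failover path")
    if len({r.priority for r in recs}) != len(recs):
        findings.append("duplicate MX priorities: delivery order is ambiguous")
    for r in recs:
        # The question's point 1: the MX must be a NATed service address, not the
        # address bound to the gateway's own ISP-facing interface.
        if r.address in gateway_interface_ips:
            findings.append(f"{r.host} points at gateway interface {r.address} instead of a NATed address")
    results = {r.host: probe(r.address) for r in recs}
    for host, p in results.items():
        if not p.reachable:
            findings.append(f"{host} does not answer SMTP")
    up = {h: p for h, p in results.items() if p.reachable}
    if len(up) >= 2:
        names = {p.ehlo_name for p in up.values()}
        if len(names) > 1:
            findings.append(f"MX hosts announce different servers: {sorted(names)}")
        # The reply's caveat: anything one MX offers (e.g. STARTTLS) the other must too.
        offered = frozenset().union(*(p.extensions for p in up.values()))
        for host, p in up.items():
            missing = offered - p.extensions
            if missing:
                findings.append(f"{host} lacks {sorted(missing)} that another MX offers")
    return findings


# Constructed sample data: primary MX on the FIOS side, secondary on the LightPath side.
SAMPLE_RECORDS = [
    MxRecord(10, "mx1.example.com", "203.0.113.10"),
    MxRecord(20, "mx2.example.com", "198.51.100.20"),
]
SAMPLE_GATEWAY_IPS = {"203.0.113.1", "198.51.100.1"}   # constructed interface addresses


def canned_probe(address: str) -> SmtpProbe:
    """Offline stand-in for live_probe: the secondary path was never given STARTTLS."""
    table = {
        "203.0.113.10": SmtpProbe(True, "mail.example.com", frozenset({"starttls", "size", "8bitmime"})),
        "198.51.100.20": SmtpProbe(True, "mail.example.com", frozenset({"size", "8bitmime"})),
    }
    return table.get(address, SmtpProbe(False, "", frozenset()))


if __name__ == "__main__":
    for line in audit_mx(SAMPLE_RECORDS, SAMPLE_GATEWAY_IPS, canned_probe) or ["no findings"]:
        print(line)
```

Run it on real records by replacing `SAMPLE_RECORDS` with your published MX hosts and dropping the `canned_probe` argument so `live_probe` is used; an empty result after a failover test on the LightPath address is the condition the question is after.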


