
Inbound SMTP NAT / Policy for Exchange 2010, 1 Gateway, 2 ISPs

Question asked by Chris Butler on Jun 29, 2018
Latest reply on Jun 30, 2018 by Charris Lappas

Hi,

 

I have a CheckPoint 5210 gateway and a Smart-1 410 Management server, both running R80.10

Our Exchange 2010 Server is a bare metal server with all exchange roles except edge transport running on the one box.

The Hub transport role connects inbound and outbound SMTP connectors to the internet without an edge transport server in the mix.

 

Currently, the network object for the Mail server has a static NAT set on it, which adds automatic address translation rules and enables our externally facing IP address that translates to mail.fliinvestors.com.

The existing setup is already deployed and has been for some time; it works fine for the most part.

 

However, predating my employment here, the MX records were set up to go first to mail.fliinvestors.com and, if that is not available, to a couple of other services that will redirect email to a spillover mailbox outside of our system. A single mailbox.

 

The problem is, since there is no way to have MX wait a bit before going to the next choice, if there is the slightest glitch in our FIOS business 75/75 service, I spend a lot more time each day than I would like forwarding emails from that mailbox to the correct person(s) within our company, and changing the reply-to address in my forwarded email to match the original sender.

 

We have FIOS connected to one of the 5210 interfaces.

We are not ready to try setting up ISP redundancy yet, so that is not the route I want to take at this time.

But we DO have a secondary ISP (LightPath) which is connected to another interface on the gateway. Currently that connection is not doing anything for us.

 

What I am trying to achieve is purely limited to dealing with inbound SMTP (not ActiveSync or Autodiscover or any of the HTTPS stuff that Exchange does, just inbound SMTP).

 

So, I would like to:

1) Configure another MX record with our DNS registrar which points to an IP address from the range that is allotted to us from LightPath (but NOT the IP address assigned to the LightPath interface directly)

2) I want to set up NAT such that, if an SMTP connection fails to reach the FIOS IP and hits the LightPath IP, it will make it to the Exchange Server's SMTP connector.

3) If I have to, I can set up a second inbound SMTP connector on the Hub Transport; if I can use the same one for both, even better.

4) Outbound SMTP emails need only go out the existing FIOS IP.

 

The upshot is, the LightPath internet connection may be slower (10/10 Mbps) but it has a full SLA for dedicated bandwidth.

If FIOS is twitchy, emails come in through LightPath and I don't have to spend all this time forwarding stuff.

 

Ultimately I might even want to move everything Exchange related onto Light Path and use FIOS for everything else, but for now, just this little failover would make me a much happier camper.

 

OH, and one other question. Will this setup prevent us from enabling Mail Transfer Agent on the firewall when we are ready to do so?

 

Thanks all!

 

Chris.
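As an added example (not part of the original post or any reply), here is a small bash script for checking the MX layout described above once the second record is in place: it lists the MX targets in the order a sending MTA tries them and, when asked, probes each one on TCP/25 for a "220" greeting, so you can see which host would actually take the mail when the first one is down. The MX sample is constructed in `dig +short MX` format; the hostname `mx2.fliinvestors.com` for the LightPath-facing record and `spillover.example.net` for the external spillover service are assumptions, not names from the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Lists MX targets in delivery
# order and optionally probes each for an SMTP banner.

# Constructed sample in `dig +short MX` format (trailing dots included, as dig
# prints them). mx2.fliinvestors.com (the LightPath-facing record) and
# spillover.example.net are assumed names. Replace the sample with live data:
#   MX_RECORDS=$(dig +short MX fliinvestors.com)
MX_RECORDS='30 spillover.example.net.
10 mail.fliinvestors.com.
20 mx2.fliinvestors.com.'

# mx_order: print hostnames lowest preference first, trailing dots removed.
# A sender works down this list and only moves on when a connection fails.
mx_order() {
    printf '%s\n' "$1" | sort -n -k1,1 | awk '{sub(/\.$/, "", $2); print $2}'
}

# mx_preference: print the preference value for one hostname (nothing if absent).
mx_preference() {
    printf '%s\n' "$1" | awk -v h="$2" '{sub(/\.$/, "", $2); if ($2 == h) print $1}'
}

# smtp_banner: connect to TCP/25 on a host, print the first banner line and
# return 0 only for a "220" greeting. Uses bash's /dev/tcp, so no extra tools
# are required; each probe is capped at 5 seconds.
smtp_banner() {
    local host="$1" line
    line=$(timeout 5 bash -c \
        'exec 3<>"/dev/tcp/$1/25"; IFS= read -r l <&3; l=${l%$'"'"'\r'"'"'}; printf "QUIT\r\n" >&3; printf "%s" "$l"' \
        _ "$host" 2>/dev/null) || return 1
    printf '%s\n' "$line"
    case "$line" in 220*) return 0 ;; *) return 1 ;; esac
}

# check_all: walk the MX list in order and report each host's state. A FAIL
# line means a sender would fall through to the next record.
check_all() {
    local h banner
    for h in $(mx_order "$MX_RECORDS"); do
        if banner=$(smtp_banner "$h"); then
            echo "OK   $(mx_preference "$MX_RECORDS" "$h") $h  $banner"
        else
            echo "FAIL $(mx_preference "$MX_RECORDS" "$h") $h  (no 220 banner; sender moves to next MX)"
        fi
    done
}

# Network probes run only on request, so the ordering logic works offline:
#   RUN_PROBES=1 ./mx_check.sh
if [ "${RUN_PROBES:-0}" = 1 ]; then
    check_all
fi
```

Both the FIOS-facing and the LightPath-facing addresses should show OK from outside the network; if only the first does, the static NAT for the second external address (or the receive connector's binding) is not in place yet.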
