Edge Server Setup with only 1 NIC
Hey all, I had a thread going here about this issue, but it went from problem to problem, so I started a new one that is very specific. Maybe someone else has set up their Edge server the same way and can lend me some assistance. Here is my current setup.
My Edge server sits in the DMZ network off of my main router. This server has only one network card, and is set up with a static IP of 192.168.10.200, subnet of 255.255.255.0, and gateway of 192.168.10.1 (the router's DMZ interface IP). For the DNS servers I am using my ISP's public DNS servers. I have allowed all the required ports on my router to pass through from the DMZ to the internal network, and also configured SCM in the same manner. I have my Edge Server internal send connector using the IP address of my internal network DNS server, and the external send connector using the NIC's defaults. I also created 2 entries in my hosts file for the internal EX Server and the DNS server.
With all of this set up, I can telnet on port 25 from the HT Server to the Edge and from the Edge to the HT server. I can do this via server name or IP, so I know that the hosts file is set up correctly. However, when sending mail from outside the org, mail is delivered to the Edge Server, and then just sits in the queue for delivery. Mail is never passed to the HT server from the Edge.
Has anyone ever set up an Edge Server with only one NIC, who may be able to link me to some documentation that would help, or give me some advice on how to resolve this issue?
Thank you for any help I can get!!
January 2nd, 2008 7:57pm
1 NIC is perfectly OK, there is no need for 2 NICs.
Have you started EdgeSynchronization, or have you created connectors manually?
What's the error for messages in the queue not being delivered?
January 2nd, 2008 9:23pm
When the NDR is sent back to the sender, this is what is shown:
edge-serv-01.domain.com #554 5.4.6 Hop count exceeded - possible mail loop ##
Original message headers:
Received: from edge-serv-01.domain.com (192.168.10.1) by
edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id
8.0.685.24; Tue, 18 Dec 2007 15:13:58 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by
edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id
8.0.685.24; Tue, 18 Dec 2007 15:08:56 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by
edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id
8.0.685.24; Tue, 18 Dec 2007 15:08:55 -0700
**edit** Sorry I didn't answer your other question. Yes, the EdgeSync was started and I verified that it was working. The connectors were created on their own!
January 2nd, 2008 10:21pm
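The NDR above shows the same host accepting the message from itself three times, each time from the router's DMZ address. As an added example (not code from the original thread), here is a small Python script that parses Received headers, unfolds the wrapped lines, and flags a host that keeps receiving a message from itself, using the quoted headers as constructed sample input:

```python
import re
from collections import Counter

# Constructed sample: the three Received headers quoted in the NDR above,
# pasted as a raw header block (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: from edge-serv-01.domain.com (192.168.10.1) by
 edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id
 8.0.685.24; Tue, 18 Dec 2007 15:13:58 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by
 edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id
 8.0.685.24; Tue, 18 Dec 2007 15:08:56 -0700
Received: from edge-serv-01.domain.com (192.168.10.1) by
 edge-serv-01.domain.com (192.168.10.200) with Microsoft SMTP Server id
 8.0.685.24; Tue, 18 Dec 2007 15:08:55 -0700
"""

# "from <host> (<ip>) by <host> (<ip>)" as written by Exchange's Received stamp.
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_ip>[\d.]+)\)\s+by\s+"
    r"(?P<by_host>\S+)\s+\((?P<by_ip>[\d.]+)\)",
    re.IGNORECASE,
)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto the previous header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_received(raw):
    """Return one dict per Received header, in header order (newest hop first)."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append(m.groupdict())
    return hops

def detect_loop(hops, min_repeats=2):
    """Flag hosts that accept the message from themselves at least min_repeats times,
    and report which source IPs the looping connections arrived from (here the router)."""
    counts = Counter()
    sources = {}
    for h in hops:
        if h["by_host"].lower() == h["from_host"].lower():
            host = h["by_host"].lower()
            counts[host] += 1
            sources.setdefault(host, set()).add(h["from_ip"])
    return {host: {"count": n, "source_ips": sorted(sources[host])}
            for host, n in counts.items() if n >= min_repeats}
```

A source IP equal to the router's interface on every self-hop points at the router re-forwarding port 25 back into the DMZ rather than at the Edge server's own connectors.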
Looks like SMTP traffic sent to your router is delivered back to your Edge server instead of being forwarded on to the HT.
When you try telnet from the Edge to the HT, is it the HT that answers?
January 3rd, 2008 2:04pm
The name of my HT server is Exchange01.domain.com, IP address 192.168.0.204. Whether I telnet to the name or the IP, the response comes back the same:
220 exchange01.domain.com Microsoft ESMTP MAIL Service ready
Is there another test that would give me more specific results? Because it looks, by that, like it is working properly.
January 4th, 2008 12:59am
Is your router doing NAT between the DMZ and internal net? It looks like it does if you read the mail header.
It also looks like edge-serv-01 is receiving mail from itself but from the wrong IP. It receives a mail from 192.168.10.1 (the router).
I think there is some misconfiguration in your router doing NAT and forwarding port 25 in an incorrect way.
January 4th, 2008 11:32pm
The router box that I am using is an IPCop box. It has configurations for what they call DMZ Pinholes: the ports and IPs allowed to travel from the DMZ to the local network. I have it set to allow ports 25, 50636, and 50389 from source 192.168.10.200 (Edge-Serv-01) to destination 192.168.0.204 (Exchange01), and port 53 from 192.168.10.200 to 192.168.0.150 (internal DNS server). The only "port forwarding" I have set up is to forward port 25 from the internet to 192.168.10.200, to shoot the mail from the internet to my Edge server. It seemed like such a simple setup, I don't know where I could have gone wrong.
Doesn't it sound like I have the router set up correctly? Maybe the issue could be somewhere else, like in the send/receive connectors? This is such a strange issue, that it would be sending the mail back to itself, and I have been looking all over for documented cases of this happening to others, but I'm coming up short.
January 5th, 2008 12:27am
For the EdgeSync process to work the HT server must be able to contact the Edge server on port 50636. The Edge server only needs to talk to the internal net on port 25.
Look in the event log and see if the EdgeSync process is running correctly. You can start the process manually with "Start-EdgeSynchronization".
The router should not port forward anything that comes from the internal net or DMZ net; only when mail is coming from the Internet should there be port forwarding to your Edge server. Verify this configuration.
January 5th, 2008 7:45pm
The EdgeSync is working, and just to be sure I stopped it and started it again. I checked the event viewer to verify, as well as the command shell. Everything went through perfectly in that regard.
As for the port forwarding and DMZ access... Access has been allowed between my DMZ and my internal net on port 25, and the only port forwarding going on is from my external net (public IP) to my Edge server (in the DMZ) on port 25.
Mail sits in the submission queue with these properties:
Identity: edge-serv-01\Submission\23
Subject: testing again
From Address: test@otherdomain.com
Status: Retry
Size (KB): 4
Message Source Name: SMTP: Default internal receive connector EDGE-SERV-01
Source IP: 192.168.10.1
SCL: 1
Date Received: 1/7/2008 12:16:50 PM
Expiration Time: 1/9/2008 12:16:50 PM
Last Error: A local loop was detected.
Queue ID: edge-serv-01\Submission
Recipients: test@domain.com
Then moves to the domain queue with this error:
451 4.4.0 Primary target IP address responded with "421 4.2.1 Unable to connect" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to alternate hosts.
This is getting to be slightly aggravating!! Any other ideas?
January 7th, 2008 10:32pm
Did you modify the certificate configuration at all? I've seen the same inbound SMTP errors on an Edge server when the Hub Transport server's self-signed certificate was removed from the server, or a third-party certificate was not properly configured.
January 8th, 2008 1:35am
No, I generated the cert on the Edge server, then just transferred it directly over to the HT server on a network share, then imported the cert on the HT server. I never opened the file at all.
January 8th, 2008 2:38am
Thank you guys for tossing these possible issues at me. I figure there are only a few more things that it can possibly be! Maybe I can finally get to the bottom of this!!
If anyone else has any suggestions please let me know, I would like to get this Edge server up and running as soon as possible!
January 8th, 2008 9:26pm
Does the imported cert contain the private key?
Did you enable the cert for SMTP/TLS?
January 9th, 2008 1:53am
If you mean the certificate blob, then yes, they are there and they look to match. As for enabling the cert for TLS, I don't think I know how to do that, so I would say that I have not done that. Could you be a bit more specific?
January 9th, 2008 4:24am
Use the Enable-ExchangeCertificate cmdlet to tell Exchange which certificate to use for which service.
January 9th, 2008 12:47pm
OK, well I followed the instructions for Enable-ExchangeCertificate and got that all set up, but I still have the same issues. This is definitely a routing issue, I just need to figure out where the issue is and how to fix it. It makes no sense to me how the mail is flowing from the Edge server to the router's DMZ interface, and back again.
January 10th, 2008 9:03pm
A couple of wacky thoughts...
1 - Have you verified your 'accepted domains' tab to make sure the correct domains are there? Your Edge server might be trying to pass it along.
2 - Why do you have the DNS in your hosts file? You should be able to use the one on the NIC.
Good luck! m
May 26th, 2009 10:09pm