Exchange 2013 DAG: Network (Firewall) Question

I am working out the last bit of kinks and getting ready to migrate to my Exchange 2013 DAG server(s) VMware environment (from my Exchange 2007 bare-metal server).

I have a question regarding networking. (I apologize if this is not the proper place to post this question; if it isn't, let me know where I should post it.) I have a Cisco ASA 5505 firewall that currently has NAT rules and access lists that coincide with my Exchange 2007 server for passing/filtering email.

My question is this: Do I need to create new rules that tie to each one of my Exchange 2013 server IPs, or can I point everything to my DAG virtual IP address, and the emails will flow to whichever server has the active database where the respective mailbox resides?

I'm hoping the latter will work, otherwise every time I decide to add a new server to the DAG, I'll then have to add all these settings into my firewall.

Thanks for your thoughts and consideration.

September 9th, 2015 10:09am

It's not supported to connect to the DAG IP address in that manner. You should use a load balancer or DNS round robin, etc., and create a namespace that represents the CAS/client connection endpoint as well as the SMTP endpoint. Then on the firewall, you create rules for those IP(s), and you can add and remove servers from the load balancer or DNS round robin consideration.

September 9th, 2015 10:26am

Hi,

As soon as you complete moving the mailboxes from Exchange 2007 to Exchange 2013, you can edit the rules defined in your firewall to repoint the mail flow to the Exchange 2013 server IP address, or else to the IP address of the LB if you have one in your environment for the Exchange 2013 servers.

Note: the DAG IP address is one of the cluster resources, and you should not use that IP address for directing the mail flow from your firewall.

If you have a single server with both roles (CAS + MBX) and it is not configured in an LB, then you need to redirect the mail flow from your firewall to that Exchange server IP address and not to the IP address of the DAG.


September 9th, 2015 10:36am

Okay, I don't have a load balancer appliance, and I apologize, but I'm not familiar with DNS round robin. However, I went out and read an article about this, and it looks pretty straightforward. It appears that round robin is enabled on DNS servers by default. (I have not disabled it.)

https://technet.microsoft.com/en-us/library/Cc787484(v=WS.10).aspx

With that said, I already have multiple A records with the same name in my Forward Lookup Zone that point to the IP addresses of the current Exchange 2013 nodes in my DAG.

Name            Type       Data
Exchange2013    Host (A)   192.168.1.1
Exchange2013    Host (A)   192.168.1.2

Are the above entries correct, and is this all that needs to be done?

Lastly, to answer my initial question: will I have to add additional config to the firewall if and when I add another Exchange 2013 server to the DAG?

Thanks.

September 9th, 2015 10:50am
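One way to check the setup the replies describe (a round-robin namespace whose A records point at the Exchange servers, never at the DAG IP, with every member actually accepting SMTP) is the following PowerShell script. It is an added example, not code from the thread; the namespace and DAG name are assumed values, and it assumes Windows Server 2012 R2 or later plus the Exchange Management Shell.

```powershell
# Added example (not from the thread): verify a DNS round-robin namespace used as
# the SMTP/client endpoint behind the firewall. The namespace and DAG name below
# are assumptions; adjust them to your environment.
# Needs Resolve-DnsName and Test-NetConnection (Windows Server 2012 R2+) and
# Get-DatabaseAvailabilityGroup (Exchange Management Shell).

param(
    [string]$Namespace = 'exchange2013.corp.example',  # assumed round-robin name
    [string]$DagName   = 'DAG01'                       # assumed DAG name
)

# IP addresses the DAG holds as a cluster resource. Per the replies above, the
# firewall must never send mail flow here, so no A record may resolve to them.
$dagIps = (Get-DatabaseAvailabilityGroup -Identity $DagName).DatabaseAvailabilityGroupIpAddresses |
          ForEach-Object { $_.IPAddressToString }

# Every A record behind the namespace (round robin rotates their order per query).
$members = (Resolve-DnsName -Name $Namespace -Type A -DnsOnly).IPAddress | Sort-Object -Unique

if (@($members).Count -lt 2) {
    Write-Warning "$Namespace resolves to $(@($members).Count) address(es); add one A record per server."
}

foreach ($ip in $members) {
    if ($dagIps -contains $ip) {
        Write-Warning "$ip is the DAG IP, not a server address; remove that A record from $Namespace."
        continue
    }
    # DNS round robin has no health check (unlike a load balancer), so a member
    # that does not answer on TCP/25 will still be handed out to senders.
    $smtp  = Test-NetConnection -ComputerName $ip -Port 25 -WarningAction SilentlyContinue
    $state = if ($smtp.TcpTestSucceeded) { 'OK' } else { 'UNREACHABLE' }
    '{0,-16} SMTP/25 {1}' -f $ip, $state
}
```

The IPs it prints as OK are the ones the ASA rules should reference; adding a server to the DAG then means adding its A record and firewall rule, as the OP's last question anticipates.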
