Firewall Settings for Exchange 2013 with DAG
Hello, I am testing a new Exchange 2013 deployment that is using database availability groups. Our topology is that we have two hub locations with a CAS and Mailbox Server in each for site resilience and a file share witness in a third site. In testing by simulating failovers, both automatic and manual, our experience so far is overall positive with one exception. We have a software firewall (Symantec Endpoint Protection) and it is causing a lot of issues for the cluster. What I am noticing is that the virtual cluster adapter is sending over traffic using an IPv6 link-local address. That address seems subject to change, so I tried to unblock the traffic by the MAC address, which also appears to be subject to change. The software I'm using doesn't allow unblocking based on specific IPv6 addresses, and now that I can't use the MAC to unblock I'm kind of stuck. I'm reluctant to disable IPv6 as that is against recommendation. It seems that Exchange is simply not friendly with firewalls at all and I'm getting a little frustrated trying to secure it. So far, the best I can come up with is to just find the specific ports involved but allow them from all hosts and to all adapters. Does anyone else have experience that they can share with me on how you've secured your Exchange servers in a site resilient cluster scenario? Thank you in advance for your time!
July 27th, 2015 11:11am

Microsoft does not support restricting communication with a firewall (hardware or software) between Exchange Servers.

https://technet.microsoft.com/en-us/library/Bb331973%28v=EXCHG.150%29.aspx?f=255&MSPPError=-2147217396

On a side note I have always hated software firewalls.  If someone gets through your external hardware firewalls and into your internal network, a software firewall won't help much :)

July 27th, 2015 1:25pm

Thank you for your response! I don't mind opening up all ports between Exchange servers and Domain Controllers, but the article indicates that it is okay to restrict traffic between internal clients and Exchange servers. My problem is that there are portions of the Exchange cluster that don't seem to be static (such as the link-local and MAC address on the virtual cluster adapter), so I cannot specify just the IP address or the MAC address to allow only communication between Exchange servers and apply restrictions to all other hosts. So I feel like I'm cornered into allowing all ports from all hosts on all adapters. I guess if that's the way it is, I'll go with that and rely on the security that Microsoft has built into the operating system and Exchange itself. Any further thoughts?
July 27th, 2015 2:07pm

They don't support restricting anything between Exchange Servers:

  • We do not support restricting or altering network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of network traffic, you need to configure rules that allow free and unrestricted communication between these servers (rules that allow incoming and outgoing network traffic on any port, including random RPC ports, and any protocol that never alter bits on the wire).

From Outlook to Exchange 2013 you only need port 443

July 27th, 2015 2:53pm
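As an added example that is not from any poster in this thread or from Microsoft's documentation, the quoted requirement (any port, any protocol between the Exchange servers and the domain controllers, nothing else widened) can be expressed with the built-in Windows Firewall instead of Symantec's policy, which the original poster found could not match IPv6 addresses. The server addresses are placeholders; the fe80::/10 scope is an assumption about how narrowly the cluster virtual adapter's changing link-local address can be pinned.

```powershell
# Added example, not from the thread: Windows Firewall rules implementing
# "any port, any protocol between Exchange servers and DCs", scoped by address.
# All addresses below are placeholders; substitute your own hub-site servers.
$exchangePeers = @('10.10.1.20', '10.10.1.21')   # CAS + Mailbox, hub site A (placeholder)
$exchangePeers += @('10.20.1.20', '10.20.1.21')  # CAS + Mailbox, hub site B (placeholder)
$domainControllers = @('10.10.1.5', '10.20.1.5') # one DC per hub site (placeholder)
$peers = $exchangePeers + $domainControllers

foreach ($dir in 'Inbound', 'Outbound') {
    # No -Protocol and no port parameters: the cmdlet default is any protocol on any
    # port, which is exactly what the quoted guidance asks for between these hosts.
    New-NetFirewallRule -DisplayName "Exchange peers - any port ($dir)" `
        -Direction $dir -Action Allow -Profile Domain -RemoteAddress $peers

    # The cluster virtual adapter talks over IPv6 link-local addresses whose host part
    # (and MAC) can change, so this rule scopes by the fe80::/10 prefix rather than a
    # single address. Trade-off: any link-local neighbour on the segment also matches,
    # which is as narrow as an address-based rule can get when the address is not fixed.
    New-NetFirewallRule -DisplayName "Cluster link-local IPv6 ($dir)" `
        -Direction $dir -Action Allow -Profile Domain `
        -LocalAddress 'fe80::/10' -RemoteAddress 'fe80::/10'
}

# Verify the result: the address filters should list only the peer IPv4s and fe80::/10,
# so the "allow all from all hosts on all adapters" rule from the thread is not needed.
Get-NetFirewallRule -DisplayName 'Exchange peers - any port*', 'Cluster link-local IPv6*' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property LocalAddress, RemoteAddress
```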

Yes, thank you, I understand that, but with all due respect, this isn't my concern. As I mentioned, I would like to allow full communication between the Exchange servers, but my challenge is that to do so, each adapter on each of the Exchange servers must be uniquely identified by either an IPv4 address or MAC address. What appears to be happening is that some traffic, especially the cluster traffic between the virtual cluster adapters, is being passed as IPv6, which is not something I can use to make the firewall exception. I tried using the MAC address and that worked initially, but the exception stopped working because the MAC address for the cluster virtual adapter seems to have changed, therefore breaking my exception. I am trying to avoid retaining the "allow all traffic from all hosts on all adapters" rule that I had to create to compensate for the apparent dynamic MAC address.

Unfortunately, after testing, it seems to be too unreliable to do anything but allow all. This may simply be a Symantec issue at this point and, right now, I too am hating at least this Symantec software firewall... This isn't optimal and I don't believe it to be very secure but I need this to work so I guess I have to leave the big hole punched and hope that Microsoft has done a good job with locking down the OS and Exchange.

July 27th, 2015 4:17pm

"...and hope that Microsoft has done a good job with locking down the OS and Exchange."

I think you can feel confident they have. I know I do. And I would be honest if I had any concerns.

July 27th, 2015 8:09pm

Hi,

Static IPv6 addresses are supported by Windows Server and the Cluster service. However, using static IPv6 addresses goes against best practices. Exchange 2013 doesn't support the configuration of static IPv6 addresses during setup.

Failover clusters support Intra-site Automatic Tunnel Addressing Protocol (ISATAP). They support only IPv6 addresses that allow for dynamic registration in DNS. Link local addresses can't be used in a cluster.

For more information about DAG network requirements, see the "Network requirements" section in Planning for high availability and site resilience.

Regards,

July 28th, 2015 5:24am

So what I am gathering from everyone is that I should just forget about the software firewall restrictions and just let the hosts do their clustering thing. :-)
July 28th, 2015 9:30am


I'm going to give all replies credit as all who responded contributed to our final decision to forgo the software firewall since it was causing too many issues. We'll see if Symantec evolves any better to work with Windows clustering and perhaps try again in the future... Thank you all for your time!
July 29th, 2015 10:18am


Hi,

I hope you have gone through this article:

Installing the Symantec Endpoint Protection client to a Windows cluster server

Regards,

CHETAN

August 5th, 2015 9:47am

Yes, I tried all of Symantec's recommendations, but unfortunately, in testing I could not achieve a consistent, stable environment, so I had to override the firewall policies. It is what it is, I guess.
August 5th, 2015 10:07am
