Hybrid mail flow

    Question

  • Hello

    I am running Exchange 2013 CU10 on-prem. I have 5 CAS servers and 5 MBX servers. Currently we send all email from on-prem through EOP, and EOP accepts all SMTP email for our accepted domains and then forwards the email down to our on-prem servers. Currently we have 5 unique NAT rules from EOP to our on-prem CAS servers. Example: when running the Hybrid Configuration Wizard, one of the things the wizard asks for is the FQDN name for mail from O365 to on-prem, e.g. "smtp.mydomain.com". As I mentioned before, I am using individual NAT rules for mail from EOP to on-prem. If I want to continue using the existing NAT rules that I currently have, would I need to create 5 external DNS records for "smtp.mydomain.com" that map to the external IP address for each NAT rule? Is this a preferred solution vs. using a load balancer between EOP and on-prem for hybrid mail flow?

    Example

    "smtp.mydomain.com" maps to 12.5.6.2

    "smtp.mydomain.com" maps to 12.5.6.1

    NAT rule 1 EOP----->12.5.6.2---->NAT----->onpremCAS1

    NAT rule 2 EOP----->12.5.6.1----->NAT------>onpremCAS2

    etc.


    Bulls on Parade

    Friday, November 13, 2015 3:56 PM


All replies

  • Are you trying to do load balancing?  If so, create five A records, one for each IP address (e.g., smtp1.mydomain.com, smtp2.mydomain.com, etc.), create five MX records for smtp.mydomain.com one pointed to each of the five A records, then use smtp.mydomain.com as the destination in your Outbound Connector.

    If that's not what you're trying to do, please describe your objective instead of your method.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Friday, November 13, 2015 6:22 PM
    Moderator
    I am trying to avoid using a load balancer as the endpoint for SMTP traffic from EOP to on-prem. As we know, the Hybrid Configuration Wizard creates 1 outbound connector in EOP that uses forced TLS. The outbound connector is configured to send email to on-prem based on a FQDN name, i.e. "hybridmail.mydomain.com". My objective is to avoid using the load balancer as the endpoint for TLS SMTP traffic for hybrid mail flow.

    Bulls on Parade

    Friday, November 13, 2015 6:34 PM
  • Forgot to mention: MX records already point to EOP, and will remain that way.

    Bulls on Parade

    Friday, November 13, 2015 6:37 PM
  • Okay, did you read my post?  SMTP is often load-balanced without a load balancer using multiple MX records.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Friday, November 13, 2015 6:38 PM
    Moderator
  • My first post is the answer you're looking for.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, November 13, 2015 6:40 PM
    Moderator
  • Hi Ed,

    I'm trying to load balance the SMTP traffic from EOP to on-prem. I don't understand why I need to create multiple MX records if the MX record already points to EOP? The Hybrid Configuration Wizard creates one outbound connector, and this connector will point to a FQDN name to utilize TLS.


    Bulls on Parade

    Friday, November 13, 2015 6:44 PM
  • We're talking about MX records solely for the connection, not your primary domain, hence why they're "smtp.mydomain.com" and not "domain.com".  The Outbound connector will be pointed to smtp.mydomain.com, which doesn't have an A record but has five MX records.  It will choose those in a round-robin fashion and distribute your mail to the five hosts smtp1.mydomain.com through smtp5.mydomain.com.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by skipster Friday, November 13, 2015 8:09 PM
    Friday, November 13, 2015 7:26 PM
    Moderator
  • Ok, got it! so similar to this ?

    http://blogs.technet.com/b/eopfieldnotes/archive/2014/07/02/on-premises-delivery-failover.aspx


    Bulls on Parade

    • Marked as answer by skipster Friday, November 13, 2015 8:09 PM
    Friday, November 13, 2015 7:40 PM
  • Please feel free to mark posts as helpful and/or the answer as appropriate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, November 13, 2015 8:07 PM
    Moderator
  • For this approach we need multiple external Io's and multiple DNS MX records, right? But what names should be on the SAN SSL certificate when using this setup, all MX records or only the root FQDN?
    Thursday, March 31, 2016 5:47 AM
  • Please explain "multiple external Io's" since that's a term I'm not familiar with.  You need an MX record for each combination of e-mail domain and server to which mail for that domain is sent.

    https://en.wikipedia.org/wiki/MX_record

    You need at least one MX record for each e-mail domain, i.e., each domain to the right-hand side of the @ symbol, and more if you want mail sent to multiple servers for that domain.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, March 31, 2016 6:15 AM
    Moderator
  • Hi Ed,

    Sorry, my autocorrect changed ip's to Io's :-( It should read

    For this approach we need multiple external ip's and multiple dns mx records right ?

    If we have 4 Exchange 2013 servers in a hybrid setup (@contoso.com) and we create hybrid.contoso.com as the root domain for mail routing, we need to create 4 MX records (MX1 to MX4.hybrid.contoso.com) and thus need 4 external IPs?

    Do we then also need to add MX1 to MX4.hybrid.contoso.com on the ssl certificate?

    Thursday, March 31, 2016 7:40 AM
  • You do not need multiple IP addresses.  An MX record points to an A record for an SMTP host.  That SMTP host can accept mail for any number of domains.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, March 31, 2016 5:39 PM
    Moderator
  • This is what we did for hybrid mail flow with on-prem Exchange 2013

     All MX records point to O365. We configured one outbound connector. The connector uses a smarthost to send email for all accepted domains. The connector is configured to use TLS and the TLS domain FQDN name is "hybridmail.mydomain.com". This same name is the CN on a cert that is installed on all CAS and MBX servers and is enabled for the SMTP service.

    We have 8 DNS records on the internet for hybridmail.mydomain.com, and we have 8 NAT rules that allow SMTP traffic from the O365 servers to the individual CAS servers. We are basically using DNS RR. This setup has been working perfectly now for around 4 months.


    Bulls on Parade

    Thursday, March 31, 2016 6:21 PM
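As an added example that is not part of the original thread (not code from the posters or from Microsoft), the Python below models how an SMTP sender such as the EOP outbound connector turns the smart-host name into an ordered list of delivery targets, for both layouts discussed here: the MX records under smtp.mydomain.com from the marked answer (a name with no A record of its own) and the eight A records on hybridmail.mydomain.com from the post just above. It follows RFC 5321 section 5.1 (lowest MX preference first, random order among equal preferences, the name itself as an implicit MX when no MX records exist) and rotates multiple A records the way DNS round robin serves them. The zone, host names, addresses and the preference-20 backup host are all assumptions made for the example.

```python
"""Model of how an SMTP sender turns a smart-host name into delivery targets.

Added example for this thread; not code from the posters or from Microsoft.
Rules followed (RFC 5321 section 5.1): use the MX records for the name, lowest
preference value first, random order among equal preferences; if the name has
no MX records, treat the name itself as an implicit MX. When one host has
several A records they are tried in rotated order, as DNS round robin serves
them. Every name, address and the backup host below is constructed for the
example and is not real DNS data.
"""

import random
from collections import Counter

ZONE = {
    # Marked-answer layout: smtp.mydomain.com has no A record, only MX records,
    # one per NAT'd public address of an on-prem CAS.
    "smtp.mydomain.com.": {"MX": [(10, "smtp1.mydomain.com."),
                                  (10, "smtp2.mydomain.com."),
                                  (10, "smtp3.mydomain.com."),
                                  (10, "smtp4.mydomain.com."),
                                  (10, "smtp5.mydomain.com."),
                                  # Assumed backup host (not in the thread):
                                  # used only when every preference-10 host fails.
                                  (20, "smtp-backup.mydomain.com.")]},
    "smtp1.mydomain.com.": {"A": ["12.5.6.1"]},
    "smtp2.mydomain.com.": {"A": ["12.5.6.2"]},
    "smtp3.mydomain.com.": {"A": ["12.5.6.3"]},
    "smtp4.mydomain.com.": {"A": ["12.5.6.4"]},
    "smtp5.mydomain.com.": {"A": ["12.5.6.5"]},
    "smtp-backup.mydomain.com.": {"A": ["12.5.6.9"]},
    # Round-robin layout from the post above: no MX, eight A records on the
    # connector name itself (addresses are placeholders).
    "hybridmail.mydomain.com.": {"A": ["1.2.3.%d" % i for i in range(1, 9)]},
}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def lookup(zone, name, rtype):
    return list(zone.get(_fqdn(name), {}).get(rtype, []))


def new_rng(seed=0):
    return random.Random(seed)


def delivery_targets(zone, name, rng):
    """Ordered (preference, host, ip) triples a sender should try for `name`."""
    mx = lookup(zone, name, "MX") or [(0, _fqdn(name))]  # implicit MX
    by_pref = {}
    for pref, host in mx:
        by_pref.setdefault(pref, []).append(host)
    targets = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)  # equal preference: random order per delivery
        for host in hosts:
            ips = lookup(zone, host, "A")
            if ips:
                start = rng.randrange(len(ips))  # DNS round-robin rotation
                ips = ips[start:] + ips[:start]
            targets.extend((pref, host, ip) for ip in ips)
    return targets


def deliver(zone, name, rng, reachable=lambda ip: True):
    """Return the (host, ip) that accepted the connection, or None if all failed."""
    for _pref, host, ip in delivery_targets(zone, name, rng):
        if reachable(ip):
            return host, ip
    return None


def distribution(zone, name, n, seed=1, reachable=lambda ip: True):
    """Deliver n messages and count which address took each one (None = bounced)."""
    rng = new_rng(seed)
    counts = Counter()
    for _ in range(n):
        hit = deliver(zone, name, rng, reachable)
        counts[hit[1] if hit else None] += 1
    return counts


if __name__ == "__main__":
    print("MX layout:      ", dict(distribution(ZONE, "smtp.mydomain.com", 1000)))
    print("A-record layout:", dict(distribution(ZONE, "hybridmail.mydomain.com", 1000)))
    down = {"12.5.6.1", "12.5.6.2"}
    print("two CAS down:   ", dict(distribution(ZONE, "smtp.mydomain.com", 1000,
                                                reachable=lambda ip: ip not in down)))
```

Running it shows the five CAS addresses each taking roughly a fifth of the messages, the backup address appearing only when every preference-10 host is unreachable, and the eight-A-record layout spreading across all eight addresses. The difference between the two layouts is not distribution but control: MX preference values let you express an explicit primary/backup order, which a flat set of A records on one name cannot.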
  • @ED
    Let's make it visual for @mydomain.com

    "mx1.mydomain.com" maps to 1.2.3.4
    "mx1.mydomain.com" maps to 1.2.3.4

    How are we going to NAT one protocol (SMTP) on one IP address (1.2.3.4) to multiple (internal) Exchange servers?
    If we use TMG for publishing we only can 'target' one IP address. Can 'other' firewall do this?

    @skipster
    So your situation is as follows?

    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4
    "hybrid.mydomain.com" maps to 1.2.3.4

    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    Friday, April 1, 2016 5:45 AM
  • You show two records that are identical.  I don't get the point.

    Regarding the NAT, you can use a load balancer or a separate IP address for each Exchange server and let SMTP senders do the load balancing, which works pretty well.

    You can do it these two ways.

    mx1.mydomain.com maps to 1.2.3.4 and points to Exchange server 1.

    mx2.mydomain.com maps to 1.2.3.5 and points to Exchange server 2.

    Or

    mx1.mydomain.com maps to 1.2.3.4 and points to a load balancer that balances traffic to Exchange server 1 and 2.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, April 1, 2016 6:37 AM
    Moderator
  • Hi Ed, that's because you said

    "You do not need multiple IP addresses.  An MX record points to an A record for an SMTP host"

    But in your last post you mention 2 IPs, thus multiple IPs or 1 IP with NLB.

    Friday, April 1, 2016 2:31 PM
  • It's like this. We use a unique external IP for each CAS server.

    "hybrid.mydomain.com" maps to 1.2.3.5
    "hybrid.mydomain.com" maps to 1.2.3.6
    "hybrid.mydomain.com" maps to 1.2.3.7
    "hybrid.mydomain.com" maps to 1.2.3.8
    "hybrid.mydomain.com" maps to 1.2.3.9
    "hybrid.mydomain.com" maps to 1.2.3.1
    "hybrid.mydomain.com" maps to 1.2.3.2
    "hybrid.mydomain.com" maps to 1.2.3.3

    NAT rule 1 EOP----->1.2.3.5---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.4---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.3---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.2---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.1---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.8---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.9---->NAT----->onpremCAS1
    NAT rule 1 EOP----->1.2.3.6---->NAT----->onpremCAS1


    Bulls on Parade

    Friday, April 1, 2016 4:55 PM
  • You don't need multiple IP addresses pointing to the same host.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, April 2, 2016 12:17 AM
    Moderator
  • Two IP addresses if you have two hosts, yes.  But one if you have one host.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, April 2, 2016 12:18 AM
    Moderator
  • Can the TLS SMTP hybrid mail flow be load balanced, does this not change the x-header as smarthost would do?

    And if you load balance you need to add the LB IP address to the receive connector, not the greatest solution IMHO, because the source IP will be the load balancer.

    How do you fix this ?

    Saturday, April 2, 2016 5:45 AM
  • In answer to your first question, I've never seen any issues with that.

    As to your second question, it's tricky and sometimes undesirable to perform the configuration required to preserve the source address of the SMTP senders.  Usually what you have to do is use the load balancer as Exchange's default gateway, which makes it more critical than you might want.  Therefore, it's often preferable to publish separate IP addresses, and A and MX records for each server and let SMTP senders do the load balancing.  If you have a message hygiene service, appliance or server between the Internet and Exchange, then the point is probably moot since they can usually do the load balancing.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, April 2, 2016 4:52 PM
    Moderator
  • OK, last question (the one that is breaking my head).
    During the HCW you enter a FQDN for mail routing.
    Does the FQDN you enter need to be on the cert?

    Reading the article below mentions transport SAN name.

    https://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx

    So if we enter hybridmail.contoso.com does it need to be on the cert?

    https://technet.microsoft.com/en-us/library/jj659055(v=exchg.150).aspx

    When using forced TLS transport, the sending and receiving servers examine the certificate configured on the other server. The subject name, or one of the subject alternative names (SANs), configured on the certificates must match the FQDN that an administrator has explicitly specified on the other server. For example, if EOP is configured to accept and secure messages sent from the mail.contoso.com FQDN, the sending on-premises Client Access or Edge Transport server must have an SSL certificate with mail.contoso.com in either the subject name or SAN. If this requirement isn't met, the connection is refused by EOP.

    Note:
    The FQDN used doesn't need to match the email domain name of the recipients. The only requirement is that the FQDN in the certificate subject name or SAN must match the FQDN that the receiving or sending servers are configured to accept.

    Sunday, April 3, 2016 3:29 PM
  • Yes, the FQDN must be in the certificate because it's where the mail is going and the certificate must match for TLS to work, as stated in the text you cut and pasted.  But why would you use a different name than you already use for inbound mail?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Sunday, April 3, 2016 8:49 PM
    Moderator
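As an added example that is not part of the original thread (not code from the posters or from Microsoft), the Python below turns the quoted requirement into a check you can run against your own certificate before the HCW: the FQDN configured for forced TLS must appear in the peer certificate's subject name or in one of its SANs. On top of the literal "subject name or SAN" rule from the TechNet text, it applies the usual RFC 6125 host-name matching rules (case-insensitive comparison, a wildcard only as the whole left-most label covering exactly one label, and, in strict mode, the CN ignored whenever DNS SANs are present). Whether EOP applies exactly these rules is not stated in the thread, so this is a pre-deployment audit of your certificate, not a reproduction of EOP's validation; the certificates are constructed dictionaries standing in for parsed X.509 data.

```python
"""Does a certificate satisfy a forced-TLS connector's TLS domain?

Added example for this thread; not code from the posters or from Microsoft.
The quoted TechNet text says the FQDN configured for forced TLS (the name
entered in the HCW) must appear in the peer certificate's subject name or in
one of its subject alternative names. This check applies the usual RFC 6125
host-name rules on top of that: case-insensitive comparison, a wildcard only
as the whole left-most label matching exactly one label, and in strict mode
the CN ignored whenever the certificate carries DNS SANs. Whether EOP applies
exactly these rules is not stated in the thread; use this to audit your own
certificate before running the HCW, not as a reproduction of EOP's validation.
The certificates below are constructed dictionaries standing in for parsed
X.509 data.
"""


def _labels(name):
    return name.strip().lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Compare one certificate name (CN or DNS SAN) against a hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard must be the entire left-most label, cover exactly one label,
        # and must not sit directly under a top-level domain (*.com).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, tls_domain, strict=False):
    """True if tls_domain matches the certificate's CN or a DNS SAN.

    strict=False reads the quoted text literally: subject name OR a SAN.
    strict=True follows RFC 6125: the CN only counts when there are no DNS SANs.
    """
    dns_sans = [value for kind, value in cert.get("san", []) if kind == "DNS"]
    names = list(dns_sans)
    if cert.get("cn") and (not strict or not dns_sans):
        names.append(cert["cn"])
    return any(name_matches(n, tls_domain) for n in names)


def missing_names(cert, required, strict=False):
    """Names in `required` the certificate does not cover; an empty list means OK."""
    return [n for n in required if not cert_covers(cert, n, strict)]


# Constructed certificates (CN plus SAN list, as a parser would return them).
CERT_HYBRID = {"cn": "hybridmail.mydomain.com",
               "san": [("DNS", "hybridmail.mydomain.com"), ("DNS", "mail.mydomain.com")]}
# Only the MX host names on the cert, not the HCW name: fails the check.
CERT_MX_ONLY = {"cn": "mx1.hybrid.contoso.com",
                "san": [("DNS", "mx%d.hybrid.contoso.com" % i) for i in range(1, 5)]}
CERT_WILDCARD = {"cn": "*.mydomain.com", "san": [("DNS", "*.mydomain.com")]}
CERT_CN_ONLY = {"cn": "hybridmail.mydomain.com", "san": []}
# CN matches but the SAN list does not mention it: passes literally, fails strictly.
CERT_CN_NOT_IN_SAN = {"cn": "hybridmail.mydomain.com", "san": [("DNS", "mail.mydomain.com")]}


if __name__ == "__main__":
    for label, cert, fqdn in [("hybrid", CERT_HYBRID, "hybridmail.mydomain.com"),
                              ("mx-only", CERT_MX_ONLY, "hybridmail.contoso.com"),
                              ("wildcard", CERT_WILDCARD, "hybridmail.mydomain.com"),
                              ("cn-only", CERT_CN_ONLY, "hybridmail.mydomain.com"),
                              ("cn-not-in-san", CERT_CN_NOT_IN_SAN, "hybridmail.mydomain.com")]:
        print("%-14s literal=%-5s strict=%s" % (label, cert_covers(cert, fqdn),
                                               cert_covers(cert, fqdn, strict=True)))
```

The mx-only case is the one asked about a few posts up: putting MX1 to MX4.hybrid.contoso.com on the certificate does nothing for the connector if the HCW name itself is absent. Put the HCW name in the SAN list rather than relying on the CN alone, because strict RFC 6125 clients ignore the CN once any DNS SAN is present.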
  • OK, thanks. We need a different name (not our MX) because we have an antispam appliance.
    Monday, April 4, 2016 7:53 AM
  • You can add the name to your certificate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, April 4, 2016 5:22 PM
    Moderator