
Added 2nd ISP and set up for Load Balance - external IP shows the routed connection IP and the 5 public additional IPs - how to configure Exchange

I have a working environment with on premise Exchange and webservers on existing ISP on the WAN interface.

I have added the Metro E routed connection on WAN 2 interface.  How do I hide this address from the internet?

I have the public IP block of 5 addresses added to the WAN 2 interface as Additional IPs.

I can ping the routed IP and all 5 public IPs from the outside.

How do I set up my Exchange configuration to use two IP addresses?  Existing is using additional IPs on WAN interface.  I want to add Exchange services to the WAN 2 interface on the additional IPs.

I had this enabled but our emails were starting to get rejected due to SPF checks showing the new interface IP address (which would be expected since that address is not in the SPF setup).

I would like to set this up so one ISP would be primary for Exchange services including outbound.

Do I just duplicate all of the webserver and virtual webserver setups and point to one of the additional IPs on the new WAN 2 interface?

I already have MX records pointing to both additional IPs (one is primary) on my domain ISP.
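The SPF rejections described above happen whenever outbound mail leaves through a source IP that the domain's SPF record does not list. The following added check (not part of the original post) evaluates the ip4/ip6/all mechanisms of an SPF record against every egress IP a multi-WAN setup could use, so the gap can be found before mail is rejected. The SPF record and all addresses are constructed placeholders, not the poster's real values.

```python
import ipaddress

# Constructed SPF record: lists the WAN 0 primary and additional IPs and the
# WAN 2 additional SMTP IP, but not the WAN 2 routed (interface) address.
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:198.51.100.123 -all"

# Constructed egress candidates: every public IP the UTM might source mail from.
EGRESS_IPS = {
    "WAN0 primary": "192.0.2.10",
    "WAN0 additional": "192.0.2.11",
    "WAN2 routed/interface IP": "203.0.113.1",   # not in SPF -> rejections
    "WAN2 additional .123": "198.51.100.123",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result (pass/fail/softfail/neutral/none) for one sender IP.

    Only address-literal mechanisms (ip4, ip6, all) are evaluated; include:,
    a: and mx: would require DNS lookups and are skipped in this offline check.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not a valid SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term: default result


def unauthorized_egress(record: str, egress: dict) -> list:
    """Names of egress paths whose source IP would not produce an SPF pass."""
    return [name for name, ip in egress.items() if evaluate_spf(record, ip) != "pass"]


if __name__ == "__main__":
    for name, ip in EGRESS_IPS.items():
        print(f"{name:28s} {ip:16s} -> {evaluate_spf(SPF_RECORD, ip)}")
    print("Egress paths that will be rejected:", unauthorized_egress(SPF_RECORD, EGRESS_IPS))
```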

  • Hi  

    If you want to move your Exchange services (configured via WAF I assume) on WAN2 link, you need to duplicate the existing Webserver setup and select the WAN2 interface in it. If your internal network and real webserver have not changed, you do not need to change other settings. For the outgoing Email traffic, please check the relevant Configuration (i.e. Email Protection or MASQ rule).

    Regards

    Jaydeep

  • I do not want to move the services to the new IP, I want to have both work so if one ISP quits it will be transparent to the users.

    I have duplicated the virtual webserver setups for Exchange and the webserver and added the new IP addresses to the DNS A records at the ISP (duplicated existing records with the new IP addresses).  Inbound Exchange traffic and web traffic resolves on either IP address as expected.  However, the new ISP is the Comcast Metro EDI which has 1 static IP on the UTM interface, and the public IP block is supposed to be routed through this IP and presented to the Internet.  I can ping the internet-facing IP on the interface along with the 5 public IP block that I added as additional IPs.  Exchange will send out on either IP, the original interface or the new interface.  This is an issue: I need the outbound traffic to only come out on an additional IP address that is assigned as the inbound SMTP IP on each interface.  Otherwise SPF checks on sent emails randomly get blocked.

    I have set the priority on the interface load balance to 60-40 to prefer one ISP over the other.

  • Did you resolve this, Chuck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I resolved the Optional Interface on the Web Filtering page by rebooting the SG230 - the option appeared.  However it does not work.  If I go to Speedtest the IP is still being reported as the main IP address.

    So trying to do an SNAT for the SMTP outbound still reports coming from the main IP on the WAN2 interface also.

    So, no none of it is resolved.  I am back to purchasing a router to put in front of Sophos I guess.

  • There is no solution if both servers should send via the SMTP Proxy.  You could use a Multipath rule with one that didn't use the UTM as a smart host.  I think there's a suggestion in Ideas to allow SMTP Profiles to specify the WAN connection to use, so you might want to vote for and comment on that idea.  Please come back here and link us to that so others can lend their support.

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I only have one Exchange server.  I am fine with the Exchange server going out on the default IP of WAN 0 which is a normal internet connection using a cable modem.  Which also carries the web server inbound and client outbound internet traffic.

    The second ISP is the Comcast Metro EDI which has a point to point connection on the WAN 2.  The 5 public IPs I have defined on WAN2 as additional IP addresses.

    I want Exchange to come in and go out on .123 and the web server to come in on .125 and the outbound internet traffic to go out on .125.

    I want the system to prefer WAN 2 for all traffic except my two IPsec tunnels to Ford and GM which are tied to WAN 0.

    If either interface goes down it should be transparent to the users as I have public DNS pointing to both WAN ports - main and additional IPs on WAN 0 and just additional IPs on WAN 2.

    The issue I am seeing is I cannot get the system to stop using the point to point connection as my public IP on WAN 2.

  • I think this can be done, Chuck, but I'm not sure what's where.  I'm a visual-tactile - I do a lot better with diagrams and pictures than words, so I'm a bit lost here on which IPs are on which WAN connections.  Please give us the primary and additional IPs on each connection, obfuscating them like 173.x.y.10.  And then restate what primary and secondary ones you want to use on each interface for in- and outbound SMTP and web surfing.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA