Kemp Load Balancer and Exchange 2010

I ran into an interesting issue where a misconfiguration of a Kemp load balancer turned an Exchange 2010 environment into an open relay for the internal network: internal client machines were able to send email to external recipients without authenticating.

The setup was something like this:

Internet SMTP Traffic -> Barracuda Anti Spam Firewall (DMZ, 192.168.1.1) -> Kemp Load Balancer (SMTP, HTTP, HTTPS load balancing, 172.16.1.20) -> Exchange 2010 Hub Transport Servers (172.16.1.X)

The Kemp load balancer supports Layer 7 transparency, with two modes: non-transparent (the Kemp's own IP address is passed to the server instead of the IP address of the client connecting to it) and transparent (the actual client IP address is passed to the server instead of the Kemp's).

Since the Kemp was passing traffic from the internet to the Hub Transport servers, a separate receive connector had been set up that allowed the Barracuda (192.168.1.1) to relay anonymously to the Exchange servers. But the Kemp was running in non-transparent mode, i.e. for any SMTP traffic passing through it, the source IP address shown to Exchange was the Kemp's IP address rather than the client's. So if a machine on the internal network connected to the Kemp and sent SMTP traffic, it appeared to come from the Kemp and was therefore allowed to submit to the Exchange 2010 server. After troubleshooting and spending several days on the phone with Kemp, we came up with the following configuration to fix this. It only applies to a Kemp load balancer in a single-armed configuration, since that is how we were using it.

Disable SNAT (System Configuration -> Misc Options -> SNAT Control), then configure the SMTP service properties (Virtual Server Configuration for SMTP -> Force L7 checked, Layer 7 Transparency checked).

Set the default gateway on all Exchange Hub Transport servers to the Kemp HA (cluster) IP address.

This configures load balancing the way it should work: Exchange now sees the real source address, so the anonymous relay permission only applies to the Barracuda and not to every host that can reach the Kemp's virtual IP.
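To check whether an Exchange environment is exposed to the same problem, the following Exchange Management Shell script (an added example, not from the original post or from Kemp) lists receive connectors that grant relay-to-any-recipient and whose RemoteIPRanges cover the load balancer's virtual IP; it assumes the post's VIP of 172.16.1.20 and the helper names Convert-IPv4ToUInt32 and Test-RangeContains are the example's own.

```powershell
# Added audit example, not from the original post. Assumes the post's Kemp VIP
# 172.16.1.20, which is the source address Exchange sees in non-transparent mode.
# Run in the Exchange Management Shell on an Exchange 2010 Hub Transport server.
$lbVip = "172.16.1.20"

function Convert-IPv4ToUInt32([System.Net.IPAddress]$ip) {
    $b = $ip.GetAddressBytes()
    [Array]::Reverse($b)            # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-RangeContains($range, [string]$address) {
    # $range is one Microsoft.Exchange.Data.IPRange entry from RemoteIPRanges
    if ($range.LowerBound.AddressFamily -ne 'InterNetwork') { return $false }  # IPv4 only
    $a  = Convert-IPv4ToUInt32 ([System.Net.IPAddress]::Parse($address))
    $lo = Convert-IPv4ToUInt32 $range.LowerBound
    $hi = Convert-IPv4ToUInt32 $range.UpperBound
    return ($a -ge $lo -and $a -le $hi)
}

foreach ($rc in Get-ReceiveConnector) {
    # Relay to any recipient is what turns a connector into an open relay. It is
    # commonly granted either by an explicit ACE for ANONYMOUS LOGON or by
    # ExternalAuthoritative auth, which treats every peer in range as trusted.
    $anonAce = Get-ADPermission -Identity $rc.Identity |
        Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny -and
                       $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
    $extSecured = ($rc.AuthMechanism -match "ExternalAuthoritative")
    if (-not $anonAce -and -not $extSecured) { continue }

    # Only connectors whose allowed ranges include the VIP are reachable this way.
    $viaVip = @($rc.RemoteIPRanges | Where-Object { Test-RangeContains $_ $lbVip })
    if ($viaVip.Count -eq 0) { continue }

    # While the load balancer runs non-transparent, every host that can reach the
    # VIP inherits this relay permission, which is the condition described above.
    New-Object PSObject -Property @{
        Connector     = $rc.Identity
        RelayGrant    = $(if ($anonAce) { "ANONYMOUS LOGON ACE" } else { "ExternalAuthoritative" })
        RangesWithVIP = ($viaVip | ForEach-Object { $_.ToString() }) -join ", "
    }
}
```

An empty result after enabling Layer 7 transparency and removing the VIP from the relay connector's RemoteIPRanges confirms the fix on the Exchange side.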
