I ran into an interesting issue where a misconfiguration of a Kemp load balancer turned an Exchange 2010 environment into an open relay for the internal network: any internal client machine could send email to external recipients without authenticating.
The setup was something like this:
Internet SMTP traffic –> Barracuda Anti-Spam Firewall (DMZ, 192.168.1.1) –> Kemp Load Balancer (SMTP, HTTP, HTTPS load balancing, 172.16.1.20) –> Exchange 2010 Hub Transport Servers (172.16.1.x)
The Kemp load balancer supports layer 7 transparency and has two modes: non-transparent (the Kemp's own IP address is presented to the server instead of the IP address of the client connecting to it) and transparent (the actual client IP address is passed through to the server instead of the Kemp's).
Since the Kemp was passing traffic from the internet to the Hub Transport servers, a separate receive connector had been set up that allowed 192.168.1.1 to relay anonymously to the Exchange servers. But the Kemp was running in non-transparent mode, i.e. for any SMTP traffic passing through it the source IP address was the Kemp's own address rather than the client's. So if a machine on the internal network connected to the Kemp and sent SMTP traffic, it appeared to be coming from the Kemp and was therefore allowed to submit mail to the Exchange 2010 server. To fix this, after troubleshooting and spending several days on the phone with Kemp, we came up with the following configuration. This only applies to a Kemp load balancer in a single-armed configuration, since that is how we were using it:
Disable SNAT (System Configuration –> Misc Options –> SNAT Control), then configure the SMTP service properties (Virtual Server Configuration for SMTP –> Force L7 checked, Layer 7 Transparency checked).
Set the default gateway on all Exchange Hub Transport servers to the Kemp HA (cluster) IP address.
This configures load balancing the way it should be…
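As an added example (not part of the original post, and not Kemp's or Microsoft's code), here is an Exchange Management Shell script that audits every receive connector for anonymous relay rights and flags any whose RemoteIPRanges admit the load balancer's address (172.16.1.20 above), which is the source address Exchange sees for every proxied session in non-transparent mode. After the fix only the Barracuda (192.168.1.1) should be inside a relay range. The IPv4 range parsing, the helper names and the status wording are my own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Flags receive connectors that grant anonymous relay and whose remote IP ranges
# admit the Kemp VIP: in non-transparent (SNAT) mode that VIP is the source address
# of every proxied session, so internal clients inherit the Barracuda's relay rights.
# Assumptions: IPv4 ranges only; the two addresses below are the ones given in the post.
$KempVip     = '172.16.1.20'
$BarracudaIp = '192.168.1.1'

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

# Handles the three forms Exchange prints for RemoteIPRanges: a.b.c.d, a.b.c.d/n, low-high
function Test-IpInRange ([string]$Ip, [string]$Range) {
    $n = ConvertTo-UInt32 $Ip
    if ($Range -match '^(.+)-(.+)$') {
        return ($n -ge (ConvertTo-UInt32 $Matches[1])) -and ($n -le (ConvertTo-UInt32 $Matches[2]))
    }
    if ($Range -match '^(.+)/(\d+)$') {
        # Prefix mask built without -shl so it also runs on PowerShell 2.0 (Exchange 2010)
        $mask = [uint32](4294967295 - [math]::Pow(2, 32 - [int]$Matches[2]) + 1)
        return (($n -band $mask) -eq ((ConvertTo-UInt32 $Matches[1]) -band $mask))
    }
    return ($n -eq (ConvertTo-UInt32 $Range))
}

foreach ($rc in Get-ReceiveConnector) {
    # Anonymous relay is the ms-Exch-SMTP-Accept-Any-Recipient right granted to ANONYMOUS LOGON
    $anonRelay = $rc | Get-ADPermission | Where-Object {
        (-not $_.Deny) -and ($_.User -like '*ANONYMOUS LOGON') -and
        (($_.ExtendedRights -join ',') -match 'ms-Exch-SMTP-Accept-Any-Recipient')
    }
    if (-not $anonRelay) { continue }

    $ranges    = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() } | Where-Object { $_ -notmatch ':' })
    $admitsVip = @($ranges | Where-Object { Test-IpInRange $KempVip $_ })
    $admitsDmz = @($ranges | Where-Object { Test-IpInRange $BarracudaIp $_ })

    $status = if ($admitsVip.Count -gt 0) { 'OPEN RELAY RISK: Kemp VIP is inside a relay range' }
              elseif ($admitsDmz.Count -gt 0) { 'OK: anonymous relay limited to the Barracuda' }
              else { 'Review: anonymous relay granted to other ranges' }

    New-Object PSObject -Property @{
        Connector = $rc.Identity.ToString()
        Ranges    = ($ranges -join ', ')
        Status    = $status
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record; re-run it after disabling SNAT and enabling transparency to confirm the only address still admitted by the relay connector is the Barracuda.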