Netgate Discussion Forum

    Microsoft Exchange 2019 on premise

    General pfSense Questions
    13 Posts 3 Posters 351 Views
      matisardi

      Hi all,
      I am trying to configure an Exchange Server 2019 on premise behind pfSense 2.7.0 with no success.
      I have several IPs on my WAN interface, one of them is the IP I have to use with Exchange Server. I have configured a virtual IP and used it in NAT rules, but I have no incoming emails; outgoing emails are working.
      Do you have some configuration tips?

      Thanks in advance!

      Matias

        Rico

        Do you see any traffic on the firewall rules linked to the NAT port forwarding?
        Have you also checked the Windows Firewall on the Exchange server?

        -Rico

          matisardi

          Hi Rico,
          I have this Exchange Server working with another firewall, so Exchange configuration is OK. I am trying to migrate to pfSense.
          I think one of the problems is that incoming and outgoing traffic from the internet to the Exchange Server is under the WAN IP when it must be under the configured virtual IP for email purposes. Do you know how to configure this?

          Thanks,

          Matias

            Rico

            To achieve this, you’ll need to create an outbound NAT rule.
            You can find more information here:
            https://docs.netgate.com/pfsense/en/latest/nat/outbound.html

            -Rico

              SteveITS @matisardi

              @matisardi said in Microsoft Exchange 2019 on premise:

                  under WAN IP when it must be under configured virtual IP

              If you have two public IPs you can use 1:1 NAT to forward all ports to the Exchange Server, which you can then control via firewall rules. That will also automatically handle outbound NAT.

              Or you can use a virtual IP in your NAT rule, and handle outbound NAT yourself.

              pfSense 2.7.0

              Unrelated to your problem, but 2.7.2 has been out for quite a long time now. Also several patches for it.

              https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
              https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                matisardi

                Hi all,
                Thanks Rico and SteveITS.
                I have updated pfSense to v. 2.7.2 and configured a virtual IP and an Outbound rule. I can see the correct external IP from the Exchange Server now.
                But I still cannot reach port 25 from outside, I tried "telnet mxserver 25" and cannot connect.
                I have a NAT rule configured to accept port 25 on the virtual IP and redirect to the exchange internal IP.
                Any idea?

                Thanks,

                Matias

                  matisardi

                  When doing "telnet mxserver 25" from the internet I receive "421 4.3.2 Service not available" error.
                  Is the problem in pfSense or in Exchange?

                  Thanks,

                  Matias

                    SteveITS @matisardi

                    @matisardi That sounds like you're connecting to something, which is returning that error.

                    You might look through https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

                      Rico

                      '421 4.3.2 Service not available' is Exchange.

                      -Rico

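The two replies above make the same diagnostic point: a "421" line is an SMTP reply, so the TCP connection from the internet already reached a mail listener through the port forward, and the refusal is the mail server's decision rather than pfSense dropping the packet. The script below is an added example, not code from this thread or from Netgate; it separates "no connection" (timeout or refusal, which points at the firewall, NAT rule or upstream filtering) from "connected, server replied" (which points at the server's own configuration). It ships with a constructed local listener that imitates the 421 banner so it runs offline; `mx.example.test` in the usage comment is a placeholder hostname.

```python
import socket
import threading


def classify_banner(banner):
    """Map the first SMTP greeting line to a coarse verdict.

    220 means the server is ready; 4xx (such as the thread's
    '421 4.3.2 Service not available') is a temporary refusal issued by
    the server itself, 5xx a permanent one. Any of these prove the
    packet reached a listener, so the port forward is not the problem.
    """
    code = banner[:3]
    if code == "220":
        return "smtp-ready"
    if code.startswith("4"):
        return "smtp-temp-fail"
    if code.startswith("5"):
        return "smtp-perm-fail"
    return "unknown-banner"


def probe_smtp(host, port=25, timeout=5.0):
    """Connect to host:port, read the greeting, return (stage, detail).

    stage is "no-connection" when TCP never completes (firewall / NAT
    side), "connected-no-banner" when TCP completes but nothing speaks
    SMTP, or one of the classify_banner() verdicts (mail-server side).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("no-connection",
                "connect timed out: packets are dropped before any listener")
    except ConnectionRefusedError:
        return ("no-connection",
                "connection refused: a host answered but nothing listens there")
    except OSError as exc:
        return ("no-connection", f"connect failed: {exc}")

    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            # Read up to the end of the first greeting line only.
            while not data.endswith(b"\r\n"):
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    banner = data.decode("ascii", "replace").strip()
    if not banner:
        return ("connected-no-banner",
                "TCP connected but no SMTP greeting was sent")
    return (classify_banner(banner), banner)


def start_fake_smtp(banner=b"421 4.3.2 Service not available\r\n"):
    """Constructed stand-in for the thread's Exchange server, used only so
    the example runs offline: accept one connection, send the banner,
    close. Returns the ephemeral port it listens on (127.0.0.1)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Against the constructed listener: TCP succeeds, the server rejects.
    demo_port = start_fake_smtp()
    print(probe_smtp("127.0.0.1", demo_port))
    # Real use (placeholder host): probe_smtp("mx.example.test", 25)
```

Run it from a host outside the firewall against the virtual IP: a "no-connection" result means the port forward, its associated WAN firewall rule, or something upstream is blocking port 25, while any SMTP verdict means the forward works and the next place to look is the receive connector on the server.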
                        matisardi

                        Hi,
                        I think I know where the problem is. pfSense is forwarding traffic from port 25 with the original IP and not with the pfSense internal LAN IP. I have IP restrictions on the Default Frontend rule of the Exchange Server and the pfSense IP is allowed, but not the original IP.
                        In my old firewall, I have a setting where you can check "Requests appear to come from the original client" or "Requests appear to come from the firewall server". I do not find this setting in pfSense.

                        Thanks,

                        Matias

                          SteveITS @matisardi

                          @matisardi Sounds like it. If you need that restriction then I think "outbound NAT" will accomplish that in pfSense, though personally I've never used that for inbound traffic like that.

                          Or just remove the restriction and let the firewall control access from the Internet.

                          When we had clients with Exchange we'd use our spam filter service and only allow those IPs through the firewall.

                            matisardi (last edited by matisardi)

                            Hi all,
                            SMTP problems solved. I had to remove IP restrictions on the Exchange Server and add an extra mail flow rule.
                            I don't understand why some features in my old Forefront (ISA) Server are not available in pfSense.
                            Now I am dealing with OWA. I get a security warning because of the certificate. I am trying to configure Squid Reverse Proxy, is it the right way?

                            Many thanks,

                            Matias

                              matisardi

                              Hi all,
                              Exchange Server working.
                              Configured with Squid Reverse Proxy and a firewall rule, NAT rule not configured.
                              Many Thanks!

                              Matias

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.