Most organizations are spread across multiple locations in today's business world. Exchange being such a critical application, it is essential to keep it up and running around the clock without downtime. For high availability and disaster recovery, Exchange 2013 brings several improvements and some changes to DAGs compared with Exchange 2010. How, though, would you provide a redundant path to send and receive email from the Internet if the entire primary site goes down and Exchange is running from the DR site? Of course we can add servers in the DMZ to take up the load if one or more servers fail. What can you do if the complete datacenter goes down?
Let's consider an example with two datacenters hosting Exchange servers. The primary datacenter is in New York and has Internet access to send and receive external email; the second datacenter is in Dallas. The two are interconnected by a high-speed WAN link.
Figure 1 (seen below) is a visual representation of the above scenario:
Figure 1. Email flow between primary, secondary datacenter and internet.
In the above example the first datacenter (New York) hosts Exchange servers in a DAG and provides site resilience through the alternative datacenter in Dallas. It also has the Internet connectivity to send and receive Internet email. The second datacenter in Dallas hosts only Exchange servers. If the Exchange servers in the primary datacenter are lost, the passive copies of the mailbox databases in Dallas are activated (automatically only if the DAG keeps quorum without New York, otherwise through a datacenter switchover) and users connect to the Dallas Exchange servers to access their email.
With the loss of the primary datacenter in New York, we also lose the DMZ. This breaks Internet mail flow for the organization: users will not be able to send or receive email over the Internet. Sending systems queue undeliverable messages for a while, but once their retry period (typically a few days) expires the messages are bounced, so a long outage means lost mail (not to mention lost revenue). Let us work on a solution by providing a redundant path to send and receive email over the Internet.
In our design example Exchange is configured in both AD sites. The primary site in New York hosts the active copies while the secondary site in Dallas hosts the passive copies. New York is the only AD site connected to the Internet. To provide alternative Internet mail flow we need to connect the Dallas AD site to the Internet through a Dallas DMZ. Figure 2 shows these details. A connection to the Internet at Dallas alone will not serve the purpose, though.
Figure 2. New internet mail flow configuration through Dallas datacenter.
Let's list the steps to configure Dallas to send and receive mail over the Internet.
Configuring Dallas Site to Accept Messages via Internet
- Create and configure a new DMZ in Dallas
- Connect the Dallas DMZ to the Internet through a different ISP (Internet Service Provider) than the one used by the New York AD site
- Add and configure new Sendmail servers and other gateway servers (IronPort, etc.) in the Dallas DMZ
- Configure the Sendmail servers to accept email from the Internet and forward it to the internal Dallas Exchange 2013 CAS servers
- Configure the Dallas Exchange 2013 CAS servers to accept email from the DMZ through a receive connector on SMTP port 25 (the Front End Transport service on the CAS), restricted to the IP addresses of the DMZ relays
- Finally, last but not least, the most important task: add a new MX record for the domain in Internet DNS, with a higher preference value (that is, a lower priority) than the New York MX record
Sending mail servers try the MX record with the lowest preference value first; if that host is not reachable, they fall back to the record with the next higher value. It is recommended that the backup MX record point to a different region, which provides the alternative path to accept email if the primary site goes down. One caveat: spammers deliberately target backup MX hosts on the assumption that they are filtered less strictly, so the Dallas gateways must enforce the same anti-spam and recipient validation policy as New York.
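The inbound half of the procedure above, as an added Exchange Management Shell example (this is not code from the original article). All names are assumptions: the domain contoso.com, Dallas CAS servers DAL-CAS01 and DAL-CAS02 in the internal domain corp.contoso.com, Dallas DMZ relays on 198.51.100.10 and 198.51.100.11 (a documentation IP range), and a public resolver used to query the external MX records.

```powershell
# Added example, not from the original article. Assumed names: contoso.com,
# DAL-CAS01/DAL-CAS02, Dallas DMZ relays 198.51.100.10-11 (documentation range).

# 1. Receive connector on each Dallas CAS (Front End Transport service, port 25),
#    limited to the Dallas DMZ relays so only the relays can hand mail to Exchange.
#    Exchange picks the connector whose RemoteIPRanges matches most specifically,
#    so this connector wins over "Default Frontend" for sessions from the relays.
$dallasCas    = 'DAL-CAS01', 'DAL-CAS02'
$dallasRelays = '198.51.100.10', '198.51.100.11'

foreach ($server in $dallasCas) {
    New-ReceiveConnector -Name 'Inbound from Dallas DMZ relays' `
        -Server $server `
        -TransportRole FrontendTransport `
        -Usage Custom `
        -Bindings '0.0.0.0:25' `
        -RemoteIPRanges $dallasRelays `
        -PermissionGroups AnonymousUsers `
        -Fqdn "$server.corp.contoso.com"
}

# 2. Verify the public MX records as the Internet sees them (query an external
#    resolver, not the internal AD DNS). Preference is a cost: the LOWEST value
#    is tried first, so the Dallas record must carry the HIGHER value and is only
#    used when the New York host is unreachable.
function Get-MxOrder {
    param(
        [string]$Domain,
        [string]$Resolver = '8.8.8.8'   # assumed external resolver
    )
    Resolve-DnsName -Name $Domain -Type MX -Server $Resolver |
        Where-Object { $_.Type -eq 'MX' } |   # drop A records from the additional section
        Sort-Object Preference |
        Select-Object Preference, NameExchange
}

# 3. Confirm that each relay actually listens on 25 before relying on it as a path.
function Test-RelayListening {
    param([string[]]$Relays)
    foreach ($relay in $Relays) {
        $ok = (Test-NetConnection -ComputerName $relay -Port 25 -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Relay = $relay; Port25Open = $ok }
    }
}

Get-MxOrder -Domain 'contoso.com'
Test-RelayListening -Relays $dallasRelays
```

The receive connector deliberately keeps the default anonymous permission group but narrows the source to the relay addresses; anything else reaching the CAS on port 25 still lands on the default Front End connector and its normal policy. Run Get-MxOrder from a machine outside the corporate network as well, because split-brain DNS can make the internal view of the MX records differ from what senders on the Internet see.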
Configuring Dallas Site to Send Messages to Internet (some steps are already covered above)
- Dallas is already connected to the Internet; now configure the Sendmail and other servers (DLP, etc.) to accept email from the Dallas Exchange 2013 servers only and forward it to the Internet
- Create and configure a new Send connector to send email to the Internet. In Exchange 2013 the source transport servers of a Send connector are Mailbox servers (the Transport service), so make sure the source servers are the Dallas Mailbox servers only; enable front-end proxying if the outbound session should leave through the Dallas CAS servers. The destination (smart host) servers are the Sendmail/IronPort servers in the Dallas DMZ
- Finally, update SPF (Sender Policy Framework) and Sender ID in public DNS to include the public/external IP addresses of the Dallas Sendmail servers alongside the existing New York addresses. This tells receiving systems that the new Sendmail servers in the Dallas DMZ are authorized to send for the domain, so their mail can be accepted at the target
It is important to configure SPF and Sender ID correctly. Any misconfiguration can lead to non-delivery of messages to the target recipient: a receiver that enforces a hard fail will reject Dallas mail outright if the Dallas addresses are missing from the record, and replacing the New York addresses instead of adding to them breaks New York's mail in the same way. Most organizations accept email from the Internet only if the message is from a trusted source.
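The outbound half of the procedure, as an added Exchange Management Shell example that is not code from the original article. Assumptions: Dallas Mailbox servers DAL-MBX01 and DAL-MBX02, the Dallas DMZ relays 198.51.100.10 and 198.51.100.11, New York relay public addresses 192.0.2.10 and 192.0.2.11, the domain contoso.com with the outbound FQDN mail.contoso.com, and an existing New York Send connector with a lower address space cost so that New York remains the normal path while both sites are up.

```powershell
# Added example, not from the original article. Assumed names: DAL-MBX01/DAL-MBX02,
# Dallas relays 198.51.100.10-11, New York relays 192.0.2.10-11, contoso.com.

# 1. Send connector for the Dallas site. Source transport servers must be Mailbox
#    servers (Transport service); FrontendProxyEnabled makes the outbound session
#    leave via the Dallas CAS. Smart hosts are the DMZ relays, so Exchange never
#    resolves Internet MX records itself. Cost 10 is assumed to be higher than the
#    New York connector's cost so New York is preferred while it is available.
New-SendConnector -Name 'Internet via Dallas DMZ' `
    -Usage Internet `
    -AddressSpaces 'SMTP:*;10' `
    -SourceTransportServers 'DAL-MBX01', 'DAL-MBX02' `
    -SmartHosts '[198.51.100.10]', '[198.51.100.11]' `
    -SmartHostAuthMechanism None `
    -FrontendProxyEnabled $true `
    -Fqdn 'mail.contoso.com'

# 2. SPF: the published TXT record must list BOTH sites' outbound public IPs, e.g.
#    v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:198.51.100.10 ip4:198.51.100.11 -all
#    The check below resolves the live record from an external resolver and confirms
#    that a given address is covered by a plain ip4 mechanism. (include:/a/mx
#    mechanisms would need recursive evaluation and are reported as not covered.)
function Test-SpfCoversIp {
    param(
        [string]$Domain,
        [string]$Ip,
        [string]$Resolver = '8.8.8.8'   # assumed external resolver
    )
    $spf = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver |
        ForEach-Object { $_.Strings -join '' } |    # long TXT records are split into chunks
        Where-Object { $_ -like 'v=spf1*' } |
        Select-Object -First 1
    if (-not $spf) { return $false }
    ($spf -split '\s+') -contains "ip4:$Ip"
}

# Both sites' relays must be covered, otherwise one of them fails SPF at receivers.
$outboundRelays = '192.0.2.10', '192.0.2.11', '198.51.100.10', '198.51.100.11'
foreach ($ip in $outboundRelays) {
    [pscustomobject]@{
        Relay      = $ip
        SpfCovered = Test-SpfCoversIp -Domain 'contoso.com' -Ip $ip
    }
}
```

Run the SPF check after every change to the record and again once the public DNS TTL has expired, since receivers will keep evaluating the old record until then. If the New York connector has been set up without FrontendProxyEnabled, keep the two connectors consistent; a mismatch only shows up as a different source address at the receiver, which is exactly what SPF is checking.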
Configuring alternative paths to send and receive Internet messages is expensive. You need a similar number of servers, the same network infrastructure (DMZ and Exchange 2013 servers), the configuration effort, and even equivalent network bandwidth at the secondary site, if it must take up the complete Internet email load when the primary datacenter fails.