
Exchange 2010 and Barracuda Spam FW 300

send connector owa exchange firewall

15 replies to this topic

#1 howithink

howithink
  • Members
  • 13 posts

Posted 30 July 2015 - 03:26 PM

We will try to use Barracuda Spam FW 300 to work with our Exchange 2010.

I have everything set up on the Barracuda spam FW and I think I know what to do on the Exchange as well.

My steps to switch emails from Exchange to Barracuda:

Step 1: On Barracuda: Basic > Outbound > Relay using trusted IP > IP address of Exchange server

Step 2: On Barracuda: Domain > Domain Manager > Added Exchange domain

Step 3: On Cisco FW: Change public IP pointed to Exchange server to Barracuda device (NAT).

Step 4: Create send connector in Exchange to smarthost to Barracuda spam device.

Step 5: Disable existing send connectors (so we don't send out duplicates).

That should be all on my part. At least this is what I am told by Barracuda technical support.

My concerns:

1. I am already using Barracuda spam for our other Linux servers, and in the firewall there is already an entry for a public IP of our Linux server, which now points to the Barracuda device.

Can I have multiple public IP addresses pointing to the same internal device? I don't think it should be an issue, but nonetheless worth asking.

2. Our employees use OWA (https://mail.company.com/OWA) to check emails from home or mobile on their phone. OWA points to the MX record of mail.company.com, which points to the Exchange server.

If I change the FW to point that record to Barracuda, won't this break my OWA? Email will flow, but how will my employees access mail through OWA?

Please advise as soon as possible.

thanks,

 



#2 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 30 July 2015 - 04:15 PM

Hello,

To answer #1: you can NAT any IPs generally to the same IP address if you'd like, depending on your firewall.

For #2, you are correct, this would point it to the Barracuda instead of Exchange/OWA. So we'd suggest you use a different hostname in the MX records, such as "barracuda.company.com"; that way anyone who is configured to mail.company.com will not have to change their client configurations.



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 howithink

Posted 30 July 2015 - 04:47 PM

Matt,

 

Once again thank you for your assistance. So should I create another MX record called barracuda.companyname.com and point that IP to where? The Exchange or the Barracuda device? Once I do that, then what?



#4 mheller

Posted 30 July 2015 - 04:50 PM

Hello,

 

Yes, I personally would create:

A DNS A record barracuda.mycompany.com pointing to your NAT IP that goes to your Barracuda,

then add this A record as an additional MX record, and trial out mail flowing to the Barracuda and ensure it works as you like.

Once comfortable, you can remove the Exchange record from your MX,

then firewall your Exchange on port 25 so no mail from the internet can email it directly.

How's that sound?






#5 howithink

Posted 30 July 2015 - 05:00 PM

OK, so let me understand this, and please forgive my ignorance.

1. I have several public IP addresses available. I will take a public IP and call it barracuda.mycompany.com to create an A record.

2. I will then create an MX record called barracuda.mycompany.com with a metric of 30 (since the other two are using higher metrics).

3. I will then update this public record for PTR:

@. TXT "v=spf1 mx ptr ptr:ca.mycompany.com ptr:mycompany.net mx:mail.mycompany.com mx:mx2.mycompany.com mx:barracuda.mycompany.com ip4:<public ip> ip4:<public ip> ip4:<public ip of new barracuda device> ~all"

4. Then on my firewall I will create an entry for the barracuda.mycompany.com new public IP and map it to the internal IP of the Barracuda device.

Does that sound correct? How will mail flow to this Barracuda? Do I need to make any changes in Exchange so it knows to use that new Barracuda MX record?

thanks....
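An added example (not from this thread or from Barracuda) that checks the two DNS changes described in this post: the order in which sending MTAs will try the MX hosts by preference value, and whether the published SPF record actually lists the new Barracuda MX host and public IP. Hostnames and IPs are constructed placeholders modelled on the post.

```python
import re

# Constructed sample data modelled on the thread; hostnames and IPs are placeholders.
MX_RECORDS = [(30, "barracuda.mycompany.com"),
              (10, "mail.mycompany.com"),
              (20, "mx2.mycompany.com")]
SPF_RECORD = ("v=spf1 mx ptr mx:mail.mycompany.com mx:mx2.mycompany.com "
              "mx:barracuda.mycompany.com ip4:203.0.113.10 ip4:203.0.113.11 ~all")

# Mechanisms that each cost a DNS lookup under RFC 7208's limit of 10 per evaluation.
LOOKUP_MECHANISMS = {"mx", "a", "ptr", "include", "exists", "redirect"}


def mx_delivery_order(records):
    """Return MX hosts in the order a sending MTA tries them (RFC 5321):
    lowest preference value first, so a 'higher metric' host is tried last."""
    return [host for _, host in sorted(records)]


def spf_terms(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = []
    for token in record.split()[1:]:          # skip the 'v=spf1' version tag
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?", token)
        if m:
            terms.append((m.group(1) or "+", m.group(2), m.group(3)))
    return terms


def lint_spf(record, required_hosts, required_ips):
    """Check the published record against the MX hosts and public IPs that must
    be authorised to send once the Barracuda is in the path. Returns findings."""
    findings = []
    terms = spf_terms(record)
    listed_hosts = {arg for _, mech, arg in terms if mech == "mx" and arg}
    listed_ips = {arg for _, mech, arg in terms if mech == "ip4"}
    for host in required_hosts:
        if host not in listed_hosts:
            findings.append(f"mx:{host} missing")
    for ip in required_ips:
        if ip not in listed_ips:
            findings.append(f"ip4:{ip} missing")
    if any(mech == "ptr" for _, mech, _ in terms):
        findings.append("ptr mechanism present (deprecated by RFC 7208, slow and unreliable)")
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if not terms or terms[-1][1] != "all":
        findings.append("record does not end with an 'all' mechanism")
    return findings
```

With the sample data the Barracuda host at preference 30 is tried last, which is why a new MX with a higher value sees little traffic while the lower-value Exchange record is still published.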



#6 mheller

Posted 30 July 2015 - 05:20 PM

You got it all spot on correct!

Do you want to then use the Barracuda to filter outbound email?






#7 howithink

Posted 30 July 2015 - 05:25 PM

Yes, for that I will need to create a send connector to the Barracuda device in Exchange, correct?

So once I make the FW change for the Barracuda and I see emails coming through, then all I do is disable the SMTP entry from the existing mail.company.com FW entry, correct? This way OWA, ActiveSync and everything will still work, just with all emails flowing through the Barracuda?



#8 mheller

Posted 30 July 2015 - 05:29 PM

You are correct :)

OWA/ActiveSync use HTTPS, so with the SMTP port blocked mail will still flow.

Here is an article on Exchange 2007 outbound setup:

http://www.barracuda...50160000000HNQn






#9 howithink

Posted 30 July 2015 - 05:51 PM

What about IMAP4 and POP? That doesn't go through the Barracuda, correct? Or do I map those to the new Barracuda FW access list as well?

Update: I have made all the changes, both publicly and on the firewall. As of now, I have not disabled SMTP on the original Exchange FW entries; waiting to see if mail will flow through the Barracuda. By the way, will it still hit the MX record of mail.mycompany.com or the MX of barracuda.mycompany.com? I would think the latter, since the metric of that is higher, so I might not see mail coming through the Barracuda.



#10 mheller

Posted 30 July 2015 - 05:58 PM

Any externally used services should stay pointed to mail.company.com, and have this direct to your Exchange.

The BSF should just accept port 25 etc.

If you have any questions on the mail flow, please don't hesitate to call support!






#11 Rick

Rick
  • Members
  • 3 posts

Posted 31 July 2015 - 08:51 AM

For a while, it could hit both MX records since DNS propagation might take some time. Even after DNS has propagated, the MX with the higher value might get hit by spammers. Ideally, you want both MX to receive email for, let's say, 24h before you close port 25 on your old, higher-value MX. If you still have an anti-spam service and you feel like you could keep receiving emails from your higher-value MX, this could become some sort of failover in case you have issues or want to do maintenance on the Barracuda. If not, you can configure your firewall to deny connections on the higher-value MX and configure Exchange accordingly.



#12 howithink

Posted 31 July 2015 - 11:24 AM

This appears to be the case, I believe.

Looks like both MX records are receiving emails. It's been 16 hours so far and all the DNS propagation records (few exceptions, overseas) show the MX records to be updated.

The new MX record I created was given a metric of 10, while the old MX records were changed to 30 and above.

What's concerning me is the fact that in my firewall, the new NAT I created to allow SMTP only for the new MX record shows 0 hits on the counters, yet half the emails are coming to this MX record while half the emails are going to the old MX records. I should have seen at least some traffic, which it clearly is getting.

My suspicions are that last week we used the same BSF for another mail server (Linux based) with a completely separate MX record and public IP. I pointed that public IP within the FW to the BSF.

Now last night I created the new MX record for our Exchange servers (completely different domain from our Linux servers) and assigned it a completely different public IP, which points to the same BSF internally.

Do you guys think that might be the cause of why no traffic is seen on that NAT (counters are empty), that it's getting confused? Don't know, just thinking out loud.



#13 mheller

Posted 31 July 2015 - 11:26 AM

That's entirely plausible. The firewall may be confused, and a reboot or rule recreate may be necessary to fix it.






#14 howithink

Posted 31 July 2015 - 01:23 PM

Had the FW looked over by Cisco and everything is good. Do you think maybe, since I created this new MX record called barracuda.mycompany.com, that I should add this to the BASIC > OUTBOUND > RELAY TRUSTED IP section?



#15 mheller

Posted 31 July 2015 - 01:25 PM

No. Do not add that to the outbound section, as it can permit unnecessary relaying.

Call support so we can review with you!






#16 howithink

Posted 31 July 2015 - 01:36 PM

Thanks. I did, and was told not to. Will keep it as is for now. Will look into it and update this thread next week. Thanks for your assistance so far.