>Fortinet Fortigate 80C

just looked at the specs, that is a dual wan appliance, you are more than 
halfway there 

Jean-Paul Natola
Date: Thu, 20 May 2010 17:20:24 -0400
Subject: Re: Two Separate Exchange Servers
From: m...@burianit.com
To: exchangelist@lyris.sunbelt-software.com

Right now it sounds like getting the second IP address and separate 
router/firewall in place will be the best solution.  


The business separation plan has occurred fairly recently and all resources 
were previously shared.  I will refer to the business that I am doing the IT 
work for as Business A and the other as Business B.  Right now, everything is 
still on the same physical network, all running behind a Fortinet Fortigate 80C 
(a vendor which I have not had much experience with).  Business B's new 
Exchange server was implemented several months ago by another IT company.  My 
goal is to separate physical networks and resources.  I'm not sure if the 
Fortinet's internal interfaces can be assigned to work with different internet 
IPs yet.  However, even if it can, getting a separate unit would probably be 
best.


I appreciate all the input.


Matt



On Thu, May 20, 2010 at 3:31 PM, Mike Griffiths <li...@themightygibbon.co.uk> 
wrote:


On 20/05/2010 17:49, Burian, Matthew J. (mjb) wrote:

Anyone have any experience running two completely separate Exchange 2K7 systems 
(different external domains, diff users, diff AD, etc.) on the same internet 
IP address behind the same firewall?  Or would this even be possible?

The situation is 2 different organizations in the same building, sharing a 
single T1 internet connection and internet firewall/router.

Any input would be appreciated.  Thanks!

It can be done using relay domains on the Edge transport - you basically make 
one server the NAT destination for inbound port 25, and have it route all email 
for the second domain direct to the other server through a connector.

However, this does mean the second organisation needs to trust the first for 
mail routing. If they aren't that closely related & supported by the same team 
you'll be looking at some major problems (the first org basically controls mail 
flow for the second; if they choose to break their own stuff it breaks inbound 
mail for everyone!). You'll also need to make sure both servers can see each 
other on port 25/SMTP with connectors set up (more potential network security / 
trust issues), and remember not to generate NDRs for invalid recipients on the 
second server or you'll get blacklisted for all the NDRs you send to spoofed 
email addresses.

Yes, you can do it (and there's plenty of guidance on technet in getting it set 
up), but it isn't worth the hassle of support & administration.

As others said, a second IP address is easiest and cheapest - you'd just NAT 
port 25 of each IP address to the relevant server on your firewall. But if this 
isn't possible and the trust issues are insurmountable, invest in some form of 
SMTP proxy server that sits in front of both servers and redirects email for 
each domain appropriately (preferably also doing LDAP lookups to make sure it 
only accepts email for genuine recipients). This should be managed by whoever 
manages the firewall, since they already assume some "service provider" status.
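The relay-domain arrangement described in the reply above, written out as Exchange 2007 Management Shell commands. This is an added illustration, not part of the thread or either organisation's configuration; the domain name, the smart-host IP address and the connector names are constructed placeholders.

```powershell
# Added example: one inbound NAT target (Business A's Edge Transport) relaying
# mail for a second, unrelated Exchange organisation (Business B).
# Assumptions (not from the thread): B's mail domain is businessb.example and
# B's Hub Transport server listens for SMTP on 192.0.2.20 (RFC 5737 placeholder).

# --- Run on Business A's Edge Transport server ---------------------------------

# 1. Declare B's domain as a relay domain. ExternalRelay tells the Edge to
#    accept mail for it and pass it on without resolving B's recipients itself.
New-AcceptedDomain -Name "Business B (relayed)" `
    -DomainName "businessb.example" `
    -DomainType ExternalRelay

# 2. Route that domain directly to B's server instead of via MX lookup. This is
#    the "connector" in the reply; A now controls B's inbound mail flow.
New-SendConnector -Name "Relay to Business B" `
    -Usage Custom `
    -AddressSpaces "businessb.example" `
    -SmartHosts "192.0.2.20" `
    -DNSRoutingEnabled $false

# 3. Keep recipient validation on for A's own domains so unknown recipients are
#    refused at RCPT TO. A's Edge only knows A's recipients (via EdgeSync), so
#    it cannot validate B's; that gap is why the reply suggests an SMTP proxy
#    doing LDAP lookups against both directories.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# --- Run on Business B's Hub Transport server ----------------------------------

# 4. B must reject unknown recipients during the SMTP session rather than
#    accept the message and bounce it later (backscatter to spoofed senders).
#    Requires the anti-spam agents to be installed on the Hub Transport role.
#    Caveat: because A's Edge has already accepted the message, a 5xx from B
#    still makes A's Edge generate the NDR, so this limits but does not remove
#    the problem the reply warns about.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 5. Review the resulting routing on A's Edge before changing the firewall NAT.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts
```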

