Fortinet Fortigate 80C: just looked at the specs, that is a dual WAN appliance, you are more than halfway there.

Jean-Paul Natola

Date: Thu, 20 May 2010 17:20:24 -0400
Subject: Re: Two Separate Exchange Servers
From: m...@burianit.com
To: exchangelist@lyris.sunbelt-software.com

Right now it sounds like getting the second IP address and separate router/firewall in place will be the best solution. The business separation plan has occurred fairly recently and all resources were previously shared. I will refer to the business that I am doing the IT work for as Business A and the other as Business B. Right now, everything is still on the same physical network, all running behind a Fortinet Fortigate 80C (a vendor which I have not had much experience with). Business B's new Exchange server was implemented several months ago by another IT company. My goal is to separate physical networks and resources. I'm not sure if the Fortinet's internal interfaces can be assigned to work with different internet IPs yet. However, even if it can, probably getting a separate unit would be best.

I appreciate all the input.

Matt

On Thu, May 20, 2010 at 3:31 PM, Mike Griffiths <li...@themightygibbon.co.uk> wrote:

On 20/05/2010 17:49, Burian, Matthew J. (mjb) wrote:

Anyone have any experience running two completely separate Exchange 2K7 systems (different external domains, diff users, diff AD, etc.) on the same internet IP address behind the same firewall? Or would this even be possible? The situation is 2 different organizations in the same building, sharing a single T1 internet connection and internet firewall/router. Any input would be appreciated. Thanks!

It can be done using relay domains on the Edge transport - you basically make one server the NAT destination for inbound port 25, and have it route all email for the second domain direct to the other server through a connector. However, this does mean the second organisation needs to trust the first for mail routing.
If they aren't that closely related & supported by the same team you'll be looking at some major problems (the first org basically controls mail flow for the second; if they choose to break their own stuff it breaks inbound mail for everyone!). You'll also need to make sure both servers can see each other on port 25/SMTP with connectors set up (more potential network security / trust issues), and remember not to generate NDRs for invalid recipients on the second server or you'll get blacklisted for all the NDRs you send to spoofed email addresses.

Yes, you can do it (and there's plenty of guidance on TechNet on getting it set up), but it isn't worth the hassle of support & administration. As others said, a second IP address is easiest and cheapest - you'd just NAT port 25 of each IP address to the relevant server on your firewall. But if this isn't possible and the trust issues are insurmountable, invest in some form of SMTP proxy server that sits in front of both servers and redirects email for each domain appropriately (preferably also doing LDAP lookups to make sure it only accepts email for genuine recipients). This should be managed by whoever manages the firewall, since they already assume some "service provider" status.
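The relay-domain setup Mike describes, written out for the Exchange 2007 Management Shell as an added example that is not part of the thread or any participant's actual configuration. The domain name and the two internal IP addresses are placeholders; the last block shows where the NDR/backscatter point he raises actually bites.

```powershell
# Added example, not from the thread: one Edge Transport server is the NAT
# target for inbound port 25 and relays Business B's domain to B's own server.
# Every domain name and IP address below is a placeholder, not a thread value.
$relayDomain     = "businessb.example"   # placeholder: Business B's mail domain
$businessBServer = "192.0.2.25"          # placeholder: Business B's Exchange server (internal IP)
$businessAEdge   = "192.0.2.10"          # placeholder: Business A's Edge Transport (internal IP)

### On Business A's Edge Transport server (the NAT destination for port 25) ###

# Accept mail for B's domain without being authoritative for it. ExternalRelay
# means this server cannot validate B's recipients; it only relays them onward.
New-AcceptedDomain -Name "Business B (relay)" -DomainName $relayDomain -DomainType ExternalRelay

# Send everything for that domain straight to B's server on port 25. DNS routing
# is disabled because the public MX for both domains resolves to this same IP.
New-SendConnector -Name "Relay to Business B" -Usage Custom `
    -AddressSpaces "SMTP:$relayDomain;1" -SmartHosts $businessBServer `
    -DNSRoutingEnabled $false -Port 25

# Reject unknown recipients for A's own (authoritative) domains during the SMTP
# session rather than accepting and bouncing. This does not cover the relay domain.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

### On Business B's Exchange server ###

# Accept port-25 traffic only from A's Edge server. B's domain is authoritative
# here, so anonymous delivery to local mailboxes needs no relay permission.
New-ReceiveConnector -Name "From Business A Edge" -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $businessAEdge `
    -PermissionGroups AnonymousUsers

# The backscatter trap: if B rejects an invalid recipient on this hop, A's Edge
# has already accepted the message from the internet, so A's Edge is the server
# that emits the NDR to a possibly spoofed sender. Only checking B's recipients
# at the first hop (the LDAP-aware SMTP proxy Mike mentions) closes that gap.
```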