High Availability of Exch 2016 - Fortinet 61E

Author
ahsan
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Status: offline
2018/01/24 03:55:08 (permalink)
0

High Availability of Exch 2016 - Fortinet 61E

Hi,
 
I have Fortinet 61E deployed and I want to allow my exchange server to be able to send and receive emails and OWA.
 
WAN interface is 200.200.200.1
Exch-1 is 192.168.0.10
Exch-2 is 192.168.0.11
 
Internally I have DNS round robin and clients access the servers via URL and randomly access both servers.
 
For WAN, I have VIP 200.200.200.1 -> 192.168.0.10 (25 -> 25)
I cannot create same VIP for other server as it says same already exists.
 
How can I achieve the following:
VIP 200.200.200.1 -> 192.168.0.10 (25 -> 25)
VIP 200.200.200.1 -> 192.168.0.11 (25 -> 25)
 
I need to open port 25 and 443 on WAN interface and forward traffic to both internal email servers. Exchange server is DAG.
Attached is the scenario.
 
Any help will be much appreciated.

Attached Image(s)

#1
Markus
Silver Member
  • Total Posts : 113
  • Scores: 8
  • Reward points: 0
  • Joined: 2015/03/19 07:30:23
  • Location: Switzerland
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 03:29:12 (permalink) Best Answer by ahsan 2018/01/25 07:17:42
5 (1)
Hi,

You can achieve this with load balancing. Maybe you have to enable it first -> System -> Feature Visibility
Then create two virtual servers (smtp(s) and https) and then add the real servers. I'm not quite sure, but for the low-end Fortigates, you need firmware 5.6.x to create https virtual servers.

Best regards,
Markus
#2
BrUz
Gold Member
  • Total Posts : 364
  • Scores: 4
  • Reward points: 0
  • Joined: 2011/09/30 01:26:25
  • Location: Norway
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 06:01:56 (permalink)
0
5.6.x and virtual servers work well with low-end 5-9xE devices. Maybe lower also; have not tested.

Fortigate <3
#3
Markus
Silver Member
  • Total Posts : 113
  • Scores: 8
  • Reward points: 0
  • Joined: 2015/03/19 07:30:23
  • Location: Switzerland
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 06:07:28 (permalink)
0
Yes, it works fine with low-end Fortis, but if I remember correctly, with 5.6.0, I was not able to create an https virtual server.
#4
BrUz
Gold Member
  • Total Posts : 364
  • Scores: 4
  • Reward points: 0
  • Joined: 2011/09/30 01:26:25
  • Location: Norway
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 06:12:01 (permalink)
0
mgrosni
Yes, it works fine with low-end Fortis, but if I remember correctly, with 5.6.0, I was not able to create an https virtual server.

5.6.0 had several bugs like all other FortiOS big releases; never run early versions in critical production.

Fortigate <3
#5
romanr
Platinum Member
  • Total Posts : 903
  • Scores: 30
  • Reward points: 0
  • Joined: 2004/06/08 08:29:56
  • Location: Vienna/Austria
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 06:27:24 (permalink)
0
Hey,
 
SSL Offloading for Virtual Servers starts with the 100 series models. So only 100Ds or 100Es or bigger can do it.
 
As far as I remember this has always been like that...
 
Have a look in the platform feature matrix: https://docs.fortinet.com/d/fortigate-fortios-5.6-feature-platform-matrix
 
 
Br,
Roman
#6
BrUz
Gold Member
  • Total Posts : 364
  • Scores: 4
  • Reward points: 0
  • Joined: 2011/09/30 01:26:25
  • Location: Norway
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 07:11:15 (permalink)
0
Yes, SSL offloading is only on bigger models, but the "virtual server" feature works perfectly in small models.

Fortigate <3
#7
romanr
Platinum Member
  • Total Posts : 903
  • Scores: 30
  • Reward points: 0
  • Joined: 2004/06/08 08:29:56
  • Location: Vienna/Austria
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/25 07:14:33 (permalink) Helpful by ahsan 2018/01/25 07:18:08
5 (1)
Correct, but there won't be any Virtual Server with HTTPS on a desktop model.
 
So you will have to do Layer 4 load balancing, meaning a TCP port 443 load balance.
 
Br,
Roman
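As an added illustration of what Markus (#1) and Roman (#7) describe, here is a FortiOS 5.6-style CLI configuration for two Layer 4 virtual servers on the single WAN address from the question. This is constructed example configuration, not from any post in this thread or from Fortinet documentation; the interface names "wan1" and "internal", the object names and the monitor timers are assumptions, while the IPs and ports are the ones the question gives.

```fortios
# Added example (not from any post in this thread): FortiOS 5.6-style CLI for the
# two Layer 4 virtual servers described above. Interface names "wan1" and
# "internal", object names and monitor timers are assumptions; the IPs and
# ports are the ones from the question.

# Health checks: a real server that stops answering on its port is taken out of
# rotation instead of still receiving half of the new connections.
config firewall ldb-monitor
    edit "tcp-25"
        set type tcp
        set port 25
        set interval 10
        set timeout 2
        set retry 3
    next
    edit "tcp-443"
        set type tcp
        set port 443
        set interval 10
        set timeout 2
        set retry 3
    next
end

# One virtual server per port on the WAN address. "server-type tcp" is plain
# Layer 4 balancing: TLS is passed through to Exchange, not terminated on the
# FortiGate, so this does not depend on SSL offloading being available.
config firewall vip
    edit "vs-exch-smtp"
        set type server-load-balance
        set server-type tcp
        set ldb-method round-robin
        set extip 200.200.200.1
        set extintf "wan1"
        set extport 25
        set monitor "tcp-25"
        config realservers
            edit 1
                set ip 192.168.0.10
                set port 25
            next
            edit 2
                set ip 192.168.0.11
                set port 25
            next
        end
    next
    edit "vs-exch-https"
        set type server-load-balance
        set server-type tcp
        set ldb-method round-robin
        set extip 200.200.200.1
        set extintf "wan1"
        set extport 443
        set monitor "tcp-443"
        config realservers
            edit 1
                set ip 192.168.0.10
                set port 443
            next
            edit 2
                set ip 192.168.0.11
                set port 443
            next
        end
    next
end

# Inbound policy from WAN to the two virtual servers only, limited to the two
# services and logged, so nothing else behind 200.200.200.1 is reachable.
config firewall policy
    edit 0
        set name "wan-to-exchange"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vs-exch-smtp" "vs-exch-https"
        set action accept
        set schedule "always"
        set service "SMTP" "HTTPS"
        set logtraffic all
    next
end
```

Using two virtual servers with real servers sidesteps the "VIP already exists" error from the question: the external IP and port are defined once per virtual server, and the two DAG members are listed as real servers behind it. Because the HTTPS virtual server is Layer 4 only, OWA's TLS certificate still lives on the Exchange servers and the FortiGate cannot inspect that traffic.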
#8
Markus
Silver Member
  • Total Posts : 113
  • Scores: 8
  • Reward points: 0
  • Joined: 2015/03/19 07:30:23
  • Location: Switzerland
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/26 00:12:34 (permalink)
0
Fortinet added SSL offloading also to Desktop Models (I think it was 5.6.2 or 3). I've tested it with my 60E (5.6.3, see image).
@BrUz, full ack, never use x.0 releases in critical environments
post edited by Markus - 2018/01/26 00:13:41

Attached Image(s)

#9
ahsan
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/26 00:58:17 (permalink)
0
I am using 61-E with firmware 5.6.3. Can't see SSL offloading. Please see the screenshot.

Attached Image(s)

#10
romanr
Platinum Member
  • Total Posts : 903
  • Scores: 30
  • Reward points: 0
  • Joined: 2004/06/08 08:29:56
  • Location: Vienna/Austria
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/01/26 02:43:56 (permalink)
0
Hey,
 
I was just surprised to see it is actually really there on a 60E :-) ... nice one!
 
@ahsan
Fortigate or VDOM Operation has to be in Proxy Mode!! Have a look in the "System Settings" Menu!
 
Br,
Roman
 
PS: I am not sure if Layer 7 LB with HTTPS offloading on a Fortigate will be supported with MS Exchange 2016. We ran into troubles even with FortiADC and L7 Load Balancing and are still under investigation with that one. Layer 4 seems supported and is preferred.
post edited by romanr - 2018/01/26 03:09:42
#11
yoda
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/02/14 10:01:15
  • Status: offline
Re: High Availability of Exch 2016 - Fortinet 61E 2018/05/19 23:39:02 (permalink)
0
Hi,

Has anyone tested SSL offloading with an AV profile in place?
On my lab FG61E (firmware 5.6.4) I have configured a firewall policy for Exchange OWA with SSL offloading and the default AV profile enabled.
When sending a mail via OWA - with the EICAR text in the body of the mail - I see the traffic handled by the expected FW policy, but the mail gets rejected by the scanning engine of the Exchange server and NOT by the firewall.
I would expect the traffic not to hit the Exchange server and to be blocked by the firewall.
Am I missing anything?

Best,
Yoda
post edited by yoda - 2018/05/19 23:42:24
#12