E2K7 Hub Transport Default Receive Connector

Unanswered Question
Oct 23rd, 2008

We have recently migrated from Exchange 2003 to Exchange 2007. The Exchange 2003 servers are still up and the IronPorts deliver to those servers for the Exchange organization. I would like to use the Default Receive connector on the Exchange 2007 Hub Transport server. Having read the Exchange and IronPort documentation, it would appear that I could use TLS and Basic Authentication to establish delivery of internet mail from the IronPort to the Hub Transport server. I used the IronPort GUI to add an Outgoing SMTP Authentication profile. I then chose the newly created profile in the SMTP route configuration. I also used the CLI to require TLS for the inbound domain using destconfig.
After each attempt, I am still unable to authenticate and establish a connection. I have tried each of the following configurations for the Authentication Username in the IronPort Authentication profile:
username
domain/username
username@domain.edu
Also, I am testing this configuration from our test IronPort. I created a self-signed cert for testing to replace the default cert. There are full certs on the Exchange servers. We are currently on AsyncOS 6.0, but plan to upgrade to 6.4.

I have been able to successfully deliver to the Hub Transport server when I create a new Receive Connector and allow for anonymous connection from a specified IP address. My preference would be to use the default with TLS and Auth.

Has anyone configured the Ironport to deliver directly to Hub Transport using the Default Receive connector? Any assistance would be greatly appreciated.

-Mike

kluu_ironport Thu, 10/23/2008 - 20:56

With respect to the SMTP Auth LDAP setting, you should see if you can get the free Softerra ldap browser to connect to your domain controller.

http://www.ldapbrowser.com , download ldap browser version 2.6

If you can connect, authenticate and see your user directory structure through the Softerra ldap browser, then it should work with the IronPort.

I would recommend that you create a user specifically for the IronPort,

i.e. ironportldap@company.com

then, for the username / password, it should be

ironportldap@company.com

or

ironportldap@company.local

or

ironportldap@internaldomain

and whatever you set as the password.

your Base DN should be something like this:

Base DN: DC=company,DC=com

or

DC=company,DC=local

-----

Also, if you're still getting problems connecting to the ldap server, enable ldap debug logs and paste in the results here.

mwynne_ironport Thu, 10/23/2008 - 21:22

kluu - Thanks for the reply.

I have SMTP Auth LDAP configured and that works properly. What I am referring to is when the IronPort appliance makes an outgoing SMTP connection to the E2K7 Hub Transport server for inbound delivery of Internet email. (Profile Type Outgoing, Not LDAP) During that transaction the authentication will occur at the Exchange server. I am looking at the Exchange side, but what I was looking for was if anyone had successfully made a TLS and Basic Authentication connection from the IronPort for internal delivery either by using the Default Receive Connector or by creating a new Receive Connector on the Hub Transport server. I was hoping to expedite my troubleshooting by validating the proper configuration of the IronPort. If anyone has any info on the Exchange side, that would be great as well.

Thanks,

-Mike

gvgo_ironport Fri, 10/30/2009 - 08:39

Hi mwynne.

I think the IronPort cannot use basic auth after TLS. I have the same issue but with external providers.

I use Exchange Server 2007 as my internal servers; to secure communications between IronPort and Exchange you must use ldap auth. It works fine.

About TLS and then Basic Auth: there is another post in the forum and I have opened a support case.

Best regards..

Andrew Wurster Fri, 10/30/2009 - 22:15

yes ditto that - a few prior support cases seemed to indicate that all of exchange's available auth methods did not line up with the methods the ESA can offer up.

i thought that feature was for exchange servers and other AD-based windows machines to connect to an exchange hub...? if you want to add LDAP to the outbound auth methods, perhaps sync up with your account team for a feature request?
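
A way to check the mismatch discussed in this thread, as an added example that is not part of any poster's reply: it compares the AUTH mechanisms a receive connector advertises in its EHLO reply before and after STARTTLS with the mechanisms the delivering client can use. The client set (PLAIN, LOGIN), the host names and the two sample EHLO replies are assumptions constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies (illustrative only, not captured from a real server).
PRE_TLS = ("250-hub01.example.edu Hello [192.0.2.10]\n250-SIZE 10485760\n"
           "250-STARTTLS\n250-AUTH NTLM\n250-X-EXPS GSSAPI NTLM\n250 8BITMIME")
POST_TLS = ("250-hub01.example.edu Hello [192.0.2.10]\n250-SIZE 10485760\n"
            "250-AUTH NTLM LOGIN\n250-X-EXPS GSSAPI NTLM\n250 8BITMIME")

def auth_mechanisms(ehlo_reply):
    """Return the AUTH mechanisms advertised in an EHLO reply ('AUTH X' or legacy 'AUTH=X')."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Drop a "250-" / "250 " reply-code prefix; smtplib already strips it.
        text = line[4:] if line[:3].isdigit() and line[3:4] in "- " else line
        tokens = text.upper().split()
        if not tokens:
            continue
        if tokens[0] == "AUTH":
            mechs.update(tokens[1:])
        elif tokens[0].startswith("AUTH="):
            mechs.update(t for t in [tokens[0][5:], *tokens[1:]] if t)
    return mechs

def compare(pre_tls, post_tls, client=frozenset({"PLAIN", "LOGIN"})):
    """Intersect server-offered and client-supported mechanisms for each session phase."""
    before, after = auth_mechanisms(pre_tls), auth_mechanisms(post_tls)
    return {
        "usable_before_tls": sorted(before & client),
        "usable_after_tls": sorted(after & client),
        "tls_gated": sorted((after - before) & client),  # offered only once TLS is up
    }

def probe(host, port=25, timeout=10):
    """Run the same comparison against a live server (certificate is verified)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = s.ehlo_resp.decode(errors="replace")
        if not s.has_extn("starttls"):
            return compare(pre, "")
        s.starttls(context=ssl.create_default_context())
        s.ehlo()  # capabilities must be re-read after the TLS handshake
        return compare(pre, s.ehlo_resp.decode(errors="replace"))

if __name__ == "__main__":
    print(compare(PRE_TLS, POST_TLS))
```

An empty `usable_after_tls` means the two sides share no mechanism even with TLS in place, so no username format will make authentication succeed.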

rsoberon_ironport Wed, 12/02/2009 - 20:40

I believe the default receive connector is solely for internal mail routing.

A new receive connector should be created for External mail routing.
