configuring secondary OWA access

Jun 5th, 2009

I have been asked if i can setup my ASA5510 to allow for access to a secondary Exchange server for Outlook Web Access. So that if the first server went down it would automatically send mail and OWA to the new server. Although the Domain name of the server stays the same the server is at our co-location and has a different IP Address.

Kureli Sankar Fri, 05/29/2009 - 05:35

I do not understand the reasoning behind

static (outside,inside) inside_1 outside_1 netmask

static (outside,inside) inside_2 outside_2 netmask

What are these two for?

The MX records won't come into the picture if the exchange server and the OWA are running on two different IP addresses. If there is going to be a second exchange server in the new location then we need a new MX record.

They just want to add a second OWA server.

If they have another available public IP address we can easily map that to a static 1-1:

static (i,o) x.x.x.x

and allow permission on the outside acl to allow 443 to this x.x.x.x from the internet.

I can't think of a way to make this automatic when fails for to automatically kick in.

They can maybe add a new "A" record for this one like and have the users go to this if fails to load.

jjohnston1127 Fri, 06/05/2009 - 09:41

I was just thinking along the lines of a static one-to-one NAT both ways, so when the mail is sent outbound it is identified by its own IP rather than the default global PAT address as all of the other internal users. That way, for mail source validation purposes to a smarthost or other e-mail servers (in case of SPF checks), it shows up the same as the MX record.

Kureli Sankar Fri, 06/05/2009 - 09:51

Those destination NATs may not be used at all (static (o,i)).

All inside hosts would be configured to send e-mail via outlook to the exchange server and then the exchange server will use the static (i,o) or nat/global and send it out to the internet.

jjohnston1127 Fri, 06/05/2009 - 06:50

I'm assuming you're talking about it having a different internal IP address? If you have proper routing between the main site and your co-location, you should be able to assign another static IP to the secondary server and route through the WAN (or however your sites are connected) to accept requests and back through.

You would need secondary MX records for the backup server and some sort of DNS redundancy setup too so if the main server/connection goes down it will fail over.

dbasterash@cco-... Fri, 06/05/2009 - 07:43

Thank you for the reply, but I am a little confused. Yes, it has a different internal IP address and they are both inside our network. Let me try and explain the scenario.

A user connects from home by going to The firewall performs PAT and sends the request to the exchange server and everything is fine. Then the primary exchange server ( goes down, the secondary notices it and brings up its services ( The internal clients are fine because they are connecting to and are automatically sent to the new server. But since I cannot, or at least I think you cannot, have more than one PAT statement per public IP and port, how do I redirect them?

Are you suggesting that externally I have 2 MX records and 2 public IPs? Then I have two PAT statements? I am sorry if my terminology is a bit off; I am pretty new to firewalling.

jjohnston1127 Fri, 06/05/2009 - 07:52

A global PAT is only used to NAT internal users to the internet. If you use static NAT, both inbound and outbound relationships, for two different IPs and point them to two different internal servers, and set up a secondary MX record, you will be fine.

static (inside,outside) outside_1 inside_1 netmask

static (outside,inside) inside_1 outside_1 netmask

static (inside,outside) outside_2 inside_2 netmask

static (outside,inside) inside_2 outside_2 netmask
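As an added example that is not from the thread, here is the two-server static NAT plus inbound ACL approach discussed above written in ASA 8.2-style syntax. All addresses are constructed placeholders, and the interface and ACL names are assumptions.

```cisco
! Constructed example: two Exchange/OWA servers, each mapped 1:1 to its own public IP.
! Public 203.0.113.10/.11 and inside 10.0.0.10/.11 are placeholder addresses.
!
! Static 1:1 NAT (pre-8.3 syntax). A static (inside,outside) entry is bidirectional:
! it translates inbound connections to the server AND outbound mail from the server,
! so each Exchange host leaves with its own public IP instead of the shared PAT address.
! Separate static (outside,inside) entries are not required for this.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255
!
! Inbound ACL: permit only HTTPS (OWA) and SMTP (MX) to the two mapped public IPs;
! everything else from the internet is dropped by the implicit deny.
! With pre-8.3 NAT, an ACL on the outside interface references the public (mapped) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq smtp
access-group OUTSIDE_IN in interface outside
!
! Failover is handled in DNS, not on the ASA: publish a second, lower-priority MX and a
! second A record for the OWA name pointing at 203.0.113.11. The firewall only provides
! a reachable path to both servers; it does not detect the primary going down.
```

After applying this, `show xlate` should list both static translations, and the hit counts in `show access-list OUTSIDE_IN` confirm that only 443 and 25 reach the servers.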
