Exchange DAG and Windows Firewall

As many of you know, Exchange 2010 has the Database Availability Group (DAG). With that, the recommendation is that a DAG be set up with a MAPI network and a replication network. The replication network should be on a network that cannot route to the MAPI network. If it can, you need to make sure that there are explicit routes for the replication network. If they are on the same subnet, these routes are already added by default.

It is usually recommended that you have two separate NICs for this configuration. This is considered a multi-homed box. As most people know, when you have two NICs you should only put a default gateway on one of them; putting a gateway on both can cause problems.

The first thing to remember is that the MAPI network NIC is the one that should have the gateway. I also recommend that you rename the network connections so it is easier to tell which one is for which.
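The three points above (rename the connections, keep the default gateway on the MAPI NIC only, make sure the replication subnet of the other DAG members is routable through the replication NIC) can be checked from an elevated PowerShell prompt on the DAG member before the firewall is touched. The script below is an added example and is not from the original post; it assumes the connections are to be named MAPI and REPL, that the local replication subnet is 192.168.50.0/24 with a router at 192.168.50.1, and that another DAG member's replication subnet is 192.168.60.0/24. It sticks to netsh, route and WMI because PowerShell 2.0 on Windows Server 2008 R2 has none of the NetAdapter cmdlets.

```powershell
# Added example (not from the original post): prepare and verify the multi-homed
# NIC layout of an Exchange 2010 DAG member on Windows Server 2008 R2.
# Assumed names and addresses (replace with your own):
$MapiName   = 'MAPI'
$ReplName   = 'REPL'
$ReplSubnet = '192.168.60.0'     # replication subnet of the other DAG member(s)
$ReplMask   = '255.255.255.0'
$ReplRouter = '192.168.50.1'     # router on the local replication subnet

# 1. Rename the connections so the Network Connections folder and the firewall
#    dialogs show which NIC is which. Use the names Windows currently shows.
netsh interface set interface name="Local Area Connection"   newname=$MapiName
netsh interface set interface name="Local Area Connection 2" newname=$ReplName

# 2. List every IP-enabled adapter with its addresses and default gateway.
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($cfg in $configs) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    New-Object PSObject -Property @{
        Connection = $nic.NetConnectionID
        IPAddress  = ($cfg.IPAddress -join ', ')
        Gateway    = ($cfg.DefaultIPGateway -join ', ')
    }
}

# 3. Only the MAPI connection may carry a default gateway; warn about any other.
foreach ($cfg in $configs) {
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    if ($cfg.DefaultIPGateway -and $nic.NetConnectionID -ne $MapiName) {
        Write-Warning "Default gateway set on '$($nic.NetConnectionID)'; only $MapiName should have one."
    }
}

# 4. With no gateway on REPL, the host only knows the local replication subnet.
#    Add a persistent route for the remote replication subnet through the REPL
#    interface; without it, log copying falls back to the MAPI network.
$replNic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$ReplName'"
$ifIndex = $replNic.InterfaceIndex
route -p add $ReplSubnet mask $ReplMask $ReplRouter if $ifIndex

# 5. Show the resulting routing table for a final eyeball check.
route print -4
```

Step 4 is only needed when the DAG members' replication subnets differ; on a single shared subnet the route is already there, as the post says.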

[Screenshot: Network Connections, showing the renamed MAPI and REPL connections with REPL listed as an Unidentified network]

Once this is complete, the problem really begins. As you can see from the screenshot, the REPL network is listed as Unidentified, which creates some problems with the Windows Firewall. And from my understanding, Windows 2008 R2 does not support the firewall being disabled, because it disables some of the crypto stuff.

I have looked far and wide for an answer or a script to change the location from Unidentified to something else, but have not found anything. There are several posts I have seen that talk about adding a gateway to the second NIC, after which it will allow you to modify the config, but it does not work on 2008 R2.

So why is this a problem? All NICs on unidentified networks are placed in the firewall's Public profile, which means inbound traffic to them is very restricted. Outbound traffic works fine, and in some cases you may never realize there is a problem, because the DAG will start to use the MAPI network even if you have set that network not to replicate.

So here is what I have been doing. In Windows Firewall with Advanced Security, I right-click the top object and open its properties, then go to each profile tab and click the Customize button (under Protected network connections) shown below.

[Screenshot: a firewall profile tab with the Customize button for Protected network connections]

I then uncheck the REPL network on each profile so that none of the firewall profiles will be applied to that NIC. What this does is basically tell the firewall that it is not supposed to handle this NIC at all.


[Screenshot: the Protected Network Connections dialog with the REPL network unchecked]

This seems to work pretty well for me.
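Because the change is made per profile, it is easy to miss one tab, and a connection that is unchecked receives no Windows Firewall filtering at all, so it is worth confirming both that REPL is excluded from all three profiles and that the firewall is still on for everything else. The script below is an added verification check, not code from the original post. It assumes the replication connection is named REPL and that the local (non-Group Policy) exclusion list is stored as the DisabledInterfaces multi-string under each profile key beneath HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, which is the location I know the firewall service uses; confirm it on your build, and note that a GPO-applied setting lives under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall instead.

```powershell
# Added verification script (not from the original post). Reports, per firewall
# profile, whether the REPL connection is excluded from protection and whether the
# profile's firewall is still enabled. Run in an elevated PowerShell prompt.
$ReplName = 'REPL'   # assumed connection name
# Assumed storage location of the local per-profile "Protected network connections" list.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

$nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$ReplName'"
if (-not $nic) { throw "No network connection named '$ReplName' was found." }
$guid = $nic.GUID    # the firewall records excluded interfaces by their {GUID}

# StandardProfile is the Private profile in this part of the registry.
$profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'
$results = foreach ($p in $profiles) {
    $key      = Join-Path $base $p
    $disabled = (Get-ItemProperty -Path $key -Name DisabledInterfaces -ErrorAction SilentlyContinue).DisabledInterfaces
    $enabled  = (Get-ItemProperty -Path $key -Name EnableFirewall     -ErrorAction SilentlyContinue).EnableFirewall
    New-Object PSObject -Property @{
        Profile      = $p
        FirewallOn   = ($enabled -eq 1)
        ReplExcluded = ($disabled -contains $guid)
    }
}
$results | Format-Table Profile, FirewallOn, ReplExcluded -AutoSize

# The state the post describes: ReplExcluded = True and FirewallOn = True on all three.
$stillProtected = $results | Where-Object { -not $_.ReplExcluded }
if ($stillProtected) {
    $names = ($stillProtected | ForEach-Object { $_.Profile }) -join ', '
    Write-Warning "REPL is still a protected connection in: $names (uncheck it on those tabs too)."
}
$firewallOff = $results | Where-Object { -not $_.FirewallOn }
if ($firewallOff) {
    $names = ($firewallOff | ForEach-Object { $_.Profile }) -join ', '
    Write-Warning "Firewall is disabled for: $names; it should stay on for the MAPI side."
}

# An excluded connection is unfiltered, so it must not be reachable from anything
# but the other DAG members. A default gateway on REPL would make it routable.
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
if ($cfg.DefaultIPGateway) {
    Write-Warning "REPL carries a default gateway; only the MAPI connection should have one."
}
```

The last check ties back to the point at the top of the post: the whole approach only holds if the replication network really is an isolated subnet that nothing outside the DAG can route to.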


Then, to verify that the replication network is actually being used, you can run:

Get-MailboxDatabaseCopyStatus -Identity "MailboxDatabase\Server" -ConnectionStatus | fl

This shows you which network is being used for replication of that database copy.
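Checking one copy by hand works, but on a server with many databases it is easier to compare every passive copy against the DAG networks that are actually flagged for replication, which catches the silent fallback to the MAPI network mentioned earlier. The script below is an added example, not from the original post, and runs in the Exchange Management Shell. It assumes the DAG is named DAG1 and that the -ConnectionStatus switch populates the IncomingLogCopyingNetwork and OutgoingConnections properties, as it does on Exchange 2010 (run Format-List on a single copy first if your build shows different names).

```powershell
# Added example (not from the original post): flag database copies on this server
# whose log copying is not arriving over a replication-enabled DAG network.
$Dag = 'DAG1'   # assumed DAG name

# Names of the DAG networks that are allowed to carry replication traffic.
$replNets = Get-DatabaseAvailabilityGroupNetwork -Identity $Dag |
    Where-Object { $_.ReplicationEnabled } |
    ForEach-Object { $_.Name }
if (-not $replNets) { throw "No replication-enabled network is defined on $Dag." }

# All copies on this server, with the current connection details included.
$copies = Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME -ConnectionStatus

$problems = @()
foreach ($copy in $copies) {
    # The active (mounted) copy sends logs rather than receiving them; skip it.
    if ($copy.Status -eq 'Mounted') { continue }
    $net = $copy.IncomingLogCopyingNetwork   # assumed property name (see lead-in)
    if ($net -and ($replNets -notcontains $net)) {
        $problems += New-Object PSObject -Property @{
            Copy    = $copy.Name
            Status  = $copy.Status
            Network = $net
        }
    }
}

$copies | Format-Table Name, Status, IncomingLogCopyingNetwork, OutgoingConnections -AutoSize
if ($problems) {
    Write-Warning "Copies replicating over a non-replication network:"
    $problems | Format-Table Copy, Status, Network -AutoSize
} else {
    Write-Host "All passive copies are receiving logs over: $($replNets -join ', ')"
}
```

If a copy shows up in the warning list after the firewall change, re-check the routes and the per-profile exclusion on the server that hosts the active copy, since the connection is initiated from the passive copy towards the active one.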
