
Exchange 2013 on Windows Server 2012 with multiple IP addresses on a single NIC

Many people want to use multiple IP addresses on a single NIC interface with Exchange 2013 and Windows Server 2012. There are several reasons for such a multi-homed IP configuration, for example separate receive connectors for different applications (fax, SharePoint, gateways, etc.) or an additional IIS website, amongst other things.

The behavior that changed since Windows Server 2008 is that the source IP address on a NIC will always be the lowest numerical IP address. The challenge for every Exchange administrator is to configure the correct firewall settings for the appropriate IP address. Let's look at an example:

You install the first Exchange 2013 server in your environment with the "primary" IP address 10.35.3.200. Afterwards you decide to add an additional IP address to your MAPI network adapter, for example for a further receive connector. The secondary IP address would be 10.35.3.100. Now you have two issues:

  • The server registers two DNS entries for the same server
  • The server now sends all outbound traffic from 10.35.3.100, because 100 is lower than 200.

Let's go a bit deeper and explain the "weak host model" and the "strong host model" for multi-homed servers and how each of them selects the source IP address.

The "weak host model" is used in all Windows operating systems prior to Windows Vista. This means that the OS accepts any IPv4 packet addressed to one of the computer's IP addresses, no matter which interface it arrives on. An advantage of the weak host model is better network connectivity, which also makes it easier to find packets arriving at the server with tools such as Netmon. Its biggest disadvantage is the weaker security compared to the strong host model.

Note: IPv6 packets already use the strong host model, also on operating systems prior to Windows Vista.

The "strong host model" is used in all Windows operating systems since Windows Vista. The OS only accepts IP packets that are sent to the specific IP address of the NIC interface on which the packet is received. The TCP/IP stack supports the strong host model for both IPv4 and IPv6 and uses it by default. However, it can also be configured to use the weak host model, which is necessary in some scenarios. An advantage is the improved security through the now segregated traffic and the more efficiently used bandwidth. The downside is reduced overall network connectivity, because a packet with a specific source IP address can only leave through the interface that owns that address.
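To see which host model is in effect on a server before touching the IP configuration, the following added example (not from the original post) lists the WeakHostSend and WeakHostReceive settings per IP interface of an adapter and derives the model from them. The interface alias "Local Area Connection" is an assumption taken from the rest of this post; on Windows Vista / Server 2008 and later both settings are Disabled by default, which is the strong host model.

```powershell
# Added example, not part of the original post: report which host model each
# IP interface of an adapter is using. WeakHostSend / WeakHostReceive both
# Disabled means strong host model (the default since Windows Vista).
function Get-HostModelReport {
    param([string]$InterfaceAlias = "Local Area Connection")   # assumed alias

    Get-NetIPInterface -InterfaceAlias $InterfaceAlias |
        Select-Object InterfaceAlias, AddressFamily, WeakHostSend, WeakHostReceive,
            @{ Name = "HostModel"; Expression = {
                   if ($_.WeakHostSend -eq "Enabled" -or $_.WeakHostReceive -eq "Enabled") { "weak" } else { "strong" }
               } }
}

Get-HostModelReport | Format-Table -AutoSize

# Switching one interface between the models, only needed in the scenarios the
# post mentions; the strong host model is the default and the safer setting:
# Set-NetIPInterface -InterfaceAlias "Local Area Connection" -AddressFamily IPv4 -WeakHostSend Enabled  -WeakHostReceive Enabled
# Set-NetIPInterface -InterfaceAlias "Local Area Connection" -AddressFamily IPv4 -WeakHostSend Disabled -WeakHostReceive Disabled
```

The report is per address family, so an adapter that was switched to weak host for IPv4 only still shows "strong" for its IPv6 interface.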

Note: Exchange 2013 will always use the preferred IP address within the same network for all outbound traffic from the send connector, even if the send connector has multiple IP addresses configured.

Microsoft recommends enabling "Register this connection's addresses in DNS" in the TCP/IPv4 properties of the MAPI network adapter on every Exchange 2013 server, regardless of how many IP addresses are configured on the network interface. This setting causes all secondary static IP addresses of your MAPI network adapter to be registered in DNS as well, which in turn leads to multiple static DNS entries for a single server.


To prevent the server from registering all of its IP addresses in DNS, use the Set-NetIPAddress cmdlet in Windows PowerShell and set the SkipAsSource flag to True. With this flag set, the newly added IPs are not used for outgoing packets unless an application explicitly binds to them. Use the following cmdlet to prevent the IP address 10.3.35.100 from being registered in DNS:

Set-NetIPAddress -IPAddress 10.3.35.100 -InterfaceAlias "Local Area Connection" -SkipAsSource $True

Important: Don't disable "Register this connection's addresses in DNS" for Exchange 2013, because it causes an issue with Managed Availability, which will repeatedly restart your server.

You can check the initial SkipAsSource settings with the following cmdlet:

Get-NetAdapter -Name "Local Area Connection" | Get-NetIPAddress | Select-Object IPAddress, SkipAsSource


In the output of this cmdlet, both IP addresses 10.35.3.83 and 10.35.3.82 show SkipAsSource as False, so both are registered in the local DNS servers and both are used for outgoing traffic from the Exchange 2013 server.

In our example we will set the flag SkipAsSource for the IP address 10.35.3.83 to True to prevent

Set-NetIPAddress -IPAddress 10.35.3.83 -InterfaceAlias "Local Area Connection" -SkipAsSource $True


The IP address 10.35.3.83 will not be registered in the local Microsoft DNS server because the flag SkipAsSource was set to True.

Important: A common problem on Windows Server 2012: if for some reason you need to set the SkipAsSource flag to True, please don't edit the IP configuration of your MAPI network adapter afterwards via the GUI! If the GUI is used, the SkipAsSource flag is reset to False (the default) for the IPs that were modified. If you want to change an IP address while the SkipAsSource flag is set to True, use the PowerShell cmdlets Get-NetAdapter, Set-NetAdapter, and New-NetIPAddress to edit, add, or delete an IP address on your MAPI network adapter.
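Because a GUI edit silently resets the flag, a practitioner wants two things: a way to add a secondary address with SkipAsSource already set, and a check that detects when the flag has drifted back to False. The following added example (not from the original post) does both with New-NetIPAddress, Get-NetIPAddress and Set-NetIPAddress. It assumes the adapter alias "Local Area Connection", the primary address 10.35.3.82 and a new secondary address 10.35.3.83 with a /24 prefix (the addresses follow this post's example; the prefix length is an assumption).

```powershell
# Added example, not part of the original post. Assumed values:
$nicInterface = "Local Area Connection"   # alias of the MAPI network adapter
$primIP       = "10.35.3.82"              # primary address, may be used as source
$newSecIP     = "10.35.3.83"              # secondary address to add
$prefixLength = 24                        # assumed subnet size

# 1. Add the secondary address with SkipAsSource already set, so it is never
#    picked as source address or registered in DNS, not even briefly.
$existing = Get-NetIPAddress -InterfaceAlias $nicInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $newSecIP }
if (-not $existing) {
    New-NetIPAddress -InterfaceAlias $nicInterface -IPAddress $newSecIP -PrefixLength $prefixLength -SkipAsSource $true
}

# 2. Audit: exactly the primary address may have SkipAsSource = False.
#    Any other combination means the flag drifted, e.g. after a GUI edit.
function Test-SkipAsSourceConfig {
    param([string]$InterfaceAlias, [string]$PrimaryIP)

    $addrs = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $drift = @($addrs | Where-Object {
        ($_.IPAddress -eq $PrimaryIP -and $_.SkipAsSource) -or
        ($_.IPAddress -ne $PrimaryIP -and -not $_.SkipAsSource)
    })
    foreach ($a in $drift) {
        Write-Warning ("{0}: SkipAsSource is {1}, expected {2}" -f $a.IPAddress, $a.SkipAsSource, ($a.IPAddress -ne $PrimaryIP))
    }
    return ($drift.Count -eq 0)
}

# 3. Repair without the GUI: reapply the flag to every IPv4 address of the adapter.
if (-not (Test-SkipAsSourceConfig -InterfaceAlias $nicInterface -PrimaryIP $primIP)) {
    Get-NetIPAddress -InterfaceAlias $nicInterface -AddressFamily IPv4 | ForEach-Object {
        Set-NetIPAddress -IPAddress $_.IPAddress -InterfaceAlias $nicInterface -SkipAsSource ($_.IPAddress -ne $primIP)
    }
}
```

Test-SkipAsSourceConfig returns $true when the adapter is in the expected state, so it can be run on its own from a scheduled task or a monitoring script to catch the GUI reset before the server starts sending from, and registering, the wrong address again.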

Note: All cmdlets are only available in Windows PowerShell 3.0+. If you are using Windows Vista or Windows Server 2008, install the following hotfix: KB975808

If you are using Windows 7 or Windows Server 2008 R2, install the following hotfix: KB2554859

For all Windows operating systems prior to Windows 8 or Windows Server 2012, use the netsh command to change the SkipAsSource flag.

If you would like to set the flag on multiple servers, you can use the following PowerShell script. The script uses the input you define in the variables $primIP and $nicInterface. Save the script under your preferred path with a .ps1 file extension, for example "SkipAsSource.ps1", and run it with .\SkipAsSource.ps1 from your PowerShell.
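On those older systems the flag is passed to netsh instead. The following added example (not from the original post) adds a secondary address with skipassource=true and then lists the addresses verbosely to confirm the flag; the interface name, address and mask are assumed to match this post's example, and the commands require the hotfix for the respective OS to be installed.

```powershell
# Added example, not part of the original post: netsh equivalent for
# Windows Vista / 7 / Server 2008 / 2008 R2 with the hotfix installed.
# Interface name, address and mask are assumed values.

# Add a secondary address that must never be chosen as source address
# (and therefore is not registered in DNS):
netsh interface ipv4 add address name="Local Area Connection" address=10.35.3.83 mask=255.255.255.0 skipassource=true

# Verify: the verbose listing prints a "Skip as Source" line for each address.
netsh interface ipv4 show ipaddresses interface="Local Area Connection" level=verbose
```

Unlike the PowerShell cmdlets, netsh has no -SkipAsSource switch on an existing address to set it separately; the flag is given when the address is added, so an address that was added without it has to be removed and re-added.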

$primIP = "10.35.3.83"                    # primary IP address of your MAPI network adapter
$nicInterface = "Local Area Connection"   # interface alias of your MAPI network adapter

# all IPv4 addresses of the MAPI network adapter except the primary IP address
[array]$secIPs = (Get-NetIPConfiguration).IPv4Address | Where-Object { $_.InterfaceAlias -eq $nicInterface -and $_.IPAddress -ne $primIP }

# the primary IP address stays the source address (SkipAsSource = False)
Set-NetIPAddress -IPAddress $primIP -InterfaceAlias $nicInterface -SkipAsSource $false

# all other IP addresses of the MAPI network adapter are never used as source address (SkipAsSource = True)
if ($secIPs.Count -gt 0) {
    Set-NetIPAddress -IPAddress $secIPs.IPAddress -InterfaceAlias $nicInterface -SkipAsSource $true
}
