Exchange Server 2010 Overview Part 1

Microsoft’s Exchange Server:

Email is a mission critical tool for business. How do you provide that capability? Hosted, in-house, BPOS? There are many options. With Exchange you gain the following:

  • A reliable and flexible messaging platform for business communications.
  • Provides e-mail capabilities
  • Also provides calendar access and contact management
  • Users can have access to their communications anywhere; through their browser, mobile device, or their Outlook client.

Exchange 2010 adds the following:

  • Provides the email typical for Exchange that we’ve come to expect. Some features are the same as Exchange 2007, but new features are notable.
  • Continues the Server Roles for your organization’s deployment strategy. (5 Roles)
  • Includes High Availability and Site Resilience
  • Allows Unified Communications through the Unified Messaging Server Role that will give users a Universal Inbox (fax’s, voicemail, etc)

5 Server Roles – Prior to Exchange Server 2010, you installed the entire Exchange infrastructure on an Exchange Server. E.g., if only a front-end server was needed, you still had to install the entire Exchange infrastructure. Now you have a lighter footprint with Roles. Server 2008 also uses Roles and Features.

  • The Mailbox Role: user mailboxes with mailbox DBs. Also contains public folders.
  • Client Access Role: connection point for all users to their mailboxes internally or externally. (MAPI, OWA, Outlook Anywhere, ActiveSync, IMAP/POP)
  • Hub Transport Role: Flow of traffic to and from the Mailbox server. (These first 3 roles need to be installed in order for Exchange to work, but not necessarily on the same server.)
  • Optional Role – Unified Messaging Role: Provides the Universal Inbox for voicemail, email, faxes, etc.
  • Optional Role (recommended)- Edge Transport Role: Perimeter-based server to handle anti-spam and anti-virus protection and additional transport rules.

Requirements for Exchange 2010:

1. Domain Controller – AD Domain controller

2. DNS Services

3. Member Server (on which you will install Exchange)


For Exchange 2010 running behind your firewall or DMZ on your internal network, you can install the following 4 roles on their own server: Client Access Server, Mailbox Server, Hub Transport Server, and Unified Messaging Server.

To add an Edge Transport Server to your network, you will need to setup a Member Server that is not a member of the Domain. You install Exchange, but only the ET server role. This will sit out on the Perimeter Network (between internal and external firewalls – DMZ). Again, the ET server cannot be a member of the Domain.

New in Exchange 2010:

Storage Architecture – There’s a new focus on the database itself, not on a storage group. Storage groups, used in Exchange 2000 through 2007, have been removed from Exchange’s database design.

High Availability and Site Resiliency – Database Availability Groups have replaced legacy Exchange HA versions.

Permissions – Role-based access control has been implemented – permissions to manage exchange.

Control – A cool new Web-Based Exchange Control Panel (ECP). Carries over Exchange 2007’s Exchange Management Console and Exchange Management Shell.

Voicemail and Unified Messaging – including voicemail preview, better protection.

Exchange 2010 has something for everyone. It is a complete communications platform for organizations large and small.



A good majority of the content provided in my Exchange series is derived from J. Peter Bruzzese’s excellent Train Signal Exchange Server 2010 video disk series. It is an invaluable source for accurate, easy to understand IT information and training.

Networking Fundamentals – Part 2

Repeater: A repeater’s job is to repeat an electrical signal. The form that our data has taken to be sent across a cable is ones and zeros. The repeater takes an incoming signal and then generates a new, clean copy of that exact signal. This prevents maximum cable lengths from stopping transmissions and helps ward off attenuation, the gradual weakening of a signal.

Hubs – only one PC at a time can send data; if multiple PCs are connected to a single hub, it’s One Big Collision Domain. To prevent collisions, a host will use CSMA/CD (Carrier Sense Multiple Access with Collision Detection):


  • A carrier sensing scheme is used: a host listens before transmitting.
  • A transmitting station that detects another signal while transmitting a frame stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to send that frame again.

Bridge – used to create smaller collision domains. Place a bridge between multiple hubs. More collision domains are more beneficial. Segmenting the collision domains does not reduce the number of broadcasts (for example, multiple hubs separated by multiple bridges is still one big broadcast domain). Every single host will receive a broadcast.

Broadcasts are not a bad thing; they can be beneficial, for example by providing routing updates. But we do want to lower the number of broadcasts.

Switches: each host is in its own collision domain. Collisions cannot occur. Each host has more bandwidth available, because it is not sharing bandwidth. Theoretically each host can run at 200 Mb/s (100 Mb/s sending and 100 Mb/s receiving with full duplex). Switches by default do not break up broadcast domains. Microsegmentation is a term sometimes used in Cisco documentation to describe the one host/one collision domain effect.

A switch will do one of three things with an incoming frame:

  • Forward it
  • Flood it
  • Filter it

The switch looks at its MAC address table to check if there is an entry for the destination MAC address, but first the switch will look to see if there’s an entry for the source MAC address in the frame. The switch uses the source MAC address to build the table. You can statically configure MAC address tables, but this is not recommended.

#show mac-address-table — the command we use to look at the MAC address table on a switch.

An unknown UNICAST frame is always flooded. If an unknown unicast frame has to hit 79 other ports in an 80-port switch, it can cause a bit of overhead on the switch CPU.

#show mac-address-table dynamic — shows only the dynamically learned entries.

If the switch does not have an entry for the destination mac address, and a host replies to the flood with the correct response, the switch will create an entry for the new host.

Take into consideration the following diagram:


In this instance, hosts A and B are in the same collision domain, connected to the switch through a hub. When Host A sends out a frame destined for Host B, and the frame arrives at the switch, the switch looks at its dynamic MAC address table and sees that the frame is destined for the same port it arrived on. In this case the switch will FILTER the frame (drop the frame):


Switches never send a frame back out the same port from which the frame arrived.

Flooding: when the switch has no entry for the frame’s destination MAC address. The frame is sent out every single port on the switch except the one it came in on. Unknown unicast frames are always flooded.

Forwarding: when the switch does have an entry for the frame’s destination MAC address. Forwarding a frame means the frame is being sent out only one port on the switch.

Filtering: when the switch has an entry for both the source and the destination MAC address; the MAC table indicates that both addresses are found on the same port. (See image above)

Broadcast frames: a frame that is sent out every port on the switch except the one that received it. Broadcast frames are intended for all hosts, and the MAC broadcast address is ff-ff-ff-ff-ff-ff.

We can statically configure a port with a MAC address, but this is not best practice. Dynamically learned MAC addresses will age out with a default of 300 seconds (5 minutes).

The command to see help for the table options is:

#mac-address-table ?

#mac-address-table aging-time ?

<0-0>          Enter 0 to disable aging (not a good thing to do)

<10-1000000>   Aging time in seconds

The benefit of dynamically learned MAC addresses is that if a host is not seen for 5 minutes, or the interface goes down (for example, physical damage to the port), the current entry will be aged out; and when the host is connected to a different port, the switch will update the table from the source address of the host’s next frame. Let the switch do its work, and use dynamically learned addresses.
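The forward/flood/filter decision, source learning and aging described above, as an added Python model that is not part of the original post (the port numbering, the MAC addresses and the timestamps are all constructed for the example; it does not model a real IOS switch):

```python
"""Simulated Layer 2 switch: source learning, forward/flood/filter, aging."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


@dataclass
class TableEntry:
    port: int          # port the source MAC was last seen on
    last_seen: float   # timestamp of the frame that (re)learned it


class Switch:
    """Toy switch with ports numbered 1..ports (constructed model)."""

    def __init__(self, ports: int, aging_time: float = 300.0) -> None:
        self.ports = ports
        # Dynamic entries age out after this many seconds, mirroring the
        # 300 s default of 'mac-address-table aging-time'.
        self.aging_time = aging_time
        self.table: Dict[str, TableEntry] = {}

    def age_out(self, now: float) -> List[str]:
        """Drop every dynamic entry not refreshed within aging_time."""
        expired = [mac for mac, e in self.table.items()
                   if now - e.last_seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]
        return expired

    def handle_frame(self, src: str, dst: str, in_port: int,
                     now: float) -> Tuple[str, List[int]]:
        """Return (decision, egress ports) for one incoming frame."""
        src, dst = src.lower(), dst.lower()
        self.age_out(now)
        # Learn from the source first: a host that moved to another port
        # simply overwrites its old entry with the new ingress port.
        self.table[src] = TableEntry(in_port, now)
        others = [p for p in range(1, self.ports + 1) if p != in_port]
        if dst == BROADCAST_MAC:
            return "flood", others          # broadcast: every port but ingress
        entry = self.table.get(dst)
        if entry is None:
            return "flood", others          # unknown unicast is always flooded
        if entry.port == in_port:
            return "filter", []             # same segment: never sent back out
        return "forward", [entry.port]      # known destination: exactly one port


if __name__ == "__main__":
    # Hosts A and B hang off a hub on port 1; host C is on port 2.
    sw = Switch(ports=4)
    print(sw.handle_frame("AA-AA-AA-00-00-01", "CC-CC-CC-00-00-03", 1, 0.0))
    print(sw.handle_frame("CC-CC-CC-00-00-03", "AA-AA-AA-00-00-01", 2, 1.0))
    print(sw.handle_frame("BB-BB-BB-00-00-02", "AA-AA-AA-00-00-01", 1, 2.0))
```

The first frame is flooded because C is still unknown, C’s reply is forwarded out port 1 only, and B’s frame to A is filtered because the table says both live behind port 1. Calling `handle_frame` again 300 seconds later shows the aged-out entry turning a known destination back into a flood.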

When the switch forwards, floods, or filters the frame, there is another decision to be made – how will the forwarding be processed?

Three different processing options:

  • Store-And-Forward
  • Cut-Through
  • Fragment-Free

Store and Forward is the default method on newer switches. The entire frame is stored and then forwarded.

Store and Forward – uses the FCS (Frame Check Sequence), which allows the recipient of a frame to determine whether the data was corrupted during transmission (error detection). The switch reads the destination MAC address of the incoming frame before it reaches the FCS, but because the whole frame is buffered, it can check the FCS before forwarding the frame. This gives us more error detection than the other two methods.

Cut-Through – the switch reads the MAC addresses on the incoming frame and immediately begins forwarding the frame before the rest of the frame is even read. Cut-through is a lot faster, but it cannot check for damaged frames.

Fragment-Free (the middle ground for speed vs. error detection) checks only the first 64 bytes of the frame for damage, on the presumption that corruption will be found there. If no damage is found, forwarding begins.

Use virtual LANs to segment a network into smaller broadcast domains. In a production network you can have a lot of hosts, and each host can send out broadcasts with a cumulative effect. Hosts tend to respond to broadcasts with a broadcast of their own.

Broadcast Storm: can max out a switch’s resources (memory and cpu) making the switch useless. But before this, broadcasts may take up most of the bandwidth.

Create multiple broadcast domains to limit the scope of broadcasts.

Basic command to view vlans is

#show vlan

but for practical use, the command below is better:

#show vlan brief

By default, you will have a single VLAN on modern Cisco switches.

To put for example two hosts in a separate single vlan (broadcast domain),

#conf t

#interface fast 0/2

#description Connected to Host 2

#switchport access vlan 24

#switchport mode access — makes the port an access port for a single VLAN only (no trunking)


#int fast 0/4

#description Connected to Host 4

#switchport mode access

#switchport access vlan 24


#copy run start

#show vlan brief

Once host 2 and host 4 are on the same VLAN, they won’t be able to ping hosts on other VLANs.

No traffic (pings or data packets) can be sent from one VLAN to another without the intervention of a Layer 3 device, most likely a router.


Networking Fundamentals – Part 1

In these posts, we will document the fundamentals of networking. We will begin with the basics, including the OSI model, and work our way up from Layer 1 to Layer 7, concentrating mostly on Layers 1-3.

As many have learned, the path to success in troubleshooting networks is knowing and understanding the fundamentals.

OSI (Open Systems Interconnection) model:

(Diagram: OSI model)

Layer 7: Application Layer:

End users are interacting with the layer itself. When a user is being authenticated, that user is interacting with layer 7. If encryption is taking place, that is layer 6. The application layer determines if a remote communication partner is ready. For example if a modem is in use, the application layer asks if the modem is ready. Agrees on procedures for communication; data integrity, privacy and error recovery. Protocols running at layer 7: SMTP, POP3, Telnet, HTTP, FTP, SNMP.

Layer 6: Presentation Layer:

Formatting of data. For example, if Word opens a file as gobbledygook, that is a presentation layer issue: no agreement has been made on formatting. Compatibility with the OS, ASCII, binary, compression. JPG, MIDI, TIFF. Any file type is how data is being presented.

Layer 5: Session Layer:

Handles creation, maintenance and tear-down of communication between hosts. The communication itself between two hosts is called a session. Sessions can be short. The session layer manages communication and provides full duplex, half duplex, or simplex operation. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls.

Layer 4: Transport Layer:

Establishes end-to-end connection between two systems. Session data is received from the upper layers and the transport layer makes sure the data gets to the destination in the correct sequence, and without errors. TCP (Connection-oriented) and UDP (Connectionless) are two methods of transporting data at the Transport Layer.

Layer 3: Network Layer:

IP runs at this layer, routers at this layer (routing layer), IP addresses, layer addresses, etc. Routing is a two question process: Is it a Valid path? And what is the Best Path to get there?

Layer 2: Data Link Layer:

This is where our switches and bridges run. WAPs also operate at this layer, as do cable modems/DSL modems. Ethernet, HDLC, PPP, Frame Relay. There is a big difference between error detection and error recovery. At Layer 2 we have error detection with the FCS (Frame Check Sequence). MAC addresses/Hardware addresses/Physical Addresses/Burned-In Addresses (BIA) are at Layer 2. There is such a thing as a Layer 3 switch: a single device that can do both the routing and the switching.

Layer 1:  Physical Layer:

1’s and 0’s. The Physical Layer handles the actual data being transmitted. Cables, pins, voltage running at physical layer.


TCP:

  • Guaranteed delivery
  • Error detection via sequence and ACK numbers
  • Windowing
  • Connection Oriented

TCP Three-way handshake: SYN, SYN-ACK, ACK.

Error detection is finding an error.

Error recovery is doing something about the error.

For example some layers have error detection – layer 1, but not error recovery.

In transmitting several segments, when the recipient sends the ACK number, it sends the next number in the sequence that the recipient expects to receive. An acknowledgement timer will re-send: Positive Acknowledgement with Retransmission (PAR).

Windowing is the amount of data that the sender is allowed to transmit without waiting for an ACK. The recipient decides the size of the window. This gives the recipient the ability to decide the amount of data flow. (Flow Control) Sliding Windows refers to dynamic adjustment of the size of the window itself.



UDP:

  • Best effort delivery but no guarantee of delivery
  • No error detection
  • No windowing
  • “Connectionless”


Crosstalk – EM interference; a signal crosses over from one cable to another. Can be described as Near End Cross Talk (NEXT) or Far End Cross Talk (FEXT) depending on which end of the cable is being tested. PSNEXT is Power Sum Near End Cross Talk which is the calculation made when a NEXT test is run. When the NEXT result for each pair of wires is added, the result is the PSNEXT. (Not to be confused with the management software titled PSNEXT).

Straight-through cable – used to connect a PC to a switch or a hub. The wire connected to Pin 1 on one side is connected to Pin 1 on the other, the wire connected to Pin 2 on one side is connected to Pin 2, and so forth.

Crossover Cable – typically used between two switches: because both switches transmit over the same pair of wires, a crossover cable is needed. A switch-to-switch connection with a crossover cable is also called a TRUNK.

Rollover Cable – All eight wires in the cable will “roll over” to another pin at the remote end, e.g. Pin 1 at one end rolling over to Pin 8 at the other end, Pin 2 rolling over to Pin 7, etc. The blue Cisco cables with a DB9 connector that come with each Cisco router are typically rollover cables. (Get a USB adapter so that you can use it with your laptop.) These cables typically connect to the console port on the switch/router.

MAC address – Media Access Control Address (also known as Ethernet/NIC/LAN/Physical/BIA address): used by switches to send frames to the proper destination. A 48-bit address.

The MAC address has two parts, the first being the Organizationally Unique Identifier (OUI). The OUI is assigned to hardware vendors by the IEEE. A given OUI is assigned to one and only one vendor. The second half of the MAC address is a value not yet used by that particular vendor.

The Broadcast MAC address: FF-FF-FF-FF-FF-FF

The IPv4 Multicast MAC address always starts with 01-00-5E, then 00-00-00 through 7F-FF-FF.
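The MAC address structure above (48 bits, OUI prefix, the broadcast address, and the 01-00-5E multicast range) as an added Python example that is not part of the original post. It goes one step beyond the text: the general multicast test uses the I/G bit (the low-order bit of the first octet), which covers IPv6 multicast (33-33-…) as well as the IPv4 range the post names. The sample addresses are constructed.

```python
"""Parse and classify Ethernet MAC addresses: OUI, broadcast, multicast."""
import re
from typing import Dict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> bytes:
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or Cisco 001a.2b3c.4d5e."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac: bytes) -> str:
    return "-".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """First 24 bits: the IEEE-assigned vendor prefix."""
    return format_mac(mac[:3])


def is_broadcast(mac: bytes) -> bool:
    return mac == b"\xff" * 6


def is_multicast(mac: bytes) -> bool:
    # I/G (individual/group) bit: low-order bit of the first octet.
    # The broadcast address also has it set, so test broadcast first.
    return bool(mac[0] & 0x01)


def is_ipv4_multicast(mac: bytes) -> bool:
    # 01-00-5E-00-00-00 through 01-00-5E-7F-FF-FF
    return mac[:3] == b"\x01\x00\x5e" and mac[3] <= 0x7F


def classify(text: str) -> str:
    mac = parse_mac(text)
    if is_broadcast(mac):
        return "broadcast"
    if is_ipv4_multicast(mac):
        return "ipv4-multicast"
    if is_multicast(mac):
        return "multicast"
    return "unicast"


def describe(text: str) -> Dict[str, str]:
    mac = parse_mac(text)
    return {"mac": format_mac(mac), "oui": oui(mac), "kind": classify(text)}


if __name__ == "__main__":
    # Constructed sample addresses in the three common notations.
    for sample in ("FF-FF-FF-FF-FF-FF", "01:00:5e:01:02:03", "001a.2b3c.4d5e"):
        print(describe(sample))
```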


Outlook 2010 – Cannot create new profile; An unknown error occurred, error code: 0x80070057 – Solved!

One of our Windows 7 Pro, 32 bit users (not SP1), experienced Outlook 2010 failing on a regular basis. The client was setup with Auto-discover and the application would crash / freeze/ hang randomly as well as could be made to crash by going into the Calendar, create a New Meeting->Scheduling Assistant -> and enter another user’s name.

Additionally, we tried closing Outlook, going to the Control Panel and choosing the Mail applet. Click on Profiles -> Profiles -> Show Profiles… -> Add…

The Outlook wizard would start, but then fail with the error message:

“An unknown error occurred, error code: 0x80070057”.

The Event Viewer (Local) -> (Windows Logs: Application) would have a cryptic message with the following information:

Event 1000, Application Error

Faulting application name: OUTLOOK.EXE, version: 14.0.4760.1000, time stamp: 0x4ba8fefd
Faulting module name: OUTLOOK.EXE, version: 14.0.4760.1000, time stamp: 0x4ba8fefd
Exception code: 0xc0000005
Fault offset: 0x0054ac63
Faulting process id: 0x1174
Faulting application start time: 0x01cc0e56a826f1c7
Faulting application path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Faulting module path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Report Id: 375d88cc-7a62-11e0-a74c-b8ac6fc5d92c

Running a search on these errors produced a lot of options for repairing the problem including checking OWA IIS certificates, installing .NET on the exchange server, Exchange SP2/SP3,  editing your hosts file, Exchange PowerShell setting virtual directory, and the list goes on.

The solution that finally resolved this issue for us was to install, on the Outlook client, the hotfix created by Microsoft (KB 2281463).

The download is not easily accessible on this page, so don’t be discouraged and go ahead and “View and request hotfix downloads” from the link at the top of the page.

This link will send you to a Hotfix Request page where you place a checkmark on the update you wish to download. Be careful because if you visit the page with a x64 machine, you will most likely be prompted to download the x64 client. It’s best to visit the hotfix page on the client that has the problem. Enter your email address and then confirm. Type in the captcha and then hit “Request hotfix.” You will be quickly emailed the link to the hotfix download as well as a password.

*Note: Prior to installing a hotfix of this nature, it is always recommended you backup your system (Windows 7 backup is a pretty good free image-based backup, my next best recommendation is something like Acronis 10.) Also, it is a good idea to take a manual System Restore point: Start -> Right-click on Computer, choose Properties, System Protection, Create.

Once the hotfix has been downloaded, when you try to run the .exe you will be prompted for the password for the file to run. Enter the password that was emailed to you and complete the setup. After the hotfix completes, for good measure, go ahead and reboot. After the restart, keep Outlook closed and go back to the Mail control panel applet. Go to Profiles ->Show Profiles… -> Add… and create a new Outlook Profile. Under “When starting Microsoft Outlook, use the profile: -> Always use this profile -> Hit the dropdown for the newly created profile.

Start Outlook. This will create a new Outlook profile for the user. A new .ost file will also be created, which, if the mailbox is large, may take a considerable amount of time to rebuild for the new profile. You may need to visit the old profile in the Control Panel Mail applet to see if any data files were attached, or whether settings/signatures were modified or need to be created or copied to the new profile.

You can test to see if the application crashes by visiting the Calendar Scheduling Assistant.

SBS Server 2003 network connection NIC unresponsive. Solved!

After several restarts/reboots, a Small Business Server 2003 would not respond to pings, and was holding a network hostage by not servicing DNS requests. When trying to repair the Local Area Connection, the following error occurred: “Windows could not finish repairing the problem because the following action cannot be completed:
Clearing the ARP cache”

After starting/stopping the Routing and Remote services service, and disabling/enabling the NIC in the Device Manager with no luck, we tried manually clearing the arp cache with the following actions:

Check the ARP table from the command line with the command:

arp -g

See if there are entries, and if so, delete them with the command:

arp -d *

This did not help and what did resolve/solve the issue was the following actions:

  1. Shut down the server (Start -> Shutdown)
  2. Once the server has completely shut down, remove the CAT5 Ethernet cable(s) from the Network Interface Card in the back of the server. Make a note which NIC port(s) the cable(s) are plugged into if there is more than one.
  3. Remove the power cable(s) from the back of the server. With both the power and Ethernet cables unplugged, press the power button on server to flush all electricity from the motherboard and interface cards.
  4. Replace the power and Ethernet cables, and power up/start the server normally. In our case the server began responding to pings and started running normally.
  5. After logging in, check to see that all services have started that are set to Automatic. To do this, go to Start -> Administrative Tools -> Services. Sort services by Startup Type. All of the services with the Startup Type: Automatic should be in the “Started” status (except for some that normally stay stopped like Performance Logs and .NET services).

Hopefully this tip will save you some frustration from wrestling with a non-responsive NIC or hunting down Microsoft hotfix updates.

A final note that if the unresponsive server is your primary DNS/DHCP server, and while it’s down clients are unable to get out to the internet or contact other network resources, you may wish to modify your DHCP client lease settings to include some (external) DNS servers other than your primary DNS/DHCP server.

Offline Outlook Address Book – delays in syncing Outlook and Exchange 2010 – Solved!

When an administrator makes a change in Active Directory/Exchange, why do the changes not appear in the Outlook Offline Address Book immediately?

I found that it may take up to two days for the changes to appear in Outlook.

In Exchange 2010 it takes even longer to synchronize the changes in the OAB than in Exchange 2007. After the OAB is updated, which by default happens once a day, it may take up to 8 hours for the OAB to be available to the client. The reason is that the OAB is generated on the MAILBOX role and needs to be copied to the CLIENT ACCESS role, and the CLIENT ACCESS role checks for changes every 8 hours. On top of these delays, if a client does not close and reopen Outlook, it can take even longer for a change to take effect.

If you want the changes to appear in your Outlook Address Book right away, you need to do the following:

  1. Make a change or changes to the OAB. An administrator can do this by going to their Exchange server and opening the Exchange Management Console. Drill down from Microsoft Exchange -> Microsoft Exchange On-Premises -> Recipient Configuration -> Mailbox. Right-click on the user for which you want to make changes or add another SMTP address. Add or edit the addresses, etc.
  2. Manually update the OAB on the Exchange server. Go to the Exchange Management Console -> Microsoft Exchange -> Microsoft Exchange On-Premises -> Organization Configuration -> right-click on Mailbox and choose Properties. Click on the Offline Address Book tab. Right-click on the default offline address book and choose Update.
  3. Restart the Microsoft Exchange File Distribution service. On the Exchange server, go to Start -> Run -> type in Services.msc and hit Enter/OK. Browse to the Microsoft Exchange File Distribution service, right-click on the service and click Restart.
  4. You may need to sync the Domain Controllers between sites (in a multi-site environment).
  5. Download the OAB in Outlook. Open Outlook on the client that wants the change. Go to the File tab/menu. Click on the Account Settings button and then click on Download Address Book…

Otherwise, the process may take up to 56 hours (24 hours to generate the OAB, 8 hours to update the CLIENT ACCESS role, and 24 hours to update Outlook).

Exchange/SBS 2003 – You do not have permission to send to this recipient. -Solved!

There are a lot of variables where a problem like this can take a while to track down and resolve, so hopefully if you encounter this issue again, the resolution will be easy.

A user called complaining they would receive a bounceback message from Exchange whenever trying to send an email as a different user, for example, “[email protected]”. They had not previously experienced this problem trying to send on behalf of that user and “something suddenly changed.”

To make a long story short, in this case, the resolution was that the From: field contained a corrupt .NK2/NickName entry for the “Promoter” address. When auto-resolving the email address for the “From” field, I had to type in the first letter of the bad entry, arrow down to the corrupt entry in the nickname list, so that it was highlighted and hit the Delete button. Next, to put in the correct “From: Promoter” address, I had to manually click the “From” button, go to the Global Address List and select “Promoter”. This resolved the correct entry and the From: field was now populated with “Promoter” instead of “[email protected]”. The message could now be sent without a failure/bounceback/error message.

Read below for the workflow that caused the problem and what I had to do to resolve it:

The user opened a new mail message. The From field is “shown” and the user typed in the first letter of the address who the email is from. In this case, “p”. This auto-resolved the nickname as an email address “[email protected]”. The user would then type in the recipients name into the To: field (in this case [email protected]) and then supply a subject, a message body, and hit send. A moment later the following email arrived from the Exchange System:

Your message did not reach some or all of the intended recipients.

Subject: test Sent: 4/27/2011 11:43 AM
The following recipient(s) cannot be reached:
on 4/27/2011 11:42 AM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=local/DC=domain:servername


The first thing to check was that the user has the ability to send on behalf of the “Promoter” account:

On the SBS2003 server, go to Server Management. Click on the View menu and checkmark the “Advanced Features”. Then browse   -> Active Directory Users and Computers -> Domain.local ->MyBusiness ->Users -> SBSUsers

Right click on the account that the user is trying to send on behalf of (in this case “Promoter”). Click on the Exchange General tab. Click on the Delivery Options… button. Under Send on behalf, make sure the user that is trying to send as is listed under “Grant this permission to:”. If not, click the Add button… and add the user.

Next, in Server Management, browse to Advanced Management -> EXCHANGESERVERNAME (Exchange) ->Servers -> SERVERNAME -> Protocols -> SMTP

Right-click on “Default SMTP Virtual Server” and click Properties.

SMTP Properties.jpg
Click image to enlarge

Under the Access tab, click on the Relay… button

Under Relay Restrictions, “Only the list below” should be selected, and the list should grant the server’s IP address/subnet mask and the loopback address.

Uncheck “Allow all computers which successfully authenticate to relay, regardless of the list above”. Click on the Users… button. Under Permissions – Group or user names, make sure Authenticated Users has both the Submit and Relay permissions set to Allow. Click OK, OK, OK.

If any changes have been made to SMTP, right-click on Default SMTP Virtual Server under Protocols/SMTP and Stop/Start the Default SMTP Virtual Server.

Now, on the client, open a new mail message, remove the bad auto-resolving address, click on the From: button, select the account you wish to send from, and hit “Send”. See the 2nd paragraph of this post for further details on how to accomplish this part. The message should now be sent to the recipient with the correct “From” address.





SonicWALL WAN Probe Monitoring

Ensuring your secondary WAN interface activates in the event either your primary router or primary ISP stops responding.

In the previous post, we discussed how businesses are increasingly relying on their internet for cloud-based services such as email, shared documents and applications. Using multiple SonicWALL appliances and multiple WAN/ISP interfaces, you can help protect your users from an internet outage by configuring your routers to fail-over. A SonicWALL can perform either interface or physical probing.

If Probe Monitoring is not activated, the SonicWALL security appliance performs physical monitoring only on the Primary and Secondary WAN interfaces, meaning it only marks a WAN interface as Failed if the interface is disconnected or stops receiving an Ethernet-layer signal (Layer 2).

This is not an assured means of link monitoring, because it does not address most failure scenarios (for example, routing issues with your ISP or an upstream router that is no longer passing traffic). If the WAN interface is connected to a hub or switch, and the router providing the connection to the ISP (also connected to this hub or switch) were to fail, the SonicWALL will continue to believe the WAN link is usable, because the connection to the hub or switch is good. For this reason, if you set up failover with multiple routers, you will also want to enable a TCP-based probe at Layer 4 (the transport layer) so that your probes are checked for successful connections, and your WAN fail-over will in turn work as expected.

Under the WAN Interfaces Monitoring heading, you can customize how the SonicWALL security appliance monitors the WAN interface:


This example shows how a probe is configured correctly where you’re monitoring for successful SYN-ACKs from

Options and Notes:

Check Interface every: Enter a number between 5 and 300. The default value is 5 seconds.

Deactivate Interface after _ missed intervals: Enter a number between 1 and 10. The default value is 3, which means the interface is considered inactive after 3 consecutive unsuccessful attempts.

Reactivate Interface after _ successful intervals: Enter a number between 1 and 100. The default value is 3, which means the interface is considered active after 3 consecutive successful attempts.

Respond to Probes: Use this field to allow the SonicWALL security appliance to respond to SonicWALL TCP probes received on any of its WAN ports.

Any TCP-SYN to Port: Use this field to instruct the SonicWALL security appliance to respond to TCP probes to the specified port number without validating them first. The Any TCP-SYN to Port box should only be checked when receiving TCP probes from SonicWALL security appliances running SonicOS Standard or older, legacy SonicWALL security appliances.

Note: If there is a NAT device between the two devices sending and receiving TCP probes, the Any TCP-SYN to Port box must be checked and the same port number must be configured here and in the Configure WAN Probe Monitoring window.

Configure Probe Monitoring

Enable Logical/Probe Monitoring: Selecting this field instructs the SonicWALL security appliance to perform logical checks of upstream targets to ensure that the line is indeed usable, eliminating this potential problem, as well as to continue to do physical monitoring. Under the default probe monitoring configuration, the SonicWALL performs an ICMP ping probe of both WAN ports’ default gateways. Unfortunately, this is also not an assured means of link monitoring, because service interruption may be occurring farther upstream. If your ISP is experiencing problems in its routing infrastructure, a successful ICMP ping of their router causes the SonicWALL security appliance to believe the line is usable, when in fact, it may not be able to pass traffic to and from the public Internet at all.

To perform reliable link monitoring, you can choose TCP or ICMP (Ping) as the monitoring method, and can specify up to two targets for each WAN port. If you specify two targets, Main Target and Alternate Target, for each WAN interface, you can logically link the two probe targets so that if either one fails, the line will go down, or that both must fail for the line to be considered down. TCP is preferred because many devices on the public Internet now actively drop or block ICMP (Ping) requests.

SNWL?: Select this box if the target device is a SonicWALL security appliance. Do not check the SNWL? box for third-party devices, because the TCP probes may not work consistently.

Default Target IP: Optionally, you can enter a default target IP address in the Default Target IP field. In case of a DNS failure, when a host name is specified, the default target IP address is used.

There is much discussion below on the best strategies for setting up your probes. As always, test (and test again) your configurations in the lab prior to placing your firewall into production.
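To make the interval counters and the Main/Alternate target linking concrete, here is an added simulation (my own illustration, not SonicWALL code) that walks a constructed probe log through the deactivate/reactivate logic described above; the defaults match the page (3 missed intervals to deactivate, 3 successful intervals to reactivate), and the exact internal behaviour of SonicOS is an assumption.

```python
class WanProbeMonitor:
    """Simulated WAN probe monitoring (added example, not SonicOS code)."""

    def __init__(self, deactivate_after=3, reactivate_after=3, link="either"):
        # Page defaults: 3 missed intervals -> Failed, 3 successful -> Active.
        self.deactivate_after = deactivate_after
        self.reactivate_after = reactivate_after
        # "either": the line is down if either target fails (strict);
        # "both": both Main and Alternate must fail (lenient).
        self.link = link
        self.active = True
        self.missed = 0
        self.succeeded = 0

    def interval_ok(self, main_ok, alt_ok=None):
        """Combine Main and Alternate results for one check interval."""
        if alt_ok is None:           # only a Main Target is configured
            return main_ok
        if self.link == "either":    # any single failure counts as a miss
            return main_ok and alt_ok
        return main_ok or alt_ok     # "both": a miss needs both targets down

    def tick(self, main_ok, alt_ok=None):
        """Process one check interval; return the interface state afterwards."""
        if self.interval_ok(main_ok, alt_ok):
            self.missed = 0
            self.succeeded += 1
            if not self.active and self.succeeded >= self.reactivate_after:
                self.active = True   # consecutive successes reached
        else:
            self.succeeded = 0
            self.missed += 1
            if self.active and self.missed >= self.deactivate_after:
                self.active = False  # consecutive misses reached
        return self.active


def run(results, **settings):
    """Feed (main_ok, alt_ok) tuples, one per interval; return the state after each."""
    mon = WanProbeMonitor(**settings)
    return [mon.tick(*r) for r in results]


if __name__ == "__main__":
    # Constructed probe log: the Alternate Target stops answering at interval 3,
    # both targets miss at interval 6, then everything recovers.
    seq = [(True, True), (True, True), (True, False), (True, False), (True, False),
           (False, False), (True, True), (True, True), (True, True)]
    print(run(seq, link="either"))  # Failed after the 5th interval, Active again after the 9th
    print(run(seq, link="both"))    # only interval 6 counts as a miss, so it stays Active
```

Run the same log with both linking modes to see why the "either" setting is the safer choice when the Alternate Target is a third-party host that may silently drop probes.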




SonicWALL Hardware Failover/Load Balancing


With businesses today relying more and more on their Internet connection for critical email and cloud-based services, there is a growing need for providing hardware and ISP redundancy to ensure continuous uptime even in the event of a hardware or ISP failure. The SonicWALL security appliance performs physical monitoring only on the Primary and Secondary WAN interfaces, meaning it only marks a WAN interface as Failed if the interface is disconnected or stops receiving an Ethernet-layer signal. For this reason, please see my next post to enable Probe Monitoring to cover all your bases in the event of a routing failure.

Due to this demand, two SonicWALL PRO appliances may run in Hardware Failover mode, which will provide security and connectivity in the event that one SonicWALL or an ISP becomes unstable or unavailable. In addition, SonicOS Enhanced firmware supports the ability to create multiple WAN interfaces (XO, X3), which can provide the use of multiple Internet connections either simultaneously or as a backup.

WAN Failover and Load Balancing allows you to designate one of the user-assigned interfaces as a Secondary or backup WAN port. The secondary WAN port can be used in a simple active/passive setup, where traffic is only routed through the secondary WAN port if the primary WAN port is down or unavailable. This feature is referred to as basic failover. It allows the SonicWALL security appliance to maintain a persistent connection for WAN port traffic by failing over to the secondary WAN port. The primary and secondary WAN ports can also be used in a more dynamic active/active setup, where the administrator can choose a method of dividing outbound traffic flows between the Primary fixed WAN port and the user-assigned Secondary WAN port. This latter feature is referred to as load balancing.

WAN Failover and Load Balancing applies to outbound-initiated traffic only; it cannot be used to perform inbound Load Balancing functions, such as what a content switching or Load Balancing appliance provides.

Make sure that the SonicWALL appliance has the proper NAT policies for the Secondary WAN interface. An incorrect or missing NAT Policy for the Secondary WAN port is the most common problem seen when configuring WAN Failover & Load Balancing.

The Primary and Secondary WAN ports cannot be on the same IP subnet; each WAN connection must be on unique IP subnets in order to work properly.

You cannot use the WAN failover feature if you have configured the SonicWALL security appliance to use Transparent Mode in the Network > Interfaces page.

When you establish a connection with a WAN, you can create multiple interfaces, dividing up the task load over these interfaces. There are both Primary and Secondary WAN interfaces. This task distribution model maintains high performance, ensuring that one interface does not become an impasse to the point where it blocks traffic from passing. This process is WAN Load Balancing. While WAN Load Balancing addresses performance challenges, it can create other problems, including losing track of sessions. Session confusion can occur because some applications fail to adequately track multiple user sessions Load Balanced on multiple interfaces. These applications treat incoming packets as originating from different users because they use IP addresses to differentiate user sessions instead of application-layer user identification tags. To ensure that you have proper connectivity in all applications, SonicWALL provides a feature called Source and Destination IP addresses Binding, a solution that maintains a consistent mapping of traffic flows with a single outbound WAN interface.

Primary WAN Ethernet Interface: X1 should normally be the selection.

Secondary WAN Ethernet Interface: If there are multiple possible secondary WAN interfaces, select the WAN Interface to be used for Failover and Load Balancing. X3 should normally be the selection.

By default the Enable Load Balancing check box is selected.  The SonicWALL will select Basic Active/Passive Failover as the method, but there are several load balancing methods available:

Basic Active/Passive Failover: When selected, the SonicWALL security appliance only sends traffic through the Secondary WAN interface if the Primary WAN interface has been marked inactive. The SonicWALL security appliance is set to use this as the default load balancing method. If the Primary WAN fails, then the SonicWALL security appliance reverts to this method.

Preempt and fail back to Primary WAN when possible: When this check box is selected, the SonicWALL security appliance switches back to sending its traffic across the Primary WAN interface as soon as either the WAN’s physical link is restored or the logical probe targets on that WAN port resume responding.

Per Destination Round-Robin: When selected, the SonicWALL security appliance Load Balances outgoing traffic on a per-destination basis. This is a simple load balancing method and, though not very granular, allows you to utilize both links in a basic fashion.  Please note this feature will be overridden by specific static route entries.

Spillover-Based: When selected, the SonicWALL administrator can specify when the SonicWALL security appliance starts sending traffic through the Secondary WAN interface. This method allows the SonicWALL administrator to control when and if the Secondary interface is used. This method is used if you do not want outbound traffic sent across the Secondary WAN unless the Primary WAN is overloaded. The SonicWALL security appliance uses a hold timer of 20 seconds that is not exposed in the Management Interface: if the sustained outbound traffic across the Primary WAN interface exceeds the administrator-defined bits per second (bps) for that long, the SonicWALL security appliance spills outbound traffic to the Secondary WAN interface (on a per-destination basis). Please note this feature is overridden by specific static route entries.

Percentage-Based: When selected, you can specify the percentages of traffic sent through the Primary WAN and Secondary WAN interfaces. This method allows you to actively utilize both Primary and Secondary WAN interfaces. Please note this feature is overridden by specific static route entries.

Use Source and Destination IP Address Binding: When this checkbox is selected, it enables you to maintain a consistent mapping of traffic flows with a single outbound WAN interface, regardless of the percentage of traffic through that interface. Therefore, the outbound IP address of the connection remains consistent. However, the percentage of traffic in each WAN interface may not match the percentage you specify in the Primary WAN Percentage field. This method uses only the source IP address and the destination IP address to determine when to bind a connection to a single interface and ignores all other information, such as source and destination TCP port numbers.
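The trade-off between Percentage-Based balancing and Source and Destination IP Address Binding is easier to see with constructed traffic. The following is an added illustration (not SonicWALL code); the hash used to bind a host pair to an interface and the round-robin used without binding are assumptions, since the page does not describe SonicOS’s internal selection algorithm.

```python
import hashlib
from collections import Counter

PRIMARY, SECONDARY = "X1", "X3"   # interface names used on the page


def pick_bound(src_ip, dst_ip, sport, dport, primary_pct):
    """Binding enabled: the WAN port is a deterministic function of the
    (source IP, destination IP) pair only. Ports are deliberately ignored,
    so every flow between the same two hosts leaves through the same
    interface and keeps the same outbound NAT address. (Hash is assumed.)"""
    del sport, dport  # ignored by design
    digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
    bucket = int.from_bytes(digest[:2], "big") % 100
    return PRIMARY if bucket < primary_pct else SECONDARY


def pick_unbound(flow_index, primary_pct):
    """Binding disabled: flows are dealt out so the split tracks the configured
    percentage exactly, even when they all belong to one host pair."""
    return PRIMARY if flow_index % 100 < primary_pct else SECONDARY


def distribute(flows, primary_pct, bind):
    """Count flows per WAN interface; each flow is (src_ip, dst_ip, sport, dport)."""
    counts = Counter()
    for i, (src, dst, sport, dport) in enumerate(flows):
        if bind:
            iface = pick_bound(src, dst, sport, dport, primary_pct)
        else:
            iface = pick_unbound(i, primary_pct)
        counts[iface] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: one internal host opening 100 HTTPS connections to
    # the same server on ascending source ports, as a session-tracking web app would.
    flows = [("10.0.0.5", "203.0.113.10", 40000 + i, 443) for i in range(100)]
    # Without binding the 70/30 split is honoured, but the server sees the
    # session arrive from two different public IP addresses.
    print(distribute(flows, 70, bind=False))
    # With binding all 100 flows share one interface: consistent source address,
    # but the configured percentage is not reached for this traffic mix.
    print(distribute(flows, 70, bind=True))
```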

ActiveSync troubleshooting on Exchange/SBS 2003

Do you have Exchange running in your environment but are having trouble connecting iPhones and Android phones? ActiveSync is much more preferable to POP or IMAP, so hunker down and fix ActiveSync on your server to get email, calendar, and contacts synced with your smartphones. Below are two of my favorite links for troubleshooting ActiveSync on Exchange and Small Business Server 2003. I was able to resolve issues on a few servers whose certificates had expired by using the following resources:

Alan Hardisty’s ActiveSync Configuration Guide is a great starting point:

Secondly, the following website can test Exchange connectivity in a number of different ways:

The site above is able to test Exchange connectivity with the following tests:

  • Microsoft Exchange ActiveSync Connectivity Tests
  • Microsoft Exchange Web Services Connectivity Tests
  • Microsoft Office Outlook Connectivity Tests
  • Internet E-Mail Tests