Venne
Novice
Posts: 7
Liked: never
Joined: Feb 05, 2019 8:51 am
Full Name: Dominik Zielke
Contact:

VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Hello,

We've been trying to test different updates etc. for productive systems in our virtual lab. For the tests we filled the application group with an Exchange server, a telephony server and different client VMs.
Since the tests started we noticed something that made us question the safety of our virtual lab. When someone sends a mail from client 1 to client 2 in the virtual lab, the different users also get the mail in their Outlook in the production network. This should mean that the Exchange in the lab somehow has a connection to the productive network.

We didn't change any config made by the virtual lab wizard. The proxy has the IP of the production gateway, the different VMs are connected to an isolated vSwitch and the proxy is connected to an isolated switch and the productive switch.

Can someone explain to me how the mails also get mirrored in the production network and if it's safe to proceed?

Thank you very much.
PTide
Product Manager
Posts: 6431
Liked: 729 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

Hi,

What Exchange version is that? Have you configured any of the following in your virtual lab?

- Allow proxy appliance to act as internet proxy for virtual machines in this lab
- Static IP Mapping Rules

Thanks!

Re: VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Hi,

We are using Exchange 2016.
Yes, we configured the proxy appliance to act as internet proxy since the VMs in the lab need the internet connection for the updates etc.
We didn't configure the static IP mapping rules; we did however change the static IPs manually for the VMs in the lab (to match the production IPs).

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

> Yes, we configured the Proxy appliance to act as internet proxy since the VMs in the lab need the internet connection for the updates etc.

Any chance that the clients access the server via http? Please try to disable proxy and see if the issue persists.

Thanks!

Re: VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Hi,

The clients access the Exchange server via HTTPS.
Not sure what's exactly meant by "disabling the proxy". Do you mean unchecking the proxy appliance in the virtual lab wizard or deleting the set proxy in the internet options of the VMs?

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

> Not sure what's exactly meant by "disabling the proxy". Do you mean unchecking the proxy appliance in the virtual lab wizard

This. You need to disable the internet proxy checkbox. I suspect that since there is a proxy for web traffic, the isolated clients might be contacting the production server as well (since both isolated and production servers have the same IP). That might be fixed by some tuning on the proxy appliance, but first I'd like to confirm my guess : )

Thanks!

Re: VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Hi,

We have redeployed the lab without the proxy appliance this time. Now the client VMs connect to the Exchange inside the lab. We can't test mails though because they now can't connect to Outlook or have access to the internet to use OWA. This should mean that the VMs had access to the production network while the proxy appliance still existed, right? Is there any way to allow internet access inside the lab but also configure the proxy appliance so the traffic from the lab can't reach the production network?

Thanks

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

At this moment I don't quite understand what your goal is, so let me check if I got it right:

1. You have a production Exchange server that is accessed by clients via https.
2. You also have another Exchange server (an exact copy of the production one) and a couple of client VMs deployed in the lab.
3. The lab appliance allows HTTP(S) access for the VMs in the virtual lab.
4. When you send an email from one isolated client to another one, the email arrives in production too.
5. When you disable https access for VMs in the virtual lab, the issue is gone.
6. You want to have internet access for the isolated VMs and at the same time you do not want test emails to appear in production.

Is everything correct?

Thanks!

Re: VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Yes you are basically correct.
The fact that the test mails appear in production isn't really a problem for us though; we are just scared that since the test mails appear, some other configuration in the lab might affect the production Exchange.

Our main question is probably "is it possible to configure the Virt Lab/Proxy Appliance in a way that we can still get inbound internet access for updates etc. but deny the traffic outwards so the production network isn't affected?"

I know this sounds like the typical "have your cake and eat it too" but we are curious to see if VEEAM Virt Labs has a solution for our case.

Thanks

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

The quick and dirty hack off the top of my head:

Log in to the proxy appliance, and add an additional route for the Exchange address:

Code:

route add -host <exchange IP address> dev eth0
Where eth0 is the isolated network interface (you might have some other name). That way, all connections from the isolated VMs to Exchange will be routed into the internal network (i.e. to the isolated exchange server), while allowing outbound http(s) traffic to other IPs.

Please let me know if that works for you and if you need a more sophisticated workaround.

Thanks!

Re: VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Hi,

Just got to testing your advice; sadly adding the route doesn't seem to do the trick. We tried it with both the masqueraded as well as the "normal" IP of the Exchange in the lab. As soon as the proxy is configured the traffic reaches the clients/Exchange in the production network. Do you have other ideas we could test?

Thanks!

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

Possible reasons why it hasn't worked:

1) Every time a SureBackup job starts, the virtual appliance is deployed anew, thus all tweaks are not there anymore. You need to apply those every time SureBackup starts.

This can be done via usage of test scripts. You'll need to create one that logs in to the appliance and appends the routing rule.
Please note that SureBackup scripts are executed by VBR, so you might need to create a wrapper, or use plink or a PS SSH module for Linux commands to be executed on the proxy appliance.

2) Isolated Exchange IP and production Exchange IP do not match and your clients are still reaching to the production IP, thus the routing rule does not work.

Thanks!
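
The two steps discussed in this thread (adding the host route, and re-applying it after every SureBackup start) can be combined with a check that the route really took effect. The script below is an added example, not part of the original posts and not Veeam code; it assumes iproute2 (`ip`) is available on the proxy appliance, and the address and interface given to it are placeholders.

```shell
#!/bin/sh
# Added example: re-apply the Exchange host route on the proxy appliance and
# verify that the kernel would send Exchange-bound packets out of the
# isolated interface. Needs root on the appliance.

# Print the interface that follows "dev" in `ip route get` output (stdin).
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# route_is_isolated "<ip route get output>" <isolated-iface>
# Succeeds only if the chosen egress interface is the isolated one.
route_is_isolated() {
    [ "$(printf '%s\n' "$1" | egress_dev)" = "$2" ]
}

# ensure_isolated_route <exchange-ip> <isolated-iface>
# Idempotent: adds or replaces the /32 route only when the current lookup
# does not already leave through the isolated interface, then re-checks.
# `ip route replace` is used here as the iproute2 counterpart of the
# `route add -host ... dev ...` command from the post above.
ensure_isolated_route() {
    addr="$1"; dev="$2"
    out=$(ip route get "$addr") || return 2
    if ! route_is_isolated "$out" "$dev"; then
        ip route replace "$addr/32" dev "$dev" || return 2
        out=$(ip route get "$addr") || return 2
    fi
    route_is_isolated "$out" "$dev"
}

# Runs only when called as: script <exchange-ip> <isolated-iface>
if [ "$#" -eq 2 ]; then
    if ensure_isolated_route "$1" "$2"; then
        echo "OK: $1 leaves via $2"
    else
        echo "FAIL: $1 does not leave via $2" >&2
        exit 1
    fi
fi
```

A non-zero exit can be used by the calling wrapper to stop the lab tests before any client VM sends mail. The check only covers the appliance's routing decision for that one address.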

Re: VEEAM Virtual Labs Exchange Traffic

Post by Venne »

Hi,

1) Yeah, that's something we noticed a while back, so I made sure to add the route every time the lab is redeployed, so that shouldn't be the problem.

2) Just got to checking it, but sadly the production and the lab IP of the Exchange are the same, meaning that's not the problem either.

If the Outlook client app would work without the proxy we could probably manage without a proxy, but since that's not the case we seem to be needing the proxy in the lab.

Re: VEEAM Virtual Labs Exchange Traffic

Post by PTide »

> <...>if the Outlook client app would work without the proxy we could probably manage without a proxy but since that's not the case we seem to be needing the proxy in the lab.

I am not an expert with Exchange, so I would like to ask you for some clarification on that part. I was under the impression that the clients simply accessed Exchange via browsers. Now that you've mentioned that your Outlook client app won't work without a proxy, I assume that you've configured this thing on the clients, so every time the isolated client sends an email, it does not contact either of the Exchange servers, but contacts the proxy server first (not the appliance, but the one that you've specified in the Outlook client settings), and the proxy in turn contacts the only Exchange server that it knows about (i.e. the production one). Is that correct (a simple diagram would help, tbh)?

Thanks!