This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 9%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIM%3C/text%3E%3C/svg%3E)
I want to restrict internal users in lan , not to send emails using scripts. For external we have a relay connector, so unless we add the ip to it, email will not go to the external party.
We presently have Exchange 2013 servers, with 3 CAS servers running in NLD with a virutal IP.
4 MB servers in DAG.
So, any user can send email to Virtual IP and able to send.
My concern is , if i change the permissions and remove Anonymous on the Default Frontend connector, will it have impact for the External emails that we receive.
Need suggestion help.
You can set IP restrictions on the Default Frontend Connector to specific IPs. Do not remove the anonymous perms on it.
The question is how mail enters the Exchange org. Is there a single point of IPs ( SMTP gateways)?
Whats NLD?
If you have a group of IPs that all messages sent to Exchange must pass through, then set as the Remote IP range on the Default Frontend connector and remove the 0.0.0.0-255.255.255.255 range. Then you can do what you want.
If you do not have a specific IP range you can scope to, then you can not restrict this in the way you want.
If you used a true Load Balancer, you could scope the remote IPs on the Front End connector to the Load Balancer IPs and that would force end users to send through the Load Balancer and not directly to Exchange.
If you were to set the remote IPs to just the Email gateway, then it would block ALL sending internally except for those allowed on the "relay connector".
This could potentially work for you, but prevent any email submissions directly to the Exchange Servers other than what you allowed. Give it a try and test.
Its NLB( network load balancer) , which is a CAS array, the internal email is sent to VIP of CASArray. Local Servers/applications send email to this VIP on port 25 which is Default FrontEnd on the CAS servers.
While the external incoming emails come to the Email gateway and then are accepted by the Exchange Mailbox servers on Port 25 on Default Connector.
Thanks for the suggestion, just to make sure i understood properly.
Another problem for me is get the list of the ip's/servers which are sending email to internal users.
Yep, that's the dilemma. If you scope to specific IPs, you have to make sure you know what those are.
So to your questions.
Thanks for your help, appreciate it.