Default Gateways and Exchange Server

Sometimes, you need to step back and take a different look at a problem. When you are "in the weeds", you can't necessarily see the forest for the trees.

Exchange Server is a networking application. Now, before you say "duh!", think about it. If your network is having issues, Exchange Server will have issues too. And since Exchange Server is constantly talking on the network, a network problem very often shows up first as an Exchange problem.

I recently saw an issue that was caused by a problem with multiple default gateways.

A very common configuration on an Exchange Server is to have one NIC (Network Interface Card) be the "public" or "untrusted" interface. Through this NIC flows all traffic destined for the Internet. Then, the Exchange Server has another NIC that is the "private" or "trusted" interface that connects to the "internal" network. This NIC is generally for such things as backups, monitoring, etc. (The KB articles at the end of this post call such a server "multihomed".)

When you configure a NIC with a fixed IP address, you are asked to supply three things: an IP address that uniquely identifies this server, a netmask that defines the size of the network that the IP address is a member of, and a default gateway: the router to which the server hands any packet whose destination isn't part of the server's own network.

(Of course, there are many other properties you may configure as well - but these three are the ones that are required to put a computer "on the net".)

Notice what the default gateway is for: it is the next hop for traffic that is not bound for a local network (and is not covered by some other, more specific route). So, for a trivial example, if your local network consists of "DC-Server" and "Exchange-Server" and you want to send an e-mail to "", then that traffic leaves through your default gateway.

As you may have noticed, Windows allows you to enter multiple default gateways on a single NIC. This exists for a rarely used feature of the Windows TCP/IP stack called "dead gateway detection": if the default gateway in use stops responding, Windows automatically switches to the next one in the list. It is a failover mechanism, not a load-balancing or performance-enhancing technique.

If you are looking for load-balancing or performance enhancing mechanisms, you should be looking at NICs that support "teaming" and/or switches that support EtherChannel.

Now, consider what happens when, in both the public and the private NIC, you enter a default gateway. Which one is really the default?

Huh. Think about it.

What is Windows to do? Flip a coin?

Well, that is about what happens. Each NIC installs its own route for 0.0.0.0 (the default route), and nothing in the configuration says which of the two should win. The route metric is the only tie-breaker, and dead gateway detection can move the default to the other gateway at any time, so Windows becomes a non-deterministic router: you cannot state with certainty which default gateway it will use, and it will switch back and forth between them.

What does this mean to you, the Exchange/network administrator? It means that Exchange, on the public interface, will appear to go offline and come back online at unpredictable intervals. Why only on the public interface? Because the private subnet is directly connected, so there is a specific route for it that always beats the default route, and traffic to the private network never depends on which gateway is in use. Internet-bound traffic has no such route; it goes to whichever default gateway Windows has picked at that moment, and when that happens to be the router on the private side, the traffic goes out the wrong interface.

So...don't do this. It isn't a good idea on any Windows server, because of the non-deterministic routing that results, and for Exchange specifically it is known to cause problems.

Here is one reference for you: Multiple default gateways detected.

And even though these KB articles were written for Windows NT 3.5, they still apply today: KB 157025 and KB 159168.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Published Wednesday, April 09, 2008 5:59 AM by michael



Sunday, April 13, 2008 7:38 AM by Elan Shudnow

# re: Default Gateways and Exchange Server

Just wanted to add something to this from an ISA perspective.

If the ISA Server is in the DMZ, and you leave the Default Gateway to go out the public interface (recommended), your public gateway may be restricted to disallow LDAP/LDAPS authentication if that's the method you are using for pre-authentication.

The router that the internal network uses allows 389/636.  Because of this, you can trick ISA into thinking there is a second gateway and use it.  This, of course, is by using static routes.

So, leave your default gateway to your public interface, and you can do static routes for your internal subnets to use a next hop (default gateway) of the internal router.

So let's say you have 5 different internal subnets:

You must first make sure that your internal router that you use for static routes can route to each subnet.  This router will be

route add mask if interfacehere -p

Now you just add routes for each other subnet.

You can also avoid adding 5 different routes and just do 1 big subnet catch-all.

route add mask if interfacehere -p

All your other subnets are on the same network as the above route add so all data in the 192.168.* subnet will route through the private NIC that attaches to the local network.

Hope that helps!
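As an added illustration, not part of the original post or of the comment above, the following Python script reproduces the route selection a Windows host performs (longest matching prefix first, lowest metric as the tie-breaker) for both the two-default-gateway problem the post describes and the single-default-plus-static-route layout Elan suggests. It parses the IPv4 "Active Routes" rows of `route print` output, so a real table can be pasted into it as well; the two tables below, and every address, interface and metric in them, are constructed for the example.

```python
"""Added example: simulate Windows route selection on a dual-homed host.

Not code from the original post. The addresses (203.0.113.0/24 public,
192.168.10.0/24 private, 192.168.0.0/16 internal summary), interfaces
and metrics are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str       # "On-link" for a directly connected network
    interface: str     # interface address, as `route print` shows it
    metric: int


def parse_route_print(text):
    """Parse the IPv4 'Active Routes' rows of `route print` output.

    A data row has five fields: destination, netmask, gateway, interface,
    metric. Headers, separators, the 'Default Gateway:' line and the
    four-field 'Persistent Routes' rows are skipped. Server 2003 prints
    the interface address instead of 'On-link' for connected networks;
    that parses the same way.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], int(parts[4])))
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 entries: one per configured default gateway."""
    return [r for r in routes if r.network.prefixlen == 0]


def default_gateway_conflict(routes):
    """True when default routes sit on more than one interface, which is
    the configuration the post warns against."""
    return len({r.interface for r in default_routes(routes)}) > 1


def lookup(routes, destination):
    """Best route(s) for destination: longest prefix, then lowest metric.

    If several routes are still tied, all of them are returned: the host
    will use one of them, but the configuration does not say which.
    """
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return []
    best_len = max(r.network.prefixlen for r in matches)
    candidates = [r for r in matches if r.network.prefixlen == best_len]
    best_metric = min(r.metric for r in candidates)
    return [r for r in candidates if r.metric == best_metric]


def next_hops(routes, destination):
    """Sorted (gateway, interface) pairs that could carry this traffic."""
    return sorted((r.gateway, r.interface) for r in lookup(routes, destination))


# Constructed table: a default gateway entered on BOTH NICs, equal metric.
TWO_DEFAULTS = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1   203.0.113.10     10
          0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.10     10
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
     192.168.10.0    255.255.255.0         On-link    192.168.10.10    266
      203.0.113.0    255.255.255.0         On-link     203.0.113.10    266
"""

# Constructed table: one default gateway on the public NIC plus a
# persistent catch-all route for 192.168.0.0/16 via the internal router,
# the layout described in the comment above.
ONE_DEFAULT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1   203.0.113.10     10
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
      192.168.0.0      255.255.0.0     192.168.10.1  192.168.10.10     11
     192.168.10.0    255.255.255.0         On-link    192.168.10.10    266
      203.0.113.0    255.255.255.0         On-link     203.0.113.10    266
"""

if __name__ == "__main__":
    for name, table in (("two defaults", TWO_DEFAULTS), ("one default", ONE_DEFAULT)):
        routes = parse_route_print(table)
        print(name, "- conflict:", default_gateway_conflict(routes))
        for dst in ("198.51.100.25", "192.168.10.5", "192.168.20.7"):
            print("  ", dst, "->", next_hops(routes, dst))
```

With the first table, a host on the directly connected private subnet always resolves to the on-link /24 route, while an Internet address matches only the two tied default routes, which is the "online, offline, online" behaviour the post describes. Equal metrics are what automatic metric assignment produces for two NICs of the same link speed; even with different metrics, dead gateway detection can still move the default to the other router. With the second table every destination resolves to exactly one next hop: the Internet through the public gateway, other internal subnets through the internal router, and the local private subnet on-link.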