Forum Discussion
dennypayne
Dec 18, 2008 (Employee)
What Hamish is referring to is the fact that the LTM by default will deny any traffic that is not explicitly allowed. So if the Ironport servers are trying to initiate outbound connections through LTM as their gateway, there has to be some mechanism to let those packets go outbound through the LTM. The easiest thing to do is to set up the wildcard forwarding virtual server as he described, since normally you don't know what IP address the servers are trying to reach.
So you would create a new virtual server as type Network, with 0.0.0.0/0.0.0.0, port 0, and change it from Standard to Forwarding (IP). You can also enable it only on the internal VLAN so that traffic is only allowed outbound, not inbound. You will also need to make sure that LTM's gateway knows how to route traffic back to the Ironport source IPs through the external LTM address.
Alternatively, you could create a SNAT enabled on the internal VLAN that changes the outgoing source IP to an address on the LTM, then you don't have to worry about the routing back inbound. This may even be required in this instance if the mail servers that the Ironports are connecting to would possibly reject mail that does not appear to be coming from the "correct" IP address according to their reverse DNS lookups.
Hope this helps,
Denny
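The two options Denny describes, expressed as tmsh configuration, as an added example that is not part of the original post or of any F5 documentation. It assumes the tmsh syntax of later LTM releases (the 2008 post predates tmsh, and the GUI steps it gives are equivalent), that the internal VLAN is named `internal`, and that the Ironport subnet `10.10.20.0/24` and the translation address `192.0.2.10` are constructed placeholders.

```tmsh
# Option 1: wildcard IP-forwarding virtual server, enabled only on the
# internal VLAN so it opens an outbound path for the Ironports but no
# inbound path from the external side. With this option the upstream
# gateway must have a route back to 10.10.20.0/24 via the LTM's external
# self-IP, otherwise return traffic is dropped.
create ltm virtual vs_forward_outbound {
    destination 0.0.0.0:any
    mask any
    ip-forward
    ip-protocol any
    profiles add { fastL4 { } }
    vlans add { internal }
    vlans-enabled
}

# Option 2: SNAT on the internal VLAN, rewriting the Ironports' source
# address to an address owned by the LTM. No return route is needed on
# the gateway, because replies are addressed to the LTM. Pick a
# translation address whose reverse DNS (PTR) record matches the name
# the Ironports present in HELO/EHLO, or receiving MTAs may reject mail.
create ltm snat snat_ironport_outbound {
    origins add { 10.10.20.0/24 { } }
    translation 192.0.2.10
    vlans add { internal }
    vlans-enabled
}

# Verify the objects and confirm nothing is enabled on the external VLAN.
list ltm virtual vs_forward_outbound
list ltm snat snat_ironport_outbound

# Commit the running configuration to disk.
save sys config
```

Both objects are restricted with `vlans add { internal }` plus `vlans-enabled`; without that restriction a wildcard forwarding virtual server accepts traffic from every VLAN, which would turn the LTM into an open router from the external side. If both options are deployed together, the SNAT applies to connections that match the forwarding virtual server, so the return-route requirement disappears.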