I am trying to publish my Internal Exchange server with ISA 2004.
I set up a publishing rule according to the documentation. The rule is not catching the traffic for some reason and it is being passed to the default DENY rule. The log shows deny for every packet hitting the External interface with a destination port of 25, instead of forwarding it to Exchange to handle.
Now the real story. I have a static translation on my PIX that says anything addressed to the Public ip used for mail forward to the internal network IP of the Exchange server. I had to change this to point to the external interface of the ISA server. So now it says anything addressed to the public IP translate to the External interface of the ISA server. Is the traffic being denied because traffic is being forced to External? I thought the ISA Publishing rule would take anything addressed to External with a destination port of 25 and forward it to my Exchange server?
Current network looks like this:
PIX Outside interface is a public IP
PIX Inside is 192.168.1.1 /30
ISA External is 192.168.1.2 /30
ISA Internal is 172.16.0.0
I also thought I had a routing problem on the PIX, but the packets are bouncing off the External interface of the ISA server.
The network used to look like this:
PIX Outside interface is a public IP
PIX Inside is 172.16.0.$ (corp. network)
I am trying the parallel PIX / ISA server thing until I am comfortable with ISA 2004's abilities.
I finally have the PIX configured and forwarding correctly.
I created a firewall policy using "Publish a Mail Server" wizard
The ISA 2004 is denying the traffic....
The headers of my log: Action, Client IP, Source Net, Source Port, Destination IP, Destination Net, Destination Port, Protocol, Rule
The data which matches the header in order: Denied connection, public IPs, External, upper port range (ex. 2949), 172.16.0.254 (my Exchange server), Internal, 25, SMTP, the rule is blank (why is that?).
I hope this makes sense.
I also get an alert "Server Publishing Failure": there was no valid listener.
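Added example, not part of the original thread: a small Python script that parses log lines in the exact column order the post above describes (Action, Client IP, Source Net, Source Port, Destination IP, Destination Net, Destination Port, Protocol, Rule) and pulls out the entries that share the signature being reported, i.e. a denied connection to port 25 with an empty Rule column. The sample lines, IP addresses and the rule name "Publish Mail Server" are constructed for illustration; the Exchange address 172.16.0.254 is the one given in the post.

```python
import csv
import io
from collections import Counter

# Column order exactly as described in the post above.
HEADER = ["Action", "Client IP", "Source Net", "Source Port", "Destination IP",
          "Destination Net", "Destination Port", "Protocol", "Rule"]

# Constructed sample log (not real ISA output). Client IPs are documentation
# ranges; the rule name on the allowed line is a made-up placeholder.
SAMPLE_LOG = """\
Denied Connection,203.0.113.10,External,2949,172.16.0.254,Internal,25,SMTP,
Denied Connection,198.51.100.7,External,41022,172.16.0.254,Internal,25,SMTP,
Initiated Connection,203.0.113.55,External,3389,172.16.0.254,Internal,25,SMTP,Publish Mail Server
Denied Connection,192.0.2.9,External,51234,172.16.0.254,Internal,443,HTTPS,
"""


def parse_log(text):
    """Turn comma-separated log text into one dict per line keyed by HEADER."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=HEADER)
    return list(reader)


def denied_smtp(entries):
    """Denied connections to port 25 that no named rule matched.

    An empty Rule column means the packet fell through to the default deny
    rather than being caught by the publishing rule.
    """
    return [e for e in entries
            if e["Action"].startswith("Denied")
            and e["Destination Port"] == "25"
            and e["Rule"].strip() == ""]


def source_port_summary(entries):
    """Count how many entries used an ephemeral (>1023) vs well-known source port."""
    counts = Counter()
    for e in entries:
        port = int(e["Source Port"])
        counts["ephemeral" if port > 1023 else "well_known"] += 1
    return dict(counts)


def diagnose(text):
    """Summarise the denied-SMTP entries: how many, their source-port classes,
    and which client addresses were affected."""
    hits = denied_smtp(parse_log(text))
    return {
        "denied_smtp": len(hits),
        "ports": source_port_summary(hits),
        "clients": sorted({e["Client IP"] for e in hits}),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the real log export, the "clients" list shows which sending servers are being dropped and the "ports" summary shows whether every dropped connection came from the upper port range, which is the pattern the post is asking about.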
Yes, I am answering my own questions on this thread.. Funny how sleep helps.
I realize the reason ISA is denying the connections is because the SMTP publishing rule expects connections from SMTP to SMTP, from port 25 to port 25. It appears that external mail servers are sending mail from unprivileged ports. I tested this by sending mail from my gmail account. Has anyone seen this??
ISA is blocking the packet. Symantec Corporate Virus protection only (not the firewall client) is installed on ISA and Exchange. Exchange can receive email no problem when I route packets directly to the Exchange server. This demonstrates that AV is not the problem because the same version is installed on both servers. The variable is ISA 2004 and the fact that mail servers are sending mail from unprivileged source ports. It's like the webservers are sending mail through proxies.