ISA Rules With Exchange 2007
ISA Rules With Exchange 2007 - 28.Apr.2008 6:35:26 AM
aineo
Posts: 5
Joined: 28.Apr.2008
Status: offline
G'day! We are a bit on the bleeding edge here with Exchange 2007. As you know, it is all new architecture with Edge, HUB, CAS, and MBX (Mailbox) servers. We have got everything, but for some reason we are unable to get one of the Edge servers to connect properly and run with ISA. With MS' Best Practices Analyzer from the toolbox we get an error that says "Exchange Server: Registry cannot be accessed. Cannot connect to the registry of server edge1. This could be a result of permissions problem. Error: Security Error." We brought the Edge out of the DMZ and it works fine, so clearly we have botched the rules on the ISA. After a day at it, suggestions would be GREATLY appreciated.

Sincerely,
Spencer
RE: ISA Rules With Exchange 2007 - 29.Apr.2008 6:46:35 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Spencer,

Good question! I've been wondering the same thing. I'm installing Windows Essential Business Server now and I'll take a look at the rule base to see if there's anything there that enables access to the Edge Server co-located on the TMG to allow these communications. Perhaps we will be able to translate this information into something we can use for off-box Edge Servers.

Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: ISA Rules With Exchange 2007 - 29.Apr.2008 8:13:14 PM
aineo
Posts: 5
Joined: 28.Apr.2008
Status: offline
Dear Tom,

That sounds good. I am convinced Microsoft has the best firewall on the market. Unfortunately, there is no expert at Microsoft Japan, so we are going to have to become the experts here. I talked to a friend last night; we're thinking that we have to redo the network adapter order, as this has to be it. With ISA, if you don't have it exact, things don't work, I am told (i.e. Internal LAN access on top). We've got ISA in front of Edge, CAS, and eventually the MBX. I think it is not anything to do with the rest of the network, but more just making sure we've got all the right rules on the ISA box. Will let you know what we find out. If you have any ideas, those are very welcome.

Sincerely,
Spencer
RE: ISA Rules With Exchange 2007 - 30.Apr.2008 1:26:01 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Spencer,

- I see a rule that allows the Edge access to the mail server using TCP 25
- I see a rule that allows the Exchange Server to the Edge server using TCP 25
- I see a rule that allows TCP 25 from the Edge Server to External
- I see a rule that allows Exchange EdgeSync traffic from the Mail server to the Edge server through TCP 50636
- I see a rule that allows Windows Communication Foundation between the Exchange Server and the Edge server on TCP port 808

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
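The rule list above is easy to get subtly wrong in an ordered, first-match-wins policy such as ISA Server's (a typo'd port, a one-way rule where both directions are needed, a deny placed above an allow). The following is an added example, not code from the thread or from ISA: a small audit that replays each required Edge/Hub flow against a constructed rule set and reports which rule decides it. The network names (Edge, Mail, External), the rule set and the deliberate port typo are constructed; reading "WCF between" as both directions is an assumption.

```python
"""Audit an ordered first-match rule set for the Exchange 2007 Edge flows
listed in the post above. Added example; rules and names are constructed."""
from dataclasses import dataclass, field

ANY = "*"  # wildcard: any network or any protocol/port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int

@dataclass
class Rule:
    name: str
    action: str                                  # "Allow" or "Deny"
    src: set = field(default_factory=set)
    dst: set = field(default_factory=set)
    protocols: set = field(default_factory=set)  # {(proto, port)} or {ANY}

    def matches(self, f: Flow) -> bool:
        return ((ANY in self.src or f.src in self.src)
                and (ANY in self.dst or f.dst in self.dst)
                and (ANY in self.protocols or (f.proto, f.port) in self.protocols))

# Required flows, taken from the rule list in the post above.
# "WCF between Hub and Edge" is read as both directions (assumption).
REQUIRED = [
    Flow("Edge", "Mail", "TCP", 25), Flow("Mail", "Edge", "TCP", 25),
    Flow("Edge", "External", "TCP", 25),
    Flow("Mail", "Edge", "TCP", 50636),            # EdgeSync (secure LDAP)
    Flow("Mail", "Edge", "TCP", 808), Flow("Edge", "Mail", "TCP", 808),
]

# Constructed policy: EdgeSync port mistyped, WCF only one way, default deny.
SAMPLE_RULES = [
    Rule("SMTP Edge<->Hub", "Allow", {"Edge", "Mail"}, {"Edge", "Mail"}, {("TCP", 25)}),
    Rule("SMTP Edge out", "Allow", {"Edge"}, {"External"}, {("TCP", 25)}),
    Rule("EdgeSync", "Allow", {"Mail"}, {"Edge"}, {("TCP", 50389)}),  # typo: 50636
    Rule("WCF", "Allow", {"Mail"}, {"Edge"}, {("TCP", 808)}),
    Rule("Default rule", "Deny", {ANY}, {ANY}, {ANY}),
]

def audit(rules, required=REQUIRED):
    """Map each required flow to 'Action: rule name' of the FIRST matching rule."""
    verdicts = {}
    for f in required:
        hit = next((r for r in rules if r.matches(f)), None)
        verdicts[f] = "no matching rule" if hit is None else f"{hit.action}: {hit.name}"
    return verdicts

def not_allowed(rules, required=REQUIRED):
    """Flows that never reach an Allow rule; these are the policy gaps."""
    return [f for f, v in audit(rules, required).items() if not v.startswith("Allow")]

if __name__ == "__main__":
    for f, v in audit(SAMPLE_RULES).items():
        print(f"{f.src:>8} -> {f.dst:<8} {f.proto}/{f.port:<5} {v}")
```

Running it shows the EdgeSync flow and the Edge-to-Hub WCF flow falling through to the default deny, which is exactly the kind of gap that surfaces as an opaque "cannot connect" error rather than a firewall message.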
RE: ISA Rules With Exchange 2007 - 9.May2008 2:27:59 AM
aineo
Posts: 5
Joined: 28.Apr.2008
Status: offline
Tom,

We ended up having to rebuild our Edge, HUB, and CAS servers. We rebuilt ISA (2006) as well. I think you have to be really careful about the person who sets things up. Our Japanese engineer who did the original builds was still in an EX 2003 mentality. Exchange 2007 is a whole different animal. We can successfully synchronize all the Exchange services between LAN and DMZ; the subscriptions are working fine. We're having problems publishing the DNS servers on the DMZ. Publishing rules are in place with the corresponding External IP and DNS Server protocol. From within the DMZ, when you use DNSLint it seems to be publishing properly. When you use DNSLint from outside of the network, it says UDP port 53 not responding. For a test we replaced the ISA with another firewall and everything worked. We are pretty sure it is just an ISA issue, or a rule that is missing or misconfigured. Any ISA Master ideas there? We're staying on it but appreciate any feedback.

Best Regards,
Spencer
RE: ISA Rules With Exchange 2007 - 12.May2008 12:51:57 PM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Spencer,

Excellent! You're right, the Exchange 2007 stuff is a completely different animal and the same rules do not apply, as you've discovered. Now, the DNS issue should be easy to solve. Are you using a public or private address DMZ? Is the DMZ => External Network Rule NAT or ROUTE? Does nslookup from an external machine work?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: ISA Rules With Exchange 2007 - 12.May2008 9:17:13 PM
aineo
Posts: 5
Joined: 28.Apr.2008
Status: offline
Tom,

Thanks for the idea. A bit stumped here, but this is what we've got. Answering your questions, let me send you a quick diagram of our network.

DMZ
- Ns1.xxxx.net 10.20.0.2
- Ns2.xxx.net 10.20.0.3
- Edge1 10.20.0.4 Cluster

LAN
- Hub-cas 10.10.0.5
- Mbx 10.10.0.7
- AD 10.10.0.6

ISA (3 NICs)
- LAN 10.10.0.1
- DMZ 10.20.0.1
- External: 6 IPs
  - 228.xxx.xxx..xxx = PPPoE connection
  - 228.xxx.xxx.xx1 = listener for ns1 (DNS SERVER RULE)
  - 228.xxx.xxx.xx2 = listener for ns2
  - 228.xxx.xxx.xx3 = listener for Edge (SMTP SERVER RULE)
  - 228.xxx.xxx.xx5 = listener for OWA (PUBLISHED SITE)

All MX records and CNAMEs are in place and work just fine. Strangely enough, we can easily leave the system working with a Juniper router.

Network Rules
- LAN and DMZ to External: NAT
- Localhost to everything: Route
- DMZ/LAN to DMZ/LAN: Route
- PPPoE with the ISA

Nslookup works only behind the ISA firewall; it never did from the Internet. I am not really sure where to go from here. Does any of the detail above reveal any chinks in our armor? Really appreciate you looking at this, and enjoying your book and website. Very helpful. This is the second ISA in our datacenter. The only difference is 2004 vs. 2006. We are so close here.
RE: ISA Rules With Exchange 2007 - 14.May2008 4:28:54 AM
aineo
Posts: 5
Joined: 28.Apr.2008
Status: offline
Fixed! A rebuild of the External DNS servers fixed the problem. Is this a MS bug or what?

Many thanks!
Spencer
RE: ISA Rules With Exchange 2007 - 14.May2008 10:28:13 AM
tshinder
Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Spencer,

Could be a bug, or maybe old entries were still in the DNS server cache? I usually empty the cache and reload the server data files after making changes. Good to hear you got it working, and thanks for the follow up!

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8