G'day! We are a bit on the bleeding edge here with Exchange 2007. As you know, it is all new architecture on with Edge, HUB, CAS, and MBX (Mailbox) servers. We have got everything but for some reason are unable to get one of the edge servers to connect properly and run with ISA. With MS' Best Practices Analyzer from the toolbox we get an error that says "Exchange Server: Registry cannot be accessed. Cannot connect to the registry of server edge1. This could be a result of permissions problem. Error: Security Error. We brought the Edge out of the DMZ and it works fine, so clearly we have botched the rules on the ISA. After a day at it, suggestions would be GREATLY appreciated.
Good question! I've been wondering the same thing. I'm installing Windows Essential Business Server now and I'll take a look at the rule base to see if there's anything there that enables access to the Edge Server co-located on the TMG to allow these communcatinos. Perhaps we will be able to translate this information into something we can use for off-box Edge Servers.
That sounds good. I am convinced Microsoft has the best firewall on the market. Unfortunately, there is no expert at Microsoft Japan so we are going to have to become the experts here.
Talked to a friend last night, we're thinking that we have to redo the network adapter order as this has to be it. With ISA if you don't have it exact, things don't work I am told (ie. Internal LAN access on top).
We've got ISA in front of Edge, CAS, and eventually the MBX. I think it is not anything to do with the rest of the network, but more just making sure we've got all the right rules on the ISA box.
Will let you know what we find out. If you have any ideas, those are very welcome.
We ended up having to rebuild our Edge, HUB, and CAS servers. We rebuilt ISA (2006) as well. I think you have to be really careful about the person who sets things up. Our Japanese engineer who did the original builds was still on EX 2003 mentality. Exchange 2007 is a whole different animal.
We can successfully synchronize all the exchange services between LAN and DMZ, the subscriptions are working fine.
We're having problems publishing the DNS Servers on the DMZ.
Publishing rules are in place with the correspondent External IP and DNS Server protocol.
From within the DMZ when you use DNSLint it seems to be publishing properly. When you use DNSLint from outside of the network it says UDP port 53 not responding.
For a test we replaced the ISA with another firewall and everything worked. We are pretty sure it is just an ISA issue or rule that is missing or misconfigured.
Thanks for the idea. A bit stumped here, but this is what we've got.
Nslookup Answering to your questions Let me send you a quick diagram from our network. DMZ Ns1.xxxx.net 10.20.0.2 Ns2.xxx.net 10.20.0.3 Edge1 10.20.0.4 Cluster LAN Hub-cas 10.10.0.5 Mbx 10.10.0.7 AD 10.10.0.6 ISA 3 nics LAN 10.10.0.1 DMz 10.20.0.1 External 6 IP 228.xxx.xxx..xxx = pppoe connection 228.xxx.xxx.xx1 -= listener for ns1 DNS SERVER RULE 228.xxx.xxx.xx2 -= listener for ns2 228.xxx.xxx.xx3 -= listener for edge SMTP SERVER RULE 228.xxx.xxx.xx5 -= listener for OWA PUBLISHED SITE All mx records and cname are in place and work just fine,
Strangely enough, we can get easily leave the system working with a Juniper router.
Network Rules LAN AND DMZ To External NAT LOCALHOST to everything route. DMZ LAN TO DMZ LAN ROUTE. PPPOE With the ISA. Nslookup works only behind the isa firewall never did from the internet.
I am not really sure what to go from here. Does any of the detail above reveal in chinks in our armor?
Really appreciate you looking at this and enjoying your book and website. Very helpful. This is the second ISA in our Datacenter. Only difference is 2004 vs. 2006. We are so close here.