Welcome to ISAserver.org
Inbound SMTP denied by ISA Server 2004
Inbound SMTP denied by ISA Server 2004 - 13.Apr.2006 11:46:37 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Hi all, I'm having a tough time publishing an Exchange server using ISA Server... exasperating. ISA Server 2004 is denying inbound SMTP requests using the default rule -- my SMTP rule(s) are, apparently, never being applied.

Here's the architecture -- I'm using ISA Server 2004 behind another firewall that is doing NAT:

Internet --> Firewall --> (192.168.1.x) --> ISA Server --> (10.0.0.x)

The Exchange Server is in the 10.0.0.0 network. All I want is for inbound SMTP traffic to be routed through the ISA Server (via the SMTP filter) to the Exchange box. Should be simple, but nothing I do seems to be able to make this work. Actually I spent hours on it with another person today -- neither of us is new to networking and we're baffled. Should mention that we successfully published two web sites (unrelated to the Exchange server) using both SSL-to-SSL bridging and regular HTTP via ISA Server and it worked like a charm. And I thought that's where we'd have a problem...

The perimeter firewall is taking SMTP requests and natting them to the external IP of the ISA Server, preserving the default port (25). It's just not clear how to get ISA Server to pick up these requests, filter them, and then send them on to the Exchange box. This seems to be the way that the Web Servers are published... As I said, right now I see ISA Server rejecting the SMTP traffic using the default DENY rule, so it's not seeing the ALLOW rules that have been put in place (I've tried many of them). If we can't solve this problem we're going to use our ISA Server as a boat anchor.
RE: Inbound SMTP denied by ISA Server 2004 - 14.Apr.2006 3:12:24 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
What is the network relationship between the 10.x network and the 192.168.x network? If it's route, then it won't work - it has to be NAT if you're going to have ISA 192.168 address be the destination of the SMTP traffic from the firewall. Then setup a server publishing rule to map the ISA external IP for port 25 to the mail server.
< Message edited by ClintD -- 14.Apr.2006 3:13:25 PM >
RE: Inbound SMTP denied by ISA Server 2004 - 14.Apr.2006 9:35:08 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Hi -- thanks for responding! The network relationship is "NAT": under Configuration...Networks...Network Rules we have NAT Relation between the Source Network (which is the "External" 192.168.x.x network) and the Destination Network (which is the "Internal" 10.x.x.x network).

After setting this, we created a Server Publishing rule using the Server Publishing Rule wizard. For the IP address of the server being published, we put the 10.x.x.x address of the Exchange server. For the protocol, we selected "SMTP Server". For the "IP Addresses" page (which oddly isn't), we selected the "External" network in the "Listen for requests from these networks" selection box. I tried a lot of other things too (probably, I think, almost every other permutation of the eight or ten things that one can choose to do) and again, no luck.

For testing, I connected a laptop to the Internet using a separate connection and telnetted to port 25 on the external IP. ISA Server processes the traffic, and always reports Action: Denied Connection and Rule: Default Rule.

Just to be clear, in looking at the Properties for this listener, the following are set on the tabs:
- General has "Enable" selected
- Action is set to "Allow"
- Traffic is "SMTP Server" with default port 25
- From is set to "Anywhere" with no exceptions
- To is set to the Exchange Server addr, e.g. 10.0.0.25 (have tried both options for the "Request for the published server" options)
- Networks is set to External (which is the 192.168.x.x addr on the ISA Server)
- Schedule is default Always
I must be missing something really simple -- I can't believe it's this difficult. The http traffic continues to hum along with no problem -- ISA Server acts as expected. But this is unbelievable!
RE: Inbound SMTP denied by ISA Server 2004 - 14.Apr.2006 11:58:34 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Why did you create a Network rule that NATs from External to Internal? What happened to the default Internal to External NAT rule? Is Internal to External = NAT listed before or after your rule? Make sure Int -> Ext = NAT and delete the Ext -> Int = NAT rule and try it again. In ISA's way of thinking, if you NAT from Internal to External, it is implied that internal resources are only accessible through a Server Publishing rule. Once you've got the Network Rules straightened out, download FWENGMON.EXE from MSFT's site and run fwengmon /c - you should see the ISA Server listening on port 25 after that. If you don't, post the results of FWENGMON /c and we'll see what's wrong.
< Message edited by ClintD -- 14.Apr.2006 11:59:40 PM >
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 12:21:44 AM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Hi again and thanks for the information. I'd created the NAT rule from External to Internal because I thought that's what you implied in your first post. There are only four Network Rules in my setup, in the following order:
1. Local Host Access, which routes Local Host to all networks
2. The rule that I mentioned, which NATs from External to Internal, created earlier today
3. A VPN Clients to Internal Network rule
4. Internet Access, which NATs Internal, Quarantined VPN Clients and VPN Clients to External networks. (I'm guessing that this is the default Internal to External NAT rule to which you refer.)
By removing rule number 2, I am back to the initial configuration, so I am not optimistic. I'll try it again and post back shortly. Thanks again!
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 3:17:58 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Now that I re-read my post, I see what you mean. Sorry about that - rule 4 is all that's needed - the FWENGMON output will straighten us out.
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 3:54:58 AM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Quick update: I removed the 2nd Network Rule, deleted the rule publishing the Exchange Server, and then ran the wizard again, with the same result -- denied with the default rule. Tomorrow I'll use the FWENGMON tool and hopefully we'll get some hard data! Thanks for your assistance; I really appreciate it!
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 7:31:07 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
When you post the FWENGMON output, also post how you're testing this, OK? As in, are you telnet'ing to port 25 on the 192.168.1 interface of ISA, or are you trying to telnet to the published mail server's 10.x IP directly?
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 1:32:54 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Hi, My testing setup is a laptop on my desk connected to a DSL line that is separate from the corporate network -- it's just used for testing, so that we can see what a customer would see. The provider is different from our production providers, too. So for testing, I am completely outside, telnet'ing to port 25 on the outside (public routable) IP. I am using our production perimeter firewall (not an ISA Server); the ISA Server is just being used for testing purposes at the moment. I can see the traffic pass through the perimeter firewall and on to the ISA Server. Incidentally, I can telnet to our production Exchange Server just fine from the outside, which passes through the same perimeter firewall. Also, I can telnet to the Exchange Server from the ISA box itself -- no problem there. It's as if ISA Server is somehow not seeing the traffic as SMTP and is applying the default deny rule. Thanks again; I'll see what I can do about getting FWENGMON working...
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 4:40:15 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Hi again, The testing methodology is in my previous post. I installed FWENGMON; here is the output:

C:\testing>fwengmon /c
Creation Objects:
ID  Protocol Source        Destination        One-Shot
--  -------- ------        -----------        --------
4   TCP(6)   0.0.0.0:0     192.168.0.100:80   No
3   TCP(6)   0.0.0.0:0     192.168.0.100:443  No
1   TCP(6)   0.0.0.0:0     10.0.0.248:1745    No
2   TCP(6)   0.0.0.0:0     10.0.0.248:8080    No
610 TCP(6)   10.0.0.248:0  10.0.0.48:1026     No
5 Creations.

The 10.0.0.248 address is the internal IP of the ISA Server and the 192.168.0.100 address is the external IP of the ISA Server. They are on separate NICs and we do not have any other IPs bound to those cards. The 10.0.0.48 address is the address of the Exchange Server on the internal network.
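An added example, not part of this thread and not Microsoft's or Clint's tooling: a small Python parser for "fwengmon /c" output, used to answer Clint's question programmatically (is there a creation object for port 25 on the ISA external address?). The sample listing is a constructed copy of the output posted above, laid out one row per line; the function names are my own.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the "fwengmon /c" listing from the thread, one row per line.
# Note the absence of any 192.168.0.100:25 entry, which is the symptom being diagnosed.
FWENGMON_OUTPUT = """\
Creation Objects:
ID  Protocol Source        Destination        One-Shot
--  -------- ------        -----------        --------
4   TCP(6)   0.0.0.0:0     192.168.0.100:80   No
3   TCP(6)   0.0.0.0:0     192.168.0.100:443  No
1   TCP(6)   0.0.0.0:0     10.0.0.248:1745    No
2   TCP(6)   0.0.0.0:0     10.0.0.248:8080    No
610 TCP(6)   10.0.0.248:0  10.0.0.48:1026     No
5 Creations.
"""


class Creation(NamedTuple):
    """One creation object: where the ISA firewall engine will accept a new connection."""
    id: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    one_shot: bool


# A data row: id, protocol, src ip:port, dst ip:port, Yes/No.  Header, separator and
# the trailing "N Creations." line do not match and are skipped.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(Yes|No)\s*$")


def parse_creations(text: str) -> List[Creation]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(Creation(int(m[1]), m[2], m[3], int(m[4]),
                                 m[5], int(m[6]), m[7] == "Yes"))
    return rows


def listening_ports(rows: List[Creation], ip: str) -> List[int]:
    """Ports on which the engine accepts connections to the given local address."""
    return sorted({r.dst_port for r in rows if r.dst_ip == ip})


def missing_listeners(rows: List[Creation], ip: str, expected: List[int]) -> List[int]:
    """Expected published ports that have no creation object on that address."""
    return sorted(set(expected) - set(listening_ports(rows, ip)))


if __name__ == "__main__":
    rows = parse_creations(FWENGMON_OUTPUT)
    ext = "192.168.0.100"  # ISA external address, as stated in the thread
    print("listening on", ext, ":", listening_ports(rows, ext))
    print("missing on", ext, ":", missing_listeners(rows, ext, [25, 80, 443]))
```

Run against the listing above it reports 80 and 443 present on the external address and 25 missing, which is exactly what Clint said to look for: the web listeners exist, the SMTP server publishing rule never produced one.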
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 5:01:44 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
And one more thing! In reviewing the Monitoring Alerts, I see that yesterday after removing the Network Rule from the External to Internal network, the following was recorded in the log:

Description: Server publishing rule [SMTP] failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Location 325.934.4.0.2165.594. For more information about this event, see ISA Server Help. The failure is due to error: 0x8007000d

Chris
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 5:25:38 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
OK - that sounds good. If you don't mind, run ISAINFO from isatools.org (run the isainfo.vbe file) and send the results to clintdenhamatgmaildotcom and I'll see what's going on. Everything in there should be private addresses so you shouldn't need to change anything.
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 6:11:46 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Thanks: just sent you an email with the XML file attachment. Looks like the tool has been updated -- I ran isainfo.js on the ISA Server. The ISAInfo.hta that is included in the package is nice -- it makes it really easy to see all information that the tool collects. Thanks again!
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 11:00:57 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
You shouldn't need the "External GWA" Network. The Alert you posted makes sense now - you have defined another External network (for the 192.168.0.100 interface) but you didn't create a Network Rule for 'Internal' to 'External GWA' = NAT (just to be clear - you don't need one - I was just trying to illustrate the concept). You should probably restart the Firewall service once you delete this. Once you get this Network removed, ISA's IP will be recognized as External and the Network Rule will work then. If it still fails, post FWENGMON again and any other alerts. Clint
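An added example (my own, not Clint's and not ISA's code) that models the logic behind this diagnosis so it can be checked before touching a live box. In ISA 2004 the External network is every address not claimed by some other defined network, so defining an extra network that covers the ISA external address moves that address out of External; a server publishing rule that listens on External then has no address to listen on, which is the "no valid network listener" alert posted above. The check also requires a NAT network rule from the published server's network to the listener network, as Clint advises earlier in the thread. The two configurations are built from the thread's details; the 192.168.0.0/24 range for "External GWA" is an assumption, since the thread does not give it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# ISA 2004 rule: any address not inside a defined network belongs to External.
DEFAULT_EXTERNAL = "External"


@dataclass
class NetworkRule:
    name: str
    sources: List[str]
    destinations: List[str]
    relation: str  # "NAT" or "Route"


@dataclass
class ServerPublishingRule:
    name: str
    published_ip: str
    port: int
    listener_networks: List[str]


@dataclass
class IsaConfig:
    networks: Dict[str, List[str]]  # explicitly defined networks -> CIDR ranges
    isa_addresses: List[str]        # addresses bound to the ISA box's NICs
    network_rules: List[NetworkRule]
    publishing_rules: List[ServerPublishingRule]


def network_of(cfg: IsaConfig, ip: str) -> str:
    """Which ISA network an address belongs to; External is the catch-all."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in cfg.networks.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return DEFAULT_EXTERNAL


def has_relationship(cfg: IsaConfig, src: str, dst: str, relation: str = "NAT") -> bool:
    return any(r.relation == relation and src in r.sources and dst in r.destinations
               for r in cfg.network_rules)


def validate_publishing_rule(cfg: IsaConfig, rule: ServerPublishingRule) -> List[str]:
    problems = []
    # 1. Listener: ISA must own at least one address inside a selected listener network.
    live = {net: [a for a in cfg.isa_addresses if network_of(cfg, a) == net]
            for net in rule.listener_networks}
    live = {net: addrs for net, addrs in live.items() if addrs}
    if not live:
        owned = {a: network_of(cfg, a) for a in cfg.isa_addresses}
        problems.append(f"{rule.name}: no valid network listener - ISA owns no address in "
                        f"{rule.listener_networks}; its addresses belong to {owned}")
    # 2. Relationship: published server's network -> listener network must be NAT.
    server_net = network_of(cfg, rule.published_ip)
    for net in live:
        if not has_relationship(cfg, server_net, net):
            problems.append(f"{rule.name}: no NAT network rule from {server_net} to {net}")
    return problems


def validate(cfg: IsaConfig) -> List[str]:
    problems = []
    for rule in cfg.publishing_rules:
        problems.extend(validate_publishing_rule(cfg, rule))
    return problems


# Constructed from the thread: SMTP published to 10.0.0.48, listening on External,
# and the default "Internet Access" rule (Internal etc. -> External = NAT).
SMTP_RULE = ServerPublishingRule("SMTP", "10.0.0.48", 25, ["External"])
INTERNET_ACCESS = NetworkRule("Internet Access",
                              ["Internal", "Quarantined VPN Clients", "VPN Clients"],
                              ["External"], "NAT")

# Broken state: an extra "External GWA" network claims the ISA external address.
# The 192.168.0.0/24 range is an assumption; the thread only says it holds 192.168.0.100.
BROKEN = IsaConfig(
    networks={"Internal": ["10.0.0.0/24"], "External GWA": ["192.168.0.0/24"]},
    isa_addresses=["10.0.0.248", "192.168.0.100"],
    network_rules=[INTERNET_ACCESS],
    publishing_rules=[SMTP_RULE],
)

# Fixed state: "External GWA" deleted, so 192.168.0.100 falls back into External.
FIXED = IsaConfig(
    networks={"Internal": ["10.0.0.0/24"]},
    isa_addresses=["10.0.0.248", "192.168.0.100"],
    network_rules=[INTERNET_ACCESS],
    publishing_rules=[SMTP_RULE],
)

if __name__ == "__main__":
    print("broken:", validate(BROKEN) or "OK")
    print("fixed: ", validate(FIXED) or "OK")
```

The model deliberately keeps the two checks separate: the listener check explains why the wizard-created rule was never evaluated at all (traffic fell through to the default deny), while the relationship check covers the earlier misstep in the thread of adding an External-to-Internal NAT rule instead of relying on the default Internal-to-External one.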
RE: Inbound SMTP denied by ISA Server 2004 - 15.Apr.2006 11:59:18 PM
cpsagman
Posts: 9
Joined: 13.Apr.2006
Status: offline
Hi Clint, Success! Thank you for solving the mystery after so many hours. I never suspected the "External GWA" network as being a problem because I did not select it when creating the rule for publishing the Exchange Server -- I always chose "External". Interestingly, I was using the "External GWA" network with my web listeners, and they worked just fine.

[The reason I had the "External GWA" network in addition to the default External network is because originally I had a rule that used it to point to a different internal web server (I need to support two different web servers via the ISA Server). All seemed to work fine to both web servers but, as we found, we could not publish the Exchange Server, so I removed everything except the "External GWA" network during troubleshooting.]

Right now one of the web sites is published just fine, as well as the Exchange Server, via the External interface -- this is a great start. Now I need to figure out a good way to add the other web server to the current setup. I could probably reuse the same External interface (using the domain name in the request) but it's currently a production site and flipping the DNS entry for testing purposes is not going to fly, so I'm stuck with an IP for now. Which I think means binding another address to the External card and setting up another network and this time, a Network Rule for 'Internal' to this new 'External' = NAT, etc., or maybe that's a bad idea and I should just drop another card in the ISA Server for another External network?

Thanks again, Clint -- you really made my day. Chris
RE: Inbound SMTP denied by ISA Server 2004 - 16.Apr.2006 5:09:16 AM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
I think a new NIC and associated 'Network' is the wiser idea. Glad to hear you got it going... By the way, you can support tons of internal web servers as long as they host different URL domains - I have approximately 150 domains hosted through a single ISA Server (honestly, I have 5 that are load balanced through an f5 Load Balancer but they all have identical configs) with only a single IP bound to the ISA box - I use the Single NIC template when I roll out my ISA Servers (we have a long and entrenched investment in Check Point where I work and this is ISA's role for now). Take it easy... C
RE: Inbound SMTP denied by ISA Server 2004 - 17.Apr.2006 11:55:42 PM
ewilson
Posts: 23
Joined: 17.Apr.2006
From: Chicago north suburbs
Status: offline
I have this same problem and I'm about ready to kick ISA to the curb because of it. (Well, among other frustrations like no 1-1 NAT) I get the same message in the event log about the "publishing rule failed because there is no valid network listener, there must be a network relationship between the listener networks and published servers.. blah blah...." My listener is an IP address on the external interface of ISA, in the "External" network. I followed the simple little wizard to publish the IP of my mail server and listen on the External network for SMTP Server protocol. After two days ISA still refuses to pass through SMTP traffic, denying it with the default enterprise policy. I cannot tell you how aggravating it has been working on what should have taken 2 minutes to set up. I started a new thread for my problem here: http://forums.isaserver.org/SMTP_Publishing_is_not_working/m_2002014134/tm.htm
< Message edited by ewilson -- 18.Apr.2006 6:06:38 PM >
RE: Inbound SMTP denied by ISA Server 2004 - 24.Apr.2006 3:16:23 PM
jbgarcia
Posts: 2
Joined: 19.May.2005
From: Philippines
Status: offline
Hi Clint, I've sent an email to you regarding my problem, the same as cpsagman's. Our setup is a three-leg network. The SMTP Server is placed in the internal network with 192.168.0.4 IP Address; likewise our external interface on the ISA Server is 203.87.147.97. I've already sent the result of the isainfo tool to your gmail account and hope that helps. We don't have much downtime to waste just to do "trial and error" configuration just like we did last weekend. Until now, we can't seem to figure out what went wrong. Please Guys, if you have thoughts on this, I would really appreciate it. Looking forward to your favorable responses. Regards, Jason