Welcome to ISAserver.org
Incoming port 25 problems
Incoming port 25 problems - 27.Nov.2006 12:11:30 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hi, I have installed ISA 2006 on 2003 R2 with 1 public IP leg & 1 internal IP leg. I have SBS 2003 SP1 running Exchange on the internal IP. I have enabled the publish SMTP mail server policy. When I saw that mail was not arriving, I checked the real time monitoring logs. SMTP connections are initiating then closing in the same second without having a chance to send through any data. Outgoing is OK. I can telnet OK to the Exchange server's IP on port 25 from the ISA box. Do I need to install SMTP and/or IIS on the ISA box? I have internal DNS on the SBS 2003 box and the ISA 2006 box is hosting the primary DNS Server for the domain names. The ISP is hosting the secondary. I have published the DNS Server as well. I will tackle OWA & HTTP publishing after I get this working. I bought Tom's ISA 2004 book. It was the best ISA book on the shelf. I have followed the setup procedures for the SMTP Server; however, in 2006 I used the Exchange server setup wizard rather than creating manual server policies. Any ideas? Anyone? Thanks in advance...
< Message edited by danmar -- 28.Nov.2006 10:57:34 AM >

RE: Incoming port 25 problems - 28.Nov.2006 11:23:41 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hi Tom, Thanks for your reply. The SMTP Server (Exchange 2003 SP1 on SBS 2003 machine) has its gateway pointing to the internal address of the ISA 2006 Server, has the version 4.0 Firewall client installed & is a Web Proxy client too. BTW, this machine is running AD Integrated DNS internally with ISP DNS addresses entered in as forwarders. I was going to enter the ISP DNS addresses into the ISA external NIC (as I had configured on the previous Proxy 2.0 Server) but followed the instructions in your 2004 book of setting the DNS on the internal NIC of ISA to point to the internal DNS server that is forwarding requests to the ISP lookup DNS servers. Also, FYI, the ISA server is hosting Primary DNS for the email domain name, listening on the external NIC IP. The SMTP Server seems enabled. Sending & receiving internal mail is working OK. Sending email to external sites is working too. I just can't get the Exchange server to receive external mail. I watched the real time monitoring and saw an incoming SMTP connection initiated (receiving and sending to correct IPs), then in the same second ISA showed the SMTP connection closed. IIS is not installed on the ISA Server. Is there any reason why ISA would initiate a protocol connection then close it straight away without giving the client a chance to submit any data?
< Message edited by danmar -- 28.Nov.2006 11:57:42 AM >

RE: Incoming port 25 problems - 28.Nov.2006 12:09:43 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Danmar, The Firewall client should never be installed on servers, esp. a published server. Try removing the FWC from the Exchange Server and see if that helps. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: Incoming port 25 problems - 28.Nov.2006 4:40:29 PM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hello Tom, I have performed this. The bad news is it didn't fix the problem. The good news is that while the Exchange 2003 server was restarting I noticed in the ISA monitoring that the status for port 25 connections was now showing "connection failed". This leads me to believe that the problem may lie with Exchange. Do you agree? When the Exchange server came back up the SMTP connections returned to "Initiating" and "closed" in less than 1 second. As I mentioned previously, I can successfully connect via telnet to port 25 from the ISA to the Exchange server.

RE: Incoming port 25 problems - 29.Nov.2006 6:04:59 PM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Yes. The Exchange Server 2003 SP1 is running on SBS2003 Server with 1 NIC gateway pointing to the ISA server.

RE: Incoming port 25 problems - 30.Nov.2006 9:59:13 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hi Tom, Internal is a private address on the same subnet as the Exchange Server & External is an ISP assigned static public IP address. I have configured the servers the same as the NT4 Exchange 5.5 & NT4 Proxy 2.0 boxes that I am trying to replace with these 2 servers. The Exchange 2003 Server is running on SBS 2003 and has an SBS Virtual SMTP server connector. When I open IIS there does not appear to be an SMTP connector, so I am a little confused about this. Mail is able to be sent to public email addresses but mail is not coming in. The ISA server initiates then closes port 25 in less than 1 sec. The listed destination address in the monitoring window is the Exchange server.

RE: Incoming port 25 problems - 3.Dec.2006 8:09:28 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Further to my last post I just want to add: I can successfully Telnet to the SBS 2003 Server on port 25 and send an email to an internal address from the ISA 2006 machine. (Also, when I EHLO I get all expected responses.) The ISA 2006 Server is joined to the domain. IIS is not installed on the ISA Server. The SMTP connectivity verifier is successful. No message filtering is enabled in Exchange 2003 SP1. The SMTP Server rule initiates to the correct destination then closes the connection immediately.
< Message edited by danmar -- 3.Dec.2006 9:19:24 AM >

RE: Incoming port 25 problems - 3.Dec.2006 10:53:10 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
The ISA Firewall external IP is an ISP assigned static class C IP address, e.g. 203.1.1.25/27.
Gateway is a Cisco router connected to the ISP.
ISA Internal is a private IP, e.g. 10.0.0.10.
Exchange Server is a private IP on the same subnet as ISA internal, i.e. 10.0.0.20.

RE: Incoming port 25 problems - 3.Dec.2006 11:18:54 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hi Tom,

ISA - Internal NIC: 10.0.0.10 255.255.255.255, no gateway, DNS 10.0.0.20, WINS 10.0.0.20
ISA - External NIC: 203.1.1.98 255.255.255.224, GW 203.1.1.97 (Cisco DSL router)
(The ISA Server is running a DNS Server hosting the primary zone of the domain name (containing the MX records etc.). It is listening on 203.1.1.98.)
Exchange: 10.0.0.20 255.255.255.0, GW 10.0.0.10, DNS 10.0.0.20
(The Exchange server is running the internal AD DNS server with ISP lookup DNS addresses as forwarders.)

Internet works, sending internal & external email works. The only problem is the incoming. I set up the ISA server to point its DNS server to the internal DNS server as per your ISA 2004 book & your split DNS instructions. Previously the Exchange 5.5 and Proxy 2.0 had the same settings as above, except the external NIC of the proxy had the public DNS entries for lookup, i.e. no split DNS.
< Message edited by danmar -- 3.Dec.2006 11:24:39 AM >

RE: Incoming port 25 problems - 3.Dec.2006 11:41:32 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Sorry, typo... 3AM here in Australia... Subnet on Internal NIC is 255.255.255.0. I don't think Windows allows for a 255.255.255.255 subnet to be entered into the NIC ;)
< Message edited by danmar -- 3.Dec.2006 4:32:12 PM >

RE: Incoming port 25 problems - 5.Dec.2006 10:18:18 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hello Tom, There do not appear to be any errors in Event Viewer on either machine that would be meaningful to this situation... they look fairly good. However, I do have a spanner to throw into the works of this troubleshooting story... And Tom... I don't think you are going to be happy to hear this...

The DSL Cisco router is connected to the External port of the "WATCHGUARD FIREBOX"! ISA 2006's External connection is connected to the Trusted port of the Firebox. The Firebox is configured in "drop-in" mode, which means it isn't performing routing on its ports and is used when there are internal servers to publish. You can see what drop-in mode is here: http://www.watchguard.com/help/lss/74/settingtheaddressesindropinmode.htm

In the real time Firebox traffic logs I am seeing entries such as this:

2/04/06 21:33 smtp-proxy[25556]: [83.46.156.250:24751 203.1.1.98:25] proxy connect failed (Connection refused)

The Firebox was forwarding all port 25 stuff to the MS Proxy 2.0 without a problem before and I assumed this was transparent. That's why I didn't mention this to you before, as I am new to ISA 2006 & Exchange 2003 and thought I did something wrong configuring them... but I am now beginning to realise that this may be a problem including the Watchguard & ISA or Watchguard & Exchange 2003, as any of these three systems could be dropping the connection.

I did see some posts that could be relevant: http://forums.isaserver.org/m_2002026095/mpage_1/tm.htm#2002026264 I am not sure what he means by specifying "all networks" in the SMTP rule. I tried adding all networks to the listener accompanying the External connection but it didn't work. Also, there is a tutorial on SMTP on the Firebox here; I tried adding a forward to ISA external via NAT on the SMTP Proxy: http://www.fireboxsupport.com/smtp_proxy_configuration.htm

Any ideas?

RE: Incoming port 25 problems - 8.Dec.2006 2:46:42 AM
danmar
Posts: 17
Joined: 15.Feb.2005
From: Australia
Status: offline
Hi Tom, Further to my previous post, I am pleased to let you know that I pulled out the Watchguard and plugged the External interface of the ISA Server directly into the Cisco router and got the same result. Basically an attempted/initiated SMTP connection is immediately followed by "closed". Could this be related to any permissions settings on Exchange 2003 SP1? I can telnet OK from the ISA box and have tried both submitting the original address & the ISA address on the SMTP Server policy. Is there any troubleshooting you could recommend? Thanks for your help so far.

RE: Incoming port 25 problems - 8.Dec.2006 8:59:45 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

Make sure all IIS Services are removed from the ISA Firewall.
Make sure the SMTP server is a SecureNAT client to the ISA Firewall.
Make sure the Server Publishing Rule is configured correctly and is listening on the External Network and forwarding to the correct IP address.
Make sure the SMTP server can actually accept SMTP messages (you can use Telnet to send a message, but just telnetting in doesn't prove anything).
Check packet traces on the ISA Firewall's internal and external interfaces and at the Exchange Server to check the path of the connections and the source of the problem.

HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
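
Added example, not part of the original thread: a small Python probe for the check in the last reply, that a bare telnet connect proves nothing and a full message has to be sent. It runs one complete SMTP delivery and names the stage where the dialogue stops; the sender, recipient and EHLO names are placeholders (assumptions), and `probe_smtp` and `read_reply` are names chosen here.

```python
import socket

def read_reply(f):
    """Read one SMTP reply (multi-line aware). Return its code, or None on EOF."""
    while True:
        line = f.readline()
        if not line:
            return None                      # peer closed the connection
        if line[3:4] != b"-":                # "250-" continues, "250 " ends
            return int(line[:3]) if line[:3].isdigit() else -1

def probe_smtp(host, port=25, sender="probe@example.test",
               rcpt="postmaster@example.test", timeout=10.0):
    """Run one full SMTP delivery and return (stage, detail).

    Addresses are placeholders (assumptions); use a real internal mailbox.
    """
    body = b"Subject: inbound SMTP probe\r\n\r\nconstructed test message\r\n.\r\n"
    steps = [
        ("banner", None, 220),
        ("ehlo", b"EHLO probe.example.test\r\n", 250),
        ("mail_from", b"MAIL FROM:<%s>\r\n" % sender.encode(), 250),
        ("rcpt_to", b"RCPT TO:<%s>\r\n" % rcpt.encode(), 250),
        ("data", b"DATA\r\n", 354),
        ("body", body, 250),
    ]
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("connect_failed", str(exc))  # nothing listening, or filtered
    with sock, sock.makefile("rb") as f:
        for stage, command, expected in steps:
            try:
                if command is not None:
                    sock.sendall(command)
                code = read_reply(f)
            except OSError as exc:           # reset or timeout mid-dialogue
                return ("error_at_" + stage, str(exc))
            if code is None:
                return ("closed_at_" + stage, "peer closed without replying")
            if code != expected:
                return ("rejected_at_" + stage, str(code))
        try:
            sock.sendall(b"QUIT\r\n")
            read_reply(f)
        except OSError:
            pass                             # message was already accepted
    return ("accepted", "message accepted for delivery")
```

A `closed_at_banner` result matches the symptom described in the thread: the TCP connection opens and is closed before any SMTP data is exchanged. Running the probe once from the ISA firewall against the Exchange server and once from an outside host against the published address shows which hop stops the dialogue.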