Welcome to ISAserver.org
Problems with email
Problems with email - 9.Apr.2003 1:49:00 PM
fiona
Posts: 8
Joined: 31.Mar.2003
From: London
Status: offline
Hi, Firstly, thank you for your help with authentication issues, which now works properly! New problem... when the site & content rules are enabled, no external mail at all is sent or received; the outgoing mail just sits in the queue. As soon as the 'Allow all' rule was enabled again, all mail that was in the queue was sent. We are using an SMTP/POP3 server, and the ISA Server has been configured exactly as recommended in the article 'ISA Server SMTP Server Support'. Any suggestions??
RE: Problems with email - 9.Apr.2003 3:06:00 PM
AttilaKaanSalci
Posts: 18
Joined: 8.Jan.2002
From: Trieste,,ITALY
Status: offline
Hi Fiona,
Is your SMTP/POP3 server behind ISA or is it an external server? Are your server/clients Firewall or SecureNAT clients? It may be that you're having the same problem as me.
Kaan
RE: Problems with email - 9.Apr.2003 3:19:00 PM
fiona
Posts: 8
Joined: 31.Mar.2003
From: London
Status: offline
The SMTP/POP3 server is behind ISA, and the clients are SecureNAT clients.
[ April 09, 2003, 03:20 PM: Message edited by: Fiona ]
RE: Problems with email - 9.Apr.2003 3:37:00 PM
AttilaKaanSalci
Posts: 18
Joined: 8.Jan.2002
From: Trieste,,ITALY
Status: offline
Hi Fiona,
You should have at least one allow rule, at least for a specified client address set. I think it may depend on your site and content rules.
Could you give some detail?
Kaan
RE: Problems with email - 9.Apr.2003 3:45:00 PM
fiona
Posts: 8
Joined: 31.Mar.2003
From: London
Status: offline
I have about 6 groups; each has a specific destination set that consists of the websites which they can visit. Anything that is not in the destination set is not allowed, and users are redirected to a website telling them this. Each of these groups then has an allow rule that allows them access to their destination set and a deny rule that denies them access to all destinations except the selected destination set. This part is working OK, and restricting users as expected. The 'Allow all' rule which I mentioned earlier is a rule that allows all users access to all destinations.
RE: Problems with email - 9.Apr.2003 3:51:00 PM
AttilaKaanSalci
Posts: 18
Joined: 8.Jan.2002
From: Trieste,,ITALY
Status: offline
OK, that is what I'm having trouble with. It seems that the explicit or implicit deny of an Internet resource (let's say *.domain.com, or a deny-all-except that implicitly denies *.domain.com) also causes the firewall to deny not only websites (browser protocols HTTP, HTTPS, FTP etc.) but also the rest of the protocols (such as SMTP/IMAP4/POP3 etc.).
Also, my trouble is how to deny web protocols on a specific destination set, but allow the rest of the protocols to go.
It may be that Tom or some other guru could help us.
Kaan
RE: Problems with email - 10.Apr.2003 11:05:00 AM
fiona
Posts: 8
Joined: 31.Mar.2003
From: London
Status: offline
Hi Kaan, Have you applied a Site & Content rule to your administrator account, or whatever account you use to log on to your server? I think that may have been my problem as it seems to be working for me now... See the 'Create Site and Content Rules and Protocol Rules to Support Internal Servers' part of the article at: http://www.isaserver.org/tutorials/smtpauth1.html
RE: Problems with email - 10.Apr.2003 9:46:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,
Check out the ISA log files. They will tell you exactly why the requests are blocked. Keep in mind that servers must be configured as SecureNAT clients because it is not recommended at all to install the Firewall client on them. Therefore, if internal servers need outbound access, you must allow the protocols in a protocol rule and the destinations in a site & content rule and apply those rules to a client address set.
To get the most information out of the log files, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.
A lot of people seem to have problems with interpreting the logfiles. It isn't that difficult, but you should first understand what is logged. In the ISA helpfile there is a section called Firewall and Web Proxy log fields, a must read. Additional information can be found in the article http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284818 .
HTH, Stefaan
RE: Problems with email - 11.Apr.2003 12:51:00 PM
AttilaKaanSalci
Posts: 18
Joined: 8.Jan.2002
From: Trieste,,ITALY
Status: offline
Hi, I think I've resolved my problem. All the clients of my ISA (Server or PC Desktop) are SNAT clients. The PC Desktops are also WebProxy clients. I have a protocol rule that allows unauthenticated access to a set of protocols for any request. Another rule that enforces authentication on browser protocols. I've added another protocol rule that enables all protocols without authentication to a specific client address set (servers and some administrative clients). I leave the default allow site and content rule enabled and created a new site and content rule that denies a specified dest set of domains.
I've also configured the HTTP filter to forward requests to the Web Proxy service.
In this manner, if a client or server tries to connect with browser protocols to one of the denied sites, it will be forwarded to the web proxy that will deny the destination. Else if the client tries to connect to a denied destination with other IP protocols (i.e. SMTP, POP3, IMAP4 etc.) it will pass by the allow rule and the unauthenticated protocol rule.
But what a mess; other firewall software permits you to specify destination:port in every rule. I think ISA is not a flexible tool.
Kaan
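A simplified model of the policy interaction discussed in this thread, added here as an illustration (it is not code from any poster or from ISA Server). It shows why a SecureNAT mail server, which sends no credentials, is blocked when only group-based rules exist, and why a destination deny applies whatever the protocol. The rule names, addresses, host names and the exact evaluation order are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    client_ip: str
    user: Optional[str]   # None for SecureNAT clients: no credentials are sent
    protocol: str
    dest: str

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    applies_to: frozenset                     # users or client IPs; {"*"} = any request
    by_user: bool = False                     # True: match on user, else on client IP
    protocols: frozenset = frozenset({"*"})   # consulted for protocol rules
    dests: frozenset = frozenset({"*"})       # consulted for site and content rules
    dests_inverted: bool = False              # True: "all destinations except dests"

def applies(rule, req):
    if "*" in rule.applies_to:
        return True
    who = req.user if rule.by_user else req.client_ip
    return who is not None and who in rule.applies_to

def dest_match(rule, req):
    hit = "*" in rule.dests or req.dest in rule.dests
    return hit != rule.dests_inverted

def evaluate(req, protocol_rules, site_rules):
    proto = [r for r in protocol_rules if applies(r, req)
             and ("*" in r.protocols or req.protocol in r.protocols)]
    site = [r for r in site_rules if applies(r, req) and dest_match(r, req)]
    for r in proto + site:                    # any matching deny wins
        if r.action == "deny":
            return "denied by " + r.name
    if not proto:
        return "denied: no protocol rule"
    if not site:
        return "denied: no site and content rule"
    return "allowed"

# Constructed sample policy and requests (hypothetical names and addresses).
ANY = frozenset({"*"})
PROTO = [Rule("mail protocols", "allow", ANY, protocols=frozenset({"SMTP", "POP3"}))]
GROUP = [Rule("sales allow", "allow", frozenset({"alice"}), True, dests=frozenset({"www.example.com"})),
         Rule("sales deny", "deny", frozenset({"alice"}), True, dests=frozenset({"www.example.com"}), dests_inverted=True)]
SERVERS = Rule("servers allow", "allow", frozenset({"10.0.0.5"}))
BLOCKED = Rule("blocked domains", "deny", ANY, dests=frozenset({"mail.blocked.example"}))
MAIL_OUT = Request("10.0.0.5", None, "SMTP", "mx.example.net")
MAIL_TO_BLOCKED = Request("10.0.0.5", None, "SMTP", "mail.blocked.example")
```

Calling `evaluate(MAIL_OUT, PROTO, GROUP)` returns a denial because no site and content rule applies to the unauthenticated server; adding `SERVERS`, a rule bound to a client address set, allows it.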