Welcome to ISAserver.org

Publishing a pop3 server on a DMZ (perimeter)

Publishing a pop3 server on a DMZ (perimeter) - 5.Jan.2005 2:52:00 PM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
I've used the wizard and tried it manually; alas, nothing works.

I tried to publish the pop3 server on my dmz = 192.168.20.27 and configured the listener so that it should listen on my external network 44.1.1.201.

However, when I look in the log it says that it's blocked by the default rule and, strangely, the destination is localhost. I understand that the ISAserver runs as a proxy and has to redirect everything coming through the external interface on port 110. The problem is it doesn't.

Am I missing something? Does the wizard create all the rules and, if not, what more should I create?

Thanks
Post #: 1
RE: Publishing a pop3 server on a DMZ (perimeter) - 5.Jan.2005 6:11:00 PM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Are you routing or nat'ing to the DMZ?

From memory, you may need to NAT in order for the publishing rules to work.

Try changing the DMZ associated network rules to use NAT.

JJ

[ January 05, 2005, 06:12 PM: Message edited by: Jason Jones ]

(in reply to Arjan12345)
Post #: 2
RE: Publishing a pop3 server on a DMZ (perimeter) - 5.Jan.2005 6:51:00 PM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
Tried both: routing and nating (is that good English?) Anyway, it just got stuck.
I've published 3 webservers on the DMZ and they're all working fine.
The webservers can be reached from the internal and external network.

I've tried to add rules by hand to allow pop3 coming from all directions but no luck there either. BTW I can reach the mailserver from the ISAserver but not from a client outside.

(in reply to Arjan12345)
Post #: 3
RE: Publishing a pop3 server on a DMZ (perimeter) - 6.Jan.2005 12:07:00 AM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Have you configured the server pubs rules to make the request appear to come from ISA as opposed to the original client...give this a try

JJ

(in reply to Arjan12345)
Post #: 4
RE: Publishing a pop3 server on a DMZ (perimeter) - 6.Jan.2005 9:09:00 AM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
Tried that too, no luck.

I'm thinking of rebuilding the d*mn thing from scratch. But I'm still hoping for something to help me out. For future references

(in reply to Arjan12345)
Post #: 5
RE: Publishing a pop3 server on a DMZ (perimeter) - 6.Jan.2005 10:00:00 AM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
I have used server pubs for several customers using POP3 and IMAP and not had any real problems - the "appear to come from ISA" or NAT options are the normal solutions to most problems from my experience.

However, I don't tend to use ISA based DMZ networks...

Sorry...

JJ

[ January 06, 2005, 10:01 AM: Message edited by: Jason Jones ]

(in reply to Arjan12345)
Post #: 6
RE: Publishing a pop3 server on a DMZ (perimeter) - 6.Jan.2005 10:17:00 AM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
Any reason for not using a DMZ with ISA?

I assume that even with a template on 2004 it's common practice to use a DMZ.

Why would you not use a DMZ?

(in reply to Arjan12345)
Post #: 7
RE: Publishing a pop3 server on a DMZ (perimeter) - 6.Jan.2005 2:43:00 PM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
I'm not saying DON'T...I am just saying I don't tend to be involved in installs where they are used - hence my experience of servers pubs is normally to the internal LAN as ISA is already in a packet filter DMZ or is bridged between a packet filter DMZ and the LAN.

At the end of the day it shouldn't make any difference really. Servers pubs shouldn't be difficult to get working; the items I mentioned above are just the normal issues I have personally seen...

Hope you get it sorted...

JJ

[ January 06, 2005, 02:45 PM: Message edited by: Jason Jones ]

(in reply to Arjan12345)
Post #: 8
RE: Publishing a pop3 server on a DMZ (perimeter) - 7.Jan.2005 11:03:00 AM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
The funny thing is when I look at the log it seems that the internal client tries to connect to the localhost. Which makes me wonder how I can verify that a connection is forwarded to the right host. Is there a way to monitor this?

(in reply to Arjan12345)
Post #: 9
RE: Publishing a pop3 server on a DMZ (perimeter) - 7.Jan.2005 4:28:00 PM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
Still frustrated that it still doesn't work.
I executed netstat -an and found out that there is nothing listening on any of the ISAserver NICs.

The webserver publishing does show up at port 80 8888 etc but nothing on port 110!

Is this common?

(in reply to Arjan12345)
Post #: 10
RE: Publishing a pop3 server on a DMZ (perimeter) - 10.Jan.2005 5:09:00 PM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Are you using private or public addresses for your DMZ?

Have you seen Tom's new book, as this has a section on publishing DMZ servers?

JJ

(in reply to Arjan12345)
Post #: 11
RE: Publishing a pop3 server on a DMZ (perimeter) - 11.Jan.2005 10:23:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
You can't publish on the published network.

(i.e. you can't publish 10.1.1.1 on ISA NIC 10.1.1.253.) It's a safety measure added after RC1. This is because you can directly access 10.1.1.1 if you're on the 10.1.1.0 LAN (using 10.1.1.253 as a DG).

Lex P

(in reply to Arjan12345)
Post #: 12
RE: Publishing a pop3 server on a DMZ (perimeter) - 13.Jan.2005 3:46:00 PM   
Arjan12345

 

Posts: 9
Joined: 5.Jan.2005
Status: offline
I've solved the publishing to the internal.
It was a Route vs. NAT problem.
However SPOP3 and SSMTP don't come through on the external interface.

I've used the same nat'ed scheme for the DMZ > external.
Funny is that I can publish POP3 and SMTP on the external but nothing secured.

BTW. We're using MERAK as a mailserver.

(in reply to Arjan12345)
Post #: 13
RE: Publishing a pop3 server on a DMZ (perimeter) - 14.Jan.2005 11:57:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Arjan,

If you get TCP NOT SYN packet errors in ISA, then turn it back to route.

LexP

(in reply to Arjan12345)
Post #: 14
RE: Publishing a pop3 server on a DMZ (perimeter) - 14.Jan.2005 12:32:00 PM   
ItoA

 

Posts: 8
Joined: 12.Jan.2005
Status: offline
How did you make it run?

I have/need to publish RDP(3389), POP(110) and SMTP(25) services from my DMZ but when I make the publish rule the service listener does not come up on any ISA adapters...

I've tested NAT and Route relationships between DMZ and WAN networks but it didn't work.

My servers in DMZ can't access the Internet; they can resolve DNS queries but not anything else.

I saw the firewall log file and get a [FWX_E_NETWORK_RULES_DENIED 0xC0040012] error when I try to ping remote servers.

Could this be the problem? How can I solve it?

Thanks in advance.

quote:
Originally posted by Arjan12345:
I've solved the publishing to the internal.
It was a Route vs. NAT problem.
However SPOP3 and SSMTP don't come through on the external interface.

I've used the same nat'ed scheme for the DMZ > external.
Funny is that I can publish POP3 and SMTP on the external but nothing secured.

BTW. We're using MERAK as a mailserver.


(in reply to Arjan12345)
Post #: 15
RE: Publishing a pop3 server on a DMZ (perimeter) - 14.Jan.2005 2:10:00 PM   
ItoA

 

Posts: 8
Joined: 12.Jan.2005
Status: offline
I have solved my problem!...

I had a double NAT translation in both directions DMZ->WAN and WAN->DMZ. I deleted WAN->DMZ NAT rule and it made Internet access working at the DMZ.

I was able to publish RDP server service in DMZ and it is working but fix that ISA server does not bind any port to this service at any server's interface, so you won't be able to view it using netstat -an command.

Hope it helps somehow in the same way...

(in reply to Arjan12345)
Post #: 16
RE: Publishing a pop3 server on a DMZ (perimeter) - 14.Jan.2005 2:19:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Ok,

I think this is your issue:

You have an ISA server, let's say 10.1.1.1.
Let's presume it has only 1 IP address and 1 NIC to make things simple.
You have an Exchange server on 10.1.1.2 and want ISA to publish port 110 and 25 on NIC 10.1.1.1.

Now, that's not possible because ISA doesn't let you. ISA is made to refuse it on purpose because it thinks "why would I want to publish anything on the same network segment as the server is on now?"
In other words, if you have a 10.1.1.3 client, it will be able to access your Exchange server directly on 10.1.1.2 instead of having to publish it on 10.1.1.1.
ISA prohibits mistakes like this.
I think something similar is happening to your DMZ.

Probably you have an external IP like 88.99.11.11 and your other server is located at 88.99.11.12 and then you can't publish on that NIC.

Hope it's a bit clear,
LexP

(in reply to Arjan12345)
Post #: 17
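
Added example, not part of the original thread and not ISA Server code: a small offline check of a publishing plan for the two misconfigurations described in posts 16 and 17, a listener on the same network as the published server and NAT defined in both directions between two networks. The rule model, function names and /24 masks are assumptions; the addresses are the ones quoted in the thread, and any address outside a defined network is treated as External.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data. Addresses come from the thread; the /24 masks are assumptions.
NETWORKS = {"Internal": "10.1.1.0/24", "DMZ": "192.168.20.0/24"}

@dataclass(frozen=True)
class PublishRule:  # hypothetical model, not an ISA Server object
    name: str
    server_ip: str    # published server
    listener_ip: str  # ISA address the listener uses
    port: int

RULES = [
    PublishRule("pop3-dmz", "192.168.20.27", "44.1.1.201", 110),
    PublishRule("pop3-same-lan", "10.1.1.2", "10.1.1.1", 110),
    PublishRule("smtp-same-external", "88.99.11.12", "88.99.11.11", 25),
]
RELATIONS = [("DMZ", "External", "NAT"), ("External", "DMZ", "NAT"),
             ("Internal", "DMZ", "Route")]

def network_of(ip, networks=NETWORKS):
    """Name of the defined network holding ip; anything else counts as External."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in networks.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "External"

def same_network_publishing(rules, networks=NETWORKS):
    """Rules whose listener sits on the same network as the published server."""
    return [r.name for r in rules
            if network_of(r.server_ip, networks) == network_of(r.listener_ip, networks)]

def double_nat(relations):
    """Network pairs that have a NAT relationship defined in both directions."""
    nat = {(src, dst) for src, dst, kind in relations if kind.upper() == "NAT"}
    return sorted({tuple(sorted(p)) for p in nat if (p[1], p[0]) in nat})

if __name__ == "__main__":
    print("listener on server's network:", same_network_publishing(RULES))
    print("NAT in both directions:", double_nat(RELATIONS))
```
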
