Welcome to ISAserver.org
Publishing mail server
Publishing mail server - 20.Jan.2007 5:59:35 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
I want to publish a mail server behind ISA Server 2004. I have done it on ISA Server 2000, but at that time the network structure of our office was simple; now it has been designed with VLANs. So let me explain my problem. All the servers are in VLAN 5, so they have 192.168.5.* IP addresses as their private IP addresses. The mail server has one NIC, a private one, "192.168.5.30"; the ISA server has 2 NICs, one public and the other private, "192.168.5.10". All the clients are in VLAN 4, so they have 192.168.4.*.
The first step is making the mail server a SecureNAT client of the ISA server. I have set the internal IP address of ISA as the default gateway of the mail server, and I have set the DNS of MDAEMON (mail server) to 198.6.1.1 (UUnet). Now in ISA Server I have defined a rule to allow the DNS Server protocol from the mail server to External. Is this right? So when I send an email to yahoo.com the mail server could get the yahoo.com IP address, but it couldn't. What have I done wrong?
|
|
|
|
RE: Publishing mail server - 20.Jan.2007 6:19:21 AM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss,
quote:
the first step is making the mail server a SecureNAT client of the ISA server. I have set the internal IP address of ISA as the default gateway of the mail server, and I have set the DNS of MDAEMON (mail server) to 198.6.1.1 (UUnet).
Don't you have an internal DNS server? Normally the internal DNS server should be able to resolve all external FQDNs on behalf of any internal host, including the mail server.
HTH, Stefaan
|
|
|
|
RE: Publishing mail server - 20.Jan.2007 7:00:23 AM
|
|
|
z_haseeb
Posts: 182
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
|
What I got from your post is that your users, who are in VLAN 4 (192.168.4.*), want to send emails via the local email server (MDaemon), which is in VLAN 5 (192.168.5.*). Why are your VLANs using 2 different IP ranges? To my little knowledge, if you want to make a PC a member of a VLAN, you just make that PC a member of the VLAN via a command, and that's it. Why have you changed the IP ranges within a LAN/Internal? I think you are using the wrong concept of VLAN.
Try this: make 2 VLANs, one for your servers and one for your users, or more, but use the same range of IPs, because you are using one NIC for your LAN users and one NIC for Internet connectivity.
< Message edited by z_haseeb -- 20.Jan.2007 7:21:36 AM >
|
|
|
|
RE: Publishing mail server - 20.Jan.2007 12:30:33 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi z_haseeb,
what's wrong with different IP ranges, subnets or network IDs on the internal network? ISA supports that perfectly. Check out the following articles: My favorite design for an internal routed network is described in my article How to Implement VPN Off-Subnet IP Addresses.
BTW, there are even people using ISA Server as an internal firewall between the clients and the servers.
HTH, Stefaan
|
|
|
|
RE: Publishing mail server - 21.Jan.2007 12:13:52 AM
|
|
|
z_haseeb
Posts: 182
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
|
quote:
ORIGINAL: nnmmss
I want to publish a mail server behind ISA Server 2004. I have done it on ISA Server 2000, but at that time the network structure of our office was simple; now it has been designed with VLANs. So let me explain my problem. All the servers are in VLAN 5, so they have 192.168.5.* IP addresses as their private IP addresses. The mail server has one NIC, a private one, "192.168.5.30"; the ISA server has 2 NICs, one public and the other private, "192.168.5.10". All the clients are in VLAN 4, so they have 192.168.4.*. The first step is making the mail server a SecureNAT client of the ISA server. I have set the internal IP address of ISA as the default gateway of the mail server, and I have set the DNS of MDAEMON (mail server) to 198.6.1.1 (UUnet). Now in ISA Server I have defined a rule to allow the DNS Server protocol from the mail server to External. Is this right? So when I send an email to yahoo.com the mail server could get the yahoo.com IP address, but it couldn't. What have I done wrong?
Hi Stefaan Sir, I did not say that ISA does not support different network IDs or IPs. I said that he is not using a DMZ or 3-leg scenario. He is using only one NIC for Internal. That's why I said use VLANs but use the same IP addresses if you are using a single NIC. Of course, if you use a 3-leg network scenario then you can use different network IDs or IPs. (How can ISA with a single NIC route traffic from one network ID/IPs to a different network ID/IPs?) Am I right, Stefaan?
_____________________________
MCP, IT ADMINISTRATOR Interest ISA Server2004
|
|
|
|
RE: Publishing mail server - 21.Jan.2007 6:03:16 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
How about my problem? Any help for that?
|
|
|
|
RE: Publishing mail server - 21.Jan.2007 6:29:53 AM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi z_haseeb,
I don't agree with you on this one. Maybe we have a little language problem but let's see if I can explain my point of view a little bit better with a small diagram.
quote:
LAN A -------------+
(10.10.10.0/24)    !         LAN C
                [Router] -------------- [ISA] ---- Internet
                   !    (192.168.1.0/24)
LAN B -------------+
(172.16.16.0/24)

On the internal network we have 3 LANs, each with its own network ID. A router or layer-3 switch interconnects those LANs. So, we have a classic internal routed network. ISA is connected to LAN C (the 192.168.1.0/24 network ID) and has the proper routes for LAN A and B, with the router interface belonging to LAN C (the 192.168.1.0/24 network ID) as gateway. The default gateway on the router or layer-3 switch should point to the ISA internal interface.
This is a perfectly supported scenario. How LANs A and B are created, either physical (LAN) or logical (VLAN), is completely irrelevant for ISA Server as long as ISA has a proper route to them.
HTH, Stefaan
|
|
|
|
RE: Publishing mail server - 22.Jan.2007 2:37:03 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
I have 2 DNS servers on VLAN 5, 192.168.5.20 and 192.168.5.30, but neither of them forwards to an external DNS; they are both for internal LAN DNS. But if I make the mail server a SecureNAT client of the ISA server and define a rule allowing DNS Server requests from ISA to the mail server and vice versa, should there be any problem?
|
|
|
|
RE: Publishing mail server - 22.Jan.2007 3:24:44 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss,
a solid DNS infrastructure is very critical for a good working ISA server. Therefore you should adopt the following best practice for a well designed DNS infrastructure:
1. internal NIC on ISA is first in order.
2. internal NIC on ISA is configured with internal DNS server.
3. internal DNS server is configured with your ISP DNS servers as forwarders.
4. external NIC on ISA does *not* have any DNS configuration.
5. ISA has a rule allowing the DNS protocol from your internal DNS server to the configured forwarders for all users (anonymous).
Also, all internal hosts should use the internal DNS servers.
HTH, Stefaan
|
|
|
|
RE: Publishing mail server - 23.Jan.2007 1:57:24 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
I did as you said: the internal DNS server forwards to 198.6.1.2 and 192.9.9.3. I defined the rule which lets all users use the protocols DNS, DNS Server and NetBIOS Name Server from the internal DNS server to External. But when I type
nslookup www.cnn.com 192.9.9.3
I get this error:
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.9.9.3: Timed out
Server: UnKnown
Address: 192.9.9.3
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
Or if I type
nslookup www.cnn.com
I get this error (192.168.5.20 is the internal DNS server):
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.5.20: Timed out
Server: UnKnown
Address: 192.168.5.20
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
What have I done wrong? And you said ISA has a rule allowing the DNS protocol from your internal DNS server to the configured forwarders for all users (anonymous). I just found this (in system policy):
Network services: Allow DNS from ISA Server to selected servers (from localhost to ALL networks)
Was that all?
|
|
|
|
RE: Publishing mail server - 23.Jan.2007 2:52:29 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss,
did you try 198.6.1.2 instead of 192.9.9.3? According to my tests 192.9.9.3 seems not to respond. If it still doesn't work, what is the ISA logging telling you?
HTH, Stefaan
< Message edited by spouseele -- 23.Jan.2007 2:54:24 PM >
|
|
|
|
RE: Publishing mail server - 24.Jan.2007 1:44:07 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
Hi Stefaan,
I don't see anything in the ISA log file; it seems that the request is coming to the ISA server.
Thanks
|
|
|
|
RE: Publishing mail server - 24.Jan.2007 2:57:43 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss, I hope you did configure the internal DNS server as a SecureNAT client. Did you? HTH, Stefaan
|
|
|
|
RE: Publishing mail server - 28.Jan.2007 6:45:36 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
Hi Stefaan,
Sorry for the delay. Yes, the mail server is a SecureNAT client of ISA, and the protocol rule is defined to let the DNS request go out, but no success.
|
|
|
|
RE: Publishing mail server - 28.Jan.2007 3:32:13 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss,
my question was
quote:
hope you did configure the internal DNS server as a SecureNAT client. Did you?
HTH, Stefaan
|
|
|
|
RE: Publishing mail server - 31.Jan.2007 1:20:12 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
No, I didn't. You mean both the mail server and the internal DNS server should be SecureNAT clients? I've just made the mail server a SecureNAT client of the ISA server; isn't that enough?
|
|
|
|
RE: Publishing mail server - 31.Jan.2007 2:27:09 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss,
quote:
you mean both Mail server and Internal DNS Server should be secureNAT?
Yes! Because you do *not* install the Firewall client on a server, you configure the servers as SecureNAT clients if they need outbound access (e.g. DNS server) or if they need to be published (e.g. mail server). After you've done that, and assuming you have the proper access rule in place, the internal DNS server should be able to resolve external FQDNs.
HTH, Stefaan
|
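The routed-network diagram and the SecureNAT answer above come down to one check: does the host's route to the Internet lead to the ISA internal interface, directly or through an internal router? The route trace below is an added example, not part of the original thread. The addresses 192.168.5.10, 192.168.5.20, 192.168.5.30 and 198.6.1.2 come from the posts; the layer-3 switch interfaces 192.168.4.1/192.168.5.1, the client 192.168.4.50 and all routing tables are constructed assumptions.

```python
import ipaddress

ISA = "192.168.5.10"                      # ISA internal NIC (from the thread)
FORWARDER = "198.6.1.2"                   # ISP forwarder named in the thread
ROUTER = [("192.168.4.0/24", None), ("192.168.5.0/24", None),
          ("0.0.0.0/0", ISA)]             # assumed layer-3 switch, default -> ISA

def next_hop(routes, dest):
    """Longest-prefix match over (cidr, gateway) pairs; gateway None = on-link."""
    dest = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(c), gw) for c, gw in routes
            if dest in ipaddress.ip_network(c)]
    if not hits:
        return "unreachable"
    gw = max(hits, key=lambda h: h[0].prefixlen)[1]
    return "on-link" if gw is None else gw

def trace(tables, src, dest, max_hops=8):
    """Follow next hops from src until delivery, a missing route, or a loop."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables.get(node, []), dest)
        if hop == "on-link":
            return path + [dest]
        if hop == "unreachable":
            return path + ["unreachable"]
        path.append(hop)
        node = hop
    return path + ["loop"]

def crosses_isa(tables, src, dest):
    """True when the packet is delivered and ISA is one of the hops on the way."""
    path = trace(tables, src, dest)
    return path[-1] == dest and ISA in path[1:-1]

def build(dns_gateway):
    """Constructed tables; dns_gateway is the DNS server's default gateway or None."""
    dns = [("192.168.5.0/24", None)]
    if dns_gateway:
        dns.append(("0.0.0.0/0", dns_gateway))
    return {
        "192.168.5.20": dns,                                  # internal DNS server
        "192.168.4.50": [("192.168.4.0/24", None), ("0.0.0.0/0", "192.168.4.1")],
        "192.168.4.1": ROUTER, "192.168.5.1": ROUTER,         # one device, two VLANs
        ISA: [("192.168.5.0/24", None), ("192.168.4.0/24", "192.168.5.1"),
              ("0.0.0.0/0", None)],       # external side modelled as on-link
    }

if __name__ == "__main__":
    for gw in (None, ISA, "192.168.5.1"):
        print(gw, trace(build(gw), "192.168.5.20", FORWARDER))
```

With no default gateway on the DNS server the forwarded query never reaches ISA, so no firewall rule is evaluated and nothing is logged; with the gateway set to ISA or to a router whose default route points at ISA, the query crosses the firewall and the access rule applies.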
|
|
|
RE: Publishing mail server - 4.Feb.2007 6:54:35 AM
|
|
|
nnmmss
Posts: 85
Joined: 30.Nov.2004
Status: offline
|
Hi Stefaan,
Now my mail server is published and users from outside can check their email with Outlook over SMTP and POP3, but I am still having a problem publishing web mail. My mail server is MDaemon and its web mail is WorldClient, which works on port 3000 over the HTTP protocol. I defined a web server publishing rule with these specifications:
Action: Allow
From: Anywhere
To: Server --> Invalid IP address of mail server
Traffic: HTTP
Listener: Networks --> External
Port: 3000
Public name: valid IP address of ISA server
But I cannot access the web mail; the request reaches the ISA server but it denies the connection. What is wrong with my web publishing rule?
|
|
|
|
RE: Publishing mail server - 4.Feb.2007 11:54:31 AM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi nnmmss, because of the TCP port 3000, are you sure it is really HTTP? How did you verify that? Assuming it is HTTP, you should use FQDN's instead of IP addresses in the Web publishing rule and this requires a properly configured internal and external DNS server. HTH, Stefaan
|
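One way to answer the question above about whether the service on TCP port 3000 really speaks HTTP is to send it a minimal request and inspect the first line of the reply. This is an added example, not part of the original thread; the two loopback test services (an HTTP responder and an SMTP-style banner service named mail.example.test) are constructed so the check runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def speaks_http(host, port, timeout=3.0):
    """Send a minimal HTTP/1.0 HEAD request; return (is_http, first_reply_line)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while b"\n" not in data and len(data) < 512:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return False, f"connect/read failed: {exc}"
    first = data.split(b"\n", 1)[0].strip().decode("latin-1")
    parts = first.split(" ", 2)
    ok = (len(parts) >= 2 and parts[0] in ("HTTP/1.0", "HTTP/1.1")
          and len(parts[1]) == 3 and parts[1].isdigit())
    return ok, first

class QuietHead(BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):      # keep the demo output clean
        pass

def local_http():
    """Constructed HTTP service on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), QuietHead)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def local_banner():
    """Constructed non-HTTP service: SMTP-style greeting, then close."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 mail.example.test ESMTP\r\n")
                conn.recv(512)         # drain the request so the close is clean
    threading.Thread(target=run, daemon=True).start()
    return srv

if __name__ == "__main__":
    print(speaks_http("127.0.0.1", local_http().server_address[1]))
    print(speaks_http("127.0.0.1", local_banner().getsockname()[1]))
```

Run against the mail server's internal address and port 3000 from a host on the server VLAN, a status line such as `HTTP/1.1 200 OK` confirms HTTP; a greeting banner or a timeout means the service is not HTTP.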
|
|
|