SMTP Publishing Issue - Unable To Telnet
SMTP Publishing Issue - Unable To Telnet - 6.Mar.2008 7:55:16 PM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
Hi, I'm hoping someone can help me... I'm having a problem publishing our exchange server through ISA 2004. A bit of background first...

The ISA server is an ISA server 2004 on Windows 2003 SP1 with 2GB RAM & Dual Xeon processors. Exchange server is a Windows 2003 SP2 server with 4GB RAM and Exchange 2003 SP2. We have two internet connections, one which is a BDSL (2mb link) and the other is a standard ADSL connection (1.5mb link). The standard ADSL link is connected to the ISA server and the other link is connected to a linux firewall.

Initially Exchange was just going through the BDSL link (linux firewall) but we wanted to put it through the ISA server instead so we moved it all across to go through ISA. I have published the Exchange server through ISA in accordance to this site - http://www.microsoft.com/technet/isa/2004/plan/exchage2003.mspx - although have not published OWA etc, only the base exchange server. I also changed the gateway etc and changed the MX records so that the ISA connection was the primary MX record and the other link was the secondary MX record. So it should all technically be working.

Well, mail is going out, but doesn't appear to be coming in correctly... although I'm not entirely sure on this. If I telnet to the primary MX record (ISA server) using the external IP address all I get is a blank screen, whereas if I telnet to the secondary MX record (linux firewall) I get the following...

'220 domainname.net.au Microsoft ESMTP Mail Service, Version: 6.0.3790.3959 ready at Fri, 7 Mar 2008 09:39:20 +0900'

If I telnet to the exchange server internally from the ISA server I also get the above message, so internally from ISA it's ok but not externally. Any help with this is appreciated.
|
|
|
|
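Added example, not part of the original thread: a Python version of the telnet test described in the first post, which separates telnet's "blank screen" (the TCP connection is accepted but no 220 greeting arrives) from a refused or dropped connection and from a normal greeting. The names probe_smtp and fake_listener, the loopback listeners and the sample banner are constructed for illustration; against a real deployment, call probe_smtp with each of your own MX hosts.

```python
import socket
import threading

def probe_smtp(host, port=25, timeout=5.0):
    """Classify what a client sees on connecting to an SMTP listener.
    refused/timeout: no TCP session; no_banner: connected but nothing
    received (telnet's blank screen); closed: peer hung up before greeting;
    unexpected: non-220 greeting; ok: 220 greeting; error: other failure.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            data = sock.recv(512)  # the connect timeout still applies here
        except socket.timeout:
            return "no_banner", ""
        except OSError:
            return "closed", ""
    if not data:
        return "closed", ""
    line = data.decode("ascii", "replace").splitlines()[0]
    return ("ok" if line.startswith("220") else "unexpected"), line

def fake_listener(greeting=None, hold=1.0):
    """Constructed loopback stand-in for a mail server; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        threading.Event().wait(hold)  # stay connected and silent
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    banner = b"220 mail.example.test ESMTP ready\r\n"  # constructed sample
    for label, port in (("answering", fake_listener(banner)),
                        ("silent", fake_listener(None))):
        print(label, probe_smtp("127.0.0.1", port, timeout=0.5))
```

Running the probe from outside against both MX addresses, and from the ISA server against the Exchange server's internal address, gives a like-for-like record of the three telnet tests in the post.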
RE: SMTP Publishing Issue - Unable To Telnet - 7.Mar.2008 9:02:00 AM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
Hi,

Just to confirm, the default GW on the Exchange is set to the Internal NIC of the ISA server? (SecureNAT client)
Is the Exchange in the same Subnet as the ISA?
Can you telnet the Exchange from the ISA?
Can you post your publishing rule specifics?

RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 7.Mar.2008 9:16:36 AM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
Also... Your ISA has at least two or more NICs?
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 7.Mar.2008 9:45:33 AM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
Yeah, the GW for exchange is set to the internal NIC of the ISA server (ISA server has two NICs - internal & external) and the exchange is in the same subnet as the ISA server. The subnet is 255.255.0.0. I can telnet the exchange server from the ISA server (internally).

I have a number of different policies within ISA but for Exchange I have done exactly as indicated in the article I posted earlier. Basically added the exchange server as a 'computer' under the toolbox options, then published the exchange server (inbound rule) and allowed all traffic inbound for SMTP server. Then created an outbound rule for port 25 to listen on external network. I've also published a DNS server (inbound) and created an outbound rule for DNS as well.
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 7.Mar.2008 10:00:32 AM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
Anything showing in the ISA server’s event logs? Are IIS/SMTP services installed on the ISA?

RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 7.Mar.2008 10:23:17 AM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
quote:
Basically added the exchange server as a 'computer' under the toolbox options, then published the exchange server (inbound rule) and allowed all traffic inbound for SMTP server.

Why are you using a computer set? For the Outbound Access? “Seeing is believing as they say” so if you want assistance, post the publishing rule so we can help you!

quote:
I've also published a DNS server (inbound)

Are you hosting your own public DNS? I would think not if this is your AD DNS; I would recommend removing the Inbound rule! All that is needed is an outbound DNS rule for the Exchange server.

RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 9.Mar.2008 9:10:30 AM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
There aren't any errors showing up in the event log for ISA. IIS is installed but not SMTP. I created a computer set for the inbound rule. Is this not required? We are hosting our own DNS but if it is not required to publish it in ISA for exchange then I'll remove it.
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 10.Mar.2008 12:10:12 AM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
I tried removing the published DNS server but when I did mail stopped coming in so I'm assuming I do need the published DNS server after all... although that would tend to indicate that we are receiving mail through the ISA connection. Having said that though I still cannot telnet to port 25 through the ISA connection and there is definitely an issue with being able to send and receive emails to and from certain domains.

I did a DNS test on our system and got the following error... not sure if this sheds any light on the subject...

'Mailserver connection test HELO, MAIL FROM, RCPT TO, QUIT
Connect to mailserver mail.domainname.net.au FAILED (could be greylisting)
Connect to mailserver mail1.domainname.net.au FAILED (could be greylisting)'

The publishing rule for exchange is as follows:

General - Enabled
Action - Allow
Traffic - SMTP Server
From - Anywhere
To - 'Exchange Server'
Networks - External
Schedule - Always
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 10.Mar.2008 10:38:13 AM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
quote:
I tried removing the published DNS server but when I did mail stopped coming in so I'm assuming I do need the published DNS server after all... although that would tend to indicate that we are receiving mail through the ISA connection. Having said that though I still cannot telnet to port 25 through the ISA connection and there is definitely an issue with being able to send and receive emails to and from certain domains.

If you’re publishing your own public DNS; internally what IP is the Exchange server's A zone/MX record pointing to? The ISA’s DNS settings should be configured on the Internal ISA NIC and using an Internal DNS server that is configured properly to resolve Internet queries. Would it be possible that the zone records are resolving to the public IP and looping back through the ISA?

Could it possibly be that your SPAM filter is tripping you up? Possibly SPF record checking?

HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 12.Mar.2008 11:31:09 AM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
I've checked the NIC configurations, both internal & external have the internal DNS server set as the default DNS server. Should it be removed from the external adapter?

I don't think that it is the antispam software we're using as it wasn't affecting it when we weren't using ISA... although I guess I could be wrong. I will check that.

One other thing to note regarding this problem... although this may not be the right group to bring it up under but it may be relevant so I'll mention it... we've been experiencing really slow internet browsing through ISA. When you ping google.com.au or another external website you get a response time of 2300ms... this may or may not be related but thought I'd mention it (did try this internet connection without ISA connected and it's the speed it should be... just not when ISA is connected).
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 12.Mar.2008 1:34:32 PM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
quote:
I've checked the NIC configurations, both internal & external have the internal DNS server set as the default DNS server. Should it be removed from the external adapter?

Yes, definitely do so. There should be no DNS setting on the external.

quote:
One other thing to note regarding this problem... although this may not be the right group to bring it up under but it may be relevant so I'll mention it... we've been experiencing really slow internet browsing through ISA. When you ping google.com.au or another external website you get a response time of 2300ms... this may or may not be related but thought I'd mention it (did try this internet connection without ISA connected and it's the speed it should be... just not when ISA is connected).

Glad you did mention it. DNS could be the contributing factor but it’s not the only thing that could cause the slowness issues in ISA. If DNS is not resolving correctly or you have not properly planned and implemented your DNS design appropriately Internally / Externally to support ISA publishing; you’re going to have issues such as yours. The articles below may be of some help there.

http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html
http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx

HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 12.Mar.2008 9:20:24 PM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
Thanks for the info... I've been looking over everything again and have made a few changes to the network configuration on the ISA server. Basically changed it so that the internal NIC is configured with the internal DNS address and the external NIC is not configured with any DNS setting. I've also changed the order of the NICs as the internal one was set under the external. After making the changes I restarted the ISA firewall and checked it but still having problems.

I then looked again at all the firewall rules and decided to export all the current settings and then start from scratch again. I selected the 'Edge Firewall' Template and started again. I selected the 'Allow limited web access and access to ISP network services' and applied the rule. This resolved my slow browsing problem that I was getting so I'm assuming that one of the rules we set up had caused problems.

I then went through and started adding all the rules we did have back in one by one and testing connection after setting each one. I published the SMTP server and tested... all ok... then created an outbound SMTP rule and tested again and discovered that after doing that internet browsing was extremely slow again. I then deleted the rule and the problem was gone again. I decided to create the outbound rule again but this time selected 'internal' network as the outgoing source instead of just the exchange server. After applying that rule it seemed ok for a minute or so but then went extremely slow again... ping response times of 2300ms which is pretty bad.

So... after all that it seems as though the rule for outbound SMTP is causing browsing problems and more than likely my email/telnet problem. Not really sure where to go from here since I'm creating the outbound rule as per Microsoft's instructions. Any help would be appreciated.
|
|
|
|
RE: SMTP Publishing Issue - Unable To Telnet - 13.Mar.2008 9:27:49 AM
|
|
|
sgraham978
Posts: 16
Joined: 6.Mar.2008
Status: offline
|
I've changed the emails back to the BDSL internet account and removed the outgoing smtp rule until I can get a solution or until I decide whether or not it's still worth trying to get it to work... I'll keep looking for a solution in the meantime.
|
|
|
|