Welcome to ISAserver.org
SMTP Server Publishing Rule
SMTP Server Publishing Rule - 24.Mar.2005 9:55:00 PM   
BMurnock
Posts: 5
Joined: 24.Mar.2005
I have configured an SMTP server publishing rule using the "Publish a Mail Server" wizard on an ISA Server 2004 SP1. I have followed the steps described in the ISA Server 2004 book and examples from this site. Even though the SMTP Server rule is configured correctly and enabled, inbound SMTP traffic is denied. When I port scan, it shows that port 25 is filtered. When I use netstat, it doesn't show that the server is even listening on TCP 25. When I view the ISA server logs after trying to telnet to TCP 25, it shows that SMTP is denied by the "Last Default Rule" (yes, the SMTP Server rule is placed before the "Last Default Rule").

Here is my configuration for the SMTP Server rule after running the "Publish a Mail Server" wizard:
General Tab - enabled
Action Tab - allow; log requests matching this rule
Traffic Tab - SMTP Server (allowing inbound TCP 25 with SMTP filter selected)
From Tab - Anywhere
To Tab - IP address of internal Exchange 2003 SP1 server; requests appear to come from the original client
Networks Tab - External network with single external IP address configured
Schedule - Always

Additional configuration info:
This is in a test environment. ISA Server is configured with the "Back Firewall" template. The relationship between the internal and external networks is ROUTE, not NAT. I am using a split DNS environment. The only other access rules are Outbound SMTP and Outbound DNS. The only other publishing rule is for OWA, which is working correctly.

For some reason, it will not open up TCP 25 on the external interface of the ISA server. What am I missing? Please help!
Post #: 1
RE: SMTP Server Publishing Rule - 24.Mar.2005 9:59:00 PM   
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
First of all, netstat cannot be used to reliably view ISA holes - there is an MS Knowledge Base article on this.

Why are you using route rather than NAT? Is this server's external NIC on the internet?

What does your LAT look like?

(in reply to BMurnock)
Post #: 2
RE: SMTP Server Publishing Rule - 24.Mar.2005 10:13:00 PM   
BMurnock
Posts: 5
Joined: 24.Mar.2005
A front-end firewall will have the public IP address (and connection to the Internet) and will be responsible for NAT. I didn't think it necessary to have NAT on both the front-end and back-end firewall. Ultimately, the LAN and DMZ (separated by the ISA Server 2004) segments will have different private IP subnets. My ISA Server is currently in a test environment and not directly accessible to the front-end firewall. Right now I have a 10.10.100.x/24 subnet on the internal interface and a 10.20.200.x/24 subnet on the external interface with the ROUTE relationship. The external interface is configured with 10.20.200.2/24, 10.20.200.3/24 (listening on TCP 443 for OWA) and 10.20.200.4/24 (should be listening on TCP 25 for the SMTP Server rule). I can successfully access OWA from the external interface with the help of a modified HOSTS file.

[ March 24, 2005, 10:16 PM: Message edited by: BMurnock ]

(in reply to BMurnock)
Post #: 3
RE: SMTP Server Publishing Rule - 24.Mar.2005 10:16:00 PM   
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
What segment does the Exchange server reside on?

(in reply to BMurnock)
Post #: 4
RE: SMTP Server Publishing Rule - 24.Mar.2005 10:19:00 PM   
BMurnock
Posts: 5
Joined: 24.Mar.2005
Exchange is at 10.10.100.3/24, and I am trying to publish the SMTP Server to 10.20.200.4/24.

(in reply to BMurnock)
Post #: 5
RE: SMTP Server Publishing Rule - 24.Mar.2005 10:22:00 PM   
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
The reason I ask is that it's possible you have a routing issue and are only getting successful tests because your DNS cache was not flushed, hence the HOSTS entry will not be read. You're obviously testing from the outside; have you opened ping/tracert temporarily to verify that end-to-end routing is correctly configured?

(in reply to BMurnock)
Post #: 6
RE: SMTP Server Publishing Rule - 24.Mar.2005 10:48:00 PM   
BMurnock
Posts: 5
Joined: 24.Mar.2005
I created an access rule that allowed PING from anywhere to anywhere. Since my external computer is in a simulated DMZ, I had to create a static route on my external computer pointing 10.10.100.x/24 to the interface of the ISA Server at 10.20.200.2. I was able to successfully PING up to and through the ISA Server to the internal hosts.

I'm publishing the SMTP rule to the external interface of the ISA Server at 10.20.200.4/24. My external computer is at 10.20.200.10/24. I can't think of a reason why it would not be able to communicate on the same subnet.

Heck, let me turn NAT back on. Ok, so that worked. But I don't understand why! Why can't you use the SMTP Server publishing rule with ROUTE instead of NAT? I'm trying only to get from one computer to another on the same subnet... if ISA would just publish the server. I'm confused!

This requires me to run back-to-back NAT, which seems like a waste of computing resources. Hopefully someone can explain why I must use NAT instead of ROUTE for this scenario.

(in reply to BMurnock)
Post #: 7
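The tests in the posts above (a port scan reporting 25 as "filtered", a telnet to TCP 25, and ping only working once a static route to 10.10.100.x existed) each answer a different question, and it helps to run them from the outside as one script rather than reading netstat on the ISA box, which, as noted earlier in the thread, does not show ISA's own listeners. The following is an added example, not code from this thread or from ISA Server: a small Python probe that connects to a published SMTP address, reads the 220 greeting, sends EHLO and QUIT, and classifies the outcome. "filtered" means the SYN was silently dropped (a deny rule such as the Last Default Rule), "closed" means the host answered with a reset (reachable, but nothing listening on that address/port), "unreachable" means the client has no route (the missing static route in the post above), and "published" means the listener answered as an SMTP server. The loopback fake server, its hostname `mail.test.local` and the `probe.example` EHLO name are constructed for the demonstration; the IP addresses from the thread are only mentioned in the usage comments.

```python
import socket
import threading
from typing import Dict, Optional


def _read_reply(sock: socket.socket) -> Optional[str]:
    """Read one SMTP reply; the final line of a multi-line reply has a space after the code."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            return buf.decode(errors="replace") or None
        buf += chunk
        for line in buf.split(b"\r\n")[:-1]:
            if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
                return buf.decode(errors="replace")


def smtp_probe(host: str, port: int = 25, timeout: float = 3.0) -> Dict[str, Optional[str]]:
    """Probe host:port from the outside and classify the result.

    state: 'filtered' (SYN dropped, e.g. by a firewall deny rule), 'closed' (RST: nothing
    listening), 'unreachable' (no route to the network), 'no-banner' (TCP open but not
    behaving like an SMTP server) or 'published' (220 greeting received, EHLO answered).
    Usage from the thread's external host: smtp_probe("10.20.200.4", 25)
    """
    result: Dict[str, Optional[str]] = {"state": None, "banner": None, "ehlo": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result["state"] = "filtered"
        return result
    except ConnectionRefusedError:
        result["state"] = "closed"
        return result
    except OSError:  # EHOSTUNREACH / ENETUNREACH: add a static route, as in the post above
        result["state"] = "unreachable"
        return result
    with sock:
        sock.settimeout(timeout)
        try:
            banner = _read_reply(sock)
            if not banner or not banner.startswith("220"):
                result["state"] = "no-banner"
                result["banner"] = banner
                return result
            result["banner"] = banner.strip()
            sock.sendall(b"EHLO probe.example\r\n")   # constructed client name
            result["ehlo"] = (_read_reply(sock) or "").strip()
            sock.sendall(b"QUIT\r\n")
            result["state"] = "published"
        except socket.timeout:
            result["state"] = "no-banner"
    return result


def start_fake_smtp_server() -> int:
    """Constructed stand-in for the published Exchange server, listening on loopback.

    Returns the port it was bound to. Answers 220 / 250 / 221 to the probe's exchange.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"220 mail.test.local ESMTP (constructed)\r\n")
                data = b""
                while True:
                    chunk = conn.recv(1024)
                    if not chunk:
                        return
                    data += chunk
                    while b"\r\n" in data:
                        line, data = data.split(b"\r\n", 1)
                        cmd = line.upper()
                        if cmd.startswith(b"EHLO"):
                            conn.sendall(b"250-mail.test.local\r\n250 SIZE 10485760\r\n")
                        elif cmd.startswith(b"QUIT"):
                            conn.sendall(b"221 bye\r\n")
                            return
                        else:
                            conn.sendall(b"500 unrecognised\r\n")
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_loopback_port() -> int:
    """Bind and release an ephemeral port so a probe of it sees a reset, i.e. 'closed'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print(smtp_probe("127.0.0.1", start_fake_smtp_server()))     # published
    print(smtp_probe("127.0.0.1", find_closed_loopback_port()))  # closed
```

Against a real deployment the distinction between "filtered" and "closed" is the useful one: a filtered result with the rule in place points at the rule not being applied to that traffic (as happened here with the ROUTE relationship), whereas "closed" means the packet reached a host that simply had no listener.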
RE: SMTP Server Publishing Rule - 25.Mar.2005 1:18:00 AM   
gazc
Posts: 71
Joined: 31.Jan.2005
From: UK
I had the exact same problem with my DNS and mail server. I also am NATting at the edge router and the ISA box; no one replied to my queries.....

I thought it was logical to turn off NAT because the edge device took care of it.

WyldWolf :D come on mate, you're an ISA sharpshooter.... any ideas?

(in reply to BMurnock)
Post #: 8
RE: SMTP Server Publishing Rule - 30.Mar.2005 12:09:00 AM   
BMurnock
Posts: 5
Joined: 24.Mar.2005
Straight from Dr. Shinder's ISA Server 2004 book, page 295:

"if the source Network and the Destination Network both use Public addresses, then you can define a ROUTE relationship. If both the source and destination Network use private addresses, then you can use a ROUTE relationship"

So the question still stands... Why can't you use a ROUTE relationship when publishing an SMTP server when both the source network and destination network use a private address?

(in reply to BMurnock)
Post #: 9
RE: SMTP Server Publishing Rule - 30.Mar.2005 12:45:00 AM   
Anders
Posts: 19
Joined: 11.Apr.2002
From: Denmark
Publishing rules by their nature demand NAT (publishing uses the ISA Server as a proxy, and even though the ISA Server can show the originating IP address when it delivers the packets to the published server, this is not done by routing the address but by encapsulating it into the packet). When the ISA Server is in reality routing the packet, this is not an option. This is also why only stateful inspection is applied in this scenario - you can deploy the message screener anyhow, though.

Hence when NAT is not applied publishing rules will not function - but I guess you have learned this through hard empirical research by now (admittedly the same way it came to my attention sometime ago).

When routing you are required to use Access rules.

Cheers,
Anders

(in reply to BMurnock)
Post #: 10