
SMTP Server publishing does not work

SMTP Server publishing does not work - 23.May2007 7:45:14 PM   
gburch

 

I have ISA Server installed, and have verified network connectivity on the correct interfaces, and that routing info is correct.

I have removed all Firewall Policies I can from the ISA server, to begin with a clean slate.

I have then set up an array access rule to allow SMTP and SMTP SERVER protocols from 'anywhere' to the mail server in my DMZ.  This rule applies to all users, at all times for all content types.

Next, I have used the 'Publish a mail server' wizard to create a publishing rule from 'anywhere' to the address of the mail server, and have selected all networks as listeners.

I have the WAN interface of the ISA box connected to an ADSL router, and DMZ/LAN interfaces connected to the respective networks.

When I send SMTP traffic to the network's public IP Address, the connection is denied by the Enterprise Default Rule, with a result code of 0xC004000D (FWX_E_POLICY_RULES_DENIED).  The Client IP is an external address, and the Destination IP is the address of the WAN Interface of the ISA box.

Is there something else I need to set up to allow incoming connections?

When I modify the array access rule to allow smtp traffic with a destination of both the mail server and 'Local Host', then I see SMTP connections being initiated and closed a few seconds later, but still with the same destination IP.  This suggests to me that the ISA box is attempting to deal with incoming connections itself instead of forwarding them to the address specified by the publishing rule.

What do I need to do to correct this?
Post #: 1
RE: SMTP Server publishing does not work - 24.May2007 10:53:21 AM   
Rotorblade

 

quote:

When I send SMTP traffic to the network's public IP Address, the connection is denied by the Enterprise Default Rule, with a result code of 0xC004000D (FWX_E_POLICY_RULES_DENIED).  The Client IP is an external address, and the Destination IP is the address of the WAN Interface of the ISA box.


The error would indicate that you have issues and misconfigurations with your network interfaces. (Internal/External)
 
Looks like you have created two rules for the same purpose and you should not use “all networks” for the listeners, only the external network!
 
Other issues could be internal routing but you need to fix the publishing rule and network interface issues first.
 
 
RB
HTH

(in reply to gburch)
Post #: 2
RE: SMTP Server publishing does not work - 24.May2007 11:12:37 AM   
gburch

 

quote:

ORIGINAL: Rotorblade

The error would indicate that you have issues and misconfigurations with your network interfaces. (Internal/External)

 
Can you be a little more specific?  As far as I can tell, all the interfaces are correctly configured.  There are 3 interfaces, one for the LAN, one for the DMZ and one for the WAN, which connects directly to the ADSL Router.  I have assigned the interfaces to the appropriate networks.
 
Could this be a NAT issue?  The ADSL router has NAT enabled for connections coming from the Internet, could they be conflicting?

quote:

 

Looks like you have created two rules for the same purpose and you should not use “all networks” for the listeners, only the external network!


Is the array access rule redundant if a web publishing rule has been set up then?

The reason I have 'all networks' enabled for listeners at this stage is so that I know I'm not blocking the traffic.  Once I have it working, I can remove the listeners on the interfaces that I don't need.

quote:


Other issues could be internal routing but you need to fix the publishing rule and network interface issues first.

 
I have checked the routing table on the box, which all seems to be correct.  Is there anywhere else within ISA that routing needs to be configured?


Thanks for your help

(in reply to Rotorblade)
Post #: 3
RE: SMTP Server publishing does not work - 24.May2007 6:03:53 PM   
Rotorblade

 

quote:


Can you be a little more specific?  As far as I can tell, all the interfaces are correctly configured.  There are 3 interfaces, one for the LAN, one for the DMZ and one for the WAN, which connects directly to the ADSL Router.  I have assigned the interfaces to the appropriate networks.


I could if you post your NIC configurations, but you didn’t, so the error would indicate an issue possibly with the network definitions. (Could be the redundant rules too.)

quote:


Could this be a NAT issue?  The ADSL router has NAT enabled for connections coming from the Internet, could they be conflicting?  

 
Nope, don’t think so. Does outbound access work?

quote:


Is the array access rule redundant if a web publishing rule has been set up then?

The reason I have 'all networks' enabled for listeners at this stage is so that I know I'm not blocking the traffic.  Once I have it working, I can remove the listeners on the interfaces that I don't need.


Listeners listen for traffic on the external interface. If you have “All networks” that means all networks! This is causing a conflict with your access rules. You need to create internal routing access rules for the DMZ servers and access allow rules for Internal to local host access if they do not already exist in the ISA system policy.

quote:


Is the array access rule redundant if a web-publishing rule has been set up then?  


They are, with the two rules you have defined. You’re going from “Anywhere” to the DMZ mail server and have included both the SMTP (outbound) and SMTP Server (inbound) protocols in the first rule. You then defined a server-publishing rule that basically does the same.

You should not include both protocols in the same rule. Create separate access rules for outbound that apply from the Internal or DMZ network to the external.

Order of rules is also very important. Publishing rules must and should be placed above all other rules at the top followed by Secure-NAT server related rules, explicit deny rules and then general access with the default rule last. 
quote:

 
I have checked the routing table on the box, which all seems to be correct.  Is there anywhere else within ISA that routing needs to be configured?


Possibly, the reason I mentioned possible routing issues is because you have no routing rules or access rules configured for your DMZ or internal network for anything else but publishing. There are no access rules configured for DNS, which is a must. With your scenario, routing issues are very common mistakes and publishing will fail.

Right now, I see the problem being with the two redundant rules and a possible misconfiguration with the network definitions and web listeners. The link below may help with configuration.

http://www.isaserver.org/articles/2004pubdmzservers.html

RB
HTH

(in reply to gburch)
Post #: 4
RE: SMTP Server publishing does not work - 25.May2007 4:49:52 AM   
gburch

 

I've cracked it.

It was set up to use routing rather than NAT between perimeter and external networks.

Thanks for your help

(in reply to Rotorblade)
Post #: 5
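
Added example, not part of any post in this thread and not ISA Server code: a small Python lint that applies the checks Rotorblade lists in Posts #2 and #4, and the cause gburch reports in Post #5, to a constructed rule list. The dictionary layout, rule names and network names are assumptions made for the illustration, not an ISA export format.

```python
# Added example: lint a rule list against the checks raised in this thread.
# The dict layout and all names are hypothetical, not an ISA export format.

RULES = [  # constructed sample modelling the setup described in Post #1
    {"order": 1, "kind": "access", "name": "Allow SMTP to mail server",
     "protocols": ["SMTP", "SMTP Server"], "to": ["MailServer"]},
    {"order": 2, "kind": "server_publishing", "name": "Publish mail server",
     "protocols": ["SMTP Server"], "to": ["MailServer"],
     "listeners": ["All Networks"]},
]
NETWORK_RULES = [  # constructed: the relationship reported in Post #5
    {"source": "Perimeter", "destination": "External", "relationship": "Route"},
]


def lint(rules, network_rules, published_network="Perimeter"):
    """Return (code, detail) findings for the thread's configuration checks."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["order"])
    is_pub = lambda r: r["kind"].endswith("publishing")
    seen_other = False
    for r in ordered:
        # Post #4: publishing rules belong above all other rules.
        if is_pub(r) and seen_other:
            findings.append(("ORDER", r["name"]))
        seen_other = seen_other or not is_pub(r)
        # Post #4: SMTP (outbound) and SMTP Server (inbound) in one rule.
        if {"SMTP", "SMTP Server"} <= set(r["protocols"]):
            findings.append(("MIXED_DIRECTION", r["name"]))
        # Post #2: listen on the External network only.
        if is_pub(r) and r.get("listeners") != ["External"]:
            findings.append(("LISTENER_SCOPE", r["name"]))
    # Post #4: an access rule duplicating what a publishing rule already does.
    for a in (r for r in ordered if r["kind"] == "access"):
        for p in filter(is_pub, ordered):
            if set(a["to"]) & set(p["to"]) and set(a["protocols"]) & set(p["protocols"]):
                findings.append(("REDUNDANT", f'{a["name"]} / {p["name"]}'))
    # Post #5: Route instead of NAT between the perimeter and External.
    for n in network_rules:
        pair = {n["source"], n["destination"]}
        if pair == {published_network, "External"} and n["relationship"] != "NAT":
            findings.append(("RELATIONSHIP", f'{n["source"]}->{n["destination"]}'))
    return findings


if __name__ == "__main__":
    for code, detail in lint(RULES, NETWORK_RULES):
        print(f"{code:16} {detail}")
```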
