SMTP publishing from DMZ
SMTP publishing from DMZ - 3.Mar.2004 10:29:00 AM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
I have the following config.
Internal Exchange 2003 set with an SMTP connector to forward to a smart host in the DMZ. ISA 2004 beta with a DMZ using the private address range 192.168.7.0, internal using 192.168.1.0 and external public IP addresses. In the DMZ I have an SMTP gateway machine (mailsweeper) which does filtering etc. and then passes mail to the SMTP connector on Exchange. I have this setup working with Firewall-1, but on ISA 2004 I can only get the mail to come in from externally to mailsweeper in the DMZ but not DMZ/Exchange. Any ideas? I have Perimeter to DMZ set to route and used the SMTP publishing options in ISA 2004b.
RE: SMTP publishing from DMZ - 3.Mar.2004 2:33:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
What is the route relationship between the DMZ and the Internal network? Did you create an AR to the Exchange Server on the Internal network, or did you publish the SMTP server using the DMZ interface as the listener?
This config works great in ISA 2004 too.
Thanks! Tom
RE: SMTP publishing from DMZ - 5.Mar.2004 1:16:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Hi Tom
I tried both NAT and routing to the internal network but with no success. Am giving it another try today so will see how I get on.
Al
RE: SMTP publishing from DMZ - 5.Mar.2004 4:52:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
OK, here goes with my latest attempt, and sorry for the length of this one.
Some background first. At the moment I have a Firewall-1 setup with a mail gateway product called mailsweeper in the DMZ. The Firewall-1 setup has a number of valid external IP addresses and one of those is assigned in our ISP's DNS records for mail. The DMZ is on a private IP network 192.168.3.0 and the internal network is 192.168.1.0. Internally I have Exchange 2003 with the SMTP connector forwarding to a smart host with the IP address of the mailsweeper server.
To make this all work on Firewall-1 I have 4 rules set up. The first two allow SMTP from the mailsweeper server to the Exchange server and vice versa. The other two allow all networks except internal to and from the mailsweeper server for SMTP traffic. Traffic uses NAT from the DMZ to the internet and routes from DMZ to LAN.
This all works fine and has done for a while.
I am trying to set up something similar with ISA 2004 beta so I can get rid of the Firewall-1, and as it works quite differently I am not sure how to do this. I have tried various combinations but all I can get working is the traffic coming from the internet to go to the mailsweeper server; nothing else seems to happen.
I had our external DNS provider add an MX record for the IP on the new firewall with a lower priority (it is on a separate ISP and has different IP addresses). I then set up a new DMZ on the new firewall, 192.168.6.0. To move things over I changed the IP address and DG for the mailsweeper server to the appropriate values for that DMZ, as well as the smart host IP address setting in Exchange, and moved it over to the new DMZ.
I then used the SMTP publishing rule to allow what I thought was all appropriate traffic, but the only one that seems to work is to allow external to the mailsweeper server. The rule it creates is allow SMTP from external to 192.168.6.X (IP of mailsweeper) and listen on the external IP address I had added to the external DNS records (which is assigned to the ISP-facing NIC on the ISA server). I have tried creating a myriad of rules similar to my existing setup to get the rest of the traffic flowing but still no luck whatsoever.
My network config currently (although I have tried a few combinations) is: Perimeter configuration is Internal to Perimeter = Route. Perimeter access Perimeter to External = NAT.
Getting pretty frustrated at this so any help would be most appreciated.
PS I do also have a web server in the DMZ publishing successfully, as well as publishing OWA working fine.
RE: SMTP publishing from DMZ - 8.Mar.2004 12:00:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Hi Tom
The communication seems to work from external to the DMZ but not the other direction, i.e. I get mail coming into the DMZ but none leaves.
As far as LAN to DMZ or DMZ to LAN goes, nothing seems to happen either way.
RE: SMTP publishing from DMZ - 8.Mar.2004 12:06:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
From what I've seen so far, there are two areas where the problem is most likely to lie:
1. The Access Rules are misconfigured
2. The route relationship is misconfigured
Also, in this specific config, I'd also look at how SMTP traffic is being routed inbound and outbound. Check the smart host configs on all the machines involved in the path.
HTH, Tom
RE: SMTP publishing from DMZ - 8.Mar.2004 12:30:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Hi Tom
Quick question on how this should be done. Would publishing the SMTP server in the DMZ with external listener as well as publishing the internal exchange SMTP connector with a listener in the DMZ be the general way to go about this?
RE: SMTP publishing from DMZ - 9.Mar.2004 12:08:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
1. For the SMTP server on the DMZ, I would publish it with the listener on the external interface of the ISA firewall, then forward the connection to the DMZ SMTP server. Network relationship between External to DMZ = NAT.
2. For the SMTP service on the Internal network, I would publish the server using the DMZ interface and forward the connection to the SMTP service on the Internal network. Network Relationship between DMZ to Internal=Route.
These publishing rules address the inbound path. Are you having problems with the outbound path as well?
Thanks! Tom
RE: SMTP publishing from DMZ - 9.Mar.2004 1:34:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Unfortunately I also have problems outbound, so any pointers there appreciated. I will hopefully get another chance to try this out this afternoon, but as testing delays mail while I test, I can only try every so often and for so long, then I have to put it back as before to let the mail sort itself out.
RE: SMTP publishing from DMZ - 9.Mar.2004 11:58:00 PM
ljp1967
Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
Hi Tom,
Could this be a DNS query issue in regards to the external SMTP servers doing a lookup of the MX record to determine if it is valid...?
Do they need packet filters for this traffic into the DMZ on the ISA box..?
ljp [ March 10, 2004, 12:03 AM: Message edited by: ljp1967 ]
RE: SMTP publishing from DMZ - 10.Mar.2004 11:53:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ljp,
Reverse DNS queries by providers like AOL create a lot of problems, and it is possible. There should be a reverse lookup record for the published SMTP servers, so if it's missing, some providers might reject the messages (I never use reverse lookups; it wastes processing and network resources and provides almost no antispam protection).
Not sure what the problem is right now; I'm still thinking it's a subtle Access Rule config or network config issue.
Thanks! Tom
RE: SMTP publishing from DMZ - 10.Mar.2004 11:54:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by AWJ:
Unfortunately I also have problems outbound, so any pointers there appreciated. I will hopefully get another chance to try this out this afternoon, but as testing delays mail while I test, I can only try every so often and for so long, then I have to put it back as before to let the mail sort itself out.
Hi Al,
In the case of outbound rules, you're looking at issues with Access Rules and smart host configs.
Let us know how things are turning out for you!
Thanks! Tom
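To illustrate Tom's point from his two replies above (the two publishing rules cover only the inbound path; the outbound path needs Access Rules and correct smart host settings), here is a small Python model of SMTP reachability hop by hop under the network relationships he recommends. It is an added example constructed for this thread, not ISA Server code; the host addresses, rule names and the simplified "one matching rule per hop" semantics are assumptions.

```python
"""Constructed model of SMTP reachability through an ISA-style DMZ (not ISA code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing mirrors the thread: DMZ 192.168.6.0/24, Internal 192.168.1.0/24; anything else is External.
NETWORKS = {"DMZ": ip_network("192.168.6.0/24"), "Internal": ip_network("192.168.1.0/24")}
# Network relationships as Tom recommends: External<->DMZ = NAT, DMZ<->Internal = Route.
# A pair of networks with no relationship is unreachable whatever the rules say.
RELATIONSHIPS = {frozenset({"External", "DMZ"}): "NAT", frozenset({"DMZ", "Internal"}): "Route"}


@dataclass(frozen=True)
class Rule:
    kind: str  # "publish" (inbound, listener on the src network) or "access" (outbound src -> dst)
    src: str
    dst: str
    port: int = 25


def network_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), "External")


def evaluate(rules, src_ip, dst_ip, port=25):
    """One hop: returns (allowed, relationship) for a connection src_ip -> dst_ip:port."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    rel = RELATIONSHIPS.get(frozenset({src, dst}), "None")
    matched = any(r.src == src and r.dst == dst and r.port == port for r in rules)
    return matched and rel != "None", rel


def trace(rules, hops):
    """Walk the hops in order and stop at the first one the policy blocks."""
    out = []
    for src_ip, dst_ip in hops:
        ok, rel = evaluate(rules, src_ip, dst_ip)
        out.append((f"{network_of(src_ip)}->{network_of(dst_ip)}", ok, rel))
        if not ok:
            break
    return out


# Constructed hosts: an external MTA, the mailsweeper gateway in the DMZ, Exchange on the LAN.
EXTERNAL_MTA, GATEWAY, EXCHANGE = "203.0.113.10", "192.168.6.10", "192.168.1.20"
INBOUND = [(EXTERNAL_MTA, GATEWAY), (GATEWAY, EXCHANGE)]   # MX -> gateway -> SMTP connector
OUTBOUND = [(EXCHANGE, GATEWAY), (GATEWAY, EXTERNAL_MTA)]  # smart host -> gateway -> Internet

PUBLISHING_ONLY = [Rule("publish", "External", "DMZ"), Rule("publish", "DMZ", "Internal")]
FULL_POLICY = PUBLISHING_ONLY + [Rule("access", "Internal", "DMZ"), Rule("access", "DMZ", "External")]
```

With PUBLISHING_ONLY the inbound trace passes both hops while the outbound trace stops at Internal->DMZ, which is the "mail comes in but none leaves" symptom in the thread; FULL_POLICY clears both directions.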
RE: SMTP publishing from DMZ - 10.Mar.2004 4:11:00 PM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Events overtook me on this one as my old Firewall died yesterday.
Anyway, after a bit more trying (and failing) I decided to move the SMTP gateway server out of the DMZ and into the LAN. Set up rules to allow SMTP in and out, reconfigured settings on the gateway and Exchange to point them to each other again, and hey presto, it works fine. Will have another try at moving to the DMZ, but in the meantime hopefully allowing SMTP traffic into my LAN to a dedicated SMTP gateway is not too much of a risk.
RE: SMTP publishing from DMZ - 11.Mar.2004 1:29:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
It's an acceptable risk. I'll work out the details of this scenario and publish them on this site next week. Shouldn't take me too long to complete.
Thanks! Tom
RE: SMTP publishing from DMZ - 11.Mar.2004 10:41:00 AM
awj
Posts: 104
Joined: 26.Feb.2004
From: UK
Status: offline
Look forward to it; then I will have another try. Once I know I am using the correct method it will be much easier to troubleshoot. The problem was that I was unsure if I just had a mistake in the config somewhere, was trying to set it up wrongly, or both. Each time I tried, it was delaying mail: as I had a combination of 2 MX records which needed to fail over, then the internal SMTP communications between 2 servers with timeouts and retry times, it was hard to know if any changes had the desired effect as they might not show up for 15-20 minutes. In this scenario, when email is not flowing you can't test too many things out, as it takes up to 20 minutes to try each one, and with the number of permutations it would have taken weeks, and by then my users would have lynched me!
RE: SMTP publishing from DMZ - 11.Mar.2004 11:21:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Al,
LOL! You bet. That's why I always test my ISA firewall configs in VMware first. You can easily simulate that setup on a VMware network, using a single host computer running VMware and creating four virtual machines on the network. Works just like a physical lab at a fraction of the price!
HTH, Tom