SNAT and Exchange
SNAT and Exchange - 29.Nov.2007 4:19:56 PM
apolloth
Posts: 14
Joined: 31.Aug.2004
Status: offline
OK, I've been pulling my hair out for about a week now and I seem to have a couple of issues. We are using ISA 2004 primarily, but have a couple of remnants on an ISA 2000 box, one of which is our older Exchange server, which also publishes our soon-to-be-turned-off old OWA solution. We are moving to a new Exchange server with a front end box for webmail. I have already published OWA from the FE complete with SSL and it's working fine. I am not the Exchange admin, but we seem to have a couple of issues and we don't know what's causing what. Deep breath....

To get our two Exchange boxes to work, we are attempting to configure the connector on the new Exchange server. When we do, SMTP fails to send out with a "destination didn't respond" error. The new Exchange server is a SNAT client of ISA 2004. Several of our other published servers are published as non-SNAT clients and, aside from seeing the ISA's IP as the originating IP, they work fine. When we try to do that with our Exchange box, SMTP fails. OK, so I understand that we need it to be a SNAT client. I'm not sure why it won't publish the other way, but I can live with it.

The next problem is that when we make it a SNAT client, internal mail clients on any subnet except the logical subnet Exchange and ISA are on cannot talk to the server. RDP also fails from any subnet not in the same logical segment as ISA. I have to assume that packets are going to ISA and then they are not routed back to servers inside. But why, if they are listed as internal machines, are they not routing? Rules don't seem to help, because it's a SNAT client I suspect. After reading Jim Harrison's article on setting up ISA in a complex network, it seems that by making ISA the default gateway, it is publishable, but routing is somehow not functioning. Why can't it communicate with any other internal subnet? To remote the server I am forced to remote a server on its subnet and then hop over to it with another RDP session.

This I believe is at the root of our issues. It has come up before but was never truly solved. I don't know if a "classless" setup will work for our ISA deployment. We are under the gun to get the new Exchange box up. We need the two to talk to each other, mail to route to the proper host and publishing to work. Not much to ask, eh? I realize this is a lot of problems and not much info, but I can provide more info as needed. I've read over about every article I can find, but it's just not coming together. Thanks in advance to anyone that can straighten this mess out.

Apolloth
RE: SNAT and Exchange - 29.Nov.2007 6:25:06 PM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
ISA relies on the operating system to do the routing. Hence you will need to add static routes within Windows to solve your problem. Essentially this means entering "route add -p x.y.z.x mask x.y.z.x a.b.c.d" commands to define all of your networks that ISA needs to route to. Once this is done, make sure that all of these internal networks are covered by the definition of the internal network object in ISA. Good luck! JJ
_____________________________
Jason Jones (MVP)
Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/
Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: SNAT and Exchange - 29.Nov.2007 8:34:43 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: online
Hi, basic principles of network routing and a simple answer to your problem! You need to create static persistent routes on the ISA server for every subnet reachable from the internal network NIC, and on the SMTP server as well. HTH RB
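The two replies above (Jason Jones's and Rotorblade's) name the same two things to verify on the ISA box: a persistent static route for every internal subnet, and an ISA Internal network object that covers all of them. The following check is an added example written for this thread, not code from either poster; every address, the route table dump and the Internal range are constructed sample data, and it parses the plain-text "Persistent Routes" section that Windows `route print` emits.

```python
# Added check (constructed data, not from the thread): does every internal subnet
# have a persistent static route on the ISA box, and does it lie inside the ISA
# "Internal" network object? Both conditions are the ones named in the replies.
import ipaddress
import re

# Constructed: the "Persistent Routes" section of `route print` on the ISA server.
ROUTE_PRINT = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.20.0.0      255.255.0.0       10.10.0.254       1
       10.30.0.0    255.255.255.0       10.10.0.254       1
"""
# Constructed: subnets the internal mail clients and RDP admins live on.
INTERNAL_SUBNETS = ["10.10.0.0/24", "10.20.0.0/16", "10.30.0.0/24", "10.40.0.0/24"]
# Constructed: subnet directly attached to ISA's internal NIC (needs no route).
ISA_INTERNAL_NIC = "10.10.0.0/24"
# Constructed: address ranges configured in the ISA "Internal" network object.
ISA_INTERNAL_RANGES = [("10.10.0.0", "10.20.255.255")]

def parse_persistent_routes(text):
    # Return the destination networks listed under "Persistent Routes".
    nets, in_section = [], False
    row = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\S+")
    for line in text.splitlines():
        if line.startswith("Persistent Routes"):
            in_section = True
            continue
        m = row.match(line)
        if in_section and m:  # header rows hold no dotted quads, so they are skipped
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return nets

def inside_ranges(net, ranges):
    # True only if the whole subnet lies within one of the ISA Internal ranges.
    lo, hi = net[0], net[-1]
    return any(ipaddress.ip_address(a) <= lo and hi <= ipaddress.ip_address(b)
               for a, b in ranges)

def audit(route_text, subnets, nic_subnet, ranges):
    # Return (subnets with no route on ISA, subnets outside the Internal object).
    routes = parse_persistent_routes(route_text)
    nic = ipaddress.ip_network(nic_subnet)
    no_route, outside = [], []
    for s in subnets:
        net = ipaddress.ip_network(s)
        if not net.subnet_of(nic) and not any(net.subnet_of(r) for r in routes):
            no_route.append(s)
        if not inside_ranges(net, ranges):
            outside.append(s)
    return no_route, outside
```

A subnet in the first list is the "packets reach ISA but never get routed back" case from the original post; one in the second list is treated by ISA as External even when Windows can route to it.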
RE: SNAT and Exchange - 6.Dec.2007 4:29:20 PM
apolloth
Posts: 14
Joined: 31.Aug.2004
Status: offline
AAAHHHHH YES! DUH! When you're knee deep in this stuff you forget the little things. I run a gateway.bat file with a long list of static routes on some of my other servers. In the past it was mostly used for dual-homed boxes. Same issue. After writing my initial post I got mail working via the old server...that uses a list of static routes....! I haven't tried it but I will. I have confidence that this is the issue. Thanks for the knuckle-head reminder. Apolloth