• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Why no FWClient on SMTP server?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Why no FWClient on SMTP server? Page: [1]
Login
Message << Older Topic   Newer Topic >>
Why no FWClient on SMTP server? - 7.Nov.2002 9:13:00 PM   
vinnie

 

Posts: 5
Joined: 7.Nov.2002
From: Netherlands
Status: offline 		Hi,

In various posts I have read that you should *not* use the firewall client on smtp servers, but instead use securenat.

Can someone please explain to me why?

My config:
* w2k DC server, internal DNS
* w2k DC server, exchange 2k, internal dns
* w2k ISA server, 128k ISDN dialup

Note: when I use my ISP's DNS server in the forwarders list of my internal dns, I get errors that the forwarder is not a recursive dns.
To sent mail I configured a smarthost in exch2000
Post #: 1
RE: Why no FWClient on SMTP server? - 8.Nov.2002 2:28:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Vinnie,

Why do you want to install the Firewall client on the mail server?

Thanks!
Tom

(in reply to vinnie)
Post #: 2
RE: Why no FWClient on SMTP server? - 9.Nov.2002 2:28:00 PM   
vinnie

 

Posts: 5
Joined: 7.Nov.2002
From: Netherlands
Status: offline 		Uh well... Thats kind of reversing my question ;-)

I don't know why. Normally I use the fwc only for auth issues, but since the mail server has a static IP its not an issue, so I could use securenat as well.

But I would still like to know what is wrong by using it on a smtp server

(in reply to vinnie)
Post #: 3
RE: Why no FWClient on SMTP server? - 9.Nov.2002 3:51:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Vinnie,

in general you don't install the Firewall client on a server because to use server and web publishing rules, the published server should be configured as SecureNAT client, not a Firewall client.

HTH,
Stefaan

(in reply to vinnie)
Post #: 4
RE: Why no FWClient on SMTP server? - 9.Nov.2002 10:00:00 PM   
Arpophyllum

 

Posts: 22
Joined: 9.Nov.2002
From: Bellevue, WA
Status: offline 		I found this article on Technet:
Technet article.

Look at the second issue listed on the page.

Generally, I think the problem is that the Exchange server (if it has the firewall client installed) doesn't respond the way a published server should. The server publishing rules therefore aren't applied when the internal server replies to external requests and they end up getting dropped by ISA.

As an example, think of what happens when an external SMTP server tries to connect to your internal exchange server to deliver a message. On the incoming side, ISA uses the publishing rule, and establishes a session. When the Exchange server responds, the request gets intercepted by the firewall client and is directed to ISA as if it was a normal client. When that happens, the response by Exchange doesn't match up to the internal request from the external server, and ISA drops your internal server's request.

Now, I've not seen anything that explicitly states this, so if anyone has any better info, I'd be interested in it, too.

(in reply to vinnie)
Post #: 5
RE: Why no FWClient on SMTP server? - 9.Nov.2002 11:32:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hey guys,

check out the simular topic http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=006517

HTH,
Stefaan

(in reply to vinnie)
Post #: 6
RE: Why no FWClient on SMTP server? - 10.Nov.2002 3:20:00 AM   
Arpophyllum

 

Posts: 22
Joined: 9.Nov.2002
From: Bellevue, WA
Status: offline 		Stefaan,

I totally see what you're saying. You clarified the mechanism for me! The general process is what I thought it was, I just didn't know what the firewall client did differently than SNAT.

Thanks,
Michael

(in reply to vinnie)
Post #: 7
RE: Why no FWClient on SMTP server? - 10.Nov.2002 11:18:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Michael,

glad I could help and thanks for the follow up! [Smile]

Stefaan

(in reply to vinnie)
Post #: 8
RE: Why no FWClient on SMTP server? - 13.Nov.2002 8:45:00 PM   
vinnie

 

Posts: 5
Joined: 7.Nov.2002
From: Netherlands
Status: offline 		also thanx to you spouselee. Now it's clear to me why I shouldnt use the firewall client.

Altough the FWClient did work, I disabled it and cofigured the ISA server address as the gateway on my exchange server.

(in reply to vinnie)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> Why no FWClient on SMTP server? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts