Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Why no FWClient on SMTP server?
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Why no FWClient on SMTP server? - 7.Nov.2002 9:13:00 PM
|
|
|
vinnie
Posts: 5
Joined: 7.Nov.2002
From: Netherlands
Status: offline
|
Hi,
In various posts I have read that you should *not* use the firewall client on smtp servers, but instead use securenat.
Can someone please explain to me why?
My config:
* w2k DC server, internal DNS
* w2k DC server, exchange 2k, internal dns
* w2k ISA server, 128k ISDN dialup
Note: when I use my ISP's DNS server in the forwarders list of my internal dns, I get errors that the forwarder is not a recursive dns.
To sent mail I configured a smarthost in exch2000
|
|
|
|
RE: Why no FWClient on SMTP server? - 8.Nov.2002 2:28:00 AM
|
|
|
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
|
Hi Vinnie,
Why do you want to install the Firewall client on the mail server?
Thanks!
Tom
|
|
|
|
|
RE: Why no FWClient on SMTP server? - 9.Nov.2002 2:28:00 PM
|
|
|
vinnie
Posts: 5
Joined: 7.Nov.2002
From: Netherlands
Status: offline
|
Uh well... Thats kind of reversing my question ;-)
I don't know why. Normally I use the fwc only for auth issues, but since the mail server has a static IP its not an issue, so I could use securenat as well.
But I would still like to know what is wrong by using it on a smtp server
|
|
|
|
|
RE: Why no FWClient on SMTP server? - 9.Nov.2002 3:51:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Vinnie,
in general you don't install the Firewall client on a server because to use server and web publishing rules, the published server should be configured as SecureNAT client, not a Firewall client.
HTH,
Stefaan
|
|
|
|
|
RE: Why no FWClient on SMTP server? - 9.Nov.2002 10:00:00 PM
|
|
|
Arpophyllum
Posts: 22
Joined: 9.Nov.2002
From: Bellevue, WA
Status: offline
|
I found this article on Technet:
Technet article.
Look at the second issue listed on the page.
Generally, I think the problem is that the Exchange server (if it has the firewall client installed) doesn't respond the way a published server should. The server publishing rules therefore aren't applied when the internal server replies to external requests and they end up getting dropped by ISA.
As an example, think of what happens when an external SMTP server tries to connect to your internal exchange server to deliver a message. On the incoming side, ISA uses the publishing rule, and establishes a session. When the Exchange server responds, the request gets intercepted by the firewall client and is directed to ISA as if it was a normal client. When that happens, the response by Exchange doesn't match up to the internal request from the external server, and ISA drops your internal server's request.
Now, I've not seen anything that explicitly states this, so if anyone has any better info, I'd be interested in it, too.
|
|
|
|
RE: Why no FWClient on SMTP server? - 10.Nov.2002 3:20:00 AM
|
|
|
Arpophyllum
Posts: 22
Joined: 9.Nov.2002
From: Bellevue, WA
Status: offline
|
Stefaan,
I totally see what you're saying. You clarified the mechanism for me! The general process is what I thought it was, I just didn't know what the firewall client did differently than SNAT.
Thanks,
Michael
|
|
|
|
RE: Why no FWClient on SMTP server? - 13.Nov.2002 8:45:00 PM
|
|
|
vinnie
Posts: 5
Joined: 7.Nov.2002
From: Netherlands
Status: offline
|
also thanx to you spouselee. Now it's clear to me why I shouldnt use the firewall client.
Altough the FWClient did work, I disabled it and cofigured the ISA server address as the gateway on my exchange server.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
![[Smile]](/image/smiles/smile.gif)
