ISA Rules With Exchange 2007 (Full Version)






aineo -> ISA Rules With Exchange 2007 (28.Apr.2008 6:35:26 AM)

G'day!  We are a bit on the bleeding edge here with Exchange 2007.  As you know, it is an all-new architecture with Edge, HUB, CAS, and MBX (Mailbox) servers.
We have got everything, but for some reason we are unable to get one of the edge servers to connect properly and run with ISA.  With MS' Best Practices Analyzer from the toolbox we get an error that says "Exchange Server: Registry cannot be accessed.  Cannot connect to the registry of server edge1.  This could be a result of a permissions problem.  Error: Security Error."
We brought the Edge out of the DMZ and it works fine, so clearly we have botched the rules on the ISA.  After a day at it, suggestions would be GREATLY appreciated.

Sincerely,
Spencer




tshinder -> RE: ISA Rules With Exchange 2007 (29.Apr.2008 6:46:35 PM)

Hi Spencer,

Good question! I've been wondering the same thing. I'm installing Windows Essential Business Server now and I'll take a look at the rule base to see if there's anything there that enables access to the Edge Server co-located on the TMG to allow these communications. Perhaps we will be able to translate this information into something we can use for off-box Edge Servers.

Tom




aineo -> RE: ISA Rules With Exchange 2007 (29.Apr.2008 8:13:14 PM)

Dear Tom,

That sounds good.  I am convinced Microsoft has the best firewall on the market.  Unfortunately, there is no expert at Microsoft Japan so we are going to have to become the experts here.

Talked to a friend last night; we're thinking that we have to redo the network adapter order, as this has to be it.  With ISA, if you don't have it exact, things don't work, I am told (i.e. internal LAN access on top).

We've got ISA in front of Edge, CAS, and eventually the MBX.  I think it is not anything to do with the rest of the network, but more just making sure we've got all the right rules on the ISA box.

Will let you know what we find out.  If you have any ideas, those are very welcome.

Sincerely,
Spencer






tshinder -> RE: ISA Rules With Exchange 2007 (30.Apr.2008 1:26:01 PM)

Hi Spencer,

  • I see a rule that allows the Edge access to the mail server using TCP 25
  • I see a rule that allows the Exchange Server to the Edge server using TCP 25
  • I see a rule that allows TCP 25 from the Edge Server to External
  • I see a rule that allows Exchange EdgeSync traffic from the Mail server to the Edge server through TCP 50636
  • I see a rule that allows Windows Communication Foundation between the Exchange Server and the Edge server on TCP port 808

HTH,
Tom
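One way to verify that the rule set listed above actually passes traffic is to probe each expected Hub/Edge TCP flow from one side. This is an added example, not code from the thread or from ISA; the Hub and Edge addresses are placeholders, and since the post only says port 808 is "between" the two servers, the probe assumes both directions for it.

```python
"""Probe the TCP flows expected between the Hub/Mailbox side and the Edge
server from the rule list above.  A successful connect means the firewall
passed the SYN and something is listening; a timeout or refusal means the
rule or the service needs attention."""
import socket

# (source side, destination side, TCP port) for every flow in the rule list.
# Port 808 is listed in both directions because the post says "between"
# the Exchange Server and the Edge server (assumption).
EXPECTED_FLOWS = [
    ("hub", "edge", 25),      # SMTP, Hub -> Edge
    ("hub", "edge", 50636),   # EdgeSync (secure LDAP), Hub -> Edge
    ("hub", "edge", 808),     # WCF, Hub -> Edge
    ("edge", "hub", 25),      # SMTP, Edge -> Hub
    ("edge", "hub", 808),     # WCF, Edge -> Hub
]


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(this_side, hosts, flows=EXPECTED_FLOWS, probe=tcp_open):
    """Run from one side ("hub" or "edge"): probe every flow that originates
    there and return {(src, dst, port): reachable}.  `probe` is injectable so
    the logic can be tested without a network."""
    results = {}
    for src, dst, port in flows:
        if src == this_side:
            results[(src, dst, port)] = probe(hosts[dst], port)
    return results


def report(results):
    """Render the results as one line per flow."""
    return [f"{src} -> {dst} TCP {port}: {'open' if ok else 'BLOCKED or no listener'}"
            for (src, dst, port), ok in sorted(results.items())]


if __name__ == "__main__":
    # Placeholder addresses; substitute the real Hub and Edge server addresses.
    hosts = {"hub": "10.10.0.5", "edge": "10.20.0.4"}
    for line in report(check_flows("hub", hosts)):
        print(line)
```

Run it once on the Hub side and once on the Edge side; a flow that is blocked in one direction only is usually a missing or mis-scoped ISA access rule rather than a service problem.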




aineo -> RE: ISA Rules With Exchange 2007 (9.May.2008 2:27:59 AM)

Tom,

We ended up having to rebuild our Edge, HUB, and CAS servers.  We rebuilt ISA (2006) as well.  I think you have to be really careful about the person who sets things up.  Our Japanese engineer who did the original builds was still on EX 2003 mentality.  Exchange 2007 is a whole different animal. 

We can successfully synchronize all the exchange services between LAN and DMZ, the subscriptions are working fine.
We're having problems publishing the DNS Servers on the DMZ.
Publishing rules are in place with the corresponding External IP and DNS Server protocol.
 
From within the DMZ when you use DNSLint it seems to be publishing properly.  When you use DNSLint from outside of the network it says UDP port 53 not responding.
 
For a test we replaced the ISA with another firewall and everything worked.  We are pretty sure it is just an ISA issue or rule that is missing or misconfigured.
 
Any ISA Master ideas there?
 
We're staying on it but appreciate any feedback.
 
Best Regards,
Spencer




tshinder -> RE: ISA Rules With Exchange 2007 (12.May.2008 12:51:57 PM)

Hi Spencer,

Excellent!

You're right, the Exchange 2007 stuff is a completely different animal and the same rules do not apply, as you've discovered.

Now, the DNS issue should be easy to solve.

Are you using a public or private address DMZ?
Is the DMZ => External NAT or ROUTE for the Network Rule?

Does nslookup from an external machine work?

Thanks!
Tom
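To reproduce the "UDP port 53 not responding" result from an external host without relying on DNSLint, here is an added Python probe (not code from the thread or from DNSLint) that sends a single UDP A query to the published listener and distinguishes a timeout from an actual DNS reply; the server address and domain name are placeholders.

```python
"""Minimal UDP/53 probe for a published DNS server: send one A query and
report either the reply's RCODE or a timeout (the condition DNSLint calls
'UDP port 53 not responding')."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Build a recursion-desired A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, qid):
    """Return (rcode, answer_count) for a reply to `qid`; raise ValueError otherwise."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # ID must match and QR bit must be set
        raise ValueError("not a response to our query")
    return flags & 0x000F, an


def probe_udp53(server, name, timeout=3.0, qid=0x1234):
    """Send the query over UDP and classify the outcome as a string."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no response"  # nothing came back: blocked, dropped, or not listening
    finally:
        sock.close()
    rcode, answers = parse_response(data, qid)
    return f"{RCODES.get(rcode, rcode)} ({answers} answers)"


if __name__ == "__main__":
    # Placeholders: the external listener IP for ns1 and a zone it is authoritative for.
    print(probe_udp53("203.0.113.10", "example.net"))
```

Running this from inside the DMZ and from the Internet side by side tells you whether the listener itself answers and whether the publishing rule is forwarding the UDP datagrams.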




aineo -> RE: ISA Rules With Exchange 2007 (12.May.2008 9:17:13 PM)

Tom,

Thanks for the idea.  A bit stumped here, but this is what we've got.

Answering your questions: let me send you a quick diagram of our network.

DMZ
  Ns1.xxxx.net  10.20.0.2
  Ns2.xxx.net   10.20.0.3
  Edge1         10.20.0.4
  Cluster
LAN
  Hub-cas  10.10.0.5
  Mbx      10.10.0.7
  AD       10.10.0.6
ISA (3 NICs)
  LAN       10.10.0.1
  DMZ       10.20.0.1
  External  6 IPs
    228.xxx.xxx.xxx = PPPoE connection
    228.xxx.xxx.xx1 = listener for ns1 (DNS Server rule)
    228.xxx.xxx.xx2 = listener for ns2
    228.xxx.xxx.xx3 = listener for edge (SMTP Server rule)
    228.xxx.xxx.xx5 = listener for OWA (published site)
All MX records and CNAMEs are in place and work just fine.

Strangely enough, we can easily get the system working with a Juniper router.

Network rules:
  LAN and DMZ to External: NAT
  Localhost to everything: route
  DMZ/LAN to DMZ/LAN: route
  PPPoE on the ISA.
Nslookup works only behind the ISA firewall; it never did from the Internet.

I am not really sure where to go from here.  Does any of the detail above reveal any chinks in our armor?

Really appreciate you looking at this and enjoying your book and website.  Very helpful.  This is the second ISA in our Datacenter.  Only difference is 2004 vs. 2006.  We are so close here.





aineo -> RE: ISA Rules With Exchange 2007 (14.May.2008 4:28:54 AM)

Fixed!

A rebuild of the External DNS servers fixed the problem.  Is this a MS bug or what? 

Many thanks!

Spencer




tshinder -> RE: ISA Rules With Exchange 2007 (14.May.2008 10:28:13 AM)

Hi Spencer,

Could be a bug, or maybe old entries were still in the DNS server cache? I usually empty the cache and reload the server data files after making changes.

Good to hear you got it working and thanks for the follow up!

Thanks!
Tom



