Welcome to ISAserver.org

IIS hijacked my publishing rules.

IIS hijacked my publishing rules. - 15.Mar.2011 5:31:18 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Greetings!

I'm running FTMG 2010 SE SP1 RU3, on Server 2008 R2 SP1, domain joined.

I have not installed Forefront Protection.

Onto the same box, I recently installed Exchange Server 2010 SP1 RU2 in an edge role.

Today, I discovered that all of my HTTP published sites were unresponsive.

I found that IIS had been installed, and the default website was bound to port 80.

I stopped the DWS, restarted fwsrv, and my published websites returned.

Why did this happen?

Can I remove IIS altogether?

Thank you!

Tim ==
314-283-3420
Post #: 1
RE: IIS hijacked my publishing rules. - 24.Mar.2011 3:54:04 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You have to uninstall everything and start over.

TMG must be on a machine all by itself.  It is a Firewall just like Cisco ASA, Sonicwall, etc.,...it can even be purchased in a "hardware appliance" format.  You aren't going to install Exchange and IIS on a Sonicwall or an ASA,...TMG must be treated the same way.

< Message edited by pwindell -- 24.Mar.2011 3:55:08 PM >


_____________________________

Phillip Windell

(in reply to TimTrace)
Post #: 2
RE: IIS hijacked my publishing rules. - 24.Mar.2011 4:02:56 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Phillip, thanks for discussing.

I'm confused by your response to my original post. I've read much documentation, official and otherwise, devoted to the concept of installing Exchange edge servers on TMG. Back before he was romanced away by M$, Jim Harrison himself wrote an ISAServer.org article on installing IIS6 SMTP onto an ISA server as an SMTP gateway. Even GFI's MailEssentials and MailSecurity products rely on SMTP transport sinks, or at least they used to when I was using them 3 years ago. The GFI deployment documentation dealt nicely with installing their products onto an existing ISA server.

Can you help me to better understand your point?

Thanks.

< Message edited by TimTrace -- 24.Mar.2011 4:04:07 PM >

(in reply to pwindell)
Post #: 3
RE: IIS hijacked my publishing rules. - 24.Mar.2011 4:17:14 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
That is MS, not M$,...and Jim has been with MS ever since he left the Navy many years ago. He has transferred to one of the Security divisions of the company,..but ISA/TMG is a security product and Jim was still hanging with us Forefront guys when we were out there with him a few weeks ago.

Jim may come up with creative ways to do things,...he has the skills,...and that is fine....and if you find that article and want to follow it and try that,..that is fine,...Jim knows what he is talking about.  But I am never going to recommend that TMG share the machine with any other product other than products that are specifically engineered to do exactly that with them, such as the GFI product specifically designed and written to be installed as a plugin to ISA/TMG.

Installing IIS's SMTP Service is not the same thing as installing the Web Server part of the product.  The SMTP Service does not conflict with ISA/TMG,...the Web Service does.

Exchange, by design, requires the "web service" for the sake of OWA and should not be installed on the TMG/ISA.

< Message edited by pwindell -- 24.Mar.2011 4:21:35 PM >


_____________________________

Phillip Windell

(in reply to TimTrace)
Post #: 4
RE: IIS hijacked my publishing rules. - 24.Mar.2011 5:07:24 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Thanks, Phillip, for continuing the discussion. You've been around here a long time and you seem tuned into TMG.

I'm still confused. This Microsoft TechNet blog, Using Mail Protection with Exchange EdgeSync on Forefront TMG, includes the installation of an Exchange 2007 SP1 or SP2 edge server role onto the TMG server. The blog was authored and reviewed by some people who in my opinion should be reasonably conversant with all things TMG.

Relevant to the mentioned blog, my deployment is Exchange 2010 SP1 edge. I wonder if that's a significant difference in this situation. I submitted feedback on the blog, but if/until the author or one of the reviewers responds, I was hoping you'd comment. Thanks.

< Message edited by TimTrace -- 24.Mar.2011 5:10:56 PM >

(in reply to pwindell)
Post #: 5
RE: IIS hijacked my publishing rules. - 24.Mar.2011 5:46:32 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
And I said,....if you find that article and want to follow it and try that,..that is fine,...

I don't run Exchange2007,...don't know anything about it.  I also don't run any of the other Forefront Products beyond ISA, such as their anti-spam and AV products or UAG.

But at the beginning of the article it says, "In Forefront TMG we're introducing support for Exchange Edge Subscription - also called EdgeSync" meaning this is something intentionally designed to work this way,...which fits into what I said classifies as being "OK".   That does not justify installing other products on the TMG beyond the boundaries of what the article is exactly saying.

Also slightly more than half way down the article it says, "I will use OWA on the internal network to send mail from the Exchange Organization to the External SMTP server".  This means that OWA is not on the Ex-Edge,...hence the Ex-Edge is not running a "Web Service" which is the primary problem with trying to run a regular Exchange/IIS/OWA on the same box with TMG.  So if you use exactly what they are using, and do it exactly the way they do it,...then go for it.



_____________________________

Phillip Windell

(in reply to TimTrace)
Post #: 6
RE: IIS hijacked my publishing rules. - 24.Mar.2011 5:53:33 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I know that Exchange2007 is drastically different than Exchange2003 but the difference may not be so much between Exchange2007 and Exchange2010.  However there could be enough of a difference to mean something, I don't know.    I have never seen a living breathing copy of Exchange2010 and have only installed Exchange2007 once in a Lab.

_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 7
RE: IIS hijacked my publishing rules. - 24.Mar.2011 6:39:00 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Thanks again, Phillip, it's been nice sharing with you.

It seems to me that the core of the problem is that Exchange 2010 Setup, even when installing just the edge transport role, desires also to install the IIS Application Server with port 80 bound to the default IP. There doesn't seem to be any way to convince Exchange 2010 Setup otherwise.

To anyone else reading this topic who may have direct experience with installing the Exchange 2010 edge transport role onto an existing TMG 2010 installation ... may I ask if you've stumbled across the problem of IIS snagging port 80 away from a TMG web listener?

(in reply to pwindell)
Post #: 8
RE: IIS hijacked my publishing rules. - 24.Mar.2011 7:13:24 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
2 things....

1. Philip, Don't muddy the waters when you don't know what you're talking about.....

2. Tim, have you seen this?
http://blogs.technet.com/b/isablog/archive/2010/09/01/problems-when-installing-exchange-2010-service-pack-1-on-a-tmg-configured-for-mail-protection.aspx

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to TimTrace)
Post #: 9
RE: IIS hijacked my publishing rules. - 24.Mar.2011 7:17:02 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
And here...You did install Exchange before TMG?

http://www.howexchangeworks.com/2010/02/tmg-2010-exchange-edge-2010-forefront.html

_____________________________

Thanks
Steve


(in reply to SteveMoffat)
Post #: 10
RE: IIS hijacked my publishing rules. - 24.Mar.2011 11:37:56 PM   
TimTrace

 

Posts: 119
Joined: 31.Oct.2001
From: St. Louis MO
Status: offline
Thanks much, Steve, for joining in the discussion.

WRT your first reply, I believe I'm immune from that particular problem. I'm patched up to FTMG 2010 SE SP1 RU3. Also, I don't use Microsoft's email protection. I use onlinespamsolutions.com as my MX, and my TMG SMTP publishing rule includes a computer set that explicitly allows SMTP traffic from the vendor's CIDR blocks.

With regards to your second reply ...
1. Installed 2008 R2 and patched
2. Installed TMG and patched
3. Created all my publishing and access rules
4. Installed IIS7 SMTP and configured it as a smarthost (I'd run that way for a decade with ISA 2000/IIS5, 2004/IIS6 and 2006/IIS6)
5. Enjoyed a stable config for a week with no problems
6. Completely removed IIS7
7. Installed Exchange 2010 prerequisites as directed by Exchange edge role setup
8. Installed Exchange edge role and patched
9. Became entirely confounded by my hijacked HTTP listener port
10. Google brought me to this blog, but the Windows RMS wasn't to blame
11. Drawing from the RMS issue described in the blog, I stopped the DWS and restarted FWS and regained my HTTP listener port

I thought that Exchange setup would be aware of the existence of TMG, and not mess with port 80. Obviously I was wrong :)

You've shared some especially good stuff, and further suggestions will be appreciated. Thanks for helping.

< Message edited by TimTrace -- 24.Mar.2011 11:52:11 PM >

(in reply to SteveMoffat)
Post #: 11
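
Added example, not part of any post in this thread: a PowerShell 2.0-compatible check for the condition described above, where something other than the firewall service ends up holding the port-80 listener after a role install. The function names, the sample `netstat` output and the PIDs are constructed for illustration; `fwsrv` is the service name used in the thread.

```powershell
# PowerShell 2.0 compatible (Server 2008 R2). Sample data is constructed.
function Get-PortListener {
    param([string[]]$NetstatLines, [int]$Port = 80)
    foreach ($line in $NetstatLines) {
        # netstat -ano columns: Proto  Local  Foreign  State  PID
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            if ([int]$Matches[2] -eq $Port) {
                New-Object PSObject -Property @{
                    Address  = $Matches[1]
                    OwnerPid = [int]$Matches[3]
                }
            }
        }
    }
}

function Test-ListenerConflict {
    param([string[]]$NetstatLines, [int]$FirewallPid, [int]$Port = 80)
    $findings = @()
    foreach ($l in @(Get-PortListener -NetstatLines $NetstatLines -Port $Port)) {
        if ($l.OwnerPid -eq $FirewallPid) { continue }   # expected owner
        $note = "PID $($l.OwnerPid)"
        # PID 4 (System) is the HTTP.sys kernel listener used by IIS sites
        if ($l.OwnerPid -eq 4) { $note = 'PID 4 (System/HTTP.sys, e.g. an IIS site binding)' }
        # 0.0.0.0 is IIS "All Unassigned": it claims the port on every IP
        if ($l.Address -eq '0.0.0.0') { $note += ', bound to all addresses' }
        $findings += "Port $Port on $($l.Address) is held by $note"
    }
    $findings
}

# Constructed sample of `netstat -ano -p TCP` taken after the role install
$sample = @(
    '  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2312'
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4'
    '  TCP    203.0.113.10:443       0.0.0.0:0              LISTENING       1840'
)
Test-ListenerConflict -NetstatLines $sample -FirewallPid 1840

# Live use on the firewall host (fwsrv is the service name from the thread):
#   $fw = (Get-WmiObject Win32_Service -Filter "Name='fwsrv'").ProcessId
#   Test-ListenerConflict -NetstatLines (netstat -ano -p TCP) -FirewallPid $fw
```

Running the same check before and after installing any additional role on the firewall host makes a new listener on a published port visible before users report an outage.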
RE: IIS hijacked my publishing rules. - 25.Mar.2011 10:11:31 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

1. Philip, Don't muddy the waters when you don't know what you're talking about.....


Take a break Steve.  I told him I don't use Exchange2007 and run ISA instead of TMG.  When he showed me the link to that article and I looked at it I said it would be fine. But we all tell people to not install other products on ISA/TMG and you do so as well,...so get over it,...I guess not everyone is as wise as you.  You're a time zone ahead of me you should have been here yesterday dealing with it before I had a chance to muddy your waters.




_____________________________

Phillip Windell

(in reply to SteveMoffat)
Post #: 12
RE: IIS hijacked my publishing rules. - 25.Mar.2011 11:53:32 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
@ Philip....it's a supported config...

@ Tim....You need to start again & install Exchange before you install TMG....

_____________________________

Thanks
Steve


(in reply to pwindell)
Post #: 13
RE: IIS hijacked my publishing rules. - 25.Mar.2011 11:59:03 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

@ Philip....it's a supported config...


Yes it is.  And after I saw the article the OP gave the link to I acknowledge that and told him to "go for it".   Did I realize that particular case was supported beforehand?,...no,...unfortunately, and as much fun as it would be,..I don't always know everything about everything in every situation.

So what's your problem then?

_____________________________

Phillip Windell

(in reply to SteveMoffat)
Post #: 14
