IIS hijacked my publishing rules.

All Forums >> [Threat Management Gateway (TMG) 2010] >> General


TimTrace -> IIS hijacked my publishing rules. (15.Mar.2011 5:31:18 PM)


I'm running FTMG 2010 SE SP1 RU3, on Server 2008 R2 SP1, domain joined.

I have not installed Forefront Protection.

Onto the same box, I recently installed Exchange Server 2010 SP1 RU2 in an edge role.

Today, I discovered that all of my HTTP published sites were unresponsive.

I found that IIS had been installed, and the default website was bound to port 80.

I stopped the DWS, restarted fwsrv, and my published websites returned.

Why did this happen?

Can I remove IIS altogether?

Thank you!

Tim ==

pwindell -> RE: IIS hijacked my publishing rules. (24.Mar.2011 3:54:04 PM)

You have to uninstall everything and start over.

TMG must be on a machine all by itself.  It is a Firewall just like Cisco ASA, Sonicwall, etc.,...it can even be purchased in a "hardware appliance" format.  You aren't going to install Exchange and IIS on a Sonicwall or an ASA,...TMG must be treated the same way.

TimTrace -> RE: IIS hijacked my publishing rules. (24.Mar.2011 4:02:56 PM)

Phillip, thanks for discussing.

I'm confused by your response to my original post. I've read much documentation, official and otherwise, devoted to the concept of installing Exchange edge servers on TMG. Back before he was romanced away by M$, Jim Harrison himself wrote an ISAServer.org article on installing IIS6 SMTP onto an ISA server as an SMTP gateway. Even GFI's MailEssentials and MailSecurity products rely on SMTP transport sinks, or at least they used to when I was using them 3 years ago. The GFI deployment documentation dealt nicely with installing their products onto an existing ISA server.

Can you help me to better understand your point?


pwindell -> RE: IIS hijacked my publishing rules. (24.Mar.2011 4:17:14 PM)

That is MS, not M$,...and Jim has been with MS ever since he left the Navy many years ago. He has transferred to one of the Security divisions of the company,..but ISA/TMG is a security product and Jim was still hanging with us Forefront guys when we were out there with him a few weeks ago.

Jim may come up with creative ways to do things,...he has the skills,...and that is fine....and if you find that article and want to follow it and try that,..that is fine,...Jim knows what he is talking about.  But I am never going to recommend that TMG share the machine with any other product other than products that are specifically engineered to do exactly that with them, such as the GFI product specifically designed and written to be installed as a plugin to ISA/TMG.

Installing IIS's SMTP Service is not the same thing as installing the Web Server part of the product.  The SMTP Service does not conflict with ISA/TMG,...the Web Service does.

Exchange, by design, requires the "web service" for the sake of OWA and should not be installed on the TMG/ISA.

TimTrace -> RE: IIS hijacked my publishing rules. (24.Mar.2011 5:07:24 PM)

Thanks, Phillip, for continuing the discussion. You've been around here a long time and you seem tuned into TMG.

I'm still confused. This Microsoft TechNet blog, Using Mail Protection with Exchange EdgeSync on Forefront TMG, includes the installation of an Exchange 2007 SP1 or SP2 edge server role onto the TMG server. The blog was authored and reviewed by some people who in my opinion should be reasonably conversant with all things TMG.

Relevant to the mentioned blog, my deployment is Exchange 2010 SP1 edge. I wonder if that's a significant difference in this situation. I submitted feedback on the blog, but if/until the author or one of the reviewers responds, I was hoping you'd comment. Thanks.

pwindell -> RE: IIS hijacked my publishing rules. (24.Mar.2011 5:46:32 PM)

And I said,....if you find that article and want to follow it and try that,..that is fine,...

I don't run Exchange2007,...don't know anything about it.  I also don't run any of the other Forefront Products beyond ISA, such as their anti-spam and AV products or UAG.

But at the beginning of the article it says, "In Forefront TMG we're introducing support for Exchange Edge Subscription - also called EdgeSync" meaning this is something intentionally designed to work this way,...which fits into what I said classifies as being "OK".   That does not justify installing other products on the TMG beyond the boundaries of what the article is exactly saying.

Also slightly more than half way down the article it says, "I will use OWA on the internal network to send mail from the Exchange Organization to the External SMTP server".  This means that OWA is not on the Ex-Edge,...hence the Ex-Edge is not running a "Web Service" which is the primary problem with trying to run a regular Exchange/IIS/OWA on the same box with TMG.  So if you use exactly what they are using, and do it exactly the way they do it,...then go for it.

pwindell -> RE: IIS hijacked my publishing rules. (24.Mar.2011 5:53:33 PM)

I know that Exchange2007 is drastically different than Exchange2003 but the difference may not be so much between Exchange2007 and Exchange2010.  However there could be enough of a difference to mean something, I don't know.    I have never seen a living breathing copy of Exchange2010 and have only installed Exchange2007 once in a Lab.

TimTrace -> RE: IIS hijacked my publishing rules. (24.Mar.2011 6:39:00 PM)

Thanks again, Phillip, it's been nice sharing with you.

It seems to me that the core of the problem is that Exchange 2010 Setup, even when installing just the edge transport role, desires also to install the IIS Application Server with port 80 bound to the default IP. There doesn't seem to be any way to convince Exchange 2010 Setup otherwise.

To anyone else reading this topic who may have direct experience with installing the Exchange 2010 edge transport role onto an existing TMG 2010 installation ... may I ask if you've stumbled across the problem of IIS snagging port 80 away from a TMG web listener?

SteveMoffat -> RE: IIS hijacked my publishing rules. (24.Mar.2011 7:13:24 PM)

2 things....

1. Philip, Don't muddy the waters when you don't know what you're talking about.....

2. Tim, have you seen this?

SteveMoffat -> RE: IIS hijacked my publishing rules. (24.Mar.2011 7:17:02 PM)

And here...You did install Exchange before TMG?


TimTrace -> RE: IIS hijacked my publishing rules. (24.Mar.2011 11:37:56 PM)

Thanks much, Steve, for joining in the discussion.

WRT your first reply, I believe I'm immune from that particular problem. I'm patched up to FTMG 2010 SE SP1 RU3. Also, I don't use Microsoft's email protection. I use onlinespamsolutions.com as my MX, and my TMG SMTP publishing rule includes a computer set that explicitly allows SMTP traffic from the vendor's CIDR blocks.

With regards to your second reply ...

1. Installed 2008 R2 and patched
2. Installed TMG and patched
3. Created all my publishing and access rules
4. Installed IIS7 SMTP and configured it as a smarthost (I'd run that way for a decade with ISA 2000/IIS5, 2004/IIS6 and 2006/IIS6)
5. Enjoyed a stable config for a week with no problems
6. Completely removed IIS7
7. Installed Exchange 2010 prerequisites as directed by Exchange edge role setup
8. Installed Exchange edge role and patched
9. Became entirely confounded by my hijacked HTTP listener port
10. Google brought me to this blog, but the Windows RMS wasn't to blame
11. Drawing from the RMS issue described in the blog, I stopped the DWS and restarted FWS and regained my HTTP listener port

I thought that Exchange setup would be aware of the existence of TMG, and not mess with port 80. Obviously I was wrong :)

You've shared some especially good stuff, and further suggestions will be appreciated. Thanks for helping.
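A diagnostic for the port-80 conflict Tim describes above (IIS's Default Web Site holding the port his TMG web listener needs), added here as an example and not taken from any post in this thread. It assumes Windows Server 2008 R2 with IIS 7.5's WebAdministration module and uses the TMG Firewall service name fwsrv mentioned in the thread.

```powershell
# Diagnostic for the port-80 conflict in this thread (added example, not from any post).
# Assumes Windows Server 2008 R2 with IIS 7.5 (WebAdministration module) and TMG's
# firewall service name fwsrv. Run from an elevated PowerShell prompt on the TMG box.
Import-Module WebAdministration -ErrorAction SilentlyContinue

# 1. Who listens on TCP/80? netstat is used because 2008 R2 has no Get-NetTCPConnection.
#    Owner PID 4 (System) means http.sys, i.e. IIS or another HTTP-API user, holds the port.
$port80 = netstat -ano -p tcp | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):80\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $ownerPid  = [int]$Matches[2]
        $ownerProc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $ownerName = 'unknown'
        if ($ownerProc) { $ownerName = $ownerProc.ProcessName }
        New-Object PSObject -Property @{
            LocalAddress = $Matches[1]; OwnerPid = $ownerPid; OwnerProcess = $ownerName
        }
    }
}
"Listeners on TCP/80:"
$port80 | Format-Table LocalAddress, OwnerPid, OwnerProcess -AutoSize

# 2. Is the W3SVC (World Wide Web Publishing) service present and running, and which IIS
#    site is bound to port 80? (The culprit in this thread was the Default Web Site.)
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3svc) {
    "W3SVC state: $($w3svc.Status)"
    Get-Website | ForEach-Object {
        $site = $_
        $site.bindings.Collection | Where-Object { $_.bindingInformation -match ':80:' } |
            ForEach-Object { "IIS site '$($site.Name)' ($($site.State)) bound to $($_.bindingInformation)" }
    }
} else {
    "W3SVC not installed; IIS is not holding the port."
}

# 3. Is the TMG Firewall service running? Its web listeners cannot bind while http.sys has 80.
$fwsrv = Get-Service -Name fwsrv -ErrorAction SilentlyContinue
if ($fwsrv) { "fwsrv state: $($fwsrv.Status)" } else { "fwsrv not found; is this the TMG server?" }

# 4. Verdict, using the remedy from the thread: stop the IIS site, then restart fwsrv.
$httpSysOwns80 = @($port80 | Where-Object { $_.OwnerPid -eq 4 }).Count -gt 0
if ($httpSysOwns80 -and $w3svc -and $w3svc.Status -eq 'Running') {
    "CONFLICT: http.sys (IIS) owns TCP/80. Run: Stop-Website 'Default Web Site'; Restart-Service fwsrv -Force"
    "Consider Set-Service W3SVC -StartupType Disabled so a reboot does not recreate the conflict."
} elseif (-not $httpSysOwns80) {
    "OK: http.sys does not hold TCP/80; the TMG web listener should be able to bind."
}
```

Disabling W3SVC is only appropriate when nothing else on the box needs IIS's web service; the Edge Transport role itself does not, which is why stopping the Default Web Site was enough to restore the listener.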

pwindell -> RE: IIS hijacked my publishing rules. (25.Mar.2011 10:11:31 AM)


1. Philip, Don't muddy the waters when you don't know what you're talking about.....

Take a break Steve.  I told him I don't use Exchange2007 and run ISA instead of TMG.  When he showed me the link to that article and I looked at it I said it would be fine. But we all tell people to not install other products on ISA/TMG and you do so as well,...so get over it,...I guess not everyone is as wise as you.  You're a time zone ahead of me, you should have been here yesterday dealing with it before I had a chance to muddy your waters.

SteveMoffat -> RE: IIS hijacked my publishing rules. (25.Mar.2011 11:53:32 AM)

@ Philip....it's a supported config...

@ Tim....You need to start again & install Exchange before you install TMG....

pwindell -> RE: IIS hijacked my publishing rules. (25.Mar.2011 11:59:03 AM)


@ Philip....it's a supported config...

Yes it is.  And after I saw the article the OP gave the link to I acknowledged that and told him to "go for it".   Did I realize that particular case was supported beforehand?,...no,...unfortunately, and much fun as it would be,..I don't always know everything about everything in every situation.

So what's your problem then?
