RE: Discussion about article on troubleshooting SMTP Server Publishing

RE: Discussion about article on troubleshooting SMTP Se... - 8.Mar.2006 4:06:31 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bit,

Before we go any farther, DO NOT USE TEMPLATES unless you have a deep understanding of how they work. You should be using the edge firewall template.

OK, now assuming that you have used the edge firewall template.

I'm not clear on the configuration. You say things are working from the DMZ to send inbound SMTP, but then it looks like the DMZ network ID isn't working.

Since you're NATing from the Internet through the Cisco to the ISA firewall's external interface, what Network Rule applies to the connection from the IP address on the Cisco LAN interface and the ISA firewall Network to which the SMTP server belongs?

Thanks!
Tom


_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to bitconfused)
Post #: 41
RE: Discussion about article on troubleshooting SMTP Se... - 11.Mar.2006 8:56:34 PM   
bitconfused

 

Posts: 2
Joined: 3.Mar.2006
Status: offline
Hey Tom,

Thanks for the reply; I would like to know the impact of switching from my current config to Edge.  If I have typical (mail, DNS, RDP and Web rules) is it a big issue to switch with ISA 2004?  As for learning more on templates, I will switch back one way or another, and to understand them better I have gone and purchased another one of your books, "Dr. Tom Shinder's Configuring ISA Server 2004".  If there is a better option please let me know. ;-)

As for my issue, I am able to send mail from the mail server to the outside world without issue, through the DMZ (not ISA but the physical one created by having the two firewalls).  However, when in the DMZ I cannot telnet to port 25 on the published IP of the ISA Server.  Meanwhile, while in the DMZ I can telnet to other published services on their native ports (IMAP, PPTP, POP3, HTTP); all work fine when I publish them.  Here is the strange part: I can telnet to my Exchange server from the DMZ "IF" I tell ISA to listen on port 3232 (randomly assigned) via telnet.  Then I forward inbound port 25 from the Cisco's internet side and translate it to 3232 so that it hits the 3232 being listened for on the SMTP published IP (my workaround). Weird, I know!

I know my forwarding rules on the Cisco are correct as I can access all of the aforementioned services through the Cisco into my DMZ and subsequently through ISA into my backend network.  I have also gone as far as to use other routers that are forwarding SMTP in other locations backing up their config, and uploading it to a spare, making the appropriate changes for my network only to end up with the same results. :-(

Also, I must apologize, as I did not understand your last question:

"Since you're NATing from the Internet through the Cisco to the ISA firewall's external interface, what Network Rule applies to the connection from the IP address on the Cisco LAN interface and the ISA firewall Network to which the SMTP server belongs?"

I believe the rules on the Cisco are correct, as other routers (Linksys BEFSX41 and RV08) yield the same results.  On the ISA external interface I have my services published so as to allow ISA to listen for them based on the port, and they all work, except port 25 on the SMTP server rule. I am not sure if I have correctly answered your question; if not, could you possibly rephrase?

Thanks for your guidance! :D

Bit.

(in reply to tshinder)
Post #: 42
RE: Discussion about article on troubleshooting SMTP Se... - 13.Mar.2006 2:34:33 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bit,

First, to be honest, whenever I see references to people who use the templates, I shut down. Why? People who use the templates do so without understanding what those templates do and then get themselves in more problems than they would have had they started from scratch.

Check out http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

HTH,
Tom


(in reply to bitconfused)
Post #: 43
RE: Discussion about article on troubleshooting SMTP Se... - 13.Mar.2006 2:42:13 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hmmm. Looks like I already went through the template rap :)

Do you have a network diagram? In the diagram, show the request/response paths that are not working for you.

Tom


(in reply to tshinder)
Post #: 44
RE: Discussion about article on troubleshooting SMTP Se... - 20.Sep.2006 5:41:20 PM   
zob

 

Posts: 5
Joined: 27.Jan.2006
Status: offline
Hi Tom, thanks for the article, it helped me spot a gateway problem on the Exchange server.

I've come across an oddity though.

We allow 10.6.18.x to relay through the SMTP server as we have a bunch of legacy apps feeding mail to the users. We therefore chose to have requests appear to come from the original client and avoid the relaying issue.

However, when we connect to the SMTP server via telnet from an external site and do an ehlo it shows the connection as coming from the ISA server! The Exchange server then happily relays any and all mail coming in via the ISA server.

Have you any idea why this could be happening? 

Regards
Kevin Brown 

(in reply to tshinder)
Post #: 45
RE: Discussion about article on troubleshooting SMTP Se... - 21.Sep.2006 2:26:16 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kevin,

Not sure what's not working here. Can you give some more details?

thanks!
Tom


(in reply to zob)
Post #: 46
RE: Discussion about article on troubleshooting SMTP Se... - 21.Sep.2006 3:00:25 PM   
zob

 

Posts: 5
Joined: 27.Jan.2006
Status: offline
Hi Tom,

When I telnet into the mailserver from an external IP and type an "ehlo" I would expect to see...

ehlo
250-whatever.co.uk Hello [123.35.101.18]
250-TURN
250-SIZE
...

What I actually see is

ehlo
250-mydomain.co.uk Hello [10.6.18.2]
250-TURN
250-SIZE
...

This tells me that the mailserver believes the connection is coming from a system internal to the network and means it will relay any mail from external sources as if they were internal. The ISA server is not presenting the incoming connection IP to the mailserver as requested in the listener options. It is sending the ISA IP address as the source instead.

Hope this clarifies the issue

Regards
Kevin

(in reply to tshinder)
Post #: 47
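The check Kevin describes above can be scripted against a server's own EHLO reply so that the misconfiguration is caught before a spammer finds it. This is an added example, not code from the thread or from ISA Server; the relay-permitted range 10.6.18.0/24 and the two sample replies are constructed from the addresses quoted in the post.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Address ranges the Exchange server relays for (the thread's 10.6.18.x legacy-app range).
RELAY_ALLOWED = [ipaddress.ip_network("10.6.18.0/24")]

# First line of an Exchange EHLO reply: "250-host Hello [client-ip]"
GREETING_RE = re.compile(r"^250[- ](?P<host>\S+)\s+Hello\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def parse_ehlo_greeting(reply: str) -> Optional[Tuple[str, str]]:
    """Return (hostname, client ip as seen by the server) from a full EHLO reply, or None."""
    for line in reply.splitlines():
        m = GREETING_RE.match(line.strip())
        if m:
            return m.group("host"), m.group("ip")
    return None


def assess_probe(reply: str, probe_source: str, relay_allowed=RELAY_ALLOWED) -> dict:
    """Compare the address the server reports with the address the probe really came from.

    'ok'              : server saw the true client address
    'open-relay-risk' : external probe surfaced as a relay-permitted address (the thread's bug)
    'source-rewritten': address was rewritten, but not into a relay-permitted range
    'unparsed'        : no greeting line found
    """
    parsed = parse_ehlo_greeting(reply)
    if parsed is None:
        return {"status": "unparsed"}
    host, seen = parsed
    seen_ip = ipaddress.ip_address(seen)
    src_ip = ipaddress.ip_address(probe_source)
    seen_relay_ok = any(seen_ip in net for net in relay_allowed)
    src_relay_ok = any(src_ip in net for net in relay_allowed)
    preserved = seen_ip == src_ip
    if preserved:
        status = "ok"
    elif seen_relay_ok and not src_relay_ok:
        status = "open-relay-risk"
    else:
        status = "source-rewritten"
    return {"status": status, "host": host, "seen_ip": str(seen_ip),
            "probe_source": str(src_ip), "client_ip_preserved": preserved}


# Constructed sample replies, modelled on the two transcripts in the post above.
EXPECTED_REPLY = "250-whatever.co.uk Hello [123.35.101.18]\r\n250-TURN\r\n250-SIZE\r\n"
OBSERVED_REPLY = "250-mydomain.co.uk Hello [10.6.18.2]\r\n250-TURN\r\n250-SIZE\r\n"

if __name__ == "__main__":
    for reply in (EXPECTED_REPLY, OBSERVED_REPLY):
        print(assess_probe(reply, "123.35.101.18"))
```

Feed it the reply captured from a telnet session started outside the firewall; a result of open-relay-risk means the publishing rule is handing Exchange the firewall's address rather than the client's.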
RE: Discussion about article on troubleshooting SMTP Se... - 21.Sep.2006 3:05:19 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kevin,

OK, got it!

Configure the SMTP Server Publishing Rule to preserve the client IP address.

HTH,
Tom


(in reply to zob)
Post #: 48
RE: Discussion about article on troubleshooting SMTP Se... - 21.Sep.2006 4:03:05 PM   
zob

 

Posts: 5
Joined: 27.Jan.2006
Status: offline
Hi Tom,

I have, and it doesn't, hence my confusion!

I've selected  "Requests appear to come from the original client" on the To tab of the listener properties. Is there something else I should be doing too?

Many thanks for your help.

Kevin

(in reply to tshinder)
Post #: 49
RE: Discussion about article on troubleshooting SMTP Se... - 23.Sep.2006 5:28:37 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kevin,

That is pretty interesting!

Is it working? What I mean is if you configure the SMTP server with a default gateway address that is NOT the ISA Firewall, will it work?

Thanks!
Tom


(in reply to zob)
Post #: 50
RE: Discussion about article on troubleshooting SMTP Se... - 25.Sep.2006 11:21:48 AM   
zob

 

Posts: 5
Joined: 27.Jan.2006
Status: offline
Hi Tom,

The rule works fine for SMTP traffic, rather too well as the SPAM relaying attack that brought this problem to my attention proved!

If I change the gateway address, any connections result in the telnet screen shown in your article, just an underscore for each line entered.

I've opened a case with MS on this one as even they think this is odd. As usual they've asked for a ton of reports & logs. I'll put those together today and let you know how I get on.

Regards

Kevin 

(in reply to tshinder)
Post #: 51
RE: Discussion about article on troubleshooting SMTP Se... - 26.Sep.2006 1:21:57 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kevin,

OK, so if you change the gateway address on the SMTP server, and you have the ISA Firewall preserve the client IP address, you just see the lines, which is how it should work.

But when you configure the SMTP Server Publishing rule, you see the IP address of the ISA Firewall in the SMTP Server's log files.

Whoa.

Let us know what you find out from MS.

Thanks!
Tom


(in reply to zob)
Post #: 52
RE: Discussion about article on troubleshooting SMTP Se... - 7.Jul.2007 2:56:16 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Hi Tom,
Very good article. I followed all steps and now when I try to telnet from external to the SMTP Server it fails to make a connection. My Exchange server DG is the IP address of the ISA server internal NIC.

Thanks

(in reply to tshinder)
Post #: 53
RE: Discussion about article on troubleshooting SMTP Se... - 8.Jul.2007 2:03:50 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I called my ISP and found that on the Cisco router there was a static route which pointed to the old firewall. I changed my ISA server IP address to the IP address of the old firewall and it's working fine now.

(in reply to bhavin78)
Post #: 54
RE: Discussion about article on troubleshooting SMTP Se... - 9.Jul.2007 10:36:23 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Great! Good to hear you got things working and thanks for the follow up.

Tom


(in reply to bhavin78)
Post #: 55
RE: Discussion about article on troubleshooting SMTP Se... - 10.Jul.2007 12:50:33 PM   
natch

 

Posts: 8
Joined: 10.Jul.2007
Status: offline
Hi all,

I have been looking into SMTP related issues in this forum in order to solve my problem but haven't come across the answer yet, hopefully someone can help.

I have ISA 2006 STD installed on Windows Server 2003 SP2, configured in 3-Leg Perimeter mode (I did use the template). LAN is 192.168.17.0/24 (LAN NIC is 192.168.17.250), DMZ is 172.16.10.0/16 (DMZ NIC is 172.16.10.1), WAN IP of ISA is public. In my testing I have allowed ping requests to the external IP and receive responses from clients in the external network.

I have Symantec Mail Security for SMTP set up in the DMZ on a separate server (IP 172.16.10.2, DG of 172.16.10.1). An SMTP Server publishing rule is set up to handle requests from External to 172.16.10.2.

If I attempt to telnet on port 25 from external clients to the WAN IP of ISA, nothing happens; I just return to a prompt (i.e. no "connection failed" message). If I access the monitoring of the ISA server and log SMTP Server as per Tom's article, nothing shows in the logging session. I don't suspect this is a DNS issue as I am using IP addresses only; I haven't changed any A records or MX records until I can verify this is working.

The only network component upstream from the ISA external interface is a Cisco router that is managed by our ISP; the external NIC for ISA has the IP address of the Cisco router as its DG.

Hopefully I have provided enough information to set the scenario!

Regards,
Chris

(in reply to tshinder)
Post #: 56
RE: Discussion about article on troubleshooting SMTP Se... - 11.Jul.2007 10:29:36 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
First, never use the templates; they'll ruin you nine out of ten times :)

Second, I notice that you're using private addresses in the DMZ. The template sets a route relationship between the DMZ ISA Firewall Network and the default External Network. You might need to change that.

HTH,
Tom


(in reply to natch)
Post #: 57
RE: Discussion about article on troubleshooting SMTP Se... - 12.Jul.2007 3:26:18 AM   
natch

 

Posts: 8
Joined: 10.Jul.2007
Status: offline
Hi Tom,

Thanks for the help. I have reverted back to the original config (pre 3-leg template) and created the DMZ and network rules manually. As soon as I created the mail publishing rules I was able to telnet to the Symantec Mail Security for SMTP gateway box in the DMZ.

Now I am trying to establish connectivity between Symantec Mail Security for SMTP and my backend Exchange server. This is a little different, as the backend Exchange server is at another office location connected by a site-to-site VPN; connectivity between the internal network (protected by ISA) and the remote office (ISA server is not used at the remote office) is established and happily working, but I am having similar problems telnetting from the DMZ to Exchange.

To test, I configured IIS SMTP on a computer (192.168.17.1) on the internal (ISA protected) network, which would then SMTP relay over VPN to the Exchange server. My publishing rules appear to be correct as I can telnet to 192.168.17.1 on port 25. However, when Symantec Mail Security for SMTP attempts to relay to the IIS SMTP, it returns an error. To test further I placed the Symantec product on the internal network and it was then able to relay to the IIS SMTP relay and onwards to the Exchange server. Still not sure why it wouldn't work from the DMZ to the internal network, but I'll leave it on the internal network for now.

Thanks,
Chris

< Message edited by natch -- 12.Jul.2007 9:35:25 AM >

(in reply to tshinder)
Post #: 58
RE: Discussion about article on troubleshooting SMTP Se... - 14.Jul.2007 3:37:56 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

Is the branch office behind the Internal Network's ISA Firewall NIC?

Tom


(in reply to natch)
Post #: 59
RE: Discussion about article on troubleshooting SMTP Se... - 15.Jul.2007 2:56:30 PM   
natch

 

Posts: 8
Joined: 10.Jul.2007
Status: offline
Hi Tom,

The branch office that contained the Exchange server was not behind the internal network's ISA firewall NIC; it was connected using a site-to-site VPN created on the ISA firewall.

Before you ponder that, however, that branch office now no longer exists and the Exchange server has been relocated to the new office (and is therefore protected by the ISA firewall). I still have Symantec Mail Security on the internal network rather than the DMZ, and it is forwarding mail appropriately. I would still prefer to have Symantec Mail Security sitting in the DMZ but will have to wait for a free weekend to retest that scenario.

Thanks for your help.

Oh, and I'm also having some OWA publishing woes; a separate thread has been started: http://forums.isaserver.org/m_2002049006/mpage_1/key_/tm.htm#2002049006

Chris

< Message edited by natch -- 15.Jul.2007 3:38:02 PM >

(in reply to tshinder)
Post #: 60
