tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
quote: Originally posted by Jac Goudsmit: Interesting article, Tom, and thanks for the hints about the Network Monitoring tool!
I just set up an ISA server 2004 and I'm a little stumped by a similar problem (or maybe not).
My box has 3 networks, LAN, WAN and DMZ. I use NAT network rules from LAN->WAN and DMZ->WAN; there is no network rule that connects LAN and DMZ. For various reasons, I prefer not to use a route rule between DMZ and WAN. You could say I just have two LANs, one that has published servers on it and one that doesn't. The addresses inside the LAN and DMZ don't overlap.
I've set up an SMTP server publishing rule, which works perfectly: no matter where you are (LAN or WAN), you can make a connection to the SMTP server connected to the DMZ, by using one of the ISA server's WAN addresses (it uses two IP addresses on the same WAN port).
I also want to publish the same SMTP server on port 2525, so that off-site workers don't have to deal with ISP-imposed port-25 filtering. So I created a server publishing rule that publishes the same SMTP server on port 2525 on the same external address, and overrides the incoming port to 2525.
The problem is that this works great for connections that come from the External network, but for some reason not from the inside. When I do a telnet from a computer on the LAN to the ISA server's external address, I seem to get connected but all I get is an empty screen, no SMTP signon message. As soon as I type something, the connection is closed without message. ISA monitoring says the connection from my computer is initiated (because of the unrestricted Internal->External rule) but it shows "Unidentified IP Traffic" as protocol. Network Monitor doesn't see any port 25 or 2525 traffic on the DMZ, and no relevant traffic on the LAN (I can paste some data if that helps).
Something similar happens with two other publishing rules that I use to publish an HTTP and HTTPS server on alternate ports: when I connect to them from the outside, no problem. But from the inside: Page could not be displayed.
It appears that any publishing rule that changes the port number between source and destination doesn't work if the connection is made from a network other than the one the listener's address is on. If the packet has to do a three-way hop inside ISA server (from LAN to WAN, then from WAN to DMZ), the ISA server apparently drops the packet if the destination port needs to be changed.
Is this a bug or am I overlooking something? I thought, maybe I should add a rule from internal network to local host, but this is not allowed. Adding a route between LAN and DMZ is not an option: the SMTP server in the DMZ doesn't listen on port 2525.
I also tried allowing incoming connections on ALL networks for the port 2525 listener (instead of just on the one address on the External network) but this has no effect. I tried telnetting to the LAN address of the ISA server instead, no effect either.
Am I forced to use a route rule between DMZ and WAN, instead of a NAT? This would be devastating because I only have two IP addresses available for this particular setup, and I would like to use more than two machines to publish services (actually dividing the services over more than one machine is one of the main reasons I'm setting up the ISA server in the first place).
===Jac
Hi Jac,
Create a NAT or route relationship (I think route is much better) between the DMZ and the Internal network. Then publish the SMTP server on the DMZ to the hosts on the Internal Network using a listener on the Internal Network.
HTH, Tom
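The diagnostic Jac describes (telnet to the published address, wait for the SMTP greeting, see whether you get a banner, an empty screen, or a dropped connection) is easy to automate so you can repeat it from the LAN, the DMZ and the outside after changing network rules. The script below is an added example, not code from the original thread or from ISA Server; it assumes nothing about ISA itself. It probes a host:port and classifies the result, and it starts three loopback stand-in listeners (constructed for the demo, with a made-up `mail.example.test` banner) that reproduce the three behaviours seen in the thread: a working published listener, one that accepts but never greets, and one that closes straight away.

```python
import socket
import threading

# Constructed greeting for the loopback stand-in server; not a real host.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def probe_smtp_banner(host, port, timeout=3.0):
    """Connect to host:port and wait for the SMTP greeting, as telnet would.

    Returns (state, banner). States:
      "smtp-banner"          a 220 greeting arrived: the publishing rule works
      "connected-no-banner"  TCP connect succeeded but nothing arrived before
                             the timeout (the "empty telnet screen" symptom)
      "connected-closed"     the peer closed without sending anything
      "unexpected-reply"     something arrived that is not a 220 greeting
      "refused"              the connection was actively refused
      "unreachable"          connect timed out or another socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return ("connected-no-banner", "")
            if not data:
                return ("connected-closed", "")
            line = data.decode("ascii", "replace").splitlines()[0].strip()
            if line.startswith("220"):
                return ("smtp-banner", line)
            return ("unexpected-reply", line)
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError:  # includes a timeout on connect
        return ("unreachable", "")


def probe_many(host, ports, timeout=3.0):
    """Probe several published ports (e.g. 25 and 2525) on one address."""
    return {port: probe_smtp_banner(host, port, timeout)[0] for port in ports}


def start_fake_listener(behaviour):
    """Loopback server standing in for a published listener (demo only).

    behaviour: "banner" -> answers with FAKE_BANNER
               "silent" -> accepts, sends nothing, drops on first input
               "close"  -> accepts and closes at once
    Returns (server_socket, port); close the socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener socket closed
                return
            with conn:
                if behaviour == "banner":
                    conn.sendall(FAKE_BANNER)
                elif behaviour == "silent":
                    conn.settimeout(10)
                    try:
                        conn.recv(1)  # wait for the client's first input
                    except OSError:
                        pass
                # "close": fall through and close the connection immediately

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_loopback_port():
    """Find a loopback port nothing listens on, for a 'refused' probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=1.0):
    """Run the three stand-in listeners and probe each as telnet would."""
    listeners = {name: start_fake_listener(name) for name in ("banner", "silent", "close")}
    try:
        return {name: probe_smtp_banner("127.0.0.1", port, timeout)[0]
                for name, (_, port) in listeners.items()}
    finally:
        for srv, _ in listeners.values():
            srv.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:7s} -> {state}")
```

Against a real deployment, call `probe_many("<published address>", [25, 2525])` from a host on each network and compare the states: a listener that returns `smtp-banner` from outside but `connected-no-banner` from the LAN is exactly the symptom in the thread, while `refused` or `unreachable` points at a missing access rule or routing problem rather than a port-override issue.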