quote:

---

Originally posted by <JohnLeo>:
I had a question about one section of the configuration:

"Create DNS and SMTP Protocol Rules
The Exchange Server needs to forward mail it receives from the Outlook MAPI clients to SMTP servers on the Internet. An Access Rule allowing outbound access to the following protocols may be required:

DNS (TCP and UDP 53)
SMTP (TCP 25)
A DNS Access Rules allows the Exchange SMTP service to resolve MX domain names. You can configure the Access Rule to allow only the Exchange Server access to it, or you can configure the Access Rule to allow all machines on the network to use it.

Access control on the DNS Access Rule depends on which machine is responsible for resolving the MX domain names. You might want to forward the DNS queries from the Exchange Server to an internal DNS server and let the DNS server on your internal network take care of name resolution.

The SMTP Access Rule is required for the Exchange Server to send out mail to external mail domains. Access controls on the SMTP Protocol Rule depend on which machine actually sends the mail to the external SMTP servers.

If the Exchange Server is sending the mail directly to the Internet SMTP servers, allow only the Exchange Server access to the SMTP Protocol Rule. If you are using an outbound SMTP relay, allow the relay access to the SMTP Protocol Rule. If you are using a mail relay, make sure the SMTP relay server has access to the DNS Protocol Rule are well, since it will need to resolve Internet MX mail domains. The exception to this requirement is if the SMTP relay (or the Exchange Server) is configured to use an internal DNS server, then allow only the internal DNS server to resolve Internet host names."

Where are these rules supposed to be configured.

Thanks.

---

quote:

---

Originally posted by JRV:
WS2003 Gold domain, Exchange 2003 SP1 on WS2003 Gold, ISA 2000 SP2 on Win 2003 Gold, Outlook 2003 SP1. Different external & internal domain names.

However, Outlook "just doesn't work" right now . At least it doesn't on the public Internet. The message from OL2003 on the remote machine is "Task 'Microsoft Exchange Server' reported error (0x8004011D): 'The server is not available. Contact your administrator if this condition persists.'"

I've gone over this article with a fine-toothed comb, as well as its several predecessors on your site. Also followed http://isaserver.org/articles/outlookrpcdns.html and http://isaserver.org/tutorials/2004illegaltldsplitdns.html. Still not working; can't figure out what I've overlooked.

Answering what seem to be the most frequent issues after scanning this board: Split DNS is set up, and I get correct internal and external name resolution when I ping the mail server names from inside and outside the LAN. The Exchange server is a SecureNAT client. I'm aware of the WS2003SP1 hotfix for ISA 2000 SP2, but we're still at WS2003 Gold. Client's ISP passes port 135 as does remote user's ISP.

Here are my questions:

1. You've documented this technique in several articles on isaserver.org & the ISA-Exchange Kit (we've been planning to do this for a long time, so I've read them all!). In prior versions, you've said it's necessary to create an external "A" record for a GC, similar to what you do for the Exchange server, pointing to the external IP. But this article adds discussion of the No RFR Service=1 value in the HKLM\...\MSExchangeSA parameters key. Does "No RFR Service=1" eliminate the need for the external GC "A" record and likewise in the internal split DNS zone that corresponds to the external domain name?

2. If it's necessary to have external "A" records for a GC, can I select any GC in the domain, or does it need to be all GCs?

3. Am I correct that because I have different external & internal domain names, I have to use a HOSTS file on the external client, since the MAPI profile records the FQDN of the internal name of the Exchange server?

4. In previous versions of this article, you said to put the NetBIOS name of the mail server in the HOSTS file. In this article, you said to use the FQDN...although in this case, HOSTS was used in lieu of Split DNS with the same internal & external domain name. Is the NetBIOS name correct for my situation (different ext. & int. names)?

---

quote:

---

Originally posted by JRV:
More info...

The ISA Server is behind a SOHO NAT router. Client says this is necessary for some reason with this particular ISP; can't recall his reason, and I've not confirmed it, and until now, it's not caused any difficulties beyond having to forward a few ports to ISA's external IP. But now I'm wondering if this is where the "Outlook Just Works" problem is.

Anyway, I've forwarded port 135 to the ISA Server external IP. The NAT router logs confirm that 135 is not being blocked...but I do notice that several inbound connection attempts to ephemeral ports from the remote IP ARE being blocked by the NAT router. I gather these are the ports Exchange opens for the RDP connection as described in your article.

I guess my next move is to see if the client will allow me to put the ISA Server in the NAT router's DMZ, at least for long enough to see if it makes "Outlook just work".

But I'd sure like it if anyone can confirm that this is a likely cause of the problem.

---

quote:

---

Originally posted by JRV:
Well, it seems I'm just posting to myself at this point, but for the benefit of any lurkers, putting the ISA server in the DMZ of the NAT router enabled it to work. Since the NAT router is accomplishing nothing at this point, I'm going to see if I can persuade the client to remove it.

But at least now "Outlook just works".

---

Hi J,
That's great! Sorry to take so long to find your posts

Thanks!
Tom

(in reply to tshinder)

quote:

---

Originally posted by techleet:
Hi Tom,

In regards to your Oulook Just Works ( Enabling Full Outlook Client Access Anywhere using the ISA FirewallĘs Secure Exchange RPC Filter) article... well.. mine Just Doesn't Work.

First off, my internal Win2k3 domain structure is this:

I migrated from NT4 domain to Win2k3 domain by doing a parallel install. I used the ADMT. NT4 domain was "MYDOMAIN" and the new Win2k3 domain is "CORP.MYDOMAIN.COM". Everything went smoothly, but I have to keep the NT4 PDC up and running because of a legacy app installed on it, which means I have to keep both "MYDOMAIN" and "CORP.MYDOMAIN.COM" up and running.

The aspect of Split DNS setup is eluding me. My exchange server internal address is AMBASSADOR.CORP.MYDOMAIN.COM. I have created an A Record on our External DNS for AMBASSADOR.CORP.MYDOMAIN.COM and pointed it to my ISA 2004 server. Of course, that zone doesn't really exist, per se, to the outside world, but it exists in-house, and it works just fine when I do an NSLOOKUP from the outside.

My question is this: Will this setup work for Outlook Just Works? Do I have to change my internal domain name to MYDOMAIN.COM? Is that even possible considering I already have MYDOMAIN as a Netbios/Nt4 domain name? They both would show up as MYDOMAIN in netbios.

Hmm... my head hurts.

---

quote:

---

Originally posted by Strato:
Hi,

this is good forum and I just had one question about ISA Server 2000 and its Firewall service.
Our customers connects via this ISA Server to their hosted mail server and it is published as RPC over HTTP. Their Outlook versions vary from Outlook 2000 to 2003.
Now we had situation where following warning was recorded to event log on ISA Server.
Type: Warning
User: N/A
Source: Microsoft Firewall RPC Filter
Category: none
Event ID: 20021

Description: The publlishing RPC service <ip-address:135> cannot be reached.

After this there is that connection is regained. But this happend several times per minute and it blocked some Outlook connections. Why it happend? Do you have any comments on this?

-Strato-

---

quote:

---

Originally posted by Jas Singh:
I would like to do this. I have Exchange 2000 and ISA 2000 Server can you please tell me that how can I accomplish this. You may call me at 559-479-2763.

Thansk,

---