Hi, this is breaking my heart because I had it working before I rebuilt ISA. Here goes: my users can send/receive email through my Exchange server published through ISA. However, when they try to access their internet mail in their mailboxes on their ISP's mail server they can't. They're using Outlook with the internet mail service. They have the firewall client enabled and working. I've enabled a protocol rule using the built-in packet filters, but no go...
As Krusty would say "...so I'm an IDIOT.."! Be that as it may, what am I doing wrong? Configuration: ISA SP1, FP1; W2K SP4.
What exactly do you mean by "I've enabled a protocol rule using the built-in packet filters"?
You should allow the POP3 and SMTP protocol in a protocol rule and of course have a site&content rule allowing access to the required destination.
Now, if something isn't working as expected, you should consult the ISA logfiles. They are your primary resource for debugging. To get the most information out of the logfiles, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.
For testing purposes I always recommend first creating an open protocol rule (all IP traffic, any request) and an open site&content rule (any destination, any content, any request). Once that is working you can fine-tune the configuration.
Yep, got an open protocol rule functioning. The current situation is as follows: modified my protocol rule to all destinations (instead of just the IP of the ISP's mail server). Changed the Applies To to everyone (instead of a restricted set of accounts).
This is the one that kills me: disabled the firewall client on the client PC and BINGO! Mail flows.
The thing is, I thought that the firewall client was necessary for the Outlook client or Outlook Express to function.
BTW, all my internal PC clients are configured as web proxy clients and firewall clients.
Might I be missing a patch or SP?
Current config W2k SP4 ISA SP1 FP1. No other mods.
You said "Modified my protocol rule to all destinations". You probably mean the site&content rule. Isn't it?
If it works only if you disable the Firewall client, then that means to me that the PC clients are also configured as SecureNAT clients.
So, let's first check out your basic ISA server configuration. I suggest you use Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html as a baseline. Next check the LAT and make sure the LAT contains *only* the IP range used on the internal network. Lastly, how is your DNS infrastructure set up?
The client PCs are DHCP clients and they pick up the IP of the internal VLAN router (192.168.1.2) as their default GW, which routes to the internal IF of ISA (192.168.1.1). The client PCs have IE6 configured to be web proxy clients, pointing at the internal IP of the ISA and bypassing it for local traffic. The firewall client updates from ISA successfully when the Update Now button is clicked. The good advice to double-check the ISA IF settings was followed. Nothing looked to be wrong, but I'll give you some more details on my setup which might help you shine a light on the problem.
My ISA is tri-homed.
Internal (192.168.): two internal DNS servers, no default GW.
External (172.25.7): it actually connects to a private packet-switched network, and out to the Internet through another firewall (not ISA). This firewall is not on my site and I have no control over it.
The external IF of my ISA has a default GW of this firewall's internal IF. Two DNS servers are configured on the external ISA IF: one has an IP on the 172.25 network; the second is a public DNS server belonging to the ISP that holds our POP3 mail.
The third IF is called INTRA. Its IP range is 10.100.34. It has no default GW. There are two DNS servers on this network and they are configured on the INTRA IF. (You might be surprised that this setup works at all.)
I'm going to reinstall the firewall client on a test PC (it was installed prior to my rebuilding ISA, so a fresh copy can't hurt?).
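The LAT check suggested earlier in the thread ("the LAT contains *only* the IP range used on the internal network"), applied to the tri-homed layout just described, as an added example that is not part of this thread and not ISA's own tooling. The interface subnets, the /24 masks and both LAT tables are constructed (the thread gives only leading octets); the "too wide" LAT is the shape you get when every RFC 1918 block is ticked in the LAT wizard, which on a box whose other legs also use private space pulls the external and INTRA subnets into the "internal" side:

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed layout modelled on the tri-homed ISA in the thread.
# The thread gives only leading octets, so the /24 masks are assumptions.
INTERFACES = {
    "Internal": ip_network("192.168.1.0/24"),
    "External": ip_network("172.25.7.0/24"),
    "INTRA":    ip_network("10.100.34.0/24"),
}

# Constructed LAT as ISA stores it: (first address, last address) ranges.
# This is what the LAT wizard produces when all three private blocks are
# ticked; it is wrong here because the other two legs use private space too.
LAT_TOO_WIDE = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]

# The same LAT trimmed to the routed internal networks only (constructed).
# A routed internal network needs every internal VLAN listed, not just the
# subnet the ISA internal interface sits on.
LAT_TRIMMED = [
    ("192.168.0.0", "192.168.255.255"),
]


def lat_to_networks(lat_ranges):
    """Expand ISA-style first/last address ranges into CIDR blocks."""
    nets = []
    for first, last in lat_ranges:
        nets.extend(summarize_address_range(ip_address(first), ip_address(last)))
    return nets


def check_lat(lat_ranges, interfaces, internal_names=("Internal",)):
    """Return a list of problem strings; an empty list means the LAT covers
    the internal interface subnet(s) and touches no other interface's subnet."""
    problems = []
    lat_nets = lat_to_networks(lat_ranges)
    for name, ifnet in interfaces.items():
        covered = any(ifnet.subnet_of(n) for n in lat_nets)
        overlapping = [str(n) for n in lat_nets if n.overlaps(ifnet)]
        if name in internal_names and not covered:
            problems.append(f"{name} subnet {ifnet} is not in the LAT")
        if name not in internal_names and overlapping:
            problems.append(f"{name} subnet {ifnet} overlaps LAT entries {overlapping}")
    return problems


if __name__ == "__main__":
    for label, lat in (("wide LAT", LAT_TOO_WIDE), ("trimmed LAT", LAT_TRIMMED)):
        print(label, "->", check_lat(lat, INTERFACES) or "OK")
```

Any address that falls inside the LAT is treated by ISA as internal, so a LAT entry that also covers an external or INTRA subnet is the first thing to rule out before looking at rules or DNS.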
OK, first of all I would slightly change the internal routing infrastructure and place the ISA internal interface on a separate VLAN. That will optimize the routing a little bit.
Because you have an internal routed network and the default gateway of the internal network is the ISA internal interface, all internal hosts are SecureNAT clients too!
Next, are all those DNS server entries needed on the ISA interfaces? I suspect a DNS problem with such a configuration. Let's explain it a little bit more.
By default the ISA server performs the DNS resolving on behalf of Web Proxy and Firewall clients. However, a SecureNAT client must be able to resolve FQDNs on its own. I assume now that all the clients have DNS entries pointing to the internal DNS servers. So, when you disable the Firewall client, the host will behave as a SecureNAT client for non-HTTP/HTTPS traffic and the internal DNS servers will be used. However, if the Firewall client is enabled, the host will behave as a Firewall client for non-HTTP/HTTPS traffic and ISA will very likely do the DNS resolving.
Now, you can check out my little theory in two ways:
- check out the Firewall log: when the Firewall client is enabled you should find some entries with operation=GHBN (Get Host By Name).
- with the Firewall client enabled, try to access the mailboxes by IP address instead of by FQDN. That should work.
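The firewall-log check proposed in this reply, as an added example that is not part of the thread and not an ISA or Microsoft tool: a small Python script that parses a constructed W3C-format firewall log, takes the column order from the "#Fields:" header instead of hard-coding it, and reports which client IPs have GHBN entries (name lookups done by ISA on the client's behalf, i.e. firewall-client behaviour), which of those lookups did not succeed, and which clients simply connected to a mail port by IP. The header line, the reduced field list, the usernames, addresses and result codes are all constructed; treating result code 0 as success is an assumption.

```python
from collections import defaultdict

# Constructed sample log, loosely following the W3C extended format ISA writes.
# The field list is a reduced one of our own; because the parser reads the
# "#Fields:" header, a real log with more columns is handled the same way.
SAMPLE_LOG = """\
#Software: constructed sample, not a real ISA header
#Fields: c-ip cs-username date time r-host r-ip r-port cs-protocol s-operation sc-status
192.168.1.50 DOMAIN\\alice 2004-01-12 09:01:02 pop.example-isp.net - - - GHBN 0
192.168.1.50 DOMAIN\\alice 2004-01-12 09:01:02 pop.example-isp.net 198.51.100.10 110 POP3 Connect 0
192.168.1.51 anonymous 2004-01-12 09:02:15 - 198.51.100.10 110 POP3 Connect 0
192.168.1.52 DOMAIN\\bob 2004-01-12 09:03:40 mail.example-isp.net - - - GHBN 11001
"""

MAIL_PORTS = {"110", "25"}  # POP3 and SMTP, the protocols the thread is about


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def classify_clients(records):
    """Per client IP: names ISA resolved for it (GHBN), lookups whose result
    code was not 0 (assumed to mean failure), and connects to mail ports."""
    report = defaultdict(lambda: {"ghbn": [], "ghbn_failed": [], "mail_connects": 0})
    for r in records:
        entry = report[r["c-ip"]]
        op = r["s-operation"]
        if op == "GHBN":
            entry["ghbn"].append(r["r-host"])
            if r["sc-status"] != "0":
                entry["ghbn_failed"].append(r["r-host"])
        elif op == "Connect" and r["r-port"] in MAIL_PORTS:
            entry["mail_connects"] += 1
    return dict(report)


def resolving_via_isa(report):
    """Client IPs that let ISA resolve names, i.e. behaving as Firewall clients."""
    return sorted(ip for ip, e in report.items() if e["ghbn"])


if __name__ == "__main__":
    rep = classify_clients(parse_w3c(SAMPLE_LOG))
    for ip in sorted(rep):
        e = rep[ip]
        print(f"{ip}: GHBN for {e['ghbn'] or 'nothing'}, failed {e['ghbn_failed']}, "
              f"mail connects {e['mail_connects']}")
    print("resolving through ISA:", resolving_via_isa(rep))
```

A client that shows up with GHBN entries is having its lookups answered by ISA, which here means the DNS servers configured on the ISA interfaces rather than the internal ones; a GHBN line with a non-zero result code against the ISP's mail host is exactly the symptom the theory above predicts, while a client with only Connect entries to port 110 by IP resolved the name itself as a SecureNAT client.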
Blimey! That clarifies the issue perfectly. I've been scratching my, oh let's say head, for the past few days over the firewall client problem and you've solved it. Many thanks. I'll check out the logs tomorrow to test your prognosis. Best of luck,