We want to route all internet traffic through our ISA server. ISA is configured for outbound and inbound SMTP traffic as described in "ISA Server SMTP Server support". Our Exchange 2000 server is a SNAT client. We have no problems with DNS resolving via ISA on our SNAT clients. Inbound SMTP is working properly, but outbound SMTP doesn't work at all. Mail messages are queued in the Exchange SMTP connector.
I've analyzed the ISA logfiles. There I see that the outbound SMTP-sessions have sc-operation CONNECT and sc-status 13301 (Request denied by the firewall policy).
Then I did a little test. I installed the Firewall client on our Exchange server. After doing that, it was possible for me to set up an SMTP session with an external SMTP host (e.g. telnet host.domain.nl 25). In the logs I see a GHBN entry (sc-operation=0) and 2 Connect entries (port 25, sc-operation=0 resp. 20000). Conclusion: the Outbound SMTP policy rule on ISA works fine, but only with a firewall client.
As far as I know, a firewall client can only function if you're logged in. Processes running under System Account can't use it.
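The diagnosis above rests on reading the ISA firewall log for CONNECT entries to port 25 with sc-status 13301. The script below is an added example, not code from the thread or from Microsoft: it parses W3C-style log text (the `#Fields:` header declares the column order, so the exact ISA column layout is not assumed) and reports which internal hosts had outbound SMTP connects denied by policy, and which of those were unauthenticated, which is what a SecureNAT server hitting a user/group-based rule looks like. The sample log lines and the use of `anonymous` as the user name for unauthenticated clients are constructed assumptions.

```python
"""Find outbound SMTP CONNECTs denied by ISA firewall policy (sc-status 13301).

Added example for the thread above. The log below is a constructed sample in
W3C extended format; the '#Fields:' header drives the parser, so the column
order is an assumption of this sample, not a statement about ISA's real layout.
"""
from collections import defaultdict

DENIED_BY_POLICY = 13301   # sc-status quoted in the thread: "Request denied by the firewall policy"
SMTP_PORT = 25
ANON_USER = "anonymous"    # assumed marker for an unauthenticated (SecureNAT) client

# Constructed sample: one SecureNAT host (192.168.1.10) denied twice, one
# Firewall-client workstation (192.168.1.22) allowed. Field order is assumed.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Fields: c-ip cs-username date time r-host r-ip r-port cs-protocol s-operation sc-status
192.168.1.10 anonymous 2002-01-10 10:00:01 host.domain.nl 10.0.0.5 25 SMTP CONNECT 13301
192.168.1.10 anonymous 2002-01-10 10:00:05 host.domain.nl 10.0.0.5 25 SMTP CONNECT 13301
192.168.1.10 anonymous 2002-01-10 10:00:06 - 10.0.0.2 53 DNS GHBN 0
192.168.1.22 DOMAIN\\alice 2002-01-10 10:01:00 host.domain.nl 10.0.0.5 25 SMTP CONNECT 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the directive
            continue
        if line.startswith("#"):
            continue                         # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                         # skip malformed or truncated lines
        records.append(dict(zip(fields, values)))
    return records


def denied_smtp_connects(records):
    """Return {client_ip: count} of CONNECTs to TCP 25 that policy denied."""
    hits = defaultdict(int)
    for r in records:
        if (r.get("s-operation", "").upper() == "CONNECT"
                and r.get("r-port") == str(SMTP_PORT)
                and r.get("sc-status") == str(DENIED_BY_POLICY)):
            hits[r["c-ip"]] += 1
    return dict(hits)


def unauthenticated_denied_clients(records):
    """Client IPs whose denied SMTP connects carried no user identity.

    These are the hosts a user/group-based protocol or site&content rule can
    never match; the fix from the thread is a client address set rule for them.
    """
    clients = set()
    for r in records:
        if (r.get("s-operation", "").upper() == "CONNECT"
                and r.get("r-port") == str(SMTP_PORT)
                and r.get("sc-status") == str(DENIED_BY_POLICY)
                and r.get("cs-username", ANON_USER) == ANON_USER):
            clients.add(r["c-ip"])
    return clients


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, n in sorted(denied_smtp_connects(recs).items()):
        print(f"{ip}: {n} outbound SMTP connect(s) denied by policy")
    for ip in sorted(unauthenticated_denied_clients(recs)):
        print(f"{ip}: denied without a user identity; needs an IP-based (client address set) rule")
```

Point the parser at an exported ISA firewall log instead of `SAMPLE_LOG`; any host reported by `unauthenticated_denied_clients` is a SecureNAT client that an "Applies to: Users and groups" rule cannot match.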
It sounds like your outbound SMTP rule requires user/group-based authentication. That's fine for workstations with the Firewall client installed. However, it is not advised to install the Firewall client on servers. So, because they should be set up as SecureNAT clients, you must make sure that your outbound SMTP rule applies to a client address set whose member is your internal SMTP server. This is true for both the protocol rule and the site&content rule.
I have the following protocol rule:
Action: Allow
Protocol: SMTP
Schedule: Any
Applies to: Any request

I have only 1 Site and Content rule (default Allow rule):
Destination: All destinations
Schedule: Always
Action: Allowed
Applies to: Users and groups -> Everyone
HTTP content: All content
I've changed the "Applies to" from Everyone into Any Request. Now it's working fine.
My advice is to use separate protocol and site&content rules for infrastructure servers such as DNS, SMTP, etc. and apply them to a client address set (IP addresses). You can then freely use user/group-based membership on the rules for the workstations.
Why would you want to use the Firewall Client on an Exchange 2000 Server that could otherwise function perfectly as a Secure NAT Client?
I would do (and have done) the following:
1) Specify the ISA Server's private/internal IP address as the default gateway of the Exchange 2000 Server computer (thus making the Exchange 2000 Server computer a Secure NAT client).
2) Create a Client Address Set (under Policy Elements) which contains the IP address of the Exchange 2000 Server computer.
3) Create a Site and Content Rule (under Access Policy) which allows the newly-created Client Address Set to access All External Destinations.
4) Create a Protocol Rule (under Access Policy) which allows the newly-created Client Address Set to access All IP Traffic (or perhaps just the IP traffic required such as DNS and SMTP).
5) Create a Packet Filter Rule (under Access Policy) Custom Filter which allows outbound SMTP (TCP port 25) traffic. Also create a Packet Filter Rule using the Pre-Defined SMTP rule which allows inbound TCP port 25 traffic on the default external interface(s) of the ISA Server.
7) Unless you are otherwise relaying inbound SMTP, create a Server Publishing Rule that publishes your Exchange 2000 Server computer for inbound SMTP.
This should be all you need and should be much simpler to troubleshoot and maintain than trying to use the Firewall Client. AFAIK the Firewall Client is designed to grab traffic from user-space WinSock applications and not system services.