SNAT Outbound SMTP fails



averhoek -> SNAT Outbound SMTP fails (7.May2004 10:58:00 AM)

We want to route all internet traffic through our ISA server. ISA is configured for outbound and inbound SMTP traffic as described in "ISA Server SMTP Server support".
Our Exchange2000 server is a SNAT client.
We have no problems with DNS-resolving via ISA on our SNAT clients. Inbound SMTP is working properly, but outbound SMTP doesn't work at all. Mail messages are queued in the Exchange SMTP-connector.

I've analyzed the ISA logfiles. There I see that the outbound SMTP-sessions have sc-operation CONNECT and sc-status 13301 (Request denied by the firewall policy).

Then I did a little test. I've installed the Firewall client on our Exchange-server.
After doing that, it was possible for me to set up an SMTP session with an external SMTP host (e.g. telnet 25). In the logs I see a GHBN entry (sc-operation=0) and 2 Connect entries (port 25, sc-operation=0 resp. 20000).
Conclusion: the Outbound SMTP policy rule on ISA works fine, but only with a firewall client.

As far as I know, a firewall client can only function if you're logged in. Processes running under System Account can't use it.

So how can I solve my problem?

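As an added example (not from the thread), here is a small Python script that parses an ISA Server 2000 W3C-format firewall log and flags outbound port-25 requests denied with sc-status 13301, the pattern averhoek describes above. The field list and the sample records are constructed assumptions modelled on the ISA 2000 log layout, with documentation-range addresses.

```python
from collections import Counter

# Constructed sample log (assumed field layout, not a real capture).
SAMPLE_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Fields: c-ip c-username date time r-host r-ip r-port cs-protocol cs-transport sc-operation sc-status
10.0.0.5 anonymous 2004-05-07 10:40:01 - 192.0.2.10 25 SMTP TCP CONNECT 13301
10.0.0.5 anonymous 2004-05-07 10:40:31 - 192.0.2.10 25 SMTP TCP CONNECT 13301
10.0.0.5 anonymous 2004-05-07 10:41:02 - 198.51.100.7 25 SMTP TCP CONNECT 13301
10.0.0.5 anonymous 2004-05-07 10:41:05 - 192.0.2.53 53 DNS UDP - 0
10.0.0.21 DOMAIN\\alice 2004-05-07 10:42:10 mx.example.net 192.0.2.10 25 SMTP TCP CONNECT 0
"""

POLICY_DENIED = "13301"  # sc-status quoted in the thread: request denied by the firewall policy


def parse_w3c(text):
    """Yield one dict per data record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed record rather than mis-align columns
        yield dict(zip(fields, values))


def denied_smtp_by_client(text, port="25"):
    """Count firewall-policy denials of outbound traffic to `port` per internal client."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("r-port") == port and rec.get("sc-status") == POLICY_DENIED:
            counts[rec["c-ip"]] += 1
    return dict(counts)


def anonymous_denials(text):
    """Clients whose denied requests carry no user name: what a SecureNAT client looks
    like when the rule is scoped to users/groups instead of a client address set."""
    return sorted({rec["c-ip"] for rec in parse_w3c(text)
                   if rec.get("sc-status") == POLICY_DENIED and rec.get("c-username") == "anonymous"})


if __name__ == "__main__":
    for ip, n in denied_smtp_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {n} outbound SMTP request(s) denied by policy")
```

Point the script at a real FWSEXT log and an internal mail server appearing in both lists is the case this thread resolves: a SecureNAT host hitting a rule that requires authentication.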

spouseele -> RE: SNAT Outbound SMTP fails (7.May2004 10:33:00 PM)

Hi Verhoek,

it sounds like your outbound SMTP rule requires user/group based authentication. That's fine for workstations with the Firewall client installed. However, it is not advised to install the Firewall client on servers. So, because they should be set up as SecureNAT clients, you must make sure that your outbound SMTP rule applies to a client address set whose member is your internal SMTP server. This is true for the protocol and the site&content rule.


averhoek -> RE: SNAT Outbound SMTP fails (14.May2004 10:16:00 AM)

Stephan, thanks for your response.

I have the following protocol rule:
Action : Allow
Protocol : SMTP
Schedule : Any
Applies to: Any request
I have only 1 Site and Content rule (default Allow rule):
Destination : All destinations
Schedule : Always
Action : Allowed
Applies to : Users and groups -> Everyone
HTTP content: All content

I've changed the "Applies to" from Everyone into Any Request. Now it's working fine.


spouseele -> RE: SNAT Outbound SMTP fails (15.May2004 10:53:00 AM)

Hi Verhoek,

my advice is to use separate protocol and site&content rules for infrastructure servers such as DNS, SMTP, etc. and apply them to a client address set (IP addresses). You can then freely use user/group based membership on the rules for the workstations.


KevinSawyer -> RE: SNAT Outbound SMTP fails (26.May2004 7:05:00 AM)

Why would you want to use the Firewall Client on an Exchange 2000 Server that could otherwise function perfectly as a Secure NAT Client?

I would do (and have done) the following:

1) Specify the ISA Server's private/internal IP address as the default gateway of the Exchange 2000 Server computer (thus making the Exchange 2000 Server computer a Secure NAT client).
2) Create a Client Address Set (under Policy Elements) which contains the IP address of the Exchange 2000 Server computer.
3) Create a Site and Content Rule (under Access Policy) which allows the newly-created Client Address Set to access All External Destinations.
4) Create a Protocol Rule (under Access Policy) which allows the newly-created Client Address Set to access All IP Traffic (or perhaps just the IP traffic required such as DNS and SMTP).
5) Create a Packet Filter Rule (under Access Policy) Custom Filter which allows outbound SMTP (TCP port 25) traffic. Also create a Packet Filter Rule using Pre-Defined SMTP rule which allows inbound TCP port 25 traffic on the default external interface(s) of the ISA Server.
6) Unless you are otherwise relaying inbound SMTP, create a Server Publishing Rule that publishes your Exchange 2000 Server computer for inbound SMTP.

This should be all you need and should be much simpler to troubleshoot and maintain than trying to use the Firewall Client. AFAIK the Firewall Client is designed to grab traffic from user-space WinSock applications and not system services.

Hope this helps...

