SNAT Outbound SMTP fails

SNAT Outbound SMTP fails - 7.May2004 10:58:00 AM   
averhoek

 

Posts: 3
Joined: 27.Nov.2003
Status: offline
We want to route all internet traffic through our ISA server. ISA is configured for outbound and inbound SMTP traffic as described in "ISA Server SMTP Server support".
Our Exchange2000 server is a SNAT client.
We have no problems with DNS-resolving via ISA on our SNAT clients. Inbound SMTP is working properly, but outbound SMTP doesn't work at all. Mail messages are queued in the Exchange SMTP-connector.

I've analyzed the ISA logfiles. There I see that the outbound SMTP-sessions have sc-operation CONNECT and sc-status 13301 (Request denied by the firewall policy).

Then I did a little test. I've installed the Firewall client on our Exchange server.
After doing that, it was possible for me to set up an SMTP session with an external SMTP host (e.g. telnet host.domain.nl 25). In the logs I see a GHBN entry (sc-operation=0) and 2 Connect entries (port 25, sc-operation=0 resp. 20000).
Conclusion: the Outbound SMTP policy rule on ISA works fine, but only with a firewall client.

As far as I know, a firewall client can only function if you're logged in. Processes running under System Account can't use it.

So how can I solve my problem?

[ May 07, 2004, 11:00 AM: Message edited by: A.Verhoek ]
Post #: 1
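
The log triage described in the post above can be scripted. This is an added example, not part of the original thread: it reads a W3C extended log through its `#Fields:` header and counts policy denials (sc-status 13301) on port 25 that carry no user name, which is how SecureNAT traffic appears. The sample log is constructed, and every column name other than sc-operation and sc-status is an assumption.

```python
from collections import Counter

DENIED_BY_POLICY = "13301"  # status quoted in the post: request denied by the firewall policy

# Constructed sample, tab-separated. Column names other than sc-operation and
# sc-status are assumed for illustration and may differ in a real log.
SAMPLE_LOG = (
    "#Fields: c-ip\tcs-username\tr-host\tr-port\tsc-operation\tsc-status\n"
    "192.168.1.10\t-\tmail.example.net\t25\tConnect\t13301\n"
    "192.168.1.50\tCORP\\alice\twww.example.com\t80\tConnect\t0\n"
    "192.168.1.10\t-\tmail.example.org\t25\tConnect\t13301\n"
    "192.168.1.51\tCORP\\bob\tmail.example.net\t25\tConnect\t0\n"
    "192.168.1.60\t-\tmail.example.net\t25\tConnect\t13301\n"
)


def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields: directive as the header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def anonymous_smtp_denials(text, port="25"):
    """Count policy denials per source IP for requests that carried no user name."""
    hits = Counter()
    for rec in parse_w3c(text):
        anonymous = rec.get("cs-username", "-") in ("-", "")
        if rec.get("sc-status") == DENIED_BY_POLICY and rec.get("r-port") == port and anonymous:
            hits[rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in anonymous_smtp_denials(SAMPLE_LOG).items():
        print(f"{ip}: {count} anonymous SMTP request(s) denied by policy")
```

Each address it reports is a candidate for a client address set rule rather than a user/group rule.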
RE: SNAT Outbound SMTP fails - 7.May2004 10:33:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Verhoek,

It sounds like your outbound SMTP rule requires user/group based authentication. That's fine for workstations with the Firewall client installed. However, it is not advised to install the Firewall client on servers. So, because they should be set up as SecureNAT clients, you must make sure that your outbound SMTP rule applies to a client address set that has your internal SMTP server as a member. This is true for the protocol and the site&content rule.

HTH,
Stefaan

(in reply to averhoek)
Post #: 2
RE: SNAT Outbound SMTP fails - 14.May2004 10:16:00 AM   
averhoek

 

Posts: 3
Joined: 27.Nov.2003
Status: offline
Stephan, thanks for your response.

I have the following protocol rule:
Action : Allow
Protocol : SMTP
Schedule : Any
Applies to: Any request
I have only 1 Site and Content rule (default Allow rule):
Destination : All destinations
Schedule : Always
Action : Allowed
Applies to : Users and groups -> Everyone
HTTP content: All content

I've changed the "Applies to" from Everyone into Any Request. Now it's working fine.

[ May 14, 2004, 11:06 AM: Message edited by: A.Verhoek ]

(in reply to averhoek)
Post #: 3
RE: SNAT Outbound SMTP fails - 15.May2004 10:53:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Verhoek,

My advice is to use separate protocol and site&content rules for infrastructure servers such as DNS, SMTP, etc. and apply them to a client address set (IP addresses). You can then freely use user/group based membership on the rules for the workstations.

HTH,
Stefaan

(in reply to averhoek)
Post #: 4
RE: SNAT Outbound SMTP fails - 26.May2004 7:05:00 AM   
KevinSawyer

 

Posts: 15
Joined: 26.May2004
From: Fairview Heights, IL, USA
Status: offline
Why would you want to use the Firewall Client on an Exchange 2000 Server that could otherwise function perfectly as a Secure NAT Client?

I would do (and have done) the following:

1) Specify the ISA Server's private/internal IP address as the default gateway of the Exchange 2000 Server computer (thus making the Exchange 2000 Server computer a Secure NAT client).
2) Create a Client Address Set (under Policy Elements) which contains the IP address of the Exchange 2000 Server computer.
3) Create a Site and Content Rule (under Access Policy) which allows the newly-created Client Address Set to access All External Destinations.
4) Create a Protocol Rule (under Access Policy) which allows the newly-created Client Address Set to access All IP Traffic (or perhaps just the IP traffic required such as DNS and SMTP).
5) Create a Packet Filter Rule (under Access Policy) Custom Filter which allows outbound SMTP (TCP port 25) traffic. Also create a Packet Filter Rule using Pre-Defined SMTP rule which allows inbound TCP port 25 traffic on the default external interface(s) of the ISA Server.
7) Unless you are otherwise relaying inbound SMTP, create a Server Publishing Rule that publishes your Exchange 2000 Server computer for inbound SMTP.

This should be all you need and should be much simpler to troubleshoot and maintain than trying to use the Firewall Client. AFAIK the Firewall Client is designed to grab traffic from user-space WinSock applications and not system services.

Hope this helps...

--Kevin

(in reply to averhoek)
Post #: 5
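
Why the rule scoping discussed in this thread matters, as an added example that is not part of the original posts: a simplified model of allow-rule matching in which a request needs both a protocol rule and a site and content rule, and a user/group rule (even "Everyone") only matches when the request carries an identity. The classes, addresses and user names are hypothetical; deny rules and packet filters are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Request:
    src: str
    user: Optional[str]  # None models a SecureNAT client: no credentials are sent
    protocol: str


@dataclass
class Rule:
    kind: str            # "protocol" or "site_content"
    applies_to: str      # "any", "users" or "addresses"
    protocols: tuple = ("*",)
    users: tuple = ()
    networks: tuple = ()

    def matches(self, req):
        if "*" not in self.protocols and req.protocol not in self.protocols:
            return False
        if self.applies_to == "any":
            return True
        if self.applies_to == "users":
            # A user/group rule needs an identity, so anonymous requests never match it.
            return req.user is not None and ("Everyone" in self.users or req.user in self.users)
        return any(ip_address(req.src) in ip_network(n) for n in self.networks)


def allowed(req, rules):
    """A request passes only if a protocol rule AND a site and content rule match it."""
    return all(any(r.kind == k and r.matches(req) for r in rules)
               for k in ("protocol", "site_content"))


SERVERS = ("192.168.1.10/32",)  # hypothetical client address set holding the mail server
# Rule set as posted: SMTP for any request, site and content limited to Everyone.
ORIGINAL = [Rule("protocol", "any", protocols=("SMTP",)),
            Rule("site_content", "users", users=("Everyone",))]
# Separate server rules by address set; workstation rules stay user based.
SCOPED = [Rule("protocol", "addresses", protocols=("SMTP", "DNS"), networks=SERVERS),
          Rule("site_content", "addresses", networks=SERVERS),
          Rule("protocol", "users", protocols=("HTTP",), users=("Everyone",)),
          Rule("site_content", "users", users=("Everyone",))]
EXCHANGE_SNAT = Request("192.168.1.10", None, "SMTP")
EXCHANGE_FWC = Request("192.168.1.10", "CORP\\svc", "SMTP")
```

With the scoped rule set the mail server's anonymous SMTP passes, while an unauthenticated workstation sending SMTP is still refused.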
