Well, it doesn't work well in a non-enterprise setup for an enterprise network for one. Our boss wanted to save some money and bought the standard version, which pretty much tied our hands on a lot of things. It took us over a year to get it configured correctly as there was scant documentation when we started using it. (Thank God for Google.)

We had problems with the services dying but not appearing to be dead. The services were all running, but no traffic was getting out or in. We couldn't use the web publishing rules without setting up host files on the server and the web servers. We had to install certificates in both the firewall and the web servers for all of our hosted web sites. Not to mention the fact that web publishing rules do not pass the origination IP address to the web servers. We had to switch all of our web rules over to server publishing rules with custom protocols set up for HTTP. Also, there is no scripting for remote management. You can use the ISA MMC console, but you cannot script in standard edition from a remote machine.

Most of the issues could have been resolved with an upgrade to enterprise edition and an array created with more than one ISA server. The concept is not a bad one; however, firewall and proxy should probably be kept on separate devices. I also didn't like having to restart the firewall and proxy services every time I made a change. The new firewall we are using was much simpler to configure, manage and is more featured. We will probably bring ISA back up at some point as a proxy only so we can control our internal users' accesses. I wish I had kept a log of all of our issues, but then, no sense spamming this list with pages of bad stuff. :)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 2:11 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

Hi Chris,

Just out of curiosity, what was the problem with ISA?
I host about 15 email domains, complete SMTP, POP3, IMAP3, secure OWA, and secure RPC, SMTP spam whacking, the whole nine yards, complete inbound and outbound. No problems at all with about 99.99% uptime. All ISA on all gateways. I'd like to see in what kind of scenario that ISA doesn't work.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 12:07 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

Yeah, it's a fortinet firewall/av/content filter appliance. We just switched from MSISA to this as ISA was causing us no end of grief. We can live with this issue now that open relay is closed off. Thanks for the inputs though.

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 12:20 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

Well, I just tested it via telnet and you're not an open relay now, this is very interesting, so your firewall is actually modifying the SMTP Header, so it's more than just a firewall right?

Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel: 585 586 3890
Cell: 585 576 4750
Fax: 585 249 0316
www.4mcts.com
www.exchangetrainer.com

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 11:56 AM
To: [ExchangeList]

http://www.MSExchange.org/

No. It is set up just like in your document and in the MS documents. This is where my dilemma comes in. I have made the requested change that I told you about however and have submitted to ordb for a retest. I will let you know their results. All my other smtp traffic seems to be carrying on.
Though I do have a queue of over 9000 aol emails that can't seem to go out now. :)

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 11:46 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

And is the checkbox selected?

Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel: 585 586 3890
Cell: 585 576 4750
Fax: 585 249 0316
www.4mcts.com
www.exchangetrainer.com

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 11:45 AM
To: [ExchangeList]

http://www.MSExchange.org/

It is a *.

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 11:28 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

I would find it highly unlikely that your firewall is causing the problem, I have never seen a firewall cause Exchange to relay. On the SMTP Connector, is the address space * and do you have the "Allow messages to be relayed to these domains" checked?

Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel: 585 586 3890
Cell: 585 576 4750
Fax: 585 249 0316
www.4mcts.com
www.exchangetrainer.com

-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 11:22 AM
To: [ExchangeList]

http://www.MSExchange.org/

We do, but I have verified their settings as well. It looks like possibly it is relaying because the firewall is passing its internal address as the sender. One suggestion was to change "only the list below" with the internal IP range to "All except the list below" and add the internal IP of the firewall. I will give that a shot and let you know. If this is the solution, feel free to add it to your article.
My IT team got this information from the following:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=u9Q3TwpeDHA.1760%40TK2MSFTNGP09.phx.gbl&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dprevent%2Bopen%2Brelay%2Bexchange%2B2000%2Bbehind%2Bfirewall

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 9:57 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

Yes, you are indeed an open relay, unplug your Exchange server NOW, read my article again and double-check all your settings, do you have any SMTP Connectors?

Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel: 585 586 3890
Cell: 585 576 4750
Fax: 585 249 0316
www.4mcts.com
www.exchangetrainer.com

-----Original Message-----
From: Chris Allen [mailto:callen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 9:40 AM
To: [ExchangeList]

http://www.MSExchange.org/

I have read the article on http://www.msexchange.org/pages/article.asp?id=54 and Microsoft's knowledge base articles (310380, 314734, and 304897) and verified through each of these that my exchange server is not set up as an open relay. However, ORDB.org ran a test on it and lists it as such. When I found out about this, I attempted to send an open relay message from outside my network and was also able to do it. Any advice on how to stop open relay beyond what was published in these articles? We put in a new firewall two days ago (also the same day the site was submitted to ORDB) but I am not sure how a firewall would open relaying when exchange has it turned off. Any advice would be appreciated.

Thanks in advance.
Chris Allen
Systems Administrator

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: mark@xxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
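
The relay-restriction behaviour discussed in this thread, modelled as an added example that is not part of any poster's message and is not Exchange's or the firewall's own logic. The addresses, domain names, mode names and function names are all constructed for illustration; the model assumes the firewall presents its inside address as the source of every inbound connection, as the thread suspects.

```python
import ipaddress

# Constructed values (RFC 1918 / RFC 5737 ranges); none come from the thread.
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/24")
FIREWALL_INSIDE = ipaddress.ip_network("10.0.0.1/32")
LOCAL_DOMAINS = {"example.org"}          # domains the server hosts mail for
OUTSIDE_CLIENT = "203.0.113.25"          # arbitrary Internet host
INSIDE_CLIENT = "10.0.0.50"              # workstation on the LAN


def source_seen(client_ip, fw_rewrites_source):
    """Source address the mail server sees for a connection."""
    ip = ipaddress.ip_address(client_ip)
    if ip in INTERNAL_RANGE:
        return ip                         # LAN clients connect directly
    # Assumption: a source-rewriting firewall presents its inside address.
    return FIREWALL_INSIDE.network_address if fw_rewrites_source else ip


def may_relay(seen_ip, mode, listed):
    """Hypothetical model of the two relay-restriction modes in the thread."""
    in_list = any(seen_ip in net for net in listed)
    if mode == "only_list":
        return in_list
    if mode == "all_except_list":
        return not in_list
    raise ValueError(f"unknown mode: {mode}")


def accepts(client_ip, rcpt_domain, mode, listed, fw_rewrites_source):
    """True if a message for rcpt_domain from client_ip would be accepted."""
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True                       # inbound mail, not relaying
    return may_relay(source_seen(client_ip, fw_rewrites_source), mode, listed)


def is_open_relay(mode, listed, fw_rewrites_source):
    """Open relay: an outside host can send to a domain we do not host."""
    return accepts(OUTSIDE_CLIENT, "elsewhere.test", mode, listed,
                   fw_rewrites_source)


if __name__ == "__main__":
    cases = [
        ("only_list", [INTERNAL_RANGE], False),
        ("only_list", [INTERNAL_RANGE], True),
        ("all_except_list", [FIREWALL_INSIDE], True),
        ("all_except_list", [FIREWALL_INSIDE], False),
    ]
    for mode, listed, rewrite in cases:
        print(f"{mode:16} rewrite={rewrite!s:5} "
              f"open_relay={is_open_relay(mode, listed, rewrite)}")
```

In this model the "all except the list below" setting closes the relay only while the firewall keeps rewriting the source address; the last case shows the server relaying for outside hosts again once their real addresses are visible.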