Re: Exchange Problem

  • From: "Dominic" <emaildominic@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Apr 2005 06:14:44 +0530

Increased security in windows 2003 sp 1. SCW ( Security configuration Wizard) 
might be the culprit. From the control panel , open the windows firewall and 
see if any know port is blocked.

Also read this blog . I am sure this will help. You also have a roll back 
option of SCW.

Now that Windows 2003 SP1 is out, I wanted to mention a tool that has shipped 
as part of Windows 2003 SP1. While the tool itself is not installed by SP1, the 
shortcut to the Help file is placed on the server desktop when SP1 is installed.

What does that have to do with Exchange? About the tool:

Security Configuration Wizard (SCW) is an attack surface reduction tool that is 
part of Windows Server 2003 SP1.  SCW uses a roles-based metaphor (e.g. "File 
Server", "Web Server", "Domain Controller", etc.) to determine the desired 
functionality of a particular type of server, then disables functionality that 
is not required for the role(s) the server needs to perform.  Specifically, SCW:

    - Disables unneeded services
    - Blocks unused ports
    - Allows further (address or security) restrictions for ports that are left 
    - Prohibits unnecessary web extensions (if running IIS)
    - Reduces Protocol Exposure (SMB, LanMan, LDAP)
    - Defines an Audit Policy

SCW guides you through the process of creating, editing, applying, or rolling 
back a security policy based on the selected roles of the server. The security 
policies that are created with SCW are XML files that, when applied, configure 
services, network security, specific registry values, audit policy, and if 
applicable, Internet Information Services (IIS).

So - really, what does all this have to do with Exchange, you ask?

There is a known issue with Exchange server installed into a non-default path 
(something other than %ProgramFiles%\Exchsrvr) where SCW is run and application 
of resultant policy might cause Exchange Server not to be accessible by clients 
anymore. The possible gotcha is in the "Network Security" portion of SCW which 
configures the Windows Firewall. This portion of SCW is used to turn on and add 
exceptions to the Windows Firewall. Exceptions are added by pointing the 
Windows Firewall to the EXE file to the application that is exempt from 
firewall blocking. SCW however expects those applications (in our case - 
services) to be in their default installation paths.

Now, before we start to get nervous, we should understand that the SCW will 
indicate to the Administrator if it runs into this problem. In other words - 
the UI will indicate there are issues with services that were "not found", and 
the Admin will have a chance to correct this before any changes are made to 
server configuration.

Once you get to the SCW part that configures Network Security, and if you are 
running SCW on the server that is not installed into the default installation 
path, you will see this:

In above example - the MTA Stacks, System Attendant and Store are the services 
that SCW expects to find in one location, but the actual EXE files are not 
physically there. If we continued to run SCW here and said YES to the popup 
that will warn you that some services were not found - after the server reboot, 
those services would not be accessible by their clients, as Windows Firewall 
would block their ports.

Please see the following article for information how to configure SCW to point 
to valid file locations, as well as how to recover if the server is already in 
the situation where services are blocked by Windows Firewall after SCW policy 
was applied:

896742 After you run the Security Configuration Wizard in Windows Server 2003

There are few extra things I wanted to mention on this:

At the end of the SCW run, you will save the policy under a name you can 
choose. SCW lets you then take this policy and apply it to other servers in 
your Organization.

The possible problem here is - if the policy was created on the "default 
installation path" Exchange server, it will cause problems after import on the 
"non-default installation path" Exchange server, and vice versa. The above 
warnings (and a chance to correct them before policy application) are seen only 
during the policy creation not during the policy import.

Additionally - assuming that Windows Firewall was activated on the server and 
exceptions were added to the firewall policy, if administrator then adds a 
component or a service to the server (for example, POP3, IMAP4 or SRS are 
enabled) - the service will effectively be blocked from it's clients until the 
SCW is re-run, the added service is approved through it and policy is 
reapplied. Alternatively, you can manually add the service into exceptions of 
Windows Firewall.

I personally love the tool, but - we just have to be careful when using it!


  ----- Original Message ----- 
  From: Andrew English 
  To: [ExchangeList] 
  Sent: Thursday, April 14, 2005 4:56 AM
  Subject: [exchangelist] Exchange Problem

  It seems that I am having a problem with my exchange server since I install 
SP1 for Windows 2003 Server. I am running Exchange Enterprise 2003 and use one 
storage system for 3 domains, the main one and the other two 
which are UPN addresses. The issue is that I can receive emails on my other 2 
domain UPN addresses without any problem, its my (primary) 
that is no longer working. When I send email to my SR accounts from an external 
source the bounce, however if I telnet to I get my 
exchange box.


  Also I am not getting any errors in the logs, I also see the email leaving my 
machine via Trend's ScanMail monitor but it doesn't go anywhere. (shrug)


  Any ideas?





  List Archives:
  Exchange Newsletters:
  Exchange FAQ:
  Other Internet Software Marketing Sites:
  World of Windows Networking:
  Leading Network Software Directory:
  No.1 ISA Server Resource Site:
  Windows Security Resource Site:
  Network Security Library:
  Windows 2000/NT Fax Solutions:
  You are currently subscribed to this Discussion List as: 
  To unsubscribe visit
  Report abuse to listadmin@xxxxxxxxxxxxxx 

Other related posts: