Re: SMTP publishing

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 19 Dec 2005 13:20:29 -0800

Oh, well that's where I'm messing up. It's a 192.168.3.0 address on the perimeter network- can't get there from here. I guess I'll have to make the perimeter "internal" then?

t

-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 19, 2005 12:27 PM
Subject: [isalist] Re: SMTP publishing



http://www.ISAserver.org

Tim,

That's where I was going. When you have a route relationship, you point
to the actual IP address used by the published SMTP server. The ISA
listener will "port steal" the connection and forward it. Remember not
to use the same address (actually same socket) that you're using to
publish any other SMTP servers.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 19, 2005 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SMTP publishing

I've not swapped DNS to my secondary mail server yet.  mx for mail and mail2
currently point to external interface of my primary connection on a
different ISA box.  But I see where you are going- mx will point to the
external interface of the ISA box hosting the secondary connection.   As it
is, I telnet to the IP of the external interface, and the publishing rule
fails.  I know I didn't mention that part, but it's not relevant here (yet).

This has got to do with the way ISA is viewing the "perimeter" network
differently than the "internal" network.  I'm wondering if I should tell it I
have 2 internal networks rather than 1 internal and one perimeter.

Ideas?

t

-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 19, 2005 11:43 AM
Subject: [isalist] Re: SMTP publishing



OK, let me see if I have this straight:

1. Network Rule DMZ to External = Route
2. Publish DMZ SMTP Server to External Network

OK, here's a million dollar question:

Is DNS pointing to the IP address on the ISA firewall or the IP address
of the SMTP server?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Monday, December 19, 2005 11:40 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: SMTP publishing
>
> OK- pretty straightforward article... But here's the deal. In that config,
> they call the "perimeter network" the DMZ itself. As in this:
>
> DMZ
> |
> ISA Box
> |
> Internal Network.
>
>
> They publish SMTP from the External interface to the Internal Interface.
> Done it a million times. But in my case, this is a bit different:
>
> Internet
> |
> ISA Box --- Perimeter Network (DMZ)
> |
> Internal Network
>
> I want to publish from the External Interface into the DMZ- not into the
> Internal network. If I publish to the Internal, then it actually works.
> When I publish to the DMZ Perimeter, it says SMTP denied by the default rule
> from External to Local-Host. The Perimeter network here is set to route--
> but of course, I can't just set an access rule-- the DMZ is 192.168.3.0 and
> I must *publish* to it, not just route to it.
>
> Any ideas?
>
> t
>
>
>
>
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
>
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, December 19, 2005 9:11 AM
> Subject: [isalist] Re: SMTP publishing
>
>
> Enable SMTP service logging and get ready to fire up NetMon, but take a
> quick read of this great article that will shed some light on possible
> SMTP service issues and SMTP filtering at the ISA firewall.
>
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Monday, December 19, 2005 10:54 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: SMTP publishing
> >
> > Yo-
> >
> > I too have this funky issue with SMTP publishing just on this one box. This
> > one is an External, Internal, Perimeter Network setup-- when I go to publish
> > from the External IP to the Perimeter segment, the rule is in place just
> > fine, but I get the Default Rule denied the traffic. It showed that it
> > denied SMTP (not SMTP Server, btw) from the External to Local Host. The
> > network segments are set up correctly, with the right IPs and all. The
> > perimeter network is set to route. It just won't work.
> >
> > The only thing different about this box is that this is the one that still
> > shows "192.168.7.180" in my Domain Controller built-in Computer Sets that it
> > won't let me edit out. I did the whole ADSI Edit thing and ntdsutil, but
> > that site was gracefully removed, and it's no longer referenced anywhere. Odd
> > thing is that my perimeter network is 192.168.3.0 255.255.255.0 (NOT
> > 192.168.7.0) so I'm not sure what all the hubbub is about.
> >
> > Jim? Tom? Anyone?
> >
> > t
> >
> >
> > -----
> > "I may disapprove of what you say,
> > but I will defend to the death your
> > right to say it."
> >
> >
> > ----- Original Message -----
> > From: "Bunting, Jeff" <BUNTING@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, December 16, 2005 11:03 AM
> > Subject: [isalist] SMTP publishing
> >
> >
> > > I just created a rule to publish SMTP from my Exchange 2003 server, but
> > > I'm getting 0x8007274c errors on the ISA server when I try to telnet to
> > > port 25. I do establish a connection, but get no response.
> > >
> > > The Exchange server is a front end server and I have OWA and RPC over HTTP
> > > published through ISA for this same server. I can telnet to this server
> > > internally.
> > >
> > > I don't see anything written to the smtpsvc logs on Exchange and a netstat
> > > doesn't show any connection from the ISA server, so it looks like the
> > > external telnet connection to ISA is made OK, but traffic isn't making it
> > > from ISA to Exchange.
> > >
> > > Also, I can make a telnet connection from the console of ISA to the
> > > Exchange server.
> > >
> > > I'm stumped. Anyone have an idea?
> > >
> > > Jeff
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > thor@xxxxxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >