Re: SMTP publishing

  • From: "JosephK" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 19 Dec 2005 22:48:22 -0800

Would you still want to remove client for windows networks on all the
external interfaces?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, December 19, 2005 7:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SMTP publishing

http://www.ISAserver.org

Sure you can. When the "external" interface is on a private address
network and the client is on a private address network too. Sounds like
this isn't your scenario. I'm thinking of this type of scenario:

Inbound SMTP relay on private address DMZ between FE and BE ISA
firewalls
Route relationship between the SMTP server on the "internal" network. 

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Monday, December 19, 2005 8:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: SMTP publishing
> 
> You said I had to actually hit the SMTP server address, not the ISA external
> interface address for the "route" deal to work.  You can't hit the 1918
> address externally...
>
> That being said, changing the source network to the Perimeter and the
> destination to External with NAT worked.  Thing is, in a route, you'd want
> it the other way around... But to make the relationship the same as an
> "Internal" network, that's what I had to do.
>
> I'm going to see if the reverse direction in "route" will work as well-- but
> even if it does, I don't think I was a route relationship from the External
> to the DMZ, right?  Or will it not matter for the same reason I just stated
> above re: 1918?
> 
> t
> 
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
> 
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, December 19, 2005 6:39 PM
> Subject: [isalist] Re: SMTP publishing
> 
> 
> Why? If the "external" interface of the ISA firewall is on a private
> address segment, you could use private addresses in the DMZ.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Monday, December 19, 2005 8:33 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: SMTP publishing
> >
> > I'll find out in a bit-- that's the part that is confusing me... But hell,
> > it won't work now, so we'll see.  I server publish the SMTP server address
> > in a route relationship would mean that you could never have a 1918 address
> > in the perimeter...
> >
> > t
> >
> > -----
> > "I may disapprove of what you say,
> > but I will defend to the death your
> > right to say it."
> >
> >
> > ----- Original Message ----- 
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, December 19, 2005 6:22 PM
> > Subject: [isalist] Re: SMTP publishing
> >
> >
> > You sure about that?
> >
> > I thought I tested it and the port stealing thingie worked. Now I need
> > to test again!
> >
> > Thanks!
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Monday, December 19, 2005 3:15 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: SMTP publishing
> > >
> > > Here's the catch:
> > > Server publishing is *non-functional* if the source and
> > > destination networks have a "route" relationship.
> > > If you want to s-pub a host in the DMZ net, you need to
> > > create a NAT relationship between the external net and that host.
> > >
> > >
> > > -------------------------------------------------------
> > >    Jim Harrison
> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >    http://isaserver.org/Jim_Harrison/
> > >    http://isatools.org
> > >    Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > >
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > Sent: Monday, December 19, 2005 09:40
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: SMTP publishing
> > >
> > > OK- pretty straight forward article... But here's the deal.
> > > In that config, they call the "perimeter network" the DMZ
> > > itself.  As in this:
> > >
> > > DMZ
> > >   |
> > > ISA Box
> > >   |
> > > Internal Network.
> > >
> > >
> > > They publish SMTP from the External interface to the Internal
> > > Interface.
> > > Done it a million times.  But in my case, this is a bit different:
> > >
> > > Internet
> > >   |
> > > ISA Box ---  Perimeter Network (DMZ)
> > >   |
> > > Internal Network
> > >
> > > I want to publish from the External Interface into the DMZ-
> > > not into the Internal network.  If I publish to the Internal,
> > > then it actually works.
> > > When I publish to the DMZ Perimeter, it says SMTP denied by
> > > the default rule from External to Local-Host.  The Perimeter
> > > network here is set to route-- but of course, I can't just
> > > set an access rule-- the DMZ is 192.168.3.0 and I must
> > > *publish* to it, not just route to it.
> > >
> > > Any ideas?
> > >
> > > t
> > >
> > >
> > >
> > >
> > > -----
> > > "I may disapprove of what you say,
> > > but I will defend to the death your
> > > right to say it."
> > >
> > >
> > > ----- Original Message -----
> > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Monday, December 19, 2005 9:11 AM
> > > Subject: [isalist] Re: SMTP publishing
> > >
> > >
> > > Enable SMTP service logging and get ready to fire up NetMon, but take a
> > > quick read of this great article that will shed some light on possible
> > > SMTP service issues and SMTP filtering at the ISA firewall.
> > >
> > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > > Sent: Monday, December 19, 2005 10:54 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Re: SMTP publishing
> > > >
> > > > Yo-
> > > >
> > > > I too have this funky issue with SMTP publishing just on this one box.  This
> > > > one is an External, Internal, Perimeter Network setup-- when I go to publish
> > > > from the External IP to the Perimeter segment, the rule is in place just
> > > > fine, but I get the Default Rule denied the traffic.  It showed that it
> > > > denied SMTP (not SMTP Server, btw) from the External to Local Host. The
> > > > network segments are set up correctly, with the right IP's and all.  The
> > > > perimeter network is set to route.  It just won't work.
> > > >
> > > > The only thing different about this box is that this is the one that still
> > > > shows "192.168.7.180" in my Domain Controller built-in Computer Sets that it
> > > > won't let me edit out.  I did the whole ADSI Edit thing and ntdsutil, but
> > > > that site was gracefully removed, and it no longer referenced anywhere.  Odd
> > > > thing is that my perimeter network is 192.168.3.0 255.255.255.0 (NOT
> > > > 192.168.7.0) so I'm not sure what all the hubbub is about.
> > > >
> > > > Jim?  Tom?  Anyone?
> > > >
> > > > t
> > > >
> > > >
> > > > -----
> > > > "I may disapprove of what you say,
> > > > but I will defend to the death your
> > > > right to say it."
> > > >
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Bunting, Jeff" <BUNTING@xxxxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Friday, December 16, 2005 11:03 AM
> > > > Subject: [isalist] SMTP publishing
> > > >
> > > >
> > > > > I just created a rule to publish SMTP from my Exchange 2003 server, but I'm
> > > > > getting 0x8007274c errors on the ISA server when I try to telnet to port 25.
> > > > > I do establish a connection, but get no response.
> > > > >
> > > > > The Exchange server is a front end server and I have OWA and RPC over HTTP
> > > > > published through ISA for this same server.  I can telnet to this server
> > > > > internally.
> > > > >
> > > > > I don't see anything written to the smtpsvc logs on Exchange and a netstat
> > > > > doesn't show any connection from the ISA server, so it looks like the
> > > > > external telnet connection to ISA is made OK, but traffic isn't making it
> > > > > from ISA to Exchange.
> > > > >
> > > > > Also, I can make a telnet connection from the console of ISA to the Exchange
> > > > > server.
> > > > >
> > > > > I'm stumped.  Anyone have an idea?
> > > > >
> > > > > Jeff
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Visit TechGenix.com for more information about our other sites:
> > > > > http://www.techgenix.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > > thor@xxxxxxxxxxxxxxx
> > > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >