Would you still want to remove client for windows networks on all the external interfaces?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, December 19, 2005 7:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SMTP publishing

http://www.ISAserver.org

Sure you can. When the "external" interface is on a private address network and the client is on a private address network too. Sounds like this isn't your scenario.

I'm thinking of this type of scenario:

Inbound SMTP relay on private address DMZ between FE and BE ISA firewalls
Route relationship between the SMTP server on the "internal" network.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Monday, December 19, 2005 8:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: SMTP publishing
>
> You said I had to actually hit the SMTP server address, not the ISA
> external interface address for the "route" deal to work. You can't hit
> the 1918 address externally...
>
> That being said, changing the source network to the Perimeter and the
> destination to External with NAT worked. Thing is, in a route, you'd
> want it the other way around... But to make the relationship the same
> as an "Internal" network, that's what I had to do.
>
> I'm going to see if the reverse direction in "route" will work as
> well-- but even if it does, I don't think I was a route relationship
> from the External to the DMZ, right? Or will it not matter for the
> same reason I just stated above re: 1918?
>
> t
>
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, December 19, 2005 6:39 PM
> Subject: [isalist] Re: SMTP publishing
>
> Why? If the "external" interface of the ISA firewall is on a private
> address segment, you could use private addresses in the DMZ.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Monday, December 19, 2005 8:33 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: SMTP publishing
> >
> > I'll find out in a bit-- that's the part that is confusing me...
> > But hell, it won't work now, so we'll see. I server publish the SMTP
> > server address in a route relationship would mean that you could
> > never have a 1918 address in the perimeter...
> >
> > t
> >
> > -----
> > "I may disapprove of what you say,
> > but I will defend to the death your
> > right to say it."
> >
> > ----- Original Message -----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, December 19, 2005 6:22 PM
> > Subject: [isalist] Re: SMTP publishing
> >
> > You sure about that?
> >
> > I thought I tested it and the port stealing thingie worked. Now I
> > need to test again!
> >
> > Thanks!
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Monday, December 19, 2005 3:15 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: SMTP publishing
> > >
> > > Here's the catch:
> > > Server publishing is *non-functional* if the source and
> > > destination networks have a "route" relationship.
> > > If you want to s-pub a host in the DMZ net, you need to
> > > create a NAT relationship between the external net and that host.
> > >
> > > -------------------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > Sent: Monday, December 19, 2005 09:40
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Re: SMTP publishing
> > >
> > > OK- pretty straight forward article... But here's the deal.
> > > In that config, they call the "perimeter network" the DMZ
> > > itself. As in this:
> > >
> > > DMZ
> > > |
> > > ISA Box
> > > |
> > > Internal Network.
> > >
> > > They publish SMTP from the External interface to the Internal
> > > Interface.
> > > Done it a million times. But in my case, this is a bit different:
> > >
> > > Internet
> > > |
> > > ISA Box --- Perimeter Network (DMZ)
> > > |
> > > Internal Network
> > >
> > > I want to publish from the External Interface into the DMZ-
> > > not into the Internal network. If I publish to the Internal,
> > > then it actually works.
> > > When I publish to the DMZ Perimeter, it says SMTP denied by
> > > the default rule from External to Local-Host. The Perimeter
> > > network here is set to route-- but of course, I can't just
> > > set an access rule-- the DMZ is 192.168.3.0 and I must
> > > *publish* to it, not just route to it.
> > >
> > > Any ideas?
> > >
> > > t
> > >
> > > -----
> > > "I may disapprove of what you say,
> > > but I will defend to the death your
> > > right to say it."
> > >
> > > ----- Original Message -----
> > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Monday, December 19, 2005 9:11 AM
> > > Subject: [isalist] Re: SMTP publishing
> > >
> > > Enable SMTP service logging and get ready to fire up NetMon, but
> > > take a quick read of this great article that will shed some light
> > > on possible SMTP service issues and SMTP filtering at the ISA
> > > firewall.
> > >
> > > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > > > -----Original Message-----
> > > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > > Sent: Monday, December 19, 2005 10:54 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Re: SMTP publishing
> > > >
> > > > Yo-
> > > >
> > > > I too have this funky issue with SMTP publishing just on this
> > > > one box.
> > > > This one is an External, Internal, Perimeter Network setup-- when
> > > > I go to publish from the External IP to the Perimeter segment,
> > > > the rule is in place just fine, but I get the Default Rule denied
> > > > the traffic. It showed that it denied SMTP (not SMTP Server, btw)
> > > > from the External to Local Host. The network segments are set up
> > > > correctly, with the right IP's and all. The perimeter network is
> > > > set to route. It just won't work.
> > > >
> > > > The only thing different about this box is that this is the one
> > > > that still shows "192.168.7.180" in my Domain Controller built-in
> > > > Computer Sets that it won't let me edit out. I did the whole ADSI
> > > > Edit thing and ntdsutil, but that site was gracefully removed, and
> > > > it no longer referenced anywhere. Odd thing is that my perimeter
> > > > network is 192.168.3.0 255.255.255.0 (NOT 192.168.7.0) so I'm not
> > > > sure what all the hubbub is about.
> > > >
> > > > Jim? Tom? Anyone?
> > > >
> > > > t
> > > >
> > > > -----
> > > > "I may disapprove of what you say,
> > > > but I will defend to the death your
> > > > right to say it."
> > > >
> > > > ----- Original Message -----
> > > > From: "Bunting, Jeff" <BUNTING@xxxxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Friday, December 16, 2005 11:03 AM
> > > > Subject: [isalist] SMTP publishing
> > > >
> > > > > I just created a rule to publish SMTP from my Exchange 2003
> > > > > server, but I'm getting 0x8007274c errors on the ISA server
> > > > > when I try to telnet to port 25.
> > > > > I do establish a connection, but get no response.
> > > > >
> > > > > The Exchange server is a front end server and I have OWA and
> > > > > RPC over HTTP published through ISA for this same server.
> > > > > I can telnet to this server internally.
> > > > >
> > > > > I don't see anything written to the smtpsvc logs on Exchange
> > > > > and a netstat doesn't show any connection from the ISA server,
> > > > > so it looks like the external telnet connection to ISA is made
> > > > > OK, but traffic isn't making it from ISA to Exchange.
> > > > >
> > > > > Also, I can make a telnet connection from the console of ISA to
> > > > > the Exchange server.
> > > > >
> > > > > I'm stumped. Anyone have an idea?
> > > > >
> > > > > Jeff
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Visit TechGenix.com for more information about our other sites:
> > > > > http://www.techgenix.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > > thor@xxxxxxxxxxxxxxx
> > > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx