Solved

connecting to exchange over internet through ISA Server

Posted on 2003-10-30
Last Modified: 2010-04-08
I am attempting to connect to an Exchange server over the internet through an ISA server.
The client works fine when using the proxy client 2.0 server. However, with the same ports open on the ISA server, I have no luck. The hosts file is set up correctly. If I open all IP traffic on the ISA server in protocol rules, it works correctly.
These are the ports I have open. It sounds to me like I need some other port open for this to work?

135
53
1024-1027
143
88
389
3268
445
80
Question by:Petro026
Accepted Solution by: Pete Long (earned 250 total points), ID: 9653417
Hi Petro026,
Step 1. Configure DNS
Before you begin configuring any ISA Server components, you must ensure that your DNS infrastructure will support MAPI client access. Check DNS to ensure that a Host (A) record for your Exchange server exists on your external DNS server.

To configure DNS

On the DNS server, click Start, click Settings, and then click Administrative Tools.
Click the DNS icon.
Expand the external DNS server node.
Expand the namespace within which you are working, for example, exchange.nwtraders.com.
Double-click the record for your Exchange server.
Ensure the host name of the Exchange server is pointing to the external IP address of the ISA Server computer.
Note: If the host name of the Exchange server is not the same on both the internal and external DNS computers, create an entry in the Hosts file on the client computer that will resolve the NetBIOS name for the Exchange server with the external IP address for the ISA Server computer.
Step 2. Configure the Exchange server as a SecureNAT client
For the Exchange server to communicate successfully, it must be configured as a SecureNAT (Network Address Translation) client. This type of client routes Internet traffic using its default gateway.

To configure the Exchange server as a SecureNAT client

On the Exchange server, click Start, click Settings, and then click Control Panel.
Open the Network and Dial Up Connections applet.
Right-click the LAN connection of the Exchange server, and click Properties. The connection’s Internet Connection Properties page appears.
Highlight the Internet Protocol (TCP/IP) option, and then click Properties.
If you are configuring a simple network, in which no routers separate the Exchange server from the ISA Server computer, set the Default Gateway to be the ISA Server computer’s internal IP address.
If you are configuring a complex network, in which routers separate the Exchange server from the ISA Server computer, configure the Default Gateway of the Exchange server to the IP address of the local segment’s router. Additionally, ensure that all traffic bound for the Internet is routed to the internal interface of the ISA Server computer.
Adding Routes
For a complex network, it is recommended that the ISA Server have a route defined for all network segments on your internal network. The routing table can be manually populated using the ROUTE ADD command, or by using a dynamic routing protocol such as Routing Information Protocol (RIP).

The syntax for the ROUTE ADD command is as follows:

ROUTE ADD <destination network ID> MASK <subnet mask> <gateway IP address>

Note: If your Exchange server receives a reserved IP address from a DHCP server, you need to change the default gateway in the scope properties.
Step 3. Review the local address table
Because the local address table (LAT) defines what servers are located on your internal network, it is the basic requirement for a secure environment. You need to ensure that all servers that are required to make Exchange services available are located in the LAT.

To review the LAT

Open ISA Management.
For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.
For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

Expand the Network Configuration tree, and then click Local Address Table (LAT).
The LAT is configured when ISA Server is installed. In the details pane, you will see a range of IP addresses that define the internal network.

Confirm that the IP addresses for the Exchange server, the SMTP server, Active Directory domain controllers, and an internal DNS server are all in the LAT.
If you need to add an additional address or set of addresses, follow these steps:
Right-click the Local Address Table (LAT) folder, click New, and then click LAT Entry…
Enter the range of IP addresses in the From and To fields. If you want to define individual servers, type the same IP address in both fields.
Provide a Description for the entry, and then click OK.
Step 4. Create a site and content rule
Create a site and content rule that allows internal clients access to all Internet sites and to all Internet content.

To create a site and content rule

Open ISA Management.
For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.
For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

Right-click Site and Content Rules. The Site and Content Wizard appears.
Type a name for the new site and content rule, for example Allow All, then click Next.
On the Rule Action page of the wizard, select Allow for the Response to client requests for access option, and then click Next.
On the Rule Configuration tab, select Allow access based on destination, and click Next.
On the Destination Sets tab, select Apply this rule to All destinations, and then click Next.
Review your choices to confirm they are correct, and then click Finish.
Step 5. Configure a client address set
Create a client address set to specify the internal Exchange servers, which the protocol rule (explained in Step 6. Create protocol rules) will use.

To configure a client address set

Open ISA Management.
For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.
For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

Expand the Policy Elements tree, and then select the Client Address Sets folder.
Right-click the Client Address Sets folder, click New, and click Set.
Type a Name for the client address set, for example Microsoft Exchange Servers.
Click the Add button.
Type the IP addresses for your Exchange server, and then click OK twice to close both dialog boxes.
Step 6. Create protocol rules
Configure a protocol rule that enables your internal Exchange servers to communicate with external servers and clients. This rule will allow two outbound protocols, DNS and SMTP, and will apply only to the client address sets you created for your internal Exchange servers.

To create protocol rules

Open ISA Management.
For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.
For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

Right-click Protocol Rules, click New, and then click Rule.
Type a protocol rule name to describe the Exchange server protocol, and then click Next.
Select Allow, and then click Next.
In Apply this rule to, choose the Selected Protocols option.
Choose the DNS Query and SMTP options from the Protocols box, and then click Next.
Select Always, and then click Next.
In the Client Type dialog box, for the Apply the rule to requests from option, select Specific computers (client address sets), and then click Next.
In the Client Sets dialog box, click the Add button, choose the client address set that defines your Exchange server, and then click the Add button.
Click OK, and then click Next.
Review your selections on the Completing the New Protocol Rule Wizard dialog box, and then click Finish.
Step 7. Change the authentication method
To authenticate the Outlook client with an internal domain controller, you must configure the Exchange server to act as a proxy for the Outlook client.

To change the authentication method

On the Exchange Server computer, click the Start button, and click Run.
Type regedit and click OK.
Go to the HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters key.
Right-click the Parameters key.
Choose the New option, and then choose DWORD Value.
Type No RFR Service.
Set the value to 1.
Step 8. Create a server publishing rule
Next, ISA Server requires a server publishing rule that provides external MAPI Outlook clients connectivity to the internal Exchange server.

To create a server publishing rule

Open ISA Management.
For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.
For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

Expand the Publishing folder, and right-click the Server Publishing Rules folder. Click New, and then click Rule. You will see the New Server Publishing Rule Wizard dialog box appear.
Type a Server publishing rule name, and then click Next.
In the Address Mapping dialog box, type the internal and external address of the ISA Server computer in the appropriate fields.
In the Protocol Settings dialog box, for the Apply the rule to requests from option, choose the Exchange RPC Server protocol, and then click Next.
Choose the default Any request from the Client Type dialog box, and then click Next.
Review your choices for accuracy in the Complete the New Server Publishing Rule Wizard dialog box, and click Finish.
Configure the Clients
This section describes how to configure Outlook clients to enable connectivity to the Exchange server, and work around issues with new mail notification.

By publishing the Exchange server, clients can use the same configuration when connecting by means of the Internet as they would when connecting locally. However, if the internal and external names of the Exchange server differ, you may need to create a separate profile.

To configure Outlook 2000 clients

Right-click the Microsoft Outlook icon on the desktop, and then click Properties.
If a profile does not exist, click the Add button, choose Microsoft Exchange Server, and then click Next. Enter the name of the Exchange server, and then click Next. Click the Finish button.
If a profile already exists, click the Show Profiles... button.
Choose the appropriate profile, and then click Properties. You will see the Properties page for the profile. Highlight the Microsoft Exchange Server information service, and then click Properties.
On the General tab, verify that the Exchange server can resolve the name of your mailbox, by selecting the Check Name button.
If you cannot connect, create an entry in the local Hosts file that maps the external IP address for the Exchange server to its NetBIOS name.
Click the Advanced tab. Choose Encrypt information both when using the network and when using dial-up networking.
Select the Enable offline use box, and then click OK. Click OK to close the profile’s Properties box.
To configure Outlook 2002 clients

Go to the Mail applet in Control Panel. You will see the Mail Setup - Outlook dialog box.
Click the Show Profiles button.
If a profile does not exist, follow these steps:
Click the Add… button, and then enter a name for the profile.
Select the Add a new e-mail account option button, and then click Next.
Select the Microsoft Exchange Server option, and then click Next.
Type the name of the Microsoft Exchange server and the User Name of your mailbox. When prompted, enter your password.
Click Next, and then click Finish.
If a profile already exists, choose the profile for your Exchange server.
Click the E-mail Accounts… button.
Select the View or change existing e-mail accounts option button, and then click Next.
Choose the e-mail account for your Exchange server, and then click the Change button.
On the General tab, verify that the Exchange server can resolve the name of your mailbox by retyping your mailbox name, and then clicking the Check Name button.
If you cannot connect, create an entry in the local Hosts file that maps the external IP address for the Exchange server address to its NetBIOS name.
Click the More Settings button.
Click the Advanced tab. Select Encrypt information both when using the network and when using dial-up networking.
Click OK to close the Microsoft Exchange Server dialog box, and return to the E-mail Accounts dialog box.
Click Next, and then click Finish.
Click the Close button on the Mail Setup dialog box, and then click OK to close the Mail dialog box.
ISA Server Feature Pack 1 for RPC Publishing
Using the new feature pack, you can make Exchange 2000 Server available more quickly to your Outlook clients. These features make using RPC publishing over the Internet easier and more useful:

Exchange RPC filter enhancements. The ISA Server Exchange RPC filter has two major enhancements so that Outlook can now connect securely to Exchange 2000 Server through a firewall.
RPC Filter Configuration Add-in Wizard. In the past, to provide RPC access, the All RPC servers option was used. Because the wizard has more granularity, you can create new ISA Server protocol definitions that include one or more RPC interface UUIDs. These protocol definitions are used in server publishing rules for ISA Server so that external clients can access the UUID interfaces on the internal RPC server.
Encryption Enforcement
Administrators who publish Exchange for Outlook clients on the Internet can now require Outlook to use encryption. Previously, administrators had to rely on users configuring Outlook on their own.

To enforce encryption

Click Start, and then click Run. Type regedit, and then click OK.
Open HKEY_LOCAL_MACHINE\Software\Microsoft\FPC\PluginRPC.
Change the value of MinimumAuthenticationLevel from 1 to 6.
Outbound RPC
Outlook clients behind an ISA Server computer can now access Exchange 2000 Server computers in front of the ISA Server computer. When you install the feature pack, a new protocol definition is created called RPC. You can use this protocol rule so that internal clients can access Exchange servers outside the firewall.

To configure outbound RPC

Open ISA Management.
For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.
For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

Right-click the Protocol Rules folder, click New, and then click Rule…
On the Welcome page, type a name for the protocol rule. For example, type Allow outbound RPC. Then, click Next.
On the Rule Action page, select Allow. Then, click Next.
On the Protocols page, in Apply this rule to, select Selected protocols. Then, in Protocols, select RPC. Then click Next.
On the Schedule page, select the appropriate schedule. Then click Next.
On the Client Type page, select the appropriate client type. Then click Next.
Click Finish.
Additional Resources
The following documents can be used as references when configuring these scenarios:

Configuring and Securing Microsoft Exchange 2000 Server and Clients - http://www.microsoft.com/isaserver/techinfo/deployment/ISAandExchange.asp
ISA Server and Acceleration Resource Site - http://www.isaserver.org/
Shinder, Thomas. "Configuring Exchange RPC Publishing in a Back to Back ISA Server Environment." - http://www.isaserver.org/pages/article_p.asp?358
Shinder, Thomas. "Using the Exchange RPC Filter to Publish Microsoft Exchange." - http://www.isaserver.org/pages/article_p.asp?351
ISA Server Home - http://www.microsoft.com/ISAServer/
155831 - XADM: Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a Firewall
256976 - XCLN: How MAPI Clients Access Active Directory
270836 - XCLN: Exchange 2000 Static Port Mappings
280132 - XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls
291000 - External MAPI Clients Cannot Connect with RPC
298369 - XADM: How to Configure a Global Catalog Server to Use a Specific Port When Servicing MAPI Clients
305572 - OL2002: You Cannot Receive New E-mail Notifications in Environments That Use the Network Address Translation
308599 - XCCC: How to Configure Internet Security and Acceleration Server to Publish an Internal Exchange Server


From Technet

PeteL
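As an added illustration, not part of Pete Long's answer or the TechNet article it quotes, a Python model of the Outlook connection sequence through the firewall: Outlook first asks the RPC endpoint mapper on TCP 135 where the Information Store and the directory (NSPI) endpoint listen, then connects to whatever ports the reply names, so a fixed port list such as the question's 1024-1027 only works when those services were pinned to exactly those ports (KB 270836), whereas the Exchange RPC Server publishing rule's filter reads the reply and admits the named port. Port numbers 1143/1172 and 1025/1026 are constructed; OPENED_PORTS is the list from the question.

```python
from dataclasses import dataclass, field

EPM_PORT = 135  # RPC endpoint mapper; the only MAPI port that is always fixed

# Ports the question opened on the ISA server (copied from the post).
OPENED_PORTS = {135, 53, 143, 88, 389, 3268, 445, 80} | set(range(1024, 1028))


@dataclass
class ExchangeEndpoints:
    """Ports the Exchange services bound at start-up. Without static
    mappings (KB 270836) the RPC runtime picks them, so they can change."""
    store_port: int   # Information Store (MSExchangeIS)
    nspi_port: int    # directory lookups proxied by the System Attendant


@dataclass
class IsaPolicy:
    """A plain list of open ports, optionally with the Exchange RPC Server
    publishing rule, whose filter admits the port named in the EPM reply."""
    open_ports: set
    rpc_filter: bool = False
    learned: set = field(default_factory=set)

    def permits(self, port: int) -> bool:
        return port in self.open_ports or port in self.learned


def mapi_connect(policy: IsaPolicy, exch: ExchangeEndpoints) -> list:
    """Replay Outlook's connection sequence; returns (stage, port, allowed)."""
    steps = [("endpoint mapper", EPM_PORT, policy.permits(EPM_PORT))]
    if not steps[0][2]:
        return steps  # cannot even ask where the store is listening
    # The EPM reply names the store and NSPI ports. The RPC filter learns
    # them from that reply; a static port rule knows nothing about them.
    for stage, port in (("store", exch.store_port), ("nspi", exch.nspi_port)):
        if policy.rpc_filter:
            policy.learned.add(port)
        steps.append((stage, port, policy.permits(port)))
    return steps


def session_ok(steps: list) -> bool:
    return all(allowed for _, _, allowed in steps)


def run_scenarios() -> dict:
    """Constructed cases: dynamic ports 1143/1172 vs pinned ports 1025/1026."""
    dynamic = ExchangeEndpoints(store_port=1143, nspi_port=1172)
    pinned = ExchangeEndpoints(store_port=1025, nspi_port=1026)
    return {
        "port list, dynamic ports": session_ok(mapi_connect(IsaPolicy(set(OPENED_PORTS)), dynamic)),
        "port list, pinned ports": session_ok(mapi_connect(IsaPolicy(set(OPENED_PORTS)), pinned)),
        "RPC filter, dynamic ports": session_ok(mapi_connect(IsaPolicy({EPM_PORT}, rpc_filter=True), dynamic)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'connects' if ok else 'blocked'}")
```

The first case reproduces the question's symptom (135 is reachable, the store connection is dropped); the third is why the accepted answer publishes the Exchange RPC Server protocol instead of opening ports.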
