Solved

Publishing Groupwise server through ISA 2000 Firewall

Posted on 2004-08-09
17
306 Views
Last Modified: 2012-06-27
Anyone done this or know how?  I can't find much help either on novell.com or isaserver.org.

I've done the Secure Mail Server publishing on ISA, opening up port 25 inbound and outbound to the internal groupwise server (10.5.1.5).  The external is NATed on 192.168.1.5 which is an IP bound to the external NIC on the ISA server.

The 192.168.x.x addresses are in our DMZ.  Then we go "outside" through a Checkpoint Firewall.

Telnetting to 192.168.1.5 25 from a machine in the DMZ, it seems to connect, but it never has a "welcome/ready" response, the screen is just blank, and then it disconnects after about 15 seconds.

Running a netstat -na on the ISA server shows that 192.168.1.5 is listening on port 25.

Any ideas???

Are there other ports I need to establish rules for to get Groupwise to work?

I've read TID10011226 and TID10054739 but still no luck....
Question by:TheCleaner
17 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 11762268
When you say "GroupWise" I take it you mean "the GroupWise Internet Agent (GWIA)", right?

What VERSION of GroupWise? Any SPs? Running on what PLATFORM? Solaris? Linux? NetWare? If the latter, what VERSION? Any SPs? We're Experts, not mind readers - when writing your problem description, please remember that we're not there, we can't see over your shoulder, and we don't work with your network every day.
0
 
LVL 23

Author Comment

by:TheCleaner
ID: 11762587
oops...sorry PsiCop...understood on your response.

Yes, I believe I mean the GWIA...I'm not a Novell guy though...basically I want to provide basic SMTP traffic, then I'll worry about Webaccess, etc, later.

The version of Groupwise is 6.0.4 not sure about SPs (don't know how to check...I suck at Novell)

It's running on a Netware 6 support pack 3 server.

Thanks!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11762766
OK, GroupWise v6.0 SP4 running atop NetWare v6.0 SP3. You can tell the NetWare version and Support Pack level by, at the NetWare console prompt, typing --> version

You tell the GroupWise version by looking at the GroupWise screens.

OK, so from the outside, you telnet to the external address, and the firewall NATs that over to the server's internal address. Does this server have more than one NIC, and if so, is GroupWise configured to listen only to one NIC?

Are there any error messages on the GWIA screen? Turn up logging to "Diagnostic" (use ConsoleOne to change the GWIA properties and either restart the GWIA or wait for it to detect the change and restart itself).
0
 
LVL 23

Author Comment

by:TheCleaner
ID: 11763179
PsiCop,

Thanks for the quick replies first of all...


From "outside" the ISA server (technically still in the DMZ, but I wanted to make sure that part worked before tackling our external firewall), I telnet to 192.168.1.5 25 which is one of the IP addresses on the external ISA NIC.  I've created the Mail Server publishing rule in ISA to include incoming and outgoing SMTP and SMTPS to route from 192.168.1.5 to the internal IP on the Groupwise/Netware server of 10.5.1.5.

However, you may be on to something, because the Groupwise server has 2 NICs with two separate IPs bound to it, one is 172.16.1.5 and the other is 10.5.1.5 (we are switching IP schemes).  Currently our mail comes in to an "old firewall" that is NATed to the 172.16 IP address.

Is there a way to find out if Groupwise is only listening on that one address?

I guess I could also delete the Mail Server publishing rule and recreate it with the 172.16 address and see if it works then...then at least I would know I'm doing the right thing on the ISA server...??
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11763265
Yes, if GroupWise was configured to only listen to one address, that would be in the GWIA configuration, probably under ConsoleOne (although it could be in either the configuration file for GWIA located - by default - in the SYS:SYSTEM directory of the server hosting the agent; or in the command-line parameters - if any - passed to the agent when it is loaded as specified in the default file SYS:SYSTEM\GWIA.NCF). If nothing is specified in this regard, then the agent will bind to all available addresses.

I strongly recommend that you grab the company charge card and step down to your fave bookstore and pick up a copy of the GroupWise v6.5 Administrator's Guide by Tay Kratzer, ISBN 0-7897-2982-2. It will help you understand GroupWise. The vast majority of the material is applicable to v6.0.
0
 
LVL 23

Author Comment

by:TheCleaner
ID: 11763542
Thanks for the recommendation...however we are migrating to Exchange this fall, so this is just a temp issue.

I'll check the GWIA config and logs...

Do you know of any additional ports that would need to be opened besides port 25 inbound and outbound?
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11764114
Sorry to hear you plan to move to an E-Mail infrastructure that will triple your TCO (according to Gartner, Exchange's TCO is about $12/month per user, while the TCO for GroupWise is about $4/month per user). Nothing like replacing an E-Mail system that's relatively immune to most malware with one that's going to make you vulnerable to every virus and trojan that comes down the pipe. I have to confess, that doesn't make much sense to me, but hey, it's your hair and blood pressure, not mine. And perhaps your competitors will be making better business decisions - that's what happened to Lucent. Good luck....you'll need it.

To answer your query, no, GroupWise uses the standard SMTP ports. Can you insert a host between the NATting and the GroupWise server to check that the interface on the GroupWise server is working properly? Do you have any network sniffing capability to view the session negotiation between the NAT and the SMTP agent? Have you verified that the SMTP daemon is loaded on the GroupWise server (check the GWIA log)?
0
 
LVL 23

Author Comment

by:TheCleaner
ID: 11764217
Well, the move to Exchange is mainly to facilitate the school's "requirement" to be a complete MS shop.  Thus my existence here.

I agree with what you said though...


For the second part...SMTP traffic is still working fine through the old setup...old firewall NATed to the GW server.  I can also internally telnet to port 25 on the internal IP and all is good.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11764291
I guess whoever made that decision has never heard of Sasser, Netsky, Phatbot, Slammer, Melissa, et al. ad nauseam. Ah, well, after their server infrastructure has been botted by some 16-year-old twerp in Moscow and they get blacklisted on every RBL, they might wake up, but I doubt it. Anyone dumb enuf to want to migrate to all M$ is probably too dense to figger things out.

OK, I have to say that this is beginning to sound more like a networking problem than a GroupWise problem. I mean, you've ascertained that GroupWise is working, and the old firewall setup handles this; it's only the introduction of the new firewall that has screwed things up. Hence my belief that this is a config issue with the new firewall. I'm at a loss for any other explanation right now, given what you've presented as the facts of the case.
0
 
LVL 23

Author Comment

by:TheCleaner
ID: 11764692
new info:

from inside our network, telnetting to 10.5.1.5 25 (new internal IP of Groupwise server), it works fine...I get the Ready prompt and can run tests.

From the ISA server itself I can telnet to 10.5.1.5 25 and all works fine.

However, after opening up port 25 inbound/outbound to 10.5.1.5 and then on the ISA server itself using the NAT address of 192.168.1.5 25, it seems to connect but is just a blank DOS window.

I read on the TID10054739 that we look to be using Configuration 1 - GW SMTP gateway is the mail host.

According to this, on the firewall I'm supposed to permit inbound to port 25, but then it says OUTBOUND - Permit connection from the IP address of the SMTP gateway to any IP address on all high ports.

I'm not certain how in ISA to configure it to allow all high ports outbound (which I assume is 1024 to 65535)...but there is a way to set "secondary connections" on additional ports, which could be what it is needing?

Very strange....
0
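The symptom described in the question and again in the "new info" comment above (TCP connects, but no SMTP greeting ever arrives and the session drops after a while) is worth distinguishing from a refused or unreachable port, because each points at a different layer: "refused" means nothing is listening, "no banner" means the TCP handshake completed (often with the firewall itself) but the application behind it never answered. The following is an added example, not code from the thread or from Novell or Microsoft; it scripts the same check the telnet test performs and classifies the outcome. The hostnames and the two fake servers (one that greets, one that accepts and stays silent, reproducing the blank-window case) are constructed locally so it runs offline.

```python
import socket
import socketserver
import threading


def check_smtp_banner(host, port, timeout=5.0):
    """Open a TCP connection and report what happens before any command is sent.

    Returns one of:
      'refused'            nothing is listening (RST on SYN)
      'unreachable'        no SYN/ACK within the timeout, or a routing error
      'no_banner'          TCP handshake completed, but no greeting arrived in time
                           (the "blank window" symptom: a NAT/proxy accepted the
                           connection but nothing behind it is answering)
      'closed'             peer closed the connection without greeting
      'banner:<line>'      a normal SMTP 220 greeting
      'unexpected:<line>'  something other than 220 as the first line
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return "no_banner"
        if not data:
            return "closed"
        first_line = data.decode("ascii", "replace").split("\r\n")[0]
        if first_line.startswith("220"):
            return "banner:" + first_line
        return "unexpected:" + first_line


# --- constructed fake listeners, used only to demonstrate the classifier ---

class GreetingHandler(socketserver.BaseRequestHandler):
    """Behaves like a healthy SMTP agent: greets immediately, then waits for the client."""

    def handle(self):
        # Hostname is a constructed placeholder, not from the thread.
        self.request.sendall(b"220 gwia.example.test SMTP service ready\r\n")
        try:
            self.request.recv(64)  # returns when the client closes
        except OSError:
            pass


class SilentHandler(socketserver.BaseRequestHandler):
    """Accepts the TCP connection but never sends a greeting (the symptom in the thread)."""

    def handle(self):
        try:
            self.request.recv(64)  # block until the client gives up and closes
        except OSError:
            pass


def start_fake_server(handler):
    """Bind an ephemeral loopback port and serve it in a daemon thread."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    socketserver.ThreadingTCPServer.daemon_threads = True
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo(timeout=1.0):
    """Run the classifier against both fake listeners and return the two verdicts."""
    healthy = start_fake_server(GreetingHandler)
    silent = start_fake_server(SilentHandler)
    try:
        results = {
            "healthy": check_smtp_banner(*healthy.server_address, timeout=timeout),
            "silent": check_smtp_banner(*silent.server_address, timeout=timeout),
        }
    finally:
        for srv in (healthy, silent):
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

Against a real deployment, run `check_smtp_banner` from three vantage points (inside the LAN against the server's internal address, from the firewall host itself, and from the DMZ against the published address): a `banner:` result in the first two and `no_banner` in the third isolates the problem to the publishing/NAT layer, which is what the thread's telnet tests eventually showed.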
 
LVL 34

Expert Comment

by:PsiCop
ID: 11768962
In the Cisco environment, I would suggest "permit ip any any established", but I dunno how that translates to the ISA box

Yes, "high" ports are generally 1025+
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11926358
Hello?
0
 
LVL 23

Author Comment

by:TheCleaner
ID: 11930660
Hello.

Nothing seemed to work through the ISA server...we tried and tried anything we could think of.

Turned out we had to publish a dual-NIC GroupWise, 1 internal and 1 in the DMZ, then allow port traffic through the external Checkpoint FW in to the DMZ address.

Sure hope ISA 2004 is easier.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11934182
Ah. Well, that's interesting.

Be sure that the NetWare server does not route. It doesn't, by default, but just double-check that it can't be used as a stovepipe around your firewall.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12841148
Fine by me.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12867166
PAQed with points refunded (300)

modulo
Community Support Moderator
0
