Solved

ISA Server blocking Outlook Express ports (SMTP, POP3)

Posted on 2004-11-01
3,566 Views
Last Modified: 2008-11-18
Hi.

My ISA Server will not allow me or anyone to retrieve email.. i believe it's the ISA server that's doing this because the internet is functioning fine and the ISP who hosts the email is up and running.

I messed around with some filters to see if i could find the problem-- but couldn't find anything. Can someone please help?

Thanks!
0
Question by:Leo Alexander
    44 Comments
     
    LVL 9

    Expert Comment

    by:TannerMan
    Have you published the OWA server? You will need to do this in order for it to be accessible via the web.
    The best site for ISA help is www.isaserver.org

    Hope that helps.
    Also, be careful messing with Packet Filters; you can really open that ISA up to major attack.
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Absolutely does not help - spent hours on the site.. the best thing i found is making me lose my MIND!
    http://www.isaserver.org/tutorials/Making_Outlook_Express_Work_with_ISA_Server_Quick_Start_Guide.html

    FOR SOME REASON THERE IS NO ACCESS POLICY NODE AND NO PROTOCOL RULES NODE UNDER THE MANAGEMENT CONSOLE!

    this is prob. why i can't do anything.... i tried EVERYTHING. nothing works!

    I need this solution SUPER FAST PLZ
    0
     
    LVL 9

    Expert Comment

    by:TannerMan
    Your original post mentioned nothing about not being able to view the console components

    If you can't access the full menu tree in the MMC console for ISA server then there isn't much anyone can do except suggest you try and do this....

    start>run
    mmc
    Click ok
    Click CONSOLE
    Click Add/Remove Snap-In
    Click ADD button at bottom
    Find "ISA Management"
    Highlight and click the ADD button
    Choose default of local server
    click OK, click close, click ok

    Now, using this view see if you can manage your ISA server
    When done save it to your desktop as a unique name.

    If this allows you to see everything you need to see, then good. If not, then sadly enough you only have two choices. 1) try to re-install ISA or 2) try to run MMC for ISA from another install of ISA server, if one exists on your network.

    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    ISA is not shown as one of the snap-ins...should it be? i see a ton of other things except that.
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    oh sorry i was looking under I.. it was under M for microsoft...

    I did that- and it has the same options as the actual management console :(
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    and here is a screen shot from the actual program

    http://magicmortgage.us/temp/ISA2.JPG
    0
     
    LVL 9

    Expert Comment

    by:TannerMan
    So when you click the link for .....

    view and create firewall policy rules

    you get nothing?
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    I get options... the MAIN option as stated on isaserver.org on what to do is expand the access policy node and right click the protocol rules node and it will open "Welcome to the New Protocol Rule wizard"

    i can't find that ANYWHERE! The closest i found is The Protocol Definition Wizard, NOT the RULE wizard.
    0
     
    LVL 8

    Expert Comment

    by:kain21
    The problem is you're running ISA Server 2004.  Access policies are configured differently than in the 2000 version.  Are you trying to get users inside the firewall to access pop3 servers outside the firewall or allow external users to access an internal server?
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    kain21,

    I was trying to allow users that are within the internal network to access the services. It was too frustrating and too much time was spent. I uninstalled 2004, and installed 2000. So far everything works- however i messed around with it from 6:30-9:30 EST tonight and it doesn't seem to filter anything. Everything works so far; internet and email, but not sure if the filter isn't working because everyone's email resides on the ISP's email server?

    so basically everyone has a username@thedomainname.com ...and a password... we use outlook express to connect to the email the ISP provides. Everyone's computer is set to connect to the smtp server and the pop3 server- which is the same address for this ISP. i.e: pop.mail.com and smtp.mail.com are generic. So maybe this is why it's not working? Do i have to somehow set it up on my ISA server to have the emails first downloaded to it- then people have to somehow connect to the ISA server and retrieve the emails from there? If so how? Or any references pointing to it.. very late at night now and won't be able to mess around tomorrow time wise...

    Thanks- sorry the original question is no longer an issue but i had to act fast as we were unable to connect to email.
    0
     
    LVL 9

    Expert Comment

    by:TannerMan
    smarturtle,

    You have done a plain jane install of ISA 2000. But, what have you changed, from the initial install, or have you? Have you added any...

    protocol rules
    packet filter rules
    site and content rules

    We just need to know the change you have made AFTER installing the default rules to determine if you have accidentally opened yourself up more than you needed to.
    0
     
    LVL 9

    Expert Comment

    by:TannerMan
    Also,

    What are your clients running as.....

    Web Proxy clients - IE LAN settings using a proxy server/port for your machine
    Firewall Clients - have installed the firewall client from ISA server
    SecureNAT - Workstations have a default gateway IP of your ISA server's internal IP address

    These have bearings on access as well.
    0
     
    LVL 9

    Expert Comment

    by:TannerMan
    Make sure you're running ISA Service Pack 2 and Feature Pack 1

    If you have a raw install of ISA 2000....and your users are able to POP3/SMTP via your ISP, it sounds like maybe you have created a Protocol Rule set as allowing all protocols for any request......is this the case?

    If it is, disable that protocol rule.
    Disable any packet filter rule you may have created to make this work

    There is a default site and content rule for "Allow Rule". This gives ALL users access to ANY website. This can be restricted based on users, but default is ok for this.
    You would need to add two Protocol rules as:
    pop3 - using the predefined pop3 protocol definition and for "applies to" either any request, or restrict by users if you desire.
    smtp - using the predefined smtp protocol definition and for "applies to" either any request, or restrict by users if you desire.

    Now test.
    what this does is.....allows any user web access to any site and allows protocol routing for pop3 (port 110) and smtp (port 25) out to the ISP to pick up email.

    If this doesn't work then let us know along with the answers on what kind of client is being used from my previous post.
    0
     
    LVL 8

    Expert Comment

    by:kain21
    just to further clarify on TannerMan... I would recommend applying the protocol rule to the client set that needs the protocols... if no one is going to be accessing external smtp email from your servers then they don't need the permission to get out as this could be exploited... same goes for the site and content rules...  also.. you can combine these two rules into one rule and just select the pop3 and smtp protocol...

    one last thing... if you have another server you can put isa server 2004 on and play with it i would recommend it... it has a bit of a learning curve when coming from isa server 2000 but the features in it are worth it...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    I did the setup wizard when i installed ISA 2000, creating policies and destination sets , etc etc... for each option it asked me i did something.

    Should i go back to ISA 2004? Or stay with ISA 2000? I installed a service pack that was required.. think it was service pack 1- it didn't offer a second... i'll go back to the site and check to see if there is a newer one now.
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    I decided to uninstall 2000 and go back to 2004.  :(

    Sorry for the confusion but i have decided to STICK with 2004 and we can figure the email thing out together with 2004 hopefully.
    0
     
    LVL 8

    Expert Comment

    by:kain21
    ok... open the isa server management console... expand configuration and click on networks.... on the right hand side of the screen you will see three tabs... tasks, templates, and help... click on templates... directly underneath you will see template examples... click on edge firewall... the wizard will appear.. click next...

    it will ask you if you want to export your settings.... i recommend doing this since you can use the import feature to undo anything that is done in this wizard... just in case anything messes up...  When you export make sure you check the "export user permission settings" and "Export confidential information" boxes... after you are done exporting... click next...

    now specify your internal network address ranges... if all of your internal users are on the same subnet as the isa server and behind one adapter (i.e. no router between multiple subnets on the internal network) then you can click add adapter and select the internal network adapter on the isa server.... it will then fill the address ranges for you... click next...

    select allow limited web access and access to ISP network services.... click next and finish...

    this has created the rules necessary to allow dns, ftp, http, https outbound from the internal network.  we need to modify this rule to allow pop3 and smtp out as well...

    on the left hand side click on Firewall policy... in the middle window on the screen you will see a Web Access Only access rule... double click it and it will open a properties box... click on the protocols tab... you will see ftp, http, https listed... click on add... a new window will popup with protocol categories listed... expand mail... click POP3 and click add... click SMTP and click add... click close... you will see SMTP and POP3 listed... click ok...

    now you need to apply the changes... at the top of the middle window you will see an exclamation point... click apply next to the exclamation point to apply the changes... test the configuration from a client computer...  It should work fine...

    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Here comes another stupid question- When i go to install 2004 it says message screener cannot be installed because SMTP virtual server is not installed. Is this something i can install that comes with windows 2003 in the configure your server wizard? Or is it a separate program altogether?

    0
     
    LVL 8

    Expert Comment

    by:kain21
    you don't need to install the smtp message screener unless you are running a mail server on your internal network and need to allow smtp traffic into the network... since all the requests you are making are initiated from the internal network the message screener doesn't apply...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Ok thank you, i will proceed with the installation of everything but that, then i will follow your instructions on the prev. post.
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Excellent kain21!

    I believe i actually did something like that when i had ISA 2004 installed b4 i uninstalled and installed 2000. But i think i made so many policy rules and messed with the firewall they just weren't functioning properly. It is working now- however, the first time i installed ISA 2004 i couldn't connect to the WEB unless i had IE pointing to a proxy for the ISA server... now it works without having to point to that proxy, but it will also work if i DO point it to the proxy. Does this matter? Will it affect anything?

    Also i just want to let you know about my configuration.

    MODEM -> Linksys (wired router) -> ISA Server WAN labelled NIC -> ISA LAN labelled NIC -> Linksys switch -> client computers & a wireless linksys router.

    The wireless router is part of the same subnet as the LAN NIC so that way everyone can be on the same subnet. The WAN NIC of the ISA server is part of the WIRED linksys router subnet which is different from the wireless subnet and LAN NIC subnet.

    Just wanted to make you aware of that setup-

    When it asked to specify my internal address i only specified the ones that are distributed by the LAN NIC and wireless router because they are on the same subnet. Only one computer uses the IP that is being supplied by the WIRED linksys router, and that is the ISA server WAN NIC.

    Will i now be able to filter emails? Like from .exe's etc...
    also, is there a way to add a message to everyone's outgoing message? like say someone sends an email from their computer, it will say sent according to outlook express on their part, but on the bottom there will be a message added so that way the recipient can see it...like if i wanted to add this info is classified etc etc...

    there is no email server installed on our network- we connect to one by the smtp and pop3 which is hosted by our ISP- so i'm not sure if i will be able to do this message thing.

    0
     
    LVL 8

    Expert Comment

    by:kain21
    since you aren't hosting your own email i don't believe any of the filtering emails options will work for you... I believe the email filtering options are used to filter email as it enters your internal network prior to being routed to your internal exchange server... as far as not using the proxy... if you don't use the proxy you may be unable to restrict certain urls...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Is there a way i can setup an email server on my server..because i issued all the email accounts- so i know the usernames and passwords. So can i like setup all the email accounts on my ISA server then have people connect to it in order to retrieve + send them? I also have the exchange server 2003 software but its not installed...if need be i will install that to achieve this..


    kain21- i really appreciate your help i will def. award you the points + ill increase them for your additional help.
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Neither I nor anyone else can access our website from the LAN.. is there a way to fix this? I also noticed this after i uninstalled ISA 2000 and BEFORE i put on 2004, i thought that when i install 2004 it will solve the issue, but it hasn't. The outside can access it though- i think? the URL is www.magicmortgage.us

    let me know- Thanks
    0
     
    LVL 8

    Expert Comment

    by:kain21
    if you install exchange server 2003 you will need to redirect your MX record for your domain to go directly to the external ip address to access your internal network.. and we'll need to setup a server publishing rule to allow smtp traffic through... as far as the website goes... are you using the magicmortgage.us domain internally as well? if so.. you may need to add a www host to the internal dns server to allow internal users to resolve the external ip address of the webserver....
    0
     
    LVL 8

    Expert Comment

    by:kain21
    your website isn't coming up externally either... is the isa server in front of the web server... if so... open isa server management... right click on firewall policy -> new -> web publishing rule... type www.magicmortgage.us for rule name... click next.... allow... click next... type the internal ip address of the server hosting the website... click forward the original host header... leave the path blank... click next....  leave "This domain name"... in the public name box type www.magicmortgage.us... leave path blank... click next... click new... name=External... click next... listen for requests... select external... click next... check enable http... click next.. click finish.... verify external is listed in the select web listener area... click next... rule applies to all users... click next... click finish... then apply the changes by clicking apply next to the exclamation point....
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    kain21,

    I did that as you said.. i am now able to view www.magicmortgage.us in the LAN.... if i try it w/o the www. it will not work. I tried adding just magicmortgage.us in the property field under the www.magicmortgage.us... but still nothing- do i need to make a whole new publishing rule for it? Also still doesn't work from the outside

    Note* - ISA Server is installed on the same computer the website is running on.
    0
     
    LVL 8

    Expert Comment

    by:kain21
    did you specify the internal ip address of the isa server when making the publishing rule? if not, try changing the publishing rule to send requests to the internal ip address... also... as far as magicmortgage.us... you need to add this domain name to the web publishing rule as well...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    kain21,

    When i try to connect to the webserver/isaserver (same computer) via the network, it hangs for a bit, then prompts me for a username and password- i am already authorized because of active directory users and computers. It never did this before i installed ISA server. When i do enter a username and password, it says logon unsuccessful because the username is the same name you logged in with... if i try using the admin name for the domain controller (the webserver/isaserver) it says \\computername not accessible you might not have permission etc etc.. then on the bottom of that message it says multiple connections to a shared resource by the same user, using more than one user name, are not allowed.

    Is this happening now because of the firewall policy?

    like i said before- I do have 2 NICS on the webserver/isa server/domain controller. One nic holds the IP address of the router that is connected to the internet- the other NIC holds the IP which is used for the internal network and users use as a gateway to connect.

    For instance my WAN NIC is using the 192.xxx.xxx.xxx schema and the LAN NIC is using the 10.xxx.xxx.xxx schema. The WAN NIC is connected to the linksys router that is connected to the internet. SO for the LAN NIC i only put IP address and Subnet. All computers on my network connect to the LAN NIC ip address as a GATEWAY and whatever IP i specify using the 10.xxx.xxx.xxx schema. Internet and everything works fine- except for the website with the www. in front and being accessed externally- i will do what you said to above and see if that works. I really appreciate your help!
    0
     
    LVL 8

    Expert Comment

    by:kain21
    we need to change the way the listener operates... open isa server management and click on firewall policy... on the right hand side you will see three tabs... toolbox, tasks, and help... click on toolbox... underneath toolbox click on network objects... expand web listeners.... right click on external and click properties... click networks... select the checkmark next to internal... internal and external should be checked now...  Verify that in the selected ips area it displays "all ip addresses"... click ok... apply the changes...
    0
     
    LVL 8

    Expert Comment

    by:kain21
    ok.. we have some other issues to deal with since iis is running on the same computer as isa server... we need to change the port number the website runs on... open iis manager, right click on the website you are attempting to publish... in the TCP port box type 81... click ok... right click the website and click stop... right click and click start...  now go to isa server management and open the properties of the web publishing rule... click the bridging tab and check the redirect request to http port box... type in 81 instead of 80... click ok and apply the changes...

    couple of questions for you too... the website you are attempting to publish... does it have the www.magicmortgage.us header assigned to it in iis or maybe a certain ip address?  the authentication problem you are getting is more than likely due to iis responding with the localstart.asp page in the default website directory... try clicking cancel when it asks you to authenticate and look at the page it is attempting to pull up... if it says localstart.asp then that's what it's doing...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    still can't access the site w/o www. and cannot access the server via the network. Also i found strange... i can't connect to any webpages on the ISA Server.. when i click internet explorer it says page cannot be displayed... and on the bottom it says Error code 403 forbidden. The ISA server denied the specified uniform resource locator (URL) (12202).. also cannot access email via outlook express... looks like smtp and pop3 are being blocked.
    0
     
    LVL 8

    Expert Comment

    by:kain21
    you can't connect to any webpages on the server by design... isa server 2004 deals with the lans differently than isa server 2000... isa server 2004 applies firewall rules to all traffic that passes through it... including localhost to localhost... in order to pull up the web pages on the isa server you would have to modify the listener to include the localhost... as well as add the domain localhost to the allowed sites under the system policy for isa server.... i thought email was working from behind the firewall... if you are attempting to use outlook express on the isa server as well the same problem would result...  the rule allowing smtp and pop3 from the internal network wouldn't apply to the localhost as isa server considers the localhost its own network...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Ok that makes sense, however i still am unable to connect to the ISA server from any other machine via the network... or any mapped drives i had prior to installing ISA server.
    0
     
    LVL 8

    Expert Comment

    by:kain21
    that's because of the same situation... requests from the internal network to the localhost are being blocked... so you have mapped network drives on this server and IIS?  any other services running... sounds like you are trying to do too much with this server... isa server 2004 ideally should be run on a standalone system... the more services running on the isa server the more complex the configuration gets... in order to get your mapped drives to work you would need to create a new access rule that would allow all protocols from the internal network to the localhost...  this opens up potential security risks from an internal attack... if someone compromised a system on the internal network then they would be able to access the isa server and open up ports...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    If i'm not worried about Internal clients- only about 7 machines connecting to the server.... how can i open up all..or most ports to the server (internally only) also because i want to be able to backup documents from the client's machines onto this server.... i do have another machine next to it that is idle... will i be better off to uninstall ISA server from this one and place it on the other..will that be complicated to setup again? Can i just export the settings and import and get the same results... will it be a different firewall setup this time? I don't mind doing it all on the same machine because there's not that much load on it because there are not that many clients connecting... so i thought it would be easier to do it all on one comp. So if i can enable all the ports to allow me to connect then that would be great... also i did what you said for the webserver to be functioning... can you try it to see if its working? Thanks
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    ..if i were to put ISA server on the separate machine... should it be part of the same domain (magicmortgage) or just put it on a workgroup?
    0
     
    LVL 8

    Expert Comment

    by:kain21
    is this server a domain controller too?

    to allow access we need to create a new access rule...
    right click on firewall policy -> new -> access rule
    Specify the name as internal access.. click next
    Select Allow... next
    all outbound traffic... next
    click add... expand networks... select internal... click add... click close.. click next...
    click add... expand networks... select local host... click add... click close.. click next...
    leave all users... click next
    click finish and apply the changes

    as far as external access goes... am i getting the right ip address  68.15.32.116?
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    That's the correct IP address, is it connecting to the website?... The other computer is not a domain controller.. its not even a part of a domain its on some workgroup... i wasn't sure if i needed to make a username and password for it and add it to the domain or if i could just use it while its on some random workgroup?
    0
     
    LVL 8

    Accepted Solution

    by:
    you can have isa server on a computer that's not part of the domain... having isa server on a server that is a domain controller can definitely lead to some issues... even though all protocols have been allowed from the internal network to the isa server some traffic still gets blocked... you can see how much gets blocked by looking at the log...
    0
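    kain21's closing advice to look at the log for what is still being blocked is the check a practitioner would want to script. The block below is an added example, not code from this thread or from ISA Server: it parses a W3C-format firewall log, reading the column names from the `#Fields:` header, and tallies denied connections by destination port and rule, with a separate check for mail ports. The log lines are a constructed sample and their field names are an assumption about ISA's W3C layout, which is why the parser trusts the header rather than a fixed list.

```python
"""Summarise denied rows in an ISA-style W3C firewall log (added example).

Column names are read from the '#Fields:' header rather than hard-coded, so
the tally does not depend on the exact field set ISA writes.
"""
from collections import Counter

# Constructed sample rows. 10.0.0.x is the internal LAN from the thread,
# 10.0.0.1 stands for the ISA server's own internal address, and 203.0.113.10
# stands for the ISP mail host. Result code 12202 is the "ISA Server denied
# the specified URL" code the poster saw when browsing on the ISA box itself.
_FIELDS = ["date", "time", "client-ip", "destination-ip", "destination-port",
           "protocol", "action", "rule", "result-code"]
_ROWS = [
    ("2004-11-02", "21:10:01", "10.0.0.21", "203.0.113.10", "110", "POP3",
     "Allowed", "Web Access Only", "0"),
    ("2004-11-02", "21:10:03", "10.0.0.21", "203.0.113.10", "25", "SMTP",
     "Allowed", "Web Access Only", "0"),
    ("2004-11-02", "21:11:40", "10.0.0.22", "203.0.113.10", "110", "POP3",
     "Allowed", "Web Access Only", "0"),
    # Mail client on the ISA server itself: Local Host is its own network, so
    # the internal-to-external mail rule does not match and the default deny
    # rule fires, which is the behaviour kain21 describes.
    ("2004-11-02", "21:12:05", "10.0.0.1", "203.0.113.10", "110", "POP3",
     "Denied", "Default rule", "0"),
    ("2004-11-02", "21:12:30", "10.0.0.1", "127.0.0.1", "80", "HTTP",
     "Denied", "Default rule", "12202"),
    ("2004-11-02", "21:15:12", "10.0.0.23", "198.51.100.5", "23", "Telnet",
     "Denied", "Default rule", "0"),
]
# Header names are space separated, data columns tab separated (rule names
# contain spaces), matching the W3C extended log convention.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft(R) Internet Security and Acceleration Server 2004",
     "#Version: 1.0",
     "#Fields: " + " ".join(_FIELDS)]
    + ["\t".join(row) for row in _ROWS]) + "\n"


def parse_w3c(text):
    """Yield one dict per data row; keys come from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):  # directive: only #Fields carries structure
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before any #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def denied_summary(text):
    """Return (Counter of (port, protocol, rule), {key: set of client IPs}) for denied rows."""
    counts = Counter()
    clients = {}
    for row in parse_w3c(text):
        if row["action"] != "Denied":
            continue
        key = (row["destination-port"], row["protocol"], row["rule"])
        counts[key] += 1
        clients.setdefault(key, set()).add(row["client-ip"])
    return counts, clients


def mail_still_blocked(text, ports=("25", "110")):
    """Sorted (client-ip, port) pairs for denied POP3/SMTP connections.

    Once POP3 and SMTP are in the access rule, anything left here is traffic
    the rule does not cover, such as a mail client running on the ISA host.
    """
    return sorted((row["client-ip"], row["destination-port"])
                  for row in parse_w3c(text)
                  if row["action"] == "Denied" and row["destination-port"] in ports)


if __name__ == "__main__":
    counts, clients = denied_summary(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"port {key[0]:>5} {key[1]:<6} denied {n}x by '{key[2]}' from {sorted(clients[key])}")
    print("mail ports still blocked:", mail_still_blocked(SAMPLE_LOG))
```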
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Ok great. thank you for all of your help!
    0
     
    LVL 8

    Expert Comment

    by:kain21
    no problem... I would recommend buying this book when it comes out http://www.amazon.com/exec/obidos/tg/detail/-/1931836191/qid=1100094271/sr=8-2/ref=sr_8_2/102-2565527-3794501?v=glance&n=507846 ... i know i will be...
    0
     
    LVL 3

    Author Comment

    by:Leo Alexander
    Thanks, i will look into it.
    0