ntobin (asker)
Internet connection not working after new firewall install

    I have a 2003 server with Exchange 2003 that will not connect to the internet through Internet Explorer. Here is what has happened and what I have found to work. We just upgraded to a SonicWall Pro 2040 with WAN load balancing; I have a 6MB cable connection for the primary WAN and a 1GB fractional T1 for the failover. All of the computers on the network look to the 2003 server for DNS and get on the internet without any problems, and if I ping a site from the server I get the correct reply, so DNS seems fine. Norton Corporate will also do updates, which seems really strange. It gets better though: my Exchange server receives mail but will not send mail, and the strangest thing of all is that if I unplug my cable connection from the firewall so it fails over to the T1, I can get on the internet and my Exchange server sends mail. When I plug my cable connection back in, the internet stops working again. I do not have to change anything on the server for this to work. It seems like a gateway problem at first, but my firewall is the gateway and it works with the T1. I know that I'm spoiled, but I would like to use my 6MB connection over my T1. Please help.

Thanks,
Nick
Seelan Naidoo

Seems like you have to explicitly allow HTTP (port 80) and SMTP (port 25) on your new firewall, and any other traffic that's required.
KevNet

Do you have your firewall/routers set up correctly for the two connections, and are your routing tables and firewall settings correct?
Seems like it's all correct for the T1, but when you're trying to use the other it all goes wrong.
It's the first place I would start looking.
ASKER
The firewall has all outbound traffic allowed. All other PCs on the network can get to the internet on both connections. I think that the problem is somewhere on the server. I will however look again at the settings to triple check.
Are you routing mail through your own DNS servers or external ones, such as the ISP's DNS or an SMTP connector?
Does your Exchange server point at your DNS server, or does it have its own settings, including those of the ISP?
ASKER
My Exchange server uses our own DNS server using the default SMTP Virtual Server. Our DNS is on the 2003 server and has forwarders set up that point to our ISP DNS. The 1st and 3rd forwarders are for the cable connection and the 2nd and 4th are for the T1. This is not just an Exchange problem; it seems it is an internet connection problem.
Silly question, but the TCP/IP settings on the Exchange server network adapter(s) have the IP address for the local DNS server and no others, right?
ASKER
The server has 2 adapters; one is disabled and the other has its own IP as the DNS. No matter which line is plugged into the firewall I can ping out correctly to sites on the internet.
Hmm, strange.
So all other computers connect whatever the connection?
Only the Exchange server plays up when not using the T1?
You can't access the internet and cannot send mail when on the other 6MB connection.
From an outside point of view this still smells like DNS issues. How are you pinging: an external IP address or a DNS site name?
Have you tried putting the external DNS server addresses directly in the TCP/IP DNS settings on the Exchange server itself?
In this order

1st: LAN DNS
2nd: MAIN ISP DNS Server1
3rd: MAIN ISP DNS Server2
4th: BACKUP ISP DNS Server1
5th: BACKUP ISP DNS Server2

?????
ASKER
All other PCs on the network access the internet no matter what connection is on; the server is the only PC that won't connect with the 6MB connection active. When I ping I try sony.com and cnn.com and both work with each connection. I tried to put the internet DNS settings in the network card TCP/IP settings in many configurations but none worked. It seems like DNS is functioning fine. I also did the following after each time I changed the forwarders in DNS last night:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon

I know it's a strange one, that's why I gave so many points.
Indeed this is a very strange one, if all the other computers are working fine in all circumstances.
Certainly scratching my head!
Have you tried disconnecting the T1 so you are on the 6meg line and rebooting the server?
You haven't misconfigured any NAT rules in the firewall for that particular server connection to the 6meg service?
I assume that each connection has separate static IPs, so you would need two sets of rules, one for each?
If you have NAT for SMTP and HTTP for some reason (OWA?), this could explain why that specific machine is getting the problems on that connection only and no other machine.
ASKER CERTIFIED SOLUTION
KevNet
ASKER
Because this firewall has failover between the two internet connections, I left the setup as standard as possible. Both connections have all outbound traffic open. The T1 has ports open for SMTP, OWA and Terminal Services. I have sent in a trouble ticket to SonicWall but I have not heard back yet. The way that I think it works is that the router does NAT for both connections the same way, since I have not changed anything. All I did was add rules for inbound traffic and did not change outbound traffic. Since all workstations get on no matter what the connection, it seems that the problem is on the server. If NAT was blocking because of my rules, wouldn't it block the other PCs also?
The other PCs only use the outgoing rule, which works fine whatever; you don't normally point NAT rules at client PCs.
When you need to direct stuff inbound, this is normally only to servers for web hosting or email services etc.
The NAT rules would possibly not be the same for both connections, as they would in theory have different static public IP addresses, being on different ISP networks?
As an example:
If you had a rule for a public IP of 82.152.18.11 running on the 6meg, pointing inbound port 80 at server LAN IP of 192.168.1.205, and it was round the wrong way, this could block all outgoing traffic from that server when that public IP was in use.
If it then changed to the T1 with, say, IP 62.49.94.218, this could invoke a separate NAT rule for that connection that's configured and works OK.


ASKER
You are on to something now! I changed my server IP by one number and I got on the internet. Why didn't I try that in the first place? I still have my support request in to SonicWall and I will let you know how they say to correct it. It didn't seem right, since my incoming rules applied only to the T1, not the 6MB. Progress!
Excellent!
That definitely says there is some sort of rule configured against that server's IP address in the firewall for those ports.
If your other software such as Norton update etc. works OK, it could well be because there is no NAT rule for the port it is using, so it just gets thrown in with the allow-all outbound rule.
The more I think about it, the more it seems like a duff rule or setting somewhere.
Other than that, it could be that you need to update the software on the firewall. I'm sure SonicWall should be able to tell you that.
Let me know how you get on.
ASKER
OK, after dealing with SonicWall support and having all of my internet connections go down for an hour while we deleted the wrong rules, this is what we found. The wizard that creates the incoming rules for the firewall also creates NAT rules. NAT rules for the Enhanced OS, which is what I have for failover support, are 1 to 1, so from my understanding the wizard only created rules for the incoming and outgoing traffic on the T1 connection but failed to create a rule for the 6MB connection, even though it was the primary connection. Thank you for all your help.
Thanks for the feedback. Glad I could be of help.
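KevNet's NAT example (a rule keyed to the server's LAN address and one WAN's public IP) and the final finding (the wizard created 1:1 NAT rules for the T1 but none for the cable connection) can be modelled and audited in a few lines. The Python below is an added illustration, not code from this thread and not SonicWall's rule engine; it uses a simplified first-match NAT policy model. The interface names `X1_cable` and `X2_t1`, the `/24` prefixes, and the assumption that the wizard's 1:1 rule matches on source address without being bound to an egress interface are all constructed for the example. The public and LAN addresses are the ones KevNet quoted.

```python
"""Simplified model of outbound NAT policy lookup on a dual-WAN firewall.

Added example for the thread above; it is NOT SonicWall's implementation.
Addresses come from KevNet's example; interface names and prefixes are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed WAN table: interface name -> public prefix its ISP routes to it.
WANS = {
    "X1_cable": ip_network("82.152.18.0/24"),  # primary 6 Mb cable link (constructed prefix)
    "X2_t1": ip_network("62.49.94.0/24"),      # failover T1 link (constructed prefix)
}


@dataclass(frozen=True)
class NatRule:
    name: str
    src: Optional[str]        # LAN host the rule matches; None = any host
    egress: Optional[str]     # WAN interface the rule is bound to; None = any interface
    translated_src: str       # public source address written into outbound packets
    one_to_one: bool = False  # static 1:1 mapping rather than interface masquerade


def matches(rule: NatRule, src_ip: str, egress: str) -> bool:
    """A rule applies when both its source and egress selectors are wildcard or equal."""
    return rule.src in (None, src_ip) and rule.egress in (None, egress)


def translate(rules: List[NatRule], src_ip: str, egress: str) -> Optional[NatRule]:
    """First-match policy lookup, the common evaluation order for NAT policies."""
    for rule in rules:
        if matches(rule, src_ip, egress):
            return rule
    return None


def audit(rules: List[NatRule], wans) -> List[Tuple[str, str, str]]:
    """Flag every (1:1 host, WAN) pair whose outbound packets would leave carrying
    a source address the egress ISP does not route, so replies can never return.
    This is the condition that breaks only the NAT'd server and no other host."""
    findings = []
    hosts = sorted({r.src for r in rules if r.one_to_one and r.src})
    for host in hosts:
        for wan, prefix in wans.items():
            hit = translate(rules, host, wan)
            if hit is None:
                findings.append((host, wan, "no NAT policy matches"))
            elif ip_address(hit.translated_src) not in prefix:
                findings.append((host, wan,
                                 f"rule '{hit.name}' maps to {hit.translated_src}, "
                                 f"which is not in {prefix}"))
    return findings


# Rule set as the wizard left it (constructed): a 1:1 mapping for the server built
# for the T1 public IP and not bound to an interface, plus the default masquerade.
WIZARD_RULES = [
    NatRule("server_1to1_t1", "192.168.1.205", None, "62.49.94.218", one_to_one=True),
    NatRule("masq_cable", None, "X1_cable", "82.152.18.11"),
    NatRule("masq_t1", None, "X2_t1", "62.49.94.218"),
]

# Corrected rule set (constructed): one 1:1 mapping per WAN, each bound to its interface.
FIXED_RULES = [
    NatRule("server_1to1_cable", "192.168.1.205", "X1_cable", "82.152.18.11", one_to_one=True),
    NatRule("server_1to1_t1", "192.168.1.205", "X2_t1", "62.49.94.218", one_to_one=True),
    NatRule("masq_cable", None, "X1_cable", "82.152.18.11"),
    NatRule("masq_t1", None, "X2_t1", "62.49.94.218"),
]


def outbound_source(rules: List[NatRule], src_ip: str, egress: str) -> Optional[str]:
    """Public source address a packet from src_ip would carry when leaving via egress."""
    hit = translate(rules, src_ip, egress)
    return hit.translated_src if hit else None


if __name__ == "__main__":
    for host in ("192.168.1.205", "192.168.1.206"):   # the server and a workstation
        for wan in WANS:
            print(f"{host} via {wan}: leaves as {outbound_source(WIZARD_RULES, host, wan)}")
    for finding in audit(WIZARD_RULES, WANS):
        print("FINDING:", finding)
    print("fixed rule set findings:", audit(FIXED_RULES, WANS))
```

The audit walks every combination of 1:1 host and WAN interface and simulates the lookup. On the wizard's rule set it reports exactly one pair, the server leaving via the cable link with the T1's public address, while a workstation one address away hits the interface masquerade on either WAN. That matches the thread: only the server broke, only on the primary link, and changing its LAN IP by one digit sidestepped the rule. Re-running the audit after adding the per-WAN 1:1 rule returns no findings, which is the check worth keeping in a change procedure whenever a wizard or template generates NAT policies on a multi-WAN firewall.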