Solved

ISA 2004 Stopping Outbound Emails!!

Posted on 2006-05-24
Last Modified: 2013-11-16
I've been running ISA 2004 for well over a year without having any email problems; now ISA is blocking outbound email from all clients randomly. We are not running the firewall client; they are web proxy and SecureNAT.
I rebooted the Exchange 2003 server and Symantec Gateway server and got flooded with old emails stating they were not delivered in a timely manner. I watched the live logging on the ISA and sent out several test emails to family and all were "denied" at the ISA level.
I did notice some email went through for some users, however, and some were denied. The only thing I noticed that was different between the two was that the ones denied did not have a rule associated with them and the client IP was the outside interface of the ISA. The ones that went through did have a rule and used our gateway IP as normal.
Please help
Question by:DFCRJ

Expert Comment

by:Keith Alabaster
ID: 16750999
Which rule in the list was denying the traffic? Was it the default rule?
What is the detail of the rule you have that you believe is allowing the mail traffic out?


Author Comment

by:DFCRJ
ID: 16751081
I knew you would fly in like Superman to help :)
Here's what I just figured out: the internal adapter had Authenticated Users checked; when I placed a check in Basic, nearly half of the emails started flowing.
All SMTP traffic that is allowed to flow uses the internal-to-external rule with the internal IP being our Exchange box. The ones that are being denied (which is still a lot) are the ones with no rule and the outside interface of the ISA box. Here is the log just taken.

Original Client IP: 209.16.242.34
Server Name: DFCISA05
Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
Cache Information: 0x0
Log Record Type: Firewall
Transport: TCP
Protocol: SMTP
Destination IP: 65.54.245.40
Destination Port: 25
Client IP: 219.16.243.34
Action: Denied Connection
Rule: (none)
Log Time: 5/24/2006 8:30:52 AM
Error Information: 0x0
Source Port: 1654
Result Code: 0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED
(all other columns empty)

Expert Comment

by:Keith Alabaster
ID: 16758154
Incoming & Outgoing smtp mail should not have ANY authentication associated with it unless you are using a smarthost that requires it.
What is your outgoing rule for smtp traffic? Have you any rules above the smtp rule?
If you are running Exchange 2003, why are the clients receiving/sending email through ISA? Aren't they getting the mail directly from Exchange?
Are you receiving email traffic OK?





Author Comment

by:DFCRJ
ID: 16760710
Well, the only rule I have for outbound SMTP is the standard Internal to External with all protocols selected for all users. The only rules above it are the internal to internal and the internal to local host.
I'm running Ex 2003 internally and that's where clients send/receive emails, but how can I send an outbound email if it doesn't go through the ISA? Or are you saying all outbound SMTP should be allowed and not be seen passing through the ISA? The Ex 2003 is a SecureNAT / web proxy client.

Basically it look like this:

Internet <------> Router <------> ISA <-------> Symantec(scans for Viruses) <--------> Ex 2003 <------> Internal

When I send an email, I can see it in the ISA live logging.
As far as I know inbound works; no one has complained and I get several a day.
RJ

Expert Comment

by:Keith Alabaster
ID: 16761921
Put the smtp server rule to position 1 for a start. You may need to stop and start your smtp services to initiate the traffic again from any stalled queues.

No, you said <<<I did notice some email went thru, however for some users and some were denied >>>

Did you mean that messages for some SMTP servers are allowed but messages for other SMTP servers are denied? I had read your comment that clients were sending mail themselves (as in users).


Author Comment

by:DFCRJ
ID: 16809534
Sorry for the delayed response.
I've created an SMTP rule and moved it up to the top, and I think it's helping. We have only one mail server; all clients use Outlook. Once the mail is created it's forwarded to our gateway for scanning and then sent out.
What I'm seeing now when watching the traffic is SMTP being denied, but it's listing the client IP address as the outside interface of the ISA box, not an internal client IP. For instance, I just sent myself an email to my Hotmail account; the first SMTP traffic was denied (no rule) and the client IP was my outside interface. Then right below it, I see the client IP from the gateway using the SMTP rule and it's allowed. I received both test emails though. Here's the log on the denied one.

Original Client IP: 219.16.243.34
Server Name: DFCDOT5
Processing Time / Bytes Sent / Bytes Received: 0 / 0 / 0
Cache Information: 0x0
Log Record Type: Firewall
Transport: TCP
Protocol: SMTP
Destination IP: 65.54.244.40
Destination Port: 25
Client IP: 219.16.243.34
Action: Denied Connection
Rule: (none)
Log Time: 6/1/2006 12:45:13 PM
Error Information: 0x0
Source Port: 47691
Result Code: 0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED
(all other columns empty)

Expert Comment

by:Keith Alabaster
ID: 16809612
Open the GUI.
Select Configuration - Networks.
Double-click the local network, or right-click it and choose Properties.
Select Addresses.
ALL addresses that access ISA through the internal NIC MUST be listed here. Also, ISA is classful for the subnet, so it would have to include the network ID and broadcast.

For example:
192.168.1.0 - 192.168.1.255
10.0.0.0 - 10.2.255.255
etc.
Regards
Keith
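The two log records pasted earlier in the thread and the network-definition check above are the same triage: is the denied SMTP connection's Client IP the ISA external interface, is it missing from the Internal network's address ranges, and did it hit no rule at all? The following script is an added example, not code from the thread or from Microsoft. It parses tab-separated ISA 2004 firewall log rows, flags the symptom, and checks that an address range of the kind DFCRJ configured (10.10.0.0-10.10.255.255) really runs from network ID to broadcast. The header uses a subset of the columns shown in the thread, the sample rows are constructed (one mirrors the denied record posted above), and the external-interface address and internal range are taken from the thread.

```python
"""Triage ISA 2004 firewall-log rows for denied outbound SMTP.

Added example, not from the thread or from Microsoft. Column names follow the
ISA 2004 log export; rows below are constructed for illustration.
"""
import ipaddress

# Subset of the ISA 2004 firewall-log columns shown in the thread (assumption:
# a tab-separated export with one header row).
HEADER = ["Original Client IP", "Server Name", "Log Record Type", "Transport",
          "Protocol", "Destination IP", "Destination Port", "Client IP",
          "Action", "Rule", "Log Time", "Source Port", "Result Code"]

# Constructed sample: row 1 mirrors the denied record from the thread, row 2 is
# the normal allowed path, row 3 is a host outside the Internal network.
SAMPLE_LOG = "\n".join([
    "\t".join(HEADER),
    "\t".join(["219.16.243.34", "DFCISA05", "Firewall", "TCP", "SMTP",
               "65.54.245.40", "25", "219.16.243.34", "Denied Connection", "",
               "5/24/2006 8:30:52 AM", "1654",
               "0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED"]),
    "\t".join(["10.10.1.25", "DFCISA05", "Firewall", "TCP", "SMTP",
               "65.54.245.40", "25", "10.10.1.25", "Initiated Connection",
               "Exchange - Out", "5/24/2006 8:30:53 AM", "1655", "0x0"]),
    "\t".join(["10.20.0.7", "DFCISA05", "Firewall", "TCP", "SMTP",
               "65.54.245.40", "25", "10.20.0.7", "Denied Connection", "",
               "5/24/2006 8:31:10 AM", "1700",
               "0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED"]),
])


def parse_isa_log(text):
    """Turn a tab-separated export (header row first) into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in lines[1:]]


def parse_ranges(ranges):
    """Parse ISA-style 'first-last' ranges into (first, last) address pairs."""
    pairs = []
    for rng in ranges:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        pairs.append((lo, hi))
    return pairs


def in_internal(ip, pairs):
    """True when ip falls inside any configured Internal network range."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in pairs)


def covers_whole_subnet(isa_range):
    """True when a 'first-last' range is exactly one subnet, i.e. it starts at
    the network ID and ends at the broadcast address (ISA is classful here)."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in isa_range.split("-"))
    return len(list(ipaddress.summarize_address_range(lo, hi))) == 1


def triage(records, internal_ranges, external_ip):
    """Return (log time, client IP, destination, rule, reason) for each denied
    SMTP record that shows the symptom discussed in the thread."""
    pairs = parse_ranges(internal_ranges)
    findings = []
    for rec in records:
        if rec["Protocol"] != "SMTP" or rec["Action"] != "Denied Connection":
            continue
        client = rec["Client IP"]
        if client == external_ip:
            reason = "client IP is the ISA external interface"
        elif not in_internal(client, pairs):
            reason = "client IP is not in the Internal network definition"
        elif not rec["Rule"]:
            reason = "denied without matching any rule"
        else:
            continue
        findings.append((rec["Log Time"], client, rec["Destination IP"],
                         rec["Rule"] or "(no rule)", reason))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_isa_log(SAMPLE_LOG),
                          ["10.10.0.0-10.10.255.255"], "219.16.243.34"):
        print(" | ".join(finding))
    print("range is a whole subnet:",
          covers_whole_subnet("10.10.0.0-10.10.255.255"))
```

Run against a real export, the first reason is the one this thread chased: a denied SMTP record whose Client IP is the external interface and which matched no rule, immediately followed by an allowed record from the gateway. The second reason catches the case Keith raises above, a sending host that the Internal network definition does not cover.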

Author Comment

by:DFCRJ
ID: 16809698
I have all the internal IPs added in there. I have it just like this: 10.10.0.0-10.10.255.255.
After I created the SMTP rule and moved it up, I think it fixed the internal email problem; now I'm curious why the first thing it does is hit the outside IP first and get denied, and then use the SMTP rule to go through.

Expert Comment

by:Keith Alabaster
ID: 16809764
Not being funny, but it can't, can it? To get to the outside IP it would have to pass 'through' the inside IP (if the mail server is inside) :)

Just to be clear, we need two rules that deal with SMTP traffic.

The first is an access rule that allows all SMTP & SMTP Server traffic from Internal to External for anyone.
The second rule is a mail publishing rule that redirects to the internal 10.10.x.y address of your Exchange box.

Author Comment

by:DFCRJ
ID: 16809837
Alrighty, here's the way I have it listed.

(1) Exchange - Out | Selected Protocols - SMTP-SMTP Server | From - Internal | To - External | All Users

(2) Exchange - In | Traffic - SMTP Server | From - Anywhere | To - Published Server | Networks - External

I'm going to test some emails now.

Expert Comment

by:Keith Alabaster
ID: 16809876
Thanks RJ

Can you just confirm that the mail coming in from the Internet is on a publishing rule, not an access rule?

Author Comment

by:DFCRJ
ID: 16809951
Yup - here's what it reads: "Server Publishing Rule"

I received all three test emails, but they were first denied because, of course, the client IP was the outside interface, and then it switched to the internal and went through.
I'm sure it's something staring right out at me.

Author Comment

by:DFCRJ
ID: 16810380
Well, no luck. I'm tired and my head hurts. At least email is going out, for now. I appreciate your help and I'll keep looking around to see what's happening.

Expert Comment

by:Keith Alabaster
ID: 16812043
Hold hard there, matey. It should be a Mail Publishing rule, not a Server Publishing rule. Server publishing is for RDP (remote desktop), SQL, etc.

When you right-click the firewall policy and select New, you should see Mail Publishing in the list of options.

Author Comment

by:DFCRJ
ID: 16816893
I created a new rule by right-clicking and selecting Mail Publishing Rule; once completed it's identical to the original I had in place, with the Type: Server Publishing Rule.
So I think it may be correct.

Expert Comment

by:Keith Alabaster
ID: 16818394
It is from the outside view; it is different, though, from the ISA's point of view in respect to the way traffic is handled. If they were the same, they would not have put both options on the menu...

Author Comment

by:DFCRJ
ID: 16818415
oic
Just so I know you know, after selecting Mail rule, I'll select the server to server, not the OWA?

Expert Comment

by:Keith Alabaster
ID: 16818426
Absolutely.

The OWA rule option is for a little later :) Let's get the standard mail running first.

Author Comment

by:DFCRJ
ID: 16818465
ok - Done & I sent myself an email successfully

Expert Comment

by:Keith Alabaster
ID: 16818497
My fingers are crossed for you :)

Regards
keith

Author Comment

by:DFCRJ
ID: 16818503
well thanks, I suppose I need to check the traffic now.. hold please

Author Comment

by:DFCRJ
ID: 16818537
Well, inbound is fine... still receive the denied on outbound email, then it allows it to go through.

Expert Comment

by:Keith Alabaster
ID: 16818584
OK. Now lets deal with outbound.

How are you sending emails? From Exchange?
What is in your SMTP or internet connection in Exchange, i.e. are you delivering to a smart host or sending email out by DNS?
Has the Exchange server got the internal nic of the ISA server as its default gateway?

Please check your access rules (not publishing rules). Have you got smtp in more than one rule?



Author Comment

by:DFCRJ
ID: 16818761
(1) Yes and No. We have an Exch 2003 and we also have a Symantec Gateway.
All inbound are sent to the gateway first, to be scanned. All outbounds are sent to the gateway to be scanned and then sent out. Inside the gateway is a routing rule that only allows the Exchange to send email.
(2) The smart host is set with the IP address of the above Sym Gateway.
(3) The Exchange has the internal IP of the ISA server as its gateway.
(4) The only other place the SMTP would be setup is in the rule, Internal - External | All Outbound Traffic |

Expert Comment

by:Keith Alabaster
ID: 16819179
If you have smtp already set in the 'all outbound', remove it from ALL other outbound rules.

Author Comment

by:DFCRJ
ID: 16819231
Done. Sent out 4 test emails and never saw the denied. all perfect.
I guess that was the problem. I thought we needed to setup a separate outbound SMTP rule.

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 16819282
Not if you have already covered it in the 'all outbound'. This one catches people out; it does mean all outbound, but it actually means all protocols that are in the protocols list.

Neat.

Are we done? If so, I can call it a day and think about the weekend.

Regards
Keith

Author Comment

by:DFCRJ
ID: 16819313
Man I'll say. thanks so much for sticking with me on this. I certainly appreciate your help!!

Expert Comment

by:Keith Alabaster
ID: 16819373
You are more than welcome. It's nice when you can see the logic of the changes you are making. It really does make the concepts easier for next time.

Have a good weekend and thanks for the points.

Regards

Keith
ISA MCT

Author Comment

by:DFCRJ
ID: 16819381
You too, my friend, you too...