How to connect external Outlook 2007 clients with SMTP & POP3 to Exchange 2003 with PIX 501

I have the following set up:
1. SBS2003 server with Exchange 2003 SP2 installed. 2 local IP addresses on one NIC
2. A PIX 501 firewall connecting the Exchange server to the internet (SMTP fixup is off, port 25 forwarded to local IPs for each Exchange SMTP virtual server)
3. Exchange configured with 2 SMTP virtual servers, one with anonymous connections allowed for inbound internet mail traffic and one with basic authentication only for external POP3/SMTP mail clients.  Each one answers on only one local IP address.
4. The primary external IP address is referenced in external dns as mail.domain.com with appropriate A and MX records.
5. The secondary external IP address has no DNS entries associated with it.
6. The inbound SMTP virtual server is configured as follows:
        a. The test user is manually entered in the Users button on the Authentication box dialog.
        b. No TLS or other encryption is specified
        c. The Connection dialog is set to "All Except the List Below"
        d. The Relay dialog is set to "All Except the List Below" and "Allow all users with successfully authenticate to relay..."
7. I've stopped and started both SMTP virtual servers and the SMTP service itself.
8. I can connect via telnet to the external IP address of the inbound SMTP VS and the test goes like this:
        a. I enter "ehlo"
        b. I enter "auth login"
        c. I enter <encoded username> (with no domain/username or username@domain.com)
        d. I enter <encoded password>
        e. Response from server "535 5.7.3 Authentication unsuccessful."
9. I've tried connecting via Outlook 2007 and Windows Mail without any luck.  I've tried every domain and username combination I can think of (domain.internal and domain.com) and verified the username and password several times.

I'm down to wondering if there's a network transmission problem or something similar.  I started looking at MTUs and the like but decided to ask for second opinions before I dust off Ethereal.

Am I missing something obvious here? Everything looks like it should work.  Do I need a DNS A record for the second SMTP VS and then to configure that name in the Delivery - Advanced - FQDN field?  Am I formatting the username incorrectly?

Asked by vsalyan
1 Solution
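
One thing worth checking in the telnet test from step 8 of the question is what the server actually received. The following is an added example, not part of the original thread: it decodes a saved copy of such a session, flags the stray newline that encoding with `echo` instead of `echo -n` produces, and notes that with no TLS (step 6b) the credentials are only base64-encoded. The transcript, host names, credentials and the `C:`/`S:` prefixes are constructed sample values and an assumed capture format.

```python
import base64

# Constructed capture of the step 8 telnet test (C: client, S: server).
# Host names and credentials are made-up sample values, not from the post.
SAMPLE_SESSION = """\
S: 220 mail.domain.com ESMTP ready
C: ehlo client.example
S: 250-mail.domain.com Hello
S: 250 AUTH LOGIN
C: auth login
S: 334 VXNlcm5hbWU6
C: dGVzdHVzZXIK
S: 334 UGFzc3dvcmQ6
C: UGFzc3cwcmQh
S: 535 5.7.3 Authentication unsuccessful.
"""

def analyze_auth_login(transcript):
    """Decode an AUTH LOGIN exchange and report what the client really sent."""
    report = {"starttls": False, "fields": {}, "result": None, "warnings": []}
    prompt, in_auth = None, False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        cmd = text.strip().lower()
        if side == "C" and cmd == "starttls":
            report["starttls"] = True
        elif side == "C" and cmd.startswith("auth login"):
            in_auth = True
        elif side == "S" and in_auth and text.startswith("334 "):
            prompt = base64.b64decode(text[4:]).decode("ascii", "replace")
        elif side == "C" and prompt is not None:
            value = base64.b64decode(text.strip()).decode("utf-8", "replace")
            name = prompt.rstrip(":").lower()   # "Username:" -> "username"
            if value != value.strip():
                report["warnings"].append(f"{name} has stray whitespace: {value!r}")
            report["fields"][name] = value
            prompt = None
        elif side == "S" and in_auth and text[:3] in ("235", "535"):
            report["result"], in_auth = text, False
    user = report["fields"].get("username", "").strip()
    report["username_form"] = ("DOMAIN\\user" if "\\" in user
                               else "user@domain" if "@" in user else "bare")
    if report["fields"] and not report["starttls"]:
        report["warnings"].append("credentials sent without STARTTLS; base64 is not encryption")
    return report

if __name__ == "__main__":
    print(analyze_auth_login(SAMPLE_SESSION)["warnings"])
```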
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
"Am I missing something obvious here?"

In my opinion?  YES.  You're totally "overthinking" the entire configuration and you've completely ignored SBS's default design and functionality.  You might want to start by reading http://sbsurl.com/itpro

Why do you have two SMTP virtual servers?  Why have you not configured the server's email and networking with the Configure Email and Internet Connection Wizard (CEICW -- Linked as "Configure Internet Connection" on the To-Do List)?

The CEICW will properly configure your server in about 5 minutes to allow for both Outlook Web Access as well as RPC over HTTPS access from Outlook 2003/2007 remote clients.  There should be no need for POP3 access at all.

Jeff
TechSoEasy

vsalyan (Author) commented:
It turns out there were other problems with the box and we reinstalled to fix it.

POP3 was required because of non-Windows platform clients.  The CEICW does a great job of creating a basic working configuration (you're much better off using it than not generally) but doesn't do advanced configurations.

In this case I went back to Occam's Razor and looked for other problems that could cause the issue that were simpler than what I was getting in to.  I'm sure anyone who does troubleshooting will appreciate the challenge of determining when you've gone too far down the wrong path.  It's more an art than a science.  In this case, I was looking deeper than required to solve the problem on a new installation that it was easier to just reinstall.

Thanks anyway!

vsalyan (Author) commented:
I solved this one on my own, please close the question as I don't see an option to close it myself.

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
"POP3 was required because of non-Windows platform clients."

That doesn't make any sense at all... non-windows platforms can use other options which are not as problematic as POP3.  (ie, OWA, WMA, IMAP4).

"I answered my question myself. What do I do?": http://www.experts-exchange.com/help.jsp#hi70

Jeff
TechSoEasy

vsalyan (Author) commented:
POP3 was required during the transition from their old configuration to the new SBS server.  They had POP3 connections to their ISP on several non-Windows mobile devices that were not Exchange Active Sync capable and some remote laptops.  This was an inherited (failed) configuration from the previous consultant.

As for why I needed the POP3 and SMTP... rather than doing a hard cut over on Exchange implementations I create a period during which POP3 and Exchange coexist with all mail being delivered to the Exchange store.  During the coexistence I can take my time importing the PST files and setting up proper archiving on the clients without incurring large amounts of down time and off hours support for my customers.  When I have all the PST's imported and whatnot I change the client's MX records to point at the new Exchange server rather than the ISP and then after about a week I remove the old POP3 configurations for the clients, giving them plenty of time to download any remaining messages on the ISP's mail servers.

For this implementation I found out later that the end users had not properly switched their SMTP settings to point to their local ISP's SMTP relays and that they were trying to use the central office's SMTP which required that connections only be made from clients on their own network.  We switched those remote users to their own ISP's SMTP settings to fix this problem after the server was up and running.

In this case, I ended up switching the mobile devices to IMAP and converting the laptops to RPC over HTTPS after the server was rebuilt.  It all works flawlessly now.

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Well, your situation is not unique at all and that's exactly why the POP3 Connector is included with SBS.  

I do find it interesting though that your initial question was answered by me telling you that you were completely overthinking it, and you then state that you "went back to Occam's Razor" and are now claiming that you answered the question yourself.

Well... I don't think so.

Jeff
TechSoEasy

vsalyan (Author) commented:
Look, I'm not going to argue with you.  I solved this on my own.  I didn't even look at your answer until almost 2 months after I posted the question.

I'm done wasting time on this question.  I have customers to assist and I'm sure you have better things to do also.  If the moderator decides you must have the points then so be it, but it won't be because you solved my problem, it'll be because of some technicality.

I won't be checking this question any further.

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
I'm not worried about the points... I have plenty.  I'm only saying that your "solution" is precisely what I had recommended.  Too bad you didn't see it that way.

Jeff
TechSoEasy

vsalyan (Author) commented:
I apologize Jeff.  Yes... I was overthinking if not quite in the manner you suggested.  I just needed to go back and start over and rebuild it from scratch rather than trying to fix something that was too damaged to mess with.  Somebody obviously didn't know what they were doing when they put this server together.

When I rebuilt the server I did the same things I've done on the other 30 or so SBS servers I've installed... I followed industry best practices and particularly the ones set forth by Harry Brelsford... and it worked fine.  I guess I was just taking offense at your comment "Well... I don't think so." when I said that I figured it out on my own.  The assumption being that I was trying to get out of giving you the points.  I wasn't trying to do anything like that... I just figured it out without your assistance and didn't follow up here as I probably should have.

I should have just posted a message that day along the lines "Forget about my question I'm just rebuilding the server." and left it at that.

My question to the board admin is this: if I come up with the same answer that an expert does... independent of that expert and without their assistance... do they get the points or do I get a refund?

If the answer is that they get the points then I'll stop using Experts Exchange.  There's no way I'm going to halt working on my own problem while I wait for someone to potentially reply to my question in a useful manner.  I'm not going to waste points on a solution I don't use and that didn't assist me.

In this case I think Jeff and I just got off on the wrong foot.  Possibly because I took it personally when it seemed like he was calling my own capability in to question when in reality I didn't even put together the system I was trying to fix.

Finally... regarding the Member Agreement... nobody reads those very closely and I will now go review it again.  In any case I was much more worried about losing a potential customer that day than I was about following up with Jeff.  I'm an independent consultant and one customer plus or minus can mean the difference between paying the mortgage and feeding my kids or not.  In that context the rules at Experts Exchange regarding following up on my own question pale in comparison.

Once again I'm overthinking.  I'm just going to stop now and like I said earlier leave this question and go on.

Thanks for trying to help Jeff.

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
I too am an independent consultant... and I take my free time to answer questions here on EE.  The rules about following up here on EE are designed to allow for the fact that all of us are volunteers that have day-jobs.

But I'll answer your admin question... "if I come up with the same answer that an expert does... independent of that expert and without their assistance... do they get the points or do I get a refund?"

The help section is very clear about "I answered my question myself. What do I do?": http://www.experts-exchange.com/help.jsp#hi70

As Vee_Mod stated above, though... your "I answered my question myself" reply came two months after I posted basically the same suggestion... and my post was 8 hours after your initial question.  Did you solve it before then?  Well, if you did... then it would have been nice of you to say so before I took time out of my day to respectfully and appropriately answer your posted question.

The points are completely secondary to showing respect for each other here.

Jeff
TechSoEasy

vsalyan (Author) commented:
Yes... I did decide to rebuild the server before you posted your reply.  And like I said above... I should have immediately posted that I was just going to rebuild.

If you're an independent then you also know that when you're in the middle of getting a customer online that is losing tens of thousands of dollars for every hour the system is down all else becomes insignificant in comparison.  Honestly I had other things on my mind at that point than closing out my question here.  I'm sorry to have wasted your time then and now as a result.

Vee_Mod commented:
Glad that everything worked out.
I'm the third member of the group to run their own small business and I get more answers than I give around here.

AND - there have been times when I just plain old forgot to close out a question I started.  

It would probably be a good thing if there were some kind of 'pop-up' reminder every time I log in that I have an (some) question(s).

I am going to disengage, but am always available at: vee_mod@e-e.com

V

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Hopefully, next time you can save your client a ton by finding your answer here on EE.

Jeff
TechSoEasy

vsalyan (Author) commented:
I agree V.  If there were say a weekly e-mail that informed you of your open questions maybe they wouldn't go so long without someone closing them or clicking to accept a solution.

Thanks again.