Solved

MS Outlook behind ISA 2006 Cannot send and Receive emails

Posted on 2009-05-18
Last Modified: 2013-11-29
I cannot send or receive emails from particular accounts configured in MS Outlook behind ISA 2006. Ever since I installed ISA, I can only receive/send emails from one particular account; "...cannot contact the mail server..." is what is shown in the error message.
I have checked the configurations, and I have connected via a different network which does not reside behind ISA and it works fine, so I have dissipated any doubts on whether the mail server was having any sort of problems. The firewall rules seem to be well applied too; I say this because I can still receive/send emails from one of the POP accounts, which happens to have the same domain name as the mail server (it is hosted externally).

Any help would be greatly appreciated.

Rgs,
Question by:kemitHamite
17 Comments
 

Expert Comment

by:Axiscomputernetworks
ID: 24411500
What address do you get back if you ping the Exchange server as specified in the account configuration? I saw this once before when the client machine had a hosts entry for the mailserver that specified the external address. With one firewall, they could go to the external address, and by chance get redirected back inside. With a new firewall, that path wasn't available. In this case, using Exchange from outside the firewall works correctly because it is supposed to use the public/routable IP address for the Exchange server.

So from inside the firewall, ping the Exchange server. If it comes back as a 10.x.x.x, 172.x.x.x, or 192.168.x.x address, then that is good. If it comes back with the same address that you would get if you pinged it from outside, then you have a problem. Check the hosts file to see if there is an entry. Check your DNS server to see if it is automatically getting one inside the network, preferably a Windows server that is part of the domain.
0
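The hosts-file check described in the comment above, as an added example that is not part of the original thread: it lists any hosts entries that override a mail server name and labels each address internal or external. The hostnames and hosts-file contents are constructed samples, and "172.x.x.x" is taken to mean the RFC 1918 range 172.16.0.0/12.

```python
import ipaddress

# Constructed sample of a client hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
203.0.113.25    mail.example.com mail   # stale entry with the public address
10.0.0.15       pop.example.net
"""

# Private ranges named in the comment (172.x.x.x read as 172.16.0.0/12).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def hosts_overrides(hosts_text, hostname):
    """Return every address the hosts file maps to hostname (case-insensitive)."""
    wanted = hostname.lower().rstrip(".")
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if wanted in names:
            found.append(fields[0])
    return found

def classify(address):
    """Label an address as loopback, internal (RFC 1918) or external."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "internal"
    return "external"

def audit(hosts_text, mail_servers):
    """Map each mail server name to [(address, label)] found in the hosts file."""
    return {name: [(a, classify(a)) for a in hosts_overrides(hosts_text, name)]
            for name in mail_servers}

if __name__ == "__main__":
    servers = ["mail.example.com", "pop.example.net", "smtp.example.org"]
    for name, entries in audit(SAMPLE_HOSTS, servers).items():
        print(name, entries or "no hosts entry; the name is resolved through DNS")
```

On a Windows client the text to pass in is the content of `%SystemRoot%\System32\drivers\etc\hosts`.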
 
LVL 1

Author Comment

by:kemitHamite
ID: 24411570
Hi Axis...,
I am not using exchange server!
0
 

Expert Comment

by:Axiscomputernetworks
ID: 24411790
Oh. You mentioned that you were using POP3 on the separate account that is working. Are you also using POP3 on the account that is having a problem?
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 24412072
Yes, they are all using POP3. This is why I can't understand what the problem is, because if it was a matter of a configuration problem in ISA then it shouldn't work for either of the accounts. You get what I am saying?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24414913
How have you made the ISA firewall rules for the POP3 and the SMTP services?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24422749
The problem is that by default Outlook will not use the Firewall [winsock proxy] Service of ISA.  It will only use the Secure NAT Service.  I believe the reason for this is because Outlook is almost always used as an Exchange Client and having this behavior as the default helps assure that the ISA Firewall Client software does not interfere with the Exchange communication.

By default, if you want to use Outlook with an outside POP3, SMTP, IMAP Service it needs to do so as a SecureNAT Client.  This may not be desirable since SecureNAT communication is always anonymous and cannot make use of Access Rules if they require authentication.

So if you want to use Outlook over an authenticated connection to an outside POP3, SMTP, IMAP Service then you have to install the Firewall Client Software and enable the Firewall Service to acknowledge Outlook.  Do this like so:

In the ISA MMC--->Configuration-->General-->Define Firewall Client Settings-->Application Settings Tab-->find the "Outlook" entry-->edit the Value so that Disable=0

It may take up to 30 minutes or so before the changes begin to affect the Client machines.  There is an update cycle for the client side Firewall Client to pick up new or changed settings from the ISA server.

0
 
LVL 1

Author Comment

by:kemitHamite
ID: 24433358
Hi Keith_Alabaster,
Sorry for the delay.
The POP3 and SMTP rules are under INTERNET, which is my second access rule right after my DENY (blocked URLs). The protocols under the same rule are as follows:
-ftp server
-ftp
-http
-https
-pop3
-smtp

FROM Internal, Domain Controller and the ISA server
TO External
All Users

Some additional info: only on my LAN rules I have DNS, but all the rules in the LAN are crossed by a line, and all of a sudden I cannot remotely log in to my ISA server although I have RDP listed under my protocols.

Rgs
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 24433437
pwindell,
Thanks a lot for your suggestion, but I haven't been able to install the firewall client. The computer where I am installing it does not find the path to my computer running ISA. Do you think I need to open a specific rule on my firewall policy?

Rgs
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24434716
Without the Firewall Client you can only use anonymous Rules for SMTP/POP3.

But the networking issue that keeps the FWC from working properly may also prevent the thing from running properly as a SecureNAT Client,...which prevents Outlook from working.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 24440257
pwindell, I get your point, but if that was the problem then how come I can send/receive emails from one of the POP3 accounts and not from the other account?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24443513
From the same workstation using the same email client at the same time? One account works, one doesn't?
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 24443534
Ok, yes, I see that now earlier in the thread.  Well I don't know then.  Try using the actual IP# of the mail server in the connection settings in the Mail Client,...don't use Domain Names or Machine Names.

There may be DNS issues,...particularly if you aren't running Split-DNS when you maybe should be.

0
 
LVL 1

Author Comment

by:kemitHamite
ID: 24443561
Okay, I will try your suggestion.
Thanks a lot for taking your time,

rgs
0
 
LVL 1

Author Closing Comment

by:kemitHamite
ID: 31582520
pwindell, thanks a lot for helping me out. Simple and straightforward help. Just one more thing: could you give me some tips on this Split-DNS thing? Excuse my ignorance...

Many many thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24632137
A quickie answer for the Split-DNS.
There are basically two types:
1. Single Zone Split-DNS
2. Multi-Zone Split-DNS
If your AD Domain Name uses the same spelling as your Public Domain Name then you use #1.
But if the spellings are different then you use #2.
With #1 you just add additional static A Records (www, mail, etc) and give them the correct IP# whether they be Public or Private.
With #2 you add a new Standard Non-AD, Non-dynamic Update Zone for each spelling of the Domain Names you have.  Create the static records the same way as #1.
Your Split-DNS is for Your Lan only.  It has nothing to do with how the people out in "Internet Land" resolve any of your Public Domain Hosts.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 24637921
Thanks a lot pwindell, I will follow your advice.

Once again, many thanks.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24644607
I think I posted the Split-DNS comments to the wrong thread. It doesn't look like you were the one asking about it.
Sorry...
0
