• Status: Solved

MS Outlook behind ISA 2006 Cannot send and Receive emails

I cannot send or receive emails from particular accounts configured in MS Outlook behind ISA 2006. Ever since I installed ISA, I can only receive/send emails from one particular account; "...cannot contact the mail server..." is what is shown in the error message.
I have checked the configurations, and I have connected via a different network which does not reside behind ISA and it works fine, so I have dissipated any doubts on whether the mail server was having any sort of problems. The firewall rules seem to be well applied too; I say this because I can still receive/send emails from one of the POP accounts, which happens to have the same domain name as the mail server (it is hosted externally).

Any help would be greatly appreciated.

Rgs,
kemitHamite
1 Solution
 
Axiscomputernetworks Commented:
What address do you get back if you ping the Exchange server as specified in the account configuration? I saw this once before when the client machine had a hosts entry for the mailserver that specified the external address. With one firewall, they could go to the external address, and by chance get redirected back inside. With a new firewall, that path wasn't available. In this case, using Exchange from outside the firewall works correctly because it is supposed to use the public/routable IP address for the Exchange server.

So from inside the firewall, ping the Exchange server. If it comes back as a 10.x.x.x, 172.x.x.x, or 192.168.x.x address, then that is good. If it comes back with the same address that you would get if you pinged it from outside, then you have a problem. Check the hosts file to see if there is an entry. Check your DNS server to see if it is automatically getting one inside the network, preferably a Windows server that is part of the domain.
0
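The check described in the answer above (what the mail server name resolves to from inside the firewall, and whether a hosts entry overrides DNS), as an added example that is not part of the original thread. The host names, addresses and sample hosts text are constructed, and the internal ranges used are the RFC 1918 blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

```python
import ipaddress

# RFC 1918 private ranges: an internal mail server should resolve into one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Return {lowercased name: address} from hosts-file text; first entry wins."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, ignore it
        for name in fields[1:]:
            entries.setdefault(name.lower(), ip)
    return entries

def is_internal(ip):
    ip = ipaddress.ip_address(ip)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def diagnose(server, hosts_text, dns_answer):
    """Report which address an inside client will use for `server`.

    dns_answer is the address the internal DNS server returned for the name.
    A hosts-file entry, if present, takes precedence over that answer.
    """
    override = parse_hosts(hosts_text).get(server.lower())
    effective = override if override is not None else ipaddress.ip_address(dns_answer)
    source = "hosts file" if override is not None else "DNS"
    verdict = "internal" if is_internal(effective) else "external"
    return source, str(effective), verdict

# Constructed sample: a stale hosts entry pins the mail server to a public address.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# leftover entry from before the firewall change
203.0.113.25    mail.example.com
"""

if __name__ == "__main__":
    print(diagnose("mail.example.com", SAMPLE_HOSTS, "192.168.1.10"))
    print(diagnose("pop.example.com", SAMPLE_HOSTS, "172.32.0.5"))
```

Take `dns_answer` from `nslookup` against the internal DNS server: `nslookup` queries DNS directly, while `ping` goes through the system resolver and therefore reflects hosts-file entries.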
 
kemitHamite (Author) Commented:
Hi Axis...,
I am not using Exchange server!
 
Axiscomputernetworks Commented:
Oh. You mentioned that you were using POP3 on the separate account that is working. Are you also using POP3 on the account that is having a problem?
 
kemitHamite (Author) Commented:
Yes, they are all using POP3. This is why I can't understand what the problem is, because if it was a matter of a configuration problem in ISA then it shouldn't work for either of the accounts. You get what I am saying?
 
Keith Alabaster (Enterprise Architect) Commented:
How have you made the ISA firewall rules for the POP3 and the SMTP services?
 
pwindell Commented:
The problem is that by default Outlook will not use the Firewall [winsock proxy] Service of ISA.  It will only use the Secure NAT Service.  I believe the reason for this is because Outlook is almost always used as an Exchange Client and having this behavior as the default helps assure that the ISA Firewall Client software does not interfere with the Exchange communication.

By default, if you want to use Outlook with an outside POP3, SMTP, IMAP Service it needs to do so as a SecureNAT Client.  This may not be desirable since SecureNAT communication is always anonymous and cannot make use of Access Rules if they require authentication.

So if you want to use Outlook over an authenticated connection to an outside POP3, SMTP, IMAP Service then you have to install the Firewall Client Software and enable the Firewall Service to acknowledge Outlook.  Do this like so:

In the ISA MMC--->Configuration-->General-->Define Firewall Client Settings-->Application Settings Tab-->find the "Outlook" entry-->edit the Value so that Disable=0

It may take up to 30 minutes or so before the changes begin to affect the Client machines.  There is an update cycle for the client side Firewall Client to pick up new or changed settings from the ISA server.
 
kemitHamite (Author) Commented:
Hi Keith_Alabaster,
Sorry for the delay.
The POP3 and SMTP rules are under INTERNET, which is my second access rule right after my DENY (blocked URLs). The protocols under the same rule are as follows:
-ftp server
-ftp
-http
-https
-pop3
-smtp

FROM Internal, Domain Controller and the ISA server
TO External
All Users

Some additional info: only on my LAN rules I have DNS, but all the rules in the LAN are crossed by a line, and all of a sudden I cannot remotely log in to my ISA server although I have RDP listed under my protocols.

Rgs
 
kemitHamite (Author) Commented:
pwindell,
Thanks a lot for your suggestion, but I haven't been able to install the firewall client. The computer where I am installing it does not find the path to my computer running ISA. Do you think I need to open a specific rule on my firewall policy?

Rgs
 
pwindell Commented:
Without the Firewall Client you can only use anonymous Rules for SMTP/POP3.

But the networking issue that keeps the FWC from working properly may also prevent the thing from running properly as a SecureNAT Client,...which prevents Outlook from working.
 
kemitHamite (Author) Commented:
pwindell, I get your point, but if that was the problem then how come I can send/receive emails from one of the POP3 accounts and not from the other account?
 
pwindell Commented:
From the same workstation using the same email client at the same time? One account works, one doesn't?
 
pwindell Commented:
Ok, yes, I see that now earlier in the thread.  Well I don't know then.  Try using the actual IP# of the mail server in the connection settings in the Mail Client,...don't use Domain Names or Machine Names.

There may be DNS issues,...particularly if you aren't running Split-DNS when you maybe should be.
 
kemitHamite (Author) Commented:
Okay, I will try your suggestion.
Thanks a lot for taking your time,

Rgs
 
kemitHamite (Author) Commented:
pwindell, thanks a lot for helping me out. Simple and straightforward help. Just one more thing: could you give me some tips on this Split-DNS thing? Excuse my ignorance...

Many many thanks
 
pwindell Commented:
A quickie answer for the Split-DNS.
There are basically two types:
1. Single Zone Split-DNS
2. Multi-Zone Split-DNS
If your AD Domain Name uses the same spelling as your Public Domain Name then you use #1.
But if the spellings are different then you use #2.
With #1 you just add additional static A Records (www, mail, etc) and give them the correct IP# whether they be Public or Private.
With #2 you add a new Standard Non-AD, Non-dynamic Update Zone for each spelling of the Domain Names you have.  Create the static records the same way as #1.
Your Split-DNS is for Your Lan only.  It has nothing to do with how the people out in "Internet Land" resolve any of your Public Domain Hosts.
 
kemitHamite (Author) Commented:
Thanks a lot pwindell, I will follow your advice.

Once again, many thanks.
 
pwindell Commented:
I think I posted the Split-DNS comments to the wrong thread. It doesn't look like you were the one asking about it.
Sorry...