IPCop 1.4.21 Changed Subnet now Exchange and OWA not working

Hello All,
I really need some help here.  I had a requirement to change the green interface IP address and network subnet from 192.168.1.x to 192.168.50.x.  I made the subnet change successfully, modified the IP addresses of the DC and OWA edge server accordingly, and changed the DHCP scope.  Then I changed all the firewall port forwarding rules from 1.x to 50.x wherever they were present.  Now, the exchange server is not receiving any emails and OWA does not work. What am I missing?  Please help me!
mhv88Asked:

ShivtekCommented:
Is this exchange 2007?
What is your exchange server's ip address?

Is port forwarding setup properly on port 25?

Do you have any addons installed on IPCOP?
0
mhv88Author Commented:
Hi Shivtek,

It is exchange 2003.  There is an exchange server inside the green zone and an OWA edge server in the orange zone.  Port forwarding rules are in place from external to internal IPs on both servers on port 25 and port 110.  How do I check the addons for IPCOP?

Everything was working correctly yesterday until I changed the green subnet via IPCOP setup on the device.
IP addresses are:
209.155.210.243 exchange
209.155.210.244 edge OWA
0
lanboyoCommented:
Check the connections status menu. If you have ssh access, do a tcpdump -ni "name of internal interface" and see if connections are going inbound to port 25. Save ipcop config and reboot.
0

ShivtekCommented:
Can you start a telnet session on port 25 from outside?

Try this from putty or command prompt

telnet 209.155.210.243 25 and see if you can connect and get a message.

0
ShivtekCommented:
You should be able to see the addons from the GUI: https://xx.xx.xx.xx:445
xx.xx.xx.xx IP of your gateway/IPCOP
0
mhv88Author Commented:
lanboyo,

Thank you, you must know that I am not too familiar with this firewall, I am a contractor trying to help out a customer.  I don't have the history on this nor do I have ssh access.  I can get physical access to the box if needed and I have remote HTTP access.  Any simplistic recommendations you have would be most welcome.
0
mhv88Author Commented:
screen shot of connections attached
Doc1.docx
0
ShivtekCommented:
Ok, so your exchange is on 192.168.50.2 and it is receiving on port 25.

Please confirm the telnet connection from inside the green network. And also from outside.
0
sukamtoCommented:
can you access OWA and telnet port 25 internally from LAN computer? To make sure your exchange and OWA is working fine after changing LAN subnet.
0
mhv88Author Commented:
My apologies for being such a noob, but I'm more of a developer than a network person.  When I try to telnet both external and internal nothing happens.  At the command prompt from inside the green network, I type in telnet 192.168.50.2 25 but I don't seem to get any sort of response.  What am I supposed to see?
0
sukamtoCommented:
Is the IPCop using BOT (Block Outgoing Traffic addon)? If so, make sure you have made the changes accordingly in the Block Outgoing Traffic rules.
Btw, can the server access internet after altering IPCop ip address?
0
mhv88Author Commented:
Internet access is working correctly on all servers and client PCs on the new subnet.
Only exchange seems to not be working anymore.
0
mhv88Author Commented:
I looked on the menu structure of the IPCOP GUI but I don't see anything that says addons so I'm not sure if any are installed.
0
ShivtekCommented:
BOT won't block any incoming traffic.
But would definitely block telnet on port 25, if not allowed.

Telnet should be giving a 220 ESMTP message with the server name.

Can you check if you can establish the telnet on the exchange server locally.

0
ShivtekCommented:
When establishing a telnet from exchange server itself, use: telnet localhost 25, instead of using the IP address.
0
mhv88Author Commented:
on the exchange server itself I open up a cmd window and type telnet.  Results are as follows:

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Microsoft Telnet> o localhost 25
Connecting To localhost...

Connection to host lost.

Microsoft Telnet>
0
ShivtekCommented:
Ok, try ports 110 and 587 as well.
0
mhv88Author Commented:
Relevant port forwarding rules attached.
Doc2.docx
0
mhv88Author Commented:
Should I not be posting these screen shots?
0
mhv88Author Commented:
telnet to 110 yielded this response:

+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (POSTE.imcdc.com) ready.
but anything I typed after that received a protocol error, had to close the cmd window.

telnet to 587 yielded failed connection attempt

0
mhv88Author Commented:
telnet 110 works externally as well
0
lanboyoCommented:
I would concentrate on the internal servers. Make sure all AD devices have been changed, all services that need to be aware of the change are made, and the servers have been rebooted.

It looks like a variety of devices are still trying to reach the server in 192.168.1.2, if that has been changed from 192.168.1.2 to 192.168.50.2, then perhaps the server does not know it. You are dumping a lot of traffic to the 192.168.1.2 network to the internet, so you need to rebuild the print queues and make sure that the DNS records, especially the MX have been changed appropriately.

The print queues on 192.168.50.144 are going to the internet...
Device 192.168.50.147 can't find its DNS server, still looking for 1.2

It looks like you need to change the NATs for 1.210 and 1.250  

Worst of all is the server on 50.2 trying to connect to 1.2 which is probably itself.

0
sukamtoCommented:
From your ipcop screenshot, the port forward rule is working fine. The problem is that your exchange server is not responding properly; it is not a firewall issue now.
Check your exchange server.
Are the internal users able to access the exchange server?
Can they telnet to the exchange server on port 25 (telnet 192.168.50.2 25)?
0
mhv88Author Commented:
I changed the IP addresses of the printers on the printers themselves after I made the subnet changes, then I changed the port IPs on the print server to the new subnet IPs.  I'm not sure why the printers would still be doing that, perhaps it is because the client PCs still need to have their printers remapped?

I changed DHCP over to the new subnet as well but I don't know what else to change or how to rebuild the print queues or change the DNS records.
0
lanboyoCommented:
I would delete the screenshots after a while, it is not like the fact you are a mail server is top secret. Inbound connections to tcp 25 on the external NAT are immediately closed, connections to tcp 24 are silently discarded, I think the server is not listening on tcp 25, if you do a netstat -an on the server, it should be listening on port 25.

0
mhv88Author Commented:
telnet to localhost 25 works on the exchange server

telnet to 192.168.50.2 25 does NOT work on the client PCs
0
mhv88Author Commented:
Partial results of netstat -an  from the server itself:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1064           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1066           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1072           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1077           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1079           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1094           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1225           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1228           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1311           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2160           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2161           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2260           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3052           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3999           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5633           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5651           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8003           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9876           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12174          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18468          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34570          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34571          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34572          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34573          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38292          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:56342          0.0.0.0:0              LISTENING

0
sukamtoCommented:
What exchange server are you using?
Have you tried restarting the exchange services or rebooting the server after the IP changes?
0
mhv88Author Commented:
exchange 2003 and I have rebooted the server 2 times since the subnet change
0
sukamtoCommented:
Check exchange system manager - server - protocol - smtp - default smtp virtual server - properties - is the IP Address using the new IP? Is the smtp protocol service started properly? Any errors in the server event viewer?
0

lanboyoCommented:
I would make sure that all internal active directory elements including whoever has the global catalog are reconfigured.

Concentrate on DNS servers... Look at error logs on 50.2

Reconfigure APC powerchute.
0
mhv88Author Commented:
sukamto,

I think that did the trick!  When I checked the default smtp virtual server properties it was set to the old IP address.  I set it to "All Unassigned" and the server seems to be sending and receiving emails now.  OWA on the edge server is still not working.  That server is on its own subnet and there were no changes to that server's IP configuration.
0
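Added example, not part of the original thread or written by any participant: a scripted form of the `telnet <host> 25` checks used above, which classifies each attempt as a 220 greeting, an immediate close, a refusal or a timeout so the loopback and LAN-address results can be compared after a renumbering. The function names and the hint strings are illustrative assumptions.

```python
import socket
import sys

def probe_smtp(host, port=25, timeout=5.0):
    """Classify one TCP connection attempt to an SMTP listener.

    Returns (state, detail); state is one of:
      'banner'  - server sent a 220 greeting (detail is the greeting line)
      'other'   - server sent something that is not a 220 greeting
      'closed'  - connect succeeded, peer closed before greeting
      'refused' - nothing is listening on that address and port
      'timeout' - no answer (filtered, no route, or stale address)
      'error'   - any other socket error (detail is the OS message)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(512)
        except socket.timeout:
            return ("timeout", "connected, no greeting")
        except ConnectionResetError:
            return ("closed", "reset by peer")
    if not data:
        return ("closed", "")
    line = data.decode("ascii", "replace").splitlines()[0]
    return ("banner" if line.startswith("220") else "other", line)

def diagnose(loopback_state, lan_state):
    """Heuristic hint (an assumption of this example) from two probe states."""
    if loopback_state == "banner" and lan_state != "banner":
        return "greets on loopback only: check the service's bound IP and host firewall"
    if loopback_state != "banner":
        return "no local greeting: check that the SMTP service is started and bound"
    return "greets on both addresses: check port forwarding and NAT next"

if __name__ == "__main__":
    # Run on the mail server itself: python probe.py <server LAN IP>
    lan_ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    local = probe_smtp("127.0.0.1")
    lan = probe_smtp(lan_ip)
    print("127.0.0.1 ->", local)
    print(lan_ip, "->", lan)
    print(diagnose(local[0], lan[0]))
```
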
lanboyoCommented:
Make sure the OWA server has a good source of DNS, it needs to talk to the internal servers.
0
mhv88Author Commented:
the OWA edge server is on the yellow zone in IPCOP and is on its own subnet and has IP 192.168.10.2.  I cannot ping the DC/DNS server from the OWA server right now.  I don't know if that was working previously or not.
0
mhv88Author Commented:
from the exchange server on the green lan I can ping the OWA edge server on the yellow lan by name and it resolves to the correct address.  but I cannot do the reverse from the OWA edge server to the exchange server either by name or IP
0
mhv88Author Commented:
I think the issue is the DMZ pinholes on IPCOP are not configured correctly.  I am looking into that now.
0
mhv88Author Commented:
Thank you Guys for all your help.  You ROCK!
0