Solved

IPCop 1.4.21 Changed Subnet now Exchange and OWA not working

Posted on 2010-04-04
38
Medium Priority
597 Views
Last Modified: 2012-08-13
Hello All,
I really need some help here.  I had a requirement to change the green interface IP address and network subnet from 192.168.1.x to 192.168.50.x.  I made the subnet change successfully, modified the IP addresses of the DC and OWA edge server accordingly, and changed the DHCP scope.  Then I changed all the firewall port forwarding rules from 1.x to 50.x wherever they were present.  Now, the exchange server is not receiving any emails and OWA does not work. What am I missing?  Please help me!
0
Comment
Question by:mhv88
  • 21
  • 7
  • 5
  • +1
38 Comments
 
LVL 1

Expert Comment

by:Shivtek
ID: 29734707
Is this exchange 2007?
What is your exchange server's ip address?

Is port forwarding setup properly on port 25?

Do you have any addons installed on IPCOP?
0
 

Author Comment

by:mhv88
ID: 29735728
Hi Shivtek,

It is exchange 2003.  There is an exchange server inside the green zone and an OWA edge server in the orange zone.  Port forwarding rules are in place from external to internal IPs on both servers on port 25 and port 110.  How do I check the addons for IPCOP?

Everything was working correctly yesterday until I changed the green subnet via IPCOP setup on the device.
IP addresses are:
209.155.210.243 exchange
209.155.210.244 edge OWA
0
 
LVL 10

Expert Comment

by:lanboyo
ID: 29736559
Check the connections status menu. If you have ssh access, do a tcpdump -ni "name of internal interface" and see if connections are going inbound to port 25. Save ipcop config and reboot.
0
 
LVL 1

Expert Comment

by:Shivtek
ID: 29737104
Can you start a telnet session on port 25 from outside?

Try this from putty or command prompt

telnet 209.155.210.243 25 and see if you can connect and get a message.

0
 
LVL 1

Expert Comment

by:Shivtek
ID: 29737180
You should be able to see the addons from the GUI: https://xx.xx.xx.xx:445
xx.xx.xx.xx IP of your gateway/IPCOP
0
 

Author Comment

by:mhv88
ID: 29737724
lanboyo,

Thank you, you must know that I am not too familiar with this firewall, I am a contractor trying to help out a customer.  I don't have the history on this nor do I have ssh access.  I can get physical access to the box if needed and I have remote HTTP access.  Any simplistic recommendations you have would be most welcome.
0
 

Author Comment

by:mhv88
ID: 29738110
screen shot of connections attached
Doc1.docx
0
 
LVL 1

Expert Comment

by:Shivtek
ID: 29738280
Ok, so your exchange is on 192.168.50.2 and it is receiving on port 25.

Please confirm the telnet connection from inside the green network. And also from outside.
0
 
LVL 4

Expert Comment

by:sukamto
ID: 29738602
Can you access OWA and telnet port 25 internally from a LAN computer? This is to make sure your exchange and OWA are working fine after changing the LAN subnet.
0
 

Author Comment

by:mhv88
ID: 29739015
My apologies for being such a noob, but I'm more of a developer than a network person.  When I try to telnet both external and internal nothing happens.  At the command prompt from inside the green network, I type in telnet 192.168.50.2 25 but I don't seem to get any sort of response.  What am I supposed to see?
0
 
LVL 4

Expert Comment

by:sukamto
ID: 29739220
Is the IPCop using BOT (Block Outgoing Traffic addon)? If so, make sure you have made changes accordingly in the Block Outgoing Traffic rule.
Btw, can the server access the internet after altering the IPCop IP address?
0
 

Author Comment

by:mhv88
ID: 29739430
Internet access is working correctly on all servers and client PCs on the new subnet.
Only exchange seems to not be working anymore.
0
 

Author Comment

by:mhv88
ID: 29739537
I looked on the menu structure of the IPCOP GUI but I don't see anything that says addons so I'm not sure if any are installed.
0
 
LVL 1

Expert Comment

by:Shivtek
ID: 29739632
BOT won't block any incoming traffic.
But would definitely block telnet on port 25, if not allowed.

Telnet should be giving a 220 ESMTP message with the server name.

Can you check if you can establish the telnet on the exchange server locally.

0
 
LVL 1

Expert Comment

by:Shivtek
ID: 29739665
When establishing a telnet from the exchange server itself, use: telnet localhost 25, instead of using the IP address.
0
 

Author Comment

by:mhv88
ID: 29740433
on the exchange server itself I open up a cmd window and type telnet.  Results are as follows:

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Microsoft Telnet> o localhost 25
Connecting To localhost...

Connection to host lost.

Microsoft Telnet>
0
 
LVL 1

Expert Comment

by:Shivtek
ID: 29740725
Ok, try ports 110 and 587 as well.
0
 

Author Comment

by:mhv88
ID: 29740755
Relevant port forwarding rules attached.
0
 

Author Comment

by:mhv88
ID: 29740833
Relevant port forwarding rules attached.
Doc2.docx
0
 

Author Comment

by:mhv88
ID: 29740855
Should I not be posting these screen shots?
0
 

Author Comment

by:mhv88
ID: 29741118
telnet to 110 yielded this response:

+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (POSTE.imcdc.com) ready.
but anything I typed after that received a protocol error, had to close the cmd window.

telnet to 587 yielded failed connection attempt

0
 

Author Comment

by:mhv88
ID: 29741244
telnet 110 works externally as well
0
 
LVL 10

Expert Comment

by:lanboyo
ID: 29741361
I would concentrate on the internal servers. Make sure all AD devices have been changed, all services that need to be aware of the change are made, and the servers have been rebooted.

It looks like a variety of devices are still trying to reach the server in 192.168.1.2, if that has been changed from 192.168.1.2 to 192.168.50.2, then perhaps the server does not know it. You are dumping a lot of traffic to the 192.168.1.2 network to the internet, so you need to rebuild the print queues and make sure that the DNS records, especially the MX have been changed appropriately.

The print queues on 192.168.50.144 are going to the internet...
Device 192.168.50.147 can't find its DNS server, still looking for 1.2

It looks like you need to change the NATs for 1.210 and 1.250  

Worst of all is the server on 50.2 trying to connect to 1.2 which is probably itself.

0
 
LVL 4

Expert Comment

by:sukamto
ID: 29741574
From your ipcop screenshot, the portforward rule is working fine. The problem is your exchange server is not responding properly, it is not your firewall issue now.
Check your exchange server.
Are the internal users able to access the exchange server?
Can they telnet to the exchange server on port 25 (telnet 192.168.50.2 25)?
0
 

Author Comment

by:mhv88
ID: 29741721
I changed the IP addresses of the printers on the printers themselves after I made the subnet changes, then I changed the port IPs on the print server to the new subnet IPs.  I'm not sure why the printers would still be doing that, perhaps it is because the client PCs still need to have their printers remapped?

I changed DHCP over to the new subnet as well but I don't know what else to change or how to rebuild the print queues or change the DNS records.
0
 
LVL 10

Expert Comment

by:lanboyo
ID: 29741738
I would delete the screenshots after a while, it is not like the fact you are a mail server is top secret. Inbound connections to tcp 25 on the external NAT are immediately closed, connections to tcp 24 are silently discarded, I think the server is not listening on tcp 25, if you do a netstat -an on the server, it should be listening on port 25.

0
 

Author Comment

by:mhv88
ID: 29741819
telnet to localhost 25 works on the exchange server

telnet to 192.168.50.2 25 does NOT work on the client PCs
0
 

Author Comment

by:mhv88
ID: 29742142
Partial results of netstat -an  from the server itself:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1064           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1066           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1072           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1077           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1079           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1094           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1225           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1228           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1311           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2160           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2161           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2260           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3052           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3999           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5633           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5651           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8003           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9876           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12174          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18468          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34570          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34571          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34572          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34573          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38292          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:56342          0.0.0.0:0              LISTENING

0
 
LVL 4

Expert Comment

by:sukamto
ID: 29742225
What exchange server are you using?
Have you tried restarting the exchange services or rebooting the server after the IP changes?
0
 

Author Comment

by:mhv88
ID: 29742387
exchange 2003 and I have rebooted the server 2 times since the subnet change
0
 
LVL 4

Accepted Solution

by:
sukamto earned 1200 total points
ID: 29742789
Check exchange system manager - server - protocol - smtp - default smtp virtual server - properties - IP Address: is it using the new IP? Is the smtp protocol service started properly? Any errors in the server event viewer?
0
 
LVL 10

Assisted Solution

by:lanboyo
lanboyo earned 800 total points
ID: 29743549
I would make sure that all internal active directory elements including whoever has the global catalog are reconfigured.

Concentrate on DNS servers... Look at error logs on 50.2

Reconfigure APC powerchute.
0
 

Author Comment

by:mhv88
ID: 29743763
sukamto,

I think that did the trick!  When I checked the default smtp virtual server properties it was set to the old IP address.  I set it to "All Unassigned" and the server seems to be sending and receiving emails now.  OWA on the edge server is still not working.  That server is on its own subnet and there were no changes to that server's IP configuration.
0
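The telnet tests used throughout this thread separate several failure points: no listener, packets dropped on the path, a listener that accepts and then drops the connection, and a healthy greeting. The script below is an added example, not part of any post above; `probe_banner`, `greeting_ok` and the status labels are hypothetical names, and the hints describe general TCP behaviour rather than anything specific to IPCop or Exchange.

```python
import socket
import sys

# Hypothetical status labels -> what each telnet symptom usually means.
HINTS = {
    "banner": "service greeted us; compare with the expected greeting",
    "closed": "TCP accepted, then dropped with no greeting ('Connection to host lost')",
    "silent": "connected but no greeting arrived before the timeout",
    "refused": "nothing is listening on that address and port",
    "filtered": "no reply at all; a firewall or missing route is dropping packets",
}
EXPECTED = {25: "220", 110: "+OK"}  # SMTP and POP3 greetings seen in the thread

def probe_banner(host, port, timeout=3.0):
    """Return (status, banner) for one TCP service, like a scripted telnet."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("filtered", "")
    except OSError as exc:              # unreachable network, bad name, ...
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(512)       # SMTP and POP3 servers speak first
        except socket.timeout:
            return ("silent", "")
        except ConnectionError:
            return ("closed", "")
    if not data:
        return ("closed", "")
    return ("banner", data.decode("ascii", "replace").strip())

def greeting_ok(port, banner):
    """True when the banner starts with the greeting expected on that port.
    Ports with no entry in EXPECTED always pass."""
    return banner.startswith(EXPECTED.get(port, ""))

if __name__ == "__main__":
    # Usage: python probe.py HOST PORT [PORT ...]; the defaults are placeholders.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [25, 110]
    for port in ports:
        status, banner = probe_banner(host, port)
        print(f"{host}:{port} {status}: {banner or HINTS.get(status, '')}")
```

Running it from the server itself, from a client on the LAN and from outside the firewall shows at which hop the result changes from `banner` to something else.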
 
LVL 10

Expert Comment

by:lanboyo
ID: 29744720
Make sure the OWA server has a good source of DNS, it needs to talk to the internal servers.
0
 

Author Comment

by:mhv88
ID: 29744970
the OWA edge server is on the yellow zone in IPCOP and is on its own subnet and has IP 192.168.10.2.  I cannot ping the DC/DNS server from the OWA server right now.  I don't know if that was working previously or not.
0
 

Author Comment

by:mhv88
ID: 29745360
from the exchange server on the green lan I can ping the OWA edge server on the yellow lan by name and it resolves to the correct address.  but I cannot do the reverse from the OWA edge server to the exchange server either by name or IP
0
 

Author Comment

by:mhv88
ID: 29745758
I think the issue is the DMZ pinholes on IPCOP are not configured correctly.  I am looking into that now.
0
 

Author Closing Comment

by:mhv88
ID: 31710816
Thank you Guys for all your help.  You ROCK!
0
