Michael Veltre

IPCop 1.4.21 Changed Subnet now Exchange and OWA not working

Hello All,
I really need some help here.  I had a requirement to change the green interface IP address and network subnet from 192.168.1.x to 192.168.50.x.  I made the subnet change successfully, modified the IP addresses of the DC and OWA edge server accordingly, and changed the DHCP scope.  Then I changed all the firewall port forwarding rules from 1.x to 50.x wherever they were present.  Now, the exchange server is not receiving any emails and OWA does not work. What am I missing?  Please help me!
Shivtek

Is this exchange 2007?
What is your exchange server's ip address?

Is port forwarding set up properly on port 25?

Do you have any addons installed on IPCOP?

ASKER

Hi Shivtek,

It is exchange 2003.  There is an exchange server inside the green zone and an OWA edge server in the orange zone.  Port forwarding rules are in place from external to internal IPs on both servers on port 25 and port 110.  How do I check the addons for IPCOP?

Everything was working correctly yesterday until I changed the green subnet via IPCOP setup on the device.
IP addresses are:
209.155.210.243 exchange
209.155.210.244 edge OWA
Check the connections status menu. If you have ssh access, do a tcpdump -ni "name of internal interface" and see if connections are going inbound to port 25. Save ipcop config and reboot.
Can you start a telnet session on port 25 from outside?

Try this from putty or command prompt

telnet 209.155.210.243 25 and see if you can connect and get a message.

You should be able to see the addons from the GUI: https://xx.xx.xx.xx:445
xx.xx.xx.xx IP of your gateway/IPCOP
lanboyo,

Thank you, you must know that I am not too familiar with this firewall, I am a contractor trying to help out a customer.  I don't have the history on this nor do I have ssh access.  I can get physical access to the box if needed and I have remote HTTP access.  Any simplistic recommendations you have would be most welcome.
screen shot of connections attached
Doc1.docx
Ok, so your exchange is on 192.168.50.2 and it is receiving on port 25.

Please confirm the telnet connection from inside the green network. And also from outside.
Can you access OWA and telnet port 25 internally from a LAN computer? To make sure your exchange and OWA are working fine after changing the LAN subnet.
My apologies for being such a noob, but I'm more of a developer than a network person.  When I try to telnet both external and internal nothing happens.  At the command prompt from inside the green network, I type in telnet 192.168.50.2 25 but I don't seem to get any sort of response.  What am I supposed to see?
Is the IPCop using BOT (Block Outgoing Traffic addon)? If so, make sure you have made changes accordingly in the Block Outgoing Traffic rule.
Btw, can the server access internet after altering IPCop ip address?
Internet access is working correctly on all servers and client PCs on the new subnet.
Only exchange seems to not be working anymore.
I looked on the menu structure of the IPCOP GUI but I don't see anything that says addons so I'm not sure if any are installed.
BOT won't block any incoming traffic.
But would definitely block telnet on port 25, if not allowed.

Telnet should be giving a 220 ESMTP message with the server name.

Can you check if you can establish the telnet on the exchange server locally.

When establishing a telnet from the exchange server itself, use: telnet localhost 25, instead of using the IP address.
On the exchange server itself I open up a cmd window and type telnet.  Results are as follows:

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Microsoft Telnet> o localhost 25
Connecting To localhost...

Connection to host lost.

Microsoft Telnet>
Ok, try ports 110 and 587 as well.
Relevant port forwarding rules attached.
Doc2.docx
Should I not be posting these screen shots?
telnet to 110 yielded this response:

+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (POSTE.imcdc.com) ready.
But anything I typed after that received a protocol error, and I had to close the cmd window.

telnet to 587 yielded failed connection attempt

telnet 110 works externally as well
I would concentrate on the internal servers. Make sure all AD devices have been changed, all services that need to be aware of the change are made, and the servers have been rebooted.

It looks like a variety of devices are still trying to reach the server in 192.168.1.2. If that has been changed from 192.168.1.2 to 192.168.50.2, then perhaps the server does not know it. You are dumping a lot of traffic to the 192.168.1.2 network to the internet, so you need to rebuild the print queues and make sure that the DNS records, especially the MX, have been changed appropriately.

The print queues on 192.168.50.144 are going to the internet...
Device 192.168.50.147 can't find its DNS server, still looking for 1.2

It looks like you need to change the NATs for 1.210 and 1.250  

Worst of all is the server on 50.2 trying to connect to 1.2, which is probably itself.

From your ipcop screenshot, the port forward rule is working fine. The problem is that your exchange server is not responding properly; it is not a firewall issue now.
Check your exchange server.
Are the internal users able to access the exchange server?
Can they telnet to the exchange server on port 25 (telnet 192.168.50.2 25)?
I changed the IP addresses of the printers on the printers themselves after I made the subnet changes, then I changed the port IPs on the print server to the new subnet IPs.  I'm not sure why the printers would still be doing that, perhaps it is because the client PCs still need to have their printers remapped?

I changed DHCP over to the new subnet as well but I don't know what else to change or how to rebuild the print queues or change the DNS records.
I would delete the screenshots after a while; it is not like the fact you are a mail server is top secret. Inbound connections to tcp 25 on the external NAT are immediately closed, and connections to tcp 24 are silently discarded. I think the server is not listening on tcp 25; if you do a netstat -an on the server, it should be listening on port 25.

telnet to localhost 25 works on the exchange server

telnet to 192.168.50.2 25 does NOT work on the client PCs
Partial results of netstat -an  from the server itself:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1064           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1066           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1072           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1077           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1079           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1094           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1225           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1228           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1311           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2160           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2161           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2260           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3052           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3999           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5633           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5651           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8003           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9876           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12174          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18468          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34570          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34571          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34572          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:34573          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38292          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:56342          0.0.0.0:0              LISTENING

What exchange server are you using?
Have you tried restarting the exchange services or rebooting the server after the IP changes?
Exchange 2003, and I have rebooted the server 2 times since the subnet change.
ASKER CERTIFIED SOLUTION
sukamto

sukamto,

I think that did the trick!  When I checked the default smtp virtual server properties it was set to the old IP address.  I set it to "All Unassigned" and the server seems to be sending and receiving emails now.  OWA on the edge server is still not working.  That server is on its own subnet and there were no changes to that server's IP configuration.
Make sure the OWA server has a good source of DNS, it needs to talk to the internal servers.
The OWA edge server is on the yellow zone in IPCOP and is on its own subnet and has IP 192.168.10.2.  I cannot ping the DC/DNS server from the OWA server right now.  I don't know if that was working previously or not.
From the exchange server on the green lan I can ping the OWA edge server on the yellow lan by name and it resolves to the correct address.  But I cannot do the reverse from the OWA edge server to the exchange server, either by name or IP.
I think the issue is the DMZ pinholes on IPCOP are not configured correctly.  I am looking into that now.
Thank you Guys for all your help.  You ROCK!
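
The loopback-versus-LAN port 25 comparison that this thread performs by hand with telnet, as an added example that is not part of the original posts. The function names `probe_smtp` and `diagnose` and the wording of the hints are assumptions made for illustration; the "dropped" result corresponds to the "Connection to host lost." message shown earlier, and the binding hint reflects the fix the asker reports.

```python
import socket
import sys


def probe_smtp(host, port=25, timeout=3.0):
    """Connect once and classify the result as (status, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "nothing is listening on this address and port")
    except socket.timeout:
        return ("filtered", "no answer; packets are probably dropped on the path")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(512)  # an SMTP server speaks first
        except socket.timeout:
            return ("silent", "connected, but no banner arrived")
        except ConnectionResetError:
            data = b""
    if not data:
        # What "Connection to host lost." looks like from telnet.
        return ("dropped", "connection accepted, then closed without a banner")
    banner = data.decode("ascii", "replace").splitlines()[0]
    if banner.startswith("220"):
        return ("ok", banner)
    return ("unexpected", banner)


def diagnose(loopback_status, lan_status):
    """Turn the two probe statuses into a next step (hints are assumptions)."""
    if loopback_status != "ok":
        return "SMTP does not answer even locally: check the SMTP service itself"
    if lan_status != "ok":
        return ("SMTP answers on loopback but not on the LAN address: check "
                "which IP the SMTP virtual server is bound to")
    return "SMTP answers on both: look at port forwarding / NAT next"


if __name__ == "__main__":
    # Usage: python probe.py <server LAN IP>   (run on the mail server itself)
    lan_ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    local = probe_smtp("127.0.0.1")
    lan = probe_smtp(lan_ip)
    print("127.0.0.1:", local)
    print(lan_ip + ":", lan)
    print(diagnose(local[0], lan[0]))
```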