DMZ to Exchange 2007 (Port 25 Blocked?)

Hello folks,

We are in the process of migrating from Exchange 2003 to Exchange 2007. The current network setup is as follows

[Internet] ---email flow->[Gateway Mail Marshal Server in DMZ] --[<- Firewall Policies ->]--->[LAN: Exchange 2003 / Exchange 2007].

All policies from DMZ -> LAN and LAN ->DMZ are in place on the firewall. I have opened the policies for testing purposes. I am able to ping / RDP between the DMZ and Exchange 2007 in both directions.

However, I canno use telnet from Gateway(DMZ) to Exchange 2007. It simply does not work.
I am able to telnet into Exchange 2003 just fine.


I have modified the "Default Reciever" in Exchange 07 to include the DMZ Gateway's IP Address.

Still no go -


Any help would be great! Final Idea is to route the emails from Gateway to Exchange 07 instead of Exchange 03.  Currently there is a routing group in place between the two exchange servers to route the emails internally. All mailboxes have been moved to the Exchange 07 already.


This is the last step before i delete the routing groups and proceed with the decommissioning of the Exchange 03.
LVL 1
skyjumperdudeAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hilal1924Commented:
Hi, Couple of Questions before I suggest anything:
1. When you modified the Default Recieve Connector, Did you leve the Default (0.0.0.0 255.255.255.255) as it is?
2. What are the permissions set up on your connector? Do you have Anonymous permitted?
3. Can you telnet to port 25 internally ?
Hilal
skyjumperdudeAuthor Commented:
1.  Yes the default selections have not been removed. I did add 192.168.235.66 (DMZ- Gateway Server) to the list.

2.  Only the "Anonymous" option is selected on the connector.

3.  Telnet internally works perfectly fine.  (I triple checked the firewall setting, its wide open between the mail and gateway servers - just to be sure!)
Hilal1924Commented:
"1.  Yes the default selections have not been removed. I did add 192.168.235.66 (DMZ- Gateway Server) to the list."
>> Did you add the subnet Mask also, or Just the IP Address. It may help if you add subnet mask as well.
Can you do a packet capture (Wireshark) and see if it is even recieving telnet on port 25 from the DMZ server? Also try with a a new Dedicated Recieve Connector for this IP. Just modify the port number and choose a non-default port such as 2525 on the recieve connector and see if that helps.
Rest all settings look good.
Hilal
 

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

skyjumperdudeAuthor Commented:
Interesting!
I haven't done the Wire-shark yet but oddly enough creating a new connector on a different port worked!
Please see the attached screenshot.  
- I'm not certain as to where i can place the Subnet mask?


What do you think is preventing me to getting on at port 25?
-BTW: from my Gateway Server I can telnet on to port 25 of the Exchange 2003 (which is in LAN)

All firewalls on the Exchange 07 are turned off.
Screenshot.jpg
Hilal1924Commented:
I am sorry i am not able to see the ss sinxe i am bout to sleep. I will take a lootk at it in the morning. Use the dedicated connector for now, actually it is better than using the default connector. I will let you know if I find something interesting in the as. meanwhile you can rate this question.
Hilal
Hilal1924Commented:
PS. to use subnet mask do it in this format 192.168.62.2-255.255.255.0

just separate the ip and mask with a hyphen.
skyjumperdudeAuthor Commented:
Sounds good!

Thanks a bunch for the help. Let me know if you ever figure out why just port 25 wouldn't go.
Hilal1924Commented:
You Have sent the Screenshot of the new dedicated connector. Can you post the following ss's. Most probably it is permission and authentication mismatch.
1. Authentication Tab and Permission Tab (Default Connector, New Connector)
2. Network Tab (Default and New Connector)
 
Hilal
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.