Publishing IMAP with TMG

Hi, I am trying to publish IMAP in a test environment via TMG.

I can get it to work when using port 993 from the internet all the way back to the IMAP server. Is it possible to have the traffic hit TMG on port 993, then go back to the IMAP as port 143? What would that config look like?

-Mark
mpotosky asked:
Keith Alabaster, Enterprise Architect, commented:
Yes.

Create a new protocol called messedup-imap or something using inbound TCP port 993 - 993. On the protocol page, select ports and edit the settings. See the section regarding the port traffic is forwarded to and change it from matching the published port to 143.

Create a new non-web server publishing rule using the new protocol and set the listener to external. Just bear in mind you cannot have TWO port 993 listeners on the same external IP address.

keith
0
Suliman Abu Kharroub, IT Consultant, commented:
Do you use an email server publishing rule?
0
mpotosky (Author) commented:
Hi Keith-

Can you be more specific about the "the section regarding the port traffic is forwarded to and change it from matching the published port to 143" part?

I created a new protocol, added 993 as the inbound port. On the properties I see Primary Connections, Secondary Connections, and App Filters... nothing about port traffic forwarding.

Another question: how would TMG have the authority to decrypt and translate the IMAPS packets?
0
mpotosky (Author) commented:
Hi Suliman: Yes - I used the publish mail servers wizard, following the client access path.
0
Keith Alabaster, Enterprise Architect, commented:
Create the new protocol and the new server publishing rule.
Then edit the publishing rule and select the tab to show the protocol being published and you will see a ports option there.
0
mpotosky (Author) commented:
@Keith - I see that ports menu, thanks. Maybe I was not clear in my first post. I need TMG to answer IMAPS (993) and pass on IMAP (143) to the IMAP server.

Will forwarding ports in this way handle the decryption?

0
Keith Alabaster, Enterprise Architect, commented:
Yes, as the traffic is simply forwarded.

In that section you get a number of options, the first being the listening port (external) - this should be left alone. The second section is the port that ISA or FTMG will send the traffic on to - and this is what you would change. Because TMG is simply acting as a conduit here (why I stated the non-web server route) it is just 'passing through'. That said, I've never tried it for IMAP, but as it works for TLS etc. I cannot see why IMAP would be any different.
0
mpotosky (Author) commented:
@Keith - just passing through is what I want to avoid. I need the protocol to change from IMAPS to IMAP. Wouldn't that require TMG to do some decryption? I think what I am looking for is SSL bridging that will work on non-web apps.

I will test out the scenario you described, but since the IMAP server has no certificates on it, I don't see how it can decrypt and use the IMAPS traffic.

-Mark
0
Keith Alabaster, Enterprise Architect, commented:
OK - misunderstood the intent.
0
mpotosky (Author) commented:
No problem, any idea if what I am trying to do is possible?
0
pwindell commented:
Publish IMAP in the normal way with the normal IMAP predefined protocol that is already in the TMG.

In the properties of the Publishing Rule go to the Traffic Tab
Then click the Ports Button.
Leave everything in there the default way it is except for the second item "Published Server Ports"
Select "Send requests to this port..." and give it the special Target Port you want to use.

This is called Port Address Translation (PAT).
Server Publishing Rules are really Reverse NAT,...then when doing this you are using PAT over the Reverse NAT,....so if you like acronyms,...it could be called "RNAT/PAT" meaning Port Address Translation over Reverse NAT.
0
mpotosky (Author) commented:
Hi pwindell,

I am not sure if you read the chain of comments, but maybe I am not explaining my requirements clearly:

I don't want PAT alone, I need TMG to change the protocol and the port. Switching ports, but still sending encrypted packets back to my IMAP server will do me no good, because the IMAP server does not have a certificate installed on it.

I need TMG to receive the encrypted IMAPS packets, decrypt them, and then send them back to my IMAP server as plain ole unencrypted IMAP over port 143.
0
pwindell commented:
I know (knew) exactly what you were/are asking and what I said is exactly what you are supposed to do.

1. There is no "PAT alone" in what I suggested

2. There is no encryption in anything I described.

3. There is no such thing as switching protocols in this context.  Your posts all said IMAP (including the subject line),...nowhere was IMAPS mentioned until now.   The Mail Client must use the correct protocol,...period.  If your Server is only using IMAP then the Client must use only IMAP,...simple as that.
0
mpotosky (Author) commented:
Hi pwindell - I disagree that you knew exactly what I am asking, but based on your points below it sounds like you have a good understanding of what I am poorly articulating now.

1) I need an SSL Bridging type technology in combination with PAT.  I have seen SSL bridging work for HTTPS to HTTP traffic, is there a way to leverage it for non web traffic like IMAPS?

2) I know, that is the misunderstanding I am trying to clear up. Based on your third point, it sounds like I succeeded.

3) Is there such a thing as protocol switching in any context related to TMG and IMAPS to IMAP? I agree the subject line is poor; I should have used the protocols and the ports, not just the ports. This is the meat of my problem: I need the mail clients to talk to TMG via IMAPS and TMG to talk to the IMAP server via IMAP, with TMG handling the decryption. Is this possible?

Thanks for your help,
Mark
0
pwindell commented:
1) I need an SSL Bridging type technology in combination with PAT.  I have seen SSL bridging work for HTTPS to HTTP traffic, is there a way to leverage it for non web traffic like IMAPS?

Well,..I think your question/comment here sums it up.  No, there is no way to do with IMAP what you see done with HTTP/HTTPS.   HTTP/HTTPS is handled by Web Publishing Rules which are done over the Web Proxying Service which is an Application Layer System.  IMAP is done over Server Publishing based on the SecureNAT Service which primarily all happens at the Network (3) and the Transport (4) Layers.  That is two completely different worlds.

You can monkey with port numbers across the NAT as I described however you want but there is no Application Level manipulation happening,...it is just Layer 3&4 and that is all.   It is just receiving on one IP# and passing it to another (NAT) and optionally flipping port numbers as it does it (PAT).

Now you can include both protocols "IMAP4 Server" and "IMAPS Server" in the same publishing Rule and basically do both at the same time,...but whatever it starts with it stays with,...whatever the client is using,...is what will be used.
0
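As an added example, not code from this thread or from TMG/Forefront: a small Python relay that models pwindell's "RNAT/PAT" description. It accepts on one local port (a stand-in for the 993 listener), opens a new connection to a second local port (a stand-in for 143) and copies bytes in both directions without interpreting them, which is why a TLS ClientHello from an IMAPS client reaches the plaintext IMAP backend byte-for-byte. The backend, the ports and the sample messages are constructed for the demonstration.

```python
import socket
import threading

def is_tls_client_hello(data: bytes) -> bool:
    """TLS record: 0x16 handshake, 0x03 version major, byte 5 = 0x01 ClientHello."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes verbatim until EOF, then unblock the opposite direction."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def start_backend(seen: list) -> int:
    """Constructed stand-in for the plaintext IMAP server (no certificate)."""
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral port stands in for 143
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            data = conn.recv(4096)
            seen.append(data)  # exactly what reached the server
            conn.sendall(b"* BAD not IMAP\r\n" if is_tls_client_hello(data)
                         else b"* OK IMAP4rev1 ready\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_relay(target_port: int) -> int:
    """Models the server publishing rule with PAT: accept on one port, forward to another."""
    lst = socket.create_server(("127.0.0.1", 0))  # stands in for the 993 listener
    def serve():
        client, _ = lst.accept()
        with lst, client, socket.create_connection(("127.0.0.1", target_port)) as be:
            threading.Thread(target=pump, args=(client, be), daemon=True).start()
            pump(be, client)
    threading.Thread(target=serve, daemon=True).start()
    return lst.getsockname()[1]

def send_through_relay(payload: bytes) -> tuple:
    """Return (bytes the backend saw, reply the client received)."""
    seen = []
    with socket.create_connection(("127.0.0.1", start_relay(start_backend(seen)))) as c:
        c.sendall(payload)
        reply = c.recv(4096)
    return seen[0], reply
TLS_CLIENT_HELLO = bytes.fromhex("16030100050100000100")  # constructed minimal ClientHello record
IMAP_LINE = b"a001 CAPABILITY\r\n"  # constructed plaintext IMAP command
```

The relay never changes the bytes, so a client that speaks IMAPS to the listener is still speaking TLS to the backend; only the port number changed.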