  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1266

Can't get Exchange 2010 IMAP4 working through TMG2010

Hi all,

I'm getting really perplexed about getting IMAP4 on Exchange 2010 working through TMG 2010.

TMG is configured with 2 NICs. One is in the DMZ with a 10.20.30.xx address, and NATting to outside addresses is handled by our Cisco FSM. The other NIC is connected to our infra VLAN. The server is joined to the domain. All Exchange 2010 web publishing rules work fine.

I have created an IMAP server publishing rule and I'm testing the connection using Outlook Express on a PC on a separate ADSL line in the office. Even with the publishing rule in place I'm still getting the following denied error:

Denied Connection LONSCHISA01 10/19/2011 10:43:57 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.  
Rule: Default rule
Source: External (90.155.46.4:64189)
Destination: Local Host (10.20.30.38:143)
Protocol: IMAP4

Performing this test in the traffic simulator however gives a result of 'Allowed Traffic'. The log for this is as follows:

34252 10/19/2011 11:20:30 AM fff932cc Firewall service The Firewall service is performing rule evaluation.
34253 10/19/2011 11:20:30 AM fff932cc Firewall service Protocol: IMAPS Server
34254 10/19/2011 11:20:30 AM fff932cc Firewall service Packet properties: Source IP address: 90.155.46.4 Source array network: External Destination IP address: 172.20.2.251 Destination array network: Internal
34255 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG will check only rules that are associated with the protocol IMAPS Server.
34256 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
34257 10/19/2011 11:20:30 AM fff932cc Firewall service The access rule is ignored because Forefront TMG looks only for Web publishing rules for an incoming Web request.
34258 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule Exchange 2010 IMAPS Server.
34259 10/19/2011 11:20:30 AM fff932cc Firewall service The rule Exchange 2010 IMAPS Server matches the packet. The packet is allowed.
34260 10/19/2011 11:20:30 AM fff932cc Firewall service The listener on the IP address 172.20.2.251 accepted the request.
34261 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is looking for a deny access rule that matches traffic from the source to the destination.
34262 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is looking for a rule that is associated with the protocol IMAPS.
34263 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG will check only rules that are associated with the protocol IMAPS.
34264 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
34265 10/19/2011 11:20:30 AM fff932cc Firewall service The access rule is ignored because Forefront TMG looks only for Web publishing rules for an incoming Web request.
34266 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule Exchange 2010 ActiveSync.
34267 10/19/2011 11:20:30 AM fff932cc Firewall service This Web publishing rule was skipped for this packet.
34268 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule Exchange 2010 Outlook Anywhere.
34269 10/19/2011 11:20:30 AM fff932cc Firewall service This Web publishing rule was skipped for this packet.
34270 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule Exchange 2010 OWA.
34271 10/19/2011 11:20:30 AM fff932cc Firewall service This Web publishing rule was skipped for this packet.
34272 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the rule Default rule.
34273 10/19/2011 11:20:30 AM fff932cc Firewall service The rule Default rule matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.
34274 10/19/2011 11:20:30 AM fff932cc Firewall service The rule Exchange 2010 IMAPS Server allowed the packet.
34275 10/19/2011 11:20:30 AM fff932cc Firewall service The Firewall service is performing rule evaluation.
34276 10/19/2011 11:20:30 AM fff932cc Firewall service Packet properties: Source IP address: 172.20.2.251 Source array network: Internal Destination IP address: 90.155.46.4 Destination array network: External
34277 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is looking for an applicable network rule.
34278 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the network rule Local Host Access.
34279 10/19/2011 11:20:30 AM fff932cc Firewall service The source IP address in the packet does not match the source specified in the network rule.
34280 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is checking the reverse direction of the network rule Local Host Access.
34281 10/19/2011 11:20:30 AM fff932cc Firewall service The destination IP address in the packet does not match the source specified in the network rule.
34282 10/19/2011 11:20:30 AM fff932cc Firewall service Forefront TMG is evaluating the network rule Internet Access.
34283 10/19/2011 11:20:30 AM fff932cc Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a route relationship.
34284 10/19/2011 11:20:30 AM fff932cc Firewall service The network rule Internet Access matches the source and destination. A route relationship is specified.

The 'Internet Access' network rule is set to Route as we are not using the TMG to NAT. On the firewall rules that were created to handle the OWA/EAS/OA/IMAP, the requests are set to appear to come from the TMG server. Before, the 'Internet Access' network rule was set to NAT; this made no difference.

I've played about with the system quite a bit but have not got anywhere. If anyone could give me some guidance as to how to get IMAP4 working through TMG it would be really most appreciated.

Many thanks

Andoni
Asked by: schneiderit

1 Solution
Keith AlabasterCommented:
That is the wrong protocol, isn't it?

If you are publishing the IMAP service then the traffic accessing it must be inbound, therefore you need the IMAP4 Server protocol. The ordinary IMAP4 protocol is for outbound traffic. In your IMAP rule right-click the property of the protocol and check the properties tab, which shows the direction of the traffic.
schneideritAuthor Commented:
Keith,

Thanks for your reply. I meant to say that the server publishing wizard places the IMAP4 server protocol into the rule, not IMAP.

I did find this article which you apparently helped on:

http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26973863.html

After running the getting started wizard, it seems that we do have a back firewall after all. Do you think removing the Perimeter network as in the article above will solve the problem?

Many thanks

Andoni
schneideritAuthor Commented:
I have solved the problem after being given this hint by Nick Gu on the Technet forums:

“There are 2 outgoing network rules - the default Internet Access rule which NATs from internal to external, and another rule for IMAP I created that routes from internal to external and perimeter.” – you cannot do that, just create NAT from Internal to External and route between Internal and Perimeter. As for “Requests appear to come from the Forefront TMG computer”, it is useful when you don’t want to make the published server a SecureNAT client.

----------------------

I had disabled the last rule (Internet to Perimeter Route). I enabled it and changed it to NAT.

The IMAP publishing rule was created again from Anywhere, to the CAS array, listening on the perimeter IP that IMAP was allowed on.

When testing IMAP access from outside, the connection was made but no response came from the server. I changed the IMAP server publishing rule so that requests appear to come from the Forefront TMG computer, and it worked.

After creating an IMAPS rule, that also worked.
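As an added diagnostic, not part of the original thread or of TMG itself: a small Python parser for the "Denied Connection" entry quoted in the question, plus a check that encodes the mismatch visible between that entry (traffic arriving on 10.20.30.38, the DMZ NIC) and the traffic-simulator trace (listener accepting on 172.20.2.251, Internal). The listener IPs and published port are assumptions supplied by the caller, taken here from those two log excerpts.

```python
import re
from ipaddress import ip_address

# Constructed sample: the "Denied Connection" entry quoted in the question above.
DENIED_ENTRY = """Denied Connection LONSCHISA01 10/19/2011 10:43:57 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (90.155.46.4:64189)
Destination: Local Host (10.20.30.38:143)
Protocol: IMAP4"""

# "<network> (<ip>:<port>)" as TMG prints the Source/Destination fields.
ENDPOINT_RE = re.compile(r"^(?P<network>[^(]+?)\s*\((?P<ip>[\d.]+):(?P<port>\d+)\)$")


def parse_denied_entry(text):
    """Split a TMG 'Denied Connection' block into lower-cased fields;
    Source and Destination become {network, ip, port} dicts."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    for side in ("source", "destination"):
        m = ENDPOINT_RE.match(fields[side])
        if m is None:
            raise ValueError(f"unexpected {side} format: {fields[side]!r}")
        fields[side] = {"network": m["network"].strip(),
                        "ip": m["ip"], "port": int(m["port"])}
    return fields


def diagnose(entry, listener_ips, published_port):
    """Return findings explaining why the publishing rule never matched.
    listener_ips: IPs the rule's listener is bound to (assumed, read from the
    rule's properties); published_port: the port the rule publishes."""
    dst = entry["destination"]
    findings = []
    if entry["rule"] == "Default rule":
        findings.append("no earlier rule matched; the Default rule denied the packet")
    if ip_address(dst["ip"]) not in {ip_address(ip) for ip in listener_ips}:
        findings.append(f"packet hit {dst['ip']} ({dst['network']}) but the listener "
                        f"is bound to {sorted(listener_ips)}; bind it to {dst['ip']}")
    if dst["port"] != published_port:
        findings.append(f"port {dst['port']} is not the published port {published_port}")
    return findings


if __name__ == "__main__":
    # Assumed listener: the simulator trace above accepted on 172.20.2.251.
    for finding in diagnose(parse_denied_entry(DENIED_ENTRY), ["172.20.2.251"], 143):
        print("-", finding)
```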
schneideritAuthor Commented:
Solution was found by myself after receiving help from others.