Exchange won't work with new firewall

Posted on 2013-01-09
Last Modified: 2013-01-16
As part of a move to a new building we are going to stop using our own firewall and have the university provide us that service. We have tested de-activating our current firewall rules and NAT and having the university activate them on their side. Every time we've tested, Exchange does not work externally, but I can send and receive emails inside our network. The only firewall rules that I had on our firewall were for http, https and smtp. We do use webmail as well - but that should be covered under the https/smtp ports.

The university looked at their firewall and didn't see any traffic coming in or out. I found an error in the event viewer that said Exchange unable to find underlying transport and listed the tcp/udp port of 47001. There has never been a firewall rule for that.

Any ideas what rules would be needed/what the issue might be?  As part of this change I also have to change the default gateway from our firewall to the university's gateway.  I do that on the network properties... is this in Exchange some place?
Question by:cindyfiller
LVL 12

Expert Comment

by:Gary Dewrell
ID: 38760790
By any chance is the firewall a Cisco? If so, have them look at the FixUp protocols.
0
 
LVL 8

Expert Comment

by:s3e3
ID: 38760791
What version of Exchange are you running?

Hop on the Exchange server with remote desktop or console and test to see if the SMTP port is open by running the following command:

telnet aspmx.l.google.com 25

If port 25 outbound is open you should see a Google mail server respond.
If you do not see a Google mail server respond, the firewall is not allowing you out. Do you have internet access from the email server?

The gateway is set on the Microsoft networking adapter settings.

You are correct, the only 2 inbound ports you need are 443 and port 25 inbound.
0
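The port 25 test from the comment above can be run without the telnet client; this is an added example, not code from the thread. The function names are hypothetical, and treating a run of asterisks in the greeting as a sign that an SMTP inspection feature on a firewall in the path rewrote it is an assumption of this example (the thread shows no such output).

```powershell
# Added example: telnet-free check of outbound SMTP (TCP 25) from the mail server.
# Function names are hypothetical; the target host is the one used in the thread.

function Get-SmtpBannerVerdict {
    param([string]$Banner)
    # Classify the first line the remote SMTP server sends after connect.
    if ([string]::IsNullOrEmpty($Banner)) { return 'Connected, but no greeting was received' }
    if ($Banner -notmatch '^220[ -]')     { return "Unexpected greeting: $Banner" }
    # Assumption: five or more consecutive asterisks means a device in the
    # path has rewritten the greeting (SMTP inspection), not the mail server.
    if ($Banner -match '\*{5,}') { return "Greeting looks masked in transit: $Banner" }
    return "OK: $Banner"
}

function Test-SmtpOutbound {
    param(
        [string]$MailHost  = 'aspmx.l.google.com',
        [int]$Port         = 25,
        [int]$TimeoutMs    = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a silently dropped SYN does not hang the shell.
        $async = $client.BeginConnect($MailHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "No TCP connection to ${MailHost}:$Port within $TimeoutMs ms"
        }
        $client.EndConnect($async)

        # Read only the greeting line; nothing is sent to the remote server.
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        return Get-SmtpBannerVerdict -Banner $reader.ReadLine()
    }
    catch {
        # Covers refused connections, DNS failures and read timeouts.
        return "Connection failed: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}

Test-SmtpOutbound
```

A timeout or refusal points at outbound filtering or routing (for example, the default gateway), while a connection that succeeds with an altered greeting points at protocol inspection on the firewall.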
 

Author Comment

by:cindyfiller
ID: 38760946
I have Exchange 2010 and yes we are trying to set up the rules on a Cisco firewall. What do the FixUp protocols do - see if there are errors in the rules?

I did try the telnet, but I don't think I have telnet installed as it's not a recognized command. I can add that and try it again.
0
LVL 12

Accepted Solution

by:
Gary Dewrell earned 2000 total points
ID: 38760959
Take a look at this article.

http://support.microsoft.com/kb/320027

It will explain the issue.
0
 

Author Comment

by:cindyfiller
ID: 38761006
I have our university checking out the firewall for this article.  Very interesting!
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 38761017
Been caught by this one several times! :)
Almost always is the problem.

Have a great day!
0
 

Author Comment

by:cindyfiller
ID: 38782665
It turns out the article referenced above was not the issue, but I think it is the solution for others. I'm awarding points based on that. We ended up having to finesse the firewall rules that had been created.
0
