TomNotDan asked:
SBS 2003 RWW, mail to devices and internet connection sharing failure

I have an SBS 2003 server with 2 NICs, one connected to a wireless router and the other to my internal switch.  Router is a Netgear WNDR3700v3 and I have ports 25, 443-444, 1723, 3389 and 4125 forwarded to the IP of my SBS NIC for my "external" NIC.  Last Thursday I lost RWW, email to devices and Internet Connection Sharing.  I suspected an ASP.NET conflict like I have had in the past, and went in and changed ASP.NET from 2.0.50727 to 1.1.4382, however this did not help.  I still suspect a firmware upgrade (perhaps the router) or an ASP conflict, however I am yet to find it.  I can get internet access to a client PC by adding a proxy directing to port 8080 of my server.  Exchange email is also functioning properly.  Exchange email is able to send through without issue.  I ran SBS Best Practices and corrected issues, but that did not solve the problem.  Any advice would be greatly appreciated.
TomNotDan (asker):
I get a failure with the open port tool checking port 443.  I find this odd because I can't find any open ports with this tool, yet I am able to access the internet from the server, and I can use LogMeIn to connect to the server remotely.  Maybe this is a router issue?  I have port 443 forwarded to 192.168.1.123, which is the IP of the NIC on my server that is connected to the modem.
ASP.NET selection for Exchange and Exchange virtual directories is set to 2.0 and greyed out; I can't change it.
Well not much will work if you haven't got open ports.

Try a different router and see how that goes.
Purchased and configured a Linksys N900, with the same result, no open ports.  I went into ISA, under alerts, and found several errors.
1. Connection Limit Exceeded - A user or an IP address exceeded its connection limit.
2. Connection Limit Exceeded - ISA Server disconnected the following client: 172.16.2.18 because its connection limit was exceeded.  For more information about this event, see the Windows event viewer.
3. Configuration Error - An error occurred while reading configuration information.
4. Configuration Error - ISA Server detected routes through the network adapter External Network that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 172.16.255.255-172.16.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
5. I also notice in the logs my phone attempting to retrieve mail.  The first entry in the log is "initiated connection successfully" by the SBS RWW inbound access rule.  Then directly after that is a closed connection (a connection was abortively closed after one of the peers sent an RST segment) by the SBS RWW inbound access rule.

I have not made changes to ISA in ages, and can't imagine how something in there would get changed.  It happened on a Thursday, so I don't think it was an update, but perhaps it was.  Any ideas?
Re-run the connect to the Internet wizard and let that re-publish your ISA rules and see how it behaves after that.
Run without making changes?
Yes - just run it and let it complete without changing anything other than ISA (if it prompts to change - been a long time since I've seen SBS 2003 with ISA).
Ran without making changes.  Now ISA is stopping port 443 with the default rule.  I ran the Remote Connectivity Analyzer also.  It is now able to resolve the host, but still says port 443 is blocked there as well.
Did the wizard re-create the ISA rules or prompt to update them?

Are you planning on keeping the server long?

Do you need ISA server?
It did not prompt to update anything; I even added a function to the firewall to try and force something to happen.  The only traffic getting through is DHCP, everything else is getting shot down by the default rule.  I haven't decided a migration path, so not sure how long I am keeping the server at this point.  Without ISA I will only have the router as firewall protection.  Should I try shutting ISA down and check functionality?  How do you turn ISA off?
I would uninstall it - disable the 2nd NIC and set the server up as a single NIC server.

All our SBS servers manage very well behind just a hardware firewall and ISA is more of a PITA than it's worth in my opinion.

You will also find it much easier to manage without ISA messing you about.

If you want to Migrate to another server, you will have to remove ISA anyway, so I would personally do it now rather than later.

Alan
So no ideas as to what's causing this then?
I'm no ISA expert - you need Keith Alabaster for that, but it does sound like an ISA problem causing your issues.

Running the Connect to the Internet Wizard should reset the ISA rules and make things happy again, but I can't offer any more advice as I don't know ISA well enough to assist you.

If you strip ISA server out of the equation and it still doesn't work, then I'm the most likely person to get it working for you.

Alan
I've pinged Keith an email with a link to this question so if he is still about, hopefully he will be able to assist you and get ISA ruled out.

Alan
He should appear later on this evening (UK time) and try to assist you.

Alan
thanks
My pleasure.
There are some things under Default Web Site that I cannot set back to ASP.NET 1.x, such as Exchange-OMA. Could that have something to do with it?
I've seen Activesync work happily with ASP.NET 2.0 on some virtual directories, but as ISA isn't allowing traffic through, I would address that first and then worry about the Exchange IIS settings once you know there is still a problem.

Alan
To be exact, Exchange and Exchange-OMA are stuck on ASP.NET 2.0.**** and I can't change them to 1.****.  Maybe this has something to do with the problem?
Good morning.

I've read through the thread - and would clarify some things please...

a) You started with just an RWW issue - is this still the case or is it now rather wider than that?
b) What is the version of ISA you are using - ISA 2000? ISA 2004? I'll assume the latter and if so, are you fully service packed up i.e. ISA 2004 SP3?
c) From your comment above, you are running a class B network (172.16.0.0) on the internal NIC with a 255.255.0.0 mask. ISA has to be aware of ALL the ip addresses that it is to protect and this must include the network ID and the broadcast address. So, in the network configuration of ISA the range would be 172.16.0.0 - 172.16.255.255. If you have omitted the broadcast address then ISA will see it as an EXTERNAL ip, not an internal IP. Not a big deal you might think but it is. All broadcast traffic on the internal LAN - using that IP - will arrive on the ISA internal nic and the firewall will believe it is being spoofed - and drop it.
d) What are you seeing in the real time ISA monitor when an external connection is attempted?
Keith
SOLUTION (Alan Hardisty)
The original problem, which still exists, was RWW as well as Internet Connection Sharing.  I cannot access RWW or get email to my phone.  When I run the Exchange connectivity test, it resolves the host but says port 443 is closed.  When I watch the ISA monitor I see the connection attempt, but the default rule shoots it down.  I am running a 2-NIC server.  The NIC connected to the cable modem is 192.168.1.123 and the NIC connected to my server is 172.16.1.1.

ISA info;
Microsoft ISA Server 2004
(c) 2004 Microsoft Corporation.
Version: 4.0.2167.909

When watching the ISA monitor, the destination IP of all the hits comes up as 192.168.1.123.  I can find my exchange server getting through the ISA firewall fine, but nothing else has been allowed through.  At this point I had to use a proxy to cheat and get internet access at client machines so we can function until this is resolved.

My DMZ network is 192.168.1.2 - 192.168.1.254
My Internal network is 172.16.2.0 - 172.16.2.255
My Local Host currently has no IP addresses associated with it.  Correct me if I'm wrong, but that should be the IP address of my server internally?
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External ( 192.168.1.1:60674)
Destination: Local Host ( 192.168.1.123:443)
Protocol: HTTPS
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
 

This is my cell phone trying to poll for mail over the wireless network here (my 192.168.1.123 NIC card is connected to this as well, with a static IP of 192.168.1.123).  This practice always worked previously.

I may be completely wrong here, but it appears to me that local host is incorrect.  Local Host should point to 172.16.2.1, not 192.168.1.123.  I have no idea how that could have gotten changed, nor an idea of how to fix it.  If that is in fact the problem.
If the traffic is being caught by the default rule then this tells us that none of the rules above (the default) are matching the traffic that is arriving on the external NIC. But let's deal with this one item at a time.

With ISA server, the default setting (after you have run the internet connection wizard) would be for ALL clients - including the SBS server itself - to use a proxy in order to get out. In your case, EVERY internal client including the server should have its proxy set to use 172.16.1.1 port 8080.

Yes - the local host is incorrect. I do not know how this changed either but the problem it causes IS known. Change the NIC binding order if you need to so that the true internal nic appears first in the list. Also verify that the EXTERNAL nic on the SBS box has NO dns entry i.e. the DNS entry on the external nic should be BLANK. This way, when DNS tries to do its lookups it will always look internally first and will only go to the external DNS service provider if it can't resolve through the internal DNS - this is what the DNS forwarders are for.

What are you using for a SSL certificate? The home-grown cert from SBS or do you have a publicly issued certificate? If you check the ISA publishing rules, can you confirm the certificate is still associated with the SSL listener?
PS - if you change the nic bind order you may need to reboot.
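An added check for the two points Keith raises above: in his first reply, that the ISA Internal network range must cover everything reachable through the internal NIC (network ID and broadcast included, or ISA drops that traffic as spoofed), and in this reply, that the external NIC must carry no DNS entry. This is example code written for this page, not anything from the thread or from ISA Server itself. It parses the text of `ipconfig /all` and reports what is wrong. The sample output is constructed from the addresses quoted in the thread (internal NIC 172.16.1.1, external NIC 192.168.1.123, ISA Internal range 172.16.2.0-172.16.2.255); the 255.255.0.0 mask follows Keith's assumption, and the DNS server on the external NIC is an assumption for illustration, as is the rule that only the external NIC carries a default gateway.

```python
"""Added example (not code from the thread): checks for a two-NIC ISA 2004 / SBS 2003
box, run over the text of `ipconfig /all`:
  1. the ISA Internal range covers the network ID, broadcast and the internal
     NIC's own IP (otherwise ISA treats that traffic as spoofed and drops it);
  2. the external NIC has no DNS servers configured.
The sample below is constructed from the addresses quoted in the thread; the
masks and the DNS entry on the external NIC are assumptions."""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Server Local Area Connection:
        IP Address. . . . . . . . . . . . : 172.16.1.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 172.16.1.1

Ethernet adapter External Network:
        IP Address. . . . . . . . . . . . : 192.168.1.123
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
ISA_INTERNAL_RANGES = [("172.16.2.0", "172.16.2.255")]   # as the asker reported it
ADAPTER_RE = re.compile(r"^\S.*?adapter (.+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s?(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}. A field with several values
    (e.g. two DNS servers) continues on indented lines without a colon."""
    adapters, fields, last_key = {}, None, None
    for line in (ln.rstrip() for ln in text.splitlines() if ln.strip()):
        m = ADAPTER_RE.match(line)
        if m:
            fields, last_key = adapters.setdefault(m.group(1), {}), None
        elif fields is None:                # global header before the first adapter
            continue
        elif (m := FIELD_RE.match(line)):
            last_key, value = m.group(1).strip(), m.group(2).strip()
            fields[last_key] = [value] if value else []
        elif last_key is not None:
            fields[last_key].append(line.strip())   # continuation value
    return adapters

def classify_adapters(adapters):
    """(internal names, external names). Assumption: on a two-NIC SBS box only
    the external NIC carries a default gateway."""
    external = [n for n, f in adapters.items() if f.get("Default Gateway")]
    return [n for n in adapters if n not in external], external

def uncovered(subnet, configured_ranges):
    """CIDR blocks of `subnet` that none of the (first, last) ranges cover."""
    remaining = [subnet]
    for first, last in configured_ranges:
        for block in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)):
            nxt = []
            for net in remaining:
                if net.subnet_of(block):            # fully covered: drop it
                    continue
                if block.subnet_of(net):            # partly covered: keep the rest
                    nxt.extend(net.address_exclude(block))
                else:                               # disjoint: keep as is
                    nxt.append(net)
            remaining = nxt
    return sorted(remaining)

def check_isa_internal(ip, mask, configured_ranges):
    """Return (subnet, gap blocks, findings) for one internal NIC."""
    subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    gaps = uncovered(subnet, configured_ranges)
    findings = [f"{label} {addr} is outside the ISA Internal range"
                for label, addr in (("network ID", subnet.network_address),
                                    ("broadcast address", subnet.broadcast_address),
                                    ("NIC address", ipaddress.ip_address(ip)))
                if any(addr in g for g in gaps)]
    return subnet, gaps, findings

def check_external_dns(adapters, external):
    """The external NIC should have an empty DNS server list."""
    return [f"external NIC '{n}' has DNS servers {adapters[n]['DNS Servers']}; "
            "it should have none" for n in external if adapters[n].get("DNS Servers")]

def run_checks(ipconfig_text, isa_internal_ranges):
    """Run both checks over ipconfig output; return the list of findings."""
    adapters = parse_ipconfig(ipconfig_text)
    internal, external = classify_adapters(adapters)
    findings = check_external_dns(adapters, external)
    for name in internal:
        f = adapters[name]
        if f.get("IP Address"):             # skip "Media disconnected" adapters
            found = check_isa_internal(f["IP Address"][0], f["Subnet Mask"][0],
                                       isa_internal_ranges)[2]
            findings.extend(f"{name}: {x}" for x in found)
    return findings

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_IPCONFIG, ISA_INTERNAL_RANGES):
        print("FINDING:", finding)
```

On the thread's values this reports four findings: the external NIC has a DNS server, and the network ID 172.16.0.0, the broadcast address 172.16.255.255 and the NIC's own 172.16.1.1 all fall outside a 172.16.2.0-172.16.2.255 Internal range. With the range widened to 172.16.0.0-172.16.255.255 as Keith describes, the gap list is empty. To run it against a real box, save `ipconfig /all > ipconfig.txt` on the server, read that file in place of `SAMPLE_IPCONFIG`, and put the ranges from the ISA Internal network properties into `ISA_INTERNAL_RANGES`.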
I made sure the internal NIC is first.

Server Local Area Connection
External Network
Connection 2 (unused card)
Remote Access Connections

Rebooted.

I am using a homegrown SSL certificate.  Should the certificate be for the published server (publishing.yourcompany.local) or the external website being used to access it (remote.mywebsite.com)?

I also noticed under Connectivity on the ISA dashboard, the following are all listed as not configured:
Active Directory
DHCP
DNS
Others
Published Servers
Web

My external NIC is set to obtain IP and DNS automatically.  The router the external NIC is connected to has an IP reservation for the server.
I noticed in the ISA network configuration that Local Host has no IP addresses associated.  DMZ network is 192.168.1.2 to 192.168.1.254 and Internal network is 172.16.2.0 to 172.16.2.255.  Quarantined VPN and VPN have no addresses as well.
ASKER CERTIFIED SOLUTION
Thanks Tom
Sorry for the delay guys, things have been crazy here.  Thanks for all the help
Glad you got it sorted and thanks to Keith for assisting / sorting this one.

Alan
Welcome :)