Solved

SBS 2003 RWW, mail to devices and internet connection sharing failure

Posted on 2014-02-03
388 Views
Last Modified: 2014-02-24
I have an SBS 2003 server with 2 NICs, one connected to a wireless router and the other to my internal switch. The router is a Netgear WNDR3700v3 and I have ports 25, 443-444, 1723, 3389 and 4125 forwarded to the IP of my SBS NIC for my "external" NIC. Last Thursday I lost RWW, email to devices and Internet Connection Sharing. I suspected an ASP.NET conflict like I have had in the past, and went in and changed ASP.NET from 2.0.50727 to 1.1.4382; however, this did not help. I still suspect a firmware upgrade (perhaps the router) or an ASP conflict, however I am yet to find it. I can get internet access to a client PC by adding a proxy directing to port 8080 of my server. Exchange email is also functioning properly. Exchange email is able to send through without issue. I ran SBS Best Practices and corrected issues, but this did not solve the problem. Any advice would be greatly appreciated.
0
Question by:TomNotDan
34 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
0
 

Author Comment

by:TomNotDan
I get a failure with the open port tool checking port 443. I find this odd because I can't find any open ports with this tool, yet I am able to access the internet from the server, and I can use LogMeIn to connect to the server remotely. Maybe this is a router issue? I have port 443 forwarded to 192.168.1.123, which is the IP of the NIC on my server that is connected to the modem.
0
 

Author Comment

by:TomNotDan
The ASP.NET selection for the Exchange and Exchange virtual directories is set to 2. and greyed out; I can't change it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Well not much will work if you haven't got open ports.

Try a different router and see how that goes.
0
 

Author Comment

by:TomNotDan
Purchased and configured a Linksys N900, with the same result: no open ports. I went into ISA, under Alerts, and found several errors.
1. Connection Limit Exceeded - A user or an IP address exceeded its connection limit.
2. Connection Limit Exceeded - ISA Server disconnected the following client: 172.16.2.18 because its connection limit was exceeded. For more information about this event, see the Windows Event Viewer.
3. Configuration Error - An error occurred while reading configuration information.
4. Configuration Error - ISA Server detected routes through the network adapter External Network that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 172.16.255.255-172.16.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
5. I also notice in the logs my phone attempting to retrieve mail. The first entry in the log is "initiated connection successfully" by the SBS RWW inbound access rule. Then directly after that is a closed connection (a connection was abortively closed after one of the peers sent an RST segment) by the SBS RWW inbound access rule.

I have not made changes to ISA in ages, and can't imagine how something in there would get changed.  It happened on a Thursday, so I don't think it was an update, but perhaps it was.  Any ideas?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Re-run the connect to the Internet wizard and let that re-publish your ISA rules and see how it behaves after that.
0
 

Author Comment

by:TomNotDan
Run without making changes?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Yes - just run it and let it complete without changing anything other than ISA (if it prompts to change - been a long time since I've seen SBS 2003 with ISA).
0
 

Author Comment

by:TomNotDan
Ran without making changes. Now ISA is stopping port 443 with the default rule. I ran the Remote Connectivity Analyzer also. It is now able to resolve the host, but is still saying port 443 is blocked there as well.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Did the wizard re-create the ISA rules or prompt to update them?

Are you planning on keeping the server long?

Do you need ISA server?
0
 

Author Comment

by:TomNotDan
It did not prompt to update anything; I even added a function to the firewall to try and force something to happen. The only traffic getting through is DHCP; everything else is getting shot down by the default rule. I haven't decided on a migration path, so I'm not sure how long I am keeping the server at this point. Without ISA I will only have the router as firewall protection. Should I try shutting ISA down and check functionality? How do you turn ISA off?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I would uninstall it - disable the 2nd NIC and set the server up as a single NIC server.

All our SBS servers manage very well behind just a hardware firewall and ISA is more of a PITA than it's worth in my opinion.

You will also find it much easier to manage without ISA messing you about.

If you want to Migrate to another server, you will have to remove ISA anyway, so I would personally do it now rather than later.

Alan
0
 

Author Comment

by:TomNotDan
So no ideas as to what's causing this then?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I'm no ISA expert - you need Keith Alabaster for that, but it does sound like an ISA problem causing your issues.

Running the Connect to the Internet Wizard should reset the ISA rules and make things happy again, but I can't offer any more advice as I don't know ISA well enough to assist you.

If you strip ISA server out of the equation and it still doesn't work, then I'm the most likely person to get it working for you.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I've pinged Keith an email with a link to this question so if he is still about, hopefully he will be able to assist you and get ISA ruled out.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
He should appear later on this evening (UK time) and try to assist you.

Alan
0
 

Author Comment

by:TomNotDan
thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
My pleasure.
0
 

Author Comment

by:TomNotDan
There are some things under Default Web Site that I cannot set back to ASP 1...., such as Exchange OMA. Could that have something to do with it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I've seen Activesync work happily with ASP.NET 2.0 on some virtual directories, but as ISA isn't allowing traffic through, I would address that first and then worry about the Exchange IIS settings once you know there is still a problem.

Alan
0
 

Author Comment

by:TomNotDan
To be exact, Exchange and Exchange-OMA are stuck on ASP.NET 2.**** and I can't change them to 1.****. Maybe this has something to do with the problem?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Good morning.

I've read through the thread - and would like to clarify some things, please...

a) You started with just an RWW issue - is this still the case or is it now rather wider than that?
b) What is the version of ISA you are using - ISA 2000? ISA 2004? I'll assume the latter and if so, are you fully service packed up i.e. ISA 2004 SP3?
c) From your comment above, you are running a class B network (172.16.0.0) on the internal NIC with a 255.255.0.0 mask. ISA has to be aware of ALL the ip addresses that it is to protect and this must include the network ID and the broadcast address. So, in the network configuration of ISA the range would be 172.16.0.0 - 172.16.255.255. If you have omitted the broadcast address then ISA will see it as an EXTERNAL ip, not an internal IP. Not a big deal you might think but it is. All broadcast traffic on the internal LAN - using that IP - will arrive on the ISA internal nic and the firewall will believe it is being spoofed - and drop it.
d) What are you seeing in the real time ISA monitor when an external connection is attempted?
Keith
0
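Keith's point (c) is easy to check mechanically. The following is an added example (my code, not from the thread and not an ISA tool): given the internal adapter's address and mask and the ranges entered in ISA's Internal network definition, it lists every part of the subnet the definition leaves out, which is exactly what ISA would treat as spoofed. The adapter address, mask and range values are constructed for illustration; the "missing broadcast" case mirrors the 172.16.255.255 alert quoted earlier in the thread, and the "wrong subnet" case shows what a definition for a different /24 looks like against a /16 adapter.

```python
import ipaddress

# Constructed values for illustration: an internal adapter at 172.16.1.1 with a
# class B mask (as in Keith's point c) and three candidate ISA "Internal"
# network definitions. None of this is taken from the server in the thread.
NIC_CIDR = "172.16.1.1/16"
RANGE_MISSING_BROADCAST = ["172.16.0.0-172.16.255.254"]
RANGE_COMPLETE = ["172.16.0.0-172.16.255.255"]
RANGE_WRONG_SUBNET = ["172.16.2.0-172.16.2.255"]


def parse_range(text):
    """Parse an ISA-style 'first-last' address range into two IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(part.strip()) for part in text.split("-"))
    if last < first:
        raise ValueError(f"range end precedes range start: {text}")
    return first, last


def uncovered_intervals(nic_cidr, isa_ranges):
    """Return the parts of the adapter's subnet that no configured ISA range covers.

    The result is a list of (first, last) string pairs. ISA treats any address
    routable through the adapter but absent from the network definition as
    belonging to another network and drops its packets as spoofed, so the
    network ID and the broadcast address must be inside the ranges too.
    """
    subnet = ipaddress.IPv4Network(nic_cidr, strict=False)
    low, high = int(subnet.network_address), int(subnet.broadcast_address)
    covered = sorted((int(a), int(b)) for a, b in map(parse_range, isa_ranges))

    gaps = []
    cursor = low  # first address of the subnet not yet accounted for
    for first, last in covered:
        if last < cursor:          # range lies entirely below what is still needed
            continue
        if first > cursor:         # hole between the cursor and this range
            gaps.append((cursor, min(first - 1, high)))
        cursor = max(cursor, last + 1)
        if cursor > high:
            break
    if cursor <= high:             # tail of the subnet after the last range
        gaps.append((cursor, high))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b))) for a, b in gaps]


def adapter_address_covered(nic_cidr, isa_ranges):
    """True if the adapter's own address falls inside one of the ISA ranges."""
    ip = ipaddress.IPv4Interface(nic_cidr).ip
    return any(first <= ip <= last for first, last in map(parse_range, isa_ranges))


def report(nic_cidr, isa_ranges):
    """Human-readable summary for one adapter / network-definition pair."""
    gaps = uncovered_intervals(nic_cidr, isa_ranges)
    lines = [f"adapter {nic_cidr} against ISA ranges {isa_ranges}:"]
    if not adapter_address_covered(nic_cidr, isa_ranges):
        lines.append("  adapter's own address is outside the network definition")
    for first, last in gaps:
        lines.append(f"  uncovered: {first}-{last}")
    if not gaps:
        lines.append("  all addresses covered")
    return "\n".join(lines)


if __name__ == "__main__":
    for ranges in (RANGE_MISSING_BROADCAST, RANGE_COMPLETE, RANGE_WRONG_SUBNET):
        print(report(NIC_CIDR, ranges))
```

Run it against the ranges shown in ISA's network configuration and the adapter's actual mask; anything reported as uncovered is traffic the firewall will drop as spoofed, and an adapter address outside its own network definition points at the range/NIC mismatch discussed later in this thread.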
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
Thank Keith ;)

Alan
0
 

Author Comment

by:TomNotDan
The original problem, which still exists, was RWW as well as Internet Connection Sharing. I cannot access RWW or get email to my phone. When I run the Exchange connectivity test, it resolves the host but says port 443 is closed. When I watch the ISA monitor I see the connection attempt, but the default rule shoots it down. I am running a 2-NIC server. The NIC connected to the cable modem is 192.168.1.123 and the NIC connected to my server is 172.16.1.1.

ISA info;
Microsoft ISA Server 2004
(c) 2004 Microsoft Corporation.
Version: 4.0.2167.909

When watching the ISA monitor, the destination IP of all the hits comes up as 192.168.1.123.  I can find my exchange server getting through the ISA firewall fine, but nothing else has been allowed through.  At this point I had to use a proxy to cheat and get internet access at client machines so we can function until this is resolved.

My DMZ network is 192.168.1.2 - 192.168.1.254
My Internal network is 172.16.2.0 - 172.16.2.255
My local host currently has no IP addresses associated with it. Correct me if I'm wrong, but that should be the IP address of my server internally?
0
 

Author Comment

by:TomNotDan
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External ( 192.168.1.1:60674)
Destination: Local Host ( 192.168.1.123:443)
Protocol: HTTPS
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
 

This is my cell phone trying to poll for mail over the wireless network here (my 192.168.1.123 nic card is connected to this as well with a static ip of 192.168.1.123).  This practice always worked previously.

I may be completely wrong here, but it appears to me that local host is incorrect.  Local Host should point to 172.16.2.1, not 192.168.1.123.  I have no idea how that could have gotten changed, nor an idea of how to fix it.  If that is in fact the problem.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
If the traffic is being caught by the default rule then this tells us that none of the rules above (the default) are matching the traffic that is arriving on the external NIC. But let's deal with this one item at a time.

With ISA server, the default setting (after you have run the internet connection wizard) would be for ALL clients - including the SBS server itself - to use a proxy in order to get out. In your case, EVERY internal client including the server should have its proxy set to use 172.16.1.1 port 8080.

Yes - the local host is incorrect. I do not know how this changed either but the problem it causes IS known. Change the NIC binding order if you need to so that the true internal nic appears first in the list. Also verify that the EXTERNAL nic on the SBS box has NO dns entry i.e. the DNS entry on the external nic should be BLANK. This way, when DNS tries to do its lookups it will always look internally first and will only go to the external DNS service provider if it can't resolve through the internal DNS - this is what the DNS forwarders are for.

What are you using for a SSL certificate? The home-grown cert from SBS or do you have a publicly issued certificate? If you check the ISA publishing rules, can you confirm the certificate is still associated with the SSL listener?
0
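The log entry in the previous post and Keith's first point (a Default rule hit means no rule above it matched) can be turned into a small triage script. This is an added example (my code, not from the thread and not a Microsoft tool): it parses entries in the layout ISA's log viewer shows, pulls out the rule and the destination port, and flags any entry where a port that is supposed to be published fell through to the Default rule. The published-port set is taken from the router forwards listed in the question; the first sample entry reproduces the one posted above, the other two are constructed to exercise the remaining branches.

```python
import re

# Constructed sample entries in the layout shown in the post above. The first
# reproduces the Default-rule denial on port 443; the other two are made up
# here to exercise the other branches of the triage logic.
DENIED_443 = """\
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External ( 192.168.1.1:60674)
Destination: Local Host ( 192.168.1.123:443)
Protocol: HTTPS
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
"""

DENIED_OTHER_PORT = """\
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External ( 203.0.113.7:51000)
Destination: Local Host ( 192.168.1.123:23)
Protocol: Telnet
User:
"""

ALLOWED_RWW = """\
Log type: Firewall service
Status: Initiated Connection
Rule: SBS RWW Inbound Access Rule
Source: External ( 192.168.1.1:60700)
Destination: Local Host ( 192.168.1.123:443)
Protocol: HTTPS
User:
"""

# Ports the question's router forwards to the SBS external adapter.
PUBLISHED_PORTS = {25, 443, 444, 1723, 3389, 4125}

_ENDPOINT = re.compile(r"^(?P<net>.*?)\s*\(\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\)$")
# Pairs in the "Additional information" block share a line, so they are split
# on "<key>: <single token>" rather than on the first colon of the line.
_EXTRA_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\S*)")


def _endpoint(text):
    """Split 'Network ( ip:port)' into its parts; tolerate a bare network name."""
    m = _ENDPOINT.match(text.strip())
    if not m:
        return {"network": text.strip(), "ip": None, "port": None}
    return {"network": m["net"].strip(), "ip": m["ip"], "port": int(m["port"])}


def parse_entry(text):
    """Parse one ISA Firewall service log entry into a dict."""
    fields = {}
    in_extra = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Additional information":
            in_extra = True
            continue
        if in_extra:
            for key, value in _EXTRA_PAIR.findall(line):
                fields[key.strip()] = value
        else:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {
        "status": fields.get("Status", ""),
        "rule": fields.get("Rule", ""),
        "protocol": fields.get("Protocol", ""),
        "source": _endpoint(fields.get("Source", "")),
        "destination": _endpoint(fields.get("Destination", "")),
        "client_ip": fields.get("Original Client IP"),
        "fields": fields,
    }


def triage(entry, published_ports=PUBLISHED_PORTS):
    """Classify one parsed entry.

    PUBLISHED_PORT_UNMATCHED: a port you publish fell through to the Default
    rule, so no publishing rule or listener matched it (the symptom in this thread).
    DENIED_OTHER: the policy denied something you do not publish (normal noise).
    NOT_DENIED: the policy allowed the request.
    """
    if "do not allow" not in entry["status"]:
        return "NOT_DENIED"
    if entry["rule"] == "Default rule" and entry["destination"]["port"] in published_ports:
        return "PUBLISHED_PORT_UNMATCHED"
    return "DENIED_OTHER"


def triage_all(texts, published_ports=PUBLISHED_PORTS):
    """Return (verdict, source ip, destination port) for each entry, in order."""
    out = []
    for text in texts:
        e = parse_entry(text)
        out.append((triage(e, published_ports), e["source"]["ip"], e["destination"]["port"]))
    return out


if __name__ == "__main__":
    for verdict, src, port in triage_all([DENIED_443, DENIED_OTHER_PORT, ALLOWED_RWW]):
        print(f"{verdict:26} {src} -> :{port}")
```

A PUBLISHED_PORT_UNMATCHED verdict is the cue to look at the listener and the publishing rule for that port (certificate still bound, rule enabled, listener on the right network) rather than at the router, since the packet has already reached ISA.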
 
LVL 51

Expert Comment

by:Keith Alabaster
PS - if you change the nic bind order you may need to reboot.
0
 

Author Comment

by:TomNotDan
I made sure the internal NIC is first.

server local area connection
external network
connection 2 (unused card)
remote access connections

rebooted.

I am using a home-grown SSL certificate. Should the certificate be for the published server (publishing.yourcompany.local) or the external website being used to access it (remote.mywebsite.com)?

I also noticed under Connectivity on the ISA dashboard that the following are all listed as not configured:
Active Directory
DHCP
DNS
Others
Published Servers
Web

My external NIC is set to obtain IP and DNS automatically. The router the external NIC is connected to has an IP reservation for the server.
0
 

Author Comment

by:TomNotDan
I noticed in the ISA network configuration that Local Host has no IP addresses associated. The DMZ network is 192.168.1.2 to 192.168.1.254 and the Internal network is 172.16.2.0 to 172.16.2.255. Quarantined VPN and VPN have no addresses as well.
0
 
LVL 51

Accepted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
The external NIC must not have a DNS entry - it is a pre-requisite for ISA. If both the internal and external NICs have a DNS entry, you have no way at all of controlling whether ISA will use the internal or external NIC settings when it performs any form of DNS lookup, i.e. it might look at your internal DNS server or it might look at the external DNS provider's server. Either way you will get foobarred because things will fail to resolve properly.

The ip address range you mention above for the internal is different to your earlier post?

ISA is not great at having a dynamic address on the external nic. If the address is allocated then I would strongly suggest that you set the ip on the ISA external nic and remove the dns entry.

I know you will tell me that 'but it has always worked this way in the past' but I can only tell you the best practice and the way I know it works best.

If ISA (the SBS server) has DNS on both NICs you will get a screwed localhost entry. That is the logical outcome as it has two scenarios to choose from.
0
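The adapter rules Keith gives in this answer and in his earlier reply (internal NIC first in the binding order, no DNS servers on the external NIC, a static address on the external NIC rather than a DHCP lease) can be checked as a short linter over a description of the adapters. This is an added example (my code, not from the thread, and it does not query Windows itself: the adapter list is constructed by hand from what the poster described, with the DNS server addresses made up). The "before" list mirrors the configuration described above, the "after" list applies the recommended changes.

```python
# Constructed adapter descriptions, listed in Windows binding order. BEFORE
# follows the configuration described in the thread (external adapter
# obtaining its address and DNS servers automatically); AFTER applies the
# recommended changes. DNS server addresses are made up for the example.
BEFORE = [
    {"name": "Server Local Area Connection", "role": "internal", "dhcp": False, "dns": ["172.16.1.1"]},
    {"name": "External Network", "role": "external", "dhcp": True, "dns": ["192.168.1.1"]},
    {"name": "Connection 2", "role": "unused", "dhcp": True, "dns": []},
]
AFTER = [
    {"name": "Server Local Area Connection", "role": "internal", "dhcp": False, "dns": ["172.16.1.1"]},
    {"name": "External Network", "role": "external", "dhcp": False, "dns": []},
    {"name": "Connection 2", "role": "unused", "dhcp": True, "dns": []},
]


def check_isa_adapters(adapters):
    """Return (code, message) findings for the adapter settings ISA is sensitive to.

    NO_INTERNAL    no adapter is marked as the internal one
    BINDING_ORDER  the internal adapter is not first in the binding order
    EXTERNAL_DNS   the external adapter lists DNS servers (should be blank)
    EXTERNAL_DHCP  the external adapter takes its address from DHCP
    """
    findings = []
    internal = [a for a in adapters if a["role"] == "internal"]
    if not internal:
        findings.append(("NO_INTERNAL", "no adapter is marked internal"))
    elif adapters[0] is not internal[0]:
        findings.append(("BINDING_ORDER",
                         f"{internal[0]['name']} should be first in the binding order; "
                         f"{adapters[0]['name']} is"))
    for a in adapters:
        if a["role"] != "external":
            continue
        if a["dns"]:
            findings.append(("EXTERNAL_DNS",
                             f"{a['name']} lists DNS servers {', '.join(a['dns'])}; leave the entry "
                             "blank so lookups go through the internal DNS and its forwarders"))
        if a["dhcp"]:
            findings.append(("EXTERNAL_DHCP",
                             f"{a['name']} obtains its address via DHCP; "
                             "assign the reserved address statically"))
    return findings


def finding_codes(adapters):
    """Just the codes, in the order the checks run."""
    return [code for code, _ in check_isa_adapters(adapters)]


if __name__ == "__main__":
    for label, adapters in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}:")
        for code, message in check_isa_adapters(adapters) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

Re-run the check after changing the binding order and the external adapter's TCP/IP settings; an empty finding list (plus a reboot, as Keith notes) is the state in which ISA's Local Host network should be populated from the internal adapter again.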
 
LVL 51

Expert Comment

by:Keith Alabaster
Thanks Tom
0
 

Author Comment

by:TomNotDan
Sorry for the delay, guys; things have been crazy here. Thanks for all the help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Glad you got it sorted and thanks to Keith for assisting / sorting this one.

Alan
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Welcome :)
0
