done the logging?
I have enabled the logging as you said; I don't know what to do after that, though.
Also I have found this under the TMG logging
e: Firewall service
Status: A connection was abortively closed after one of the peers sent an RST packet.
Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
Source: Internal (188.8.131.52:50016)
Destination: Local Host (10.146.65.31:25)
Number of bytes sent: 60 Number of bytes received: 40
Processing time: 0ms Original Client IP: 184.108.40.206
So it looks like the mail is getting to the TMG server, if I'm correct?
It looks like the problem is the TMG server to the Exchange server.
Are there meant to be any SMTP or SMTPS rules for TMG?
Can you telnet from TMG to Exchange and send an email?
Seems like the issue is with the SMTP rules, can you go over them?
Or post them.
Ok, this is how I have set up the SMTP rules at the moment:
1- Firewall Policy, New, Mail Server Publishing Rule
2- Mail Server Publishing Rule Name (Exchange)
3- Client Access: RPC, IMAP, POP3, SMTP
4- Error now comes up saying 'Forefront TMG detected a single adaptor configuration. Server publishing rules are not supported in a single network adaptor configuration. Do you still want to create a server publishing rule?'
5- yes button
6- Ticking all boxes (Outlook RPC, POP3, IMAP4, SMTP, POP3 Secure, IMAP4 Secure, SMTP Secure) I have just tried to just use SMTP and SMTP Secure, and nothing else.
7- Type in Server IP Address (10.146.65.20)
8- Listen for request from these networks - Use internal with TMG IP Address (10.146.65.31)
Last edited by pritchardavid; 25th August 2012 at 10:31 AM.
The TMG server is a virtual server and it has two virtual network cards. So I'm not sure why it's saying that, or is it because I did set it up as a single network adapter topology when I set up TMG? I added the second virtual Ethernet card the other day when this message came up, thinking it would get rid of this error!
So you think this is the problem then, mate? Does it need changing to a different topology? If so, how would you do that, a reinstall?
Or would UAG provide this in a single network adaptor topology?
I wouldn't know what other topology to pick if needed.
Last edited by pritchardavid; 25th August 2012 at 11:10 AM.
I'd go for a reinstall. TMG is a nightmare with its settings; once it gets something in its head it's stuck. You also want each adapter in a separate IP subnet so that it can distinguish what is going on.
Well, I have managed to change to edge firewall by rerunning the wizard, but still no external emails working.
Might have to reinstall like you said, but can I check a few things with you please?
- Internal DNS Server IPs?
- No Gateway?
- Normal Subnet Mask 255.255.248/24? (IP Address Range Allocated from the council 10.146.64.1-10.146.71.250)
- IP address 10.146.65.34
- Internal DNS Server IPs?
- Normal Gateway Address? (Modem that's the fibre is connected to before our main HP switch)
- What subnet mask?
- IP address which is already nated for a public IP address (Internal is 10.146.65.31 for this)
Also, how do I set up the SMTP rules?
What network do I select for the listener? internal or external or both?
Also with our two existing web listeners http/https do they stay in the internal network or now the external network, I'm guessing it stays the same, just want to make sure.
Last edited by pritchardavid; 25th August 2012 at 02:06 PM.
To use it as a firewall it needs to be at the border between two networks. This means that its external interface would exist on the LEA IP range and the rest of the school would exist NATed behind it in a separate range. I have always found it odd the way that the LEA networks work, as they seem to be set up to punish good practice rather than reward it.
The external adapter should be on the IP 10.146.65.31 with the subnet mask allocated and the default gateway set to the upstream device. Its DNS should point to the internal AD DNS servers.
The internal adapter could use a different network like 172.16.x.x that holds all of your client PCs and servers, again DNS points at AD.
The listeners should be on both internal and external.
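The addressing rules given in the two replies above (adapters in separate subnets, gateway on the external side, AD DNS and the published Exchange server behind the internal adapter) written up as a small checker. This is an added example, not code from the thread or from TMG; the gateway and DNS addresses are made-up placeholders because the thread does not state them.

```python
import ipaddress


def check_two_nic_plan(external_ip, external_mask, gateway,
                       internal_ip, internal_mask, dns_servers, published_servers):
    """Return the list of problems with a proposed TMG edge (two-adapter) layout.

    Rules from the replies: the two adapters must be in separate subnets, the
    default gateway sits on the external side, and AD DNS plus every published
    server (Exchange here) sit behind the internal adapter. Empty list == OK."""
    problems = []
    # ip_interface accepts a dotted mask, e.g. "10.146.65.31/255.255.248.0"
    ext_net = ipaddress.ip_interface(f"{external_ip}/{external_mask}").network
    int_net = ipaddress.ip_interface(f"{internal_ip}/{internal_mask}").network
    if ext_net.overlaps(int_net):
        problems.append(f"adapters overlap: external {ext_net} vs internal {int_net}")
    if ipaddress.ip_address(gateway) not in ext_net:
        problems.append(f"default gateway {gateway} is not on the external subnet {ext_net}")
    for dns in dns_servers:
        if ipaddress.ip_address(dns) not in int_net:
            problems.append(f"DNS server {dns} is not behind the internal adapter ({int_net})")
    for srv in published_servers:
        addr = ipaddress.ip_address(srv)
        if addr in ext_net:
            problems.append(f"published server {srv} is on the external subnet, "
                            "so it cannot sit NATed behind TMG")
        elif addr not in int_net:
            problems.append(f"published server {srv} is on neither adapter's subnet")
    return problems


# Layout as described in the thread: every host on the council's 10.146.64.0/21 range.
# Gateway and DNS addresses are constructed placeholders (the thread does not give them).
CURRENT_LAYOUT = dict(
    external_ip="10.146.65.31", external_mask="255.255.248.0", gateway="10.146.64.1",
    internal_ip="10.146.65.34", internal_mask="255.255.248.0",
    dns_servers=["10.146.65.10"], published_servers=["10.146.65.20"],
)

# Layout the reply proposes: LAN re-addressed into 172.16.x.x behind the internal adapter.
PROPOSED_LAYOUT = dict(
    external_ip="10.146.65.31", external_mask="255.255.248.0", gateway="10.146.64.1",
    internal_ip="172.16.0.1", internal_mask="255.255.0.0",
    dns_servers=["172.16.0.10"], published_servers=["172.16.1.20"],
)


def evaluate(layout):
    return check_two_nic_plan(**layout)


if __name__ == "__main__":
    for name, layout in (("current", CURRENT_LAYOUT), ("proposed", PROPOSED_LAYOUT)):
        print(name, evaluate(layout) or "OK")
```

The current layout trips both the overlap check and the published-server check, which is exactly the "everything is on 10.146.*" problem the thread runs into.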
Damn, that's gonna be one nasty job, everything is set on the 10.146.* range.
Is it worth a try using Exchange Edge with TMG?
If you want the added benefits of an Edge.
If it's in a VM environment you may be able to use Untangle or something to NAT the traffic from the LEA IP to a 172 address then into the external interface of the ISA. Convoluted, but it should trick it into working.