Internet Related/Filtering/Firewall Thread, Help with our Exchange & TMG Setup - No External Mail! in Technical; done the logging?...
24th August 2012, 11:54 PM #16
25th August 2012, 01:00 AM #17
I have enabled the logging as you said; I don't know what to do after that, though.
Also, I have found this under the TMG logging:
e: Firewall service
Status: A connection was abortively closed after one of the peers sent an RST packet.
Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
Source: Internal (18.104.22.168:50016)
Destination: Local Host (10.146.65.31:25)
Number of bytes sent: 60 Number of bytes received: 40
Processing time: 0ms Original Client IP: 22.214.171.124
So it looks like the mail is getting to the TMG server, if I'm correct?
It looks like the problem is between the TMG server and the Exchange server.
Are there meant to be any SMTP or SMTPS TMG rules?
25th August 2012, 01:25 AM #18
Can you telnet from TMG to Exch and send an email?
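The telnet check suggested above, scripted so it can be repeated from the TMG box. This is an added example, not code from the thread: it opens port 25, reads the banner, sends EHLO and QUIT, and reports the reply codes; an empty result means the connection was refused, reset or timed out, which matches the RST the TMG log showed. The fake Exchange responder and the host names are constructed for offline testing.

```python
import socket
import threading

def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = f.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("peer closed the connection (TMG logs this as RST/FIN)")
        if len(line) < 4 or line[3] != "-":   # last line of a reply has a space, not a dash
            return int(line[:3])

def smtp_probe(host, port=25, helo="tmg.example.local", timeout=5):
    """Banner, EHLO, QUIT; returns e.g. [220, 250, 221] on a healthy hub, [] if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            codes = [_read_reply(f)]                       # 220 banner
            s.sendall(f"EHLO {helo}\r\n".encode())
            codes.append(_read_reply(f))                   # 250 EHLO response
            s.sendall(b"QUIT\r\n")
            codes.append(_read_reply(f))                   # 221 goodbye
            return codes
    except (ConnectionRefusedError, ConnectionResetError, ConnectionError, socket.timeout):
        return []

def _fake_exchange(srv):
    """Constructed stand-in for the Exchange receive connector (offline test only)."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"220 exch.example.local Microsoft ESMTP MAIL Service ready\r\n")
        for raw in conn.makefile("rb"):
            cmd = raw.decode(errors="replace").strip().upper()
            if cmd.startswith("EHLO"):
                conn.sendall(b"250-exch.example.local Hello\r\n250 SIZE 10485760\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 2.0.0 Service closing transmission channel\r\n")
                break
            else:
                conn.sendall(b"500 5.5.1 Command unrecognized\r\n")

def self_test():
    """Probe the fake connector on a loopback port and return the codes seen."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_fake_exchange, args=(srv,), daemon=True).start()
    try:
        return smtp_probe("127.0.0.1", srv.getsockname()[1])
    finally:
        srv.close()

if __name__ == "__main__":
    print(self_test())   # against a real hub: smtp_probe("10.146.65.20")
```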
25th August 2012, 02:48 AM #19
Seems like the issue is with the SMTP rules; can you go over them, or post them?
25th August 2012, 10:23 AM #20
OK, this is how I have set up the SMTP rules at the moment:
1- Firewall Policy, New, Mail Server Publishing Rule
2- Mail Server Publishing Rule Name (Exchange)
3- Client Access: RPC, IMAP, POP3, SMTP
4- Error now comes up saying 'Forefront TMG detected a single adaptor configuration. Server publishing rules are not supported in a single network adaptor configuration. Do you still want to create a server publishing rule?'
5- Yes button
6- Ticking all boxes (Outlook RPC, POP3, IMAP4, SMTP, POP3 Secure, IMAP4 Secure, SMTP Secure). I have also just tried using only SMTP and SMTP Secure, and nothing else.
7- Type in Server IP Address (10.146.65.20)
8- Listen for requests from these networks - Use Internal with TMG IP Address (10.146.65.31)
25th August 2012, 10:34 AM #21
Is it actually a single adapter setup? This will break things.
25th August 2012, 11:07 AM #22
The TMG server is a virtual server and it has two virtual network cards. So I'm not sure why it's saying that, or is it because I did set it up as a single network adapter topology when I set up TMG? I added the second virtual Ethernet card the other day when this message came up, thinking it would get rid of this error!
So you think this is the problem then, mate? Does it need changing to a different topology? If so, how would you do that, a reinstall?
Or would UAG provide this in a single network adaptor topology?
I wouldn't know what other topology to pick if needed.
25th August 2012, 12:39 PM #23
I'd go for a reinstall. TMG is a nightmare with its settings; once it gets something in its head it's stuck. You also want each adapter in a separate IP subnet so that it can distinguish what is going on.
25th August 2012, 02:00 PM #24
Well, I have managed to change to edge firewall by rerunning the wizard, but still no external emails are working.
Might have to reinstall like you said, but can I check a few things with you please?
- Internal DNS Server IPs?
- No Gateway?
- Normal Subnet Mask 255.255.248/24? (IP Address Range Allocated from the council 10.146.64.1-10.146.71.250)
- IP address 10.146.65.34
- Internal DNS Server IPs?
- Normal Gateway Address? (Modem that's the fibre is connected to before our main HP switch)
- What subnet mask?
- IP address which is already nated for a public IP address (Internal is 10.146.65.31 for this)
Also, how do I set up the SMTP rules?
What network do I select for the listener: internal, external or both?
Also, with our two existing web listeners (HTTP/HTTPS), do they stay on the internal network or move to the external network now? I'm guessing they stay the same, just want to make sure.
25th August 2012, 02:21 PM #25
To use it as a firewall it needs to be at the border between two networks; this means that its external interface would exist on the LEA IP range and the rest of the school would exist NATed behind it in a separate range. I have always found it odd the way that the LEA networks work, as they seem to be set up to punish good practice rather than reward it.
The external adapter should be on the IP 10.146.65.31 with the subnet mask allocated and the default gateway set to the upstream device. Its DNS should point to the internal AD DNS servers.
The internal adapter could use a different network like 172.16.x.x that holds all of your client PCs and servers, again DNS points at AD.
The listeners should be on both internal and external.
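A quick sanity check for the layout described in this reply and the "separate subnet" point made in post #23. This is an added example, not code from the thread: it works out the mask for the council's allocated range (answering the "255.255.248/24?" question) and flags a two-adapter TMG configuration whose adapters overlap or whose external gateway is off-subnet. The 172.16.0.1/16 internal address and the upstream gateway address are placeholders; the thread gives neither.

```python
import ipaddress

def covering_network(first, last):
    """Smallest single subnet that contains both addresses of an allocated range."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(a.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net:
            return net

def check_topology(external, internal, gateway):
    """Return problems with a two-adapter TMG layout; an empty list means it is sane."""
    ext = ipaddress.ip_interface(external)
    lan = ipaddress.ip_interface(internal)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if ext.network.overlaps(lan.network):
        # the single-subnet case from post #24: TMG cannot tell the two sides apart
        problems.append(f"adapters share a subnet: {ext.network} overlaps {lan.network}")
    if gw not in ext.network:
        problems.append(f"upstream gateway {gw} is not on the external subnet {ext.network}")
    if gw in lan.network:
        problems.append("internal adapter must not carry the upstream default gateway")
    return problems

# Values quoted in the thread; the gateway address is a placeholder (not given in the thread).
LEA_NET = covering_network("10.146.64.1", "10.146.71.250")
UPSTREAM_GW = "10.146.64.1"

if __name__ == "__main__":
    print("council block:", LEA_NET, "mask:", LEA_NET.netmask)
    ext = f"10.146.65.31/{LEA_NET.prefixlen}"
    print("both adapters on LEA range:", check_topology(ext, f"10.146.65.34/{LEA_NET.prefixlen}", UPSTREAM_GW))
    print("internal on 172.16/16:", check_topology(ext, "172.16.0.1/16", UPSTREAM_GW))
```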
28th August 2012, 08:05 PM #26
Damn, that's gonna be one nasty job; everything is set on the 10.146.* range.
Is it worth a try using Exchange Edge with TMG?
29th August 2012, 02:36 PM #27
If you want the added benefits of an Edge.
29th August 2012, 02:46 PM #28
If it's in a VM environment you may be able to use Untangle or something to NAT the traffic from the LEA IP to a 172 address, then into the external interface of the ISA. Convoluted, but it should trick it into working.