none
Trouble Publishing SMTP through TMG to Internal Exchange 2010

    Question

  • Hello,

    I have a TMG server configured as a back firewall.  I am trying to publish SMTP so that our hosted spam filtering can deliver inbound email through the TMG to the internal Hub Transport server.

    The Internet firewall is a Cisco ASA that NATs our public IP to the DMZ IP of the TMG server.

    I have run the Mail Server Publishing Rule with the following settings:

    Name: Exchange HT SMTP Rule

    Access Type: Server-to-server commnication: SMTP,NNTP

    Services: SMTP

    Server Being Published: 10.10.50.100 (internal Exchange HT server)

    Network Listener IP Addresses: Perimeter - 10.119.1.50(DMZ IP of TMG)

    i am using an external workstation and Telnet on port 25 to test the rule.  I have configured the logs to filter based on my external workstation's Client IP address.

    When I attempt to connect via Telnet on port 25, Telnet replies back "Could not open connection to the host, on port 25: Connection failed".  On log of the TMG, i see two events repeated several times.

    These two events are logged each three times per failed connection, but no other events are shown.

    One thing that I am curious of is that the events in the log indicate the "[System] Allow SMTP traffic to the local host for mail protection filtering" rule and not the publishing rule that was created.  No events show up for the rule that was created to publish the mail server.

    Friday, February 17, 2012 4:15 PM

Answers

All replies

  • Hi,

    maybe it's a cisco firewall problem
    look at this topic to troubleshoot problems Send or Receive E-Mail Messages Behind a Cisco Firewall : You Cannot Send or Receive E-Mail Messages Behind a Cisco PIX Firewall

    Regards,


    Cordialement, Oussema FEKIH Note : Si ma réponse vous a été utile, ou apporté une résolution; merci de Voter ou de la marquer comme Utile. Best Regards, Oussema FEKIH If my reply has helped you or made a resolution, thank you to vote it as helpful or mark it as answer.

    Friday, February 17, 2012 5:02 PM
  • I dont think that is an issue but have forwarded the link to the firewall resources to double check.  We currently have SMTP flowing into other mail gateways from the ASA for filtering, which is why I dont think the ASA is a problem.

    I should also note that we are NOT using the Exchange Edge Trasnport Role or Forefront Protection for Exchange on the TMG servers.  To my understanding, this means we cannot use the email policy configurations within TMG, but should still be able to use publishing rule for Non-Web Server Protocols, specifying the SMTP Server as the service.

    Friday, February 17, 2012 9:36 PM
  •  

    Hi,

    Thank you for the post.

    “Access Type: Server-to-server commnication: SMTP,NNTP” – if you want external user to access your mail server, please select “Client access: RPC,IMAP,POP3,SMTP” in the mail publishing rule.

    Regards,


    Nick Gu - MSFT

    Tuesday, February 21, 2012 6:18 AM
  • Client access isnt a problem.  The problem is I need inbound SMTP to pass through the TMG server and then to the internal Exchange servers.  For some reason, the SMTP connections never get processed, but simply close with the events show earlier in this thread.
    Tuesday, February 21, 2012 12:04 PM
  • When using the Client Access setting to allow SMTP, the same results are experienced.  The TMG never appears to process the rule as the "[System] Allow SMTP traffic to the local host for mail protection and filtering" is the only rule applied before the connection is dropped.  Still no denial events or any other events on TMG to indicate why this fails.

    Tuesday, February 21, 2012 4:06 PM
  • The listener probably needs to be on the External network...

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, February 21, 2012 4:13 PM
  • I udpated the rule to use the External network in addition to the Perimeter network, but no luck.

    When I run a netstat -na, I do not see any listeners for port 25.  Is the Exchange ET role required for any SMTP handling?  Essentially I would like TMG just to proxy SMTP through to the internal Hub Transport servers.

    Tuesday, February 21, 2012 4:39 PM
  • Ok, can you give an overview of your TMG networking configuration and specific details of your current server publishing rule...

    No, you dont need Exchange ET to do SMTP server publishing.

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Tuesday, February 21, 2012 5:11 PM
  • Also, is you TMG back firewall doing NAT or routing?

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, February 21, 2012 5:13 PM
  • The network config is shown below.  The Internal network consists of several internal VLANs included in the two address ranges defined.  The Perimeter network contains all other address ranges.

    Persistant routes have been defined as the default GW on the Internal NIC has been removed.

    The network rules are configured as:

    Name - Relation - Source Network, Destination Network, NAT Addresses

    1. Local Host Access - Route - Local Host - All Networks
    2. VPN Clients to Internal Network - Route - Quarantined VPN Clients, VPN Clients - Internal
    3. Internet Access - NAT - Internal, Quarantined VPN Clients, VPN Clients - External - Default IP Address
    4. Perimeter to External Relationship - NAT - Perimeter - External - Default IP Address
    5. Perimeter to Internal Network - Route - Perimeter - Internal

    The firewall System Policy for E-Mail Policy is currently disabled, as well as the E-Mail Policy configuration within the TMG console.

     

    The Non-Web Server Protocol Publishing Rule configuration can be seen below:

    Action Tab

    • Action to take: Allow
    • Log requests matching this rule: enabled

    Traffic Tab

    • Allow network traffic using the following protocol: SMTP Server

    From Tab

    • Rule Applies to trafafic from these sources: Perimeter, External

    To Tab

    • Specify the network address of the server to publish: 10.112.225.20
    • Requests for published server: Requests appear to come from the Forefront TMG computer

    Networks Tab

    • Selet networks for this listener: External, Perimeter

    Under these settings, when we test SMTP, the errors indicate:

    Denied Connection

    Log Type: Firewall Service

    Status: The policy rules do not allow the user request

    Rule: Default Rule

    Source: Perimeter (Public IP of test workstation)

    Destination: Local Host (10.119.1.50:25)

    Protocol: SMTP

    If we enable the E-Mail policy, the "Initiated Connection" and "Closed Connection" events are logged as seen above in the thread.  Exchange Edge Transport is not installed on the server.  I am trying to just have it proxy SMTP as was possible in ISA 2006.

    Tuesday, February 21, 2012 6:49 PM
  • As you have a route relationship between Perimeter and Internal, I am pretty sure you have two options:

    (1) Enable the listener to listen on all IP addresses, not a specific address, then modify the ASA to NAT direct to 10.10.50.100 as opposed to an IP address on the outside of TMG.

    (2) Create a new network rule to apply a NAT relationship between the Perimeter network and the Exchange HT server on 10.10.50.100. Order the new rule above the existing 'Perimeter to Interanal: Route' rule.

    I think the following examples match your scenario:

    http://blogs.technet.com/b/isablog/archive/2008/06/24/server-publishing-with-isa-server-2004-2006-and-route-relationship-between-networks.aspx

    http://richardkok.wordpress.com/2010/11/08/using-non-web-server-publishing-rules-with-a-route-relationship-on-forefront-tmg/

    Server publishing when you have a route relationship between is a bit odd in ISA/TMG, but hopefully the above makes sense and gets it working for you ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, February 22, 2012 12:20 AM
  • I went through the process of creating a Network rule between the HT servers and the Perimeter network.  I followed the process outlined in your recommended link http://richardkok.wordpress.com/2010/11/08/using-non-web-server-publishing-rules-with-a-route-relationship-on-forefront-tmg/, but when I complete the configuration, I do not see anything listening on port 25.  I have disabled and re-enabled the publishing rule for mail server, but I cannot get a listener to show up on the server when I run netstat.
    Thursday, February 23, 2012 10:23 PM
  • Did you try option 1?

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, February 23, 2012 10:38 PM
  • I am not sure how we can do the first option:

    "(1) Enable the listener to listen on all IP addresses, not a specific address, then modify the ASA to NAT direct to 10.10.50.100 as opposed to an IP address on the outside of TMG."

    The TMG is only in place for Exchange related traffic and sits as a back firewall, but the ASAs hande all other traffic from the Internet, through DMZ, to internal LAN.  If we set the Internet facing ASA to NAT directly to the internal IP 10.10.50.100 for our Exchange server, then the ASA will forward to the Exchange server without passing through the TMG.

    Saturday, February 25, 2012 10:52 PM
  • Hi Guys,

    i had the same problem and i spent 2 days trying to figure out the cause. That's why i'm sharing this post on all the similar thread i can find.

    My problem was: TMG wasn't listening on port 25 after the Non-Web Server publishing rule (similar rules but for FTP, HTTP were working and the TMG started to listen on the appropriate ports straight after the "apply").

    Solution: Right Click on Firewall Policy --> All Task --> System Policies ---> Edit System Policies. Then scroll down to E-Mail Policy (should  be the second last) and tick "Enable this configuration group"

    Am i the only one that had this unticked?

    Stefano
    Wednesday, December 05, 2012 10:44 AM