game_over Posted March 9, 2010

I'm trying to access IMAP and SMTP behind ISA. Every mail client I try just fails to connect, and I've tried several domains including googlemail.

I have created the following access rule:

Mail Access Protocol - Enabled / Allow
Selected Protocols - HTTP, HTTPS, SMTP, IMAP4, IMAPS, POP3
From - INTERNAL
To - EXTERNAL
Users - ALL USERS
Schedule - ALWAYS
All content types

Do I need to do anything else besides set up the access rule?

One thing I have noticed is that the SMTP filter port range is 465, but Gmail says to set this as 587. In ISA the option to add more ports is grayed out?

Anyone have any experience with this?

Link to comment https://www.neowin.net/forum/topic/881980-access-imapsmtp-behind-isa/

garethevans1986 Posted March 9, 2010

Try telnetting into the SMTP server to see if it can be reached. Another option is to view the logs to see if it's ISA Server that is actually blocking it or not.

GE

game_over Posted March 9, 2010

I can't access it using PuTTY, and when I check logs I can see 'Connection Denied' from my IP address when using basic authentication, but when I change the ports to what Google says I get nothing.

CCS-IT Posted March 9, 2010

On 09/03/2010 at 10:46, forcer said:
> I can't access it using PuTTY, and when I check logs I can see 'Connection Denied' from my IP address when using basic authentication, but when I change the ports to what Google says I get nothing.

Make sure that imap.gmail.com:993 (or 74.125.155.109:993) for IMAP and smtp.gmail.com:465 (or 74.125.127.109:465) are allowed in your firewall, then check with telnet:

1) TELNET imap.gmail.com 993
2) TELNET smtp.gmail.com 465

If you are using Google Apps and have configured your domain with Google for mail, then use port 587 for SMTP (TLS enabled):

3) TELNET smtp.gmail.com 587

game_over Posted March 9, 2010

telnet imap.gmail.com 993
Connecting To imap.gmail.com...Could not open connection to the host, on port 993: Connect failed

telnet imap.gmail.com 456
Connecting To imap.gmail.com...Could not open connection to the host, on port 456: Connect failed

telnet imap.gmail.com 587
Connecting To imap.gmail.com...Could not open connection to the host, on port 587: Connect failed

I can't see the option to allow it in ISA. The IMAP protocols are there and in use in the access rule above, but it also won't let me add any more ports.

CCS-IT Posted March 10, 2010

On 09/03/2010 at 12:20, forcer said:
> telnet imap.gmail.com 993
> Connecting To imap.gmail.com...Could not open connection to the host, on port 993: Connect failed
>
> telnet imap.gmail.com 456
> Connecting To imap.gmail.com...Could not open connection to the host, on port 456: Connect failed
>
> telnet imap.gmail.com 587
> Connecting To imap.gmail.com...Could not open connection to the host, on port 587: Connect failed
>
> I can't see the option to allow it in ISA. The IMAP protocols are there and in use in the access rule above, but it also won't let me add any more ports.

How much experience do you have in ISA Server, out of ?/10?

Try to create a new role in ISA and specify the source address/IP and destination/IP, the port number, and allow access...

game_over Posted March 10, 2010

On 10/03/2010 at 05:51, MPK said:
> How much experience do you have in ISA Server, out of ?/10?
>
> Try to create a new role in ISA and specify the source address/IP and destination/IP, the port number, and allow access...

I'm not at professional level. Can you point me in the right direction to create a new role in ISA?

I tried creating a new protocol for GMAIL SSL ports and adding that to the mail access rule but got nothing.

CCS-IT Posted March 10, 2010

On 10/03/2010 at 09:41, forcer said:
> I'm not at professional level. Can you point me in the right direction to create a new role in ISA?
>
> I tried creating a new protocol for GMAIL SSL ports and adding that to the mail access rule but got nothing.

Can you upload screenshots of the ISA allowed/denied source and destination? And tell me one thing: have you specified imap.gmail.com/smtp.gmail.com anywhere in ISA Server?

game_over Posted March 10, 2010

On 10/03/2010 at 13:12, MPK said:
> Can you upload screenshots of the ISA allowed/denied source and destination? And tell me one thing: have you specified imap.gmail.com/smtp.gmail.com anywhere in ISA Server?

No, I haven't specified imap.gmail.com/smtp.gmail.com - I don't know where to do it. As I say, my experience is little.

game_over Posted March 12, 2010

Bump. Does anyone know how to specify imap/smtp.gmail.com in ISA server?

CCS-IT Posted March 15, 2010

I hope this image tutorial fixes your problem; do as per the instructions.

game_over Posted March 15, 2010

Thank you for taking the time to do that, but I still got nothing. Here are the details of the access rule; is everything correct?

New Access Rule: Gmail (Enabled / Allow)

Protocols:
IMAP4
IMAP4 Server
IMAPS
IMAPS Server
SMTP
SMTP Server
SMTP-GMAIL (TCP / 587 / Outbound) < custom protocol I made with ports for Gmail

From:
Internal
Local Host

To: smtp.gmail.com (Address Range: 74.125.127.109 to 74.125.155.109)

Users: All Users

game_over Posted March 16, 2010

Here is a screenshot of what the log shoots out when I try to connect.

game_over Posted March 17, 2010

I've updated ISA to the latest service pack and it provides more info in the logs. All I get is:

Unidentified IP Traffic(TCP:1745) Initiated Connection
Unidentified IP Traffic(TCP:1745) Connection Closed

Initiated Connection
Log type: Firewall service
Status: The operation completed successfully.
Rule:
Source: Internal ( 192.168.16.73:63894)
Destination: Local Host ( 192.168.16.4:1745)
Protocol: Unidentified IP Traffic (TCP:1745)
User:
Additional information
Number of bytes sent:
Number of bytes received:
Processing time: 0ms
Original Client IP: 192.168.16.73
Client agent:

then:

Closed Connection
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule:
Source: Internal ( 192.168.16.73:63894)
Destination: Local Host ( 192.168.16.4:1745)
Protocol: Unidentified IP Traffic (TCP:1745)
User:
Additional information
Number of bytes sent: 16530
Number of bytes received: 15514
Processing time: 4000ms
Original Client IP: 192.168.16.73
Client agent:

I'm seriously thinning out on top.

IrfanL Posted March 17, 2010

Is there another firewall/router upstream from your ISA server?

game_over Posted March 17, 2010

On 17/03/2010 at 16:08, -ANiMaL- said:
> Is there another firewall/router upstream from your ISA server?

Umm... yeah.

ISA Firewall --> Router <--File Server
...........................^^^
...................Cachepilot (Internet)

Or maybe it's just a switch; I'm not 100% sure on that one, I didn't install it.

IrfanL Posted March 17, 2010

Make sure it's not blocking your traffic.

game_over Posted March 18, 2010

I wouldn't know where to start, lol. I doubt that's the issue, as nothing else is being blocked?

game_over Posted March 18, 2010

On 17/03/2010 at 16:30, -ANiMaL- said:
> Make sure it's not blocking your traffic.

I think you are right; I have come to the conclusion the ports are blocked on the router. Do you have any idea how I could access the router? I don't even know its IP. Is it possible to find this?

Joel Posted March 18, 2010

Is this a home setup?

game_over Posted March 18, 2010

On 18/03/2010 at 14:16, Joel said:
> Is this a home setup?

No... it's in a building with 50+ computers, 3 hubs.

pupdawg21 Posted March 18, 2010

On 18/03/2010 at 15:01, forcer said:
> No... it's in a building with 50+ computers, 3 hubs.

Hi,

Looking at your issue, there's a lot of stuff kinda wonky with your rules. For one, if you are already allowing everyone to access HTTP/HTTPS in an "Allow everyone internet access" rule, you should not be specifying HTTP and HTTPS again in your SMTP/IMAP rules.

Now let's get started.

What you want to do is define a new Access rule. In this access rule you want to name it something like 'Allow SMTP client Access' so it's easily identifiable.

Also, in your diagram you say it goes ISA Firewall --> Router --> File Server? Where is the internet connection connected into? Is the internet connection at the Router or at the ISA firewall? Also, if the internet connection is at the router, I think your diagram should probably go something like Router --> ISA Firewall --> File Server, with the ISA firewall protecting the File server, or am I misunderstanding your layout?

Next you want to specify the Action as Allow.

In the protocol tab you want to add SMTP and SMTPS (these normally can be found in the Mail protocol section). - You did this

Since you mentioned IMAP you also want to add IMAP4 and IMAPS (these are also found in the Mail protocol section). - You did this

Next you will want to define a new custom protocol. This protocol should allow TCP on port 587. (This is a frequently used port for remote SMTP access since port 25 is blocked by most major ISPs.) Name this custom protocol something like 'SMTP (587)'. - You DID NOT do this

You want to add this new SMTP (587) protocol to your allowed protocol set. (The protocol you created will be found under the User-Defined section.) - You DID NOT do this

On the From tab you want to allow either Internal or All Protected Networks or whatever group you want to have access that you have previously defined.

On the To tab you want to specify External.

The Users tab should be 'All Users' or the designated users you want to have access.

Apply the rule.

Apply the rule to ISA.

Now on the ISA server go to the monitoring section. Set up a monitor with a rule to monitor traffic from the client you want to test from. Now go to that client and attempt the connection. You should be able to successfully connect out now, and you should be able to see every connection attempt and the pathing as it happens in the ISA monitor. If nothing else is blocking or in front of the ISA connection to the outside world, you should be able to connect, or at least be able to see what path it's taking and where it is dropping. If you're seeing no connection attempts on the designated ports, then you may have something else causing the problem, or something is denied/blocked in another rule that is processing before it gets to your matched rule.

Let me know if this gets you on the right track.

game_over Posted March 18, 2010

Hi, thanks for your detailed walk-through. I think I did add the new port anyway, but I went through it nonetheless in case I missed anything.

Now when I try to send and receive in Outlook 2007 I get this:

xxxx@gmail.com - Sending - Complete
Syncronising subscribed folders for xxxx@gmail.com - Errors

> Task 'Synchronizing subscribed folders for xxxx@gmail.com.' reported error (0x800CCC0E) : 'Outlook cannot synchronize subscribed folders for xxxx@gmail.com. Error: Cannot connect to the server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'

Attached is a screenshot of the ISA log output:

The Firewall, Server and Cachepilot (internet access) all go into a switch/router in the cabinet.

IrfanL Posted March 18, 2010

Did you try connecting directly to the router and testing whether IMAP works or not? Do you have the make and model of the router?

pupdawg21 Posted March 19, 2010

On 18/03/2010 at 16:00, forcer said:
> Hi, thanks for your detailed walk-through. I think I did add the new port anyway, but I went through it nonetheless in case I missed anything.
>
> Now when I try to send and receive in Outlook 2007 I get this:
>
> xxxx@gmail.com - Sending - Complete
> Syncronising subscribed folders for xxxx@gmail.com - Errors
>
> Attached is a screenshot of the ISA log output:
>
> The Firewall, Server and Cachepilot (internet access) all go into a switch/router in the cabinet.

In your screenshots, what is the 192.168.16.4 IP address? Is that an upstream firewall/router that web traffic gets passed through?

You might try refining your monitor filter to actually only show traffic going to Port 587 and 445 and 25 for the client's IP address to see if you see any activity. If you don't, then you have something else going on before the traffic reaches the ISA firewall. You should be seeing an attempt to connect to the specified port at the specified destination (the actual Google IMAP address), but since you are seeing a connection going to port 1745 at that internal IP address, either you have some rule that is redirecting traffic, or your setup is configured to direct traffic up to that 192.168.16.4 address on port 1745 and then whatever that box is does something else with the traffic.

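The per-client monitor filter described in the two replies above can also be applied offline to log text copied out of the ISA log viewer. The following is an added example, not code from any poster in the thread or from ISA Server: the sample log is constructed in the layout of the entries posted earlier, and the client 192.168.16.80 and address 203.0.113.10 are placeholders.

```python
import re
from collections import Counter

# Mail ports named in the thread: SMTP 25/465/587, IMAP 143/993.
MAIL_PORTS = {25, 143, 465, 587, 993}

# "Source: <network> ( ip:port) Destination: <network> ( ip:port)",
# tolerant of the fields sitting on one line or on separate lines.
ENDPOINTS = re.compile(
    r"Source:\s*([^(\n]*?)\s*\(\s*([\d.]+):(\d+)\)\s*"
    r"Destination:\s*([^(\n]*?)\s*\(\s*([\d.]+):(\d+)\)"
)

# Constructed sample in the layout of the log entries posted in the thread.
# 192.168.16.80 and 203.0.113.10 are placeholders, not values from the thread.
SAMPLE_LOG = """\
Initiated Connection
Log type: Firewall service
Source: Internal ( 192.168.16.73:63894)
Destination: Local Host ( 192.168.16.4:1745)
Protocol: Unidentified IP Traffic (TCP:1745)
Closed Connection
Log type: Firewall service
Source: Internal ( 192.168.16.73:63894)
Destination: Local Host ( 192.168.16.4:1745)
Protocol: Unidentified IP Traffic (TCP:1745)
Initiated Connection
Log type: Firewall service
Source: Internal ( 192.168.16.80:50112)
Destination: External ( 203.0.113.10:993)
Protocol: IMAPS
"""

def parse_entries(log_text):
    """Return (src_ip, src_port, dst_net, dst_ip, dst_port) per log entry."""
    return [(m[2], int(m[3]), m[4], m[5], int(m[6]))
            for m in ENDPOINTS.finditer(log_text)]

def mail_attempts(log_text, client_ip):
    """Split one client's logged connections into mail-port and other traffic."""
    mail, other = [], Counter()
    for src_ip, _, dst_net, dst_ip, dst_port in parse_entries(log_text):
        if src_ip != client_ip:
            continue
        if dst_port in MAIL_PORTS:
            mail.append((dst_net, dst_ip, dst_port))
        else:
            other[(dst_ip, dst_port)] += 1
    return mail, dict(other)

if __name__ == "__main__":
    for ip in ("192.168.16.73", "192.168.16.80"):
        print(ip, mail_attempts(SAMPLE_LOG, ip))
```

An empty mail list for the client under test, with all of its entries counted against another internal address, corresponds to the case in the last reply where no attempt on the expected ports ever shows up in the log.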