Re: Exchange, SMTP queues and firewall


From: tcnolan (tcnolan_at_optonline.net)
Date: 06/22/04


Date: 21 Jun 2004 17:22:58 -0700

Hi Mark,

Thanks for your reply. Today when I cleared out the queues in
Exchange, there were only 262 messages. So there really aren't that
many now. On Friday, when I started the SMTP server, in about 20
minutes I lost connection to the internet because the firewall ran out
of NAT ports.

We use Soho Watchguard (5.2.11) for our firewall. We kept losing
connection to the internet and whenever we rebooted the firewall, it
would be fine for a while. That is when we noticed in the firewall
logs the error NAT - Dynamic Translation Pool exhausted.

We have never had this problem before. We are a small office with
just 10 PCs. So we shouldn't have that many ports being used. The
tech support at Watchguard said the NAT ports should stay around 950.
They are as puzzled as we are.

I have used multiple engines to scan for viruses and today changed all
the passwords on the server. When I turned off NDRs, the firewall
seemed to hold steady at 950 NAT ports available.

I don't know what you mean by "smarthost" but will look into it.

Thanks,

Terry

"Mark Arnold [MVP]" <mark@mvps.org> wrote in message news:<ne9ed0d9hchnr19m1n7o8ojhgd3bps2au8@4ax.com>...
> tcnolan@optonline.net (tcnolan) wrote:
>
> >Hi...
> >
> >
> How many NDRs do you have? If there are tons and tons you could be
> either a relay or being hit by spam in a big way.
> When Exchange tries to send an NDR it will look up the address and will
> only make a connection if it can get to the destination server. Having
> NDRs in the queue won't be taking up NAT ports I wouldn't say. Do you
> really need to NAT your outbound in this way though?
> Another consideration is to change the outbound connection to a
> smarthost rather than attempting delivery to each and every
> destination on the Internet. That will ensure that only one
> destination is available (usually the ISP's SMTP relay) and will
> reduce connections, depending on what you actually mean by connections
> and depending on how the firewall is working.
>
>
> Mark Arnold MCSA MCSE+M MVP,
> FAQ: http://www.swinc.com/resource/exchange.htm
> Blog: http://www.msexchange.me.uk
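
One way to check whether outbound SMTP delivery attempts are what is using up the firewall's NAT translations, as an added example that is not part of the original thread: it counts outbound connections to port 25 in `netstat -an` output taken on the mail server. The sample lines, the addresses and the `nat_budget` value are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `netstat -an` output from the mail server
# (RFC 5737 documentation addresses, not data from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:25        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4101      203.0.113.5:25         SYN_SENT
  TCP    192.168.1.10:4102      203.0.113.5:25         SYN_SENT
  TCP    192.168.1.10:4103      198.51.100.7:25        ESTABLISHED
  TCP    192.168.1.10:4104      198.51.100.9:25        TIME_WAIT
  TCP    192.168.1.10:4105      192.0.2.44:80          ESTABLISHED
  TCP    192.168.1.10:25        192.0.2.200:51515      ESTABLISHED
  UDP    192.168.1.10:53        *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; return (addr, port) or None."""
    addr, _, port = endpoint.rpartition(":")
    return (addr, int(port)) if port.isdigit() else None

def outbound_smtp(netstat_text, smtp_port=25):
    """Return (local, remote_addr, state) for TCP rows whose remote port is smtp_port."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have four columns; header, UDP and blank lines are skipped.
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        remote = split_endpoint(fields[2])
        if remote and remote[1] == smtp_port:
            rows.append((fields[1], remote[0], fields[3]))
    return rows

def summarize(netstat_text, nat_budget):
    """Count outbound SMTP flows by state and destination against a NAT budget."""
    rows = outbound_smtp(netstat_text)
    return {
        "total": len(rows),
        "by_state": dict(Counter(state for _, _, state in rows)),
        "destinations": len({addr for _, addr, _ in rows}),
        "share_of_budget": len(rows) / nat_budget,
    }

if __name__ == "__main__":
    # nat_budget is a hypothetical pool size; use the figure your firewall reports.
    print(summarize(SAMPLE, nat_budget=1000))
```

Running it on captures taken with NDRs enabled and with NDRs turned off gives two sets of counts to compare against the firewall's own figure.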


