RE: How to allow POP3 SSL connections w' ISA 2004
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Wed, 23 May 2007 08:28:01 GMT
Hello Mike,
Thank you for posting here.
According to your description, I understand that you can not receive mail
via SSL POP3 after you install ISA 2004 sp3 on your SBS. If I have
misunderstood the problem, please don't hesitate to let me know.
Based on my research, the rules that you created look correct. I suggest we
try the following steps to see if we can resolve this issue:
1. You have to rerun the CEICW to make sure your SBS 2003 server have right
network configuration. Go through the follow KB and Rerun CEICW again
carefully.
How to configure Internet access in Windows Small Business Server 2003
http://support.microsoft.com/kb/825763/en-us
2. Increase the value of Connection limit
Open the ISA 2004 Server management console, navigate to Configuration->
General-> Define Connection Limits-> Connection Limit tap, uncheck the
option: Limit the number of connection, click OK, then click Apply.
3. If the problem persists, please try to disable the POP Intrusion
Detection Filter
Open the ISA 2004 Server management console, navigate to Configuration->
General->Add-ins->Application Filters tap, right click POP Intrusion
Detection Filter, select Disable. Then click Apply.
4. Please try to disable the ISA firewall client on the problematic client
computer, and then test this issue.
If we can not resolve the issue after we perform the above steps, please
kindly help me collect some information for further investigation:
1. Run command "ipconfig /all > c:\ipconfig_sbs.txt" on SBS, send the files
c:\ipconfig_sbs.txt to me at v-terliu@xxxxxxxxxxxxx
1. Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/tools/isainfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
2. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is showed there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to deleted, that's normal.) You may backup them first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the testing clients so that I
can filter the data.
Hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
| Subject: How to allow POP3 SSL connections w' ISA 2004
| User-Agent: 40tude_Dialog/2.0.15.1 (df45ded5.127.468)
| MIME-Version: 1.0
| Content-Type: text/plain; charset="us-ascii"
| Content-Transfer-Encoding: 7bit
| Date: Tue, 22 May 2007 13:31:33 -0700
| Message-ID: <eshywALnHHA.4848@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: adsl-71-144-115-66.dsl.renocs.sbcglobal.net
71.144.115.66
| Lines: 1
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:38709
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Outlook 2003 on an XP domain workstation is configured to receive POP3
| SSL e-mail on port 995 and send with SMTP SSL on port 465, both to an
| external server, i.e. gmail and us.army.mil (not our Exchange server). I
| can send, but I can't receive.
|
| This worked using the RRAS firewall, and worked after installing ISA
| Server 2004 SP1 and SP2, but does not work with ISA Server 2004 SP3. The
| server running SBS 2003 SP2. Perhaps I've misconfigured the policies.
|
| Here are my policies in ISA Server. Is the error obvious?
|
| Name: "SBS Client POP3S Outbound Access Rule"
| Action: Allow
| Protocols: POP3S (Parameters Port range 995, TCP, Outbound, No
| application filters)
| From/Listener: Internal
| To: External
| Condition: All Users
|
| and
|
| Name: "SBS Client SMTPS Outbound Access Fule"
| Action: Allow
| Protocols: SMTPS (Parameters Port 465, TCP, Outbound, No application
| filters)
| From/Listener: Internal
| To: External
| Condition: All Users
|
| Outlook complains that it can't find the POP3 server. This happens
| nearly instantly. I can see in ISA Server logging the following when
| checking gmail:
| 1:26:15PM, Destination 209.85.146.109, Dest Port 995, Protocol POP3S,
| Action "Initiated Connection", Rule "SBS Client POP3S Outbound Access
| Rule, Client IP 192.168.16.242 (this is my workstation), Source
| Internal, Destination External
| and a nano second later, exactly the same entry.
|
| This is followed by 2 "Closed Connection" entries 14 seconds later.
|
| --
| Mike H
|
.
- Follow-Ups:
- Re: How to allow POP3 SSL connections w' ISA 2004
- From: Mike H
- Re: How to allow POP3 SSL connections w' ISA 2004
- References:
- How to allow POP3 SSL connections w' ISA 2004
- From: Mike H
- How to allow POP3 SSL connections w' ISA 2004
- Prev by Date: Question On ntBackup
- Next by Date: Re: site to site VPN - need suggestions on VPN routers and folder sync
- Previous by thread: Re: How to allow POP3 SSL connections w' ISA 2004
- Next by thread: Re: How to allow POP3 SSL connections w' ISA 2004
- Index(es):
Relevant Pages
|
Loading
