Re: How to allow POP3 SSL connections w' ISA 2004

Hello Mike,

Thank you for kind update. I'm sorry for the delay response due to the
weekend.

Yes, you are correct, this is mostly an Outlook settings issue, you can try
to repost your question in Outlook newsgroup.

Additional, I suggest we try to confirm the following settings:

1. Follow Gmail formal article on how to configure outlook to use Gmail
Account
http://mail.google.com/support/bin/answer.py?answer=13278

2. Install ISA 2004 Service Pack2 on ISA server machine

Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard
Edition Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=88350ABA-D09E-44B5-
8002-96590ABFA148&displaylang=en

3. Configure Gmail Account to allow POP service
http://mail.google.com/mail/help/demos/Gmail_POP/788_Google_Gmail.html

4. Firewall Client that is installed on Client machines should be ISA 2004
version

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
| Subject: Re: How to allow POP3 SSL connections w' ISA 2004
| User-Agent: 40tude_Dialog/2.0.15.1 (7c16b7da.214.381)
| MIME-Version: 1.0
| Content-Type: text/plain; charset="us-ascii"
| Content-Transfer-Encoding: 7bit
| References: <eshywALnHHA.4848@xxxxxxxxxxxxxxxxxxxx>
<9hN9LRRnHHA.5168@xxxxxxxxxxxxxxxxxxxxxx>
<e9FsbuWnHHA.4896@xxxxxxxxxxxxxxxxxxxx>
<KfRN8WfnHHA.1140@xxxxxxxxxxxxxxxxxxxxxx>
| Date: Thu, 24 May 2007 10:50:58 -0700
| Message-ID: <eTxqTwinHHA.3520@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: adsl-71-144-115-66.dsl.renocs.sbcglobal.net
71.144.115.66
| Lines: 1
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:39204
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Good morning, Terence.
|
| Thank you for inspecting the circumstances of my problem.
|
| As you have asked, I've done the following:
|
| (1) Yes, four services are running related to ISA Server. Here's their
| status:
| * Microsoft Data Engine: Running
| * Microsoft Firewall: Running (Uptime 18:30:50)
| * Microsoft ISA Server Job Scheduler: Running (Uptime 3 days,
| 12:41:12)
| * Remote Access Service: Running
|
| (2) I am running antivirus software on the server, NOD32 Enterprise
| Edition. As you have asked, I've disabled protection.
|
| (3) Yes, I can access the internet using Internet Explorer from the
| problem workstation as well as all others.
|
| (4) Yes, I can access the internet from the SBS server.
|
| (5) I have not installed Outlook on the server. However, it does have
| Outlook Express, which has been unused to this point.
| * I started Outlook Express and set up an account for my SSL e-mail
| account, using these custom settings:
| * Incoming mail server: POP3
| * Incoming mail: pop.SSLserver.mil
| * Outgoing: mailrouter.SSLserver.mil
| * "My server requires authentication": Ticked
| *Logon Information: "use same settings as my incoming mail
| server"
| * Outgoing mail: Port 465, SSL
| * Incoming mail: Port 995, SSL
|
| Here is the result of the first send/receive:
| (1) I received the following warning: "The server you are connected
| to is using a security certificate that could not be verified. A
| certificate chain processed, but terminated in a root certificate which
| is not trusted by the trust provider. Do you want to continue using this
| server?" I ticked "YES". (I have not installed the appropriate
| certificates on the server. I HAVE installed them on my workstation.)
| (2) I had entered a p/w when I set up the account but I was prompted
| again. I entered the p/w and the send/receive continued.
| (3) I received a test message that I had sent using HTTP e-mail from
| a browser.
| (4) I replied to the test message using the us.SSLserver.mil SSL
| account. The reply sent normally.
|
| (6) I stopped ISA Server, enabled logging to file for firewall logging
| and web proxy logging, and restarted the server.
|
| (7) I started Outlook Express and performed a send/receive. The
| send/receive proceeded normally.
|
| (8) I created a test message and sent to us.SSLserver.mil. The message
| was sent normally.
|
| (9) I performed another send/receive. The message was received normally.
|
| (10) I stopped ISA Server, changed logging back to the MSDE, and saved
| the .w3c logs, which are attached to this message. For some reason,
| there was only one .w3c file, not two.
|
| (11) I decided to try the army account with OE on my workstation. I
| created it in OE, created a message, and sent it. It sent normally. I
| was also able to receive with OE.
|
| Terrence, it begins to look like the problem is the integration of
| Outlook with the firewall client or proxy server. Strangely, I can use
| the MAIL control panel item, profile properties, to successfully test
| the account properties. If I use Account Properties in Outlook the test
| fails.
|
| I look forward to your reply
|
| Regards,
| Mike
|
| On Thu, 24 May 2007 11:21:52 GMT, Terence Liu [MSFT] wrote:
|
| > Hello Mike,
| >
| > Thank you for you kind update.
| >
| > From the log I can see the POP3 connection is success at beginning
| > (2007-5-23 18:13:50). But fail soon (2007-5-23 18:14:37). And allow the
| > access are fail, the reason is 0xc0040001, means the object is shutting
| > down.
| >
| > Therefore, please ensure that: your ISA services are correct running.
Open
| > ISA 2004 console, extend Monitoring, click Services tab. Ensure the 4
| > services are running.
| >
| > If you install any antivirus software on ISA server, please try to
disable
| > it or uninstall.
| >
| > Before we go any further, please let me know the following information
so
| > that we can understand your situation more clearly.
| >
| > 1. Can you access the Internet from client computers?
| >
| > 2. Can you access the Internet from SBS?
| >
| > 3. Try to access SSL POP3 from SBS, does the issue happen again?
| >
| > 4. Please reproduce the issue and gather the
ISALOG_20070523_FWS_000.w3c
| > and send to me again.
| [snip]
| > --------------------
| >| From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
| [snip]
| >| I've replied to you in line with your numbered list, Terence. Finally,
| >| you ask for an ipconfig for the server, the output of isainfo, and 2
| >| .w3c log files from ISA Server. I've created and zipped them and
| >| e-mailed them to you.
| >|
| >| Thanks, Terence.
| >|
| >| Regards,
| >| Mike
| >|
| >| On Wed, 23 May 2007 08:28:01 GMT, Terence Liu [MSFT] wrote:
| >|
| >| [snip]
| >|> According to your description, I understand that you can not receive
| >|> mail via SSL POP3 after you install ISA 2004 sp3 on your SBS. If I
| >|> have misunderstood the problem, please don't hesitate to let me
| >|> know.
| >|>
| >|> Based on my research, the rules that you created look correct. I
| >|> suggest we try the following steps to see if we can resolve this
| >|> issue:
| >|>
| >|> 1. You have to rerun the CEICW to make sure your SBS 2003 server
| >|> have right network configuration. Go through the follow KB and
| >|> Rerun CEICW again carefully.
| >|
| >| Done, including a reboot
| >|
| >| [snip]
| >|> 2. Increase the value of Connection limit
| >| [snip]
| >|
| >| Increased yesterday from 160 to 1000.
| >| Also removed connection limits entirely and retried. No change. Set
| >| connection limits back to 1000.
| >|
| >|> 3. If the problem persists, please try to disable the POP Intrusion
| >|> Detection Filter
| >| [snip]
| >|
| >| Done, and restarted ISA Server. No change. Reset POP Intrusion Filter
to
| >| Enabled.
| >|
| >|> 4. Please try to disable the ISA firewall client on the problematic
| >|> client computer, and then test this issue.
| >|
| >| Disabled firewall client. No effect. Enabled firewall client.
| >|
| >|> If we can not resolve the issue after we perform the above steps,
| >|> please kindly help me collect some information for further
| >|> investigation:
| >|>
| >|> 1. Run command "ipconfig /all > c:\ipconfig_sbs.txt" on SBS, send
| >|> the files c:\ipconfig_sbs.txt to me at v-terliu@xxxxxxxxxxxxx
| >|>
| >|> 1. Please help to gather the ISA Info:
| >|>
| >|> 1) Download the file from the following URL:
| >|>
| >|> http://www.isatools.org/tools/isainfo.zip
| >|>
| >|> 2) Extract all files to a folder on ISA server.
| >|>
| >|> 3) Double click Isainfo.js. This will generate 2 files
| >|> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml
| >|> in the current folder.
| >|>
| >|> 4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
| >|>
| >|> 2. Please also help to gather the ISA logs:
| >|>
| >|> 1) Schedule a down time.
| >|>
| >|> 2) Open ISA 2004 management console.
| >|>
| >|> 3) Expand the server node and highlight 'Monitoring'.
| >|>
| >|> 4) In the right pane, switch to the 'Logging' tab, make sure the
'Task
| >|> Pane' is showed there.
| >|>
| >|> 5) In the 'Task Pane', click 'Configure Firewall Logging' under
| >|> 'Logging Tasks', and then switch the 'log storage format' from
| >|> 'MSDE database' (default) to 'File'.
| >|>
| >|> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >|>
| >|> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
| >|> 'Logging Tasks', and then switch the 'log storage format' from
| >|> 'MSDE database' (default) to 'File'.
| >|>
| >|> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >|>
| >|> 9) Click 'Apply' to save changes and update the configuration.
| >|>
| >|> 10) Temporarily disable the Firewall service. To do that, please
click
| >|> Monitoring | Services tab, and then right click 'Microsoft Firewall'
to
| >|> choose 'Stop'.
| >|>
| >|> 11) Clear the current existing W3C logs. To do that, go to the log
| >|> saving directory and clean any existing .W3C logs. By default, the
| >|> logs will be saved to 'C:\Program Files\Microsoft ISA
| >|> Server\ISALogs'. (Some MDF may not be able to deleted, that's
| >|> normal.) You may backup them first and then delete them.
| >|>
| >|> 12) Go back to the ISA 2004 management console, and then Start the
| >|> stopped 'Microsoft Firewall' service.
| >|>
| >|> 13) Reproduce the problem, stop the service, and then gather the
| >|> resulting W3C files to me for analysis.
| >|>
| >|> 14) Please also let me know the IP address of the testing clients so
| >|> that I can filter the data.
| >|>
| >|> Hope these steps will give you some help.
| >| [snip]
|

.

Relevant Pages

  • Re: How to allow POP3 SSL connections w ISA 2004
    ... Can not receive mail via SSL POP3 through ISA server 2004 by use Microsoft ... Outlook 2003, the Outlook Express can work fine. ... In ISA Server 2004, Configuration/General/Define Firewall Client ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: How to allow POP3 SSL connections w ISA 2004
    ... the Outlook group as well. ... Firewall Client configuration for ISA Server 2004. ...
    (microsoft.public.windows.server.sbs)
  • RE: Outlook accessing external POP3 Servers
    ... external mail servers through an ISA Server computer using RPC over HTTP. ... The default Firewall Client settings that are created during the ... Outlook by Firewall Client in both ... and then create new settings for Outlook that prevent ...
    (microsoft.public.isa)
  • Re: Window could not search for new updates.
    ... and " Obtain DNS server address automatically " are marked. ... Windows Update error 8024402C ... Turn on the "Automatically detect ISA server" feature in ISA ... | If you are using Microsoft ISA Firewall Client, ...
    (microsoft.public.windowsupdate)
  • Re: How to allow POP3 SSL connections w ISA 2004
    ... I am at SP3 for ISA Server 2004. ... Yes, you are correct, this is mostly an Outlook settings issue, you can try ... Please also help to gather the ISA logs: ...
    (microsoft.public.windows.server.sbs)