Re: How to allow POP3 SSL connections w' ISA 2004
- From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 May 2007 15:43:58 -0700
Welcome back, Terence!
Thank you for the links. I had already followed the GMail instructions.
Also, I am at SP3 for ISA Server 2004. (In fact, I don't think I had
this problem at ISA Server 2004 SP2. However, I can't be sure. As you
know, my first installation of ISA Server was short-lived because of the
NIC driver update problem.)
The third link you mention has a video produced by Google. As "how to"
videos go, that is probably one of the best I've encountered; concise,
to the point, fast-paced, and an interesting way of using the mouse
pointer as a "flourish" (much like one would use a hand gesture to
underline a sentence on a blackboard). Sadly, it added nothing new to
the problem, but I will remember the method used in the presentation.
I think I'll end up paying Microsoft to help me with this problem, but
first I'll try a couple more posts, perhaps to
microsoft.public.isa.clients and microsoft.public.isa.configuration.
Maybe my NOD32 vendor has something to add as well. Even though we
disabled AV on both the workstation and server (uninstalling it in fact
on the workstation) perhaps simply disabling it still leaves artifacts
that interfere with Outlook SSL connections.
WHEN I finally get an answer to this, Terence, I will post back into
this thread. Meanwhile, thank you for what you have done and the time
that you've invested.
Regards,
Mike
On Mon, 28 May 2007 11:03:23 GMT, Terence Liu [MSFT] wrote:
Hello Mike,
[snip]
Thank you for your kind update. I'm sorry for the delayed response due to the
weekend.
Yes, you are correct, this is mostly an Outlook settings issue; you can try
to repost your question in the Outlook newsgroup.
Additionally, I suggest we try to confirm the following settings:
1. Follow the formal Gmail article on how to configure Outlook to use a Gmail
account
http://mail.google.com/support/bin/answer.py?answer=13278
2. Install ISA 2004 Service Pack 2 on the ISA server machine
Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard
Edition Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=88350ABA-D09E-44B5-8002-96590ABFA148&displaylang=en
3. Configure Gmail Account to allow POP service
http://mail.google.com/mail/help/demos/Gmail_POP/788_Google_Gmail.html
4. The Firewall Client that is installed on client machines should be the ISA 2004
version
--------------------[snip]
| From: Mike H
|
| Good morning, Terence.
|
| Thank you for inspecting the circumstances of my problem.
|
| As you have asked, I've done the following:
|
| (1) Yes, four services are running related to ISA Server. Here's their
| status:
| * Microsoft Data Engine: Running
| * Microsoft Firewall: Running (Uptime 18:30:50)
| * Microsoft ISA Server Job Scheduler: Running (Uptime 3 days,
| 12:41:12)
| * Remote Access Service: Running
|
| (2) I am running antivirus software on the server, NOD32 Enterprise
| Edition. As you have asked, I've disabled protection.
|
| (3) Yes, I can access the internet using Internet Explorer from the
| problem workstation as well as all others.
|
| (4) Yes, I can access the internet from the SBS server.
|
| (5) I have not installed Outlook on the server. However, it does have
| Outlook Express, which has been unused to this point.
| * I started Outlook Express and set up an account for my SSL e-mail
| account, using these custom settings:
| * Incoming mail server: POP3
| * Incoming mail: pop.SSLserver.mil
| * Outgoing: mailrouter.SSLserver.mil
| * "My server requires authentication": Ticked
| * Logon Information: "use same settings as my incoming mail
| server"
| * Outgoing mail: Port 465, SSL
| * Incoming mail: Port 995, SSL
|
| Here is the result of the first send/receive:
| (1) I received the following warning: "The server you are connected
| to is using a security certificate that could not be verified. A
| certificate chain processed, but terminated in a root certificate which
| is not trusted by the trust provider. Do you want to continue using this
| server?" I ticked "YES". (I have not installed the appropriate
| certificates on the server. I HAVE installed them on my workstation.)
| (2) I had entered a p/w when I set up the account but I was prompted
| again. I entered the p/w and the send/receive continued.
| (3) I received a test message that I had sent using HTTP e-mail from
| a browser.
| (4) I replied to the test message using the us.SSLserver.mil SSL
| account. The reply sent normally.
|
| (6) I stopped ISA Server, enabled logging to file for firewall logging
| and web proxy logging, and restarted the server.
|
| (7) I started Outlook Express and performed a send/receive. The
| send/receive proceeded normally.
|
| (8) I created a test message and sent to us.SSLserver.mil. The message
| was sent normally.
|
| (9) I performed another send/receive. The message was received normally.
|
| (10) I stopped ISA Server, changed logging back to the MSDE, and saved
| the .w3c logs, which are attached to this message. For some reason,
| there was only one .w3c file, not two.
|
| (11) I decided to try the army account with OE on my workstation. I
| created it in OE, created a message, and sent it. It sent normally. I
| was also able to receive with OE.
|
| Terence, it begins to look like the problem is the integration of
| Outlook with the firewall client or proxy server. Strangely, I can use
| the MAIL control panel item, profile properties, to successfully test
| the account properties. If I use Account Properties in Outlook the test
| fails.
| On Thu, 24 May 2007 11:21:52 GMT, Terence Liu [MSFT] wrote:[snip]
|>[snip]
|> From the log I can see the POP3 connection succeeds at the beginning
|> (2007-5-23 18:13:50) but fails soon after (2007-5-23 18:14:37). The
|> allowed accesses are failing; the reason is 0xc0040001, which means the
|> object is shutting down.
|>
|> Therefore, please ensure that your ISA services are running
|> correctly. Open the ISA 2004 console, expand Monitoring, click the Services
|> tab. Ensure the 4 services are running.
|>
|> If you have installed any antivirus software on the ISA server, please try to
|> disable or uninstall it.
|>
|> Before we go any further, please let me know the following
|> information so that we can understand your situation more clearly.
|>
|> 1. Can you access the Internet from client computers?
|>
|> 2. Can you access the Internet from SBS?
|>
|> 3. Try to access SSL POP3 from SBS, does the issue happen again?
|>
|> 4. Please reproduce the issue and gather the
|> ISALOG_20070523_FWS_000.w3c and send to me again.
| [snip]
|> --------------------
|>| From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
| [snip]
|>| I've replied to you in line with your numbered list, Terence. Finally,
|>| you ask for an ipconfig for the server, the output of isainfo, and 2
|>| .w3c log files from ISA Server. I've created and zipped them and
|>| e-mailed them to you.
|>|
|>| On Wed, 23 May 2007 08:28:01 GMT, Terence Liu [MSFT] wrote:
|>|
|>| [snip]
|>|> According to your description, I understand that you cannot receive
|>|> mail via SSL POP3 after you install ISA 2004 SP3 on your SBS. If I
|>|> have misunderstood the problem, please don't hesitate to let me
|>|> know.
|>|>
|>|> Based on my research, the rules that you created look correct. I
|>|> suggest we try the following steps to see if we can resolve this
|>|> issue:
|>|>
|>|> 1. You have to rerun the CEICW to make sure your SBS 2003 server
|>|> has the right network configuration. Go through the following KB and
|>|> rerun CEICW again carefully.
|>|
|>| Done, including a reboot
|>|
|>| [snip]
|>|> 2. Increase the value of Connection limit
|>| [snip]
|>|
|>| Increased yesterday from 160 to 1000.
|>| Also removed connection limits entirely and retried. No change. Set
|>| connection limits back to 1000.
|>|
|>|> 3. If the problem persists, please try to disable the POP Intrusion
|>|> Detection Filter
|>| [snip]
|>|
|>| Done, and restarted ISA Server. No change. Reset POP Intrusion
|>| Filter to Enabled.
|>|
|>|> 4. Please try to disable the ISA firewall client on the problematic
|>|> client computer, and then test this issue.
|>|
|>| Disabled firewall client. No effect. Enabled firewall client.
|>|
|>|> If we cannot resolve the issue after we perform the above steps,
|>|> please kindly help me collect some information for further
|>|> investigation:
|>|>
|>|> 1. Run command "ipconfig /all > c:\ipconfig_sbs.txt" on SBS, send
|>|> the files c:\ipconfig_sbs.txt to me at v-terliu@xxxxxxxxxxxxx
|>|>
|>|> 1. Please help to gather the ISA Info:
|>|>
|>|> 1) Download the file from the following URL:
|>|>
|>|> http://www.isatools.org/tools/isainfo.zip
|>|>
|>|> 2) Extract all files to a folder on ISA server.
|>|>
|>|> 3) Double click Isainfo.js. This will generate 2 files
|>|> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml
|>|> in the current folder.
|>|>
|>|> 4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
|>|>
|>|> 2. Please also help to gather the ISA logs:
|>|>
|>|> 1) Schedule a down time.
|>|>
|>|> 2) Open ISA 2004 management console.
|>|>
|>|> 3) Expand the server node and highlight 'Monitoring'.
|>|>
|>|> 4) In the right pane, switch to the 'Logging' tab, make sure the
|>|> 'Task Pane' is shown there.
|>|>
|>|> 5) In the 'Task Pane', click 'Configure Firewall Logging' under
|>|> 'Logging Tasks', and then switch the 'log storage format' from
|>|> 'MSDE database' (default) to 'File'.
|>|>
|>|> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
|>|>
|>|> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
|>|> 'Logging Tasks', and then switch the 'log storage format' from
|>|> 'MSDE database' (default) to 'File'.
|>|>
|>|> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
|>|>
|>|> 9) Click 'Apply' to save changes and update the configuration.
|>|>
|>|> 10) Temporarily disable the Firewall service. To do that, please
|>|> click Monitoring | Services tab, and then right click 'Microsoft
|>|> Firewall' to choose 'Stop'.
|>|>
|>|> 11) Clear the currently existing W3C logs. To do that, go to the
|>|> log saving directory and clean any existing .W3C logs. By
|>|> default, the logs will be saved to 'C:\Program Files\Microsoft
|>|> ISA Server\ISALogs'. (Some MDF files may not be able to be deleted; that's
|>|> normal.) You may back them up first and then delete them.
|>|>
|>|> 12) Go back to the ISA 2004 management console, and then Start the
|>|> stopped 'Microsoft Firewall' service.
|>|>
|>|> 13) Reproduce the problem, stop the service, and then gather the
|>|> resulting W3C files and send them to me for analysis.
|>|>
|>|> 14) Please also let me know the IP address of the testing clients
|>|> so that I can filter the data.
|>|>
|>|> Hope these steps will give you some help.
|>| [snip]
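
Added example, not part of the thread: one way to do the filtering asked for in step 14 of the log-gathering procedure, pulling one test client's port 995 connections and their result codes out of a W3C-format log. The log text is a constructed sample; the column names (`date`, `time`, `source`, `destination`, `action`, `status`), the `ip:port` endpoint form and the action values are assumptions, not the actual ISA 2004 field list.

```python
from collections import Counter

# Constructed sample log (tab-separated). Addresses, actions and the column
# layout are illustrative assumptions; only the times and the 0xc0040001
# result code are the ones quoted in the thread.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date\ttime\tsource\tdestination\taction\tstatus\n"
    "2007-05-23\t18:13:50\t192.168.16.10:1187\t203.0.113.25:995\tEstablish\t0x0\n"
    "2007-05-23\t18:13:52\t192.168.16.11:1201\t203.0.113.80:443\tEstablish\t0x0\n"
    "2007-05-23\t18:14:37\t192.168.16.10:1187\t203.0.113.25:995\tTerminate\t0xc0040001\n"
    "2007-05-23\t18:14:40\t192.168.16.10:1190\t203.0.113.25:465\tEstablish\t0x0\n"
)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or damaged rows
                yield dict(zip(fields, values))

def split_endpoint(value):
    """Split 'ip:port' into (ip, port); port is None when it is absent."""
    host, _, port = value.rpartition(":")
    if not port.isdigit():
        return value, None
    return host, int(port)

def pop3s_events(text, client_ip, port=995):
    """Return (timestamp, action, status) for one client's traffic to `port`."""
    events = []
    for rec in parse_w3c(text):
        src_ip, _ = split_endpoint(rec["source"])
        _, dst_port = split_endpoint(rec["destination"])
        if src_ip == client_ip and dst_port == port:
            events.append((rec["date"] + " " + rec["time"], rec["action"], rec["status"]))
    return events

def status_summary(events):
    """Count how often each result code appears in the filtered events."""
    return Counter(status for _, _, status in events)

if __name__ == "__main__":
    for event in pop3s_events(SAMPLE_LOG, "192.168.16.10"):
        print(*event)
```
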