Re: How to allow POP3 SSL connections w' ISA 2004



Terence, I just found the solution to this problem. I also posted it to
the Outlook group as well. As you read it, note that I already had the
POP3S and SMTPS policies in place. The problem was one little tweak for
the firewall client. Here is the text of that post:

"On this date I finally discovered the problem. It turns out to be
Firewall Client configuration for ISA Server 2004.

While inspecting the firewall I browsed some more areas of it that I
hadn't used yet. In ISA Server 2004, under "Configuration/General/Define
Firewall Client Settings", "Application Settings", I discovered the
following entry for Outlook.exe:

Application: outlook
Key: Disable
Value: 1

That tweaked me to use the following search string in Google:

"firewall client" settings for Outlook

which led me to http://www.isaserver.org/articles/2004olpop3smtp.html

The article explains almost exactly what the problem was. I modified his
instructions slightly to apply to my situation, being sure the POP3S and
SMTPS policies were in place in the firewall, and then changing the
firewall client key from Value=1 to Value=0. I then refreshed the
firewall client.

This works perfectly. You sure learn to appreciate something when you
spend 13 days working at it!"



On Tue, 29 May 2007 10:26:48 GMT, Terence Liu [MSFT] wrote:

Hello Mike,

Thank you for your email.

I'm sorry I did not find the root cause of this issue for you. If you get
the resolution of this issue, please kindly update me.

I hope everything is going well.

Please do not hesitate to let me know if there's anything else I can do for
you.

Thank you and have a nice day,

Best regards,

Terence Liu(MSFT)


--------------------
| From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
| Subject: Re: How to allow POP3 SSL connections w' ISA 2004
| Date: Mon, 28 May 2007 15:43:58 -0700
|
| Welcome back, Terence!
|
| Thank you for the links. I had already followed the GMail instructions.
| Also, I am at SP3 for ISA Server 2004. (In fact, I don't think I had
| this problem at ISA Server 2004 SP2. However, I can't be sure. As you
| know, my first installation of ISA Server was short-lived because of the
| NIC driver update problem.)
|
| The third link you mention has a video produced by Google. As "how to"
| videos go, that is probably one of the best I've encountered; concise,
| to the point, fast-paced, and an interesting way of using the mouse
| pointer as a "flourish" (much like one would use a hand gesture to
| underline a sentence on a blackboard). Sadly, it added nothing new to
| the problem, but I will remember the method used in the presentation.
|
| I think I'll end up paying Microsoft to help me with this problem, but
| first I'll try a couple more posts, perhaps to
| microsoft.public.isa.clients and microsoft.public.isa.configuration.
| Maybe my NOD32 vendor has something to add as well. Even though we
| disabled AV on both the workstation and server (uninstalling it in fact
| on the workstation) perhaps simply disabling it still leaves artifacts
| that interfere with Outlook SSL connections.
|
| WHEN I finally get an answer to this, Terence, I will post back into
| this thread. Meanwhile, thank you for what you have done and the time
| that you've invested.
|
| Regards,
| Mike
|
| On Mon, 28 May 2007 11:03:23 GMT, Terence Liu [MSFT] wrote:
|
|> Hello Mike,
|>
|> Thank you for your kind update. I'm sorry for the delayed response due to the
|> weekend.
|>
|> Yes, you are correct, this is mostly an Outlook settings issue, you can try
|> to repost your question in the Outlook newsgroup.
|>
|> Additionally, I suggest we try to confirm the following settings:
|>
|> 1. Follow Gmail formal article on how to configure outlook to use Gmail
|> Account
|> http://mail.google.com/support/bin/answer.py?answer=13278
|>
|> 2. Install ISA 2004 Service Pack2 on ISA server machine
|>
|> Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard
|> Edition Service Pack 2
|>
|> http://www.microsoft.com/downloads/details.aspx?familyid=88350ABA-D09E-44B5-8002-96590ABFA148&displaylang=en
|>
|> 3. Configure Gmail Account to allow POP service
|> http://mail.google.com/mail/help/demos/Gmail_POP/788_Google_Gmail.html
|>
|> 4. Firewall Client that is installed on Client machines should be ISA 2004
|> version
| [snip]
|> --------------------
|>| From: Mike H
|>|
|>| Good morning, Terence.
|>|
|>| Thank you for inspecting the circumstances of my problem.
|>|
|>| As you have asked, I've done the following:
|>|
|>| (1) Yes, four services are running related to ISA Server. Here's their
|>| status:
|>| * Microsoft Data Engine: Running
|>| * Microsoft Firewall: Running (Uptime 18:30:50)
|>| * Microsoft ISA Server Job Scheduler: Running (Uptime 3 days,
|>| 12:41:12)
|>| * Remote Access Service: Running
|>|
|>| (2) I am running antivirus software on the server, NOD32 Enterprise
|>| Edition. As you have asked, I've disabled protection.
|>|
|>| (3) Yes, I can access the internet using Internet Explorer from the
|>| problem workstation as well as all others.
|>|
|>| (4) Yes, I can access the internet from the SBS server.
|>|
|>| (5) I have not installed Outlook on the server. However, it does have
|>| Outlook Express, which has been unused to this point.
|>| * I started Outlook Express and set up an account for my SSL e-mail
|>| account, using these custom settings:
|>| * Incoming mail server: POP3
|>| * Incoming mail: pop.SSLserver.mil
|>| * Outgoing: mailrouter.SSLserver.mil
|>| * "My server requires authentication": Ticked
|>| * Logon Information: "use same settings as my incoming mail
|>| server"
|>| * Outgoing mail: Port 465, SSL
|>| * Incoming mail: Port 995, SSL
|>|
|>| Here is the result of the first send/receive:
|>| (1) I received the following warning: "The server you are connected
|>| to is using a security certificate that could not be verified. A
|>| certificate chain processed, but terminated in a root certificate which
|>| is not trusted by the trust provider. Do you want to continue using this
|>| server?" I ticked "YES". (I have not installed the appropriate
|>| certificates on the server. I HAVE installed them on my workstation.)
|>| (2) I had entered a p/w when I set up the account but I was prompted
|>| again. I entered the p/w and the send/receive continued.
|>| (3) I received a test message that I had sent using HTTP e-mail from
|>| a browser.
|>| (4) I replied to the test message using the us.SSLserver.mil SSL
|>| account. The reply sent normally.
|>|
|>| (6) I stopped ISA Server, enabled logging to file for firewall logging
|>| and web proxy logging, and restarted the server.
|>|
|>| (7) I started Outlook Express and performed a send/receive. The
|>| send/receive proceeded normally.
|>|
|>| (8) I created a test message and sent to us.SSLserver.mil. The message
|>| was sent normally.
|>|
|>| (9) I performed another send/receive. The message was received
|>| normally.
|>|
|>| (10) I stopped ISA Server, changed logging back to the MSDE, and saved
|>| the .w3c logs, which are attached to this message. For some reason,
|>| there was only one .w3c file, not two.
|>|
|>| (11) I decided to try the army account with OE on my workstation. I
|>| created it in OE, created a message, and sent it. It sent normally. I
|>| was also able to receive with OE.
|>|
|>| Terence, it begins to look like the problem is the integration of
|>| Outlook with the firewall client or proxy server. Strangely, I can use
|>| the MAIL control panel item, profile properties, to successfully test
|>| the account properties. If I use Account Properties in Outlook the test
|>| fails.
| [snip]
|>| On Thu, 24 May 2007 11:21:52 GMT, Terence Liu [MSFT] wrote:
| [snip]
|>|>
|>|> From the log I can see the POP3 connection is success at beginning
|>|> (2007-5-23 18:13:50). But fail soon (2007-5-23 18:14:37). And allow the
|>|> access are fail, the reason is 0xc0040001, means the object is shutting
|>|> down.
|>|>
|>|> Therefore, please ensure that your ISA services are running
|>|> correctly. Open ISA 2004 console, extend Monitoring, click Services
|>|> tab. Ensure the 4 services are running.
|>|>
|>|> If you install any antivirus software on ISA server, please try to
|>|> disable it or uninstall.
|>|>
|>|> Before we go any further, please let me know the following
|>|> information so that we can understand your situation more clearly.
|>|>
|>|> 1. Can you access the Internet from client computers?
|>|>
|>|> 2. Can you access the Internet from SBS?
|>|>
|>|> 3. Try to access SSL POP3 from SBS, does the issue happen again?
|>|>
|>|> 4. Please reproduce the issue and gather the
|>|> ISALOG_20070523_FWS_000.w3c and send to me again.
|>| [snip]
|>|> --------------------
|>|>| From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
|>| [snip]
|>|>| I've replied to you in line with your numbered list, Terence. Finally,
|>|>| you ask for an ipconfig for the server, the output of isainfo, and 2
|>|>| .w3c log files from ISA Server. I've created and zipped them and
|>|>| e-mailed them to you.
| [snip]
|>|>|
|>|>| On Wed, 23 May 2007 08:28:01 GMT, Terence Liu [MSFT] wrote:
|>|>|
|>|>| [snip]
|>|>|> According to your description, I understand that you can not receive
|>|>|> mail via SSL POP3 after you install ISA 2004 sp3 on your SBS. If I
|>|>|> have misunderstood the problem, please don't hesitate to let me
|>|>|> know.
|>|>|>
|>|>|> Based on my research, the rules that you created look correct. I
|>|>|> suggest we try the following steps to see if we can resolve this
|>|>|> issue:
|>|>|>
|>|>|> 1. You have to rerun the CEICW to make sure your SBS 2003 server
|>|>|> has the right network configuration. Go through the following KB and
|>|>|> rerun CEICW again carefully.
|>|>|
|>|>| Done, including a reboot
|>|>|
|>|>| [snip]
|>|>|> 2. Increase the value of Connection limit
|>|>| [snip]
|>|>|
|>|>| Increased yesterday from 160 to 1000.
|>|>| Also removed connection limits entirely and retried. No change. Set
|>|>| connection limits back to 1000.
|>|>|
|>|>|> 3. If the problem persists, please try to disable the POP Intrusion
|>|>|> Detection Filter
|>|>| [snip]
|>|>|
|>|>| Done, and restarted ISA Server. No change. Reset POP Intrusion
|>|>| Filter to Enabled.
|>|>|
|>|>|> 4. Please try to disable the ISA firewall client on the problematic
|>|>|> client computer, and then test this issue.
|>|>|
|>|>| Disabled firewall client. No effect. Enabled firewall client.
|>|>|
|>|>|> If we can not resolve the issue after we perform the above steps,
|>|>|> please kindly help me collect some information for further
|>|>|> investigation:
|>|>|>
|>|>|> 1. Run command "ipconfig /all > c:\ipconfig_sbs.txt" on SBS, send
|>|>|> the files c:\ipconfig_sbs.txt to me at v-terliu@xxxxxxxxxxxxx
|>|>|>
|>|>|> 1. Please help to gather the ISA Info:
|>|>|>
|>|>|> 1) Download the file from the following URL:
|>|>|>
|>|>|> http://www.isatools.org/tools/isainfo.zip
|>|>|>
|>|>|> 2) Extract all files to a folder on ISA server.
|>|>|>
|>|>|> 3) Double click Isainfo.js. This will generate 2 files
|>|>|> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml
|>|>|> in the current folder.
|>|>|>
|>|>|> 4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
|>|>|>
|>|>|> 2. Please also help to gather the ISA logs:
|>|>|>
|>|>|> 1) Schedule a down time.
|>|>|>
|>|>|> 2) Open ISA 2004 management console.
|>|>|>
|>|>|> 3) Expand the server node and highlight 'Monitoring'.
|>|>|>
|>|>|> 4) In the right pane, switch to the 'Logging' tab, make sure the
|>|>|> 'Task Pane' is shown there.
|>|>|>
|>|>|> 5) In the 'Task Pane', click 'Configure Firewall Logging' under
|>|>|> 'Logging Tasks', and then switch the 'log storage format' from
|>|>|> 'MSDE database' (default) to 'File'.
|>|>|>
|>|>|> 6) Switch to the 'Fields' tab, click 'Select All', and then click
|>|>|> OK.
|>|>|>
|>|>|> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
|>|>|> 'Logging Tasks', and then switch the 'log storage format' from
|>|>|> 'MSDE database' (default) to 'File'.
|>|>|>
|>|>|> 8) Switch to the 'Fields' tab, click 'Select All', and then click
|>|>|> OK.
|>|>|>
|>|>|> 9) Click 'Apply' to save changes and update the configuration.
|>|>|>
|>|>|> 10) Temporarily disable the Firewall service. To do that, please
|>|>|> click Monitoring | Services tab, and then right click 'Microsoft
|>|>|> Firewall' to choose 'Stop'.
|>|>|>
|>|>|> 11) Clear the current existing W3C logs. To do that, go to the
|>|>|> log saving directory and clean any existing .W3C logs. By
|>|>|> default, the logs will be saved to 'C:\Program Files\Microsoft
|>|>|> ISA Server\ISALogs'. (Some MDF may not be able to be deleted, that's
|>|>|> normal.) You may backup them first and then delete them.
|>|>|>
|>|>|> 12) Go back to the ISA 2004 management console, and then Start the
|>|>|> stopped 'Microsoft Firewall' service.
|>|>|>
|>|>|> 13) Reproduce the problem, stop the service, and then gather the
|>|>|> resulting W3C files to me for analysis.
|>|>|>
|>|>|> 14) Please also let me know the IP address of the testing clients
|>|>|> so that I can filter the data.
|>|>|>
|>|>|> Hope these steps will give you some help.
|>|>| [snip]
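
The log-gathering steps in this thread end with filtering the W3C file by the test client's IP and reading the result code on the POP3S/SMTPS records. The following is an added example, not part of the thread or of any Microsoft tool, that does that filtering. It reads column names from the file's own `#Fields:` directive; the column names `source`, `destination`, `action` and `status`, the `host:port` layout and the sample records are assumptions, so map them to the names your log actually carries.

```python
import io
from collections import Counter

MAIL_TLS_PORTS = {995: "POP3S", 465: "SMTPS"}  # ports named in the thread

# Constructed sample, not a real ISA log: the column names, addresses and
# action strings are assumptions; only 0xc0040001 is quoted from the thread.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date\ttime\tsource\tdestination\taction\tstatus\n"
    "2007-05-23\t18:13:50\t192.168.16.20:1123\t203.0.113.10:995\tInitiated Connection\t0x0\n"
    "2007-05-23\t18:14:37\t192.168.16.20:1123\t203.0.113.10:995\tClosed Connection\t0xc0040001\n"
    "2007-05-23\t18:14:40\t192.168.16.20:1130\t203.0.113.11:465\tDenied Connection\t0xc0040001\n"
    "2007-05-23\t18:14:41\t192.168.16.31:2200\t203.0.113.10:995\tInitiated Connection\t0x0\n"
    "2007-05-23\t18:14:42\t192.168.16.20:1140\t203.0.113.50:80\tInitiated Connection\t0x0\n"
    "2007-05-23\t18:14:43\t192.168.16.20:1141\n"  # truncated record
)

def parse_w3c(stream):
    """Yield one dict per record, keyed by the log's own #Fields directive."""
    fields = None
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop truncated records
                yield dict(zip(fields, values))

def split_endpoint(value):
    """Split 'host:port' into (host, port); port is None when absent."""
    host, sep, port = value.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (value, None)

def mail_tls_summary(stream, client_ip):
    """Count POP3S/SMTPS records from one client by (service, action, status)."""
    summary = Counter()
    for rec in parse_w3c(stream):
        src_host, _ = split_endpoint(rec.get("source", ""))
        _, dst_port = split_endpoint(rec.get("destination", ""))
        if src_host == client_ip and dst_port in MAIL_TLS_PORTS:
            key = (MAIL_TLS_PORTS[dst_port], rec.get("action", ""), rec.get("status", ""))
            summary[key] += 1
    return summary

if __name__ == "__main__":
    for key, count in mail_tls_summary(io.StringIO(SAMPLE_LOG), "192.168.16.20").items():
        print(count, *key)
```

To run it on a real file, pass `open(path, encoding="utf-8", errors="replace")` in place of the `StringIO` object.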