There are many reasons why an SMTP server published through ISA Server can fail to receive or send email. When troubleshooting this type of issue, it is important to review the basic configuration before moving on to deeper troubleshooting; many times the root cause of the problem is much simpler than you might think. This post covers a common scenario in which it was not possible to receive or send email through ISA Server.
The topology of this scenario is based on an SMTP publishing rule on ISA Server in a first deployment; in other words, this setup never worked. Internal users were unable to receive email from the Internet, although they were able to send email to external users.
One of the first steps when troubleshooting an SMTP publishing rule is to telnet to the published address on port 25 to see whether the packet even hits the external interface of ISA Server. In this particular case it did reach ISA Server, but the connection was denied with the following error.
Denied Connection ISA 4/19/2010 11:10:02 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (10.10.2.45:42848)
Destination: Local Host (X.X.X.X:25)
This means that when ISA Server received the request, it evaluated all the rules in top-down order, and since the traffic didn’t match any rule it was processed by the default rule. A review of the network configuration identified one configuration error that was indeed causing this behavior: the IP address of the internal SMTP server was missing from the IP range defined in the ‘Internal Network’ of the ISA Server, as shown in the figure below:
The IP address in this case is 192.168.1.201. As you can see, that is the IP address missing from the Internal Network defined here. After we added the IP address of the Exchange server to the Internal Network of the ISA Server (as shown in the figure below), we could send and receive email.
For server publishing to work properly on ISA Server, the IP addresses of the published servers must be included in the ‘Internal Network’ of ISA Server. Ideally, the whole internal network should be added to the ‘Internal Network’ of the ISA Server. The other point worth remembering is: always start your troubleshooting in a simple manner by reviewing the basics; this can save you a lot of time.
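The check described above can be scripted. The following is an added example, not code from the original post or from ISA Server: it confirms that a log entry shows a denial by the Default rule on port 25, then reports published servers whose address falls outside the Internal Network ranges. The range boundaries and the names `INTERNAL_RANGES`, `PUBLISHED_SERVERS`, `uncovered` and `hit_default_rule` are assumptions; only 192.168.1.201 and the log fields come from the post.

```python
import ipaddress
import re

# Constructed sample: Internal Network address ranges as start-end pairs.
# The boundaries are assumptions; the post only says 192.168.1.201 was missing.
INTERNAL_RANGES = """
192.168.1.1-192.168.1.200
192.168.1.202-192.168.1.254
"""

# Published server address taken from the post; the label is hypothetical.
PUBLISHED_SERVERS = {"SMTP (Exchange)": "192.168.1.201"}

# Log fields as shown in the post (the destination address is redacted there).
LOG_ENTRY = """\
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: External (10.10.2.45:42848)
Destination: Local Host (X.X.X.X:25)
"""

def parse_ranges(text):
    """Return a list of (first, last) IPv4Address tuples, one per range."""
    ranges = []
    for item in text.split():
        first, last = (ipaddress.IPv4Address(p) for p in item.split("-"))
        if first > last:
            raise ValueError(f"range start after end: {item}")
        ranges.append((first, last))
    return ranges

def uncovered(servers, ranges):
    """Names of published servers whose address is in no Internal Network range."""
    return sorted(name for name, ip in servers.items()
                  if not any(lo <= ipaddress.IPv4Address(ip) <= hi for lo, hi in ranges))

def hit_default_rule(entry, port=25):
    """True if the entry was handled by the Default rule on the given destination port."""
    fields = dict(re.findall(r"^(\w[\w ]*): (.*)$", entry, re.M))
    dest = re.search(r":(\d+)\)\s*$", fields.get("Destination", ""))
    return (fields.get("Rule") == "Default rule"
            and dest is not None and int(dest.group(1)) == port)

if __name__ == "__main__":
    if hit_default_rule(LOG_ENTRY):
        for name in uncovered(PUBLISHED_SERVERS, parse_ranges(INTERNAL_RANGES)):
            print(f"{name} is outside the Internal Network ranges")
```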
Microsoft CSS Forefront (ISA/TMG) Team
Sr Support Escalation Engineer
Microsoft Forefront (ISA/TMG) Team