Firewall

Thread: Firewall

  1. #1
    Registered User cmg214's Avatar
    Join Date
    Apr 2004
    Posts
    81

    Firewall

    Hi,
    How can I find out where my firewall is?
    I need to know if it is between OWA and Exchange server...........

  2. #2
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Perhaps you can start here, although I am none too sure what your problem is.
    http://www.microsoft.com/exchange/owa/

  3. #3
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    Quote Originally Posted by cmg214
    Hi,
    How can I find out where my firewall is?
    I need to know if it is between OWA and Exchange server...........
    Well OWA is on the Exchange server so I doubt your firewall is between them.... what is your exact issue?

    Usually the firewall will be a piece of hardware like a router, made by Cisco, Vigor, LinkSys, D-Link, etc. One port will be plugged in via a cable into a phone/wall socket and another port into your LAN or directly into a second NIC on your server.

    Your server's gateway (depending on how many servers etc you have and how they are configured) will usually be the LAN IP address of the router. Most routers you can log onto using a web browser.
    "Today is a Gift, thats why they call it the present"

  4. #4
    Registered User cmg214's Avatar
    Join Date
    Apr 2004
    Posts
    81
    Quote Originally Posted by corturbra
    Well OWA is on the Exchange server so I doubt your firewall is between them.... what is your exact issue?

    Usually the firewall will be a piece of hardware like a router, made by Cisco, Vigor, LinkSys, D-Link, etc. One port will be plugged in via a cable into a phone/wall socket and another port into your LAN or directly into a second NIC on your server.

    Your server's gateway (depending on how many servers etc you have and how they are configured) will usually be the LAN IP address of the router. Most routers you can log onto using a web browser.
    The issue is that since converting over to T1, exchange has many symptoms that I don't understand.

    1. Users are being told by customers that when they receive an email from us, they cannot "reply" to it.
    2. OWA is inaccessible from the outside. I can connect to it via the server at http://localhost/exchange......
    3. when I went in to user's profile and viewed email addresses, they had been changed from (Example jdoe@.... to john@.....). so I manually changed them back to initial addresses (even though everyone is configured for about 4 alias, including the [email protected] jdoe@ is the primary SMTP address), within a minute they were back to john@.....???

    I have never done anything with the firewall. I have no idea how it is configured, or where it resides in the network. It is the "canned" Microsoft firewall, that shipped with the OS. The consulting firm who setup server, had no information about it, nor does my boss.

    The router, went from being a separate "3Com office connect ISDN LAN Modem", to one housed in the Adtran total Access 616, T1 network interface, V.35, 10/100 Base T and IP Router. 16 FXS ports.

    We have only one server, with Small Business Server 2k.

  5. #5
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    I've read both of your posts and I have to ask (forgive me if I am being presumptuous or crass) are you there in the capacity of an IT/IS professional or are you one of the personnel at this site? If the latter I suggest contacting the IS or IT group in your company.

    If not:

    What sort of T1 did you switch to? Are you now on the company's WAN via T1 or did the site get a T1 to the internet?

  6. #6
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    Quote Originally Posted by cmg214
    The issue is that since converting over to T1, exchange has many symptoms that I don't understand.

    1. Users are being told by customers that when they receive an email from us, they cannot "reply" to it.
    2. OWA is inaccessible from the outside. I can connect to it via the server at http://localhost/exchange......
    3. when I went in to user's profile and viewed email addresses, they had been changed from (Example jdoe@.... to john@.....). so I manually changed them back to initial addresses (even though everyone is configured for about 4 alias, including the [email protected] jdoe@ is the primary SMTP address), within a minute they were back to john@.....???

    I have never done anything with the firewall. I have no idea how it is configured, or where it resides in the network. It is the "canned" Microsoft firewall, that shipped with the OS. The consulting firm who setup server, had no information about it, nor does my boss.

    The router, went from being a separate "3Com office connect ISDN LAN Modem", to one housed in the Adtran total Access 616, T1 network interface, V.35, 10/100 Base T and IP Router. 16 FXS ports.

    We have only one server, with Small Business Server 2k.
    Right, while we unravel the rest of the details, the problem with the primary address is simple. You'll have a default policy running on the Exchange server, one of its functions is to apply anything set in this policy. It's responsible for your domain name and how the e-mail addresses are setup, so if you have a user with a login name of john and a domain of @overhere.com, it will automatically assign the primary SMTP address as [email protected], if you change it to [email protected], next time the system updates.... it changes it. On the page where you set the SMTP aliases/primary address etc, take out the tick on the box that says something like "update addresses based on recipients policy".

    That should cure that.

    Now if you've changed from ISDN to ADSL I'm guessing your external IP address has changed, so your DNS/MX Record previously for mail.overhere.com (or whatever address you were using for OWA) would have been for example 1.1.1.1, it's now probably (example) 2.2.2.2, so you'll have to update your MX Records, your ISP should be able to sort this for you. To test if that is an issue, ping the name you're using for OWA and see if it matches the external IP of your router. This might also explain why external companies are unable to reply to your e-mails.

    And on the fact that you've changed routers, have you setup port forwarding etc exactly as the previous router was setup? This could also have some bearing on inbound traffic.....

    And some heads up for you, if the consulting firm you have don't know where your firewall is, I'd change consulting firms.... my guess is that unless it was Microsoft who installed your server, no IT professional would rely on MS to protect their server.... your firewall is probably your router. In fact everything I've told you above, your consulting firm should know....
    Last edited by corturbra; October 5th, 2004 at 10:19 AM.
    "Today is a Gift, thats why they call it the present"

  7. #7
    Registered User cmg214's Avatar
    Join Date
    Apr 2004
    Posts
    81
    Quote Originally Posted by corturbra
    Right, while we unravel the rest of the details, the problem with the primary address is simple. You'll have a default policy running on the Exchange server, one of its functions is to apply anything set in this policy. It's responsible for your domain name and how the e-mail addresses are setup, so if you have a user with a login name of john and a domain of @overhere.com, it will automatically assign the primary SMTP address as [email protected], if you change it to [email protected], next time the system updates.... it changes it. On the page where you set the SMTP aliases/primary address etc, take out the tick on the box that says something like "update addresses based on recipients policy".

    That should cure that.

    Now if you've changed from ISDN to ADSL I'm guessing your external IP address has changed, so your DNS/MX Record previously for mail.overhere.com (or whatever address you were using for OWA) would have been for example 1.1.1.1, it's now probably (example) 2.2.2.2, so you'll have to update your MX Records, your ISP should be able to sort this for you. To test if that is an issue, ping the name you're using for OWA and see if it matches the external IP of your router. This might also explain why external companies are unable to reply to your e-mails.

    And on the fact that you've changed routers, have you setup port forwarding etc exactly as the previous router was setup? This could also have some bearing on inbound traffic.....

    And some heads up for you, if the consulting firm you have don't know where your firewall is, I'd change consulting firms.... my guess is that unless it was Microsoft who installed your server, no IT professional would rely on MS to protect their server.... your firewall is probably your router. In fact everything I've told you above, your consulting firm should know....

    Okay, I did uncheck that box. When I was in there yesterday, I noticed that that box was unchecked on my account, and mine was changing-so one down.

    I did ping the server (from the server, cause when I tried to do it from my machine, I got this really weird message, again, that I have never seen before. "C:\windows\system32\command.com
    C:\windows\system32\autoexec.NT. the system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application).

    So, when I ping the server name it comes up with our public 192. . . address.
    When I ping localhost (the way I access OWA from server), it comes up with the 127.0.0.1 for the address.
    Also new (which I forgot about). My machine makes me sign into the proxy every morning now, since T1, when I start it up, I have to type in name and password.
    p.s.-thanks for your help and patience. Can you tell I'm new to the field?

  8. #8
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Quote Originally Posted by cmg214
    Can you tell I'm new to the field?
    Definitely.. otherwise you would have known that on NT-based systems the command prompt is CMD.EXE; command.com is 'out there' for compatibility reasons only.

  9. #9
    Registered User cmg214's Avatar
    Join Date
    Apr 2004
    Posts
    81
    Quote Originally Posted by CeeBee
    Definitely.. otherwise you would have known that on NT-based systems the command prompt is CMD.EXE; command.com is 'out there' for compatibility reasons only.
    Yeah, thanks, but that wasn't for you.......

  10. #10
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    Quote Originally Posted by cmg214
    Okay, I did uncheck that box. When I was in there yesterday, I noticed that that box was unchecked on my account, and mine was changing-so one down.

    I did ping the server (from the server, cause when I tried to do it from my machine, I got this really weird message, again, that I have never seen before. "C:\windows\system32\command.com
    C:\windows\system32\autoexec.NT. the system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to terminate the application).

    So, when I ping the server name it comes up with our public 192. . . address.
    When I ping localhost (the way I access OWA from server), it comes up with the 127.0.0.1 for the address.
    Also new (which I forgot about). My machine makes me sign into the proxy every morning now, since T1, when I start it up, I have to type in name and password.
    p.s.-thanks for your help and patience. Can you tell I'm new to the field?
    Eeek I'm confused.... As CeeBee says you need to use cmd not command under NT/2000/XP/2003.

    So if I understand this correctly.... you ping your server name and you get it resolved to your public IP address? This would indicate your DNS is screwed or your server is plugged directly into the outside world.... how many network cards are in the server?

    localhost address on any machine is 127.0.0.1. On the server click Start, Run, type CMD and press return. Now type ipconfig /all and note down what it's telling you in there, in particular IP address, gateway and DNS server. Let's at least establish that your server is set up correctly. The gateway should be the address of the router.

    The only reason I can think that you'd be getting asked for proxy login is if you're not a member of the Internet Users group or on a different domain to the server and it needs to check your credentials, there may be some other issues here but we'll deal with that one later....

    What we need to establish first of all is whether or not your server is setup correctly, then we need to check out your connection to the outside world. Out of interest, what errors do the users get who cannot reply to your e-mails? To check if you are using the MS firewall on your server, click Start, Run, services.msc, scroll down the list and you should see Microsoft Firewall. Is it started/disabled/stopped?

    When you were changed over to T1 (which I think is American for ADSL?!?!?) did the person changing you over re-run the Internet Connection Wizard on the 2000 SBS to tell it that the Internet connection had changed?

    Has the consulting company got any information about what they did? Have you tried asking them, or did they just move you across and not test that all was ok?
    "Today is a Gift, thats why they call it the present"

  11. #11
    Registered User
    Join Date
    Oct 2004
    Location
    Seattle
    Posts
    1

    Where's My OWA

    If all that was done is an upgrade from ISDN to T1 nothing with the user email address should have changed. And, nothing on your internal network should have changed as a result either.

    When my company changed from a Fractional T1 to a Full T1 we also changed service providers. That meant that all of our external addresses changed, but our internal (192.168.X.X) addresses did not change. We did have to have our external DNS records changed to reflect the external address changes. We had to change the NAT table in our firewall to reflect the new external to old internal address mapping. No other changes were needed.

    From reading this thread I would surmise that:

    1. Your DNS records were not changed to reflect your new external IP Address changes.

    2. Something else was changed that either you are unaware of or you didn't mention.

    I would definitely get the support folks in to look at this and either help you fix it or get it fixed.

  12. #12
    Registered User cmg214's Avatar
    Join Date
    Apr 2004
    Posts
    81
    Quote Originally Posted by corturbra
    Eeek I'm confused.... As CeeBee says you need to use cmd not command under NT/2000/XP/2003.

    So if I understand this correctly.... you ping your server name and you get it resolved to your public IP address? This would indicate your DNS is screwed or your server is plugged directly into the outside world.... how many network cards are in the server?

    localhost address on any machine is 127.0.0.1. On the server click Start, Run, type CMD and press return. Now type ipconfig /all and note down what it's telling you in there, in particular IP address, gateway and DNS server. Let's at least establish that your server is set up correctly. The gateway should be the address of the router.

    The only reason I can think that you'd be getting asked for proxy login is if you're not a member of the Internet Users group or on a different domain to the server and it needs to check your credentials, there may be some other issues here but we'll deal with that one later....


    Obviously CeeBee isn't as bright as he/she is crass. You can use command or cmd in a 2000 environment. I do it all the time.

    Please see private message for IP config.

    We have 2 network cards. During the T1 conversion, we had an issue with our WAN card. I surmised that the card slot on motherboard is bad, because it works fine with USB card, that bypasses the slot. Although we had no problems with this card, prior to switchover. I even tried a brand new card, but still no good.
    -anyhoo-
    I have not been able to get a specific error message from email recipients.
    the firewall is started. I had stopped it, just to see if that was the issue, but no, it was not.
    Our consultant did run the ICW (wizard)
    the consultant has no answers for me. He says everything is configured correctly, and he has no idea why we can't connect.......
    P.S.-your heads up on him is dead on, I am beginning to find out.
    Many thanks....

  13. #13
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    Right picked up your ipconfig and a modded version is here for others to help out..... I'd say CeeBee is on the money, I can't get command to work on my 2000/XP machine, all I get is an error... also not nice to dig at those trying to help

    Here are the results of ipconfig/all:
    Node type: Hybrid
    IP Routing Enabled:yes
    WINS Proxy Enabled: no

    Ethernet adapter LAN-Intel:
    IP: 10.0.0.1
    Subnet Mask: 255.255.255.0
    DNS Servers: 10.0.0.1
    Primary WINS server: 10.0.0.1

    Ethernet WAN-USB
    DHCP enabled: no
    IP Address: 1.1.1.1
    Subnet Mask: 255.255.255.248
    Default Gateway: 1.1.1.2
    DNS servers: 10.0.0.1

    Ok I've changed the IP addresses on the ipconfig for obvious reasons.... so I'm guessing that when the ICW was run it has setup the MS firewall, which is where I'm now at a loss, as I've never used it. I've also never setup a server in this way, always using separate hardware to achieve the DMZ instead of the server itself. Technically there is no reason why this should cause a problem, it all appears fine.

    However, as on one of my original posts if the WAN IP address has changed from what your ISDN router previously had, then that will affect mail delivery/OWA. If this consultant chap has just changed you over, but not communicated these changes to your ISP, then I think this is where the problem lies.

    1. Check with your ISP to see where they think your mail is being delivered to
    2. Send an e-mail to an internet account (I've some GMail accounts going if you want one) and reply, and see what the message is that comes back, this message will tell us heaps about the issue
    3. From outside of your work organisation, ping the name of what you are using for OWA (for example mail.overhere.com (no need to use the /exchange on the ping)) and see if the address matches either of the two addresses listed on the WAN-USB config.
    4. Ask your consultant to do more than say 'it should work', that's about as helpful as a chocolate fire guard. If it was configured correctly then it WOULD work, obviously something is not working and it's to do with the transfer from ISDN to T1. If you haven't paid him yet for the work, tell him you're not until he fixes it....

    Keep us informed!
    "Today is a Gift, thats why they call it the present"

  14. #14
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    Find out what your external IP is, there are many online services that can show it to you.
    Then start a command prompt (cmd) and type:

    nslookup
    server <your ISP's DNS> (override your hosted dns if any)
    set type=mx
    <yourdomain.com>

    This will return the real MX record(s) of your server. Sometimes ISP's forget to update it at your first request or might not do it unless they have a signed fax with your company header, etc, etc...
    If the MX record is different from the IP address and you aren't using any mail reflector or other mail forwarding service, this is your problem (unless you have a more complex configuration, with several Internet IP addresses on the firewall so that your outgoing IP might be different, but most likely still in the same subnet)
    There might be another "hidden" issue: some ISP's are blocking incoming traffic to client's ports 25 and 80. Using a different ISP that you know is not blocking those ports, try in a command prompt "telnet <router's external ip> 25". If you get "connect failed" then something is blocking you (either your ISP or the router). Just make sure the router is properly configured.
    You can also find the route of your connection. In a command prompt type "tracert www.yahoo.com" and see the hops. Check that it matches what you know it should be.
    Going back to command.com - it just emulates the MS-DOS environment for 16 bit applications; it also doesn't support long filenames.
    Now stab me.
    Protected by Glock. Don't mess with me!
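
Added example, not part of any post in this thread: the MX comparison described in post #14, scripted over saved `nslookup` output. It assumes the `set type=mx` layout that Windows `nslookup` prints; `example.com`, the host names and the addresses are constructed sample values, and the function names are this example's own.

```python
import re
import socket

# Constructed sample of Windows nslookup output after "set type=mx".
# Documentation-range addresses; nothing here comes from the thread.
SAMPLE_NSLOOKUP = """\
Server:  ns1.isp.example
Address:  192.0.2.53

Non-authoritative answer:
example.com\tMX preference = 10, mail exchanger = mail.example.com
example.com\tMX preference = 20, mail exchanger = relay.isp.example

mail.example.com\tinternet address = 198.51.100.10
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)\s*$")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)\s*$")


def parse_mx(output):
    """Return [(preference, exchanger, [ips])] sorted by preference."""
    mx, addrs = [], {}
    for line in output.splitlines():
        m = MX_RE.match(line)
        if m:
            mx.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
            continue
        a = A_RE.match(line)
        if a:
            addrs.setdefault(a.group(1).rstrip(".").lower(), []).append(a.group(2))
    return [(pref, host, addrs.get(host, [])) for pref, host in sorted(mx)]


def check_mx(output, external_ip):
    """Classify each MX host against the address the router has now."""
    findings = []
    for pref, host, ips in parse_mx(output):
        if not ips:
            # No A record in the answer (e.g. an ISP relay): look it up separately.
            status = "unresolved"
        elif external_ip in ips:
            status = "ok"
        else:
            # Mail for the domain is still being sent to some other address.
            status = "mismatch"
        findings.append((host, pref, ips, status))
    return findings


def port_open(ip, port, timeout=5.0):
    """TCP connect test, the scripted form of 'telnet <ip> 25'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # 203.0.113.25 stands in for the new external address after the ISP change.
    for host, pref, ips, status in check_mx(SAMPLE_NSLOOKUP, "203.0.113.25"):
        print(f"{status:10} pref={pref:<3} {host} -> {', '.join(ips) or '-'}")
```

`port_open` only gives a meaningful answer for ports 25 and 80 when run from a connection outside the site, as the post says.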

  15. #15
    Registered User cmg214's Avatar
    Join Date
    Apr 2004
    Posts
    81
    Quote Originally Posted by CeeBee
    Find out what your external IP is, there are many online services that can show it to you.
    Then start a command prompt (cmd) and type:

    nslookup
    server <your ISP's DNS> (override your hosted dns if any)
    set type=mx
    <yourdomain.com>

    This will return the real MX record(s) of your server. Sometimes ISP's forget to update it at your first request or might not do it unless they have a signed fax with your company header, etc, etc...
    If the MX record is different from the IP address and you aren't using any mail reflector or other mail forwarding service, this is your problem (unless you have a more complex configuration, with several Internet IP addresses on the firewall so that your outgoing IP might be different, but most likely still in the same subnet)
    There might be another "hidden" issue: some ISP's are blocking incoming traffic to client's ports 25 and 80. Using a different ISP that you know is not blocking those ports, try in a command prompt "telnet <router's external ip> 25". If you get "connect failed" then something is blocking you (either your ISP or the router). Just make sure the router is properly configured.
    You can also find the route of your connection. In a command prompt type "tracert www.yahoo.com" and see the hops. Check that it matches what you know it should be.
    Going back to command.com - it just emulates the MS-DOS environment for 16 bit applications; it also doesn't support long filenames.
    Now stab me.

    Okay, where do I start:

    I have called the ISP to update MX records, which they must have done, because we are getting email-right?
    I did run the tracert, but I didn't recognize any of the IPs it "jumped" to or from.....all started with 216. . .
