Contributor
January 3, 2011
Question

How to publish Exchange Server in Fortigate

  • January 3, 2011
  • 10 replies
  • 19096 views
Hello, I configured Exchange Server behind a FortiGate. OWA is working properly and I can send email, but I cannot receive any email; I get this error: "Sorry, no mailbox here by that name. (#5.1.1)". I am just using a Virtual IP. Is there any special setting I missed? Thanks.

    ede_pfau
    SuperUser
    January 3, 2011
    Hi, please supply more information:
    - the setup of your VIP
    - the policy the VIP is used in, including the services setting
    Contributor
    January 3, 2011
    Information
    VIP info
    Name: Exchange
    External Interface: WAN1
    Type: Static NAT
    External IP Address/Range: the real IP that is registered as the MX record
    Mapped IP Address/Range: internal IP (actually the IP of the TMG server)
    Port Forwarding: none
    Policy
    Source: All
    Destination: Exchange
    Service: Any
    Action: Accept
    rwpatterson
    New Member
    January 3, 2011
    Is the destination the inside exchange IP or the VIP definition? It needs to be the VIP to work.
    Contributor
    January 3, 2011
    The destination is the VIP definition with the name Exchange; as you can see above, the name of the VIP is Exchange and the destination in the policy is Exchange.
    ede_pfau
    SuperUser
    January 3, 2011
    VIP and policy look OK. Do some more tests:
    - can you ping the server from outside?
    - can you telnet to the server from outside? Enter HELO or EHLO and see if you get a response.
    If both tests run OK, it's not a firewall issue but a valid answer from the server. What do the server logs say?
    Contributor
    January 3, 2011
    I cannot ping either the FortiGate or the Virtual IP. I also tried to telnet and got this: Could not open connection to the host on port 23: connect failed
    ede_pfau
    SuperUser
    January 3, 2011
    Then the public IP seems to be wrong. Please post:
    - the public IP of your MX
    - the public IP of your FortiGate, including subnet mask (if you want, you may change one or two bytes, but not the rightmost)
    You can check correct routing from your ISP via traceroute/tracert. Where does it stop?
    Maik
    New Member
    January 3, 2011
    Are you sure this is a firewall issue? You get a response from your Threat Management Gateway (TMG) saying that there is no mailbox visible:
    "Sorry, no mailbox here by that name. (#5.1.1)"
    The firewall would completely block the connection, saying nothing. Also, outbound mail works. OWA works on the same VIP as well? The telnet test mentioned should go to port 25, talking SMTP (telnet ip port). Yours is defaulting to the default telnet port 23. (Google for "telnet smtp test".) I'd rather have a look into the TMG than the FortiGate. Regards, Maik
    Contributor
    January 4, 2011
    Even when I tried to disable the OWA rule in TMG that publishes Exchange, I got the same error. I think it is my ISP's SMTP server that replied.
    ede_pfau
    SuperUser
    January 3, 2011
    Thanks Maik, I meant telnet to the SMTP port but didn't write it... still not running at 100%. OWA can work with the same VIP as the VIP is not port-forwarding. Hossam, I completely agree with Maik's observations. Check the server logs first.
    discoveryit
    New Member
    January 3, 2011
    You should set up your VIP with port 25 forwarded inbound instead of forwarding the entire range. That allows you to use that IP for other things. Telnet should look like this: telnet mail.server.com 25 (tests port 25, not 23).
    discoveryit
    New Member
    January 3, 2011
    VIP Policy
    Contributor
    January 4, 2011
    Thank you for your response. I tried to specify the port as you described, but the same problem; besides, in this case I cannot log in from outside using OWA.
    ede_pfau
    SuperUser
    January 4, 2011
    OWA can work with the same VIP as the VIP is not port-forwarding.
    I say it again in other words: OWA cannot work with the same VIP _if_ it is port-forwarding SMTP. If you don't read the posts then this is fruitless.
    tried to tracert & it is complete to the end without any problem Also I can ping the external IP of exchange successfully
    Does that mean you pinged 2 different IPs? Which ones? We are still guessing instead of getting information; I already asked for the IPs 7 posts ago. And again, what do you see in the server logs?
    Contributor
    January 4, 2011
    What is wrong with you? Why are you talking to me like this? You replied to Maik:
    OWA can work with the same VIP as the VIP is not port-forwarding.
    I replied to discoveryit:
    I tried to specify the port as you described but the same problem beside in this case I cannot login from outside using OWA.
    So what? What is wrong? I described to discoveryit that when I enable port-forwarding, OWA didn't work.
    Does that mean you pinged 2 different IPs? Which ones? We are still guessing instead of getting information - I already asked for the IPs 7 posts ago.
    I said I can ping just the external IP, the VIP of the Exchange server; I didn't say two IPs. Please check this diagram: the VIP = 1.1.1.2 and this is the MX record.
    ede_pfau
    SuperUser
    January 4, 2011
    Keep it cool. It's only a technical issue. All I was saying is that you waste time configuring a port-forwarding VIP. I stated that both SMTP and OWA are working because it is not a port-forwarding VIP; then you tried it and voila, OWA stopped working. That was for sure.
    I tried to tracert & it is complete to the end without any problem Also I can ping the external IP of exchange successfully
    "Also" makes me believe that you tracerouted to one IP and pinged the VIP. If you tracerouted and pinged the same IP (the VIP), then this doesn't say much, as both use ICMP. Still, it looks like your problem is with the TMG. What do the logs say?
    Contributor
    January 4, 2011
    I'll check the log and post it here, but I noticed a strange thing: when I enable the policy that allows the VIP, the IP of my client computer (behind the FW) as seen on the internet changes from the real IP of the FortiGate to the VIP, and when I disable this firewall policy I get the real FortiGate IP.
    Contributor
    January 13, 2011
    I didn't get any logs on the TMG 2010 server, so how can I log Exchange traffic on the FortiGate to ensure it passed to TMG?
    discoveryit
    New Member
    January 4, 2011
    To make OWA work, you can just copy the VIP above and make one that forwards port 443 to the Exchange server. You can then add the HTTPS forward as a "Multiple Address" to the same policy that your port 25 forward is using. Also make sure that you are not using multiple IPs. Our Exchange server has one IP for SMTP traffic and another for web traffic.
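The port-forwarding setup discoveryit describes (one VIP for SMTP, a second for HTTPS, both in one policy), written out as FortiGate CLI, as an added example that is not from this thread or from Fortinet's documentation. It uses the VIP address 1.1.1.2 and interface wan1 from the thread; the mapped address 192.0.2.10, the interface name "internal" and the object names are assumed. The last part answers the logging question above: enabling traffic logging on the policy and running the built-in packet sniffer shows whether port 25 traffic is actually being handed to the TMG.

```text
# Added example: two port-forwarding VIPs on the same public IP 1.1.1.2
config firewall vip
    edit "Exchange-SMTP"
        set extintf "wan1"
        set extip 1.1.1.2
        set mappedip 192.0.2.10     # assumed internal IP of the TMG server
        set portforward enable
        set protocol tcp
        set extport 25              # only SMTP, not the whole range
        set mappedport 25
    next
    edit "Exchange-OWA"
        set extintf "wan1"
        set extip 1.1.1.2
        set mappedip 192.0.2.10
        set portforward enable
        set protocol tcp
        set extport 443             # OWA over HTTPS on the same public IP
        set mappedport 443
    next
end

# One inbound policy with both VIPs as destination, restricted to the
# services the VIPs forward (instead of "Any"), with traffic logging on.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"      # assumed name of the LAN interface
        set srcaddr "all"
        set dstaddr "Exchange-SMTP" "Exchange-OWA"
        set action accept
        set schedule "always"
        set service "SMTP" "HTTPS"
        set logtraffic enable       # forwarded sessions appear in the traffic log
    next
end

# Verify from the FortiGate CLI while an outside host connects to port 25:
# packets should show up on wan1 to 1.1.1.2 and leave on internal to 192.0.2.10.
diagnose sniffer packet any 'tcp port 25' 4
```

If the sniffer shows the SYN arriving on wan1 but nothing leaving towards 192.0.2.10, the VIP or policy is the problem; if the connection reaches the TMG and the "no mailbox here by that name (#5.1.1)" reply still comes back, the FortiGate has done its job and the issue is on the TMG or Exchange side, as Maik suggested.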