Archive for the ‘ISA’ Category

After deciding to use my FTMG server for spam protection using the Microsoft Exchange Edge Transport synchronisation, I proceeded to follow the configuration guides on TechNet.

Everything seemed to be working excellently, and spam was reduced considerably.  Then, out of nowhere, a number of people contacted me to say that they were receiving Non-Delivery Reports (NDRs) when trying to send me email.  The content of the NDR was:

#< #5.7.1 SMTP; 550 5.7.1 External client with IP address w.x.y.z does not have permissions to submit to this server. Visit for more information.> #SMTP#

I thought this was a bit odd because it had been working without issue for nearly a week.  Upon investigation I found that the Forefront TMG Managed Control Service was not started on my FTMG server.  This service controls the integration of the FTMG E-Mail Policy with the Exchange Edge Transport server.  Trying to start the service simply failed with the error:

Windows Could not Start the “Microsoft ForeFront TMG Managed Control” service on Local Computer
Error 0x80070057 : Parameter is incorrect

I did a bit of searching and found that this could be caused by the IP Block List in the Exchange Management Console filling up with IP addresses.  My first thought was: why was the IP Block List in FTMG not reflecting this?  Maybe that’s one for the FTMG Product Team.

I opened the Exchange Management Console and checked the IP Block List, which was enabled, to see what was listed.  This didn’t go so well.  I received the following error message:

Obviously this was not good! I couldn’t control Exchange through the FTMG Console (which is where all configuration changes are supposed to be made). But worse, I couldn’t control it through the Exchange Management Console either.

As a last resort, I tried the Exchange Management Shell.  Running the command Get-IPBlockListEntry gave me a list of over 100 IP addresses that had been blocked.  Excellent, at least I now knew I could do something via the EMS.  Running Get-IPBlockListEntry | Remove-IPBlockListEntry removed all the IP addresses, and I was then able to start the Forefront TMG Managed Control Service.
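Before clearing a block list that has been filling up on its own, it is worth keeping a record of what was in it, since the blocked sender addresses are the only evidence of what the Edge server was reacting to. The following Exchange Management Shell script is an added example, not part of the original post: it snapshots the IP Block List to a CSV, shows how many entries were machine-generated versus added by hand, clears the list exactly as the post does, verifies it is empty, and only then starts the Managed Control service by the display name quoted in the error above. The export path and the exact service display name are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Edge Transport server. Assumptions: C:\Temp exists, and the TMG service
# display name matches the one shown in the error message in the post.

$exportPath = "C:\Temp\IPBlockList-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Snapshot the list first. IsMachineGenerated tells you whether the entry was
# added automatically (e.g. by sender reputation) or by an administrator.
$entries = @(Get-IPBlockListEntry)
Write-Host ("IP Block List currently holds {0} entries" -f $entries.Count)
$entries |
    Select-Object IPRange, ExpirationTime, IsMachineGenerated, Comment |
    Export-Csv -Path $exportPath -NoTypeInformation
Write-Host "Snapshot written to $exportPath"

# Summarise automatic vs. manual entries before they are gone
$entries | Group-Object IsMachineGenerated | ForEach-Object {
    Write-Host ("  IsMachineGenerated={0}: {1} entries" -f $_.Name, $_.Count)
}

# Clear the list, as in the post
$entries | Remove-IPBlockListEntry -Confirm:$false

# Confirm the list is actually empty before touching the service
$remaining = @(Get-IPBlockListEntry).Count
if ($remaining -ne 0) {
    throw "IP Block List still has $remaining entries; not starting the service."
}

# Start the Managed Control service using the display name from the error message
$svc = Get-Service -DisplayName "Microsoft Forefront TMG Managed Control"
Start-Service -InputObject $svc
$svc.Refresh()
Write-Host ("{0} is now {1}" -f $svc.DisplayName, $svc.Status)
```

The CSV is the artefact to keep: if the list fills again, comparing two snapshots shows whether the same senders keep being blocked or whether the list is simply accumulating unexpired entries.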

First thing I did was disable the IP Block List – using the FTMG console of course! My server has now been running happily for nearly 24 hours again.

This raises the question of how and why the IP Block List on the Edge Transport server is filling up with IP addresses, and, I guess more importantly, why the same IP Block List in FTMG does not reflect the contents of the Edge Transport server.

The following procedure will provide you with the steps required to publish Exchange services (OWA/HTTP-RPC/ActiveSync) with ISA 2006. The procedure will work with all versions of Exchange; you will just see slightly different options depending on which version you choose.

The first thing to do is launch ISA Server Manager and, in the Task Pane on the right-hand side, click Publish Exchange Web Client Access.

Firewall Policy Tasks

You will then see a screen asking you to give your rule a name. I use something like “OWA Publishing Rule”; it makes no difference what you put in here, but a sensible, descriptive name makes the rule easy to identify later.

On the screen pictured below you need to choose which version of Exchange you are using (note that Exchange 2010 is not listed; you need to select Exchange 2007).

Exchange Version

With Exchange 2007/2010 the wizard will not allow you to specify more than one service, so you will need to create a rule for each service. Click Next.

Select Publish a Single Website or Load Balancer (in Exchange 2007/2010 you will use a CAS server to proxy for all your Exchange servers if you have more than one). If you only have the one server then you will just direct requests to that.

Load Balancer

On the next screen select SSL. It will work if you choose non-secured, but all your login credentials will be sent in plain text.


On the next screen, shown below, enter the internal fully qualified domain name of your Exchange server that is running the Client Access role, and its internal IP address, so that the request still completes if name resolution fails.

You will then need to enter the public name that will be used to access your server, for example, this name must match the certificate that is used on both the CAS server and installed on the ISA server.

On the Web Listeners page click New to create a new listener for OWA and give it a name; again it really doesn’t matter what this name is, it just needs to be something you can easily identify at a later date. I am going to call mine OWA-Listener. On the next screen specify which network you will be listening on. As part of the ISA setup you will already have an External and an Internal network configured. You will need to select the External network for most applications; however, you may want to add the Internal network as well if users inside your network will also be accessing OWA through the ISA server.

If you have multiple external IP addresses configured on the network card that represents your external network, clicking the Select IP Addresses button will allow you to choose which IP address your requests will arrive on. This is important: if you have more than one service being published on port 443 going to different servers, then you will need more than one external IP address.

Once that’s done you will need to select the certificate you will use. Again, this must match the certificate that is installed on the Exchange server, and it must be installed in the Computer store on the ISA server, not the User store. Select HTML Form Authentication (we will turn the Exchange FBA off later – otherwise you will end up with two login prompts) and uncheck the SSO box on the next screen (unless you are using SSO for other published resources).

You will then return to the Publish wizard and select the listener you have just created. Click Next, accept the defaults on the next two screens, and you have finished your publishing rule. All that’s left to do in ISA is to apply the settings you have just configured.
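The two certificate requirements in the listener steps above (it must be in the Computer store on the ISA server, and it must match the public name) are the usual reason a freshly built listener fails with a certificate error. The following PowerShell script is an added example, not from the original post, that checks the LocalMachine Personal store for a certificate whose Subject CN or Subject Alternative Name covers the public name, that still has its private key, and that has not expired. The public name in $publicName is an assumption; replace it with the name you entered in the wizard.

```powershell
# Added example (not from the original post). Run on the ISA server.
# Assumption: $publicName is the public name entered in the publishing wizard.
$publicName = "mail.example.com"

function Get-CertDnsNames($cert) {
    # Collect the Subject CN plus any DNS entries from the Subject Alternative Name
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.FriendlyName -eq 'Subject Alternative Name') {
            foreach ($part in $ext.Format($false).Split(',')) {
                if ($part.Trim() -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
            }
        }
    }
    return $names
}

# Only the Computer (LocalMachine) Personal store counts; the User store is ignored,
# which is exactly the mistake the post warns about.
$candidates = Get-ChildItem Cert:\LocalMachine\My
$now = Get-Date
$usable = @()

foreach ($cert in $candidates) {
    $names = Get-CertDnsNames $cert
    $nameOk = $false
    foreach ($n in $names) {
        # Exact match, or a wildcard certificate covering the public name's domain
        if ($n -eq $publicName) { $nameOk = $true }
        elseif ($n.StartsWith('*.') -and $publicName.EndsWith($n.Substring(1))) { $nameOk = $true }
    }
    $problems = @()
    if (-not $nameOk)             { $problems += "name does not cover $publicName" }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }
    if ($cert.NotAfter -lt $now)  { $problems += 'expired' }
    if ($problems.Count -eq 0) { $usable += $cert; $problems += 'OK' }
    Write-Host ("{0}  {1}  expires {2:yyyy-MM-dd}  -> {3}" -f `
        $cert.Thumbprint, ($names -join '/'), $cert.NotAfter, ($problems -join '; '))
}

if ($usable.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My covers $publicName with a private key; the listener will not work."
}
```

A certificate that shows “no private key in this store” usually means it was imported from a .cer file rather than a .pfx, or was imported into the User store; either way the listener cannot use it.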

Disable Exchange FBA

For the publishing rule you have just created to work effectively you need to disable Forms Based Authentication on the Exchange server that the rule is publishing. The reason is that, if you don’t disable it, the ISA server will present you with a form for credentials and then so will the Exchange server.

To disable FBA in Exchange 2007 and 2010 you will need to do the following:

Open the Exchange Management Console and navigate to Server Configuration > Client Access, then select the Outlook Web Access tab (in Exchange 2010 this has been renamed to Outlook Web App). Right-click on OWA, select Properties, check the box for “Use one or more standard authentication methods” and select Integrated Authentication, as per the screenshot below. You will then need to run IISRESET from a command line.
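The same change can be made, and more importantly verified, from the Exchange Management Shell, which is useful when you have several CAS servers to do. The following script is an added example, not from the original post: it records the current OWA authentication settings, turns forms-based authentication off and Integrated (Windows) authentication on, re-reads the virtual directory to confirm the change took, and only then runs IISRESET as the post does. The server name in $casServer and the default “owa (Default Web Site)” identity are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on Exchange 2007/2010. Assumptions: $casServer is your Client Access server and
# the OWA virtual directory has the default identity "owa (Default Web Site)".
$casServer = "CAS01"
$owaIdentity = "$casServer\owa (Default Web Site)"

# Record the current state so the change can be reverted if needed
$before = Get-OwaVirtualDirectory -Identity $owaIdentity
$before | Format-List Identity, FormsAuthentication, WindowsAuthentication, BasicAuthentication

# Forms-based authentication off, Integrated (Windows) authentication on.
# This matches "Use one or more standard authentication methods" + Integrated
# Authentication in the console.
Set-OwaVirtualDirectory -Identity $owaIdentity -FormsAuthentication $false -WindowsAuthentication $true

# Re-read and verify before restarting IIS; a half-applied change would leave
# users with either two logon prompts or none that works.
$after = Get-OwaVirtualDirectory -Identity $owaIdentity
if ($after.FormsAuthentication -or -not $after.WindowsAuthentication) {
    throw "Unexpected authentication settings on $($after.Identity); not running IISRESET."
}
Write-Host ("{0}: FormsAuthentication={1}, WindowsAuthentication={2}" -f `
    $after.Identity, $after.FormsAuthentication, $after.WindowsAuthentication)

# Apply the change, as the post does
iisreset
```

Keep the output of the first Get-OwaVirtualDirectory; if internal users later complain about a missing logon page, it tells you exactly what to set back.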

To disable FBA in Exchange 2003 you need to open Exchange System Manager and navigate to Administrative Groups > First Administrative Group > Servers > Servername > Protocols > HTTP, then right-click on Exchange Virtual Server and select Properties. Select Settings and uncheck the box that says “Enable Forms Based Authentication”. You will then need to run IISRESET from a command line.