Wednesday, November 17, 2010

TMG&EDGE server 550 5.7.1 Unable to relay

I have been working on one of our LABs last couple days to configure Exchange 2010 servers to work with TMG & EDGE. One of the problems I have faced was not being able to send mail from Exchange host to the TMG & EDGE and mail also was not coming in. Assuming the firewalls allowing traffic couple things I like to mention may save you time if you run into similar scenario.

First of all if you are not familiar with TMG and its configuration here what you need to have click here, this step by step doc will walk you trough the basic configuration.

Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010

The best thing or way to find out if SMTP traffic is leaving the Exchange host is to install sniffer on the Exchange host itself to be honest. After installing WireShark ( sniffer) install PortQueryUI or similar tool to generate SMTP traffic.

 

In my case SMTP traffic was not leaving the host due to McAfee E-policy blocking by default SMTP port on the Exchange servers (-: , Uhhhhhh if you skip this part and start jumping somewhere else you end up coming back here anyways.

So though process should be simple, does SMTP traffic leaving the Exchange host? If yes you will hit eventually TMG& EDGE assuming any firewall standing on your way in the middle is passing SMTP traffic.

After fallowing TMG guide if you are still unable to get Exchange host TMG& EDGE SMTP conversation you may want to check this ,

image

 

Get-ReceiveConnector

 


Get-ReceiveConnector "Reinjection" | Add-ADPermission -User "NTAUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTPAccept-Any-Recipient"

 


Add-AdPermission "Reinjection" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-Bypass-Anti-Spam
  • The safest way to check the SMTP flow is still the old way opening CMD and telneting on port 25 from host to destination and see what the response is IMHO.

Allowing application servers to relay off Exchange Server

http://msexchangeteam.com/archive/2006/12/28/432013.aspx

Respectfully,
Oz Casey, Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog
http://telnet25.spaces.live.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

No comments: