Hi Martin,
Yes, I manually started the IsaManagedCtrl service for a while until I finally had the service startup setting "Automatic (delayed start)" working. Or maybe I solved that one after a certificate configuration change. Still no incoming mail and error 31506 keeps repeating while an edge subscription is active.
At some points I probably did not have the correct certificate setup. I've been searching and frankly I'm still not sure what is expected from Exchange/TMG. Right now I'm running like this:
- Edge: The TMG/Exchange edge server has 3rd party EV SSL SAN cert for IIS/Exchange use (covering mail. owa. and autodiscover.).
- Hub: The Exchange hub/cas/mailbox server has a cert with CN computername.domainname.rootdomain from our enterprise CA.
The 3rd party cert is added to the web listener of the TMG. Running Get-ExchangeCertificate on each server returns no other certificates. The edge server has SMTP set with Enable-ExchangeCertificate, and the hub has likewise enabled SMTP, IMAP, POP and IIS.
While trying some shots in the dark I deleted the self-issued cert once created by the Exchange Edge installation, but re-creating, or adding a cert from the enterprise CA did not help.
I get errors while trying to see the properties of the two Receive Connectors from the EMC on the edge:
- The operation couldn't be performed because object '<EdgeServerName>\External_Mail_Servers' couldn't be found on 'localhost'. It was running the command 'Get-ReceiveConnector -Identity '<EdgeServerName>\External_Mail_Servers''.
- The operation couldn't be performed because object '<EdgeServerName>\Internal_Mail_Servers' couldn't be found on 'localhost'. It was running the command 'Get-ReceiveConnector -Identity '<EdgeServerName>\Internal_Mail_Servers''.
Then, from the shell all looks ok as far as I can see:
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity '<EdgeServerName>\External_Mail_Servers'
Identity Bindings Enabled
-------- -------- -------
Helm\External_Mail_Servers {85.196.xxx.xxx:25} True
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity '<EdgeServerName>\Internal_Mail_Servers'
Identity Bindings Enabled
-------- -------- -------
Helm\Internal_Mail_Servers {192.168.xxx.xxx:25, 85.196.xxx.xxx:25} True
I'm not sure if this has anything to do with the lost mail.
Otherwise it looks like settings keep in sync now.
Logging in TMG filtered by SMTP and LDAP (Edge) and LDAPS (Edge) always returns two entries while sending an e-mail to the organization:
- Initiated Connection <EdgeServerName> 29.12.2009 19:26:44
Log type: Firewall service
Status: The operation completed successfully.
Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
Source: External (213.158.233.150:57511)
Destination: Local Host (85.196.xxx.xxx:25)
Protocol: SMTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 213.158.233.150
- Closed Connection <EdgeServerName> 29.12.2009 19:26:49
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
Source: External (213.158.233.150:57511)
Destination: Local Host (85.196.xxx.xxx:25)
Protocol: SMTP
Additional information
Number of bytes sent: 2054 Number of bytes received: 467
Processing time: 5414ms Original Client IP: 213.158.233.150
Later, this one repeats (like error 31506), trying from hub to edge:
- Denied Connection <EdgeServerName> 29.12.2009 19:34:04
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None - see Result Code
Source: Internal (192.168.xxxx.xxx:11936)
Destination: Local Host (192.168.yyy.yyy:50636)
Protocol: LDAPS(EdgeSync)
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.xxx.xxx
Any ideas?
Thanks.
-olav
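As an added check that is not part of olav's post: the symptoms above (Get-ReceiveConnector working from the shell but failing in the EMC, SMTP reaching the edge but EdgeSync LDAPS traffic from the hub being dropped as non-SYN) are the kind of thing that is easiest to narrow down by listing, on each server, which certificate is bound to which service and whether EdgeSync actually completes. The script below uses only the Exchange cmdlets named in the thread plus Test-EdgeSynchronization; which server it is run on (edge vs. hub) and the "localhost" identity are assumptions, and it changes nothing.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Part 1 applies on both the Edge and the Hub; part 2 only on the Hub.

# --- Part 1: which certificate serves which Exchange service? ---
# The thread mentions one cert per server; this shows the thumbprint, the
# services it is enabled for (SMTP, IIS, POP, IMAP) and the names it covers,
# so a wrong or missing SMTP binding is visible at a glance.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# Receive connectors as seen from this box: bindings and whether they are
# enabled. Identity uses the server name, so the same query that failed in the
# EMC ('localhost') can be compared against the one that worked in the shell.
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Format-List Identity, Bindings, Enabled, AuthMechanism, RemoteIPRanges

# --- Part 2 (Hub only): does EdgeSync complete end to end? ---
# Test-EdgeSynchronization reports the synchronization status per Edge server;
# a failure here lines up with the dropped LDAPS (EdgeSync) traffic on port
# 50636 that TMG logs as a non-SYN packet from a source without an established
# connection.
$role = (Get-ExchangeServer -Identity $env:COMPUTERNAME).ServerRole
if ($role -match 'HubTransport') {
    Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc, FailureDetail
}
```

Reading the output: the SMTP service should appear in the Services column of exactly the certificate the edge is expected to use, the bindings listed by Get-ReceiveConnector -Server should match what the EMC was trying to open, and a SyncStatus other than Normal on the hub points at the EdgeSync path rather than at inbound SMTP.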