Custom policy and exchange esmtp problem


fragglex
01-01-2008, 06:31 PM
I have been having a problem with two exchange servers communicating with each other. As per the wiki I found this is likely to be due to the servers communicating using esmtp traffic. I am however having a problem with the solution and would like some advice.

The setup is as follows

server 1 - 192.168.2.50 ( exchange )
|
untangle 1 - 192.168.2.90
|
router 1 - 192.168.2.99
|
|
VPN via internet
|
|
router 2 - 192.168.1.99
|
untangle 2 - 192.168.1.90
|
server 2 - 192.168.1.50 ( exchange )

On untangle 1 and 2 I have tried various custom policy settings without success. Currently both have the following to try to ensure all possibilities have been covered. Both untangle machines are running in transparent bridge mode with two nics.

rule 1 - no rack - internal - external - tcp - 192.168.2.50 - 192.168.1.50 - 25
rule 2 - no rack - external - internal - tcp - 192.168.1.50 - 192.168.2.50 - 25
rule 3 - no rack - internal - external - tcp - 192.168.1.50 - 192.168.2.50 - 25
rule 4 - no rack - external - internal - tcp - 192.168.2.50 - 192.168.1.50 - 25

all rules are live and set for any day between 00.00 and 23.59 and both untangle servers reset to ensure the custom policy has been accepted and is shown in the dialog window

The communications are still not working properly. I have therefore installed a syslog server and have both untangle machines sending information to the syslog server. The policy did work once last night and I thought it had been solved, so I left it alone; today however, without having changed anything, it has stopped working again. An example of an output below shows that the default policy is still being applied and I cannot see why. Any help or advice would be gratefully accepted as my head hurts now and I am probably missing something simple.

--

Wednesday, January 02, 2008 01:14:47
Info message from: 192.168.1.90
PipelineEndpoints # endpoints: create-date=Wed Jan 02 01:19:13 GMT 2008, session-id=309498780, protocol=TCP, policy=Default Rack, policy-direction=outbound, client-iface=inside, client-addr=192.168.1.50, client-port=45174, server-addr=192.168.2.50, server-port=25, server-iface=outside, client-addr=192.168.1.50, client-port=45174, server-addr=192.168.2.50, server-port=25 #

mdh
01-02-2008, 07:13 AM
Whose VPN?

fragglex
01-02-2008, 07:21 AM
Sorry if I was not clear: the two routers (Draytek) are set up with a VPN between them. All other traffic works correctly over this VPN connection.

mdh
01-02-2008, 08:06 AM
fragglex,

What I was trying to find out was the protocol. If you are using IPsec or PPTP, we aren't supporting passthrough of those yet. Only OpenVPN is usable with Untangle. It's SSL-based, and fully supported.

fragglex
01-02-2008, 09:54 AM
Alright, sorry. The VPN connection is between the hardware routers and is running using PPTP. I did not think this was an issue as it was the routers rather than the servers running the VPN, and as such the VPN connection should not be passing through the untangle system.

However I have been doing some further testing using only one of the sites, and as such one untangle system with no VPN involved, to rule out the VPN issue.

To do this I set a single rule under custom policy as

no rack - external interface for client - any interface for server - client address any - server address 192.168.2.50 - any port

Now under this policy any type of incoming traffic should bypass the default rack and be processed as no rack, should it not? I then tried both a telnet to port 25 from the internet and also web page access of the server from the internet. These ports have been forwarded by the hardware routers to the server through the untangle box, and in both cases they are still processed by the default rack according to the syslog. The web port 80 syslog message is shown below with the IPs masked out with x's.

Wednesday, January 02, 2008 16:41:53
Info message from: 192.168.2.97
Response # endpoints: create-date=Wed Jan 02 16:46:09 GMT 2008, session-id=1006886194, protocol=TCP, policy=Default Rack, policy-direction=inbound, client-iface=outside, client-addr=xxx.xxx.xxx.xxx, client-port=53303, server-addr=192.168.2.50, server-port=80, server-iface=inside, client-addr=xxx.xxx.xxx.xxx, client-port=53303, server-addr=192.168.2.50, server-port=80 # info: url=http://xxx.xxx.net/exchweb/img/icon-paperclip.gif, content-type=image/gif, content-length=156 #

I just can't seem to get the custom policies to apply to the traffic.

fragglex
01-02-2008, 12:05 PM
Well after much fiddling around I chose the only thing I had not previously touched. Always the thing you don't expect. For each of the rules that I actually wanted to use under custom policy I clicked on the normal daytime dropdown and chose to invert it. This made no difference to the start and end time, and even after rebooting the untangle machine the custom policy still shows normal daytime, not inverted daytime, but all port 25 traffic between the two servers is now being handled by the no rack policy.
At least things are working for me now, but I could not understand why this simple drop down would have made the difference when it is not registered in the interface, even after the reboot, that it has been selected. Weird?

Ah well I just need to monitor it for a while now and ensure that it keeps working and this is the solution for me.

blykins
02-05-2008, 04:03 AM
fragglex: thanks for the post. I had exactly the same problem, and changing the selection to the inverted daytime fixed it. It does seem like a very, very strange workaround?

lutzkanov
02-26-2008, 04:17 AM
I have the same problem! In my case I have 2 offices connected by IPSec VPN, powered by Juniper routers.
Behind them are 2 Untangle boxes with the trial Professional Package, working in transparent mode.
I have had no luck passing esmtp traffic between the two Exchange servers.

Test 1 - Only 1 Untangle box

Server 1 - 10.1.1.2 - Exchange
|
Untangle 1 - 10.1.1.100 / 255.0.0.0 - Transparent (ver. 5.0.3)
|
Router 1 - 10.1.1.1 (int. interface)
|
VPN through Internet
|
Router 2 - 10.0.1.1 (int. interface)
|
Server 2 - 10.0.1.2 - Exchange

After a few unsuccessful attempts with two and more policies, the working Custom Policy for me is:

Interface Client - ANY; Interface Server - ANY !!!!!!!
Address Client - 10.0.0.0/8; Address Server - 10.0.0.0/8
Port - 25
Rack - NO RACK

These settings allow bidirectional communication between my servers.
Interesting in this case: Untangle allows me to apply these settings without an error message!
When I set up two Untangle boxes (behind routers), the second Untangle can't apply the above-described settings.
The error message was something like: ....You can't set ANY interface for client and server simultaneously.

Test 2 - Two Untangle boxes

Server 1 - 10.1.1.2 - Exchange
|
Untangle 1 - 10.1.1.100 / 255.0.0.0 - Transparent (ver. 5.0.3)
|
Router 1 - 10.1.1.1 (int. interface)
|
VPN
|
Router 2 - 10.0.1.1 (int. interface)
|
Untangle 2 - 10.0.1.100 / 255.0.0.0 - Transparent (ver. 5.0.3)
|
Server 2 - 10.0.1.2 - Exchange

..and to finish, is there a guy who can describe this case to me in detail, with examples, for me, the unenlightened ...

Thanks in advance!

mdh
02-26-2008, 07:13 AM
The Exchange server at 10.1.1.2 would be associated with the INTERNAL interface on one Untangle box, and the 10.0.1.2 would be associated with the INTERNAL interface on the other Untangle box. They can send TO anywhere, but the interface they are on must be defined.
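The thread's evidence is a set of PipelineEndpoints syslog lines showing policy=Default Rack for sessions the posters expected their custom rules to catch. The script below is an added example, not Untangle's code or anything posted by the participants: it parses the "endpoints:" key=value block of such a line, evaluates a hypothetical ordered rule table with the same fields the posts describe (client interface, server interface, client address, server address, port, rack), and flags every logged session whose recorded policy disagrees with the rack the rules predict. The mapping of the logged interface names inside/outside onto the rule editor's internal/external, the first-match semantics, and the third log line (a constructed sample for lutzkanov's 10.0.0.0/8 rule) are assumptions; the first two log lines are the ones quoted in the thread.

```python
"""Audit Untangle PipelineEndpoints syslog lines against a custom-policy rule table.

Added example, not Untangle's own code. The rule evaluation is a model of the
behaviour the thread describes, not the product's actual matching engine.
"""
import ipaddress
import re

# Assumption: logged interface names map onto the rule editor's names like this.
IFACE_NAMES = {"inside": "internal", "outside": "external"}
DEFAULT_RACK = "Default Rack"
KV_RE = re.compile(r"([\w-]+)=([^,#]+)")

# Sample input: the two lines quoted in the thread plus one constructed line
# (session-id=1) modelled on them for the 10.0.0.0/8 case.
SAMPLE_LOG = [
    "PipelineEndpoints # endpoints: create-date=Wed Jan 02 01:19:13 GMT 2008, session-id=309498780, "
    "protocol=TCP, policy=Default Rack, policy-direction=outbound, client-iface=inside, "
    "client-addr=192.168.1.50, client-port=45174, server-addr=192.168.2.50, server-port=25, "
    "server-iface=outside, client-addr=192.168.1.50, client-port=45174, server-addr=192.168.2.50, "
    "server-port=25 #",
    "Response # endpoints: create-date=Wed Jan 02 16:46:09 GMT 2008, session-id=1006886194, "
    "protocol=TCP, policy=Default Rack, policy-direction=inbound, client-iface=outside, "
    "client-addr=xxx.xxx.xxx.xxx, client-port=53303, server-addr=192.168.2.50, server-port=80, "
    "server-iface=inside, client-addr=xxx.xxx.xxx.xxx, client-port=53303, server-addr=192.168.2.50, "
    "server-port=80 # info: url=http://xxx.xxx.net/exchweb/img/icon-paperclip.gif, "
    "content-type=image/gif, content-length=156 #",
    # constructed sample, not from the thread
    "PipelineEndpoints # endpoints: create-date=Tue Feb 26 09:00:00 GMT 2008, session-id=1, "
    "protocol=TCP, policy=No Rack, policy-direction=outbound, client-iface=inside, "
    "client-addr=10.1.1.2, client-port=40000, server-addr=10.0.1.2, server-port=25, "
    "server-iface=outside #",
]


def parse_endpoints(line: str) -> dict:
    """Return the first value of every key in the 'endpoints:' block of a log line.

    client-addr/client-port/server-addr/server-port appear twice in the real
    messages (once per side of the pipeline); the first occurrence is kept.
    """
    start = line.find("endpoints:")
    if start < 0:
        raise ValueError("no endpoints block in line")
    body = line[start + len("endpoints:"):]
    end = body.find("#")                 # the block is terminated by ' #'
    body = body if end < 0 else body[:end]
    fields = {}
    for key, value in KV_RE.findall(body):
        fields.setdefault(key, value.strip())
    return fields


def rule(client_iface, server_iface, client_addr, server_addr, port, rack="No Rack"):
    """Build one custom-policy rule; interfaces/addresses/port may be 'any'."""
    return dict(client_iface=client_iface, server_iface=server_iface,
                client_addr=client_addr, server_addr=server_addr, port=port, rack=rack)


# The four rules fragglex listed, and the single rule lutzkanov reported working.
FRAGGLEX_RULES = [
    rule("internal", "external", "192.168.2.50", "192.168.1.50", 25),
    rule("external", "internal", "192.168.1.50", "192.168.2.50", 25),
    rule("internal", "external", "192.168.1.50", "192.168.2.50", 25),
    rule("external", "internal", "192.168.2.50", "192.168.1.50", 25),
]
LUTZKANOV_RULES = [rule("any", "any", "10.0.0.0/8", "10.0.0.0/8", 25)]


def _iface_ok(rule_iface: str, logged_iface: str) -> bool:
    return rule_iface == "any" or rule_iface == IFACE_NAMES.get(logged_iface, logged_iface)


def _addr_ok(rule_net: str, addr: str) -> bool:
    if rule_net == "any":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net)
    except ValueError:      # masked addresses such as xxx.xxx.xxx.xxx never match a specific network
        return False


def rule_matches(r: dict, session: dict) -> bool:
    return (session.get("protocol") == r.get("protocol", "TCP")
            and _iface_ok(r["client_iface"], session["client-iface"])
            and _iface_ok(r["server_iface"], session["server-iface"])
            and _addr_ok(r["client_addr"], session["client-addr"])
            and _addr_ok(r["server_addr"], session["server-addr"])
            and r["port"] in ("any", int(session["server-port"])))


def expected_rack(rules: list, session: dict) -> str:
    """First matching rule wins (assumed ordered-table semantics); else the default rack."""
    for r in rules:
        if rule_matches(r, session):
            return r["rack"]
    return DEFAULT_RACK


def audit(lines: list, rules: list) -> list:
    """One record per endpoints line: the rack the rules predict versus what was logged."""
    report = []
    for line in lines:
        if "endpoints:" not in line:
            continue
        s = parse_endpoints(line)
        predicted = expected_rack(rules, s)
        report.append({
            "session_id": s["session-id"],
            "flow": f'{s["client-addr"]}:{s["client-port"]} -> {s["server-addr"]}:{s["server-port"]}',
            "logged": s["policy"],
            "predicted": predicted,
            "mismatch": predicted != s["policy"],
        })
    return report


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG, FRAGGLEX_RULES + LUTZKANOV_RULES):
        flag = "MISMATCH" if rec["mismatch"] else "ok"
        print(f'{rec["session_id"]} {rec["flow"]} logged={rec["logged"]!r} '
              f'predicted={rec["predicted"]!r} {flag}')
```

Pointing the script at a syslog capture and the rule table as configured gives a quick way to separate "the rule never matched this flow" (predicted and logged both Default Rack, so the rule's interface or address fields do not describe the flow the box actually saw, which is mdh's point about the interface a server sits on) from "the rule should have matched but the box still applied the default rack" (a mismatch record, which is what the first two quoted lines show). Only the first matching rule is honoured, so rule order matters in the model exactly as the posters' rule numbering suggests.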