Jim --

First of all I want to say thank you for taking the time to write a lengthy and
informative response.  I have done what you suggested, and I just have a few
quick questions that I'd greatly appreciate it if you could help me out with.

I'm basically a *NIX sysadmin so I apologize for my ignorance on Exchange ... I
really should get up to date with NT becoming such an omnipresence in the
corporate environment.

Here is my situation:

My clients are all Win9x and log onto the PDC (which is the exchange server) on
a local RFC 1918 subnet (192.168.x.x).  There is no DNS or WINS, but Exchange
works fine in this environment (through SMB broadcasting I'm guessing?).

As soon as I move to a different subnet (it's actually LAN-to-LAN VPN to another
192.168 network), I can't get to the exchange server.  I added a line for it in
my Win9x box lmhosts.sam file in the Windows directory, and rebooted.  I don't
have internal DNS at all on either network, so I don't know if modifying
hosts.sam would make any difference/sense.  The guy who set up the exchange
server set one name for the host name (tcp/ip) and a different one for its
Netbios name (I can see now why Windows warns against such things).  The NT
domain coincides with the InterNIC domain, but I am not sure if this is any
help.  The Exchange server is already kinda schizophrenic, because it is proxied
to the outside world via FW-1's static NAT.  Thus Exchange thinks it is
mail.ourdomain.com (valid) while MS tcp/ip says it's 192.168.a.b.

Another complicating issue is that many of the VPN users (on the separate
subnet) have their own WINS servers specified by DHCP.  Does this render
lmhosts.sam useless?  I only wonder, because even after adding a #PRE entry (the
Exchange server) I still can't go to Net Neighborhood and do \\net-bios-name and
retrieve anything (this could be because anonymous directory shares have been
disabled in the registry and I'm not authenticated to that domain though).
"ping netbiosname" also produces "unknown host".  Basically the question is,
since the users are already logging onto one domain, with its own WINS servers,
can they ever access this Exchange server, in another domain (with no WINS
servers)?  If I specify to log onto the Exchange server's domain in Win9x, will
Windows ever know how to log onto it (since the PDC can only be looked up in
lmhosts.sam and WINS is specified in DHCP)?

Anyway, sorry to drone on.  Any morsels or tidbits of info would be very much
appreciated.

TiA...

Cheers,
John


Jim Brown wrote:

> Microsoft Exchange Clients must be able to resolve the Exchange Server by
> name AND IP address ALL of the time. When you key in the initial IP address
> during client configuration it immediately resolves that IP to a NetBIOS
> name. The client has only used the IP address to discover the NetBIOS name.
> This does not mean your client can resolve in both directions (IP to Name
> and Name to IP)
>
> Without some type of mapping, be it WINS, DNS, or a hosts file, you will
> have problems. Even though during configuration the client was able to
> resolve IP to NetBIOS this does not mean it will be able to resolve future
> requests for NetBIOS to IP. Your client now has a NetBIOS name in the
> configuration with no method to find the IP address of the server until you
> enable one of the methods stated earlier.
>
> You can either configure a WINS server with the mapping, create an entry in
> the hosts file of each client, create an entry in the lmhosts file on each
> client, or create a resolvable DNS entry.
>
> Test your client configuration by pinging X.X.X.X (IP address of Exchange
> Server) AND pinging the NetBIOS name.
> ping X.X.X.X
> ping ExchangeServerName
>
> If both of these methods work then your clients should work. Name to IP and
> IP to Name resolution is the key. You must have both. The resolve during
> client configuration is misleading. It does not mean all of the necessary
> resolution is working for the client.
>
> Exchange and Outlook is something I am very familiar with. If this does not
> solve your problem, provide me with some feedback and I am confident we can
> get it working.
>
> Jim B.
> -----Original Message-----
> From: John Hovell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 30, 2000 4:42 PM
> To: [EMAIL PROTECTED]; Belanger, Derek
> Subject: Re: [FW1] MS Exchange 5.5 to work with Checkpoint 2000
>
> Derek --
>
> Thank you very much for the response.  I don't know much about Exchange,
> other than exchange protocol is a nightmare with firewalls.  Do you mean
> this is because every time I fill in as my exchange server in the client's
> configuration by its IP: 123.45.67.89, it immediately changes into
> NETBIOS-NAME (the name that Windows calls this thing)?
>
> That _is_ what's happening, and if I change it back to the IP address, I
> can get at least a username/password logon dialog box, but it fails after
> this (default information store could not be opened).  (and the client
> config goes back to specifying the server by NETBIOS-NAME -- and I see
> nothing more in the firewall logs)
>
> This is what made me think WINS, but I'm not even sure how to go about
> this for our size organization (less than 25) with people dialing in
> remotely via the VPN-1.
>
> Any hints/clues how I am supposed to get this working?  Thank you very
> much.
>
> Cheers,
> John
>
> "Belanger, Derek" wrote:
>
> > If both the user name and server name resolve in the "Exchange Server"
> > service property sheet within the MAPI client profile, the issue is not
> > likely the firewall.
> >
> > --Derek
> >
> >                 -----Original Message-----
> >                 From:   John Hovell [mailto:[EMAIL PROTECTED]]
> >                 Sent:   Wednesday, August 30, 2000 12:59 AM
> >                 To:     [EMAIL PROTECTED]
> >                 Subject:        [FW1] MS Exchange 5.5 to work with Checkpoint 2000
> >
> >                 Hello all --
> >
> >                 I am trying to configure my FW-1 to allow users from various
> >                 subnets (VPN and other local) to access an MS Exchange server
> >                 I have on a local segment.
> >
> >                 The Exchange server is running the Exchange protocol for
> >                 client access... So far, I haven't been able to connect
> >                 correctly.
> >
> >                 FW-1 logs are showing no dropped packets (just a few on port
> >                 135 *accepted* and then nothing else) but the Outlook (97 or
> >                 2000) fail to connect (Error: Outlook cannot open your default
> >                 mail folders -- Would you like to open your default file
> >                 system instead?)
> >
> >                 I am thinking it could be one of a couple things:
> >
> >                 -- FW-1 is somehow dropping packets I don't know about
> >
> >                 -- I need to set up WINS in order for Exchange to communicate
> >                 with hosts on other subnets (but I don't think so, because
> >                 I'm pretty sure people can access Exchange right over the
> >                 Internet if there is no firewall).
> >
> >                 -- Something else??
> >
> >                 Does anyone have any experience with this kind of setup with
> >                 Exchange 5.5?  I am running Checkpoint 4.1 SP2 under Linux.
> >                 Everything else is running fine.
> >
> >                 Also, I tried disabling the "silent service" drop, but that
> >                 did not improve the situation.  For now, my policies are ANY
> >                 ANY ANY in both directions between subnets.
> >
> >                 Thanks,
> >                 John
> >



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
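
As an added example (not part of the original thread): a small Python check of LMHOSTS contents for the situation discussed above, reporting whether a client would get name-to-IP resolution for the Exchange server and a #DOM mapping for its domain. The sample file, the address 192.168.10.5 and the names EXCHSRV and OURDOMAIN are constructed, and `parse_lmhosts` and `check_client` are hypothetical helpers.

```python
import ipaddress

# Constructed sample: address and names are placeholders, not values from the thread.
SAMPLE_LMHOSTS = """\
# constructed LMHOSTS contents
192.168.10.5   EXCHSRV               #PRE #DOM:OURDOMAIN  # Exchange server / PDC
192.168.10.9   THISNAMEISWAYTOOLONG  #PRE
not-an-ip      FILESRV
"""

def parse_lmhosts(text):
    """Return (entries, problems); entries maps NAME -> {ip, pre, domain}."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank or comment line (#INCLUDE blocks are not followed)
        if len(fields) < 2:
            problems.append((lineno, "address without a NetBIOS name"))
            continue
        ip, name = fields[0], fields[1].upper()  # quoted names with hex escapes not handled
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((lineno, f"bad IPv4 address {ip!r}"))
            continue
        if len(name) > 15:  # a NetBIOS name is at most 15 characters
            problems.append((lineno, f"name {name!r} longer than 15 characters"))
            continue
        entry = {"ip": ip, "pre": False, "domain": None}
        for tok in fields[2:]:
            if tok == "#PRE":
                entry["pre"] = True
            elif tok.startswith("#DOM:"):
                entry["domain"] = tok[5:].upper()
            else:
                break  # anything else is treated as a free-text comment (assumption)
        entries.setdefault(name, entry)  # keep the first entry for a name
    return entries, problems

def check_client(text, server, domain):
    """Summarise what this file gives a client for one server and its domain."""
    entries, problems = parse_lmhosts(text)
    e = entries.get(server.upper())
    return {
        "resolves": e is not None,
        "ip": e["ip"] if e else None,
        "preloaded": bool(e and e["pre"]),
        # #DOM entries are meant to be preloaded, so require #PRE as well
        "domain_logon": bool(e and e["pre"] and e["domain"] == domain.upper()),
        "problems": problems,
    }
```

Windows reads the file named LMHOSTS with no extension; LMHOSTS.SAM is the sample that ships with it.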
