
SMSMSE Remote Console Access blocked connecting thru Forefront TMG

Created: 13 Oct 2011 | 2 comments

I have a Forefront TMG server with the Exchange 2010 Edge role installed to publish Web email apps and process SMTP - I'll call it the Edge server and it is not joined to the domain. SMSMSE 6.5 is installed.

Another Win2k8R2 server has the Exchange 2010 Client Access, Hub and Mailbox roles installed - I'll call it the Mailbox server and it is joined to the domain. SMSMSE 6.5 is installed.

My goal is to be able to manage settings on both the Edge server and Mailbox server using the SMSMSE Console Global Group - Exchange 2010 feature and do this from either server.

For SMSMSE Console connectivity I set up outbound and inbound access rules in Forefront TMG on the Edge server using port 8081. The theory being that I could use either the Mailbox or Edge servers to connect to and manage SMSMSE.

What works: From the Edge server I can use the SMSMSE console and connect to the Mailbox server by entering my domain login credentials in the form domain\username.

What doesn't work: From the Mailbox server I tried to use the SMSMSE console to connect to the Edge server by entering my local administrator credentials from the Edge server. I've tried just the user name and the form servername\username. I can't get access. Forefront logs show that the port 8081 access rule isn't working and access is being blocked by the default rule. On the Mailbox server the console access fails with a dialog box: "Unable to connect to the remote server".

All the Symantec documentation says all I need is port 8081 to access a remote console. What am I missing for this to work?


Tariq Naik:

You mentioned that Forefront logs shows that the port 8081 access rule isn't working and access is being blocked by the default rule.

So you need to fix this rule and make it work.

Does the same rule work properly when you connect using the console on the edge server? Have you specified source and destination IP addresses in the rule? Maybe your source IP gets NATted when you connect from the mailbox server, as I assume your edge servers might be in the DMZ. Maybe you should verify the source IP in the Forefront logs where it says denied connection.

benjamin_lurie:

Use a network capture tool on the mailbox server while the console is trying to connect. Then after the failure analyze the set of packets being sent to the edge server (you can do this with a destination filter). The packet capture will show which packets were not accepted by the remote server. Look at the destination port for those packets.

You will then need to configure the remote server to allow inbound traffic on those ports.  You can test this by using telnet from the command prompt.  For example:

telnet 8081

This should not come back with an error. 

Then you will know your firewall/Forefront rules are working.

Just as a note, in my lab I only saw port 8081 being used.
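The telnet test in the reply above, as an added example that is not code from the thread or from Symantec: a small TCP probe of the console port that also separates a firewall drop (what a TMG default-deny rule produces) from a closed port, which is the distinction the original question needs. The Edge server hostname is an assumption; port 8081 is the one named in the thread.

```python
"""Probe the SMSMSE remote console port and classify the outcome.

A firewall that drops the packet (e.g. Forefront TMG's default rule) produces
no SYN/ACK and no RST, so the connect times out. A host that is reachable but
has nothing listening answers with a RST, which surfaces as 'refused'.
"""
import socket

SMSMSE_CONSOLE_PORT = 8081        # port named in the thread
EDGE_HOST = "edge.example.test"   # assumed hostname, not from the thread


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<reason>' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"            # silently dropped: look at the firewall rule
    except ConnectionRefusedError:
        return "refused"            # RST received: host reachable, port closed
    except OSError as exc:
        return "error:%s" % exc     # e.g. name resolution failure
    finally:
        sock.close()


def explain(result, host, port):
    """Map a probe result onto the diagnosis the thread is after."""
    target = "%s:%d" % (host, port)
    if result == "open":
        return target + " reachable: firewall rules pass the console port"
    if result == "timeout":
        return target + " filtered: check the inbound TMG rule for this port"
    if result == "refused":
        return target + " closed: firewall passes, but no service is listening"
    return target + " probe failed (" + result + ")"


def open_local_listener():
    """Start a throwaway listener on 127.0.0.1 so the probe can be exercised offline.

    Returns (listening_socket, port); close the socket to make the port 'refused'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    outcome = probe_tcp(EDGE_HOST, SMSMSE_CONSOLE_PORT)
    print(explain(outcome, EDGE_HOST, SMSMSE_CONSOLE_PORT))
```

Run it from the Mailbox server against the Edge server; a `timeout` result points at the TMG rule, a `refused` result at the SMSMSE service itself.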