[cameron]

source parameters
IP address: ИП компьютера с проблемой
Traffic sent from anonymous user

destination:
адрес вашего почтового сервера и порт подключения

[YORK]

Allowed Traffic
Denied Traffic - destination URL host name could not be resolved
Rule Name: Email
Rule Order: 3

Additional information
From: Internal
To: External
Network Rule Name: Internet Access
Network Relationship: NAT
Protocol: POP3
Rule Application Filter:


Traffic allowed by firewall policy rules may be blocked by Web or Application filters.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Allowed Traffic
Denied Traffic - destination URL host name could not be resolved
Rule Name: Email
Rule Order: 3

Additional information
From: Internal
To: External
Network Rule Name: Internet Access
Network Relationship: NAT
Protocol: 587 Port
Rule Application Filter:


Traffic allowed by firewall policy rules may be blocked by Web or Application filters.

[cameron]

что вы вписали в destination?

давайте не замалёванные скришоты, гадание на кофейной гуще малорезультативно.

[YORK]

Там указывал и 110 и 587 порт

[cameron]

отлично.
скрин результата + полный из Diagnostic Logging'а (это можно текстом)

[YORK]

3618 24.06.2011 18:45:01 000023d0 Firewall Engine source does not match the packet.
3619 24.06.2011 18:45:01 000023d0 Firewall Engine Forefront TMG is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
3620 24.06.2011 18:45:01 000023d0 Firewall Engine The source port does not match the rule.
3621 24.06.2011 18:45:01 000023d0 Firewall Engine Forefront TMG is evaluating the rule GFI WebMonitor GUI Access.
3622 24.06.2011 18:45:01 000023d0 Firewall Engine destination does not match the packet.
3623 24.06.2011 18:45:01 000023d0 Firewall Engine Forefront TMG is evaluating the rule GFI WebMonitor Updates Access.
3624 24.06.2011 18:45:01 000023d0 Firewall Engine source does not match the packet.
3625 24.06.2011 18:45:01 000023d0 Firewall Engine Forefront TMG is evaluating the rule Full Access Nat users.
3626 24.06.2011 18:45:01 000023d0 Firewall Engine The rule cannot be evaluated by the Firewall Engine because the rule applies to a specific user.
3627 24.06.2011 18:45:01 000023d0 Firewall Engine The rule Full Access Nat users has parameters that cannot be evaluated by the Firewall Engine. The packet is passed to the Firewall service to complete rule evaluation.
3628 24.06.2011 18:45:01 000023d0 Firewall Engine The action of the rule cannot be determined without evaluation by the Firewall service.
3629 24.06.2011 18:45:01 000023d0 Firewall service The Firewall service is performing rule evaluation.
3630 24.06.2011 18:45:01 000023d0 Firewall service Packet properties: Source IP address: 192.168.110.21 Source array network: Internal Destination IP address: 130.117.190.210 Destination array network: External
3631 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is looking for an applicable network rule.
3632 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the network rule Local Host Access.
3633 24.06.2011 18:45:01 000023d0 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3634 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is checking the reverse direction of the network rule Local Host Access.
3635 24.06.2011 18:45:01 000023d0 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3636 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the network rule VPN Clients to Internal Network.
3637 24.06.2011 18:45:01 000023d0 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3638 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is checking the reverse direction of the network rule VPN Clients to Internal Network.
3639 24.06.2011 18:45:01 000023d0 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3640 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the network rule Internet Access.
3641 24.06.2011 18:45:01 000023d0 Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.
3642 24.06.2011 18:45:01 000023d0 Firewall service The network rule Internet Access matches the source and destination. A NAT relationship is specified.
3643 24.06.2011 18:45:01 000023d0 Firewall service The Firewall service is performing rule evaluation.
3644 24.06.2011 18:45:01 000023d0 Firewall service Packet properties: Source IP address: 192.168.110.21 Source array network: Internal Destination IP address: 130.117.190.210 Destination array network: External
3645 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is looking for an applicable network rule.
3646 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the network rule Local Host Access.
3647 24.06.2011 18:45:01 000023d0 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3648 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is checking the reverse direction of the network rule Local Host Access.
3649 24.06.2011 18:45:01 000023d0 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3650 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the network rule VPN Clients to Internal Network.
3651 24.06.2011 18:45:01 000023d0 Firewall service The source IP address in the packet does not match the source specified in the network rule.
3652 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is checking the reverse direction of the network rule VPN Clients to Internal Network.
3653 24.06.2011 18:45:01 000023d0 Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3654 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the network rule Internet Access.
3655 24.06.2011 18:45:01 000023d0 Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.
3656 24.06.2011 18:45:01 000023d0 Firewall service The network rule Internet Access matches the source and destination. A NAT relationship is specified.
3657 24.06.2011 18:45:01 000023d0 Firewall service The Firewall service is performing rule evaluation.
3658 24.06.2011 18:45:01 000023d0 Firewall service Protocol: BranchCache - Advertise
3659 24.06.2011 18:45:01 000023d0 Firewall service Packet properties: Source IP address: 192.168.110.21 Source array network: Internal Destination IP address: 130.117.190.210 Destination array network: External
3660 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG will check only rules that are associated with the protocol BranchCache - Advertise.
3661 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
3662 24.06.2011 18:45:01 000023d0 Firewall service The source port does not match the rule.
3663 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule Full Access Nat users.
3664 24.06.2011 18:45:01 000023d0 Firewall service The rule does not match because the rule requires authentication and no user is specified in the packet.
3665 24.06.2011 18:45:01 000023d0 Firewall service The rule Full Access Nat users requires user authentication for evaluation.
3666 24.06.2011 18:45:01 000023d0 Firewall service The rule Full Access Nat users requires user authentication.
3667 24.06.2011 18:45:01 000023d0 Firewall service The Firewall service is performing rule evaluation.
3668 24.06.2011 18:45:01 000023d0 Firewall service Protocol: HTTPS
3669 24.06.2011 18:45:01 000023d0 Firewall service Packet properties: Source IP address: 192.168.110.21 Source array network: Internal Destination IP address: 130.117.190.210 Destination array network: External
3670 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG will check only rules that are associated with the protocol HTTPS.
3671 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule [System] Allow HTTP/HTTPS from Forefront TMG to specified Microsoft error reporting sites.
3672 24.06.2011 18:45:01 000023d0 Firewall service source does not match the packet.
3673 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule [System] Allow HTTP/HTTPS requests from Forefront TMG to specified sites.
3674 24.06.2011 18:45:01 000023d0 Firewall service source does not match the packet.
3675 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule [System] Allow HTTP/HTTPS from Forefront TMG to specified Microsoft Update sites.
3676 24.06.2011 18:45:01 000023d0 Firewall service source does not match the packet.
3677 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
3678 24.06.2011 18:45:01 000023d0 Firewall service The source port does not match the rule.
3679 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule GFI WebMonitor GUI Access.
3680 24.06.2011 18:45:01 000023d0 Firewall service destination does not match the packet.
3681 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule GFI WebMonitor Updates Access.
3682 24.06.2011 18:45:01 000023d0 Firewall service source does not match the packet.
3683 24.06.2011 18:45:01 000023d0 Firewall service Forefront TMG is evaluating the rule Full Access Nat users.
3684 24.06.2011 18:45:01 000023d0 Firewall service The rule does not match because the rule requires authentication and no user is specified in the packet.
3685 24.06.2011 18:45:01 000023d0 Firewall service The rule Full Access Nat users requires user authentication for evaluation.
3686 24.06.2011 18:45:01 000023d0 Firewall service The rule Full Access Nat users requires user authentication.
3687 24.06.2011 18:45:23 fffdcedc Firewall service The Firewall service is performing rule evaluation.
3688 24.06.2011 18:45:23 fffdcedc Firewall service Protocol: POP3
3689 24.06.2011 18:45:23 fffdcedc Firewall service Packet properties: Source IP address: 192.168.110.21 Source array network: Internal Destination IP address: 212.252.122.217 Destination array network: External
3690 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG will check only rules that are associated with the protocol POP3.
3691 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is evaluating the rule [System] Allow MS Firewall Control communication to selected computers.
3692 24.06.2011 18:45:23 fffdcedc Firewall service The source port does not match the rule.
3693 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is evaluating the rule Email.
3694 24.06.2011 18:45:23 fffdcedc Firewall service The rule Email matches the packet. The packet is allowed.
3695 24.06.2011 18:45:23 fffdcedc Firewall service The rule Email allowed the packet.
3696 24.06.2011 18:45:23 fffdcedc Firewall service The Firewall service is performing rule evaluation.
3697 24.06.2011 18:45:23 fffdcedc Firewall service Packet properties: Source IP address: 192.168.110.21 Source array network: Internal Destination IP address: 212.252.122.217 Destination array network: External
3698 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is looking for an applicable network rule.
3699 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is evaluating the network rule Local Host Access.
3700 24.06.2011 18:45:23 fffdcedc Firewall service The source IP address in the packet does not match the source specified in the network rule.
3701 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is checking the reverse direction of the network rule Local Host Access.
3702 24.06.2011 18:45:23 fffdcedc Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3703 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is evaluating the network rule VPN Clients to Internal Network.
3704 24.06.2011 18:45:23 fffdcedc Firewall service The source IP address in the packet does not match the source specified in the network rule.
3705 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is checking the reverse direction of the network rule VPN Clients to Internal Network.
3706 24.06.2011 18:45:23 fffdcedc Firewall service The destination IP address in the packet does not match the source specified in the network rule.
3707 24.06.2011 18:45:23 fffdcedc Firewall service Forefront TMG is evaluating the network rule Internet Access.
3708 24.06.2011 18:45:23 fffdcedc Firewall service The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.
3709 24.06.2011 18:45:23 fffdcedc Firewall service The network rule Internet Access matches the source and destination. A NAT relationship is specified.

[cameron]

так, отлично, по правилу №3 вы получаете доступ к почтовому серверу.
проверьте это телнетом.
далее, если телнет будет проходить (адрес для проверки такой же как в настройках аутлука), то вам необходимо зайти в:
networking-networks-confirure Forefront TMG client settings, найти там outlook-disable-1 и изменить на outlook-disable-0.

после чего проверить работоспособность, и елси не работает описать проблему ещё раз с полными скринами.

[YORK]

telnet 212.252.122.217:110
результат
+OK <25494.1308971056@mail5.superonline.com>

изменил на outlook-disable-0 не помогло
ок щас с скринами опишусь

[YORK]

Значит так.
Есть Иса сервер (TMG) в нем есть правила.
так как у нас нету EXCHANGE сервера , мы получаем почту с наружу.
Так вот при таком правиле



Outlook выдает такую ошибку





а когда вместо internal указываю определенного юзера (компьютера) то все начинает нормально работать.

[cameron]

добавьте в правило 3 протокол DNS.