SMTP traffic between an Edge Transport server and an internal Hub Transport server is blocked if the Hub server is published by using ISA Server 2006 and if SMTP filtering is enabled

Article ID: 959311

SYMPTOMS

Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish an internal Hub Transport server to a Microsoft Exchange 2007 Edge Transport server.
  • In ISA Server 2006, you enable Simple Mail Transfer Protocol (SMTP) filtering.
  • When the Edge Transport server tries to send e-mail messages through ISA Server 2006 to the internal Hub Transport server, the SMTP traffic may be blocked.
  • You configure ISA Server 2006 by using the method that is described on the following Microsoft TechNet Web site:
    How to Add SMTP Verb Commands to ISA Server 2006
    http://technet.microsoft.com/en-us/library/bb851508.aspx
In this scenario, the SMTP traffic between the Edge Transport server and the internal Hub Transport server may still be blocked even though you have added the X-AnonymousTLS verb and the X-EXPs verb to the SMTP filter settings in ISA Server.

CAUSE

This problem occurs when Exchange 2007 uses the proprietary verb X-AnonymousTLS to switch to Transport Layer Security (TLS) encryption. The SMTP filter in ISA Server 2006 does not recognize that this verb starts an encrypted session. Therefore, the SMTP filter continues to inspect the traffic, even though it is encrypted. Intermittently, the SMTP filter detects malformed traffic and ends the session.

RESOLUTION

To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
959357 Description of the ISA Server 2006 hotfix package: October 29, 2008

Note You must still manually add the X-AnonymousTLS verb and the X-EXPs verb to the SMTP filter settings in ISA Server. For more information, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/bb851508.aspx

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

After you apply this hotfix, the SMTP filter in ISA Server 2006 uses passthrough mode for the X-AnonymousTLS verb, and the filter does not inspect traffic. This is identical to how the TLS verb and the STARTTLS verb are treated.
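
The following added example is a simplified model of the behavior described in the CAUSE and MORE INFORMATION sections. It is not code from ISA Server or from Microsoft. The function names, the host name, and the sample session bytes are constructed assumptions, and the model always ends the session at the first uninspectable chunk, whereas the article describes the real failure as intermittent.

```python
# Simplified model of an SMTP command filter (command phase only; DATA bodies
# are not modelled). Illustrative; not ISA Server's implementation.
STANDARD_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "RSET", "NOOP", "QUIT", "STARTTLS"}
EXCHANGE_VERBS = {"X-ANONYMOUSTLS", "X-EXPS"}  # the two verbs the article says to add

# Constructed sample of what the Edge Transport server sends (not a capture).
SESSION = [
    b"EHLO edge.example.test\r\n",
    b"X-ANONYMOUSTLS\r\n",
    b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b",  # constructed bytes standing in for the TLS handshake
    b"\x17\x03\x01\x00\x20\x9c\xf1\x8e\x03",  # constructed bytes standing in for ciphertext
]

def run_filter(chunks, allowed_verbs, passthrough_verbs):
    """Return (verdict, index of the chunk that ended the session, or None)."""
    passthrough = False
    for i, chunk in enumerate(chunks):
        if passthrough:
            continue                      # forwarded without inspection
        try:
            line = chunk.decode("ascii")
        except UnicodeDecodeError:
            return ("blocked-malformed", i)
        if not line.endswith("\r\n") or not line.strip():
            return ("blocked-malformed", i)
        verb = line.split()[0].upper()
        if verb not in allowed_verbs:
            return ("blocked-verb", i)
        if verb in passthrough_verbs:
            passthrough = True            # encrypted traffic follows; stop parsing
    return ("passed", None)

def compare_configurations():
    """Run the same session through the three configurations the article covers."""
    return {
        "verbs_not_added": run_filter(SESSION, STANDARD_VERBS, {"TLS", "STARTTLS"}),
        "verbs_added_before_hotfix": run_filter(
            SESSION, STANDARD_VERBS | EXCHANGE_VERBS, {"TLS", "STARTTLS"}),
        "verbs_added_after_hotfix": run_filter(
            SESSION, STANDARD_VERBS | EXCHANGE_VERBS,
            {"TLS", "STARTTLS", "X-ANONYMOUSTLS"}),
    }

if __name__ == "__main__":
    for name, result in compare_configurations().items():
        print(f"{name}: {result}")
```

In the model, the session is ended at the verb itself when the verbs are not added, at the first encrypted chunk when they are added without the hotfix, and not at all once X-AnonymousTLS triggers passthrough.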

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 959311 - Last Review: February 26, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition