SMTP traffic between an Edge Transport server and an internal Hub Transport server is blocked if the Hub server is published by using ISA Server 2006 and if SMTP filtering is enabled

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish an internal Hub Transport server to a Microsoft Exchange 2007 Edge Transport server.
  • In ISA Server 2006, you enable Simple Mail Transfer Protocol (SMTP) filtering.
  • When the Edge Transport server tries to send e-mail messages through ISA Server 2006 to the internal Hub Transport server, the SMTP traffic may be blocked.
  • You configure ISA Server 2006 by using the method that is described on the following Microsoft TechNet Web site:
    How to Add SMTP Verb Commands to ISA Server 2006
    http://technet.microsoft.com/en-us/library/bb851508.aspx
In this scenario, the SMTP traffic between the Edge Transport server and the internal Hub Transport server may still be blocked even though you have added the X-AnonymousTLS verb and the X-EXPs verb to the SMTP filter settings in ISA Server.
CAUSE
This problem occurs when Exchange 2007 uses the proprietary verb X-AnonymousTLS to switch to Transport Layer Security (TLS) encryption. The SMTP filter in ISA Server 2006 is not aware of the usage of this verb. Therefore, the SMTP filter inspects the traffic, even though it is encrypted. Intermittently, the SMTP filter detects malformed traffic and ends the session.
RESOLUTION
To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
959357 Description of the ISA Server 2006 hotfix package: October 29, 2008

Note You must still manually add the X-AnonymousTLS verb and the X-EXPs verb to the SMTP filter settings in ISA Server. For more information, visit the following Microsoft TechNet Web site:
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
After you apply this hotfix, the SMTP filter in ISA Server 2006 uses passthrough mode for the X-AnonymousTLS verb, and the filter does not inspect traffic. This is identical to how the TLS verb and the STARTTLS verb are treated.
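The change in filter behavior described above, as a simplified Python model. This is an added example, not ISA Server code and not part of the original article. The allow-list, the sample session bytes, and the rule that any non-command bytes end the session are assumptions; the real filter ends the session only intermittently.

```python
# Simplified model of an SMTP command filter (NOT ISA Server's implementation).
ALLOWED = {"EHLO", "MAIL", "RCPT", "DATA", "QUIT",
           "STARTTLS", "TLS", "X-ANONYMOUSTLS", "X-EXPS"}  # last two added by the admin
TLS_VERBS_BEFORE = {"STARTTLS", "TLS"}                     # filter before the hotfix
TLS_VERBS_AFTER = TLS_VERBS_BEFORE | {"X-ANONYMOUSTLS"}    # filter after the hotfix


def run_filter(client_chunks, tls_verbs):
    """Return one (decision, detail) pair per client chunk the filter handled.

    Assumption: the server accepts every TLS-starting verb, so all bytes
    after that verb are TLS records, not SMTP commands.
    """
    decisions, passthrough = [], False
    for chunk in client_chunks:
        if passthrough:
            decisions.append(("forward", "passthrough, not inspected"))
            continue
        try:
            line = chunk.decode("ascii")
        except UnicodeDecodeError:
            decisions.append(("drop", "malformed: non-ASCII bytes in command"))
            break
        verb = line.split(maxsplit=1)[0].upper() if line.strip() else ""
        if not line.endswith("\r\n") or verb not in ALLOWED:
            decisions.append(("drop", f"malformed or disallowed verb {verb!r}"))
            break
        decisions.append(("forward", f"inspected {verb}"))
        if verb in tls_verbs:
            passthrough = True  # stop inspecting: the rest is ciphertext
    return decisions


# Constructed session: two plaintext commands, then bytes shaped like TLS records.
SESSION = [
    b"EHLO edge.example.test\r\n",
    b"X-AnonymousTLS\r\n",
    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",  # handshake record (constructed)
    b"\x17\x03\x01\x00\x04\x8f\xa2\x0c\xe1",      # application data (constructed)
]

if __name__ == "__main__":
    for name, verbs in (("before hotfix", TLS_VERBS_BEFORE),
                        ("after hotfix", TLS_VERBS_AFTER)):
        print(name)
        for decision, detail in run_filter(SESSION, verbs):
            print(f"  {decision:8} {detail}")
```

In the model, allowing the X-AnonymousTLS verb is not enough on its own: the filter forwards the verb but then parses the TLS records as SMTP commands, which is why the article requires both the hotfix and the manual verb entries.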
REFERENCES
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Properties

Article ID: 959311 - Last Review: 01/15/2015 09:22:18 - Revision: 1.0

  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1