New firewall - lots of MALEx errors all the time

tfelmly
Level 1

We recently replaced a Cisco 6503 with a FWSM firewall with a Juniper SSG550. Our domain controllers are on a separate network from our Unity and Exchange server. Ever since we cut over to the Junipers, we are getting CiscoUnity_MALEx errors what seems like every time someone leaves a message. Most of the time everything is OK; however, it seems like the first few messages left in the AM fail into the MTA folder. Restarting the AvUMRSyncSvr delivers those messages.

We plugged the Cisco firewall back in and all was fine again.

From what we can tell the Juniper has the same rules that the Cisco had however something is still blocking communication. Just wondering if there are some oddball ports that Unity / Exchange needs with the domain controllers.

We are on Unity 4.1(1) with Exchange 2003 off box. The Exchange box is only used for voicemail and is on the same subnet that the Unity boxes and Call Managers are.

The text of the error is below:

Event Type: Warning
Event Source: CiscoUnity_MALEx
Event Category: Warning
Event ID: 30019
Date: 5/31/2007
Time: 2:44:57 PM
User: N/A
Computer: UNITY1
Description:
The MAPI subsystem has indicated that the Global Catalog Server neodc2.neoucom.edu which is used to resolve addresses for message submission cannot be reached, and that it has switched to using Global Catalog server neodc1.neoucom.edu. Unity will continue to function using this newly selected Global Catalog server and will not automatically switch back to the original one. If Unity does not have a dedicated connection with sufficient bandwidth to the newly selected server, then there may be significant delays in Exchange access by Unity. Please verify that Unity has a good connection to the new Global Catalog for proper functioning.

For more information, click: http://www.CiscoUnitySupport.com/find.php

These errors will flip flop between dc1 and dc2 and sometimes dc1 to dc1.

Thanks

3 Replies

Ginger Dillon
VIP Alumni

Hi -

Page 18 of 102 in this link covers the ports used by Unity - http://www.cisco.com/application/pdf/en/us/guest/products/ps4608/c2001/ccmigration_09186a0080443093.pdf

Port 3268 is the one used for the global catalog. Have you checked with the Juniper appliance vendor yet to report the problem? I know our security perim team is considering this appliance as well.

Ginger
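One way to turn the reply above into a repeatable check, as an added example that is not part of this thread or of Cisco's documentation: the script below parses the CiscoUnity_MALEx event 30019 description quoted in the question to label each Global Catalog switch (a plain failover, a flip-flop back to the GC that had just been lost, or the "dc1 to dc1" self-switch), and TCP-connects the ports Unity needs on each domain controller so a blocked port through the firewall shows up directly. Port 3268 is the one named in the reply; 389 (LDAP) and 3269 (Global Catalog over SSL) are the standard Active Directory ports and are an assumption here. The sample events and the simulated connect function are constructed so the script runs offline; for a real check, call `check_dc_ports` with its default connect function from the Unity host.

```python
"""Added example (not from the thread or Cisco): parse CiscoUnity_MALEx event
30019 texts to spot Global Catalog flip-flops, and TCP-check the ports Unity
needs toward each domain controller through the firewall."""
import re
import socket

# 3268 (Global Catalog) is the port named in the thread. 389 (LDAP) and
# 3269 (Global Catalog over SSL) are the standard Active Directory ports and
# are an assumption here, not something the thread lists.
DC_PORTS = {389: "LDAP", 3268: "Global Catalog", 3269: "Global Catalog (SSL)"}

EVENT_30019 = re.compile(
    r"Global Catalog Server\s+(?P<failed>\S+)\s+which is used.*?"
    r"switched to using Global Catalog server\s+(?P<selected>\S+)\.",
    re.DOTALL | re.IGNORECASE,
)


def parse_malex_30019(description):
    """Return (unreachable_gc, newly_selected_gc) from an event 30019 text, or None."""
    match = EVENT_30019.search(description)
    if not match:
        return None
    return match.group("failed").lower(), match.group("selected").lower()


def classify_switches(descriptions):
    """Label each GC switch in a time-ordered list of event descriptions.

    'failover'    - a switch away from a GC to one that was not just lost
    'flip-flop'   - Unity moved back to the GC that had just been unreachable
    'self-switch' - the 'dc1 to dc1' case: the same GC is reported lost and re-selected
    """
    labelled = []
    previously_failed = None
    for text in descriptions:
        parsed = parse_malex_30019(text)
        if parsed is None:
            continue  # not a 30019 GC-switch event
        failed, selected = parsed
        if failed == selected:
            kind = "self-switch"
        elif selected == previously_failed:
            kind = "flip-flop"
        else:
            kind = "failover"
        labelled.append((failed, selected, kind))
        previously_failed = failed
    return labelled


def _tcp_connect(host, port, timeout):
    """Real TCP connect used outside tests; True if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host, connect=_tcp_connect, timeout=3.0):
    """TCP-connect every required port on one DC; returns {port: reachable}."""
    return {port: bool(connect(host, port, timeout)) for port in DC_PORTS}


def unreachable_ports(reachability):
    """Ports from a check_dc_ports result that the firewall (or the DC) did not answer on."""
    return sorted(port for port, ok in reachability.items() if not ok)


def _event(failed, selected):
    """Constructed sample event text modelled on the event quoted in the thread."""
    return (
        "The MAPI subsystem has indicated that the Global Catalog Server "
        f"{failed} which is used to resolve addresses for message submission "
        "cannot be reached, and that it has switched to using Global Catalog "
        f"server {selected}. Unity will continue to function using this newly "
        "selected Global Catalog server and will not automatically switch back."
    )


# Constructed sample sequence: dc2 -> dc1, then back to dc2, then dc1 -> dc1.
SAMPLE_EVENTS = [
    _event("neodc2.neoucom.edu", "neodc1.neoucom.edu"),
    _event("neodc1.neoucom.edu", "neodc2.neoucom.edu"),
    _event("neodc1.neoucom.edu", "neodc1.neoucom.edu"),
    "Unrelated warning text that is not a 30019 event.",
]


if __name__ == "__main__":
    for failed, selected, kind in classify_switches(SAMPLE_EVENTS):
        print(f"{kind:11} {failed} -> {selected}")
    # Simulated connect (constructed): a firewall that passes LDAP but drops 3268.
    simulated = lambda host, port, timeout: port != 3268
    result = check_dc_ports("neodc2.neoucom.edu", connect=simulated)
    print("blocked:", [f"{p}/{DC_PORTS[p]}" for p in unreachable_ports(result)])
```

A run of "flip-flop" and "self-switch" labels in the classifier output is the pattern the question describes; pairing it with a port that comes back unreachable on every DC behind the firewall points at the rule set rather than at the domain controllers themselves.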

The problem is almost 100% coming from our Juniper firewall. Today we placed one of the domain controllers on the same vlan that the unity/exchange boxes are on and no more errors. The rule on the firewall is any to any on any service between the voice vlan and the domain controllers. Couldn't get more open than that.

Any ideas?

I've posted the AvDSGlobalCatalog log for those interested.

Todd

tfelmly
Level 1

I'd like to update this for archival purposes...

We were never able to clear up the communication problem between our domain controllers and unity/exchange boxes through the Juniper firewall. We ended up building a third domain controller and placing it on the same VLAN that the unity/exchange/call managers are on.

No more errors and everything works 100%.

Best to follow Cisco documentation and not place a firewall between this stuff. What's strange is our Cisco firewall posed no problems in the same setup!
