Solved

SMTP forward to LAN segment via a single-homed ISA 2k4

Posted on 2006-06-25
Last Modified: 2013-11-16
G’day Experts,

Many thanks in advance.

I have been assigned the task of supplying a web-caching and incoming SMTP-forwarding ISA 2004 server. The ISA server is only allowed one NIC.

The design I have been provided uses a PIX holding several real-world IP addresses. SMTP traffic is passed to the ISA server sitting within a DMZ. The PIX is responsible for blocking all data except SMTP. ISA is meant to further forward any SMTP to the IP of a Linux SME server. This server sits on the local LAN.


DMZ network: 172.16.18.0/24
  Gateway:   172.16.18.1
  ISA:       172.16.18.2

LAN mail server: 10.101.10.2


Any recommendations on how best to do this? I have been told that giving my ISA server 2 NICs is not an option, and that I should find a way to port forward?
Question by: student-g
6 Comments
Expert Comment

by: Keith Alabaster
ID: 16979843
G'day yerself.

This is fine, not quite sure what your issue is; ISA with a single NIC will do all of the above.
When you install ISA, select the single interface network template option.
Make sure that all the internal addresses are added to the internal network (configuration - networks - internal addresses)

Is the DMZ made from a third interface on the PIX, or is there another firewall on the inside of the PIX making a DMZ between?

The PIX will forward the SMTP to the ISA server.
On the ISA, right-click the firewall policy and select the Publish mail server option. Give the IP address of 10.101.10.2.
The rest is simple.

Let me know what part is giving you the grief.
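The probe below is an added example, not code from the thread, from ISA or from the PIX; it is a small Python check for verifying each leg of the SMTP path Keith describes (outside to the PIX public address, PIX to the ISA at 172.16.18.2, ISA to the LAN server at 10.101.10.2) by opening port 25, reading the 220 greeting, issuing EHLO and quitting. Run it from each side of a hop: a silently dropped connection (timeout) is the usual sign of a firewall deny, a refused connection means nothing is listening or a rule is resetting it, and "bad-banner" means the port is open but something other than a mail server answered. The stub server, the host and probe names and the port-finding helper are constructed for the example; the thread's addresses appear only as labels and are never contacted.

```python
import socket
import socketserver
import threading

# Addresses from the thread, used only as labels for the hops (nothing here
# connects to them). The probe, stub server and helpers are constructed for
# this example and are not part of ISA, PIX or the original post.
HOPS = [
    ("PIX -> ISA (DMZ)", "172.16.18.2", 25),
    ("ISA -> LAN mail server", "10.101.10.2", 25),
]


def _read_reply(rfile):
    """Read one SMTP reply, including multi-line '250-...' continuations.
    Returns (code, lines). Raises ValueError if the peer speaks something other
    than SMTP, ConnectionError if it closed the socket."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines


def smtp_hop_check(host, port=25, timeout=5.0, helo_name="probe.example"):
    """Probe one hop: TCP connect, expect a 220 greeting, send EHLO, then QUIT.
    status is 'ok', 'refused' (RST: nothing listening or a rule rejecting),
    'timeout' (silently dropped, the usual sign of a firewall deny),
    'unreachable', 'bad-banner' (open port but not SMTP) or 'ehlo-rejected'."""
    result = {"host": host, "port": port, "status": "error", "banner": None, "ehlo": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["status"] = "refused"
        return result
    except (socket.timeout, TimeoutError):
        result["status"] = "timeout"
        return result
    except OSError:
        result["status"] = "unreachable"
        return result
    with sock:
        rfile = sock.makefile("rb")
        try:
            code, lines = _read_reply(rfile)
            result["banner"] = lines[0]
            if code != 220:
                result["status"] = "bad-banner"
                return result
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            code, lines = _read_reply(rfile)
            result["ehlo"] = lines
            result["status"] = "ok" if code == 250 else "ehlo-rejected"
            sock.sendall(b"QUIT\r\n")
            try:
                _read_reply(rfile)  # 221; failures on the way out are not interesting
            except (ValueError, OSError):
                pass
        except (ValueError, OSError):
            # Garbage instead of a reply code, or the peer dropped us mid-dialogue
            result["status"] = "bad-banner" if result["banner"] is None else "error"
    return result


def check_path(hops, timeout=5.0):
    """Run smtp_hop_check over (label, host, port) tuples; results keep hop order."""
    return [dict(smtp_hop_check(host, port, timeout), label=label) for label, host, port in hops]


class _StubSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the LAN mail server: greets, answers EHLO, honours QUIT."""

    def handle(self):
        self.wfile.write(b"220 mail.lan.example ESMTP stub ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.split(None, 1)[0].upper() if line.strip() else b""
            if verb == b"EHLO":
                self.wfile.write(b"250-mail.lan.example Hello\r\n250 SIZE 10240000\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 mail.lan.example closing\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def start_stub_server(bind="127.0.0.1"):
    """Start the stub on an ephemeral loopback port in a daemon thread; returns (server, port)."""
    server = socketserver.ThreadingTCPServer((bind, 0), _StubSMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port(bind="127.0.0.1"):
    """An unused loopback port, to demonstrate the 'refused' outcome."""
    with socket.socket() as s:
        s.bind((bind, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_stub_server()
    print(smtp_hop_check("127.0.0.1", port))         # stub answers: status 'ok'
    print(smtp_hop_check("127.0.0.1", free_port()))  # nothing listening: 'refused'
    server.shutdown()
    server.server_close()
```

Against the real design, replace HOPS with the PIX public address (checked from outside), then 172.16.18.2 (checked from the PIX side of the DMZ) and 10.101.10.2 (checked from the ISA itself); the first hop that reports 'timeout' instead of 'ok' is where the traffic is being dropped.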
Author Comment

by: student-g
ID: 17001480
G'day Keith,

Thank you for your quick reply.  

I tried the mail server publishing rule and was informed:
"ISA server detected a single NIC configuration. Server publishing rules are not supported in a single NIC config."
"Do you still want to create server publishing rule?"

I published the rule anyhow and watched for dropped packets via monitoring.

The above rule was ignored and the SMTP connection denied.

I tried creating a new "server publishing rule" based on port 25, but it also warned me and then failed.

For proof of concept I am trialling an "any to any" firewall rule and running IIS 6 as an incoming mail relay locally on the server (testing atm).

This is making me nervous because whenever I have used IIS 6 unbound to any other service (e.g. Mail Essentials, Exchange, etc.) it behaves erratically.

Is there a key or patch I can apply that will force ISA to ignore its justifiable defaults and allow publishing on a single physical interface?

Many thanks in advance

Accepted Solution

by: Keith Alabaster (earned 150 total points)
ID: 17003265
http://www.isaserver.org/articles/2004ispcolo.html

Have a read here to understand the loopback adaptor.

Regards
Keith
Author Comment

by: student-g
ID: 17018377
G'day,

Thank you for the reference.  

Looking through the article and spending a fair bit of time running through ISA2k4, I believe that I simply cannot deliver a single-NIC solution (not saying it cannot be done) that I am comfortable with. It would be an implementation that would later haunt me (due to lack of familiarity with the product) and goes against common scenarios.

I would recommend that anyone using ISA with a single NIC read the above link.

The project needs to be re-scoped correctly.

I am awarding the points to Keith because he provided as much info as possible towards the solution, faster than could be expected. The points should be upped to 150 due to excellent response time.

Regards
student-g


Expert Comment

by: Keith Alabaster
ID: 17018400
I'll make the change and thank you :)

Regards
Keith