SMTP forward to LAN segment via a single-homed ISA 2k4

G’day Experts,

Many thanks in advance.

I have been assigned the task of supplying a web caching and incoming SMTP forwarding ISA 2004 server. The ISA server is only allowed one NIC.

The design I have been provided uses a PIX holding several real-world IP addresses. SMTP traffic is passed to the ISA server sitting within a DMZ. The PIX is responsible for blocking all data except SMTP. ISA is meant to further forward any SMTP to the IP of the Linux SME server. This server sits on the local LAN.
DMZ network   172.16.18.0/24
  Gw          172.16.18.1
  ISA         172.16.18.2

LAN mail server = 10.101.10.2
Any recommendations on how best to do this? I have been told that giving my ISA server 2 NICs is not an option, and that I should find a way to port forward?
Asked by: student-g
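The PIX side of the design described in the question, as an added example (not from the original post or from either participant): a PIX 6.x configuration that maps one public address onto the single-NIC ISA host in the DMZ, admits only SMTP from the Internet, and lets the ISA host reach the LAN on port 25 of the mail server and nothing else, with outbound web and DNS kept for the caching role. The public address 203.0.113.10, the interface and ACL names, and the outside/inside interface addresses are assumptions; the DMZ and LAN addresses are the ones given in the question.

```cisco
! Added example, not from the original thread. Assumed: PIX 6.x syntax,
! ethernet0 = outside, ethernet1 = inside, ethernet2 = dmz,
! public address 203.0.113.10 reserved for the ISA host.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.101.10.1 255.255.255.0
ip address dmz 172.16.18.1 255.255.255.0

! One public address maps to the single-NIC ISA host; the same static
! also translates the ISA host's own outbound fetches (web caching).
static (dmz,outside) 203.0.113.10 172.16.18.2 netmask 255.255.255.255

! Make the LAN mail server reachable from the DMZ without translation
! (identity NAT), so the ISA publishing rule can point at 10.101.10.2.
static (inside,dmz) 10.101.10.2 10.101.10.2 netmask 255.255.255.255

! Internet -> DMZ: only SMTP to the published address. The implicit deny
! at the end of the list drops everything else.
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

! DMZ -> inside/Internet: the ISA host may relay SMTP to the mail server
! only; everything else towards the LAN is denied before the "any" lines,
! so the web/DNS permits cannot be used to reach internal hosts.
access-list dmz_in permit tcp host 172.16.18.2 host 10.101.10.2 eq smtp
access-list dmz_in deny ip any 10.101.10.0 255.255.255.0
access-list dmz_in permit tcp host 172.16.18.2 any eq www
access-list dmz_in permit tcp host 172.16.18.2 any eq 443
access-list dmz_in permit udp host 172.16.18.2 any eq domain
access-group dmz_in in interface dmz
```

The point of the second list is that a DMZ host which is itself an SMTP relay is exactly the box an attacker would pivot from; restricting it to one destination and one port on the LAN means a compromise of the ISA host does not give layer-3 reach into 10.101.10.0/24. Verify with `show access-list dmz_in` after a test connection: the hit counter on the SMTP line should increment and the deny line should catch anything the ISA host tries elsewhere on the LAN.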
1 Solution
 
Keith Alabaster commented:
G'day yerself.

This is fine, not quite sure what your issue is; ISA with a single NIC will do all of the above.
When you install ISA, select the single interface network template option.
Make sure that all the internal addresses are added to the internal network (configuration - networks - internal addresses)

Is the DMZ made from a third interface on the PIX or is there another firewall on the inside of the pix making a dmz between?

The PIX will forward the SMTP to the ISA server.
On the ISA, right-click the firewall policy and select the Publish mail server option. Give the IP address of 10.101.10.2.
The rest is simple.

Let me know what part is giving you the grief.
 
student-g (author) commented:
G'day Keith,

Thank you for your quick reply.  

I tried the mail server publishing rule and was informed:
"ISA Server detected a single NIC configuration. Server publishing rules are not supported in a single NIC config."
"Do you still want to create the server publishing rule?"

I published the rule anyhow and watched for dropped packets via monitoring.

The above rule was ignored, and the SMTP connection was denied.

I tried creating a new "server publishing rule" based on port 25, but it also warned me and then failed.

For proof of concept I am trialling an "any to any" firewall rule and running IIS 6 as an incoming mail relay locally on the server (testing atm).

This is making me nervous because whenever I have used IIS 6 unbound to any other service (e.g. Mail Essentials, Exchange, etc.) it behaves erratically.

Is there a key or patch I can apply that will force ISA to ignore its justifiable defaults and allow publishing on a single physical interface?



Many thanks in advance.

 
Keith Alabaster commented:
http://www.isaserver.org/articles/2004ispcolo.html

Have a read here to understand the loopback adaptor.

Regards
Keith
 
student-g (author) commented:
G'day,

Thank you for the reference.  

Looking through the article and spending a fair bit of time running through ISA 2k4, I believe that I simply cannot deliver a single-NIC solution (not saying it cannot be done) that I am comfortable with. It would be an implementation that would later haunt me (due to lack of familiarity with the product) and goes against common scenarios.

I would recommend that anyone using ISA with a single NIC read the above link.

The project needs to be re-scoped correctly.

I am awarding the points to Keith because he provided as much info as possible towards the solution, faster than could be expected. The points should be upped to 150 due to the excellent response time.

Regards
student-g


 
Keith Alabaster commented:
I'll make the change and thank you :)

Regards
Keith