Solved

smtp forward to lan segment via a single homed ISA 2k4

Posted on 2006-06-25
Last Modified: 2013-11-16
G’day Experts,

Many thanks in advance.

I have been assigned the task of supplying a web caching and incoming SMTP forwarding ISA 2004 server. The ISA server is only allowed one NIC.

The design I have been provided uses a PIX holding several real world IP addresses. SMTP traffic is passed to the ISA server sitting within a DMZ. The PIX is responsible for blocking data except SMTP. ISA is meant to further forward any SMTP to the IP of a Linux SME server. This server sits on the local LAN.

DMZ network: 172.16.18.0/24
    Gw:  172.16.18.1
    Isa: 172.16.18.2

LAN mail server: 10.101.10.2

Any recommendations on how best to do this? I have been told that giving my ISA server 2 NICs is not an option, and that I should find a way to port forward?
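The PIX side of the design described above (real-world addresses on the outside, only SMTP allowed through to the single-NIC ISA host in the DMZ, and the DMZ host allowed to reach only the LAN mail server on port 25) written out as a PIX 6.x-style configuration fragment. This is an added illustration, not configuration from the question or from any poster in the thread. It assumes the DMZ hangs off a third PIX interface, that 203.0.113.10 is one of the PIX's real-world addresses, and that the LAN is 10.101.10.0/24; the interface names, the public address and the LAN subnet are all constructed for the example.

```cisco
! Added example (not from the thread). Interface names, the public
! address 203.0.113.10 and the LAN subnet 10.101.10.0/24 are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.101.10.1 255.255.255.0
ip address dmz 172.16.18.1 255.255.255.0

! One public address mapped one-to-one onto the ISA host in the DMZ.
static (dmz,outside) 203.0.113.10 172.16.18.2 netmask 255.255.255.255 0 0

! Inbound from the Internet: TCP/25 to that address and nothing else.
! Everything not listed is dropped by the implicit deny.
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

! DMZ hosts reach the LAN untranslated, but only what dmz_in permits.
static (inside,dmz) 10.101.10.0 10.101.10.0 netmask 255.255.255.0 0 0

! From the DMZ: SMTP to the LAN mail server only; all other traffic to
! the LAN is denied before the outbound permits for the web cache role.
access-list dmz_in permit tcp host 172.16.18.2 host 10.101.10.2 eq smtp
access-list dmz_in deny ip any 10.101.10.0 255.255.255.0
access-list dmz_in permit udp host 172.16.18.2 any eq domain
access-list dmz_in permit tcp host 172.16.18.2 any eq www
access-list dmz_in permit tcp host 172.16.18.2 any eq https
access-group dmz_in in interface dmz

! Outbound web fetches from the DMZ leave via the PIX outside address.
nat (dmz) 1 172.16.18.0 255.255.255.0
global (outside) 1 interface
```

The `deny ip any 10.101.10.0` line sits before the outbound permits so that a compromised relay in the DMZ cannot open anything towards the LAN except port 25 on the mail server; the later `permit ... any` lines exist only because the same ISA host also does outbound web caching.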
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16979843
G'day yerself.

This is fine, not quite sure what your issue is; ISA with a single NIC will do all of the above.
When you install ISA, select the single interface network template option.
Make sure that all the internal addresses are added to the internal network (configuration - networks - internal addresses).

Is the DMZ made from a third interface on the PIX or is there another firewall on the inside of the pix making a dmz between?

The PIX will forward the SMTP to the ISA server.
On the ISA, right-click the firewall policy and select the Publish mail server option. Give the IP address 10.101.10.2.
The rest is simple.

Let me know what part is giving you the grief.

Author Comment

by:student-g
ID: 17001480
G'day Keith,

Thank you for your quick reply.  

I tried the mail server publishing rule and was informed
"ISA server detected a single NIC configuration Server publishing rules are not supported in a single nic config"
“Do you still want to create server publishing rule?”

I published the rule anyhow... and watched for dropped packets via monitoring.

The above rule was ignored... and the SMTP connection denied.

I tried creating a new "server publishing rule" based on port 25... but it also warned me and then failed.

For proof of concept I am trialling an "any to any" firewall rule and running IIS 6 as an incoming mail relay locally on the server. (Testing atm.)

This is making me nervous because whenever I have used IIS 6 unbound to any other service (eg mail essentials, exchange etc etc) it behaves erratically.

Is there a key or patch I can apply that will force ISA to ignore its justifiable defaults and allow publishing on a single physical interface?



Many thanks in advance
LVL 51

Accepted Solution

by: Keith Alabaster (earned 150 total points)
ID: 17003265
http://www.isaserver.org/articles/2004ispcolo.html

Have a read here to understand the loopback adaptor.

Regards
Keith

Author Comment

by:student-g
ID: 17018377
G'day,

Thank you for the reference.  

Looking through the article and spending a fair bit of time running through ISA2k4, I believe that I simply cannot deliver a single NIC solution (not saying it cannot be done) that I am comfortable with. It would be an implementation that would later haunt me (due to lack of familiarity with the product) and goes against common scenarios.

I would recommend that anyone using ISA with single NICs read the above link.

The project needs to be re-scoped correctly.

I am awarding the points to Keith because he provided as much possible info to the solution, faster than could be expected. The points should be upped to 150 due to excellent response time.

Regards
student-g


LVL 51

Expert Comment

by:Keith Alabaster
ID: 17018400
I'll make the change and thank you :)

Regards
Keith