Solved

SMTP forward to LAN segment via a single-homed ISA 2k4

Posted on 2006-06-25
421 Views
Last Modified: 2013-11-16
G’day Experts,

Many thanks in advance.

I have been assigned the task of supplying a web caching and incoming SMTP forwarding ISA 2004 server. The ISA server is only allowed one NIC.

The design I have been provided uses a PIX holding several real-world IP addresses. SMTP traffic is passed to the ISA server sitting within a DMZ. The PIX is responsible for blocking all data except SMTP. ISA is meant to further forward any SMTP to the IP of the Linux SME server. This server sits on the local LAN.
   

DMZ network       172.16.18.0/24
    Gw            172.16.18.1
    ISA           172.16.18.2

LAN mail server = 10.101.10.2


Any recommendations on how best to do this? I have been told that giving my ISA server 2 NICs is not an option, and that I should find a way to port forward?
Question by:student-g
 

Expert Comment

by:Keith Alabaster
ID: 16979843
G'day yerself.

This is fine, not quite sure what your issue is; ISA with a single NIC will do all of the above.
When you install ISA, select the single interface network template option.
Make sure that all the internal addresses are added to the internal network (configuration - networks - internal addresses)

Is the DMZ made from a third interface on the PIX or is there another firewall on the inside of the pix making a dmz between?

The PIX will forward the SMTP to the ISA server.
On the ISA, right-click the firewall policy and select the Publish mail server option. Give the IP address 10.101.10.2.
The rest is simple.

Let me know what part is giving you the grief.

Author Comment

by:student-g
ID: 17001480
G'day Keith,

Thank you for your quick reply.  

I tried the mail server publishing rule and was informed:
"ISA Server detected a single NIC configuration. Server publishing rules are not supported in a single NIC config."
"Do you still want to create the server publishing rule?"

I published the rule anyhow and watched for dropped packets via monitoring.

The above rule was ignored and the SMTP connection denied.

I tried creating a new "server publishing rule" based on port 25, but it also warned me and then failed.

For proof of concept I am trialling an "any to any" firewall rule and running IIS 6 as an incoming mail relay locally on the server (testing atm).

This is making me nervous because whenever I have used IIS 6 unbound to any other service (e.g. Mail Essentials, Exchange etc.) it behaves erratically.

Is there a key or patch I can apply that will force ISA to ignore its justifiable defaults and allow publishing on a single physical interface?



Many thanks in advance

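As an added check that is not part of the thread (the code below is mine, not student-g's or Keith's, and the host names, banners and mailbox addresses in it are assumptions): once the PIX rule and the ISA publishing rule are in place, probe the published address from outside the DMZ the way a sending MTA would. The 220 banner tells you which host actually answered, i.e. whether the connection terminated on the ISA box's own IIS SMTP service or was forwarded through to the Linux SME server at 10.101.10.2, and the RCPT test shows whether whatever answered will relay for a domain it does not host, which is worth knowing while an "any to any" rule is in place. The block includes a constructed in-process SMTP responder standing in for the LAN mail server so it runs offline; for the real test point `probe_smtp` at 172.16.18.2 port 25.

```python
import socket
import threading
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SmtpProbeResult:
    banner: str                              # 220 greeting: says WHICH host answered
    ehlo_ok: bool
    extensions: List[str] = field(default_factory=list)
    relays_external: Optional[bool] = None   # None when the check could not run


def _read_reply(f):
    """Read one SMTP reply, including '250-' continuation lines."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # "250 " ends, "250-" continues
            break
    return int(lines[0][:3]), lines


def probe_smtp(host, port=25, helo_name="probe.example.net",
               mail_from="probe@example.net", rcpt_to="nobody@example.org",
               timeout=10):
    """Connect like a sending MTA and report banner, EHLO and relay behaviour."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def cmd(text):
            s.sendall((text + "\r\n").encode("ascii"))
            return _read_reply(f)

        code, lines = _read_reply(f)
        if code != 220:
            raise RuntimeError("unexpected greeting: %r" % lines)
        result = SmtpProbeResult(banner=lines[0], ehlo_ok=False)
        code, lines = cmd("EHLO " + helo_name)
        if code == 250:
            result.ehlo_ok = True
            result.extensions = [l[4:] for l in lines[1:]]
            # Relay check with a domain this server does not host. 250 here is
            # a strong sign of an open relay; some MTAs only reject at DATA,
            # so False means "not proven", not "safe".
            code, _ = cmd("MAIL FROM:<%s>" % mail_from)
            if code == 250:
                code, _ = cmd("RCPT TO:<%s>" % rcpt_to)
                result.relays_external = code in (250, 251)
                cmd("RSET")
        cmd("QUIT")
        return result


def start_fake_smtp(banner="220 mail.lan.example ESMTP", accept_relay=False,
                    local_domain="lan.example"):
    """Constructed stand-in for the LAN mail server (not a real MTA) so the
    probe can be exercised offline. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn, conn.makefile("rb") as f:
            conn.sendall((banner + "\r\n").encode("ascii"))
            for raw in iter(f.readline, b""):
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(" ", 1)[0].upper()
                if verb == "EHLO":
                    conn.sendall(b"250-mail.lan.example\r\n250 SIZE 10485760\r\n")
                elif verb == "RCPT":
                    domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                    ok = accept_relay or domain == local_domain
                    conn.sendall(b"250 OK\r\n" if ok else b"554 Relay access denied\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:  # MAIL, RSET, NOOP ...
                    conn.sendall(b"250 OK\r\n")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by stop_function
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


if __name__ == "__main__":
    port, stop = start_fake_smtp()
    print(probe_smtp("127.0.0.1", port))  # use 172.16.18.2, 25 for the real DMZ test
    stop()
```

Run it from a host on the outside of the PIX as well as from the DMZ: if the banner from 172.16.18.2 is the ISA box's own IIS service rather than the SME server's, the publishing rule is not doing the forwarding, which is exactly the failure the single-NIC warning describes. A `relays_external` of True on an Internet-facing address means the relay should not stay up in that state.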

Accepted Solution

by: Keith Alabaster (earned 150 total points)
ID: 17003265
http://www.isaserver.org/articles/2004ispcolo.html

Have a read here to understand the loopback adaptor.

Regards
Keith

Author Comment

by:student-g
ID: 17018377
G'day,

Thank you for the reference.  

Looking through the article and spending a fair bit of time running through ISA 2k4, I believe that I simply cannot deliver a single-NIC solution (not saying it cannot be done) that I am comfortable with. It would be an implementation that would later haunt me (due to lack of familiarity with the product) and goes against common scenarios.

I would recommend that anyone using ISA with a single NIC read the above link.

The project needs to be re-scoped correctly.

I am awarding the points to Keith because he provided as much info as possible towards the solution, faster than could be expected. The points should be upped to 150 due to the excellent response time.

Regards
student-g



Expert Comment

by:Keith Alabaster
ID: 17018400
I'll make the change and thank you :)

Regards
Keith