Solved

SMTP forward to LAN segment via a single-homed ISA 2k4

Posted on 2006-06-25
Last Modified: 2013-11-16
G’day Experts,

Many thanks in advance.

I have been assigned the task of supplying a web caching and incoming SMTP forwarding ISA 2004 server. The ISA server is only allowed one NIC.

The design I have been provided uses a PIX holding several real-world IP addresses. SMTP traffic is passed to the ISA server sitting within a DMZ. The PIX is responsible for blocking all data except SMTP. ISA is meant to further forward any SMTP to the IP of a Linux SME server. This server sits on the local LAN.

DMZ network:  172.16.18.0/24
  Gateway:    172.16.18.1
  ISA:        172.16.18.2

LAN mail server: 10.101.10.2


Any recommendations on how best to do this? I have been told that giving my ISA server two NICs is not an option, and that I should find a way to port forward?
Question by:student-g
6 Comments
 

Expert Comment

by:Keith Alabaster
ID: 16979843
G'day yerself.

This is fine, not quite sure what your issue is; ISA with a single NIC will do all of the above.
When you install ISA, select the single interface network template option.
Make sure that all the internal addresses are added to the internal network (configuration - networks - internal addresses)

Is the DMZ made from a third interface on the PIX or is there another firewall on the inside of the pix making a dmz between?

The PIX will forward the SMTP to the ISA server.
On the ISA, right-click the firewall policy and select the Publish mail server option. Give the IP address of 10.101.10.2.
The rest is simple.

Let me know what part is giving you the grief.

Author Comment

by:student-g
ID: 17001480
G'day Keith,

Thank you for your quick reply.  

I tried the mail server publishing rule and was informed
"ISA server detected a single NIC configuration Server publishing rules are not supported in a single nic config"
“Do you still want to create server publishing rule?”

I published the rule anyhow, and watched for dropped packets via monitoring.

The above rule was ignored and the SMTP connection denied.

I tried creating a new "server publishing rule" based on port 25, but it also warned me and then failed.

For proof of concept I am trialling an "any to any" firewall rule and running IIS 6 as an incoming mail relay locally on the server (testing atm).

This is making me nervous because whenever I have used IIS 6 unbound to any other service (e.g. Mail Essentials, Exchange, etc.) it behaves erratically.

Is there a key or patch I can apply that will force ISA to ignore its justifiable defaults and allow publishing on a single physical interface?

Many thanks in advance.

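The proof of concept above puts an SMTP relay (IIS 6) on the DMZ host in front of the LAN mail server. Before exposing that path, a practitioner would want two checks: that the published port really terminates at the expected server (the banner you see from outside should be the LAN server's), and that the hop in front of it refuses to relay mail for foreign domains. The following is an added example, not code from the thread: a small probe paired with a constructed stub that stands in for the LAN mail server so it runs offline. The hostnames, domains, and the `check_smtp_path`/`run_offline_demo` names are assumptions; against the real deployment you would point `check_smtp_path` at the public SMTP address held by the PIX, from outside the network.

```python
"""Probe an inbound SMTP path and check the hop in front of the LAN server.

Added example, not from the original thread. Hostnames, domains, the
function names and the stub server are constructed so it runs offline.
"""
import socket
import socketserver
import threading

LOCAL_DOMAIN = "example.internal"  # assumed: the only domain the LAN server accepts mail for


def _read_reply(f):
    """Read one SMTP reply; multi-line replies use 'NNN-' continuation lines."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) < 4 or text[3] != "-":
            return int(text[:3]), lines


def check_smtp_path(host, port, external_rcpt="victim@example.org", timeout=10):
    """Connect to host:port, record the banner, and test whether the hop relays
    for a foreign domain. relay_refused=True is the safe result."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode("ascii"))
            return _read_reply(f)

        code, banner = _read_reply(f)
        result = {"banner": banner[0], "banner_ok": code == 220}
        code, _ = cmd("EHLO probe.example.net")
        result["ehlo_ok"] = code == 250
        code, _ = cmd("MAIL FROM:<probe@example.net>")
        result["mail_from_ok"] = code == 250
        code, _ = cmd(f"RCPT TO:<{external_rcpt}>")
        # An open relay answers 250 here; a correctly scoped relay answers 5xx.
        result["relay_refused"] = code // 100 == 5
        cmd("RSET")
        cmd("QUIT")
        f.close()
        return result


class _StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for the LAN mail server: accepts LOCAL_DOMAIN only."""

    def handle(self):
        def send(text):
            self.wfile.write((text + "\r\n").encode("ascii"))

        send("220 mail.example.internal ESMTP (constructed stub)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                send("250-mail.example.internal")
                send("250 SIZE 10485760")
            elif verb in ("MAIL", "RSET"):
                send("250 OK")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<>")
                if addr.lower().endswith("@" + LOCAL_DOMAIN):
                    send("250 OK")
                else:
                    send("550 5.7.1 Unable to relay")  # refuse foreign domains
            elif verb == "QUIT":
                send("221 Bye")
                return
            else:
                send("502 Command not implemented")


def start_stub(host="127.0.0.1", port=0):
    """Start the stub on an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer((host, port), _StubSMTP)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_offline_demo():
    """Run the probe against the constructed stub and return its findings."""
    srv, port = start_stub()
    try:
        return check_smtp_path("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_offline_demo())
```

Against the stub, the probe reports the LAN server's banner, a successful EHLO and MAIL FROM, and `relay_refused` set to True because the RCPT TO for a foreign domain was answered 550. Run against the real path, a 250 on that RCPT TO means the DMZ relay is open and must be fixed before the PIX exposes it.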

Accepted Solution

by: Keith Alabaster (earned 150 total points)
ID: 17003265
http://www.isaserver.org/articles/2004ispcolo.html

Have a read here to understand the loopback adaptor.

Regards
Keith

Author Comment

by:student-g
ID: 17018377
G'day,

Thank you for the reference.  

Looking through the article and spending a fair bit of time running through ISA 2k4, I believe that I simply cannot deliver a single NIC solution (not saying it cannot be done) that I am comfortable with. It would be an implementation that would later haunt me (due to lack of familiarity with the product) and goes against common scenarios.

I would recommend that anyone using ISA with single NICs read the above link.

The project needs to be re-scoped correctly.

I am awarding the points to Keith because he provided as much information as possible towards the solution, faster than could be expected. The points should be upped to 150 due to excellent response time.

Regards
student-g



Expert Comment

by:Keith Alabaster
ID: 17018400
I'll make the change and thank you :)

Regards
Keith
