cybis1
asked on
How do I Restrict Remote desktop (RDP) with ISA server 2004 - and limit incoming SMTP servers
Hi,
I have to look after am MS small business server 2003 premium usingh ISA server as the firewall, and two network cards.
Currently I have a rule with allows a remote desktop connection directly to the server, but from any location on the internet, so I am havein go rely on a strong password.
How do i create a rule which will restrict RDP access so only a selected few IP addresses can connect to administer the server.
Also follwoing on from this rule, i would like incmoing smtp mail to be only accespted from one DNS name (or a selection of IP addresses), and for the server to deny SMTP acesss fromj anything else.
Will anyone please make it simple for me.
Thanks
John
I have to look after am MS small business server 2003 premium usingh ISA server as the firewall, and two network cards.
Currently I have a rule with allows a remote desktop connection directly to the server, but from any location on the internet, so I am havein go rely on a strong password.
How do i create a rule which will restrict RDP access so only a selected few IP addresses can connect to administer the server.
Also follwoing on from this rule, i would like incmoing smtp mail to be only accespted from one DNS name (or a selection of IP addresses), and for the server to deny SMTP acesss fromj anything else.
Will anyone please make it simple for me.
Thanks
John
Jeff has a point on the rdp. If you really want to do it then you use the Toolbox within the gui to create Computer Objects matching the IP addressses of the devices you want then place these objects in the FROM box in the publishing rule. Personally I leave this open and use the strong password approach myself also.
Did you mean receive email from just one smtp server rather than from one dns server? Unless you are pulling email from an ISP's mail server rather than directly from sending mail servers I can't see the benefit. However, if your REALLY want to do it then the same approach can be used as I mention above for RDP.
I would suggest also (maybe Jeff can confirm this as ISA is my area but SBS is definitely his) that if you ever ran the SBS wizards, it would likely create the rules again to meet best practice and this could remove your restrictions.
Keith
Did you mean receive email from just one smtp server rather than from one dns server? Unless you are pulling email from an ISP's mail server rather than directly from sending mail servers I can't see the benefit. However, if your REALLY want to do it then the same approach can be used as I mention above for RDP.
I would suggest also (maybe Jeff can confirm this as ISA is my area but SBS is definitely his) that if you ever ran the SBS wizards, it would likely create the rules again to meet best practice and this could remove your restrictions.
Keith
ASKER
i think if i had an emergency and needed someone elso to help, I could allow all RDP connections, then after the aid, I could restrict it again. We have a few trused people and it would be these people's IP addresses that would be allowed.
The reason for blocking all but a set of SMTP servers is that all our incoimng mail is directed to our ISP that offers the services of scanning for viruses & spam off site, and then forwarding the "safe" mail to our SMTP server. This service off loads the processing of virus scanning away from the exchange server, and reduces bandwidth usage.
I hope this explains my questions.
The reason for blocking all but a set of SMTP servers is that all our incoimng mail is directed to our ISP that offers the services of scanning for viruses & spam off site, and then forwarding the "safe" mail to our SMTP server. This service off loads the processing of virus scanning away from the exchange server, and reduces bandwidth usage.
I hope this explains my questions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for you thoughs. We are in fact using a similar service http://www.maildefender.co.uk/products/maildefender which does do SMTP scanning for spam & viruses. So we only want these servers to send mail to our exchange. Hence the question how do i creat a rule that only allows SMTP traffice from certain IP addresses?
I still want to restrict the RDP access to specific IP addresses, but when i tried to createa rule it still allowed all ipp addresses in. So i think i need the help in a simple format.
Thanks
I still want to restrict the RDP access to specific IP addresses, but when i tried to createa rule it still allowed all ipp addresses in. So i think i need the help in a simple format.
Thanks
Well, in that case, you really should speak with MailDefender for their recommended configuration. Because if they support SenderID filtering, you can just use that: http://www.msexchange.org/tutorials/Configuring-enabling-Sender-ID-filtering-Exchange-2003-SP2.html. This would be the simplist way to solve the problem because essentially you would accept only from them and reject all others.
I really have no idea why you would want to restrict RDP access. Honestly, you are painting yourself into a corner. If you are that concerned about security then you should really be looking at a stronger level of authentication and encryption which you can read about here:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
This is because even if you restrict a connection from a specific IP address, that IP address can be spoofed (in addition to being inconvenient).
Jeff
TechSoEasy
I really have no idea why you would want to restrict RDP access. Honestly, you are painting yourself into a corner. If you are that concerned about security then you should really be looking at a stronger level of authentication and encryption which you can read about here:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
This is because even if you restrict a connection from a specific IP address, that IP address can be spoofed (in addition to being inconvenient).
Jeff
TechSoEasy
Another option for RDP, by the way, is to close port 3389 entirely to only allow RDP via VPN.
Jeff
TechSoEasy
Jeff
TechSoEasy
ASKER
Jeff,
I Really appreciate the time you give in answering my questions....and I finally take on board what you say about restricting RDP access, and I will leave it well alone.
With reagard to the maildefender settings, all i need to do to the ISA server is to create an access rule that only allows SMTP mail from one IP address (which is the ISP's mail server) and not accept any mail from any other SMTP server. Please can I have the simple instructions for setting up the access rule.
Thanks
I Really appreciate the time you give in answering my questions....and I finally take on board what you say about restricting RDP access, and I will leave it well alone.
With reagard to the maildefender settings, all i need to do to the ISA server is to create an access rule that only allows SMTP mail from one IP address (which is the ISP's mail server) and not accept any mail from any other SMTP server. Please can I have the simple instructions for setting up the access rule.
Thanks
There should already be a rule in ISA Server for inbound SMTP. You would need to modify that rule to accept from the single IP address rather than from ALL.
I can't give you much more in the way of instructions for that because I really have started moving away from using ISA and don't have a test box that I can use at the moment.
Jeff
TechSoEasy
I can't give you much more in the way of instructions for that because I really have started moving away from using ISA and don't have a test box that I can use at the moment.
Jeff
TechSoEasy
Is there a reason that you gave a "C" grade? Because really that shouldn't be given unless an expert fails to respond to your follow-up questions. Since you never provided that opportunity, it's totally out of line here.
Perhaps you might want to review: https://www.experts-exchange.com/help.jsp#hi73
An explanation would certainly be appreciated.
Jeff
TechSoEasy
Perhaps you might want to review: https://www.experts-exchange.com/help.jsp#hi73
An explanation would certainly be appreciated.
Jeff
TechSoEasy
ASKER
Jeff,
Sorry you are quite correct...I didn't mean to put a c grade, i meant to click the "a" option. As you were very helpful, and followed up all the questions.
I think I must have just I must have miss clicked. Is there a way that I can correct my mistake?
Sorry you are quite correct...I didn't mean to put a c grade, i meant to click the "a" option. As you were very helpful, and followed up all the questions.
I think I must have just I must have miss clicked. Is there a way that I can correct my mistake?
No Problem... the question has been re-opened. Please just accept an answer again to close it.
Jeff
TechSoEasy
Jeff
TechSoEasy
And what's your goal of restricting SMTP connections? Do you only want to receive email from those few people?
Can you describe what you are ultimately trying to protect against? Because I've often found that folks focus on specific areas that they have heard may be a security problem, while ignoring other very basic security practices.
I'm not saying that you fall into this category... at least until I know more... but your question sure sounds as though you may be a candidate. :-)
Jeff
TechSoEasy