Solved

How to allow SMTP inbound and outbound through ISA 2006

Posted on 2008-06-12
20
1,993 Views
Last Modified: 2012-08-13
Hi,

I have Exchange Server 2003, which is a member server on the internal network. What access rule must I set up and what publishing rule must I set up? ISA is an edge firewall.
In the system policy I have SMTP internal and external allowed; is this right? Please explain the most secure way.

What I have now: a publishing rule from External (SMTP Server) to Local Host.
One access rule from Exchange to Local Host (SMTP).
System policy: internal and external SMTP.
0
Question by:jacksch4820
20 Comments
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767031
Hi there

You need 2 access rules created for this purpose.

Firstly you need to "Publish Mail Servers" from the Tasks tab in the firewall policy.

This will create an access rule with something along the lines of..

"Inbound SMTP server"    Allow    "SMTP Server"      External       (IP of your exchange server)

You will then need to create a second access rule to allow for outbound email.


"Outbound SMTP"     Allow     (IP of your exchange server)       External      All Users


Regards
Steve
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767049
For additional information and a walkthrough on setting up your rules, take a look at the following TechNet article:
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Regards
Steve
0
 

Author Comment

by:jacksch4820
ID: 21767163
Ok, thanks for the fast response. I understand, but how must my SMTP system policy look?
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767175
You don't need to make any changes in the system policy.

The only configuration in the system policy that relates to SMTP is for allowing email alerts to be sent from the ISA server to other servers.
0
 

Author Comment

by:jacksch4820
ID: 21767303
Ok, I will award points to you anyway, but please explain my last question.
Some IT admins set up the publishing rule from External (SMTP Server) to the ISA IP and not the Exchange server IP; please explain.
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767611
Sorry, I don't get your question.

ISA should only have the SMTP Server rule pointed to itself if it's running on SBS 2003, or if they have Exchange installed on the same server.

The ISA server publishing rule listens on the external NIC of the ISA server and passes mail through the server directly to the exchange server.

Regards
Steve

0
 

Author Comment

by:jacksch4820
ID: 21767795

Exchange on the internal network, a member server, with an SMTP connector that points to the ISA internal network card. ISA is the default edge firewall with Trend virus wall.


Publishing rule for SMTP
From external to ISA Internal IP (SMTP server protocol)

Access Rule for SMTP
From ISA to Exchange (SMTP server protocol)
From Exchange to External (SMTP protocol)
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767826
You don't need 3 rules.

1 in and 1 out

The examples provided in my first post are what you need
0
 
LVL 19

Accepted Solution

by:
Stephen Manderson earned 500 total points
ID: 21767832
Also the outbound rule should read

"Outbound SMTP"     Allow    SMTP(Not SMTP Server)    (IP of your exchange server)       External      All Users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21771711
To be pedantic here - it is not two access rules. It is one access rule and one publishing rule.

As Steve has explained.
One access rule from internal to external - if you want, you can create a computer object for your Exchange server associated with its IP address, so the access rule would be from computer_object to external.

One publishing rule from external to the IP address of the internal Exchange server.

Job done



0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21773374
Nothing changes... :(
0
 

Author Comment

by:jacksch4820
ID: 21773700
Keith, sorry for asking so many dumb questions, but you can only learn from people who know more than you.

I understand 100% how to allow inbound and outbound mail through ISA, but my SMTP connector has to point to the internal network card of ISA; is this right, or


The reason why I ask is because I checked how an IT admin configured his ISA with 3 rules; do you maybe know why, or is it just stupid?

Cheers
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21773809
I never take the view of anyone being 'stupid' - I take the view that the individual simply did not know any better as they have not been taught.

The actual SMTP connector within Exchange should use DNS to deliver mail or, if you have to go through your ISP, then it should be their email server address. The SMTP connector does 'not' point to the ISA NIC at all.
The default gateway of the Exchange box should be the ISA internal NIC - yes.

As the mail is 'passing through' ISA rather than ISA being the recipient of the mail, you did not need the rule from ISA to Exchange.

The outbound access rule would allow outbound SMTP to external mail servers AND would allow response traffic back in again.

The publishing rule forwards inbound mail directly to the internal Exchange server and allows responses back out. Therefore the SMTP connector can just use DNS and the 3rd rule is not needed.

Keith
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21776221
What did I miss? :S
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21776232
No idea.
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21776235
Morning :-)

Early start as usual?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21776238
yep, just leaving for work :)
0
 

Author Comment

by:jacksch4820
ID: 21777521
Keith and Mr Manderson, Microsoft articles are not always the best solution.

My option is better than the Microsoft article:
Publishing rule for SMTP
From External to ISA internal IP (SMTP Server protocol)
Access rule for SMTP
From Exchange to ISA internal IP (SMTP protocol)
System policy
Allowed external, internal
SMTP connector
Points to ISA internal IP
Why? That way you can enable the ISA SMTP filter, which protects against malformed & malicious SMTP commands, overflows etc.

Also if you do maintenance on the Exchange then all mail will be queued on the ISA itself. What I also do is on my inbound SMTP ISA rule I do not allow access from External. Instead I create a computer object for the ISP mail server and only allow that object to send SMTP to my server. Really helps against SPAM as well, as you're not allowing the whole world to make an SMTP connection to you.
0
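An added illustration, not from the thread and not ISA's own API: a small Python model of ISA's first-match rule evaluation, covering Keith's two-rule explanation above and the source-restricted inbound rule from the preceding post. It uses constructed addresses, treats "External" as anything outside the Internal network, and keeps mail published straight to Exchange; it shows why the extra ISA-to-Exchange rule is never hit in that design, why the outbound rule must use the SMTP (not SMTP Server) protocol, and how narrowing the publishing rule's source to an ISP relay object changes which senders are accepted.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addresses for this model; none of them appear in the thread.
INTERNAL = ip_network("10.0.0.0/24")
EXCHANGE = ip_address("10.0.0.5")
ISA_LAN = ip_address("10.0.0.1")
ISP_RELAY = ip_address("203.0.113.25")  # the ISP mail server as a computer object
SMTP, SMTP_SERVER = ("SMTP", 25), ("SMTP Server", 25)  # ISA outbound vs inbound protocol

# kind is "access" (outbound primary connection) or "publish" (inbound, forwarded to dst)
Rule = namedtuple("Rule", "name kind protocol src dst")

def matches(addr, element):
    """'Internal' = the LAN, 'External' = everything else, an ip_address = a
    computer object, a tuple of elements = a computer set."""
    if element == "Internal":
        return addr in INTERNAL
    if element == "External":
        return addr not in INTERNAL
    if isinstance(element, tuple):
        return any(matches(addr, e) for e in element)
    return addr == element

def first_match(rules, src, dst, dport):
    """Name of the first rule permitting a TCP connection src->dst:dport, or None
    (default deny). Replies need no rule: ISA tracks the connection state."""
    for r in rules:
        if r.protocol[1] == dport and matches(src, r.src) and matches(dst, r.dst):
            return r.name
    return None

def unused_rules(rules, flows):
    """Rules that none of the expected mail flows ever hits."""
    hit = {first_match(rules, *f) for f in flows}
    return [r.name for r in rules if r.name not in hit]

def protocol_mismatch(rules):
    """The accepted answer's correction: access rules use SMTP, publishing rules SMTP Server."""
    want = {"access": "SMTP", "publish": "SMTP Server"}
    return [r.name for r in rules if r.protocol[0] != want[r.kind]]

TWO_RULES = [  # Keith's design: one publishing rule in, one access rule out
    Rule("Inbound SMTP server", "publish", SMTP_SERVER, "External", EXCHANGE),
    Rule("Outbound SMTP", "access", SMTP, EXCHANGE, "External")]
THREE_RULES = TWO_RULES + [Rule("ISA to Exchange", "access", SMTP, ISA_LAN, EXCHANGE)]
RESTRICTED = [Rule("Inbound SMTP server", "publish", SMTP_SERVER, ISP_RELAY, EXCHANGE),
              TWO_RULES[1]]  # only the ISP relay may open port 25 to us
INTERNET_MTA = ip_address("198.51.100.7")
EXPECTED_FLOWS = [(INTERNET_MTA, EXCHANGE, 25), (EXCHANGE, INTERNET_MTA, 25)]
```

Running `unused_rules(THREE_RULES, EXPECTED_FLOWS)` reports only the ISA-to-Exchange rule, which is the redundancy Keith describes; `first_match(RESTRICTED, INTERNET_MTA, EXCHANGE, 25)` returns None, so with the restricted variant only the ISP relay can deliver.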
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21777723
I'm afraid your option isn't as good :P

The SMTP Filter is enabled by default on the "SMTP Server" protocol as used in the Publish Mail Server method.

Stick to the MS articles, they will see you right! The method you posted is making a simple task hard, no need to reinvent the wheel and end up with a box :-)

Regards
Steve
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21782130
lol - I wonder where I put my links to some good ISA training courses.

0
