Solved

How to allow SMTP inbound and outbound through ISA 2006

Posted on 2008-06-12
Last Modified: 2012-08-13
Hi,

I have Exchange Server 2003, which is a member server on the internal network. What access rule must I set up, and what publishing rule must I set up? ISA is an edge firewall.
In system policy I have SMTP internal and external allowed; is this right? Please explain the most secure way.

What I have now: one publishing rule from external (SMTP server) to local host.
One access rule from Exchange to local host (SMTP).
System policy internal and external SMTP.
0
Question by:jacksch4820
20 Comments
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767031
Hi there

You need 2 access rules created for this purpose.

Firstly you need to "Publish Mail Servers" from the Tasks tab in the firewall policy.

This will create an access rule with something along the lines of..

"Inbound SMTP server"    Allow    "SMTP Server"      External       (IP of your exchange server)

You will then need to create a second access rule to allow for outbound email.


"Outbound SMTP"     Allow     (IP of your exchange server)       External      All Users


Regards
Steve
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767049
For additional information and a walkthrough on setting up your rules, take a look at the following TechNet article:
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Regards
Steve
0
 

Author Comment

by:jacksch4820
ID: 21767163
OK, thanks for the fast response. Understood, but how must my SMTP system policy look?
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767175
You don't need to make any changes in the system policy.

The only configuration in the system policy that relates to SMTP is for allowing email alerts to be sent from the ISA server to other servers.
0
 

Author Comment

by:jacksch4820
ID: 21767303
OK, I will award points to you anyway, but please explain my last question.
Some IT admins set up the publishing rule from external (SMTP server) to the ISA IP and not the Exchange server IP; please explain.
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767611
Sorry, I don't get your question.

ISA should only have the SMTP Server rule pointed to itself if it's running on SBS 2003, or they have Exchange installed on the same server.

The ISA server publishing rule listens on the external NIC of the ISA server and passes mail through the server directly to the exchange server.

Regards
Steve

0
 

Author Comment

by:jacksch4820
ID: 21767795

Exchange on internal network member server, with SMTP connector that points to ISA internal network card. ISA default edge firewall with Trend virus wall.


Publishing rule for SMTP
From external to ISA Internal IP (SMTP server protocol)

Access Rule for SMTP
From ISA to Exchange (SMTP server protocol)
From Exchange to External (SMTP protocol)
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767826
You don't need 3 rules.

1 in and 1 out

The examples provided in my first post are what you need
0
 
LVL 19

Accepted Solution

by:
Stephen Manderson earned 500 total points
ID: 21767832
Also the outbound rule should read

"Outbound SMTP"     Allow    SMTP(Not SMTP Server)    (IP of your exchange server)       External      All Users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21771711
To be pedantic here - it is not two access rules. It is one access rule and one publishing rule.

As Steve has explained.
One access rule from internal to external - if you want, you can create a computer object for your exchange server associated with its ip address so the access rule would be from computer_object to external

One publishing rule from external to ip address of internal exchange server.

Job done



0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21773374
Nothing changes... :(
0
 

Author Comment

by:jacksch4820
ID: 21773700
Keith, sorry for asking so many dumb questions, but you can only learn from people who know more than you.

I understand 100% how to allow inbound and outbound mail through ISA, but my SMTP connector has to point to the internal network card of ISA; is this right or


The reason why I ask is because I checked how an IT admin configured his ISA with 3 rules. Do you maybe know why, or is it just stupid?

Cheers
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21773809
I never take the view of anyone being ' stupid' - I take the view that the individual simply did not know any better as they have not been taught.

The actual smtp connector within exchange should use dns to deliver mail or, if you have to go through your ISP, then it should be their email server address. The smtp connector does 'not' point to the ISA nic at all.
The default gateway of the Exchange box should be the ISA internal nic - yes.

As the mail is 'passing through' ISA rather than ISA being the recipient of the mail, you did not need the rule from isa to exchange.

The outbound access rule would allow outbound smtp to external mail servers AND would allow response traffic back in again.

The publishing rule forwards inbound mail directly to the internal Exchange server and allows responses back out. Therefore the smtp connector can just use DNS and the 3rd rule is not needed

Keith
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21776221
What did I miss? :S
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21776232
No idea.
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21776235
Morning :-)

Early start as usual?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21776238
yep, just leaving for work :)
0
 

Author Comment

by:jacksch4820
ID: 21777521
Keith and Mr Manderson, Microsoft articles are not always the best solution.

My option is better than the Microsoft article:

Publishing rule for SMTP
From external to ISA internal IP (SMTP server protocol)

Access Rule for SMTP
From Exchange to ISA internal IP (SMTP protocol)

System Policy
Allowed external internal

SMTP connector
Points to ISA internal IP

Why? That way you can enable the ISA SMTP filter, which protects against malformed & malicious SMTP commands, overflows etc.

Also, if you do maintenance on the Exchange, then all mail will be queued on the ISA itself. What I also do is on my inbound SMTP ISA rule I do not allow access from External. Instead I create a computer object for the ISP mail server and only allow that object to send SMTP to my server. Really helps against SPAM as well, as you're not allowing the whole world to make an SMTP connection to you.
0
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21777723
I'm afraid your option isn't as good :P

The SMTP Filter is enabled by default on the "SMTP Server" protocol as used in the Publish Mail Server method.

Stick to the MS articles, they will see you right! The method you posted is making a simple task hard; no need to reinvent the wheel and end up with a box :-)

Regards
Steve
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21782130
lol - I wonder where I put my links to some good ISA training courses.

0
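An added example, not part of the original thread and not ISA Server's own rule engine: a simplified Python model of the two-rule design from the accepted answer and Keith Alabaster's explanation (one publishing rule in, one access rule out), with the optional sender restriction jacksch4820 mentions. All IP addresses, the `evaluate`/`audit` names and the sample traffic are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# All addresses below are constructed for illustration.
INTERNAL = ip_network("10.0.0.0/24")
EXCHANGE = ip_address("10.0.0.10")
ISA_EXTERNAL = ip_address("203.0.113.1")   # listener for the publishing rule
SMTP = 25

def is_external(ip):
    return ip not in INTERNAL

def evaluate(src, dst, port, allowed_senders=None):
    """Return (verdict, rule, delivered_to) for a new connection.

    allowed_senders: optional set of external IPs (e.g. the ISP relay) that
    replaces "External" as the source of the publishing rule.
    """
    src, dst = ip_address(src), ip_address(dst)
    # Publishing rule: external host -> ISA external NIC, forwarded to Exchange.
    if is_external(src) and dst == ISA_EXTERNAL and port == SMTP:
        if allowed_senders is None or src in allowed_senders:
            return ("allow", "Inbound SMTP server", str(EXCHANGE))
    # Access rule: only the Exchange server may open SMTP to External.
    if src == EXCHANGE and is_external(dst) and port == SMTP:
        return ("allow", "Outbound SMTP", str(dst))
    # Replies on an allowed connection need no rule of their own; anything
    # else that opens a new connection is denied.
    return ("deny", "Default rule", None)

def audit(connections, allowed_senders=None):
    """Evaluate (label, src, dst, port) tuples; return {label: verdict}."""
    return {label: evaluate(s, d, p, allowed_senders)[0]
            for label, s, d, p in connections}

# Constructed test traffic.
SAMPLE = [
    ("internet MTA -> published SMTP", "198.51.100.7", "203.0.113.1", 25),
    ("ISP relay -> published SMTP", "192.0.2.25", "203.0.113.1", 25),
    ("Exchange -> remote MX", "10.0.0.10", "198.51.100.7", 25),
    ("workstation -> remote MX", "10.0.0.50", "198.51.100.7", 25),
    ("internet -> ISA, non-SMTP port", "198.51.100.7", "203.0.113.1", 3389),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{result:5}  {name}")
    print(audit(SAMPLE, allowed_senders={ip_address("192.0.2.25")}))
```

In this model no ISA-to-Exchange rule exists, yet inbound mail still reaches Exchange through the publishing rule, and a workstation that tries to send SMTP directly to the Internet falls through to the default deny.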
