Solved

How to allow SMTP inbound and outbound through ISA 2006

Posted on 2008-06-12
Last Modified: 2012-08-13
Hi,

I have Exchange Server 2003, which is a member server on the internal network. What access rule must I set up, and what publishing rule must I set up? ISA is an edge firewall.
In the system policy I have SMTP internal and external allowed; is this right? Please explain the most secure way.

What I have now: a publishing rule from External (SMTP Server) to Local Host.
One access rule from Exchange to Local Host (SMTP).
System policy: internal and external SMTP.
Question by: jacksch4820

Expert Comment by: Stephen Manderson (LVL 19)

Hi there

You need 2 access rules created for this purpose.

Firstly you need to "Publish Mail Servers" from the Tasks tab in the firewall policy.

This will create an access rule with something along the lines of...

Name: "Inbound SMTP server"   Action: Allow   Protocol: SMTP Server   From: External   To: (IP of your Exchange server)

You will then need to create a second access rule to allow for outbound email.

Name: "Outbound SMTP"   Action: Allow   From: (IP of your Exchange server)   To: External   Condition: All Users

Regards
Steve

Expert Comment by: Stephen Manderson (LVL 19)

For additional information and a walkthrough on setting up your rules, take a look at the following TechNet article:
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Regards
Steve

Author Comment by: jacksch4820

OK, thanks for the fast response. I understand, but how must my SMTP system policy look?

Expert Comment by: Stephen Manderson (LVL 19)

You don't need to make any changes in the system policy.

The only configuration in the system policy that relates to SMTP is for allowing email alerts to be sent from the ISA server to other servers.

Author Comment by: jacksch4820

OK, I will award points to you anyway, but please explain my last question.
Some IT admins set up the publishing rule from External (SMTP Server) to the ISA IP and not the Exchange server IP; please explain.

Expert Comment by: Stephen Manderson (LVL 19)

Sorry, I don't get your question.

ISA should only have the SMTP Server rule pointed to itself if it's running on SBS 2003, or they have Exchange installed on the same server.

The ISA server publishing rule listens on the external NIC of the ISA server and passes mail through the server directly to the Exchange server.

Regards
Steve


Author Comment by: jacksch4820

Exchange is on the internal network as a member server, with the SMTP connector pointing to the ISA internal network card. ISA is the default edge firewall with Trend VirusWall.

Publishing rule for SMTP
From External to ISA internal IP (SMTP Server protocol)

Access rules for SMTP
From ISA to Exchange (SMTP Server protocol)
From Exchange to External (SMTP protocol)

Expert Comment by: Stephen Manderson (LVL 19)

You don't need 3 rules.

1 in and 1 out.

The examples provided in my first post are what you need.

Accepted Solution by: Stephen Manderson (LVL 19, earned 500 total points)

Also the outbound rule should read:

Name: "Outbound SMTP"   Action: Allow   Protocol: SMTP (not SMTP Server)   From: (IP of your Exchange server)   To: External   Condition: All Users

Expert Comment by: Keith Alabaster (LVL 51)

To be pedantic here - it is not two access rules. It is one access rule and one publishing rule.

As Steve has explained:
One access rule from Internal to External; if you want, you can create a computer object for your Exchange server associated with its IP address, so the access rule would be from computer_object to External.

One publishing rule from External to the IP address of the internal Exchange server.

Job done.



Expert Comment by: Keith Alabaster (LVL 51)

Nothing changes... :(

Author Comment by: jacksch4820

Keith, sorry for asking so many dumb questions, but you can only learn from people who know more than you.

I understand 100% how to allow inbound and outbound mail through ISA, but my SMTP connector has to point to the internal network card of ISA; is this right, or...

The reason I ask is because I checked how an IT admin configured his ISA with 3 rules. Do you maybe know why, or is it just stupid?

Cheers

Expert Comment by: Keith Alabaster (LVL 51)

I never take the view of anyone being 'stupid' - I take the view that the individual simply did not know any better, as they have not been taught.

The actual SMTP connector within Exchange should use DNS to deliver mail or, if you have to go through your ISP, then it should be their email server address. The SMTP connector does 'not' point to the ISA NIC at all.
The default gateway of the Exchange box should be the ISA internal NIC - yes.

As the mail is 'passing through' ISA rather than ISA being the recipient of the mail, you did not need the rule from ISA to Exchange.

The outbound access rule would allow outbound SMTP to external mail servers AND would allow response traffic back in again.

The publishing rule forwards inbound mail directly to the internal Exchange server and allows responses back out. Therefore the SMTP connector can just use DNS, and the 3rd rule is not needed.

Keith

Expert Comment by: Stephen Manderson (LVL 19)

What did I miss? :S

Expert Comment by: Keith Alabaster (LVL 51)

No idea.

Expert Comment by: Stephen Manderson (LVL 19)

Morning :-)

Early start as usual?

Expert Comment by: Keith Alabaster (LVL 51)

yep, just leaving for work :)

Author Comment by: jacksch4820

Keith and Mr Manderson, Microsoft articles are not always the best solution.

My option is better than the Microsoft article:
Publishing rule for SMTP
From External to ISA internal IP (SMTP Server protocol)
Access rule for SMTP
From Exchange to ISA internal IP (SMTP protocol)
System policy
Allowed external and internal
SMTP connector
Points to ISA internal IP
Why? That way you can enable the ISA SMTP filter, which protects against malformed & malicious SMTP commands, overflows etc.

Also, if you do maintenance on the Exchange server, then all mail will be queued on the ISA itself. What I also do is, on my inbound SMTP ISA rule, I do not allow access from External. Instead I create a computer object for the ISP mail server and only allow that object to send SMTP to my server. This really helps against spam as well, as you're not allowing the whole world to make an SMTP connection to you.
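The two designs argued over in this thread side by side, as an added example that is not part of any poster's configuration and not ISA's own code. It is a small Python model of ISA's ordered, first-match, default-deny rule evaluation, with a session table so that reply traffic is allowed back without a rule of its own (Keith's point above), run over constructed traffic: once with the inbound source set to External, once with it narrowed to a computer object for the ISP's relay as the author proposes. All addresses (the ISA external NIC, the Exchange host, the ISP relay, the Internet client) are assumptions drawn from RFC 5737 documentation ranges and a private LAN, and the model deliberately leaves out listeners, network rules and the SMTP filter.

```python
"""Model of the ISA 2006 SMTP policies argued over in this thread.

Added example: not ISA code and not any poster's configuration. It mimics
ISA's ordered, first-match rule evaluation with a default deny, keeps a
session table so reply packets need no rule of their own, and runs
constructed traffic through the two-rule design (one server publishing
rule in, one access rule out) with and without the inbound source
narrowed to the ISP's relay. Every address is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, List, Optional, Set, Tuple

INTERNAL_NET = ip_network("10.0.0.0/24")       # assumed ISA Internal network
ISA_EXTERNAL_IP = ip_address("198.51.100.10")   # assumed ISA external NIC (Local Host)
EXCHANGE_IP = ip_address("10.0.0.25")           # assumed Exchange member server
ISP_RELAY_IP = ip_address("203.0.113.25")       # assumed ISP mail relay
INTERNET_CLIENT = "192.0.2.77"                  # assumed arbitrary Internet host
SMTP_PORT = 25

Matcher = Callable[[IPv4Address], bool]


def internal(ip: IPv4Address) -> bool:
    return ip in INTERNAL_NET


def local_host(ip: IPv4Address) -> bool:
    return ip == ISA_EXTERNAL_IP


def external(ip: IPv4Address) -> bool:
    """ISA's External network: whatever is not Internal or Local Host."""
    return not internal(ip) and not local_host(ip)


def computer(addr: str) -> Matcher:
    """An ISA computer object, i.e. a single IP address."""
    target = ip_address(addr)
    return lambda ip: ip == target


@dataclass
class Rule:
    name: str
    src: Matcher
    dst: Matcher
    port: int
    forward_to: Optional[IPv4Address] = None   # only a server publishing rule sets this


@dataclass
class Policy:
    rules: List[Rule]
    sessions: Set[Tuple[IPv4Address, IPv4Address, int]] = field(default_factory=set)

    def evaluate(self, src: str, dst: str, port: int) -> Tuple[bool, str, Optional[str]]:
        """Decide a new connection: (allowed, rule that matched, where it is delivered)."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.port == port and rule.src(src_ip) and rule.dst(dst_ip):
                delivered = dst_ip if rule.forward_to is None else rule.forward_to
                self.sessions.add((src_ip, delivered, port))  # stateful: remember the flow
                return True, rule.name, str(delivered)
        return False, "Default rule", None                     # ISA's implicit deny

    def allows_reply(self, src: str, dst: str, port: int) -> bool:
        """Replies are matched against the session table, not against the rules."""
        return (ip_address(dst), ip_address(src), port) in self.sessions


def two_rule_policy(inbound_src: Matcher = external) -> Policy:
    """One publishing rule in, one access rule out; inbound_src narrows who may connect."""
    return Policy([
        Rule("Inbound SMTP server", inbound_src, local_host, SMTP_PORT,
             forward_to=EXCHANGE_IP),                                         # publishing rule
        Rule("Outbound SMTP", computer(str(EXCHANGE_IP)), external, SMTP_PORT),  # access rule
    ])


def compare(client: str = INTERNET_CLIENT) -> dict:
    """Run the same constructed traffic through both designs."""
    open_inbound = two_rule_policy()
    isp_only = two_rule_policy(inbound_src=computer(str(ISP_RELAY_IP)))
    isa = str(ISA_EXTERNAL_IP)
    return {
        "internet_to_exchange_open": open_inbound.evaluate(client, isa, SMTP_PORT),
        "internet_to_exchange_isp_only": isp_only.evaluate(client, isa, SMTP_PORT),
        "isp_relay_isp_only": isp_only.evaluate(str(ISP_RELAY_IP), isa, SMTP_PORT),
        "exchange_out": open_inbound.evaluate(str(EXCHANGE_IP), client, SMTP_PORT),
        "workstation_out": open_inbound.evaluate("10.0.0.50", client, SMTP_PORT),
        "internet_to_isa_https": open_inbound.evaluate(client, isa, 443),
        "reply_to_internet_client": open_inbound.allows_reply(str(EXCHANGE_IP), client, SMTP_PORT),
        "reply_to_exchange": open_inbound.allows_reply(client, str(EXCHANGE_IP), SMTP_PORT),
        "reply_without_session": isp_only.allows_reply(str(EXCHANGE_IP), client, SMTP_PORT),
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:32} {verdict}")
```

Running `compare()` shows what the thread's advice buys: the publishing rule delivers inbound port 25 straight to the Exchange address, so no ISA-to-Exchange rule is ever consulted; the access rule bound to a computer object lets only the Exchange host send outbound SMTP, so a workstation on the Internal network is denied; anything else inbound (here 443) hits the default deny; and replies in either direction pass on the session table alone. With the inbound source narrowed to the ISP relay, an arbitrary Internet host is refused a connection and, having no session, cannot receive a "reply" either.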
Expert Comment by: Stephen Manderson (LVL 19)

I'm afraid your option isn't as good :P

The SMTP Filter is enabled by default on the "SMTP Server" protocol as used in the Publish Mail Server method.

Stick to the MS articles; they will see you right! The method you posted is making a simple task hard; no need to reinvent the wheel and end up with a box :-)

Regards
Steve

Expert Comment by: Keith Alabaster (LVL 51)

lol - I wonder where I put my links to some good ISA training courses.
