Solved

How to allow SMTP inbound and outbound through ISA 2006

Posted on 2008-06-12
20
1,934 Views
Last Modified: 2012-08-13
Hi,

I have Exchange Server 2003, which is a member server on the internal network. What access rule must I set up and what publishing rule must I set up? ISA is an edge firewall.
In the system policy I have SMTP internal and external allowed; is this right? Please explain the most secure way.

What I have now: a publishing rule from External (SMTP Server) to Local Host.
One access rule from Exchange to Local Host (SMTP).
System policy: internal and external SMTP.
Question by:jacksch4820
20 Comments
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767031
Hi there

You need 2 access rules created for this purpose.

Firstly you need to "Publish Mail Servers" from the Tasks tab in the firewall policy.

This will create an access rule with something along the lines of..

"Inbound SMTP server"    Allow    "SMTP Server"      External       (IP of your exchange server)

You will then need to create a second access rule to allow for outbound email.


"Outbound SMTP"     Allow     (IP of your exchange server)       External      All Users


Regards
Steve
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767049
For additional information and a walkthrough on setting up your rules, take a look at the following TechNet article:
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Regards
Steve
 

Author Comment

by:jacksch4820
ID: 21767163
OK, thanks for the fast response. I understand, but how must my SMTP system policy look?
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767175
You don't need to make any changes in the system policy.

The only configuration in the system policy that relates to SMTP is for allowing email alerts to be sent from the ISA server to other servers.
 

Author Comment

by:jacksch4820
ID: 21767303
OK, I will award the points to you anyway, but please explain my last question.
Some IT admins set up the publishing rule from External (SMTP Server) to the ISA IP and not the Exchange server IP. Please explain.
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767611
Sorry, I don't get your question.

ISA should only have the SMTP Server rule pointed to itself if it's running on SBS 2003, or they have Exchange installed on the same server.

The ISA server publishing rule listens on the external NIC of the ISA server and passes mail through the server directly to the Exchange server.

Regards
Steve
 

Author Comment

by:jacksch4820
ID: 21767795
Exchange is on the internal network as a member server, with the SMTP connector pointing to the ISA internal network card. ISA is the default edge firewall with Trend virus wall.

Publishing rule for SMTP
From External to ISA internal IP (SMTP Server protocol)

Access rules for SMTP
From ISA to Exchange (SMTP Server protocol)
From Exchange to External (SMTP protocol)
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21767826
You don't need 3 rules.

1 in and 1 out.

The examples provided in my first post are what you need.
 
LVL 19

Accepted Solution

by:
Stephen Manderson earned 500 total points
ID: 21767832
Also, the outbound rule should read

"Outbound SMTP"     Allow    SMTP (not SMTP Server)    (IP of your exchange server)       External      All Users
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21771711
To be pedantic here: it is not two access rules. It is one access rule and one publishing rule.

As Steve has explained:
One access rule from Internal to External. If you want, you can create a Computer object for your Exchange server associated with its IP address, so the access rule would be from computer_object to External.

One publishing rule from External to the IP address of the internal Exchange server.

Job done.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21773374
Nothing changes... :(
 

Author Comment

by:jacksch4820
ID: 21773700
Keith, sorry for asking so many dumb questions, but you can only learn from people who know more than you.

I understand 100% how to allow inbound and outbound mail through ISA, but my SMTP connector has to point to the internal network card of ISA, is this right or

The reason why I ask is because I checked how an IT admin configured his ISA with 3 rules. Do you maybe know why, or is it just stupid?

Cheers
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21773809
I never take the view of anyone being 'stupid'. I take the view that the individual simply did not know any better, as they have not been taught.

The actual SMTP connector within Exchange should use DNS to deliver mail or, if you have to go through your ISP, then it should be their email server address. The SMTP connector does 'not' point to the ISA NIC at all.
The default gateway of the Exchange box should be the ISA internal NIC, yes.

As the mail is 'passing through' ISA rather than ISA being the recipient of the mail, you did not need the rule from ISA to Exchange.

The outbound access rule would allow outbound SMTP to external mail servers AND would allow response traffic back in again.

The publishing rule forwards inbound mail directly to the internal Exchange server and allows responses back out. Therefore the SMTP connector can just use DNS and the 3rd rule is not needed.

Keith
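The two-rule design Steve and Keith describe (one publishing rule inbound to Exchange, one access rule outbound from Exchange, nothing from ISA to Exchange) can be sanity-checked with a small policy model. This is an added example, not code from the thread or from ISA Server itself: it models ISA's first-match, default-deny evaluation with constructed addresses, and the `restrict_to_isp` option goes beyond the reply above to model the Computer-object source restriction suggested later in the thread.

```python
# Added example (not from the thread): a minimal model of the two-rule ISA 2006
# SMTP policy. Rule semantics are a simplification of ISA's ordered, first-match,
# default-deny evaluation; all addresses are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXCHANGE = "10.0.0.10"        # constructed: internal Exchange 2003 member server
ISP_RELAY = "198.51.100.25"   # constructed: ISP mail server (a Computer object)
INTERNAL = ip_network("10.0.0.0/24")  # constructed: ISA "Internal" network

def is_external(ip):
    """Simplification: anything not in the Internal network is External."""
    return ip_address(ip) not in INTERNAL

@dataclass
class Rule:
    name: str
    kind: str            # "publishing" (inbound listener) or "access" (outbound)
    sources: list        # "External", "Internal", or specific IP strings
    destinations: list
    port: int = 25       # both SMTP and SMTP Server protocols use TCP 25

    def _matches(self, items, ip):
        return any(i == ip
                   or (i == "External" and is_external(ip))
                   or (i == "Internal" and not is_external(ip)) for i in items)

    def allows(self, src, dst, port):
        return (port == self.port and self._matches(self.sources, src)
                and self._matches(self.destinations, dst))

def build_policy(restrict_to_isp=False):
    """The accepted two-rule policy; optionally limit inbound to the ISP relay."""
    inbound_src = [ISP_RELAY] if restrict_to_isp else ["External"]
    return [
        Rule("Inbound SMTP server", "publishing", inbound_src, [EXCHANGE]),
        Rule("Outbound SMTP", "access", [EXCHANGE], ["External"]),
    ]

def evaluate(policy, src, dst, port=25):
    """Return the name of the first matching rule, or None (default deny)."""
    for rule in policy:
        if rule.allows(src, dst, port):
            return rule.name
    return None
```

With the unrestricted policy any external host reaches Exchange on 25 and only Exchange may send out; with `restrict_to_isp=True` only the ISP relay is accepted inbound, and no ISA-to-Exchange rule is ever consulted.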
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21776221
What did I miss? :S
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21776232
No idea.
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21776235
Morning :-)

Early start as usual?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21776238
yep, just leaving for work :)
 

Author Comment

by:jacksch4820
ID: 21777521
Keith and MrManerson, Microsoft articles are not always the best solution.

My option is better than the Microsoft article:
Publishing rule for SMTP
From External to ISA internal IP (SMTP Server protocol)
Access rule for SMTP
From Exchange to ISA internal IP (SMTP protocol)
System policy
Allowed external, internal
SMTP connector
Points to ISA internal IP
Why? That way you can enable the ISA SMTP filter, which protects against malformed & malicious SMTP commands, overflows, etc.

Also, if you do maintenance on the Exchange, then all mail will be queued on the ISA itself. What I also do is, on my inbound SMTP ISA rule, I do not allow access from External. Instead I create a Computer object for the ISP mail server and only allow that object to send SMTP to my server. It really helps against spam as well, as you're not allowing the whole world to make an SMTP connection to you.
 
LVL 19

Expert Comment

by:Stephen Manderson
ID: 21777723
I'm afraid your option isn't as good :P

The SMTP filter is enabled by default on the "SMTP Server" protocol as used in the Publish Mail Server method.

Stick to the MS articles; they will see you right! The method you posted is making a simple task hard; no need to reinvent the wheel and end up with a box :-)

Regards
Steve
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21782130
lol, I wonder where I put my links to some good ISA training courses.