jacksch4820
How to allow SMTP inbound and outbound through ISA 2006

Hi,

I have Exchange Server 2003, which is a member server on the internal network. What access rule must I set up, and what publishing rule must I set up? ISA is an edge firewall.
In the system policy I have SMTP internal and external allowed. Is this right? Please explain the most secure way.

What I have now: a publishing rule from External (SMTP Server) to Local Host.
One access rule from Exchange to Local Host (SMTP).
System policy internal and external SMTP.
Stephen Manderson

Hi there

You need 2 access rules created for this purpose.

Firstly you need to "Publish Mail Servers" from the Tasks tab in the firewall policy.

This will create an access rule with something along the lines of:

"Inbound SMTP server"    Allow    "SMTP Server"      External       (IP of your exchange server)

You will then need to create a second access rule to allow for outbound email.


"Outbound SMTP"     Allow     (IP of your exchange server)       External      All Users


Regards
Steve
For additional information and a walkthrough on setting up your rules, take a look at the following TechNet article:
http://technet.microsoft.com/en-us/library/bb794845(TechNet.10).aspx

Regards
Steve
jacksch4820 (ASKER)

Ok, thanks for the fast response. I understand, but how must my SMTP system policy look?
You don't need to make any changes in the system policy.

The only configuration in the system policy that relates to SMTP is for allowing email alerts to be sent from the ISA server to other servers.
Ok, I will award points to you anyway, but please explain my last question.
Some IT admins set up a publishing rule from External (SMTP server) to the ISA IP and not the Exchange server IP. Please explain.
Sorry, I don't get your question.

ISA should only have the SMTP Server rule pointed to itself if it's running on SBS 2003, or they have Exchange installed on the same server.

The ISA server publishing rule listens on the external NIC of the ISA server and passes mail through the server directly to the exchange server.

Regards
Steve


Exchange on the internal network as a member server, with the SMTP connector pointing to the ISA internal network card. ISA default edge firewall with Trend VirusWall.


Publishing rule for SMTP
From external to ISA Internal IP (SMTP server protocol)

Access Rule for SMTP
From ISA to Exchange (SMTP server protocol)
From Exchange to External (SMTP protocol)
You don't need 3 rules.

1 in and 1 out

The examples provided in my first post are what you need
ASKER CERTIFIED SOLUTION
Stephen Manderson
Keith Alabaster
To be pedantic here - it is not two access rules. It is one access rule and one publishing rule.

As Steve has explained.
One access rule from Internal to External - if you want, you can create a computer object for your Exchange server associated with its IP address, so the access rule would be from computer_object to External.

One publishing rule from external to ip address of internal exchange server.

Job done



Nothing changes... :(
Keith, sorry for asking so many dumb questions, but you can only learn from people who know more than you.

I understand 100% how to allow inbound and outbound mail through ISA, but my SMTP connector has to point to the internal network card of ISA. Is this right, or


The reason why I ask is because I checked how an IT admin configured his ISA with 3 rules. Do you maybe know why, or is it just stupid?

Cheers
I never take the view of anyone being 'stupid' - I take the view that the individual simply did not know any better, as they have not been taught.

The actual SMTP connector within Exchange should use DNS to deliver mail or, if you have to go through your ISP, then it should be their email server address. The SMTP connector does 'not' point to the ISA NIC at all.
The default gateway of the Exchange box should be the ISA internal NIC - yes.

As the mail is 'passing through' ISA rather than ISA being the recipient of the mail, you did not need the rule from ISA to Exchange.

The outbound access rule would allow outbound SMTP to external mail servers AND would allow response traffic back in again.

The publishing rule forwards inbound mail directly to the internal Exchange server and allows responses back out. Therefore the SMTP connector can just use DNS and the 3rd rule is not needed.

Keith
What did I miss? :S
No idea.
Morning :-)

Early start as usual?
yep, just leaving for work :)
Keith and Mr Manderson, Microsoft articles are not always the best solution.

My option is better than the Microsoft article:
Publishing rule for SMTP
From External to ISA internal IP (SMTP Server protocol)
Access rule for SMTP
From Exchange to ISA internal IP (SMTP protocol)
System policy
Allowed external and internal
SMTP connector
Points to ISA internal IP
Why? That way you can enable the ISA SMTP filter, which protects against malformed and malicious SMTP commands, overflows, etc.

Also, if you do maintenance on the Exchange, then all mail will be queued on the ISA itself. What I also do is, on my inbound SMTP ISA rule, I do not allow access from External. Instead I create a computer object for the ISP mail server and only allow that object to send SMTP to my server. Really helps against spam as well, as you're not allowing the whole world to make an SMTP connection to you.
I'm afraid your option isn't as good :P

The SMTP Filter is enabled by default on the "SMTP Server" protocol as used in the Publish Mail server method.

Stick to the MS articles, they will see you right! The method you posted is making a simple task hard; no need to reinvent the wheel and end up with a box :-)

Regards
Steve
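The following is an added worked example, not code from the thread or from ISA Server itself: a small Python model of the two-rule design Steve and Keith describe (one server publishing rule on the ISA external NIC forwarding to Exchange, one access rule from the Exchange computer object to External), plus the variant from the later post that restricts the inbound rule to a computer object for the ISP mail server. All addresses are constructed placeholders, and the evaluator is a simplification of how ISA applies rules, not its real API. It shows why replies need no extra rule (the firewall is stateful), why an ISA-to-Exchange SMTP rule never gets used, and how much exposure the ISP-only allow list removes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder addresses (RFC 5737 documentation ranges), not the thread's network.
INTERNAL_NET = ip_network("10.0.0.0/24")
EXCHANGE_IP = "10.0.0.10"         # Exchange 2003 member server (hypothetical)
ISA_INTERNAL_IP = "10.0.0.1"      # ISA internal NIC, the Exchange box's default gateway
ISA_EXTERNAL_IP = "203.0.113.1"   # ISA external NIC, where the publishing listener sits
ISP_RELAY_IP = "198.51.100.25"    # ISP mail server, used if inbound SMTP is restricted to it
SMTP = 25


@dataclass
class PublishingRule:
    """Server publishing rule: ISA listens on its external NIC and forwards to Exchange."""
    name: str
    listener: str
    forward_to: str
    allowed_sources: Optional[frozenset] = None   # None means the "External" network (anyone)


@dataclass
class AccessRule:
    """Access rule: the listed internal source(s) may open connections to External on a port."""
    name: str
    sources: frozenset
    port: int


@dataclass
class Policy:
    publishing: List[PublishingRule]
    access: List[AccessRule]
    state: Set[Tuple[str, str]] = field(default_factory=set)  # (src, dst) of allowed connections

    def evaluate(self, src: str, dst: str, dport: int) -> Tuple[str, str]:
        """Decide one new packet; returns (verdict, reason)."""
        # 1. Replies to a connection ISA already allowed pass without any extra rule.
        if (dst, src) in self.state:
            return "allow", "stateful response"
        # 2. Inbound from External: only a publishing rule on the ISA listener applies.
        if ip_address(src) not in INTERNAL_NET:
            for rule in self.publishing:
                if dst == rule.listener and dport == SMTP:
                    if rule.allowed_sources is not None and src not in rule.allowed_sources:
                        return "deny", f"{rule.name}: source not in allowed set"
                    self.state.add((src, rule.forward_to))
                    return "allow", f"{rule.name}: forwarded to {rule.forward_to}"
            return "deny", "no publishing rule"
        # 3. Outbound from Internal: an access rule from the Exchange computer object to External.
        if ip_address(dst) not in INTERNAL_NET:
            for rule in self.access:
                if src in rule.sources and dport == rule.port:
                    self.state.add((src, dst))
                    return "allow", rule.name
        # 4. Anything else, including ISA -> Exchange on port 25, matches nothing and is not needed.
        return "deny", "no matching rule"


def two_rule_policy(restrict_inbound_to_isp: bool = False) -> Policy:
    """The configuration recommended in the thread: one publishing rule, one access rule."""
    sources = frozenset({ISP_RELAY_IP}) if restrict_inbound_to_isp else None
    return Policy(
        publishing=[PublishingRule("Inbound SMTP server", ISA_EXTERNAL_IP, EXCHANGE_IP, sources)],
        access=[AccessRule("Outbound SMTP", frozenset({EXCHANGE_IP}), SMTP)],
    )


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed flows through both variants and collect the verdicts."""
    p = two_rule_policy()
    results = {
        "inbound": p.evaluate("192.0.2.5", ISA_EXTERNAL_IP, SMTP),          # internet MTA -> listener
        "inbound_reply": p.evaluate(EXCHANGE_IP, "192.0.2.5", 49152),       # Exchange answers
        "outbound": p.evaluate(EXCHANGE_IP, "192.0.2.77", SMTP),            # Exchange delivers via DNS
        "outbound_reply": p.evaluate("192.0.2.77", EXCHANGE_IP, 49153),     # remote MTA answers
        "isa_to_exchange": p.evaluate(ISA_INTERNAL_IP, EXCHANGE_IP, SMTP),  # the "3rd rule" nobody needs
    }
    r = two_rule_policy(restrict_inbound_to_isp=True)
    results["unknown_sender_restricted"] = r.evaluate("192.0.2.5", ISA_EXTERNAL_IP, SMTP)
    results["isp_relay_restricted"] = r.evaluate(ISP_RELAY_IP, ISA_EXTERNAL_IP, SMTP)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict[0]:5s} {verdict[1]}")
```

The restricted variant only makes sense when all inbound mail really does arrive via the ISP relay; with MX records pointing at your own address, the allow list would refuse every other sending MTA on the internet.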
lol - I wonder where I put my links to some good ISA training courses.