Solved

Using Windows Firewall On SBS2011 To Only Accept Port 25 Access For Certain IPs

Posted on 2014-11-19
Last Modified: 2014-11-20
Hello, I run SBS 2011 which uses Server 2008 R2 and Exchange 2010.

I am using Exchange Online Protection to prevent spam from getting to our network.

As is expected, spam is still getting through, since spammers can send directly to our server using port 25.

So I am trying to figure out how to deny access to this port for all addresses except the following ones:

http://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

I cannot find the SMTP port under "Windows Firewall with Advanced Security", so I'm not sure how Exchange configured the firewall there.

However, I did try to change the IP ranges in the network tab under the receive connector in the hub transport role of the server configuration. This broke everything: I could no longer get email, and I got the following error:

#5.7.1 smtp;530 5.7.1 Client was not authenticated> #SMTP#

I am attaching the file "network_cap_1.JPG" to show what I have before I change anything. "network_cap_2.JPG" shows the EOP IP ranges added and when I add those I get the above error.

I checked the IP that EOP is using to deliver mail to me and that IP currently is 207.46.163.210, so that should be covered by the 207.46.163.0/24 scope, shouldn't it?

Also, since I am leaving the default 10.1.1.0-10.1.1.0 & 10.1.1.2-10.1.1.255 entries alone, I'm not understanding two things:

1) Why does adding the EOP IPs break everything?
2) Why is any email coming in, since those IP ranges are local and not external?

Help would be greatly appreciated.

Thanks.
network-cap-1.JPG
network-cap-2.JPG
0
Question by:Pawel_Kowalski
5 Comments
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40453749
I have not used EOP before, but it sounds like you may not have the correct settings on the receive connector's Authentication and Permission Groups tabs. What do you have selected on those tabs? IIRC, the firewall is set up by default to allow Exchange full access and the address/ports/IPs, etc. that it uses are controlled via Exchange itself using either the EMC or the EMS depending on your preferences.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40453931
Did you make these changes on the Default <Server Name> receive connector or the Windows SBS Internet Receive <Server Name> receive connector?

You should be making these changes on the Windows SBS Internet Receive <Server Name> connector as this connector is configured by default for external emails.
0
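
The change described in the accepted answer, sketched for the Exchange Management Shell as an added example (not code from the thread). It assumes the connector names follow the patterns quoted above; `$eopRanges` is a constructed list holding only the one range mentioned in the question and must be completed from the EOP address list linked there.

```powershell
# Added example - run in the Exchange Management Shell on the SBS 2011 server.
# Assumption: connector names match the patterns quoted in the thread.
$internet = @(Get-ReceiveConnector | Where-Object { $_.Name -like 'Windows SBS Internet Receive*' })
$default  = @(Get-ReceiveConnector | Where-Object { $_.Name -like 'Default *' })

if ($internet.Count -ne 1) {
    throw "Expected exactly one 'Windows SBS Internet Receive' connector, found $($internet.Count)."
}
$internet = $internet[0]

# 1. Review both connectors before changing anything. The Default connector's
#    local ranges stay as they are; per the thread, adding the EOP ranges there
#    is what produced "530 5.7.1 Client was not authenticated".
@($internet) + $default |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 2. The Internet connector must accept anonymous SMTP for EOP to deliver to it.
if ("$($internet.PermissionGroups)" -notmatch 'AnonymousUsers') {
    Write-Warning "$($internet.Name) does not allow AnonymousUsers; EOP deliveries would be rejected."
}

# 3. Save the current scope so it can be restored if mail flow stops.
$backup = Join-Path $env:TEMP 'sbs-internet-connector-ranges.txt'
$internet.RemoteIPRanges | ForEach-Object { "$_" } | Set-Content -Path $backup
Write-Host "Current RemoteIPRanges saved to $backup"

# 4. Constructed list: only 207.46.163.0/24 comes from the question. Add every
#    other range from the EOP IP address list before applying, otherwise mail
#    relayed by EOP from an unlisted range will be refused.
$eopRanges = @('207.46.163.0/24')

# 5. Preview the change. Remove -WhatIf to apply it once the list is complete.
Set-ReceiveConnector -Identity $internet.Identity -RemoteIPRanges $eopRanges -WhatIf
```

After applying, send a test message from an external mailbox that routes through EOP and confirm delivery before closing the session.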
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40454179
Personally, I never make these lockdowns on my Exchange Server but rather on my perimeter firewall. If you do want to make these on Exchange versus a perimeter firewall, I would follow VB ITS's instructions.
0
 
LVL 6

Expert Comment

by:Asif Bacchus
ID: 40454525
@Gareth, I totally agree. I usually do this on my firewall also.
@OP, I was not sure if you were using a separate firewall and was under the impression you were just using the Windows firewall. Could you post back with that information? Thanks.
0
 

Author Closing Comment

by:Pawel_Kowalski
ID: 40455503
Thanks! That was the exact problem.

In regards to a perimeter firewall, this location doesn't have one: very small office, and essentially the SOHO router serves as the firewall (only ports 25 and 443 are forwarded). Doesn't have anything fancy like allowable IP for certain ports. Probably not the most secure method, but the budget isn't there to do anything about it.

Thanks again.
0

Question has a verified solution.
