Messages that are allowed or blocked by Message Screener are logged locally to a file on the machine running Message Screener. The file is located by default in %ProgramFiles%\Microsoft ISA Server\ISALogs.

Note:
Application layer inspection of outbound mail is also possible. An organization may wish to block outgoing viruses and worms in an effort to protect other Internet connected networks. In addition, outbound mail inspection prevents users from sending attachment documents and other files that contain proprietary corporate data.

This procedure describes how to edit the predefined list of SMTP commands that is installed with the SMTP filter. You cannot remove SMTP commands from the predefined list, but you can disable a command so that the filter will not consider the length of that command, or edit the maximum length for each command, thus adjusting the threshold above which the filter will not accept SMTP commands. You can also add simple SMTP commands, as described in SMTP Filter Procedure 2: Add SMTP Commands.

To configure SMTP filter buffer overflow thresholds:

1. In the console tree of ISA Server Management, click Configuration, and then click Add-ins.
   
2. In the details pane, on the Applications Filters tab, double-click SMTP Filter.
   
   
3. On the SMTP Commands tab, click the applicable command and then click Edit.
   
   
4. In the SMTP Command Rule dialog box, in Maximum Length, type the maximum length of the command line (in bytes) for the commands. Note that you can disable the command by clearing the Enable SMTP command check box.
   
5. Click OK to close the SMTP Command Rule dialog box.
   
6. Click OK to close the SMTP Filter Properties page.
   

This procedure describes how to add a simple SMTP command to be filtered by the SMTP filter. A simple SMTP command is a single command followed by a single response. Other types of SMTP commands are not supported.

To add an SMTP command:

1. In the console tree of ISA Server Management, click Configuration, and then click Add-ins.
   
2. In the details pane, on the Applications Filters tab, double-click SMTP Filter.
   
3. On the SMTP Commands tab, click Add.
   
4. In the SMTP Command Rule dialog box, in Command Name, type the name of the command.
   
5. In Maximum Length, type the maximum length of the command line (in bytes).
   
6. Click OK to close the SMTP Command Rule dialog box.
   
7. Click OK to close the SMTP Filter Properties page.
   

If an SMTP command is blocked because it violates one of the SMTP filter's conditions, the blocked message will only be logged when you enable the SMTP filter event alert. Follow these steps to enable the alert:

1. In the console tree of ISA Server Management, click Monitoring.
   
2. In the details pane, select the Alerts tab.
   
3. In the task pane, on the Tasks tab, click Configure Alert Definitions to open the Alert Properties page.
   
   
4. On the Alerts Definitions tab, double-click SMTP Filter event (or select SMTP Filter event and click Edit) to open the SMTP Filter event Properties page.
   
   
5. On the Events tab, you can set the alert action trigger thresholds, and on the Actions tab you can configure what action is taken when an alert is triggered. For more information see Alert Thresholds and Actions.
   
   
6. Click OK to close the properties page.
   

Alert Thresholds and Actions

Message Screener must be installed on an SMTP server running Internet Information Services (IIS) 6.0 or IIS 5.0. This server does not have to be the ISA Server computer. You can install Message Screener on a server in the Internal network, or in a perimeter network. If you install Message Screener on the Internal network, you can install it on the Exchange server, or you can install it on a different SMTP server.

Note:
If you install Message Screener in a perimeter network you must create access rules to allow communication between Message Screener, the SMTP filter on the ISA Server computer, and the mail server in the Internal network.

Follow these steps to install Message Screener:

1. Insert the ISA Server 2004 CD. The setup dialog box should appear automatically. If it does not appear, run ISAAutorun.exe from the root directory of the CD.
   
2. Click Install ISA Server 2004.
   
3. On the Welcome page, click Next.
   
4. On the License Agreement page, read the terms of the license agreement. If you agree with the terms, select I accept the terms in the license agreement, and click Next.
   
5. On the Customer Information page, provide the requested information and click Next.
   
6. On the Setup Type page, select Custom. You can click Change to install Message Screener in a location other than the default location. Click Next.
   
7. On the Custom Setup page, click the icon next to Firewall Services and select This feature will not be available. Do the same for ISA Server Management. These are the core services and tools of ISA Server 2004, which you would install on an ISA Server computer, rather than on the server running IIS that will host Message Screener.
   
   
8. Click the icon next to Message Screener and select This feature will be installed on local hard drive.
   
   
9. On the Ready to Install the Program page, click Install.
   
10. On the Installation Wizard Completed page, click Finish.
    

If you install Message Screener on any computer other than the Exchange server, you must configure the SMTP server to relay mail to the Exchange server. If you installed Message Screener on the Exchange server, omit this procedure.

If the ISA Server computer and the Exchange server are on the same network, or if the Exchange server has a route relationship with the network where you installed the ISA Server computer, Message Screener should relay mail directly to the IP address of the Exchange server (Step 8 in the procedure).

If the Exchange server has a network address translation (NAT) relationship with the network where you installed the ISA Server computer, Message Screener should relay mail to the ISA Server computer. In this scenario, the Exchange server must be published to the network in which Message Screener is located, through a listener on that network. You must configure Message Screener to relay the mail to the IP address of that listener.

This procedure takes place on the Message Screener computer:

1. Open the Internet Services Manager. Click Start, point to All Programs, point to Administrative Tools, and select Internet Information Services (IIS).
   
2. Expand the local computer node. Expand Default SMTP Virtual Server, right-click Domains, select New, and click Domain to open the New SMTP Domain Wizard.
   
3. On the Welcome page, verify that the default domain type, Remote, is selected, and then click Next.
   
4. On the Domain Name page, provide the domain name for the SMTP server, such as internal.fabrikam.com, and then click Finish.
   
5. In the Internet Information Services (IIS) Manager, click Domains. Right-click the new remote domain that you just created, and select Properties.
   
6. Click the General tab.
   
7. In Select the appropriate settings for your remote domain, click to select the Allow incoming mail to be relayed to this domain check box to allow the SMTP server to act as a mail relay.
   
8. Under Route domain, click Forward all mail to smart host, and then type the IP address or the fully qualified domain name (FQDN) of the internal network's corporate mail server. If you use an IP address, make sure that you use brackets "[]" to enclose the IP address. For example, [157.54.25.14].
   
9. Click OK.
   
10. Stop and start the SMTP virtual server. To do so, right-click Default SMTP Virtual Server, and then click Stop. After the virtual server stops, right-click Default SMTP Virtual Server again, and then click Start.
    

In this procedure you will publish your Message Screener SMTP server through the ISA Server computer. Follow these steps on the ISA Server computer to publish the SMTP server:

1. In the console tree of ISA Server Management, click Firewall Policy.
   
2. In the task pane, on the Tasks tab, click Publish a Mail Server.
   
3. On the Welcome page, provide a name for the rule, such as Publish Message Screener SMTP Server, and then click Next.
   
4. On the Select Access Type page, select Server-to-Server communication: SMTP, NNTP, and then click Next.
   
5. On the Select Services page, select SMTP and then click Next.
   
6. On the Select Server page, provide the IP address of the SMTP server, and then click Next.
   
7. On the IP Addresses page, select the network on which ISA Server will listen for requests for the SMTP server. Because your SMTP server is meant to receive e-mail messages from the Internet, you would typically select External. Click Next.
   
8. On the summary page, scroll through the rule configuration to make sure that you have configured the rule correctly, and click Finish.
   
9. In the ISA Server details pane, click Apply to apply the changes you have made.
   

Message Screener requires access rules for communication with the ISA Server computer and the mail server (if on a different network than the Message Screener computer). Follow these procedures to create the needed rules.

Creating a Message Screener to Local Host Access Rule

Creating an Outbound SMTP Traffic Access Rule

If you install Message Screener on a perimeter network, and the perimeter network has a route relationship with the Internal network, you must create an access rule allowing outbound SMTP traffic from the perimeter network to the Internal network. This access rule will also allow the Message Screener computer to access your corporate DNS server if it is located in the Internal network.

Note:
If the Internal network has a NAT relationship with the perimeter network, you must publish the mail server to the perimeter network, or at a minimum, to the Message Screener computer, using a mail server publishing rule. Publishing the Internal mail server is described in Appendix A: Publishing a Mail Server in a NAT Scenario.

To create the access rule:

1. In the Microsoft ISA Server Management console tree, select Firewall Policy.
   
2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.
   
3. On the Welcome page of the wizard, enter the name for the access rule, such as Outbound SMTP - Message Screener to Exchange, and then click Next.
   
4. On the Rule Action page, select Allow, and then click Next.
   
5. On the Protocols page, in This rule applies to, select Selected protocols and then use the Add button to open the Add Protocols dialog box.
   
6. In the Add Protocols dialog box, expand Mail, and select SMTP. Click Add, and then click Close to close the Add Protocols dialog box. On the Protocols page, click Next.
   
7. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select Internal, click Add, and then click Close. On the Access Rule Sources page, click Next.
   
8. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.
   

   Note:

   If you want to limit the access rule source to the Message Screener computer in the perimeter network, and the destination to the Exchange server (or front-end Exchange server) or other mail server, you can create two computer sets, one for each of those computers, and select those from the Add Network Entities dialog box on the Access Rule Sources and Access Rule Destinations pages. Remember that the Message Screener computer will also need access to your corporate DNS server, so either include the DNS server in the computer set with the mail server, or create the generic access rule from network to network.

9. On the User Sets page, leave the default user set All Users in place, and then click Next.
   
10. Review the information on the wizard summary page, and then click Finish.
    
11. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Remember that access rules are ordered, so if a deny rule matching SMTP access requests exists ahead of this allow rule in the order, access will be denied.
    

Enabling Access on the MS Firewall Control Protocol

You must create a user on the Message Screener computer with access to the ISA Server computer. Do this by running the SMTPCred.exe program. If the Message Screener is installed on the ISA Server computer, omit this step.

1. On the ISA Server 2004 CD, open the FPC\Program Files\Microsoft ISA Server directory, and double-click SMTPCred.exe. (You can also type SMTPCred.exe at a command prompt in the same directory.)
   
2. In the Message Screener Credentials dialog box, provide the name of the ISA Server computer (or the IP address of the ISA Server computer€™s network adapter connected to the Message Screener network), a username with administrative rights on the ISA Server computer, the user€™s domain, and the password.
   
   
3. Click Test to test the connection using those credentials, and OK to close the dialog box.
   

The Message Screener computer requires access to your corporate DNS server so that it can locate the internal mail server by name. If the DNS server is in the same network as the Message Screener computer, it will have access, and you do not have to make configuration changes to ISA Server. However, if the DNS server is in another network, such as the Internal network, you may need to create an access rule from the perimeter network to the Internal network to allow access. For more information, see Message Screener Procedure 4: Create Access Rules.

In this procedure you will configure Message Screener to screen for specific items:

1. In the console tree of ISA Server Management, expand Configuration and click Add-ins.
   
2. In the details pane, on the Applications Filters tab, double-click SMTP Filter to open the SMTP Filter Properties dialog box.
   
3. On the General tab, verify that Enable this filter is selected.
   
4. On the Keywords, Users/Domains, and Attachments tabs, you can configure the screening of e-mail messages:
   
   • On the Keywords tab, click Add to open the Mail Keyword Rule dialog box. On this dialog box, in Keyword, you can provide a string that Message Screener will look for in e-mail messages. You can select whether the action is applied if the keyword is found in the Message subject or body, Message subject, or Message body. You can select an action from the Action drop-down list: Delete message, Hold Message, or Forward message to. If you select Forward message to, in E-mail address provide the e-mail address to which the e-mail messages containing the keyword should be sent. Click OK after you have configured the keyword rule. You can then add additional keywords by clicking Add and repeating this step.
     
     
   • On the Users/Domains tab, you can add the names of senders or of entire domains for which e-mail messages will be blocked. To add a sender, in Sender€™s e-mail address type the sender€™s e-mail address in the format user@domain.com, and then click Add. To add a domain, in Domain name type the name of the domain in the format domain.com, and then click Add.
     
     
   • On the Attachments tab, click Add to open the Mail Attachment Rule dialog box. In this dialog box, you can select an attachment parameter that Message Screener will check: Attachment name, Attachment extension, or Attachment size limit. Then, provide a value for the parameter you selected. You can select an action from the Action drop-down list: Delete message, Hold Message, or Forward message to. If you select Forward message to, in E-mail address provide the e-mail address to which the e-mail messages containing the keyword should be sent. Click OK after you have configured the keyword rule. You can then add additional keywords by clicking Add and repeating this step. Click OK when you have configured the mail attachment rule. You can then add additional attachments by clicking Add and repeating this step.
     
     
5. After you configure Message Screener to screen e-mail messages based on keywords, users or domains, or attachments, click OK to close the SMTP Filter Properties dialog box.
   
6. In the ISA Server details pane, click Apply to apply the changes you have made.
   

When you use Message Screener, you will be publishing Message Screener to receive e-mail messages, rather than your Exchange server or other mail server. You therefore must configure your mail server to receive mail from the Message Screener computer. The procedure for doing so will differ depending on the type of mail server you are using. In the case of Exchange Server, you would use the Smart Host feature to indicate to the Exchange server to receive its mail from Message Screener.

If Message Screener is located on the same network as the mail server, you can point directly to the Message Screener computer.

If Message Screener is located on a network other than that which hosts the mail server, as in the case where Message Screener is in a perimeter network and the mail server is in the Internal network, use the following guidelines:

• If the perimeter network has a route relationship with the Internal network, the mail server can point directly to the IP address of the Message Screener computer.
  
• If there is a NAT relationship from the Internal network to the perimeter network, the mail server on the Internal network must be published to the perimeter network, so the mail server should point to the perimeter network adapter of the ISA Server computer. Publishing the Internal mail server is described in Appendix A: Publishing a Mail Server in a NAT Scenario.
  

1. On the summary page, scroll through the rule configuration to make sure that you have configured the rule correctly, and then click Finish.
   
2. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.