Using the ISA Server 2004 SMTP Filter and Message Screener

Microsoft® Internet Security and Acceleration (ISA) Server 2004 includes two components to help prevent mail relaying, the entry of viruses, and unwanted attachments on the network: the Simple Mail Transfer Protocol (SMTP) filter and Message Screener. Message Screener is an ISA Server optional component, which you can install separately from ISA Server and ISA Server Management.

ISA Server intercepts all SMTP traffic that arrives on port 25 of the ISA Server computer. The SMTP filter on the ISA Server computer accepts the traffic, inspects it, and passes it on, only if the rules allow it.

The SMTP filter examines SMTP commands sent by Internet SMTP servers and clients. This application layer filter can intercept SMTP commands and check whether they are larger than they should be. SMTP commands that are larger than the limits you configure in the SMTP filter are assumed to be attacks against the SMTP server and can be stopped by the SMTP filter.

Each SMTP command has a maximum length associated with it. This length represents the number of bytes allowed for each command. If an attacker sends a command that exceeds the number of bytes allowed for the command, ISA Server drops the connection and prevents the attacker from communicating with the corporate mail server.

When a client uses a command that is defined but disabled, the filter closes that connection. When a client uses a command that is unrecognized by the SMTP filter, no filtering is performed on that message.

The RFC considers the AUTH command as part of the MAIL FROM command. For this reason, the SMTP filter blocks a MAIL FROM command only when it exceeds the combined maximum length of the MAIL FROM and AUTH commands (when AUTH is enabled). For example, if you specify a maximum length of 266 bytes for MAIL FROM and 1024 bytes for AUTH, the message is blocked only if the MAIL FROM command exceeds 1290 bytes.

Note:
   We recommend that you not add the TURN command to the SMTP filter because the SMTP filter does not currently support filtering on that command.
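To make the length check concrete, here is an added model of the filter's decision logic in Python; it is not ISA Server code. Only the MAIL FROM (266 bytes) and AUTH (1024 bytes) limits come from the text above; the other command limits, the disabled VRFY entry and the sample session are constructed, and a disabled command is handled as the overview describes (the connection is closed).

```python
"""Model of the ISA Server 2004 SMTP filter's command-length check.
Added example, not ISA Server code.  Only the MAIL FROM (266) and
AUTH (1024) limits come from the text; all other values are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DROP = "drop"              # filter closes the client connection
PASS = "pass"              # command forwarded to the published SMTP server
UNFILTERED = "unfiltered"  # verb unknown to the filter: no length check at all


@dataclass
class CommandRule:
    max_length: int       # bytes allowed for the whole command line
    enabled: bool = True  # defined but disabled: the filter closes the connection


class SmtpFilter:
    def __init__(self, rules: Dict[str, CommandRule]) -> None:
        # Longest names first, so "MAIL FROM" is tried before a shorter prefix.
        self.rules = dict(sorted(rules.items(), key=lambda kv: -len(kv[0])))

    def _match(self, line: bytes) -> Tuple[Optional[str], Optional[CommandRule]]:
        head = line.upper()
        for name, rule in self.rules.items():
            if head.startswith(name.encode("ascii")):
                return name, rule
        return None, None

    def limit_for(self, name: str) -> int:
        """Effective limit for a command.  As the text explains, AUTH counts as
        part of MAIL FROM, so MAIL FROM is blocked only above the sum of both
        limits while AUTH is enabled (266 + 1024 = 1290 in the text's example)."""
        limit = self.rules[name].max_length
        auth = self.rules.get("AUTH")
        if name == "MAIL FROM" and auth is not None and auth.enabled:
            limit += auth.max_length
        return limit

    def check(self, line: bytes) -> Tuple[str, str]:
        """Return (verdict, reason) for one raw command line (CRLF stripped)."""
        name, rule = self._match(line)
        if rule is None:
            return UNFILTERED, "command is not in the filter list"
        if not rule.enabled:
            return DROP, f"{name} is disabled in the SMTP filter"
        limit = self.limit_for(name)
        if len(line) > limit:
            return DROP, f"{name} line is {len(line)} bytes, limit is {limit}"
        return PASS, f"{name} line is within {limit} bytes"


def default_filter() -> SmtpFilter:
    """Constructed rule set; only MAIL FROM and AUTH use the text's values."""
    return SmtpFilter({
        "HELO": CommandRule(266),
        "EHLO": CommandRule(266),
        "MAIL FROM": CommandRule(266),
        "RCPT TO": CommandRule(266),
        "AUTH": CommandRule(1024),
        "DATA": CommandRule(6),
        "VRFY": CommandRule(266, enabled=False),  # disabled on purpose
    })


def screen_session(lines: List[bytes]) -> List[Tuple[str, str, str]]:
    """Feed a command sequence through the filter; a DROP ends the session,
    just as the filter closes the connection on the first violation."""
    smtp_filter = default_filter()
    log = []
    for line in lines:
        verdict, reason = smtp_filter.check(line)
        log.append((line[:24].decode("ascii", "replace"), verdict, reason))
        if verdict == DROP:
            break
    return log


if __name__ == "__main__":
    # Constructed session: the oversized RCPT TO line ends the connection.
    for entry in screen_session([
        b"EHLO mail.example.net",
        b"MAIL FROM:<alice@example.net>",
        b"RCPT TO:<" + b"x" * 300 + b"@example.com>",
        b"DATA",
    ]):
        print(entry)
```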

The SMTP filter can work in conjunction with Message Screener, to provide deeper content inspection. The SMTP filter filters all SMTP traffic that arrives at the ISA Server computer that matches a server publishing rule on the SMTP protocol.

Message Screener

Message Screener works together with the SMTP filter, to intercept all SMTP traffic arriving on TCP port 25 of the ISA Server computer. Message Screener is designed for filtering spam. Using Message Screener, you can filter e-mail messages based on keywords or attachments, or block e-mail messages from specific senders and domains. Message Screener must be installed on an SMTP server running Internet Information Services (IIS) 6.0 or IIS 5.0. You can install Message Screener in the Internal network, where we recommend you install your Exchange servers, in a perimeter network, or on the ISA Server computer. We recommend that you install Message Screener in a perimeter network, because this provides an additional layer of protection between the Internet and your mail servers.

When you use Message Screener, you will be publishing Message Screener to receive e-mail messages, rather than your Exchange server or other mail server. You therefore must configure your mail server to receive mail from the Message Screener computer.

Important:
   We do not recommend that you use Message Screener together with Exchange Server 2003, because Message Screener will interfere with the functioning of the Exchange Server Connection and Recipient Filtering feature. The SMTP filter can be used with Exchange Server 2003.

The Message Screener component can filter incoming mail based on:

  • Value sent in the MAIL FROM SMTP command, used for Sender and Domain name filtering.
  • Content-Disposition header field for each attachment. This field commonly contains the attachment file name and extension. Message Screener can filter attachments by extension, by name, or by size.
  • Message subject, body of either text/plain or text/html content type.

Message Screener can be configured to hold the e-mail message for later inspection or forward the message to a security administrator's account for further examination and analysis.

Consider, for example, a common virus that sends e-mail messages containing a specific keyword. You can configure Message Screener to take one of three actions when an e-mail message with this keyword is received:

  • Delete the message
  • Hold the message
  • Forward the message
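The following added Python example (not ISA Server code) models the three Message Screener checks listed above and the three actions: it filters on the MAIL FROM envelope value, on the attachment name, extension and size taken from Content-Disposition, and on keywords in the subject or the text/plain and text/html body. The blocked sender, blocked domain, keyword, attachment rules and the sample message are all constructed.

```python
"""Rule engine modelled on the Message Screener checks described above.
Added example, not ISA Server code.  The block lists, keyword, attachment
rules and the sample message are all constructed."""

import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

DELETE, HOLD, FORWARD, ACCEPT = "delete", "hold", "forward", "accept"


class KeywordRule:
    def __init__(self, keyword: str, where: str, action: str,
                 forward_to: Optional[str] = None) -> None:
        self.keyword = keyword.lower()
        self.where = where  # "subject", "body" or "subject_or_body"
        self.action, self.forward_to = action, forward_to


class AttachmentRule:
    def __init__(self, kind: str, value, action: str,
                 forward_to: Optional[str] = None) -> None:
        self.kind = kind    # "name", "extension" or "size_limit" (bytes)
        self.value = value
        self.action, self.forward_to = action, forward_to


class MessageScreener:
    def __init__(self, blocked_senders: List[str], blocked_domains: List[str],
                 keyword_rules: List[KeywordRule],
                 attachment_rules: List[AttachmentRule]) -> None:
        self.blocked_senders = {s.lower() for s in blocked_senders}
        self.blocked_domains = {d.lower() for d in blocked_domains}
        self.keyword_rules = keyword_rules
        self.attachment_rules = attachment_rules

    def screen(self, mail_from: str, raw: bytes) -> Tuple[str, str]:
        """Return (action, reason) for one message given its envelope sender."""
        # 1. Sender/domain filtering uses the MAIL FROM value, not the From: header.
        addr = mail_from.strip("<>").lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr in self.blocked_senders or domain in self.blocked_domains:
            return DELETE, f"envelope sender {addr} is blocked"
        msg = email.message_from_bytes(raw, policy=policy.default)
        # 2. Attachments: name from Content-Disposition, size from the decoded payload.
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            size = len(part.get_payload(decode=True) or b"")
            for rule in self.attachment_rules:
                hit = ((rule.kind == "name" and name == rule.value.lower())
                       or (rule.kind == "extension"
                           and name.endswith("." + rule.value.lower()))
                       or (rule.kind == "size_limit" and size > rule.value))
                if hit:
                    return rule.action, f"attachment {name!r} matched {rule.kind} rule"
        # 3. Keywords: the subject and the text/plain or text/html body parts.
        subject = (msg["Subject"] or "").lower()
        body = self._text_body(msg).lower()
        for rule in self.keyword_rules:
            in_subject = rule.keyword in subject
            in_body = rule.keyword in body
            if ((rule.where == "subject" and in_subject)
                    or (rule.where == "body" and in_body)
                    or (rule.where == "subject_or_body" and (in_subject or in_body))):
                target = f" to {rule.forward_to}" if rule.action == FORWARD else ""
                return rule.action, f"keyword {rule.keyword!r} in {rule.where}{target}"
        return ACCEPT, "no rule matched"

    @staticmethod
    def _text_body(msg: EmailMessage) -> str:
        texts = []
        for part in msg.walk():
            if (part.get_content_type() in ("text/plain", "text/html")
                    and not part.is_attachment()):
                texts.append(part.get_content())
        return "\n".join(texts)


def build_sample(subject: str, body: str, attachment_name: str,
                 attachment_size: int = 64) -> bytes:
    """Constructed test message with one binary attachment of the given size."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def default_screener() -> MessageScreener:
    """Constructed policy: delete mail from a spam domain or with .exe files,
    hold large files, forward mail carrying the virus keyword to a security mailbox."""
    return MessageScreener(
        blocked_senders=["spammer@example.net"],
        blocked_domains=["spam.example"],
        keyword_rules=[KeywordRule("win a prize", "subject_or_body", FORWARD,
                                   forward_to="secadmin@example.com")],
        attachment_rules=[AttachmentRule("extension", "exe", DELETE),
                          AttachmentRule("size_limit", 2048, HOLD)],
    )
```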

Logging Blocked Messages

Messages that are allowed or blocked by Message Screener are logged locally to a file on the machine running Message Screener. The file is located by default in %ProgramFiles%\Microsoft ISA Server\ISALogs.

Note:
   Application layer inspection of outbound mail is also possible. An organization may wish to block outgoing viruses and worms in an effort to protect other Internet connected networks. In addition, outbound mail inspection prevents users from sending attachment documents and other files that contain proprietary corporate data.

Scenarios in which the SMTP filter and Message Screener must be configured are provided in the sections that follow.

SMTP Filter Scenarios

You can configure the SMTP filter to address these example scenarios:

  • You want to adjust the maximum length of an SMTP command allowed by the SMTP filter.
  • You encounter a new SMTP command that is vulnerable to attack if the maximum command length is exceeded.

Message Screener Scenarios

You can configure Message Screener to address these example scenarios:

  • You want to block e-mail messages containing a specific string, because that string is associated with a virus-carrying e-mail message.
  • You want to block e-mail messages containing a specific attachment, or type of attachment, known to be a source of viral infection.
  • You want to block a specific domain which is a source of spam.
  • You want to block specific outgoing mail. If you install Message Screener in a perimeter network, you can configure Message Screener to block specific outgoing mail. This configuration is described in Screening Outgoing E-Mail Messages Using Message Screener.

These solutions describe how to configure the SMTP filter and Message Screener to address the provided scenarios.

SMTP Filter Walk-through

This walk-through describes how to configure the SMTP filter to filter SMTP commands.

SMTP Filter Procedure 1: Configure SMTP Filter Buffer Overflow Thresholds

This procedure describes how to edit the predefined list of SMTP commands that is installed with the SMTP filter. You cannot remove SMTP commands from the predefined list, but you can disable a command so that the filter will not consider the length of that command, or edit the maximum length for each command, thus adjusting the threshold above which the filter will not accept SMTP commands. You can also add simple SMTP commands, as described in SMTP Filter Procedure 2: Add SMTP Commands.

To configure SMTP filter buffer overflow thresholds:

  1. In the console tree of ISA Server Management, click Configuration, and then click Add-ins.
  2. In the details pane, on the Applications Filters tab, double-click SMTP Filter.
  3. On the SMTP Commands tab, click the applicable command and then click Edit.
  4. In the SMTP Command Rule dialog box, in Maximum Length, type the maximum length of the command line (in bytes) for the commands. Note that you can disable the command by clearing the Enable SMTP command check box.
  5. Click OK to close the SMTP Command Rule dialog box.
  6. Click OK to close the SMTP Filter Properties page.

SMTP Filter Procedure 2: Add SMTP Commands

This procedure describes how to add a simple SMTP command to be filtered by the SMTP filter. A simple SMTP command is a single command followed by a single response. Other types of SMTP commands are not supported.

To add an SMTP command:

  1. In the console tree of ISA Server Management, click Configuration, and then click Add-ins.
  2. In the details pane, on the Applications Filters tab, double-click SMTP Filter.
  3. On the SMTP Commands tab, click Add.
  4. In the SMTP Command Rule dialog box, in Command Name, type the name of the command.
  5. In Maximum Length, type the maximum length of the command line (in bytes).
  6. Click OK to close the SMTP Command Rule dialog box.
  7. Click OK to close the SMTP Filter Properties page.

SMTP Filter Procedure 3: Log Blocked E-Mail Messages

If an SMTP command is blocked because it violates one of the SMTP filter's conditions, the blocked message will only be logged when you enable the SMTP filter event alert. Follow these steps to enable the alert:

  1. In the console tree of ISA Server Management, click Monitoring.
  2. In the details pane, select the Alerts tab.
  3. In the task pane, on the Tasks tab, click Configure Alert Definitions to open the Alert Properties page.
  4. On the Alerts Definitions tab, double-click SMTP Filter event (or select SMTP Filter event and click Edit) to open the SMTP Filter event Properties page.
  5. On the Events tab, you can set the alert action trigger thresholds, and on the Actions tab you can configure what action is taken when an alert is triggered. For more information see Alert Thresholds and Actions.
  6. Click OK to close the properties page.

Alert Thresholds and Actions

Thresholds determine when the alert action will be performed:

  • How many times per second the event will occur before issuing an alert (also called the event frequency threshold).
  • How many events will occur before the alert is issued.
  • How long to wait before issuing the alert again.

You can set one or more of the following actions to be performed when an alert condition is met:

  • Send an e-mail message.
  • Run a specific action.
  • Log the event in the Windows event log.
  • Stop or start the Microsoft Firewall service or Scheduled Content Download service.

You can configure which credentials will be used when an application is executed. Use the Local Security Policy to configure user privileges.

Message Screener Walk-through

This walk-through assumes that you will install Message Screener in a perimeter network that has a route relationship defined with the network containing the mail server. Using Message Screener requires that you complete the following procedures:

  1. Install Message Screener.
  2. Configure SMTP Relay on the Message Screener computer.
  3. Create an SMTP publishing rule on the ISA Server computer, publishing the Message Screener computer to the External network (the Internet) on the SMTP protocol.
  4. Create access rules. One rule should allow the Message Screener computer access to the Local Host network (the ISA Server computer), using the MS Firewall Control protocol. This rule allows Message Screener to pass its credentials to the ISA Server computer, and to be aware of changes to the ISA Server configuration. Another rule should allow Message Screener in the perimeter network to access the internal mail server. (This is not needed if you install Message Screener in the same network as the mail server.)
  5. Configure credentials on the Message Screener computer using SMTPCred.exe. If Message Screener is installed on the ISA Server computer, omit this step.
  6. Ensure that the Message Screener computer has access to a DNS server, so that it can locate by name the corporate mail server to which it must forward e-mail messages.
  7. Configure Message Screener to block specific types of messages.
  8. Configure your mail server to receive mail from the Message Screener computer.
    Note:
       If you install Message Screener in a perimeter network, you can also configure Message Screener to block specific outgoing mail. This configuration is described in Screening Outgoing E-Mail Messages Using Message Screener.

Message Screener Procedure 1: Install Message Screener

Message Screener must be installed on an SMTP server running Internet Information Services (IIS) 6.0 or IIS 5.0. This server does not have to be the ISA Server computer. You can install Message Screener on a server in the Internal network, or in a perimeter network. If you install Message Screener on the Internal network, you can install it on the Exchange server, or you can install it on a different SMTP server.

Note:
   If you install Message Screener in a perimeter network you must create access rules to allow communication between Message Screener, the SMTP filter on the ISA Server computer, and the mail server in the Internal network.

Follow these steps to install Message Screener:

  1. Insert the ISA Server 2004 CD. The setup dialog box should appear automatically. If it does not appear, run ISAAutorun.exe from the root directory of the CD.
  2. Click Install ISA Server 2004.
  3. On the Welcome page, click Next.
  4. On the License Agreement page, read the terms of the license agreement. If you agree with the terms, select I accept the terms in the license agreement, and click Next.
  5. On the Customer Information page, provide the requested information and click Next.
  6. On the Setup Type page, select Custom. You can click Change to install Message Screener in a location other than the default location. Click Next.
  7. On the Custom Setup page, click the icon next to Firewall Services and select This feature will not be available. Do the same for ISA Server Management. These are the core services and tools of ISA Server 2004, which you would install on an ISA Server computer, rather than on the server running IIS that will host Message Screener.
  8. Click the icon next to Message Screener and select This feature will be installed on local hard drive.
  9. On the Ready to Install the Program page, click Install.
  10. On the Installation Wizard Completed page, click Finish.

Message Screener Procedure 2: Configure SMTP Relay on the Message Screener Computer

If you install Message Screener on any computer other than the Exchange server, you must configure the SMTP server to relay mail to the Exchange server. If you installed Message Screener on the Exchange server, omit this procedure.

If the ISA Server computer and the Exchange server are on the same network, or if the Exchange server has a route relationship with the network where you installed the ISA Server computer, Message Screener should relay mail directly to the IP address of the Exchange server (Step 8 in the procedure).

If the Exchange server has a network address translation (NAT) relationship with the network where you installed the ISA Server computer, Message Screener should relay mail to the ISA Server computer. In this scenario, the Exchange server must be published to the network in which Message Screener is located, through a listener on that network. You must configure Message Screener to relay the mail to the IP address of that listener.

This procedure takes place on the Message Screener computer:

  1. Open the Internet Services Manager. Click Start, point to All Programs, point to Administrative Tools, and select Internet Information Services (IIS).
  2. Expand the local computer node. Expand Default SMTP Virtual Server, right-click Domains, select New, and click Domain to open the New SMTP Domain Wizard.
  3. On the Welcome page, verify that the default domain type, Remote, is selected, and then click Next.
  4. On the Domain Name page, provide the domain name for the SMTP server, such as internal.fabrikam.com, and then click Finish.
  5. In the Internet Information Services (IIS) Manager, click Domains. Right-click the new remote domain that you just created, and select Properties.
  6. Click the General tab.
  7. In Select the appropriate settings for your remote domain, click to select the Allow incoming mail to be relayed to this domain check box to allow the SMTP server to act as a mail relay.
  8. Under Route domain, click Forward all mail to smart host, and then type the IP address or the fully qualified domain name (FQDN) of the internal network's corporate mail server. If you use an IP address, make sure that you use brackets "[]" to enclose the IP address. For example, [157.54.25.14].
  9. Click OK.
  10. Stop and start the SMTP virtual server. To do so, right-click Default SMTP Virtual Server, and then click Stop. After the virtual server stops, right-click Default SMTP Virtual Server again, and then click Start.

Message Screener Procedure 3: Publish the SMTP Server

In this procedure you will publish your Message Screener SMTP server through the ISA Server computer. Follow these steps on the ISA Server computer to publish the SMTP server:

  1. In the console tree of ISA Server Management, click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Publish a Mail Server.
  3. On the Welcome page, provide a name for the rule, such as Publish Message Screener SMTP Server, and then click Next.
  4. On the Select Access Type page, select Server-to-Server communication: SMTP, NNTP, and then click Next.
  5. On the Select Services page, select SMTP and then click Next.
  6. On the Select Server page, provide the IP address of the SMTP server, and then click Next.
  7. On the IP Addresses page, select the network on which ISA Server will listen for requests for the SMTP server. Because your SMTP server is meant to receive e-mail messages from the Internet, you would typically select External. Click Next.
  8. On the summary page, scroll through the rule configuration to make sure that you have configured the rule correctly, and click Finish.
  9. In the ISA Server details pane, click Apply to apply the changes you have made.

Message Screener Procedure 4: Create Access Rules

Message Screener requires access rules for communication with the ISA Server computer and the mail server (if on a different network than the Message Screener computer). Follow these procedures to create the needed rules.

Creating a Message Screener to Local Host Access Rule

The Message Screener computer requires access to the Local Host network (the ISA Server computer), using the MS Firewall Control protocol. This rule allows Message Screener to pass its credentials to the ISA Server computer.

To create the access rule:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.
  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.
  3. On the Welcome page of the wizard, enter the name for the access rule, such as Message Screener to Local Host, and then click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, in This rule applies to, select Selected protocols and then use the Add button to open the Add Protocols dialog box.
  6. In the Add Protocols dialog box, expand All Protocols, and select MS Firewall Control. Click Add, and then click Close to close the Add Protocols dialog box. On the Protocols page, click Next.
  7. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select the perimeter network containing the Message Screener computer, click Add, and then click Close. On the Access Rule Sources page, click Next.
  8. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the Local Host network (the ISA Server computer), click Add, and then click Close. On the Access Rule Destinations page, click Next.
    Note:
       If you want to limit the access rule source to the Message Screener computer in the perimeter network, you can create a computer set containing the Message Screener computer and select it from the Add Network Entities dialog box on the Access Rule Sources page.
  9. On the User Sets page, leave the default user set All Users in place, and then click Next.
  10. Review the information on the wizard summary page, and then click Finish.
  11. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Remember that access rules are ordered, so if a deny rule matching SMTP access requests exists ahead of this allow rule in the order, access will be denied.

Creating an Outbound SMTP Traffic Access Rule

If you install Message Screener on a perimeter network, and the perimeter network has a route relationship with the Internal network, you must create an access rule allowing outbound SMTP traffic from the perimeter network to the Internal network. This access rule will also allow the Message Screener computer to access your corporate DNS server if it is located in the Internal network.

Note:
   If the Internal network has a NAT relationship with the perimeter network, you must publish the mail server to the perimeter network, or at a minimum, to the Message Screener computer, using a mail server publishing rule. Publishing the Internal mail server is described in Appendix A: Publishing a Mail Server in a NAT Scenario.

To create the access rule:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.
  2. In the task pane, on the Tasks tab, select Create New Access Rule to start the New Access Rule Wizard.
  3. On the Welcome page of the wizard, enter the name for the access rule, such as Outbound SMTP - Message Screener to Exchange, and then click Next.
  4. On the Rule Action page, select Allow, and then click Next.
  5. On the Protocols page, in This rule applies to, select Selected protocols and then use the Add button to open the Add Protocols dialog box.
  6. In the Add Protocols dialog box, expand Mail, and select SMTP. Click Add, and then click Close to close the Add Protocols dialog box. On the Protocols page, click Next.
  7. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select Internal, click Add, and then click Close. On the Access Rule Sources page, click Next.
  8. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.
    Note:
       If you want to limit the access rule source to the Message Screener computer in the perimeter network, and the destination to the Exchange server (or front-end Exchange server) or other mail server, you can create two computer sets, one for each of those computers, and select those from the Add Network Entities dialog box on the Access Rule Sources and Access Rule Destinations pages. Remember that the Message Screener computer will also need access to your corporate DNS server, so either include the DNS server in the computer set with the mail server, or create the generic access rule from network to network.
  9. On the User Sets page, leave the default user set All Users in place, and then click Next.
  10. Review the information on the wizard summary page, and then click Finish.
  11. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Remember that access rules are ordered, so if a deny rule matching SMTP access requests exists ahead of this allow rule in the order, access will be denied.

Enabling Access on the MS Firewall Control Protocol

Message Screener requires access to the ISA Server computer on the MS Firewall Control protocol. A system policy rule allowing access from the Remote Management Computers computer set to the Local Host on the MS Firewall Control protocol already exists. You must add the Message Screener computer to the Remote Management Computers computer set so that the rule will apply to it:

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
  2. In the task pane, on the Toolbox tab, select Network Objects, expand Computer Sets, and double-click the Remote Management Computers computer set.
  3. Click Add, and from the drop-down list select Computer to open the New Computer Rule Element dialog box.
  4. Provide the name and IP address for the Message Screener computer, and then click OK.
  5. In the Firewall Policy details pane, click Apply to apply the change.

Message Screener Procedure 5: Configure Credentials on the Message Screener Computer

You must create a user on the Message Screener computer with access to the ISA Server computer. Do this by running the SMTPCred.exe program. If the Message Screener is installed on the ISA Server computer, omit this step.

  1. On the ISA Server 2004 CD, open the FPC\Program Files\Microsoft ISA Server directory, and double-click SMTPCred.exe. (You can also type SMTPCred.exe at a command prompt in the same directory.)
  2. In the Message Screener Credentials dialog box, provide the name of the ISA Server computer (or the IP address of the ISA Server computer's network adapter connected to the Message Screener network), a username with administrative rights on the ISA Server computer, the user's domain, and the password.
  3. Click Test to test the connection using those credentials, and OK to close the dialog box.

Message Screener Procedure 6: Enable DNS Server Access for the Message Screener Computer

The Message Screener computer requires access to your corporate DNS server so that it can locate the internal mail server by name. If the DNS server is in the same network as the Message Screener computer, it will have access, and you do not have to make configuration changes to ISA Server. However, if the DNS server is in another network, such as the Internal network, you may need to create an access rule from the perimeter network to the Internal network to allow access. For more information, see Message Screener Procedure 4: Create Access Rules.

Message Screener Procedure 7: Configure Message Screener

In this procedure you will configure Message Screener to screen for specific items:

  1. In the console tree of ISA Server Management, expand Configuration and click Add-ins.
  2. In the details pane, on the Applications Filters tab, double-click SMTP Filter to open the SMTP Filter Properties dialog box.
  3. On the General tab, verify that Enable this filter is selected.
  4. On the Keywords, Users/Domains, and Attachments tabs, you can configure the screening of e-mail messages:
    • On the Keywords tab, click Add to open the Mail Keyword Rule dialog box. On this dialog box, in Keyword, you can provide a string that Message Screener will look for in e-mail messages. You can select whether the action is applied if the keyword is found in the Message subject or body, Message subject, or Message body. You can select an action from the Action drop-down list: Delete message, Hold Message, or Forward message to. If you select Forward message to, in E-mail address provide the e-mail address to which the e-mail messages containing the keyword should be sent. Click OK after you have configured the keyword rule. You can then add additional keywords by clicking Add and repeating this step.
    • On the Users/Domains tab, you can add the names of senders or of entire domains for which e-mail messages will be blocked. To add a sender, in Sender's e-mail address type the sender's e-mail address in the format user@domain.com, and then click Add. To add a domain, in Domain name type the name of the domain in the format domain.com, and then click Add.
    • On the Attachments tab, click Add to open the Mail Attachment Rule dialog box. In this dialog box, you can select an attachment parameter that Message Screener will check: Attachment name, Attachment extension, or Attachment size limit. Then, provide a value for the parameter you selected. You can select an action from the Action drop-down list: Delete message, Hold Message, or Forward message to. If you select Forward message to, in E-mail address provide the e-mail address to which the e-mail messages containing the matching attachment should be sent. Click OK when you have configured the mail attachment rule. You can then add additional attachment rules by clicking Add and repeating this step.
  5. After you configure Message Screener to screen e-mail messages based on keywords, users or domains, or attachments, click OK to close the SMTP Filter Properties dialog box.
  6. In the ISA Server details pane, click Apply to apply the changes you have made.

Message Screener Procedure 8: Configure your Mail Server to Receive Mail from the Message Screener Computer

When you use Message Screener, you will be publishing Message Screener to receive e-mail messages, rather than your Exchange server or other mail server. You therefore must configure your mail server to receive mail from the Message Screener computer. The procedure for doing so will differ depending on the type of mail server you are using. In the case of Exchange Server, you would use the Smart Host feature to indicate to the Exchange server to receive its mail from Message Screener.

If Message Screener is located on the same network as the mail server, you can point directly to the Message Screener computer.

If Message Screener is located on a network other than that which hosts the mail server, as in the case where Message Screener is in a perimeter network and the mail server is in the Internal network, use the following guidelines:

  • If the perimeter network has a route relationship with the Internal network, the mail server can point directly to the IP address of the Message Screener computer.
  • If there is a NAT relationship from the Internal network to the perimeter network, the mail server on the Internal network must be published to the perimeter network, so the mail server should point to the perimeter network adapter of the ISA Server computer. Publishing the Internal mail server is described in Appendix A: Publishing a Mail Server in a NAT Scenario.

Screening Outgoing E-Mail Messages Using Message Screener

If you install Message Screener in a perimeter network, you can also configure Message Screener to block specific outgoing mail. To do so, configure your Internal Exchange server (or other mail server) to route outgoing mail through Message Screener. Message Screener will then receive all outgoing mail before it is forwarded to the Internet, and will screen the outgoing mail according to the configuration you created in Message Screener Procedure 7: Configure Message Screener.

If you installed Message Screener on a computer that is in a different network than your Exchange server, you will also create an access rule allowing access from the Exchange server (or its containing network) to the Message Screener computer (or its containing network).

Some scenarios in which you may want to block outgoing mail are:

  • Block outgoing mail containing video files, to reduce the use of bandwidth for forwarding television commercials to friends.
  • Block outgoing mail that contains viruses and worms in an effort to protect other Internet connected networks.
  • Prevent users from sending attachment documents and other files that contain proprietary corporate data.

Because the Message Screener configuration applies consistently to all e-mail messages that pass through Message Screener, any configuration changes to Message Screener will also apply to incoming e-mail messages.

Appendix A: Publishing a Mail Server in a NAT Scenario

When you use Message Screener, you will be publishing Message Screener to receive e-mail messages, rather than your Exchange server or other mail server. You therefore must configure your mail server to receive mail from the Message Screener computer. If there is a network address translation (NAT) relationship from the Internal network to the perimeter network, the mail server on the Internal network must be published to the perimeter network, so the mail server should point to the perimeter network adapter of the ISA Server computer.

To publish the mail server on the Internal network to the Message Screener computer on the perimeter network, create a new mail publishing rule using the New Mail Server Publishing Rule Wizard:

  1. Expand Microsoft ISA Server Management and click Firewall Policy.
  2. In the Firewall Policy task pane, on the Tasks tab, select Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.
  3. On the Welcome page of the wizard, provide a name for the rule, such as Inbound SMTP from Message Screener, and then click Next.
  4. On the Select Access Type page, select Server-to-server communication: SMTP, NNTP and then click Next.
  5. On the Select Services page, select SMTP, and then click Next.
  6. On the Select Server page, provide the IP address of the Exchange server, and then click Next.
  7. On the IP Addresses page, select the network on which ISA Server will listen for requests. Because you want to receive communication from the perimeter network, select the perimeter network, and then click Next.
  8. On the summary page, scroll through the rule configuration to make sure that you have configured the rule correctly, and then click Finish.
  9. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.
© 2014 Microsoft