Using ISA Server 2004 Enterprise Edition with Exchange Server 2003

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition and Microsoft Exchange Server 2003 are designed to work closely together in your network environment to provide a secure messaging environment.

This article describes how to deploy ISA Server 2004 as your advanced firewall server to protect your messaging environment.

ISA Server 2004 and Exchange Server 2003

ISA Server acts as an advanced firewall that controls Internet traffic between the multiple networks that are connected to it, through its multi-networking feature. In the Exchange scenario, ISA Server controls traffic entering your Internal corporate network and outbound communication from your messaging environment. When you use ISA Server to handle all inbound requests from client applications such as Microsoft Office Outlook® 2003 and Outlook Web Access, your Exchange front-end servers no longer need to be located in the perimeter network: the only host reachable from the Internet is the ISA Server computer, and your Exchange servers are never contacted directly by external clients.

Note

Although you remove your Exchange front-end servers from the perimeter network, they still act as front-end servers inside your Internal corporate network.

All inbound Internet traffic bound for your Exchange servers, such as Microsoft Office Outlook Web Access, remote procedure call (RPC) over Hypertext Transfer Protocol (HTTP) communication from Microsoft Office Outlook 2003 clients, Outlook Mobile Access, Post Office Protocol version 3 (POP3), and Internet Message Access Protocol version 4rev1 (IMAP4), is processed by ISA Server. When ISA Server receives a request from a client application such as Outlook 2003 to access information on an Exchange server, it routes the request to the appropriate Exchange server on your Internal network. The internal Exchange server returns the requested data to ISA Server, and ISA Server then sends the information to the client over the Internet.

ISA Server Features

ISA Server 2004 includes several features that complement and ease the publishing of Exchange servers.

New Mail Server Publishing Wizard

The New Mail Server Publishing Wizard allows you to easily configure rules that publish:

  • Web client access
  • Client access
  • Server-to-server communication: Simple Mail Transfer Protocol (SMTP) and Network News Transfer Protocol (NNTP)

Web client access

Web client access includes:

  • Outlook Web Access. Outlook Web Access gives users Secure Sockets Layer (SSL)-secured access through a supported Web browser to their e-mail, calendar, group scheduling, and public folder information on computers running Exchange Server.
  • Outlook Mobile Access. Outlook Mobile Access provides users with access to Exchange mailbox information from mobile devices.
  • Exchange ActiveSync. Exchange ActiveSync® allows you to synchronize your Exchange mailboxes directly and with high levels of security to Microsoft Windows Mobile™-powered devices such as Pocket PC 2003, Pocket PC 2002, Pocket PC Phone Edition, and Windows Powered Smartphone.

Publication of Web client access services is described in the document Outlook Web Access Server Publishing in ISA Server 2004 (https://www.microsoft.com).

ISA Server also enables you to publish an RPC Proxy server so that Microsoft Office Outlook 2003 clients can access their mailboxes using RPC over HTTP.

Client access

ISA Server enables you to publish Exchange to allow direct client access on these protocols:

  • RPC
  • IMAP
  • POP3
  • SMTP (to allow sending of e-mail messages)

Server-to-server communication

The New Mail Server Publishing Wizard enables you to publish a server on SMTP, Secure SMTP, and NNTP so that other servers can communicate with the published server.

SMTP filter and Message Screener

ISA Server includes components that help prevent mail relaying, the entry of viruses, and unwanted attachments on the network: the SMTP filter and Message Screener.

The purpose of the SMTP filter is to filter SMTP command verbs by intercepting all SMTP traffic that arrives on port 25. The SMTP application filter is installed with ISA Server and is always located on the ISA Server computer. When SMTP traffic arrives at the ISA Server computer, the traffic is analyzed against the rules, and forwarded if allowed by the rules and the filter.

Important

We do not recommend that you use Message Screener with Exchange Server 2003, because Message Screener will interfere with the functioning of the Exchange Server Connection and Recipient Filtering feature. The SMTP filter can be used with Exchange Server 2003.

The purpose of Message Screener is to filter keywords and attachments, and to prevent specific users or domains from accessing the network. SMTP Message Screener must be installed on an Internet Information Services (IIS) 6.0 or IIS 5.0 SMTP server. This server does not have to be the ISA Server computer. For example, Message Screener could be installed on the ISA Server computer, on the Exchange Server computer, or on any other IIS 6.0 or IIS 5.0 SMTP server in the Internal network or in a perimeter network.

Installation and configuration of the SMTP filter and Message Screener are described in the document Using the ISA Server 2004 Enterprise Edition SMTP Filter and Message Screener (https://www.microsoft.com).
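The following Python model is added here as an illustration and is not ISA Server code. It shows the two decisions this section attributes to the SMTP filter: whether a command verb is allowed at all, and, on the RCPT TO command, whether accepting the recipient would turn the published server into an open relay for an external sender. The allowed and blocked verb sets, the per-verb length limits, the list of local domains, and the sample session are assumptions constructed for the example.

```python
"""Model of the command-level decisions an SMTP application filter makes.

Added example, not ISA Server code. The verb sets, per-verb length
limits, local domain list and sample session below are assumptions
constructed for the illustration.
"""
import re

# Verbs needed to accept inbound mail (assumed policy).
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                 "QUIT", "STARTTLS"}
# Verbs that enumerate users or trigger queue delivery; blocked outright.
BLOCKED_VERBS = {"VRFY", "EXPN", "TURN", "ETRN", "DEBUG"}
# Assumed maximum length per command line, including arguments.
MAX_LEN = {"HELO": 255, "EHLO": 255, "MAIL": 320, "RCPT": 320}
DEFAULT_MAX_LEN = 512
# Domains this server accepts mail for; anything else from outside is a relay attempt.
LOCAL_DOMAINS = {"contoso.com", "mail.contoso.com"}

_ADDR_RE = re.compile(r"<\s*([^<>@\s]+)@([^<>@\s]+?)\s*>")


def verdict(line, source_is_external=True):
    """Decide one raw SMTP command line; returns (allowed, reason).

    source_is_external marks a connection that arrived on the External
    network; only those are subject to the relay check on RCPT TO.
    """
    stripped = line.rstrip("\r\n")
    parts = stripped.split(None, 1)
    if not parts:
        return False, "empty command"
    verb = parts[0].upper()
    if not re.fullmatch(r"[A-Z]{4,8}", verb):
        return False, "malformed verb"
    if verb in BLOCKED_VERBS:
        return False, f"{verb} is blocked"
    if verb not in ALLOWED_VERBS:
        return False, f"{verb} is not an allowed verb"
    limit = MAX_LEN.get(verb, DEFAULT_MAX_LEN)
    if len(stripped) > limit:
        return False, f"{verb} exceeds {limit} bytes"
    if verb == "RCPT" and source_is_external:
        m = _ADDR_RE.search(stripped)
        if not m:
            return False, "RCPT TO without a bracketed address"
        domain = m.group(2).lower().rstrip(".")
        if domain not in LOCAL_DOMAINS:
            return False, f"relay to {domain} refused"
    return True, "ok"


def filter_session(lines, source_is_external=True):
    """Evaluate a command sequence, stopping at the first refused command
    (a filter that drops the connection never sees the rest)."""
    results = []
    for line in lines:
        ok, why = verdict(line, source_is_external)
        results.append((line.strip(), ok, why))
        if not ok:
            break
    return results


# Constructed sample: an external host delivers one local message, then tries to relay.
SAMPLE_EXTERNAL_SESSION = [
    "EHLO relay.example.net",
    "MAIL FROM:<sender@example.net>",
    "RCPT TO:<alice@contoso.com>",
    "RCPT TO:<bob@fabrikam.com>",
    "DATA",
]
```

The relay check applies only to connections that arrive on the External network; an internal client submitting mail to the Internet may name any recipient domain. The model stops at the first refused command because a filter that terminates the connection does not see what follows.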

Network Load Balancing

You can use the Network Load Balancing (NLB) functionality of ISA Server to configure and manage the NLB functionality of Microsoft Windows Server™ 2003 running on ISA Server arrays.

When you configure NLB through ISA Server, NLB is integrated with ISA Server functionality. This provides important functionality that is not available in Windows NLB alone:

  • NLB configuration is performed through ISA Server Management.
  • ISA Server provides NLB health monitoring, and discontinues NLB on a particular computer as necessitated by its status. This prevents the continued functioning of NLB when the state of the computer does not allow the passage of traffic. For example, if there is a failure of the network adapter on the computer, or if you stop the Microsoft Firewall service, ISA Server stops NLB-directed traffic from passing through that computer. When the issue is resolved, ISA Server again allows NLB traffic to pass through that computer.
  • ISA Server works with Windows NLB to automatically configure bidirectional affinity, and does so for multiple networks. This guarantees that traffic is handled in both directions by the same array server.

Scenarios

There are two common scenarios that are considered in this document:

  • You have an Exchange Server 2003 deployment, consisting of Exchange front-end servers in a perimeter network, and back-end servers in the Internal network. You want to secure this deployment with Internet Security and Acceleration (ISA) Server 2004.
  • You have an Exchange Server 2003 deployment, consisting of Exchange front-end and back-end servers in the Internal network. You want to secure this deployment with ISA Server.

Solutions

If your Exchange front-end servers are in a perimeter network, the solution is to move the front-end servers to the Internal network, and allow Internet Security and Acceleration (ISA) Server 2004 to handle the requests from outside the corporate network, such as requests from the Internet. There will be no direct access to the Exchange servers from outside the corporate network, because every external request terminates on ISA Server and is forwarded only if a publishing rule allows it.

If your front-end servers are already in the Internal network, you can deploy ISA Server in front of the front-end servers to secure them.

The procedures provided later in this document address both solutions. If your front-end servers are already in the Internal network, skip the procedures related to moving the servers.

Deployment Recommendations

The walk-through procedures describe deployment of ISA Server in a production environment. However, before deploying ISA Server in production, you should thoroughly test it in a non-production, test lab environment. In addition to lab testing, and to minimize service disruption to users, you may want to stage your production rollout so that you do not move servers out of the perimeter network until you verify your configuration.

Network Topology

To deploy this solution, you will require the following computers. These are minimal requirements for a laboratory configuration:

  • Computer to serve as the Exchange front-end server. This computer must run Microsoft Windows Server™ 2003 or Windows® 2000 Server and Microsoft Exchange Server 2003. For more information about system requirements for Exchange, see System Requirements for Exchange Server 2003 (https://www.microsoft.com).
  • Computer to serve as an Exchange back-end server. This computer must run Windows Server 2003 or Windows 2000 Server and Exchange Server 2003. For more information about system requirements for Exchange, see System Requirements for Exchange Server 2003 (https://www.microsoft.com).
  • Domain controller on the Internal network.
  • At least one internal client computer.
  • An array of computers running ISA Server 2004 Enterprise Edition. An array of one computer will suffice. Each computer in the array should have at least three network adapters: one each for the Internal, External and intra-array networks. The intra-array network is described in Using ISA Server with Exchange Server 2003 Walk-through Procedure 3: Configure Intra-Array Communication.
  • A computer to host the ISA Server Configuration Storage server. In a laboratory environment, a single computer can host both the Configuration Storage server and ISA Server services. In a production environment, we recommend that the Configuration Storage server be hosted behind the ISA Server services computer, for enhanced security. The Configuration Storage server stores all of the ISA Server configuration data, including administrative roles.
  • At least one external client computer.

The network topology (after moving servers out of the perimeter network) is shown in the following figure.

[Figure: network topology after the Exchange front-end servers are moved out of the perimeter network]

Important

Do not use an ISA Server array as a front-end server. An Exchange front-end server includes functionality that cannot be provided by an ISA Server array, such as providing a unified namespace for external access. We recommend that you deploy ISA Server in front of your Exchange front-end server.

Using ISA Server with Exchange Server 2003—Walk-through

This walk-through contains the following procedures:

  • Procedure 1: Prepare to Deploy ISA Server 2004
  • Procedure 2: Install ISA Server 2004
  • Procedure 3: Configure Intra-Array Communication
  • Procedure 4: Configure Network Load Balancing
  • Procedure 5: Move Exchange Front-End Servers to the Internal Network
  • Procedure 6: Configure Corporate DNS Servers
  • Procedure 7: Configure SMTP Servers
  • Procedure 8: Configure ISA Server for Inbound Mail
  • Procedure 9: Configure ISA Server for Outbound Mail
  • Procedure 10: Enable External Client Access to the Exchange Server
  • Procedure 11: Configure RPC over HTTP for Outlook 2003

Using ISA Server with Exchange Server 2003 Walk-through Procedure 1: Prepare to Deploy ISA Server 2004

Before you deploy ISA Server in the perimeter network and start moving Exchange servers into the Internal network, you must install the ISA Server Configuration Storage server, and the array of computers running ISA Server services.

Placing the ISA Server array

Before you install ISA Server, consider where the ISA Server array should be placed:

  • You may place the ISA Server array in your corporate domain.

  • In some topologies, you may require that the ISA Server array not be a member of the corporate domain. In that scenario, the ISA Server array can be deployed in a separate domain with a trust relationship to the corporate domain through which authentication requests are supported.

  • The ISA Server array can be placed in a workgroup and use Remote Authentication Dial-In User Service (RADIUS) authentication if needed. Deployment of ISA Server in a workgroup is described in the document ISA Server 2004 in a Workgroup (https://www.microsoft.com).

    Note

    If you install in a single domain or in domains with trust relationships, you can change to server certificate authentication any time after installation, if your deployment needs change. To do so, obtain an exported server certificate and save it on the Configuration Storage server. Then, run ISA Server Setup and select Repair, and on the Enterprise Deployment Environment page, select the workgroup option. Alternatively, instead of running Repair, you can run ISACertTool. For more information, see the document ISA Server 2004 in a Workgroup (https://www.microsoft.com).

Configuring NLB

We recommend that you enable ISA Server integrated Network Load Balancing (NLB) on both the External and Internal networks. This is described in Using ISA Server with Exchange Server 2003 Walk-through Procedure 4: Configure Network Load Balancing in this document. If you use ISA Server integrated NLB, you must install an additional network adapter on each member of the ISA Server array, and configure an intra-array network that uses those adapters to handle intra-array communication. Configuring an intra-array network is described in Using ISA Server with Exchange Server 2003 Walk-through Procedure 3: Configure Intra-Array Communication. The solution presented in this document is based on the use of ISA Server integrated NLB and an intra-array communication network.

Using a static internal IP address

Make sure the IP address of the ISA Server computer's internal network adapter is static. This is necessary because SecureNAT clients, such as your published SMTP server, use the internal IP address of your ISA Server computer as their default gateway. If the IP address on your internal network adapter changes, you must manually update those clients. A static IP address that you do not change avoids this problem.

If you are using ISA Server integrated NLB, the virtual IP address that you set for the Internal network will be static, and will work in this scenario.

After your ISA Server computer is connected to both the Internet and your Internal network, it can start regulating inbound and outbound Internet traffic.

Obtaining an external IP address for ISA Server

Your external network adapter needs an IP address to which Internet traffic can connect. Obtain an IP address for the external network adapter, and configure it in the TCP/IP settings. If you are using NLB, the virtual IP address you set on the external NLB will be the IP address to which the Internet traffic will connect.

If you already manage your own corporate Domain Name System (DNS) server for external name resolution, consider using the IP address assigned to your Internet domain's name server. Using this IP address allows you to move the DNS server into the Internal network and to use ISA Server to forward DNS requests from the Internet. If you obtain a separate IP address for ISA Server and then move your DNS server back to the Internal network, you must update your name server records at your Internet registrar to point to the new ISA Server IP address.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 2: Install ISA Server 2004

Installing ISA Server 2004 Enterprise Edition requires these steps:

  • Installing the Configuration Storage server. If you are installing an ISA Server array specifically for the purpose of protecting your Exchange servers, the ISA Server array can make use of an existing Configuration Storage server.
  • Creating enterprise networks.
  • Creating an array.
  • Installing a server in an array.

If you will install the ISA Server array in a workgroup (or in a domain that does not have a trust relationship with that of the Configuration Storage server), you must install a digital certificate on the Configuration Storage server computer. This process is described in the document ISA Server 2004 in a Workgroup (www.microsoft.com).

Installing the Configuration Storage server

The Configuration Storage server stores the configuration information for all of the arrays in the enterprise. This procedure describes how to install the Configuration Storage server, and configure the ISA Server environment for the installation of the first ISA Server array. This section explains:

  • How to install ISA Server by running ISA Server Setup.
  • How to create an enterprise network and an ISA Server array object.

Perform these procedures on the computer that you have designated as the Configuration Storage server, Main-Storage in this walk-through:

  1. On the Configuration Storage server (Main-Storage), log on to the domain. The user account that is logged on during the installation automatically becomes an enterprise administrator for ISA Server.
  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.
  3. In Microsoft ISA Server Setup, click Install ISA Server.
  4. After the Setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.
  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.
  6. Type your customer information and the product key, and then click Next.
  7. On the Setup Scenarios page, select Install Configuration Storage server, and then click Next.
  8. On the Component Selection page, you can review the settings. For this walk-through, the default selections will suffice. Click Next.
  9. On the Enterprise Installation Options page, select Create a new ISA Server enterprise, and then click Next.
  10. On the New Enterprise Warning page, click Next. This page warns you about installing more than one enterprise.
  11. On the Create a New Enterprise page, provide a name and description for the enterprise. In this walk-through, the enterprise will be called Fabrikam. You can provide a description of the enterprise (optional). Click Next.
  12. On the Enterprise Deployment Environment page, you have the option of installing a digital certificate to enable encrypted communication between the Configuration Storage server and the computer running ISA Server services. In this solution, the Configuration Storage server and the computers running ISA Server services are in the same domain, so you can leave the default selection, I am deploying in a single domain or in domains with trust relationships. Click Next.
  13. On the Ready to Install the Program page, click Install to begin the installation.
  14. After the installation is complete, select Invoke ISA Management when the wizard closes, and then click Finish.

In the ISA Server console, expand the Enterprise node, and then expand the Enterprise Policies node. Note that there is one policy listed, the Default Policy. Click Default Policy and look at the rules in the details pane. There is one enterprise policy rule, a rule that denies all traffic that is applied after array level rules. This rule ensures that unless access is specifically allowed, ISA Server denies it. Other than that enterprise policy rule, in the Default Policy, only array rules will apply. This is appropriate to the solution presented in this document. You can define enterprise policies to cover other scenarios in your enterprise. For more information about enterprise policies, see ISA Server product Help.
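As an added example, not ISA Server code, the following Python function evaluates a request against enterprise and array rules in the order ISA Server 2004 Enterprise Edition applies them: enterprise policy rules placed before array rules, then array rules, then enterprise policy rules placed after array rules, and finally the built-in default rule, which denies. The rule definitions and network names are constructed; with the Default Policy of this walk-through (no rules before the array rules and a single deny-all rule after them), an array-level publishing rule is what allows inbound SMTP, and anything it does not cover falls through to the deny.

```python
"""First-match policy evaluation in ISA Server 2004 Enterprise Edition order.

Added example, not ISA Server code. Rule and network names are constructed.
"""
from dataclasses import dataclass

ANY = frozenset({"*"})   # wildcard element: matches every protocol or network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    protocols: frozenset        # protocol names, or ANY
    sources: frozenset          # source network names, or ANY
    destinations: frozenset     # destination network names, or ANY

    def matches(self, protocol, src, dst):
        def hit(wanted, value):
            return "*" in wanted or value in wanted
        return (hit(self.protocols, protocol) and hit(self.sources, src)
                and hit(self.destinations, dst))


# Built-in rule that closes every policy: whatever nothing above matched is denied.
DEFAULT_RULE = Rule("Default rule", "deny", ANY, ANY, ANY)


def evaluate(enterprise_pre, array_rules, enterprise_post, protocol, src, dst):
    """Walk the rule sets in evaluation order; the first match decides.

    Returns (action, rule name). The default rule guarantees a result.
    """
    for rule in (*enterprise_pre, *array_rules, *enterprise_post, DEFAULT_RULE):
        if rule.matches(protocol, src, dst):
            return rule.action, rule.name
    raise AssertionError("unreachable: DEFAULT_RULE matches everything")


# Constructed model of the Default Policy: nothing before the array rules,
# one deny-all rule after them.
ENTERPRISE_PRE = []
ENTERPRISE_POST = [Rule("Deny all traffic (after array rules)", "deny", ANY, ANY, ANY)]

# Constructed array policy for the Exchange publishing scenario.
ARRAY_RULES = [
    Rule("Inbound SMTP to Exchange", "allow", frozenset({"SMTP"}),
         frozenset({"External"}), frozenset({"Internal"})),
    Rule("Outbound SMTP from Exchange", "allow", frozenset({"SMTP"}),
         frozenset({"Internal"}), frozenset({"External"})),
]
```

Because enterprise rules placed before the array rules are evaluated first, an enterprise administrator can veto traffic regardless of what an array administrator publishes; rules placed after the array rules, such as the Default Policy's deny, act only as a backstop.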

Note

You can manage the enterprise from the Configuration Storage server, from an array member, or from a remote management computer, as long as you are logged on with enterprise administrator credentials.

Creating enterprise networks

As enterprise administrator, you should define enterprise networks that are ranges of IP addresses used throughout your enterprise. Enterprise networks enable you to create access rules on the enterprise level, referring to the enterprise networks. This will enable your array administrators to define networks on the array level, to easily create rules for networks throughout the enterprise, and to assist spoof detection through the proper definition of networks. For example, if your enterprise uses the address ranges 10.0.0.1–10.255.255.255 and 20.0.0.1–20.255.255.255, you would include those ranges in the enterprise Internal network. An array administrator can then define an Internal network by referring to the enterprise Internal network.

Note

An enterprise network is a range of IP addresses that can be used to define enterprise policies and to define networks on the array level, but has no other properties. A network defined on the array level has distinct network properties, such as the ability to host listeners, or enable Firewall or Web Proxy clients.

If you do not define an enterprise network, the array administrator can define an Internal network based on the IP addresses associated with the internal network adapters on the ISA Server array, or define a specific range of IP addresses to be included in the array’s Internal network.

To define a corporate Internal enterprise network that will include all of the IP addresses that can be mapped to Internal networks that will be defined on arrays, follow these steps:

  1. On the Configuration Storage server, expand the Enterprise node, and click Enterprise Networks.
  2. In the task pane, on the Tasks tab, select Create a New Network to start the New Network Wizard.
  3. In Network name, provide a name for the new network, such as Internal, and then click Next.
  4. On the Network Addresses page, click Add Range to open the IP Address Range Properties dialog box. In Start address, type the low end of the IP address range, such as 10.0.0.1 and in End address, type the high end of the IP address range, such as 10.255.255.255, and then click OK. On the Network Addresses page, click Next.
  5. On the summary page, review the properties of the enterprise network you are creating, and then click Finish.
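The following Python checks are added here as an illustration and are not part of ISA Server. They exercise two consequences of the network definitions described above: an array-level Internal network is meant to be mapped onto enterprise network ranges, so every address in it should be covered by an enterprise range; and spoof detection depends on those ranges, since a packet arriving on an adapter with a source address outside the network bound to that adapter is treated as spoofed. A third check reports array networks whose ranges overlap, which ISA Server reports as a configuration error. The address ranges and network names are constructed for the example.

```python
"""Checks on ISA Server enterprise and array network definitions.

Added example, not ISA Server code. Ranges and names are constructed.
"""
import ipaddress


def to_interval(start, end):
    """Inclusive address range as a pair of integers."""
    a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if a > b:
        raise ValueError(f"range {start}-{end} is reversed")
    return a, b


def merge(intervals):
    """Merge overlapping or adjacent integer intervals; result is sorted."""
    out = []
    for a, b in sorted(intervals):
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out


def _fmt(a, b):
    return str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))


def uncovered(array_ranges, enterprise_ranges):
    """Address blocks of the array network that no enterprise network covers."""
    ent = merge(to_interval(s, e) for s, e in enterprise_ranges)
    gaps = []
    for s, e in array_ranges:
        cur, end = to_interval(s, e)
        for es, ee in ent:
            if ee < cur:
                continue            # enterprise block lies entirely before the cursor
            if es > end:
                break               # this and all later blocks lie past the array range
            if es > cur:
                gaps.append(_fmt(cur, es - 1))
            cur = max(cur, ee + 1)
            if cur > end:
                break
        if cur <= end:
            gaps.append(_fmt(cur, end))
    return gaps


def overlapping(networks):
    """Pairs of array networks whose ranges overlap; ISA Server rejects such definitions."""
    spans = {name: merge(to_interval(s, e) for s, e in rs) for name, rs in networks.items()}
    names = sorted(spans)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x0 <= y1 and y0 <= x1 for x0, x1 in spans[a] for y0, y1 in spans[b]):
                clashes.append((a, b))
    return clashes


def is_spoofed(adapter_network_ranges, source_ip):
    """Spoof detection: the source must belong to the network bound to the receiving adapter."""
    ip = int(ipaddress.ip_address(source_ip))
    return not any(a <= ip <= b for a, b in (to_interval(s, e) for s, e in adapter_network_ranges))


# Constructed data for the walk-through's enterprise and array.
ENTERPRISE_INTERNAL = [("10.0.0.1", "10.255.255.255")]
ARRAY_NETWORKS = {
    "Internal": [("10.0.0.1", "10.255.255.255")],
    "Intra-Array Network": [("192.168.100.0", "192.168.100.255")],
    "VPN Clients": [("10.200.0.0", "10.200.0.255")],   # constructed: collides with Internal
}
```

A practical use is to run uncovered() against the array's Internal network before installing the first array member, so that the mapping in Procedure 2 step 13 does not leave part of the corporate address space outside any network (and therefore subject to spoof detection on the internal adapter).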

Creating an array

After you install the Configuration Storage server, you can create a firewall array. You will create the array as an enterprise administrator on the Configuration Storage server. This enables you to configure how enterprise policy and array policy work together, before the array is released to the array administrator and populated with servers. For example, by creating the array as an enterprise administrator on the Configuration Storage server, you can limit what type of rules the array administrator can create. If the array administrator creates the array and establishes rules, the enterprise administrator will no longer be able to block the creation of those types of rules that have already been created.

Important

An array administrator can also create arrays and populate them with servers, by running ISA Server installation and choosing Create a New Array on the Array Membership page. The enterprise administrator will be able to limit the types of rules the array administrator can create, but only after the array has been created, and will not be able to limit the type of rule if the array administrator has already created a rule of that type.

This procedure assumes that you are still logged on to the Configuration Storage server as an enterprise administrator:

  1. On the Configuration Storage server, open ISA Server Management.
  2. Click Arrays. In the task pane, on the Tasks tab, click Create New Array to start the New Array Wizard.
  3. On the Welcome page, provide a name for the new array, and then click Next.
  4. On the Array DNS Name page, provide the Domain Name System (DNS) name of the array. This is the name that Firewall clients and Web Proxy clients will use to connect to the array. Click Next.
  5. On the Array Enterprise Policy page, from the drop-down menu, select the enterprise policy that will be applied to the new array. Unless you have created enterprise policies, only the Default Policy is available. Click Next.
  6. On the Array Policy Rule Types page, select the types of rules the array administrator is allowed to make. In this scenario, allow the administrator to make all types of rules. Click Next.
  7. On the summary page, review the array configuration and then click Finish. When the progress bar indicates that the array has been created, click OK.
  8. Now that you created an array, assign array administrator privileges to it. In ISA Server Management, right-click the name of the array and select Properties.
  9. On the Assign Roles tab, click Add. Add a user who will be an array administrator. Note that you can also add groups, rather than individual users. From the drop-down Role menu, select ISA Server Array Administrator, and then click OK.
  10. Click OK to close the properties page.
  11. In the Firewall Policy details pane, click Apply to apply the changes.

Installing a server in the array

Now that you have created an array, you can add the ISA Server computers to the array.  Perform this procedure on each computer that will run ISA Server services:

  1. Log on to the domain using the credentials of the array administrator.
  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.
  3. In Microsoft ISA Server Setup, click Install ISA Server.
  4. After the Setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.
  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.
  6. Type your customer information, and then click Next.
  7. On the Setup Scenarios page, select Install ISA Server services, and then click Next.
  8. On the Component Selection page, you can review the settings, and then click Next.
  9. On the Locate Configuration Storage Server page, specify the Configuration Storage server to which this computer will connect. You can click Browse to locate the Configuration Storage server computer. Note that the name you use to refer to the Configuration Storage server computer is its fully qualified domain name on the network, and not the enterprise name that you provided previously. On this page, if the user is not logged on as an enterprise or array administrator, you must select Connect using this account, and then provide the credentials of an enterprise or array administrator to connect to the Configuration Storage server. Click Next.
  10. On the Array Membership page, select Join an Existing Array, and then click Next.
  11. On the Join Existing Array page, provide the name of the array, Main. You can also click Browse to open the Arrays to join dialog box, and select the array from the list. Click Next.
  12. On the Configuration Storage Server Authentication Options page, select the authentication type that will be used for connections between the ISA Server computer and the Configuration Storage server. Because in this scenario, the firewall array and the Configuration Storage server are in the same domain, select Windows authentication, and then click Next.
  13. This step will only take place on the first server you install in the array. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. We recommend that you map your Internal network to an enterprise network. The use of enterprise networks is described in the product Help.
    1. Click Add to open the Addresses dialog box.
    2. Click Add Network to open the Select Enterprise Networks dialog box.
    3. Select Internal, and then click OK.
    4. In the Addresses dialog box, click OK.
    5. On the Internal Network page, click Next.
  14. On the Services Warning page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.
  15. On the Ready to Install the Program page, click Install.
  16. After the installation is complete, click Finish.
  17. You will be prompted to restart the computer. Click Yes to restart the computer.

Repeat this procedure for the other servers that have to be installed.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 3: Configure Intra-Array Communication

If you use ISA Server integrated NLB, you must install an additional network adapter on each member of the ISA Server array, and configure an intra-array network that uses those adapters to handle intra-array communication (communication between the servers in the array).

This procedure describes how to configure secure intra-array communication:

  1. In ISA Server Management, expand Arrays, expand the array, expand Configuration, and select Servers.
  2. For each server in the array, right-click the server and select Properties (or select Configure Selected Server in the task pane on the Tasks tab).
  3. On the Communication tab, under Use this IP address for communication between array members, select the IP address of the network adapter over which intra-array communication will take place.
  4. Click OK.
  5. Repeat this procedure for all of the servers in the array.
  6. Select the Networks node.
  7. In the details pane, select the Networks tab.
  8. In the task pane, on the Tasks tab, click Create a New Network.
  9. On the Welcome page, type a name for the network such as Intra-Array Network, and then click Next.
  10. On the Network Type page, select Internal Network, and click Next.
  11. On the Network Addresses page, click Add Adapter to open the Network Adapters dialog box. Select the network adapter that is used for intra-array communication. Click OK, and then click Next.
  12. On the Completing the New Network Wizard page, review the settings, and click Finish.
  13. Click Apply in the details pane to apply your changes.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 4: Configure Network Load Balancing

We recommend that you configure Network Load Balancing (NLB) on both the External and Internal networks. This will provide you with the benefits of NLB and will ensure that traffic is routed properly to your Exchange front-end server and back to the external client.

To configure NLB, follow these steps:

  1. Open ISA Server Management, expand Arrays, expand the array that is publishing Exchange, expand Configuration, and select Networks.
  2. In the task pane, on the Tasks tab, select Enable Network Load Balancing Integration, to start the Network Load Balancing Integration Wizard. On the Welcome page, click Next.
  3. On the Select Load Balanced Networks page, select the External and Internal networks. Then, highlight External to select it, and click Set Virtual IP. On the Set Virtual IP Address dialog box, provide the IP address and the mask for the virtual IP address, and then click OK. Repeat this process for the Internal network.
  4. On the Select Load Balanced Networks page, click Next. On the summary page, click Finish.
  5. In the details pane, click Apply to apply your changes (or you can wait until you make all of your changes, and then click Apply). Some changes require that the Microsoft Firewall service be restarted. If you are prompted to restart the Firewall service, do so.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 5: Move Exchange Front-End Servers to the Internal Network

To ensure that the ISA Server computer will be the only computer exposed to the Internet, place the Exchange servers in the Internal network. The Internal network was defined in the ISA Server installation described in Procedure 2, so all that is required is that you physically move the front-end Exchange servers to the Internal network, by connecting them to a router or switch that is connected to the internal network adapter of the ISA Server computer.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 6: Configure Corporate DNS Servers

There are several steps that you must take to ensure that requests for your Exchange server will be properly resolved.

Updating the MX record to point to ISA Server

Typically, the MX record for your organization points to a host record, which in turn points to the IP address of the SMTP gateway in your perimeter network. You must update the host record to point to the external virtual IP address of your ISA Server array. You can continue to use the same MX record and host name, but you must point to a different IP address.

For example, consider the following DNS entry:

Mail Exchanger (MX)    [10]    smtp.contoso.com.

The MX record points to the host record named smtp, which resolves to IP address 192.168.0.2. In this case, you update the IP address of the smtp host record with the external virtual IP address of the ISA Server array.

Note

Updating the MX record must take place on the DNS server that handles name resolution requests for your Exchange server. If you have an internal DNS server that handles the requests, make the change on that DNS server. If the requests are handled by an external DNS server, submit the change to the organization that manages that server.

The remaining steps apply only when you have a corporate DNS server that handles name resolution requests for your Exchange server. If the requests are handled by an external DNS server, such as one managed by an Internet service provider, skip the rest of this procedure.

Moving the DNS server

Move your DNS server out of the perimeter network into the Internal network. The DNS server will now only require one network adapter, to connect it to the Internal network. Make sure the DNS server has a static IP address, because if the IP address changes, inbound mail routing could fail.

Publishing the DNS server

When you move your corporate DNS server into the Internal network, create a server publishing rule publishing the server on the DNS protocol to the External network.

To publish the DNS server, follow these steps:

  1. In Microsoft ISA Server Management, expand Arrays, expand the array that is protecting the Exchange server, and click Firewall Policy.

  2. In the Firewall Policy task pane, on the Tasks tab, click Create New Server Publishing Rule to start the New Server Publishing Rule Wizard.

  3. On the Welcome page of the wizard, provide a name for the rule, such as Publish Corporate DNS for Exchange Name Resolution, and then click Next.

  4. On the Select Server page, provide the IP address for the DNS server, and then click Next.

  5. On the Select Protocol page, select DNS Server, and then click Next.

  6. On the IP Addresses page, select the network on which ISA Server will listen for requests. Because you want to receive name resolution requests from the Internet, select External. Do not click Next.

  7. Before you click Next on the IP Addresses page, select specific addresses on which you will listen. Click the Address button. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.

  8. Click OK, and on the IP Addresses page, click Next.

  9. On the Completing the New Server Publishing Rule Wizard page, scroll through the rule configuration to verify that you have configured the rule correctly, and then click Finish.

  10. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

  11. You must also update the name server (NS) record for your Internet domain, held by your registrar or parent zone, so that it points to the external virtual IP address (if you enabled NLB) or the external IP addresses of the ISA Server array, because that is now the address at which your corporate DNS server is reachable from the Internet.

    Note

    There is an access rule in the ISA Server system policy that allows the DNS protocol from the ISA Server computer to all networks. This rule is enabled by default when you install ISA Server, so you do not have to create this rule.

Configuring the DNS server to be a SecureNAT client

We recommend that you configure your corporate DNS server to be a SecureNAT client, so that you do not have to create the special configuration files required for servers that run Firewall Client software. SecureNAT clients are computers that do not have Firewall Client software installed, and that have a default TCP/IP route to the Internet that goes through the ISA Server computer. When ISA Server forwards the incoming DNS request from the Internet to your corporate DNS server, the DNS server needs to be configured as a SecureNAT client to successfully route the response back to the Internet through ISA Server. For the DNS server to be able to route the response, you must set the default gateway on the SecureNAT client to use the internal virtual IP address of the ISA Server array.

To configure your DNS server as a SecureNAT client, open the TCP/IP properties page on the server's network adapter, and set the default gateway IP address to the internal virtual IP address of the ISA Server array.

Note

On the To tab of the publishing rule, under Requests for the published server, there is an option Requests appear to come from the ISA Server computer. This option could be used when you have not configured ISA Server as the default gateway on the published server.
Pointing to your ISA Server computer internal network adapter assumes that your DNS server is on the same network segment as your ISA Server computer. If you have a routed network and your DNS server is on a different network segment, point the default gateway to a router, and configure the router to route Internet-bound packets to the internal virtual IP address of the ISA Server array.

Testing the corporate DNS server from the Internet

Computers with Internet access should now be able to query your corporate DNS server, even though it is located on the Internal network. Test that external DNS queries are working. First, create a new host record on your corporate DNS server to use for testing (call it dnstest). Next, from a computer connected to the Internet, use a tool such as NSLOOKUP to query dnstest.example.com (where example.com is your domain) and verify that the query is successful. Direct the NSLOOKUP query at the address on which the server publishing rule listens: the external virtual IP address of the ISA Server array if you enabled NLB, otherwise the IP address of the ISA Server external network adapter. A query that succeeds from inside the network but fails from the Internet usually means that the listener address in the publishing rule, the NS record, or the DNS server's default gateway (see the SecureNAT section above) is wrong.
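The two DNS checks in this procedure (confirming what the repointed MX host record resolves to, and querying the published server from the Internet) as an added example, not code from the original article: a small Python DNS client that builds the query, parses the reply including compressed names and MX records, and rejects a reply whose transaction ID does not match the query. The address 203.0.113.10 is an assumed external virtual IP for the ISA array, and constructed_mx_response() is a reply constructed here so the parser can be exercised offline.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query, recursion desired, one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2              # parsing resumes after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg, expected_txid=None):
    """Return the rcode, the authoritative-answer flag and the records of all sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1:
                value = socket.inet_ntoa(msg[off:off + 4])
            elif rtype == 15:                 # preference + (possibly compressed) exchange name
                pref = struct.unpack("!H", msg[off:off + 2])[0]
                value = (pref, decode_name(msg, off + 2)[0])
            else:
                value = msg[off:off + rdlen]
            records[section].append((name, TYPE_NAME.get(rtype, rtype), ttl, value))
            off += rdlen
    return {"rcode": flags & 0xF, "authoritative": bool(flags & 0x0400), "records": records}


def query(server_ip, name, qtype="A", timeout=5):
    """Send one UDP query to server_ip (the ISA external listener) and parse the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expected_txid=struct.unpack("!H", q[:2])[0])


def constructed_mx_response(txid=0x1234):
    """Constructed reply for 'MX contoso.com' after the smtp host record is repointed:
    MX -> smtp.contoso.com, plus smtp's A record (203.0.113.10 stands in for the
    assumed external virtual IP of the ISA array) in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 1)   # response, AA, RD, RA
    question = encode_name("contoso.com") + struct.pack("!HH", 15, 1)
    mx_rdata = struct.pack("!H", 10) + b"\x04smtp" + b"\xC0\x0C"   # "smtp" + pointer to offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 15, 1, 3600, len(mx_rdata)) + mx_rdata
    additional = (b"\x04smtp\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4)
                  + socket.inet_aton("203.0.113.10"))
    return header + question + answer + additional
```

From an Internet-connected computer, query("203.0.113.10", "dnstest.example.com") should return rcode 0 with an A record in the answer section; a timeout rather than a reply is the symptom of a wrong listener address, NS record or default gateway on the DNS server.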

Using ISA Server with Exchange Server 2003 Walk-through Procedure 7: Configure SMTP Servers

To configure Simple Mail Transfer Protocol (SMTP) servers, you will move SMTP servers out of the perimeter network and then configure the SMTP server to be a SecureNAT client.

Moving SMTP servers out of the perimeter network

ISA Server handles all inbound traffic from the Internet. Move your SMTP gateway server out of the perimeter network into the Internal network. The SMTP server will now only require one network adapter, to connect it to the Internal network.

Important

Verify that the IP addresses are static for any server that ISA Server will forward requests to. Because ISA Server is configured to route incoming traffic to specific IP addresses, if the IP address of your SMTP or DNS server changes, inbound mail routing could fail.

Configuring the SMTP server to be a SecureNAT client

We recommend that you configure your SMTP server to be a SecureNAT client, so that you do not have to create the special configuration files required for servers that run Firewall Client software.

As with DNS, by default your inbound SMTP server needs to route Internet traffic through the ISA Server computer. Configure your SMTP server to be a SecureNAT client. To configure your SMTP server as a SecureNAT client, open the TCP/IP properties page on the server's network adapter, and set the default gateway IP address to the internal virtual IP address of the ISA Server array.

Note

On the To tab of the publishing rule, under Requests for the published server, there is an option Requests appear to come from the ISA Server computer. This option could be used when you have not configured ISA Server as the default gateway on the published server. However, we do not recommend this approach for publishing Exchange servers, because the published server will not be aware of the IP address of the client, needed by the Exchange server.
Pointing to the internal virtual IP address of the ISA Server array assumes that your SMTP server is on the same network segment as your ISA Server computer. If you have a routed network and your SMTP server is on a different network segment, point the default gateway to a router, and configure the router to route Internet-bound packets to the internal virtual IP address of the ISA Server array.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 8: Configure ISA Server for Inbound Mail

You must configure ISA Server to allow traffic. First, configure inbound Internet mail.

When you configure inbound Internet mail, you configure ISA Server to manage mail from the Internet to your internal users. Instead of your SMTP gateway server receiving inbound mail in the perimeter network, you configure ISA Server to receive the incoming SMTP traffic and forward it to the SMTP server on your Internal network.

Creating a mail server publishing rule for inbound SMTP traffic

You must create a mail server publishing rule that instructs ISA Server to forward incoming SMTP requests to your SMTP gateway.

To create a new mail publishing rule using the New Mail Server Publishing Rule Wizard, follow these steps:

  1. Expand Microsoft ISA Server Management and click Firewall Policy.
  2. In the Firewall Policy task pane, on the Tasks tab, click Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.
  3. On the Welcome page of the wizard, provide a name for the rule, such as Inbound SMTP, and then click Next.
  4. On the Select Access Type page, select Server-to-server communication: SMTP, NNTP and then click Next.
  5. On the Select Services page, select SMTP. You may also select Secure SMTP if you want to publish your Exchange server to receive secure SMTP communication. Newsgroups (NNTP) is for the publishing of a news server, to receive e-mail messages from newsgroups. Click Next.
  6. On the Select Server page, provide the IP address of the server that is to receive the forwarded SMTP connections: the SMTP gateway or Exchange server on the Internal network that accepts inbound Internet mail. Click Next.
  7. On the IP Addresses page, select the network on which ISA Server will listen for requests. Because you want to receive SMTP connections from mail servers on the Internet, select External. Do not click Next.
  8. Before you click Next on the IP Addresses page, select specific addresses on which you will listen. Click the Address button. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.
  9. Click OK, and on the IP Addresses page, click Next.
  10. On the Completing the New Mail Server Publishing Rule Wizard page, scroll through the rule configuration to verify that you have configured the rule correctly, and then click Finish.
  11. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

Testing inbound SMTP traffic using Telnet

Mail servers on the Internet should now be able to connect on port 25 to your inbound SMTP server to send mail to your organization. You should test that this connectivity is working. From a computer connected to the Internet, use Telnet to access your external MX record host on port 25.

For example, if an MX record in corporate DNS lists smtp.contoso.com as the host, you would type the following at a command prompt:

telnet smtp.contoso.com 25

In this example, you would see a response similar to the following:

220 smtp.contoso.com Microsoft ESMTP MAIL Service, Version:

If you do not see a response from your SMTP server, try connecting to the ISA Server computer's external IP address directly. If that works, it is possible that you have a DNS configuration problem.

After you confirm that you can use Telnet to access the SMTP server through ISA Server, you should be ready to receive inbound SMTP mail from the Internet. Send a test message from the Internet to someone in your organization, and verify that it arrives.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 9: Configure ISA Server for Outbound Mail

After you configure inbound Internet mail, the next step is to configure outbound mail traffic from your organization to be routed to the Internet through ISA Server. Your SMTP bridgehead server responsible for Internet mail needs to be able to create SMTP sessions to mail servers on the Internet. Additionally, computers on your network must be able to query DNS servers on the Internet.

Creating an SMTP access rule

To enable outbound SMTP connections from your network, create an access rule on ISA Server that allows outbound SMTP traffic:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create Array Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the access rule, such as Outbound SMTP, and then click Next.

  4. On the Rule Action page, select Allow, and then click Next.

  5. On the Protocols page, in This rule applies to, select Selected protocols, and then click the Add button to open the Add Protocols dialog box.

  6. In the Add Protocols dialog box, expand Mail, and select SMTP. Click Add, and then click Close, to close the Add Protocols dialog box. On the Protocols page, click Next.

  7. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select Internal, click Add, and then click Close.

  8. On the Access Rule Sources page, click Next.

    Note

    You can limit the access rule sources to a computer set containing the Exchange servers that handle outbound mail. If you have configured an SMTP connector on Exchange to handle all outbound mail, only that Exchange server would have to be listed (as a Computer network object) in the access rule sources. For more information about Computer and Computer Set network objects, see Appendix A: Creating Rule Elements in this document.

  9. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.

  10. On the User Sets page, you can leave the default user set All Users or specify a user set. Keep in mind that the SMTP server is configured as a SecureNAT client (see the next section), and SecureNAT clients cannot present credentials to ISA Server, so a rule restricted to any user set other than All Users will not match their traffic. To narrow this rule, restrict its sources to a computer set as described in the note above rather than restricting its users. If you do want to specify a user set, select All Users and click Remove. Then, click the Add button to open the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. For more information about user sets, see Appendix A: Creating Rule Elements in this document. When you have completed the user set selection, click Next.

  11. Review the information on the wizard summary page, and then click Finish.

  12. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Remember that access rules are ordered, so if a deny rule matching SMTP access requests exists ahead of this allow rule in the order, access will be denied.

Configuring the SMTP server as a SecureNAT client

If your SMTP server for outbound Internet mail is configured to use DNS, the Exchange server on which it is homed must be configured as a SecureNAT client. If, instead of using DNS, the server is configured to route to a smart host, the smart host (which is configured to use DNS to route outbound mail) needs to be a SecureNAT client.

To configure your SMTP server to be a SecureNAT client, open the TCP/IP properties page on the server's network adapter, and set the default gateway IP address to the internal virtual IP address of the ISA Server array (or, if you did not enable NLB on the Internal network, to the IP address of the ISA Server internal network adapter).

Note

Pointing to the ISA Server internal address assumes that the server is on the same network segment as your ISA Server computer. If you have a routed network and the server is on a different network segment, point the default gateway to a router, and configure the router to route Internet-bound packets to the internal virtual IP address of the ISA Server array (or to the ISA Server internal IP address if NLB is not enabled).

Sending a test message to a user on the Internet

Users should now be able to send mail to recipients with Internet mail addresses. Verify that outbound mail is working by sending a test message to a user on the Internet.
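The Telnet check at the end of Procedure 8 and the test message in this procedure, as an added example that is not code from the article: a Python script that reads the SMTP banner the way the Telnet test does, applies the article's troubleshooting order (MX host name first, then the ISA external address directly), and runs a complete EHLO/MAIL FROM/RCPT TO/DATA/QUIT exchange so that every server reply is checked rather than only the greeting. The in-process server, its banner text and the addresses tester@fabrikam.com and user@contoso.com are constructed here so the script runs offline.

```python
import socket
import threading

BANNER = b"220 smtp.contoso.com Microsoft ESMTP MAIL Service ready\r\n"   # constructed


def read_reply(sock):
    """Read one complete SMTP reply (continuation lines use 'NNN-'); return (code, lines)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        lines = data.split(b"\r\n")
        last = lines[-2] if len(lines) > 1 else b""
        if len(last) == 3 or last[3:4] == b" ":          # final line: 'NNN' or 'NNN text'
            text = [l.decode("ascii", "replace") for l in lines[:-1]]
            return int(text[-1][:3]), text


def check_banner(host, port=25, timeout=10, resolve=socket.gethostbyname):
    """The 'telnet host 25' check; returns (reply code, banner line)."""
    with socket.create_connection((resolve(host), port), timeout=timeout) as s:
        code, lines = read_reply(s)
    return code, lines[-1]


def diagnose_inbound(mx_host, isa_external_ip, port=25, resolve=socket.gethostbyname):
    """Procedure 8's troubleshooting order: the MX host name first, then the ISA
    external address directly; success only on the second points at DNS."""
    try:
        code, _ = check_banner(mx_host, port, resolve=resolve)
        return "ok" if code == 220 else "unexpected reply code %d" % code
    except OSError:
        pass
    try:
        check_banner(isa_external_ip, port, resolve=lambda ip: ip)
    except OSError:
        return "no listener: check the publishing rule and the gateway's default route"
    return "dns-problem: ISA external IP answers but the MX host name does not"


def send_test_message(host, port, mail_from, rcpt_to, body_lines, timeout=10):
    """Full EHLO/MAIL/RCPT/DATA/QUIT transaction; returns [(step, reply code), ...]
    and raises RuntimeError at the first unexpected reply."""
    transcript = []

    def step(sock, label, command, ok_codes):
        if command:
            sock.sendall(command.encode() + b"\r\n")
        code, lines = read_reply(sock)
        transcript.append((label, code))
        if code not in ok_codes:
            raise RuntimeError("%s: %s" % (label, lines[-1]))

    # RFC 5321 4.5.2: dot-stuff body lines that begin with '.', then end with a lone '.'.
    payload = b"".join((b"." if l.startswith(b".") else b"") + l + b"\r\n" for l in body_lines)
    with socket.create_connection((host, port), timeout=timeout) as s:
        step(s, "banner", None, {220})
        step(s, "EHLO", "EHLO tester.example.com", {250})
        step(s, "MAIL FROM", "MAIL FROM:<%s>" % mail_from, {250})
        step(s, "RCPT TO", "RCPT TO:<%s>" % rcpt_to, {250, 251})
        step(s, "DATA", "DATA", {354})
        s.sendall(payload + b".\r\n")
        step(s, "message", None, {250})
        step(s, "QUIT", "QUIT", {221})
    return transcript


def _serve_one(conn):
    """Constructed minimal SMTP server standing in for the published gateway."""
    replies = {b"EHLO": b"250-smtp.contoso.com Hello\r\n250 SIZE 10485760\r\n",
               b"MAIL": b"250 2.1.0 OK\r\n", b"RCPT": b"250 2.1.5 OK\r\n",
               b"DATA": b"354 Start mail input; end with <CRLF>.<CRLF>\r\n",
               b"QUIT": b"221 2.0.0 Bye\r\n"}
    with conn:
        conn.sendall(BANNER)
        buf, in_data = b"", False
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                if in_data:                              # message body until the lone '.'
                    if line == b".":
                        in_data = False
                        conn.sendall(b"250 2.6.0 Queued for delivery\r\n")
                    continue
                verb = line[:4].upper()
                conn.sendall(replies.get(verb, b"500 5.5.1 Command unrecognized\r\n"))
                in_data = verb == b"DATA"
                if verb == b"QUIT":
                    return


def start_fake_smtp_server():
    """Listen on an ephemeral loopback port; returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real deployment, run check_banner and diagnose_inbound from an Internet-connected computer with your MX host name and the ISA external address, and run send_test_message from the SecureNAT-configured SMTP server towards an external recipient's MX host to exercise the outbound access rule; a RuntimeError names the first step at which the exchange broke.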

Using ISA Server with Exchange Server 2003 Walk-through Procedure 10: Enable External Client Access to the Exchange Server

You can use the New Mail Server Publishing Rule Wizard to publish two categories of external client access:

  • Web client access, including Outlook Web Access, Outlook Mobile Access, and Exchange Server ActiveSync.
  • Client access using RPC, IMAP4, POP3 and SMTP.

Publication of Web client access services is described in Outlook Web Access Server Publishing in ISA Server 2004 Enterprise Edition (https://www.microsoft.com). Enabling client access using RPC, IMAP, POP3, and SMTP is described in this document.

Creating a new mail publishing rule

To enable access by external clients, create a new mail publishing rule using the New Mail Server Publishing Rule Wizard:

  1. Expand Microsoft ISA Server Management and click Firewall Policy.

  2. In the Firewall Policy task pane, on the Tasks tab, select Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.

  3. On the Welcome page of the wizard, provide a name for the rule, such as External Client Access, and then click Next.

  4. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.

    Important

    Do not confuse client access using RPC with access using RPC over HTTP, which is described in Using ISA Server with Exchange Server 2003 Walk-through Procedure 11: Configure RPC over HTTP for Outlook 2003 in this document. If you plan to publish RPC over HTTP, do not select RPC in the following step.

  5. On the Select Services page, select the protocols on which you want access to be possible. The secure ports are associated with the Secure Sockets Layer (SSL)-encrypted protocols: IMAPS, POP3S, and SMTPS. Select only the protocols your clients actually use. The plain IMAP4, POP3 and SMTP variants carry user credentials and message content in clear text across the Internet, so prefer the secure variants and leave the clear-text ports unpublished unless you have a specific need for them. Click Next.

  6. On the Select Server page, provide the IP address of the Exchange server, and then click Next.

  7. On the IP Addresses page, select the network on which ISA Server will listen for requests from external clients. Because you want to receive communication from the External network, select External. Do not click Next.

  8. Before you click Next on the IP Addresses page, select specific addresses on which you will listen. Click the Address button. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.

  9. Click OK, and on the IP Addresses page, click Next.

  10. On the Completing the New Mail Server Publishing Rule Wizard page, scroll through the rule configuration to verify that you have configured the rule correctly, and then click Finish.

    Note

    The New Mail Server Publishing Rule Wizard creates a separate publishing rule for each protocol you selected. You can see the individual rules in the Firewall Policy details pane.

  11. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.
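Because the wizard creates one rule per service you selected, it is worth confirming from the Internet that the external listener answers only on those ports. This is an added example, not code from the article: a Python audit that probes the standard client-access ports on the published address and reports anything that answers but was not selected, anything selected that does not answer, and any selected secure service whose clear-text twin is also reachable. The Exchange RPC rule is not probed because its ports are negotiated at connection time; the host address 203.0.113.10 used below is an assumed external virtual IP.

```python
import socket

# Ports behind the Select Services choices (standard IANA assignments).
CLIENT_ACCESS_PORTS = {"SMTP": 25, "POP3": 110, "IMAP4": 143,
                       "SMTPS": 465, "IMAPS": 993, "POP3S": 995}
CLEAR_TEXT_TWIN = {"SMTPS": "SMTP", "IMAPS": "IMAP4", "POP3S": "POP3"}


def tcp_open(host, port, timeout=3):
    """True if a TCP connection to host:port completes, i.e. a listener accepts it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_listener(host, selected, probe=tcp_open, ports=CLIENT_ACCESS_PORTS):
    """Compare what answers on the external listener with the services selected in the
    wizard. 'selected' holds the names ticked on the Select Services page; 'probe' is
    injectable so the decision logic can be exercised without a network."""
    state = {name: probe(host, port) for name, port in ports.items()}
    return {
        "open": sorted(n for n, up in state.items() if up),
        "unexpected_open": sorted(n for n, up in state.items() if up and n not in selected),
        "missing": sorted(n for n in selected if not state.get(n)),
        "cleartext_twin_open": sorted(n for n in selected
                                      if n in CLEAR_TEXT_TWIN and state[CLEAR_TEXT_TWIN[n]]),
    }


if __name__ == "__main__":
    # Assumed external virtual IP of the ISA array and the services chosen in the wizard.
    print(audit_listener("203.0.113.10", {"IMAPS", "POP3S"}))
```

Anything listed under unexpected_open or cleartext_twin_open means a rule (or another listener on the same address) is exposing a service you did not intend to publish; an entry under missing means the rule was not applied or listens on a different address than the one you probed.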

Requiring encryption on the RPC rule

If you created a rule that publishes Exchange RPC Server (not RPC over HTTP, which is described in Using ISA Server with Exchange Server 2003 Walk-through Procedure 11: Configure RPC over HTTP for Outlook 2003 in this document), you should require encryption for those connections.

To require encryption for Exchange RPC Server communication, follow these steps:

  1. Expand Microsoft ISA Server Management and click Firewall Policy.
  2. In the Firewall Policy details pane, double-click the Exchange RPC Server rule. The rule will have the name you provided in the New Mail Server Publishing Rule Wizard, appended with Exchange RPC Server, for example, External Client Access Exchange RPC Server.
  3. In the rule properties, select the Traffic tab, click Filtering, and select Configure Exchange RPC to open the Configure Exchange RPC Policy dialog box.
  4. Select Enforce Encryption, and then click OK.
  5. Click OK to close the rule properties page.
  6. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

Using ISA Server with Exchange Server 2003 Walk-through Procedure 11: Configure RPC over HTTP for Outlook 2003

Microsoft Office Outlook 2003 clients can access their mailboxes using remote procedure call (RPC) over Hypertext Transfer Protocol (HTTP). To provide RPC over HTTP access to your Exchange servers for your Outlook 2003 users, you need to publish the /rpc virtual directory on your RPC Proxy server through ISA Server. You can publish this directory by using a Web publishing rule to specify the /rpc virtual directory on the RPC Proxy server. In this example, the RPC Proxy server is located on the Exchange front-end server, but you can also locate your RPC Proxy server on another Web server. For ease of maintenance, we recommend that you use your Exchange front-end server as your RPC Proxy server.

To publish the /rpc virtual directory, use the following steps to create a Web publishing rule:

  1. Open Microsoft ISA Server Management, expand Arrays, expand the array that is publishing Exchange, and click Firewall Policy.
  2. On the task pane, in the Tasks tab, click Publish a Web Server, to start the New Web Publishing Rule Wizard.
  3. On the Welcome page, type a name for the rule, such as Publish RPC over HTTP, and click Next.
  4. On the Select Rule Action page, ensure that the default Allow is selected, which will allow requests to reach your Web server according to the conditions set by the rule. Click Next.
  5. On the Define Website to Publish page, in Computer name or IP address, specify the RPC Proxy server that you want to publish. This can be the computer name or the IP address of the computer. Select Forward the original host header instead of the actual one. For more information, see the document Publishing Web Servers Using ISA Server 2004 (https://www.microsoft.com). In Path, specify the /rpc/* directory. Click Next.
  6. On the Public Name Details page, provide information regarding what requests will be received by the ISA Server computer and forwarded to the Web server. In Accepts request for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your Web site. If you select This domain name and provide a specific domain name, such as www.fabrikam.com, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server computer, only requests for https://www.fabrikam.com will be forwarded to the Web server. Because you are specifying the folder /rpc, that would also be required in the request: https://www.fabrikam.com/rpc. The required request format is shown in Site. Click Next.
  7. On the Select Web Listener page, specify the Web listener that will listen for Web page requests that should be redirected to your Web server, and then click Next. If you have not defined a Web listener, click New and follow these steps to create a new listener:
    1. On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for publishing RPC over HTTP, and then click Next.
    2. On the IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapters of ISA Server. Therefore, select External. Do not click Next.
    3. Before you click Next on the IP Addresses page, select specific addresses on which you will listen. Click the Address button. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.
    4. Click OK, and on the IP Addresses page, click Next.
    5. On the Port Specification page, the HTTP port is set to 80 (default setting). If you want to receive HTTPS requests, select Enable SSL, verify that the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. This requires that you have a digital certificate installed on the ISA Server computer whose subject name matches the public name that the Outlook clients will use. For more information about certificates, see Digital Certificates for ISA Server 2004 (https://www.microsoft.com). We recommend that you install a certificate, disable the HTTP port, and enable SSL, so that only HTTPS (encrypted) communication can take place between the Outlook 2003 clients and your RPC Proxy server; Outlook 2003 by default makes RPC over HTTP connections only over SSL. Click Select, select the certificate you installed, click OK, and then click Next.
    6. On the Completing the New Web Listener Wizard page, review the settings, and click Finish. On the Select Web Listener page, click Next.
  8. On the User Sets page, the default, All Users, is displayed. This will allow any computer in the External network to access the published Web pages. If you want to specify a specific user set, select All Users and click Remove. Then, click the Add button to open the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. For more information about user sets, see Appendix A: Creating Rule Elements in this document. When you have completed the user set selection, click Next.
  9. On the Completing the New Web Publishing Rule Wizard page, scroll through the rule configuration to verify that you have configured the rule correctly, and click Finish.
  10. In the ISA Server details pane, click Apply to apply the changes you have made.
  11. To test this configuration, configure Outlook on a computer connected to the Internet, without a VPN connection to the corporate network (RPC over HTTP is meant to work without one), to connect to a corporate Exchange mailbox using HTTP, and verify that you are able to send and receive mail.

Appendix A: Creating Rule Elements

An ISA Server rule element is an object that you can use to refine ISA Server rules. For example, a subnet rule element represents a subnet within a network. You can create a rule that applies only to a subnet, or a rule that applies to a whole network exclusive of the subnet.

There are rule elements on the array level and on the enterprise level.

Another example of a rule element is a user set, representing a group of users. By creating a user set and making use of it in an ISA Server rule, you can create a rule that applies only to that set of users.

You can see the rule elements that are available to you by expanding Arrays, expanding the array node, clicking Firewall Policy, and selecting the Toolbox tab in the task pane. There are five types of rule elements:

  • Protocols. This rule element type contains protocols that you can use to limit the applicability of access rules. For example, you can allow or deny access on one or more protocols, rather than on all protocols.
  • Users. In this rule element type, you can create a user set to which a rule will be explicitly applied, or which can be excluded from a rule.
  • Content Types. This rule element type provides common content types to which you may want to apply a rule.
  • Schedules. In this rule element type, you can designate hours of the week during which the rule applies.
  • Network Objects. In this rule element type, you can create sets of computers to which a rule will apply, or which will be excluded from a rule.

To create an array-level rule element, follow this general procedure:

  1. Open Microsoft ISA Server Management, expand Arrays, expand the ISA Server array node, and click Firewall Policy.

  2. In the task pane, select the Toolbox tab.

  3. Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element.

  4. At the top of the list of elements, click New.

  5. Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created.

  6. Click Apply in the details pane to apply changes. If you prefer, you can click Apply after you have created your Web publishing rules, (after you have made all of your changes) rather than after each change. It will take a few moments for the changes to be applied.

    Note

    You can also create enterprise level rule elements that can be used in the creation of enterprise policy. Follow the same procedure, but in the Enterprise node, under Enterprise Policies.

Additional Information

Additional information is available from the following resources: