ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA 2000 Server Feature Pack 1, Version 1

Publishing Microsoft Exchange Server services (POP3, IMAP4, SMTP) through a firewall is straightforward with ISA Server and the Secure Mail Publishing Wizard. This document provides step-by-step instructions for the following two configurations:

  • Publishing an Exchange 2000 Server located on an ISA Server computer.

  • Publishing an Exchange 2000 Server behind an ISA Server computer.

On This Page

Before You Begin
Scenario 1: Publishing an Exchange Server Located on an ISA Server Computer
Procedures
Scenario 2: Publishing an Exchange Server behind an ISA Server Computer
Procedures
Summary
Additional Resources

Before You Begin

Before you begin, gather the following information:

  • The internal and external IP addresses of your ISA Server computer.

  • Internal IP address of your Exchange server.

  • External DNS mail exchange (MX) and host (A) records for the published mail server.

  • The protocols that need to be published by ISA Server.

Scenario 1: Publishing an Exchange Server Located on an ISA Server Computer

When Exchange Server is installed on the same computer as ISA Server, the Secure Mail Publishing Wizard creates IP packet filters for each mail service selected, rather than the server publishing rules it creates when Exchange Server is on a separate computer (see Scenario 2).


Procedures

To configure this scenario, perform the following steps, each detailed in its own section below:

  1. Configure DNS name resolution

  2. Configure clients

  3. Run the Secure Mail Publishing Wizard

  4. Review the wizard settings

  5. Create client address sets

  6. Create protocol rules

Step 1. Configure DNS name resolution

Before you run the Secure Mail Publishing Wizard, you must configure name resolution. Ensure that the following conditions are met and verified:

  • Confirm you have a registered domain, for example nwtraders.com registered with Network Solutions.

  • Confirm you have a public IP address assigned by your ISP or appropriate vendor, and that it is assigned to the external network adapter on the ISA Server computer.

  • Confirm that the mail exchange (MX) record for your domain, and the host (A) record it points to, map to the public IP address bound to the ISA Server computer's external adapter. (Check with your ISP if it hosts your external DNS.)

  • Confirm that the names resolve correctly from outside your network; for example, run ping or nslookup against mail.nwtraders.com from an external host and verify that it resolves to the ISA Server computer's external IP address. Only the resolved address matters here, not whether an echo reply arrives.

  • Ensure that the DNS name your mail clients use (for example, mail.nwtraders.com) maps to the ISA Server computer's external IP address. External POP3, IMAP4, and HTTP clients must resolve this FQDN to the published address in order to reach the Exchange services.
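The checks in Step 1 can be scripted. The following is an added example, not part of the original article: a standard-library DNS client that sends MX and A queries over UDP port 53, retries over TCP port 53 when the reply has the TC (truncated) bit set, and verifies that every MX target and the client-facing FQDN resolve to the ISA Server computer's external IP address. The domain nwtraders.com comes from the article; the address 131.107.1.10, the DNS server address and the reply packets used for offline testing are constructed values.

```python
"""Verify the external DNS records that mail publishing depends on (added example)."""
import random
import socket
import struct

A, MX = 1, 15   # DNS record types used here

def build_query(name, qtype, txid=None):
    """Return an RFC 1035 query packet for `name`, recursion desired."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _read_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_answers(packet):
    """Return (truncated, [(owner, rtype, value), ...]) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    truncated = bool(flags & 0x0200)                    # TC bit: retry over TCP
    offset = 12
    for _ in range(qdcount):                            # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = _read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        if rtype == A:
            value = socket.inet_ntoa(rdata)
        elif rtype == MX:                               # (preference, exchange name)
            value = (struct.unpack("!H", rdata[:2])[0], _read_name(packet, offset + 2)[0])
        else:
            value = rdata
        answers.append((owner, rtype, value))
        offset += rdlen
    return truncated, answers

def resolve(server, name, qtype, timeout=3.0):
    """Query `server` over UDP 53; fall back to TCP 53 on a truncated reply.
    ISA Server must permit both paths for outbound DNS to work reliably."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply = udp.recv(4096)
    truncated, answers = parse_answers(reply)
    if not truncated:
        return answers
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)   # TCP framing: 2-byte length
        length = struct.unpack("!H", tcp.recv(2))[0]
        reply = b""
        while len(reply) < length:
            reply += tcp.recv(length - len(reply))
    return parse_answers(reply)[1]

def check_mail_records(domain, client_fqdn, external_ip, lookup):
    """Return a list of problems (empty when MX -> A -> external IP is consistent).
    `lookup(name, qtype)` returns parsed answers, so the same check runs against
    live DNS (lambda n, t: resolve(dns_server_ip, n, t)) or against test data."""
    problems = []
    exchanges = sorted(v for _, t, v in lookup(domain, MX) if t == MX)
    if not exchanges:
        problems.append(f"no MX record for {domain}")
    for _, exchange in exchanges:
        addrs = [v for _, t, v in lookup(exchange, A) if t == A]
        if external_ip not in addrs:
            problems.append(f"MX target {exchange} resolves to {addrs}, not {external_ip}")
    addrs = [v for _, t, v in lookup(client_fqdn, A) if t == A]
    if external_ip not in addrs:
        problems.append(f"{client_fqdn} resolves to {addrs}, not {external_ip}")
    return problems

if __name__ == "__main__":
    # Against live DNS, run from an external host so you see what the Internet sees:
    # print(check_mail_records("nwtraders.com", "mail.nwtraders.com", "131.107.1.10",
    #                          lambda n, t: resolve("192.0.2.53", n, t)))
    pass
```

Run the live check from a host outside your network, against your ISP's resolver, so that split DNS or an internal zone cannot mask a wrong public record; an empty list means the MX target and the client FQDN both point at the ISA Server's external address.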

Step 2. Configure clients

It is recommended that the Exchange server be configured as a SecureNAT client: its default gateway routes through the ISA Server computer and no Firewall Client software is installed on it. Do not install the Firewall Client on the ISA Server computer itself.

Step 3. Run the Secure Mail Publishing Wizard

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate Enterprise Policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate Server or Array.

  3. Expand Publishing, right-click Server Publishing Rules, and then click Secure Mail Server...

  4. On the Welcome page, click Next.

  5. On the Mail Services Selection page, select the following check boxes:

    • Incoming SMTP

    • Outgoing SMTP

    • Incoming POP3

    • Incoming IMAP4

      Note: You can select the Apply Content Filtering check box if the SMTP application filter is installed and enabled.

      You can also configure SSL authentication for the desired protocols by selecting the appropriate check boxes.

  6. On the ISA Server computer's External IP Address page, type the external IP address of the ISA Server computer, and then click Next.

  7. On the Internal Mail Server page, click Local Host (the mail server is the ISA Server computer itself), and then click Next.

  8. Ensure that the Restart the Firewall Services check box is selected, and then click Finish to complete the wizard.

  9. To confirm successful creation of the packet filters, expand Access Policy, click IP Packet Filters, and confirm the presence of the Custom Filters in the details pane.

Step 4. Review the wizard settings

You can also publish an Exchange server without using the Secure Mail Publishing Wizard. When Exchange is installed on the ISA Server computer, create the packet filters listed in the table manually.

As the table shows, the packet filters the wizard creates allow only inbound connections to the mail services, except for SMTP, which also gets an outbound filter (any local port to remote TCP port 25) so that the local SMTP service can deliver mail to external domains. This outbound filter covers only the SMTP session itself; the DNS lookups that find the remote domain's mail exchanger are covered by the DNS rules in Step 6.

Protocol     Predefined/  IP        Protocol  Direction  Local Port  Local Port  Remote Port  Remote Port
             Custom       Protocol  Number               Type        Number      Type         Number
IMAP (In)    Custom       TCP       6         Inbound    Fixed       143         All Ports    N/A
POP3 (In)    Custom       TCP       6         Inbound    Fixed       110         All Ports    N/A
SMTP (In)    Custom       TCP       6         Inbound    Fixed       25          All Ports    N/A
SMTP (Out)   Custom       TCP       6         Outbound   All Ports   N/A         Fixed Port   25

Step 5. Create client address sets

Client address sets let you limit outbound SMTP and DNS access to your SMTP server and your internal DNS server, rather than granting it to every computer on the corporate network. You need the IP address of each of these servers to create the sets.

To create an SMTP Server client address set

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate Enterprise Policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand Policy Elements, right-click Client Address Sets, click New, and then click Set...

  4. Provide a name and the IP address of your SMTP servers, and then click OK.

To create a DNS server client address set

  1. Open ISA Management.

  2. For Enterprise installations, expand the Enterprise tree, and choose the appropriate Enterprise Policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand Policy Elements, right-click Client Address Sets, click New, and then click Set...

  4. Provide a name and the IP address of your DNS servers, and then click OK.

Step 6. Create protocol rules

Protocol rules are necessary to allow outbound SMTP and DNS traffic so that mail is routed correctly. Without the following protocol rules, resolution of fully qualified domain names, including the MX lookups for destination mail domains, fails, and the published Exchange server cannot send mail to the Internet.

To create an SMTP Server protocol rule

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate Enterprise Policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand Access Policy, right-click Protocol Rules, click New and then click Rule.

  4. Name the rule and click Next.

  5. For the Rule Action, click Allow and click Next.

  6. On the Protocols page, open the drop-down list and click Selected protocols. Scroll down the list, select the SMTP check box, and then click Next.

  7. Set the Schedule for Always, and then click Next.

  8. For the client type, select the Specific computers (client address set) option and use your SMTP server's client address set.

  9. Confirm your settings and click Finish.

To create a DNS Server protocol rule:

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate Enterprise Policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand Access Policy, right-click Protocol Rules, click New, and then click Rule.

  4. Name the rule and click Next.

  5. For the Rule Action select Allow and click Next.

  6. On the Protocols page, open the drop-down list and click Selected protocols. Scroll down the list, select the DNS Query and DNS Zone Transfer check boxes, and then click Next. (DNS Query covers UDP port 53; DNS Zone Transfer covers TCP port 53, which DNS also uses when an answer does not fit in a single UDP datagram, as noted in the Summary.)

  7. Set the Schedule for Always, and then click Next.

  8. For the client type, select the Specific computers (client address set) option and use your DNS server's client address set.

  9. Confirm your settings and click Finish.
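To see how the pieces from Steps 4 to 6 fit together, here is an added example, not part of the original article: a small model of the two mechanisms the walk-through configures, the four packet filters from the Step 4 table (which govern traffic to and from the ISA Server computer itself) and the protocol rules from Step 6, scoped by the client address sets from Step 5 (which govern outbound connections from internal SecureNAT clients). It answers "would ISA Server allow this?" for sample traffic. The model is a simplification (ISA Server's default packet filters and dynamic filter opening are not represented), and all IP addresses are constructed test values.

```python
"""Model of the packet filters and protocol rules the walk-through creates (added example)."""
from collections import namedtuple

ANY = None   # "All Ports" in ISA Management

PacketFilter = namedtuple("PacketFilter", "name proto direction local_port remote_port")

# The custom packet filters from the Step 4 table; SMTP (Out) is the outbound one.
WIZARD_FILTERS = [
    PacketFilter("IMAP (In)",  "tcp", "in",  143, ANY),
    PacketFilter("POP3 (In)",  "tcp", "in",  110, ANY),
    PacketFilter("SMTP (In)",  "tcp", "in",  25,  ANY),
    PacketFilter("SMTP (Out)", "tcp", "out", ANY, 25),
]

def local_host_allowed(filters, proto, direction, local_port, remote_port):
    """Packet filters govern traffic to and from the ISA Server computer itself.
    Return the name of the first matching filter, or None if the packet is dropped."""
    for f in filters:
        if (f.proto == proto and f.direction == direction
                and f.local_port in (ANY, local_port)
                and f.remote_port in (ANY, remote_port)):
            return f.name
    return None

# Protocol definitions referenced by the protocol rules (primary connection only).
PROTOCOLS = {
    "SMTP":              ("tcp", 25),
    "DNS Query":         ("udp", 53),
    "DNS Zone Transfer": ("tcp", 53),   # TCP 53 also carries answers too large for UDP
}

# Client address sets from Step 5 (constructed internal addresses).
ADDRESS_SETS = {
    "SMTP servers": {"10.0.0.5"},
    "DNS servers":  {"10.0.0.2"},
}

ProtocolRule = namedtuple("ProtocolRule", "name action protocols address_set")

# Protocol rules from Step 6: Allow, schedule Always, limited to one address set each.
RULES = [
    ProtocolRule("Allow SMTP out", "allow", {"SMTP"}, "SMTP servers"),
    ProtocolRule("Allow DNS out",  "allow", {"DNS Query", "DNS Zone Transfer"}, "DNS servers"),
]

def client_allowed(rules, src_ip, proto, dst_port):
    """Protocol rules govern outbound connections from internal (SecureNAT) clients.
    Return the name of the Allow rule that permits it, or None if ISA Server denies it."""
    for rule in rules:
        if rule.action != "allow" or src_ip not in ADDRESS_SETS.get(rule.address_set, ()):
            continue
        if any(PROTOCOLS[p] == (proto, dst_port) for p in rule.protocols):
            return rule.name
    return None

if __name__ == "__main__":
    for proto, direction, lport, rport in [("tcp", "in", 25, 40123),
                                           ("tcp", "out", 3021, 25),
                                           ("udp", "out", 3022, 53)]:
        print("local host", proto, direction, lport, "->", rport, ":",
              local_host_allowed(WIZARD_FILTERS, proto, direction, lport, rport))
    for src, proto, port in [("10.0.0.5", "tcp", 25), ("10.0.0.5", "udp", 53),
                             ("10.0.0.2", "tcp", 53), ("10.0.0.77", "tcp", 25)]:
        print("client", src, proto, port, ":", client_allowed(RULES, src, proto, port))
```

Two results are worth noticing. The SMTP server at 10.0.0.5 is allowed out on TCP 25 but not on UDP 53, which is why the walk-through has Exchange use the internal DNS server (only 10.0.0.2 is in the DNS address set), and a workstation such as 10.0.0.77 cannot open port 25 outbound at all, so only the designated SMTP server can deliver mail directly to the Internet.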

Scenario 2: Publishing an Exchange Server behind an ISA Server Computer

In this procedure, the Microsoft Exchange Server computer is on the local network, protected by the ISA Server computer, as illustrated in the figure.

Publishing an internal Exchange server reuses most of the procedures from Scenario 1.

Procedures

Before running the Secure Mail Publishing Wizard to publish an internal Exchange server, make sure the following are in place. Each was described in Scenario 1: Publishing an Exchange Server Located on an ISA Server Computer.

  1. DNS configuration and resolution

  2. ISA Server client type configuration on the Exchange server

  3. Client address sets

  4. DNS and SMTP protocol rules

Then run the Secure Mail Publishing Wizard as described below.

Run the Secure Mail Publishing Wizard

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate Enterprise Policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand Publishing, right-click Server Publishing Rules, and then click Secure Mail Server...

  4. On the Welcome page, click Next.

  5. On the Mail Services Selection page, select the following check boxes:

    • Incoming SMTP

    • Outgoing SMTP

    • Incoming POP3

    • Incoming IMAP4

  6. On the ISA Server's External IP Address page, type the external IP address of the ISA Server computer, and then click Next.

  7. On the Internal Mail Server page, click At this IP Address, type the internal IP address of the Exchange server, and then click Next.

  8. Verify the information is correct, and then click Finish to complete the wizard.

Note: To confirm successful creation of the server publishing rules, expand Publishing, click Server Publishing Rules, and confirm the presence of the appropriate protocols in the details pane. In addition, expand Access Policy, click Protocol Rules, and confirm the presence of a new SMTP protocol rule created to allow outgoing mail traffic.

The new rules created by the wizard are all named with the prefix Mail wizard rule.

In summary, the Secure Mail Publishing Wizard automatically created the following items:

  • The necessary server publishing rules for the protocols chosen (POP3, IMAP4, SMTP-Inbound).

  • A single protocol rule for the SMTP client protocol (SMTP-Outbound).

  • A client address set that contains the IP address of your internal Exchange server.
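Once the wizard has finished, the publishing rules should be verified from outside, not just in ISA Management. The following is an added example, not part of the original article: from an external host it connects to each port the wizard publishes on the ISA Server's external address (SMTP 25, POP3 110, IMAP4 143), reads the greeting and checks that it belongs to the expected protocol; a port that ISA Server has not published yields no connection at all. The external address, the greetings and the loopback listener used for offline testing are constructed values.

```python
"""Probe the mail services published on the ISA Server external address (added example)."""
import socket
import threading

# Standard port, expected greeting prefix and a clean logout command per published service.
SERVICES = {
    "SMTP":  (25,  "220",  b"QUIT\r\n"),
    "POP3":  (110, "+OK",  b"QUIT\r\n"),
    "IMAP4": (143, "* OK", b"a1 LOGOUT\r\n"),
}

def read_banner(host, port, logout=b"", timeout=5.0):
    """Return the greeting line from host:port, or None when the TCP connection is
    refused or times out (what you see for a port ISA Server does not publish)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
            try:
                if logout:
                    sock.sendall(logout)          # leave the service cleanly
            except OSError:
                pass
            line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
            return line or None
    except OSError:
        return None

def check_published(host, ports=None):
    """Probe every service; return {name: (reachable, greeting_ok, banner)}.
    `ports` overrides the standard port per service (used for loopback testing)."""
    results = {}
    for name, (port, prefix, logout) in SERVICES.items():
        port = (ports or {}).get(name, port)
        banner = read_banner(host, port, logout)
        reachable = banner is not None
        results[name] = (reachable, reachable and banner.startswith(prefix), banner)
    return results

def fake_service(banner):
    """One-shot loopback listener that sends `banner` (constructed stand-in for a
    published Exchange service); returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.settimeout(2.0)
            try:
                conn.recv(64)                     # wait for the client's logout
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """A loopback port nothing listens on, standing in for an unpublished port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    # Against a real deployment, run check_published("131.107.1.10") from an Internet host.
    smtp = fake_service(b"220 mail.nwtraders.com Microsoft ESMTP MAIL Service ready\r\n")
    probes = {"SMTP": smtp, "POP3": unused_port(), "IMAP4": unused_port()}
    for svc, (up, ok, banner) in check_published("127.0.0.1", probes).items():
        print(f"{svc:5} reachable={up} greeting_ok={ok} banner={banner!r}")
```

A service that is reachable but returns the wrong greeting usually means a publishing rule is mapped to the wrong internal address or port; a service that is not reachable at all means either no publishing rule exists for it or the ISA external IP address in the rule is not the one clients resolve.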

Summary

This section reviews the key issues for publishing your mail server using the Secure Mail Publishing Wizard:

  • A DNS server must be available on the internal network.

  • The internal DNS server must be able to resolve Internet domains, typically by using forwarders.

  • Check your DNS configuration, protocol rules, and SMTP publishing rules manually.

  • Configure the SMTP server to use an internal DNS server for name resolution.

  • Alternatively, the SMTP server can be configured to relay outbound mail through a smart host.

  • A protocol rule is required for outbound access to SMTP (TCP port 25).

  • A protocol rule is required for outbound DNS queries.

  • DNS queries normally use UDP port 53 but fall back to TCP port 53 when the response does not fit in a single UDP datagram, so the DNS rule must cover both ports (see article 263237 under Additional Resources).

  • If the SMTP service is running on the ISA Server computer in addition to the internal SMTP server, disable the SMTP service on the ISA Server computer.

  • Protocol rules for DNS queries on TCP and UDP port 53 are not required if the IIS SMTP service is configured to deliver through a smart host.

  • Avoid running SMTP, IIS, NNTP, and other services on the ISA Server computer.

  • You can configure Exchange as a Firewall Client by modifying the Wspcfg.ini file, but this is not the preferred method (see article 307632 under Additional Resources).

  • Never install the Firewall Client on the ISA Server computer.

  • To publish multiple internal Exchange servers with server publishing rules, add multiple IP addresses to the external interface, or add multiple external interfaces with one IP address bound to each. After a server publishing rule binds an external IP address to a port (for example, SMTP port 25), no other server publishing rule can use that same address and port.

  • With server publishing, the port on the ISA Server computer's external interface and the port on the internal server must be the same, because ISA Server cannot perform port redirection.

  • The Secure Mail Publishing Wizard creates the necessary server publishing rules and client address sets.

  • ISA Server drops all packets that do not match a published service.

Additional Resources

For more information, see the following resources:

  • 303426 "ISA Server Publishing Rule Does Not Include SMTP Outbound Checkboxes"

  • 304948 "RPC Interfaces That are Exposed by Secure Mail Publishing in ISA Server"

  • 280437 "Exchange 2000 Server Exchange System Manager Cannot Open Public Folders"

  • 307632 "How to Publish Exchange 2000 Server Through ISA Server by Using the Firewall Client"

  • 313139 "How to Obtain ISA Server Service Pack 1"

  • 296614 "Differences Between Exchange 2000 Standard and Enterprise Versions"

  • 263237 "Windows 2000 and Exchange 2000 Server SMTP use TCP DNS Queries"

  • 224196 "Restricting Active Directory Replication Traffic to a Specific Port"

  • 246739 "Exchange 2000 Server Front-End Back-End Terminology and Implementation"

  • 291662 "How to Publish DNS with ISA Server"

  • 269556 "DNS Queries Generated When Static Packet Filters Is Removed"

  • Whitepaper, "Configuring Microsoft Exchange 2000 Server for the Internet"

  • Whitepaper, "Exchange 2000 Front-End and Back-End Topology"

  • Whitepaper, "Active Directory and Exchange"

  • Whitepaper, "Chapter 4: Securing Exchange Communications"