ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

This document outlines the traditional methods for making Microsoft Exchange 2000 Server services available to specific users who require access from the Internet. It explains the issues inherent in those strategies, how Exchange 2000 Server is configured to enable Internet connectivity, and how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 to provide a safe and efficient way to make internal Exchange services available to Internet clients.

On This Page

Definition of Need
Traditional Methods for Accessing Exchange Securely
Exchange Server Configuration
Infrastructure Requirements
ISA Server Configuration

Definition of Need

With the increasing use of the Internet as a means of transporting and accessing information, companies need to make internal services available to their employees across the Internet. Not only does the sales force need access to company information from remote locations, but other types and greater numbers of employees now take their work home at night. Also, more people are working full-time from home.

E-mail is the most sought-after resource to which these employees need access.

Companies are also using the Internet as a means of connecting locations that need to share mail services. With the advent of affordable high-speed Internet access, connecting to corporate data across the Internet is increasingly prevalent. To provide secure access to corporate data, many companies create VPN connections so that clients can utilize a secure tunnel through the Internet. However, when users simply need to access e-mail from their home computer, a client site, or a Web kiosk, using a VPN connection is not always feasible. The next section describes ways in which Exchange is normally accessed across the Internet.

Traditional Methods for Accessing Exchange Securely

Microsoft Exchange 2000 Server has two functions that provide access to clients. Clients connecting over the Internet can do so through three basic scenarios:

  • Using Microsoft Outlook or another MAPI client, which connects using RPC

  • Using Microsoft Outlook, Outlook Express, or another mail client, which uses an IMAP4 or POP3 account

  • Using Microsoft Outlook Web Access (OWA), which connects using HTTP

How each of these scenarios works will be explained, including their advantages and disadvantages.

On the internal network, most clients use Outlook to connect to the Exchange server. On the Internet, most companies use Outlook Web Access (OWA), which provides Web-based access to e-mail. Many people who work from home access their mail with a POP3 or IMAP4 client, such as Outlook Express. Increasingly, however, clients are in need of, and demand, access using their full Outlook client functionality.

Full functionality with Outlook and other MAPI clients

Exchange clients, Outlook, and Outlook Express can use the Messaging Application Programming Interface (MAPI) to communicate with Exchange 2000 Server stores. Connecting with a MAPI client provides functionality that includes access to calendaring information, encapsulating Word and Excel documents as e-mail messages, and so on. Most clients prefer to use their Outlook client not only at work, but also from home and while traveling. However, because MAPI requests are sent as a remote procedure call (RPC) to the Exchange server, connecting using RPC across the Internet is considered undesirable, due to overhead costs and security issues.

Overhead

RPC requires a large amount of bandwidth. When dial-up networking was the standard, the cost of bandwidth was high in terms of both time and money. To reduce overhead, it was reasonable to trade off some of the features available using RPC, such as calendaring. With the advent of more affordable and much faster Internet connections available through broadband providers, latency is less of an issue, and RPC is more desirable.

Security

Traditionally, RPC connections for Exchange are not considered to be secure, because services are assigned to dynamic ports. By default, there is no way to predict which port will be associated with the Exchange service. Although services can be locked into a range, this requires additional configuration and administrative overhead. By default, the Exchange universally unique identifier (UUID) on the server is registered with the RPC Endpoint Mapper, and that UUID is known to all Exchange clients. Other services, such as Active Directory replication, also have registered UUIDs. Each UUID ensures that an application can be identified by both client and server across distributed environments, which ensures compatibility and interoperability. When a MAPI client connects to an Exchange server using RPC, it first contacts port 135/tcp, which connects it to the RPC Endpoint Mapper. When presented with the UUID for Exchange, the Endpoint Mapper gives the client the port on which the Exchange service is registered. This port can range from 1024 through 65535. Because the assignment is dynamic, the firewall must allow all outbound connections from 1024 to 65535, which turns a secure firewall into a nonsecure one. Administrators are reluctant to have so many open ports.
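To make the exposure concrete, here is an added example (not code from this document) that replays the two-step MAPI connection against three inbound firewall policies and counts the ports each one opens; the UUID string and the static port 56000 are constructed placeholders.

```python
"""Added example, not code from the ISA Server document: a model of the two-step
MAPI-over-RPC connection described above (endpoint mapper on 135/tcp, then the
port the Exchange service registered) evaluated against three inbound firewall
policies. The UUID string and the static port 56000 are constructed placeholders.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EPM_PORT = 135                   # RPC Endpoint Mapper: every MAPI client starts here
DYNAMIC_RANGE = (1024, 65535)    # default range a service port may fall into
EXCHANGE_UUID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real Exchange UUID


@dataclass
class EndpointMapper:
    """Holds the UUID -> port registrations that the mapper hands to clients."""
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    registrations: Dict[str, int] = field(default_factory=dict)

    def register(self, uuid: str, static_port: Optional[int] = None) -> int:
        # With no static mapping the service lands on an unpredictable high port.
        port = static_port if static_port is not None else self.rng.randint(*DYNAMIC_RANGE)
        self.registrations[uuid] = port
        return port

    def lookup(self, uuid: str) -> int:
        return self.registrations[uuid]


@dataclass
class InboundPolicy:
    """Inbound TCP ports the firewall allows to the Exchange server, as (low, high) ranges."""
    name: str
    allowed: List[Tuple[int, int]]

    def allows(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.allowed)

    def exposed_port_count(self) -> int:
        return sum(hi - lo + 1 for lo, hi in self.allowed)


def mapi_connect(policy: InboundPolicy, epm: EndpointMapper, uuid: str) -> Tuple[bool, List[int]]:
    """Replay the client's sequence: hit the mapper, learn the service port, connect to it."""
    path = [EPM_PORT]
    if not policy.allows(EPM_PORT):
        return False, path
    service_port = epm.lookup(uuid)
    path.append(service_port)
    return policy.allows(service_port), path


def compare_policies() -> Dict[str, Tuple[bool, int]]:
    """For each policy: does the MAPI connection succeed, and how many ports are exposed?"""
    dynamic = EndpointMapper()
    dynamic.register(EXCHANGE_UUID)                     # default: dynamic port
    static = EndpointMapper()
    static.register(EXCHANGE_UUID, static_port=56000)   # service locked to a known port
    cases = [
        (InboundPolicy("epm only", [(135, 135)]), dynamic),
        (InboundPolicy("epm + whole dynamic range", [(135, 135), DYNAMIC_RANGE]), dynamic),
        (InboundPolicy("epm + static port", [(135, 135), (56000, 56000)]), static),
    ]
    return {p.name: (mapi_connect(p, e, EXCHANGE_UUID)[0], p.exposed_port_count()) for p, e in cases}
```

Opening only 135/tcp breaks the second hop; opening the whole range works but exposes 64513 ports, whereas a locked service port needs just two.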

As explained later in this document, ISA Server 2000 provides a secure means of publishing Exchange for MAPI clients.

Advantages and disadvantages of RPC

RPC publishing allows full-featured access to Outlook 2000 and Outlook 2002 clients. It provides secure access to mail services without having to manage the overhead of a VPN connection.

However, problems with RPC can occur if your client is behind another firewall that blocks access to the dynamic high ports that RPC connections require.

RPC publishing cannot provide access to clients who are not using a MAPI client. A user connecting from a browser or Outlook Express cannot take advantage of Outlook features, such as calendaring and mail notification.

Mail-only access using POP3 or IMAP4 clients

Many clients require access to their e-mail, but either do not want or do not need a full MAPI client. Connecting with Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP4) provides a fast and reliable means to obtain e-mail messages. POP3 is the industry standard. Clients download e-mail messages from the Exchange server so that they can be used when the connection to the server is broken. IMAP4 provides access to mail on the server itself, and provides the ability to download only headers of messages for faster access. However, this functionality requires a more persistent connection to the Exchange server. Outlook Express uses both POP3 and IMAP4, as do the majority of other mail readers that are available on the market today. Web-based e-mail portals provide the ability to connect to POP3 and IMAP4 message stores, and consolidate e-mail messages for several accounts. ISA Server 2000 includes the Secure Mail Publishing Wizard, which makes publishing mail protocols easy to configure.

Advantages and disadvantages of POP3 or IMAP4 access

Most clients support POP3 or IMAP4, so these methods provide broad access to e-mail messages. However, e-mail access is the only feature; calendaring, task lists, and public folders are not available.

Web-based access using OWA

Internet cafes and public kiosks with Internet-connected browsers are available in many places. These settings provide access to e-mail and Exchange public information stores by means of a Web page, known as Exchange Outlook Web Access (OWA). In this scenario, users can check e-mail from most browsers, although Internet Explorer 5.0 or later is required to take advantage of all features. OWA is set up by default in Exchange 2000 Server, and does not require opening any port other than the standard HTTP port 80 or, preferably, port 443 for SSL access, which encrypts the connection.

Although OWA is easy to use, it does not have the same functionality as a MAPI client. Mail rules, journal entries, and spell checking are not available. Working with calendar, task list, and meeting entries is possible, but without the features available in Outlook.

Advantages and disadvantages of OWA

Using OWA, you can access your e-mail from almost any browser that is connected to the Internet, which means you can access your corporate e-mail, calendar, and tasks from any Internet cafe, conference kiosk, or Web-enabled telephone.

The disadvantage is that functionality is limited. There is no support for offline access to e-mail, and calendar support is limited. The following table highlights some of the advantages and disadvantages of Outlook Web Access 2000. This table assumes that OWA is running on Exchange 2000 SP2 or later, and is being accessed by Internet Explorer 5 or later.

Advantages | Disadvantages
--- | ---
Mailbox and public folder access, including contact and calendar items | No advanced security (S/MIME)
New mail notification and calendar reminders | No offline mode
Rich-text editing of HTML e-mail messages | Unable to create new public folders
Multimedia control for viewing and recording | Unable to use Outlook rules and recall messages, and unable to recover deleted items
Mail access through URLs | No journaling, notes, or tasks
Drag-and-drop feature between mailbox folders | Only Exchange 2000 Server mailbox access
Front-end and back-end server configuration support | Unable to open other users' mailbox folders
Out-of-office and preview pane | Slow on initial dial-up

Setting up OWA is easier when you use the OWA Publishing Wizard included in ISA Server 2000 Feature Pack 1.

Exchange Server Configuration

Microsoft Exchange 2000 Server provides messaging and collaboration for personal and business users. Exchange 2000 Server offers many opportunities, such as a wide collection of supported universal protocols for easy client configuration, unlimited data stores, enhanced Outlook Web Access, multiple virtual server capabilities, and Active Directory integration. With an understanding of Exchange 2000 Server, you can prepare external user access to mail before determining the configuration of ISA Server. This section explains how Exchange 2000 Server is optimally configured, how key components such as the SMTP and HTTP virtual servers are best utilized, and where Exchange 2000 Server should be placed on the network for the most favorable security of your messaging platform.

For step-by-step instructions on configuring the scenarios overviewed here, refer to the scenario documentation included with the feature pack.

Best configuration defined

A primary goal in this section is to establish a basic understanding of how Exchange 2000 Server is configured. This information provides a baseline to avoid issues or inconsistencies when working with the provided scenarios. Each network is different from the next, but the configuration of Windows-based servers and Exchange servers does not have to be.

Service packs are released for each Microsoft core operating system and server product. Service packs typically are a collection of all known hot fixes and security patches up to the dated release of the service pack. A fundamental change is that new features are no longer included with a service pack. This change is noticeable if you compare Exchange 2000 Server Service Pack 2 and Service Pack 3. Exchange 2000 Server Service Pack 2 shipped with a variety of feature changes, especially for Outlook Web Access, while Exchange Service Pack 3 contains no feature additions.

A higher rate of success when publishing Exchange with ISA Server will be accomplished if the following assumptions are met in the provided scenarios:

  • Windows 2000 with Service Pack 2 or later has been installed. (Service Pack 3 is preferred.)

  • The servers are up-to-date, with the latest patches and security hot fixes applied. With Service Pack 3 installed for both Windows 2000 and Exchange 2000 Server, there are currently no additional hot fixes or security updates required. For updated patches, see www.microsoft.com/security/.

  • Exchange 2000 Server with Service Pack 2 or later has been installed. (Service Pack 3 is preferred.)

Exchange security considerations

When configuring Exchange 2000 Server, the security of the server is important. One of the most common security concerns for Exchange 2000 Server is SMTP relaying. SMTP relaying means that the mail server permits Exchange 2000 Server mail clients to send mail to users in external organizations. Although some situations require relaying, most companies avoid this configuration, because it opens the mail server so that junk e-mail messages can be relayed, which gives the appearance that your mail server originated the delivery of the message. SMTP relaying must be controlled and monitored carefully, so that your server does not permit junk e-mail messages. For more information about SMTP relaying, see the Microsoft Exchange Server Web site (https://www.microsoft.com/exchange/default.asp).

The default settings differ between Exchange Server 5.5 and Exchange 2000 Server. In this overview, the default configuration of SMTP relaying in Exchange 2000 Server is considered. For related SMTP relay information with Exchange Server 5.5, see the Microsoft TechNet Web site at www.microsoft.com/technet.

By default, the Exchange server is automatically configured so that only authenticated users can relay mail through the Exchange server.

Because only authenticated users can relay mail through the Exchange server, only internal users can send messages to outside parties. Someone external to the organization could send e-mail messages to an internal user, but could not send e-mail messages to someone in a different organization.

If you are unsure how your Exchange server is configured to handle SMTP relaying, verify the configuration. If you find that your server has been configured as an open relay for some time, it is probable that your server has been added to a network abuse database. To determine whether your mail domain has been added to this type of database, see https://www.abuse.net. You can also find additional information in the Microsoft knowledge base article 249266 (https://support.microsoft.com/default.aspx?scid=KB;EN-US;249266&).

Follow these common procedures to better protect the integrity of your messaging infrastructure:

  • Install patches in a timely manner.

  • Harden your servers by using information from white papers, checklists, and tools, such as IISLockdown and URLScan.

  • Disable unused protocols and services. For example, if Exchange is only being used for SMTP, disable the POP3, IMAP4, and HTTP protocols.

  • Use Exchange System Policies and Message tracking to maintain settings of log activity.

  • Stay up-to-date on virus announcements, downloading the most recent virus definitions to protect against unwanted delivery of viruses on the network.

  • Protect your network by ensuring the security of all entry points.

  • Use strong, complex passwords on the network.

Exchange internals

When you publish Exchange services, the protocols that can be involved include SMTP, HTTP (OWA), and RPC. The configuration of such protocols on Exchange 2000 Server defines the type of access and options a user may have. Exchange 2000 Server supports virtual servers (SMTP, HTTP, IMAP4, POP3, and NNTP). Unlike previous versions of Exchange, where only one instance of a protocol could be used by a single server, with the introduction of virtual servers an administrator can define multiple virtual servers of a single protocol on an Exchange server. The virtual server accomplishes this by utilizing a combination of the protocol and port. For example, an SMTP virtual server listens by default on port 25 for SMTP traffic.

SMTP virtual server

The SMTP virtual server defines how mail flows from the organization, because the administrator can configure options, such as authentication, relaying, and access control. Simple Mail Transfer Protocol (SMTP) is a native protocol that has become the standard for transferring Internet mail from one mail server to another. The SMTP virtual server is installed by default with the installation of Exchange 2000 Server, and is ready to send mail, without modification of any property settings.

There are four tabs of configurable settings for the SMTP virtual server. Focus on the settings that warrant the most attention and pose the biggest risks when publishing your Exchange server behind the ISA Server computer. The following table defines the key property settings to review when configuring Exchange 2000 Server SMTP virtual servers.

Property: Outbound Security
Location: Delivery tab | Outbound Security
Explanation: Defines how the SMTP virtual server delivers mail to other SMTP servers.

Property: Smart Host
Location: Delivery tab | Advanced
Explanation: An SMTP server must be able to resolve external mail domains using DNS. The resolution can be configured so that the SMTP server sends queries to:

  1. An internal DNS server based on the preferred DNS server setting of the TCP/IP properties.

  2. An external DNS server configured on the Advanced tab.

  3. A smart host, which is an external SMTP server, typically an SMTP server for an ISP that is responsible for the resolution of the mail domain.

Property: Relay Restrictions
Location: Access tab | Relay
Explanation: Defines the computers that are allowed to relay messages through the SMTP virtual server. Can be specified by domain, individual IP addresses, or by subnets.

To deter unwanted access, understand the properties of the SMTP virtual server, determine how your mail server is relaying messages, and ensure all appropriate levels of authentication have been configured.
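The default relay behaviour described under Exchange security considerations (only authenticated users may relay) and the Relay Restrictions property above, as an added example that is not code from this document: a model of the per-recipient relay decision plus an audit of relay-list entries that would make the server an open relay. All addresses, domain names and the audit thresholds are constructed for the example.

```python
"""Added example, not code from the ISA Server document: a model of the relay decision
an Exchange 2000 SMTP virtual server makes for one RCPT TO, combining the default
described in the text (only authenticated users may relay) with the Relay Restrictions
list (IP addresses, subnets, or the connecting computer's DNS domain), plus an audit
that flags entries which would turn the server into an open relay. All addresses,
domains and the audit thresholds are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RelayRestrictions:
    local_domains: List[str]                                  # domains this server accepts mail for
    allowed_hosts: List[str] = field(default_factory=list)    # single-computer / subnet entries
    allowed_domains: List[str] = field(default_factory=list)  # domain entries (reverse-DNS name of the client)
    allow_authenticated: bool = True                          # Exchange 2000 default setting

    def host_allowed(self, client_ip: str, client_fqdn: Optional[str]) -> bool:
        addr = ipaddress.ip_address(client_ip)
        if any(addr in ipaddress.ip_network(n, strict=False) for n in self.allowed_hosts):
            return True
        if client_fqdn:
            fqdn = client_fqdn.lower().rstrip(".")
            return any(fqdn == d or fqdn.endswith("." + d)
                       for d in (x.lower() for x in self.allowed_domains))
        return False


def relay_decision(rules: RelayRestrictions, client_ip: str, authenticated: bool,
                   rcpt_to: str, client_fqdn: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a single recipient, in the order the checks apply."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in (d.lower() for d in rules.local_domains):
        return True, "local delivery"          # inbound mail for our own users: never a relay
    if authenticated and rules.allow_authenticated:
        return True, "authenticated relay"     # the default path for internal users
    if rules.host_allowed(client_ip, client_fqdn):
        return True, "relay list"              # explicitly trusted computer or domain
    return False, "550 relay denied"


def audit_relay_list(rules: RelayRestrictions) -> List[str]:
    """Flag relay-list entries broad enough to make the server an open relay.
    Heuristic (constructed for this example): any entry covering the whole address
    space, or a non-private range wider than a /24."""
    findings = []
    for entry in rules.allowed_hosts:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry}: allows relay from any address (open relay)")
        elif not net.is_private and net.num_addresses > 256:
            findings.append(f"{entry}: broad public range permitted to relay")
    return findings
```

With the default rules an anonymous external sender can deliver to local users but not relay onward, while a single 0.0.0.0/0 entry in the relay list reverses that and is what the audit catches.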

HTTP virtual server

Outlook Web Access uses the HTTP virtual server. Hypertext Transfer Protocol (HTTP) is a client/server protocol used on the Internet for sending and receiving HTML documents. HTTP operates on port 80, and it is through this medium that most people connect to the Internet.

The HTTP virtual server is configured automatically during the installation of Exchange 2000 Server, which makes Outlook Web Access available.

Configuring the HTTP virtual server cannot be done from within the Exchange System Manager; any attempt will yield the following message:

You must use the IIS Admin to manage this Virtual Server's settings.

The HTTP virtual server is a combination of virtual directories installed with the default Web site located in the Internet Services Manager console.

The virtual directories that comprise Outlook Web Access include:

  • /Exchange - provides Web browser access to a mailbox.

  • /Exchweb - provides access to the developer code for the actual Exchange application.

  • /Public - provides Web browser access to public folders.

In comparison to the SMTP virtual server where there are many configuration options, it is recommended that the HTTP virtual server property settings not be modified. There is no need to edit the properties of the HTTP virtual server. A more efficient way of securing OWA access would be to utilize a front-end back-end model and use SSL for communication between your Internet clients and the OWA front-end server. Also, because the HTTP virtual server is a combination of virtual directories in IIS, install the IIS Lockdown tool to further harden IIS.

Client access to Outlook Web Access is enabled by default. If you want to limit connection to OWA when outside the office, you can disable the use of the HTTP protocol at the mailbox level.

To modify this default setting

  1. Open Active Directory Users and Computers, locate the user account of the user you want to disallow access to OWA, right-click the account, and click Properties.

  2. Click the Exchange Advanced tab, and then click Protocol Settings.

    Note: The Exchange Advanced tab will only appear if Advanced Features has been selected from the View menu in Active Directory Users and Computers.

  3. Click HTTP, and then click Settings.

  4. By default, the Enable for mailbox checkbox is selected. Clear this option to disable OWA for a single user, and click OK.

Front-end (access) and back-end (storage) exchange solution

With Exchange 2000 Server Enterprise Edition, companies can establish a front-end back-end solution for the main purpose of providing a single access point and namespace for the users to reference when connecting to Exchange. This solution is useful when allowing users to connect to their mail over the Internet.

A front-end server is an Exchange 2000 Server that does not contain any mailboxes. Its primary purpose is to proxy client requests to the appropriate back-end server. Because a front-end server proxies client requests and contains no user data, the server can be placed in multiple locations on the network. A front-end server could be located in front of or behind an ISA Server firewall, or located in a perimeter network (also known as a demilitarized zone, DMZ, or screened subnet), where it sits between two ISA Server firewalls.

Note: The provided scenarios focus on the configuration of a front-end back-end solution in a back-to-back ISA environment.

A back-end Exchange server contains the same mailbox stores and public folder stores as any typical Exchange server. By implementing a front-end back-end solution, an administrator can offload SSL activity on the back-end servers, and provide enhanced protection by utilizing ISA Server to control the type of traffic that can be processed directly to the back-end server. There can be one or more back-end Exchange servers, depending on your environment and the number of data stores required.

When a user connects over the Internet to a front-end server, the front-end server must determine on which back-end server the user's mailbox is located. This communication is accomplished by using an LDAP query from the front-end server to a Windows 2000 domain controller located on the internal network. The internal domain controller references the Active Directory database to determine the exact location of the mailbox.

HTTP, IMAP4, and POP3 clients are the only client types that can connect over the Internet to use a front-end back-end configuration. HTTP clients for Outlook Web Access are most typical. A common design is to place a front-end server in a perimeter network located between two ISA Server firewalls. The back-end server and Active Directory domain controllers would be located on the internal network. For HTTP, POP3, and IMAP4 clients to connect, the following ports would need to be opened on both ISA firewalls:

  • HTTP (80)

  • Global catalog (3268) and LDAP (389)

  • SSL (443)

  • POP3 (110)

  • SMTP (25)

  • IMAP4 (143)

The provided scenarios will detail the exact configuration required on both ISA Server firewalls to enable the front-end back-end solution. For more information on definition, design, and configuration of a front-end back-end solution, see the Microsoft whitepaper, "Microsoft Exchange 2000 Front-End and Back-End Topology."

Exchange server placement

This section describes some common network designs, which are discussed in greater detail in the scenarios provided with the feature pack.

  • Exchange co-located with ISA Server.

  • Exchange located on the internal network behind an ISA Server computer.

Exchange co-located with ISA Server

Installing Exchange 2000 Server on the ISA Server computer is common. This is because of constraints such as limited hardware or budget, or because Small Business Server 2000 is being used.

The figure illustrates a design with Exchange and ISA Server co-located on the same server.


Exchange located on the internal network behind an ISA Server computer

The most commonly used design is locating Exchange 2000 Server on an internal server behind the ISA firewall. The ISA firewall is configured to publish the Exchange services and to intercept and direct the appropriate traffic to the internal IP address of the Exchange server.

The figure illustrates a design with Exchange located on a separate internal server behind the ISA firewall.


Infrastructure Requirements

Exchange 2000 Server differs greatly from previous versions. When working with the scenarios to publish Exchange services behind an ISA Server computer, many elements are involved to ensure that clients can access their e-mail messages while away from work. In addition to Exchange 2000 Server and ISA Server, there are other elements on the network to review prior to making RPC and OWA available to your external user base.

The key items on the network to review include:

  • Active Directory

  • DNS

  • Routers

Active Directory

Active Directory, the latest directory service from Microsoft, is part of the Windows 2000 Server operating system. It provides a single directory that can store millions of network objects, such as users, groups, and computers.

Exchange Server

Exchange 2000 Server utilizes Active Directory as its directory service, meaning the two products share the same directory. In previous versions of Exchange, there was a directory separate from the database used by the Network Operating System (NOS). For a network administrator to install Exchange 2000 Server, Active Directory must already be established in the environment.

The change in the directory service from Exchange Server 5.5 to Exchange 2000 Server meant companies had to upgrade their NOS before they could upgrade their mail infrastructure. For some, this was a reason to move to Windows 2000 and Active Directory; for others, the dependency meant a delay in upgrading to Exchange 2000 Server.

For more information on Exchange and Active Directory dependencies, see the Microsoft Exchange Web site.

ISA Server

ISA Server can make use of Active Directory, although this is not mandatory. You can purchase ISA Server Standard Edition and install the product in a Windows NT or Windows 2000 environment without any Active Directory involvement. ISA Server Enterprise Edition was designed to meet the needs of an enterprise, where you can integrate the product with Active Directory. For administrators who want to establish an ISA Server array (one or more ISA Server computers sharing a common cache), Active Directory is a requirement. To establish an ISA Server array, ISA Server includes an Enterprise Initialization Tool, which is used to prepare and extend the Active Directory schema by loading the necessary extensions into the directory.

The remainder of this document, and the scenario-based guides included in the feature pack, assume that:

  • Windows 2000 and Active Directory have been deployed in the network environment.

  • Exchange 2000 Server has been installed with at least Service Pack 2. (Service Pack 3 is preferred.)

  • ISA Server 2000 has been installed with the latest service pack.

DNS

The Domain Name System (DNS) is an essential component that ensures Exchange mail will flow in and out of the organization as expected. There are many posts to the Microsoft ISA Server newsgroups regarding DNS and its place in the environment.

Definitions

In the scenarios, these terms are used:

  • DNS. A system for naming computers and network services that is organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate computers and services through user-friendly names.

  • Recursive queries. When queried, a name server is petitioned to respond with information about a domain name, or the fact that the domain name does not exist. The request cannot be referred to another name server.

  • Iterative queries. When queried by a requester, the name server returns the best answer it can provide, based on the information it has available. This response may be the exact name, or a referral to another name server that would have more information.

  • Split DNS. This design consists of two independent DNS servers that are updated separately. The internal server contains the database of all the DNS names within the organization, whereas the external server resolves names dealing with the external presence, such as e-mail forwarders and Web servers.

  • Forwarders. The IP address of one or more name servers to which this name server passes all queries and responses.

Understanding DNS

As an Exchange administrator, be aware that SMTP is dependent on DNS to route users' mail to external domains. For example, for a user inside the organization to send mail to a user outside the organization, the SMTP server must either query a DNS server (which may in turn forward the request) to resolve the IP address of the external domain, or be configured to use a smart host. A smart host is a remote server to which the Exchange server can transmit messages intended for a particular remote domain or routing group. Essentially, the smart host acts as a relay station: the Exchange server sends mail to the smart host, which in turn takes responsibility for using DNS to send the mail on to its destination.

To successfully publish Exchange services with ISA Server, Microsoft recommends that the DNS environment be configured in a split-DNS design. Split DNS, as previously defined, includes two DNS servers, one located internally for servers to find each other and Active Directory, and the other externally for the SMTP server to locate mail domains anywhere. The internal DNS server is located behind the ISA Server computer, and the external DNS server is located in front of the ISA Server computer.

ISA Server clients

DNS name resolution is a primary consideration when choosing which ISA clients to utilize on the internal network. The following table outlines how DNS name resolution is performed by each ISA client.

ISA Server Client | Name Resolution Method
--- | ---
SecureNAT client | Dependent on the environment. Need to provide the client with the internal DNS server, or configure ISA Server to pass DNS queries directly from the client to an external DNS server.
Web Proxy client | Allows the ISA Server Web Proxy service to provide simple DNS functionality. Based on the DNS configuration on the ISA Server computer itself.
Firewall client | Allows the ISA Server Firewall service to provide simple DNS functionality. Based on the DNS configuration on the ISA Server computer itself.

Routers

Routing traffic through various layers on the network is important in the infrastructure that allows end users access to their e-mail messages. A routing topology varies from customer to customer, as some organizations may have simple, flat networks, whereas others may have complex, segmented networks. How the routers are configured to pass traffic through the internal, perimeter, and external networks can prevent mail from reaching your Exchange server when sent from users outside the organization. Understanding routers and how the routers are configured can help to identify and avoid these issues, ensuring that mail is delivered successfully.

Definition

Routers. Physical devices that join multiple networks. A router's interface is assigned an IP address. This address is known as a default gateway for the segment of the network it serves.

Routing requirements

Before beginning the provided scenarios:

  • Configure published Exchange, OWA, and SMTP servers as SecureNAT clients.

  • Establish routes for all internal networks before installing ISA Server.

Configuring SecureNAT clients

To route traffic appropriately, the default gateway for the SecureNAT client must be properly configured. The configuration varies, depending on your network topology:

  • Simple network. A simple network topology does not have any routers configured between the SecureNAT client and the ISA Server computer.

  • Complex network. A complex network topology has one or more routers bridging multiple subnets that are configured between a SecureNAT client and the ISA Server computer. Ensure that routers are not configured to drop traffic destined for the Internet.

Configure the default gateway as follows, based on your network topology, to ensure successful routing:

  • Simple. Set the default gateway address on the SecureNAT client to the IP address assigned to the internal network adapter on the ISA Server computer.

  • Complex. Set the default gateway address on the SecureNAT client to the IP address assigned to the last router in the chain between the SecureNAT client and the ISA Server computer.

Route Add command

For a complex network, define a route on the ISA Server computer to every segment of your internal network. The routing table can be populated manually by using the ROUTE ADD command, or by using a dynamic routing protocol such as Routing Information Protocol (RIP).

The syntax for the ROUTE ADD command is as follows (the gateway is the address of the next router on the path to that segment; add the -p switch before ADD to make the route persist across restarts):

ROUTE ADD "destination network ID" MASK "subnet mask" "gateway IP address"

ISA Server Configuration

ISA Server 2000 provides two basic functions: increasing the speed at which clients can gain access to Internet content, and providing a secure firewall that protects internal resources while allowing content to flow in to and out of a private network. ISA Server is an application layer firewall that can make Exchange services available to external clients.

For step-by-step instructions on configuring the scenarios described in this document, refer to the scenario documentation included with the feature pack.

Best configuration defined

The most secure configuration for an Exchange environment is one that provides clients with the access they need, and nothing more:

  • Only specified internal servers can send information outside the company. The only servers visible outside the company are the ISA Server computers.

  • Only the three ports that allow RPC, OWA, and SMTP traffic are visible from outside the company.

  • Only outbound SMTP and DNS traffic is allowed.

  • All Web traffic is secure.

  • The message screener is configured to filter out unwanted mail.

Limiting the points of potential compromise means limiting access to and from your network by using client address sets and protocol rules. Client address sets specify the internal servers that will communicate with the Internet. For publishing Exchange, you need to create only one client address set that contains the IP addresses of all bridgehead servers. A bridgehead server, in this case, is a server that serves as a message transfer point that routes SMTP mail to and from the Internet. You will then create protocol rules, which allow only certain protocol definitions, for example HTTP or SMTP, to come in to or go out of the network. Only necessary protocol definitions will be allowed access into the network. All other traffic is blocked.

Limit outbound traffic

ISA Server 2000 creates ports only for outbound connections. Inbound return traffic is not blocked, because ISA Server dynamically opens ports for the duration of the transaction. Ensure that only outbound SMTP and DNS traffic is allowed from the Exchange server, to restrict the type of information that can come from your internal network. Exchange requires only these protocols: SMTP outbound traffic is necessary to send e-mail messages to recipients outside the company; DNS traffic must be allowed so that the internal DNS server can perform DNS queries to resolve FQDNs.

Restrict visible ports

To provide only the necessary access, ISA Server 2000 requires that only TCP ports 25, 135, and 443 be visible. Port 25 allows inbound SMTP traffic, so that e-mail messages can be received from outside the company; SMTP traffic can be further protected by using the built-in message screener, which is discussed in more detail later. Port 135 is necessary for RPC requests from MAPI clients to reach the Endpoint Mapper service, which connects clients with Exchange services on a dynamically assigned high port. Port 443 carries OWA traffic over SSL, so that all Web traffic is secure.

LAT requirements

The local address table (LAT) defines how ISA Server interprets what computer addresses are internal to the network, and what addresses are external to the network. The LAT provides the base of a secure infrastructure by designating a range of IP addresses that are within the bounds of the ISA Server firewall. Anything outside the LAT will be subject to the restrictions provided by ISA Server. The LAT for your ISA Server configuration will contain all servers that are required for Exchange services, including Exchange, SMTP, Active Directory, and internal DNS servers.

ISA server publishing

Server publishing is the way in which ISA Server 2000 makes internal servers available to clients on the Internet. ISA Server will process Internet-based client requests for all published internal servers, making it appear that the ISA Server is the Exchange server for external clients. ISA Server then routes requests to the Exchange server, and returns responses to the clients. ISA Server can perform both forward and reverse proxy functions. Forward proxy makes external content selectively available to internal clients. In publishing Exchange, ISA Server acts as a reverse proxy server, which makes internal content available to external clients. Both server and Web publishing are used to perform these reverse proxy functions. Web publishing is used only for making OWA available to Internet clients. Server publishing is used to make Exchange available to MAPI, POP3, and IMAP4 clients.

How ISA Server publishing works

Consider a scenario where a client computer running Outlook Express needs to connect to its Exchange server. The Exchange server's IP address is 10.1.1.22. The ISA Server computer has an internal address (10.1.1.33) with which it communicates on the local network, and an external address (68.79.25.25) with which it communicates with the Internet.

  1. The client computer requests content from the Exchange server. The Exchange server's name resolves to the external address of the ISA Server computer, so the request is sent there on port 25 (the default for SMTP requests).

  2. The ISA Server computer is listening on port 25. It receives the request and, because of the publishing rule for port 25, forwards the request to the Exchange server.

  3. The Exchange server processes the request and returns the response to the ISA Server computer, which then forwards it on to the client. For this to work, the Exchange server must be configured as a SecureNAT client (that is, it must have the internal IP address of the ISA Server computer, 10.1.1.33, configured as its default gateway).
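To make the last step concrete, the following Python model (added here; it is not part of this document or of ISA Server) traces the reply path for three possible Exchange routing tables, using the addresses from the walkthrough. The /24 mask on the internal network and the Internet client address 203.0.113.7 are assumptions.

```python
import ipaddress

# Addresses from the walkthrough above; the /24 mask is assumed.
EXCHANGE_IP = ipaddress.ip_address("10.1.1.22")
ISA_INTERNAL = ipaddress.ip_address("10.1.1.33")
ISA_EXTERNAL = ipaddress.ip_address("68.79.25.25")
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) entries.
    A gateway of None means on-link delivery. Returns the gateway address,
    the string "on-link", or None when no entry matches."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]


def publish_smtp(client_ip, exchange_routes):
    """Trace one published SMTP connection from the Exchange server's side.

    Steps 1 and 2: the client connects to ISA_EXTERNAL:25 and the publishing
    rule hands the connection to EXCHANGE_IP:25 with the client's own source
    address preserved. Step 3 is what can fail: the reply is addressed to the
    client, so Exchange's routing table decides whether it goes back via ISA.
    Returns the reply path as a list of hops, or None if it cannot be routed."""
    client = ipaddress.ip_address(client_ip)
    hop = next_hop(exchange_routes, client)
    if hop is None:
        return None                            # no default gateway: reply is dropped
    if hop == ISA_INTERNAL:
        return ["exchange", "isa", "client"]   # SecureNAT: ISA completes the transaction
    if hop == "on-link":
        return ["exchange", "client"]          # only clients on the internal subnet
    # Another router: the reply bypasses ISA's translation, so the client never
    # sees an answer from 68.79.25.25 and the connection fails.
    return ["exchange", f"router {hop}", "dropped"]


# Three Exchange routing tables: SecureNAT, no default gateway, wrong gateway.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
SECURENAT = [(INTERNAL_NET, None), (DEFAULT, ISA_INTERNAL)]
NO_GATEWAY = [(INTERNAL_NET, None)]
OTHER_ROUTER = [(INTERNAL_NET, None), (DEFAULT, ipaddress.ip_address("10.1.1.1"))]

if __name__ == "__main__":
    for name, table in [("SecureNAT", SECURENAT), ("no gateway", NO_GATEWAY),
                        ("other router", OTHER_ROUTER)]:
        print(f"{name:13} -> {publish_smtp('203.0.113.7', table)}")
```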

Access Policies

ISA Server uses three kinds of rules that control which Internet sites users of computers in the LAT can access, which ports they can use, and what type of traffic can come in to and go out of the network.

Site and content rules

Site and content rules determine what external sites your server can visit, and what content it can access. A rule is needed that allows access to all sites, because it is not possible to predict the names of all mail servers. If there are particular sites you wish clients not to access, you will need to create a destination set, which defines Internet destinations either through a domain name such as *.nwtraders.com, or by an IP address. Then, configure a site and content rule to deny access to that destination set.

Protocol rules

Protocols are defined by specifying either a UDP or TCP port number or range, and specifying whether access comes in from the Internet (inbound) or goes out from the local network (outbound). ISA Server comes preconfigured with the most common protocols, such as HTTP, DNS, and SMTP, already defined. Protocol rules define what protocols your ISA Server computer will allow out to and in from the Internet. In ISA Server, you will want to define a protocol rule for your Exchange, DNS, and SMTP servers, allowing only inbound access to ports 25, 135, and 443, and outbound access to ports 25 and 53.

Packet filters

Packet filters are a means to statically open or block access in and out of a particular port. Enable packet filtering to provide the most secure environment, as it prevents any packets, except those that are explicitly allowed, from crossing the firewall boundary. Packet filtering is not enabled by default. Usually, packet filters need to be defined only when you have Exchange configured on a computer in a perimeter network, which separates your Exchange server both from your internal network and the Internet with an ISA Server computer. For more information on defining specific packet filters, see the other scenarios available in the feature pack documentation.

Differences between packet filters and server publishing

Because packet filters statically open ports, use them only when absolutely necessary. Packet filters differ from site and content, protocol, and publishing rules, which are dynamic, or opened and closed on demand. Server publishing rules provide increased security, because they are more specific than packet filters. Rather than make a protocol or port always available through a static mapping, with server publishing you can specify that traffic connecting to these ports be directed only to specific internal servers under certain conditions.

Packet filters are required, however, in the following cases:

  • You are running a three-homed perimeter network.

  • You need to publish a service running on the ISA Server itself.

  • You need to make protocols other than TCP or UDP available.

Configure publishing rules using the Mail Server Security Wizard

Server publishing makes your Exchange server available outside your organization. ISA Server has a wizard that helps create publishing rules for your Exchange server.

The Mail Server Security Wizard sets up all the components necessary to quickly and reliably publish Exchange services to the Internet.

The SMTP filter vs. the message screener

ISA Server includes two components to help prevent mail relaying, the entry of viruses, and unwanted attachments on the network: the SMTP filter and the message screener.

The purpose of the SMTP filter is to block selected SMTP command verbs, and mail from selected users or domains, by intercepting all SMTP traffic that arrives on port 25. The SMTP application filter is installed with ISA Server, but is disabled by default.

The SMTP filter is always located on the ISA Server computer. When SMTP traffic arrives at the ISA Server computer, the traffic is analyzed against the rules configured, and passed on if allowed.
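As an added illustration (not ISA Server's own code), here is a Python model of the two checks the SMTP filter performs on a client's commands: refusing verbs that are not permitted, and refusing MAIL FROM for blocked users or domains. The permitted-verb set and the blocked sender and domain values are constructed for the example.

```python
import re

# Verbs an Internet-facing mail server needs from clients; everything else is
# refused. This set is an assumption for the example, not ISA's shipped default.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
# Constructed block lists standing in for the Users/Domains settings of the filter.
BLOCKED_SENDERS = {"spammer@example.net"}
BLOCKED_DOMAINS = {"example.org"}

MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>", re.IGNORECASE)


def check_command(line):
    """Evaluate one client command line. Returns (allowed, reason)."""
    parts = line.split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb or '<empty>'} not permitted"
    m = MAIL_FROM.match(line)
    if m:                                   # sender checks apply only to MAIL FROM
        sender = m.group(1).lower()         # empty sender (<>) is a bounce, always allowed
        domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
        if sender in BLOCKED_SENDERS:
            return False, f"sender {sender} blocked"
        if domain in BLOCKED_DOMAINS:
            return False, f"domain {domain} blocked"
    return True, "ok"


def screen_session(lines):
    """Judge every command line of a session in order.
    A real filter answers a refused verb with an SMTP error and keeps the
    session open, so each line is decided on its own.
    Returns a list of (line, allowed, reason) tuples."""
    return [(line, *check_command(line)) for line in lines]


# Constructed client side of an SMTP session (not a capture).
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@nwtraders.com>",
    "VRFY bob",      # address-verification verb, commonly refused on Internet-facing servers
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for line, allowed, reason in screen_session(SAMPLE_SESSION):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {line:32} {reason}")
```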

By contrast, the purpose of the message screener is to filter keywords and attachments indicated on the other tabs in the SMTP filter properties. The message screener is more complex to configure, because it can only be installed on an IIS 5.0 SMTP server. This server does not have to be the ISA Server computer. For example, the message screener could be installed on the ISA Server computer, on the Exchange 2000 Server computer, or on any other internal IIS 5.0 SMTP server. Preferably, install the message screener on an internal SMTP server not running Exchange 2000 Server.