1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ISA 2004

Discussion in 'Networks' started by AJ, Oct 25, 2006.

  1. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    We are this week having an upgrade of our firewall and part of our schools agreement is that we get ISA 2004. So a new install of a nice shiney new server and we is up and running, well almost.

    We are testing this first before it goes live on the main network.

    So, we is testing on our test domain, publishing our exchange server through the ISA firewall. All fine and dandy after a couple of tweeks. Can connect to OWA through the internet, nice.

    Next we do a rule for SMTP so that we can receive mail from the internet, job done. But wait, we can't send mail.

    Am I right in thinking that you have to do 2 rules for SMTP traffic in and out of the ISA firewall?

    You can all expect a let of other questions about this 8)

    Thanks
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    I take ISA is using two NICs? Internal and External with no fancy third NIC for a DMZ?

    What are the rules on the external NIC? Outbound>Allow All? If so it should work ok.

    Whats happening in Exchange? Are the emails leaving the queue?

    Questions questions! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    External NIC now there's something I haven't checked.

    Emails are staying in the queue.

    and yes 2 NIC's internal and external. The external NIC had 3 IP addresses bound to it all within our IP range from our ISP.


    I have only just started playing with this ISA thing so not that familiar with it YET.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  4. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    I know what you mean, ISA is a beast! :ohmy

    You may have to configure some extra NAT rules as you have a range of external I.Ps. What are the other two for?

    If you allow all outbound then it should work but you will probably want to lock this down after. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  5. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    I was quite lucky when I was quoted for our new leased line, and I managed to get a nice amount of public IP addresses. So we are planning to have an individual address for each of our servers that need to be published to the internet.

    We did put a rule in to allow outboand on one IP addy only and it seemed to work ie mail was sent.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,189
    296
    319
    Having more than one public I.P can make life much easier! 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    When you published the Exchange server that wizard created the inbound rule. In other words publishing allows access to internal servers, mail, web etc from the Internet.

    You should create a protocol rule for outbound traffic port 25 SMTP from the Exchange box rather than a general rule that allows all protocols from anywhere.

    Have you installed the firewall client on the workstations?

    Oh and do not install the firewall client on the ISA server itself. That is a big no no.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. Mitzs
    Honorary Member

    Mitzs Ducktape Goddess

    3,282
    73
    152
    Hi AJ, good luck with this project. I came across these and thought you might be interested in them

    http://www.msexchange.org/articles/2004protectexch.html

    http://www.msexchange.org/tutorials/2004emaildefenseindepth.html
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  9. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Disclaimer: I don't know specifically about ISA 2004 and Exchange.

    AJ,

    You mention "Next we do a rule for SMTP so that we can receive mail from the internet,..." Does that mean that you are:
    • a) receiving e-mail from the internet to the exchange server or
    • b) receiving e-mail from the exchange server to the client?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  10. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    AJ nice one on the move to ISA2004 (think 2006 is out now tho) :P
    Cracking product and very secure when done right, I use it at home myself! :)

    In answer to your above question I think it's been covered, ISA has a default deny all rule at the bottom, and as an educational institution i imagine you will not be having an allow all outbound so you will have to create a rule to allow SMTP access from exchange outbound, which you seem to have covered

    NAT and stuff is not overly complicated, if your using it as your only firewall you can just bind multiple IPs to your external NIC and be specific with your publishing rules (at home I have 16 ips to play with so i follow the same set up for my exchange, rdp, etc etc access)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  11. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Wow - 16 IPs?

    Blimey - If only!

    Who are you with to get that number of statics? I'd dearly love to have a static IP pool to use at home but I can't even get my ISP to give me ONE - unless I go through their 'business' department (cue my wallet being chewed up & spat out on a monthly basis)
     
    Certifications: A few
    WIP: None - f*** 'em
  12. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    To be fair to Plusnet, I asked for more than one public IP on a Premier Home account and they gave them to me!
    They did ask why I couldn't use NAT and i said i wanted them to help with my studies....

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  13. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    I use Zen who are a power user ISP even on there residential stuff
    u do pay for that power user stuff though, I pay 35 a month for 2MB uncapped or i can move to the new contracts that are 8MB but capped at 50gb, ill do some monitoring over a month or two and see if i download that much month by month

    you get 1 or 8 no questions asked, for 16 you have to submit a ripe justification letter like any other corporate, i could justify the 16 though as at the time I was on the UK6X with IPv6 tunneling and all sorts of cleverness that worked better with statics :)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0

Share This Page

Loading...