ISA 2004

AJ · Oct 25, 2006

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

We are this week having an upgrade of our firewall and part of our schools agreement is that we get ISA 2004. So a new install of a nice shiney new server and we is up and running, well almost.

We are testing this first before it goes live on the main network.

So, we is testing on our test domain, publishing our exchange server through the ISA firewall. All fine and dandy after a couple of tweeks. Can connect to OWA through the internet, nice.

Next we do a rule for SMTP so that we can receive mail from the internet, job done. But wait, we can't send mail.

Am I right in thinking that you have to do 2 rules for SMTP traffic in and out of the ISA firewall?

You can all expect a let of other questions about this

Thanks

Sparky · Oct 25, 2006

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I take ISA is using two NICs? Internal and External with no fancy third NIC for a DMZ?

What are the rules on the external NIC? Outbound>Allow All? If so it should work ok.

Whats happening in Exchange? Are the emails leaving the queue?

Questions questions!

AJ · Oct 25, 2006

External NIC now there's something I haven't checked.

Emails are staying in the queue.

and yes 2 NIC's internal and external. The external NIC had 3 IP addresses bound to it all within our IP range from our ISP.

I have only just started playing with this ISA thing so not that familiar with it YET.

Sparky · Oct 25, 2006

AJ said:

External NIC now there's something I haven't checked.

Emails are staying in the queue.

and yes 2 NIC's internal and external. The external NIC had 3 IP addresses bound to it all within our IP range from our ISP.

I have only just started playing with this ISA thing so not that familiar with it YET.
Click to expand...

I know what you mean, ISA is a beast!

You may have to configure some extra NAT rules as you have a range of external I.Ps. What are the other two for?

If you allow all outbound then it should work but you will probably want to lock this down after.

AJ · Oct 25, 2006

I was quite lucky when I was quoted for our new leased line, and I managed to get a nice amount of public IP addresses. So we are planning to have an individual address for each of our servers that need to be published to the internet.

We did put a rule in to allow outboand on one IP addy only and it seemed to work ie mail was sent.

Sparky · Oct 25, 2006

AJ said:

I was quite lucky when I was quoted for our new leased line, and I managed to get a nice amount of public IP addresses. So we are planning to have an individual address for each of our servers that need to be published to the internet.

We did put a rule in to allow outboand on one IP addy only and it seemed to work ie mail was sent.
Click to expand...

Having more than one public I.P can make life much easier!

Bluerinse · Oct 25, 2006

AJ said:

Am I right in thinking that you have to do 2 rules for SMTP traffic in and out of the ISA firewall?
Click to expand...

When you published the Exchange server that wizard created the inbound rule. In other words publishing allows access to internal servers, mail, web etc from the Internet.

You should create a protocol rule for outbound traffic port 25 SMTP from the Exchange box rather than a general rule that allows all protocols from anywhere.

Have you installed the firewall client on the workstations?

Oh and do not install the firewall client on the ISA server itself. That is a big no no.

Mitzs · Oct 26, 2006

Hi AJ, good luck with this project. I came across these and thought you might be interested in them

Protecting Microsoft Exchange with ISA Server 2004 Firewalls
Date - Oct 11, 2004 Author - Thomas Shinder Section - Articles
Nobody likes to start from scratch. This is especially true if you have a well established network and firewall infrastructure thats working for you. Why would you want to go and change everything just to add a new application layer intelligent firewall to your setup? Things are working already and you havent been successfully attacked for at least 6 weeks. This article shows how you can place an ISA 2004 firewall on your network to protect your Exchange Servers with minimal changes to your current network topology. Check it out
Click to expand...

http://www.msexchange.org/articles/2004protectexch.html

Providing E-Mail Defense in Depth for Microsoft Exchange with the ISA 2004 Firewall SMTP Message Screener
Date - Mar 09, 2004 Author - Thomas Shinder Section - Tutorials :: Exchange 2003
Theres no doubt that spam is public enemy number one, not only to the e-mail administrator, but also to the firewall admin. Spam clogs Internet connections, wastes corporate bandwidth, reduces employee productivity and consumes valuable Exchange Server software and hardware resources. Spam, together with its evil cousins e-mail worms and viruses, represent the primary threats against corporate networks today. Find out how the ISA 2004 firewall protects your Exchange Server by acting as the first line of defense against spam and viruses
Click to expand...

http://www.msexchange.org/tutorials/2004emaildefenseindepth.html

r.h.lee · Oct 26, 2006

AJ said:

We are this week having an upgrade of our firewall and part of our schools agreement is that we get ISA 2004. So a new install of a nice shiney new server and we is up and running, well almost.

We are testing this first before it goes live on the main network.

So, we is testing on our test domain, publishing our exchange server through the ISA firewall. All fine and dandy after a couple of tweeks. Can connect to OWA through the internet, nice.

Next we do a rule for SMTP so that we can receive mail from the internet, job done. But wait, we can't send mail.

Am I right in thinking that you have to do 2 rules for SMTP traffic in and out of the ISA firewall?

You can all expect a let of other questions about this

Thanks
Click to expand...

Disclaimer: I don't know specifically about ISA 2004 and Exchange.

AJ,

You mention "Next we do a rule for SMTP so that we can receive mail from the internet,..." Does that mean that you are:

a) receiving e-mail from the internet to the exchange server or

b) receiving e-mail from the exchange server to the client?

Phoenix · Oct 26, 2006

AJ nice one on the move to ISA2004 (think 2006 is out now tho) :P
Cracking product and very secure when done right, I use it at home myself!

In answer to your above question I think it's been covered, ISA has a default deny all rule at the bottom, and as an educational institution i imagine you will not be having an allow all outbound so you will have to create a rule to allow SMTP access from exchange outbound, which you seem to have covered

NAT and stuff is not overly complicated, if your using it as your only firewall you can just bind multiple IPs to your external NIC and be specific with your publishing rules (at home I have 16 ips to play with so i follow the same set up for my exchange, rdp, etc etc access)

zebulebu · Oct 26, 2006

Wow - 16 IPs?

Blimey - If only!

Who are you with to get that number of statics? I'd dearly love to have a static IP pool to use at home but I can't even get my ISP to give me ONE - unless I go through their 'business' department (cue my wallet being chewed up & spat out on a monthly basis)

Boycie · Oct 26, 2006

To be fair to Plusnet, I asked for more than one public IP on a Premier Home account and they gave them to me!
They did ask why I couldn't use NAT and i said i wanted them to help with my studies....

Si

Phoenix · Oct 26, 2006

I use Zen who are a power user ISP even on there residential stuff
u do pay for that power user stuff though, I pay 35 a month for 2MB uncapped or i can move to the new contracts that are 8MB but capped at 50gb, ill do some monitoring over a month or two and see if i download that much month by month

you get 1 or 8 no questions asked, for 16 you have to submit a ripe justification letter like any other corporate, i could justify the 16 though as at the time I was on the UK6X with IPv6 tunneling and all sorts of cleverness that worked better with statics

Log in or Sign up

ISA 2004

AJ 01000001 01100100 01101101 01101001 01101110 Administrator

Sparky Zettabyte Poster Moderator

AJ 01000001 01100100 01101101 01101001 01101110 Administrator

Sparky Zettabyte Poster Moderator

AJ 01000001 01100100 01101101 01101001 01101110 Administrator

Sparky Zettabyte Poster Moderator

Bluerinse Exabyte Poster

Mitzs Ducktape Goddess

r.h.lee Gigabyte Poster

Phoenix 53656e696f7220 4d6f64

zebulebu Terabyte Poster

Boycie Senior Beer Tester

Phoenix 53656e696f7220 4d6f64

Share This Page

Navigation

Popular Forums

Useful Links

Log in or Sign up

ISA 2004

AJ 01000001 01100100 01101101 01101001 01101110 Administrator

Sparky Zettabyte Poster Moderator

AJ 01000001 01100100 01101101 01101001 01101110 Administrator

Sparky Zettabyte Poster Moderator

AJ 01000001 01100100 01101101 01101001 01101110 Administrator

Sparky Zettabyte Poster Moderator

Bluerinse Exabyte Poster

Mitzs Ducktape Goddess

r.h.lee Gigabyte Poster

Phoenix 53656e696f7220 4d6f64

zebulebu Terabyte Poster

Boycie Senior Beer Tester

Phoenix 53656e696f7220 4d6f64

Share This Page

Useful Searches