Using Outlook 2003 with the Firewall Client
By Thomas W Shinder, MD, MVP
Got questions? Discuss this article over at
I’ve noticed a recent burst of posts from ISA 2004 firewall administrators stating that they can’t get Outlook 2003 to work through the ISA firewall. With further questioning, I’ve discovered that these ISA firewall administrators are using the Firewall client. It’s great to hear they’ve had the good judgment to use the Firewall client! The Firewall client gives them strong user/group based access control for outbound connections for all Winsock TCP and UDP protocols. The Firewall client is one of the key pieces of the ISA firewall that enables it to provide a high level of security that your typical hardware firewall could never provide.
First, let’s get something straight:
You do NOT need the Firewall client to access outbound SMTP or POP3 and you do NOT need to remove the Firewall client to access outbound SMTP or POP3
Over the years I’ve heard people say “you need the Firewall client if you want to use Outlook 2000/2002/2003 to connect to external POP3/SMTP servers” and I’ve also heard “you need to remove the Firewall client to connect to external POP3/SMTP servers”. Both of these statements are WRONG.
The Firewall client connectivity issue has to do with the default Firewall client configuration settings and the authentication requirements on the Access Rule used to allow the outbound connections from the Outlook 2003 client. Note that while I refer to Outlook 2003 throughout this article, the same principles apply to the Outlook 2000 and Outlook 2002 clients. Also, while I am focusing on the ISA 2004 firewall in this article, the same principles apply to the ISA 2000 firewall.
In order to allow outbound SMTP and POP3 connections from the Outlook 2003 client on the Internal network, you need to create an Access Rule allowing these protocols outbound. The Outlook client needs access to POP3 to download mail from the external POP3 server, and it needs access to SMTP to send mail to the external SMTP server. In addition, if you’re not using an Internal DNS server, the Outlook 2003 client should have outbound access to the DNS protocol.
In the example we’ll use in this article, I have created an ISA 2004 firewall on Windows Server 2003. This machine is not a member of a domain. The second machine used in this scenario is a Windows XP machine, which is also not a member of a domain. Because we’re not using a domain scenario, we need to mirror user accounts. I’ve created a user account on the Windows XP machine named tshinder. I’ve created a user account on the ISA 2004 firewall with the name tshinder and have assigned the account the same password on both machines. This allows the Windows XP client to authenticate with the ISA firewall for outbound access control.
The figure below shows the Access Rule used in this scenario. This rule allows the DNS, POP3 and SMTP protocols from the Internal network to External networks. Access is allowed only if users can authenticate with the ISA firewall. This is seen in the Condition – All Authenticated Users.
The Windows XP client has the Firewall client installed. All Firewall client machines receive Firewall client configuration information from the ISA firewall. The ISA firewall includes a number of default firewall client settings. You can see the default Firewall client settings by performing the following steps:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and the expand the Configuration node.
- Click on the General node.
- In the General node, click on the Define Firewall Client Settings link in the Details pane.
- In the Firewall Client Settings dialog box, click the Application Settings tab. You will see what appears in the figure below.
Notice in the application settings for the Firewall client that the outlook application has the Disable setting at 1. When the Outlook.exe executable is run, the Firewall client will ignore the connection. If the machine is also configured as a SecureNAT client, then the machine can use its SecureNAT client configuration to access the protocols. If the machine is not configured as a SecureNAT client, and is configured only as a Firewall client, then no connection request will be sent to the ISA firewall and the connection attempt will fail.
The log file entries in the figure below show what happens with the default Firewall client settings, with the Windows XP machine configured as both a Firewall client and a SecureNAT client. You can see a connection attempt made for the SMTP protocol and the connection is denied by the SMTP/POP3/DNS Access Rule I created.
The reason why connection is denied is that the default Firewall client settings have the Firewall client software set to ignore connections made from the Outlook.exe application. So, the Outlook 2003 connection uses the Windows XP client’s SecureNAT configuration to connect to the Internet. Since the Access Rule requires authentication, the connection attempt fails. SecureNAT clients cannot send credentials to the ISA firewall.
What would happen if we changed the Firewall client configuration settings so that the Firewall client did not ignore connections made by the Outlook.exe application? In this case, the Firewall client software would intercept the communication attempt and forward user credentials to the ISA firewall and the user could then authenticate with the ISA firewall.
Return to the Firewall Client Settings dialog box. Click the Outlook entry and then click the Edit button. In the Application Entry Setting dialog box, change the Value from 1 to 0. Then click OK.
The Application settings tab now looks like what you see in the figure below. Click Apply and then click OK. Then click Apply to save the firewall policy.
Before making a new connection attempt from the Windows XP machine configured as a Firewall client, the Firewall client configuration needs to be refreshed. You can do this by double clicking the Firewall client icon in the System Tray (WARNING: Never disable the Firewall client icon – I know a lot of people think it’s a good idea, but its not; take it from someone who knows). On the General tab, click the Test Server button. You’ll see the Testing ISA Server dialog box and the name of the ISA firewall will be solved and the Firewall client will download the new configuration file.
Now that the Firewall client configuration is refreshed with the new settings, we can connect with our Outlook 2003 client on the Windows XP machine. The log file entries below shows what happens when the Firewall client is enabled for the Outlook.exe application. You can see that the POP3 and SMTP protocols are allowed access and are not denied. You also see the Client Username is the user account I logged onto at the Windows XP machine (which is mirrored on the ISA firewall).
Outlook 2003 (and 2000 and 2002) can access external POP3 and SMTP servers on the Internet. The Firewall client is not required, and if you have the Firewall client installed, you do not need to remove it. Issues people have with the Firewall client and Microsoft Outlook 2003 relate to the default Firewall client configuration, where the Firewall client ignores connections from the Outlook.exe application. If the Firewall client ignores connections attempts from Outlook, then user credentials are not sent to the ISA firewall. If the ISA firewall requires authentication to access the POP3 and SMTP protocols, then the connection attempt fails. You can solve the problem by either removing the authentication requirement from the Access Rule (not recommended) or configure the Firewall client configuration settings so that the Firewall client handles connections coming from the Outlook 2003 application. Note that enabling the Firewall client for Outlook can have adverse effects if you’re using the Outlook 2003 client to connect to an Internal network Exchange Server via a MAPI connection.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000137 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.