Tom Shinder’s Trek through Small Business Server 2003 Service Pack 1 – Part 3: The CEICW from the Network Connection Page to the E-mail Retrieval Method Page

by Thomas W Shinder MD, MVP


Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=46;t=000061

If you would like to read the other articles in this series, then please check out:

The Network Connection Page

On the Network Connection page you select which interfaces on the SBS computer should be used for internal and external networks. In the example used in this series, I set static IP addresses on the internal and external interfaces of the SBS computer before running the CEICW. The external interface was configured with the IP address 192.168.1.70 and the internal interface is configured with the IP address 10.0.0.1.

Select the appropriate interfaces for the ISP network connection (which is the external interface) and the Local network connection (which is the internal interface). The IP address and subnet mask for each of the interfaces appears in the Properties frame after making the selection.

Click Next on the Network Connection page.


Figure 1

The Firewall Page

Now here is where I made my mistake, or at least selected an option having results I didn’t anticipate. On the Firewall page you choose whether you want to enable “a firewall”. The page doesn’t state what kind of firewall. Even when you click the More Information button, it doesn’t provide any information about what firewall will be used.

The Getting Started Guide refers to “a firewall” but hides the specifics. I don’t see why they need to hide the details regarding the firewall configuration. If it’s what I suspect, you’ll be using the Windows Firewall if you’re not using the ISA firewall, and if you install the ISA firewall, then you’ll be using the ISA firewall. But should you enable the Windows firewall first if you plan on using the ISA firewall later? Won’t that break something? Or will it ask what firewall you want to use?

The problem was that since the documentation was vague in this area, I played the classic Windows wizard guessing game of trying to figure out what the actual meanings of these options were. My guess in this situation was that if I enabled the Windows Firewall now, then it might interfere with the subsequent ISA firewall installation routine. Since I didn’t want to break the ISA firewall setup, I selected the Disable firewall option. We’ll see later that this has an interesting effect on how the ISA firewall is ultimately set up after ISA firewall installation is complete.


Figure 2

We’re presented with a warning dialog box telling us that if the “firewall” (whatever that firewall might be) is disabled, then bad things might happen. We’ll deal with this situation later, but it does point out something important: You should never be directly connected to the Internet when installing any server.

If you have a NAT device or a simple stateful packet inspection firewall in front of the SBS computer, then you’re OK. But if you’re using a direct modem connection, make sure the modem is not connected to the Internet when you’re installing the SBS software.

Click OK to dismiss the dialog box.


Figure 3

Web Server Certificate Page

The Web Server Certificate page enables you to specify a Web site certificate for your Web server. This is a critical page since the name you put in the Web server name text box is the name that users must use to access the Web site when using ISA firewall Web Publishing Rules. For example, if the Web site certificate has the common/subject name www.msfirewall.org, then users must use that name in their Web requests, such as http://www.msfirewall.org/exchange.

The primary reason for using SSL is to provide encrypted communications to and from the Web server over the Internet. While this is the primary reason, it’s not the only reason. Intruders or even invited guests can connect to your internal network and use network analyzers (like Microsoft Network Monitor) to “listen” in on unencrypted communications moving over the network. Things like usernames and passwords move over the unencrypted channel, so you should also strongly consider using SSL when connecting to Web services on the SBS server from the internal network.

The name you enter into the Web server name text box must also resolve to the IP address accepting connections to the Web site over the Internet. This will vary with your network configuration. If you have a NAT device or a simple stateful packet inspection firewall that performs NAT in front of the SBS computer, then the public address assigned to the external interface of that front-end device is the IP address that this FQDN must resolve to. If you are connecting the SBS computer directly to the Internet using a cable or DSL “modem”, then the FQDN must resolve to the IP address assigned to the external interface of the SBS computer.

This might seem to imply that you’ll need a dedicated or permanent IP address assigned either to the front-end device or to the SBS computer itself. This isn’t true. What external users need to do is resolve this name to an IP address that accepts incoming connections from Internet hosts. If your ISP cannot provide you dedicated/permanent public addresses, then you can use dynamic DNS services that will automatically update your DNS records when the ISP’s DHCP server assigns a new address to your Internet connection. TZO is one example of a dynamic DNS (DDNS) service. I’ve been using TZO for many years and they provide top-notch dynamic DNS services at a good price. Check them out at www.tzo.com.

The Use a Web server certificate from a trusted authority option allows you to import a Web site certificate from a file. The file contains the Web site certificate and the site’s private key. The file must contain the site’s private key or else the certificate won’t work for ISA firewall Web Publishing Rules (or anything else). I always recommend that you export your Web site certificates (with their private keys) to a file and copy those to CD and lock them away in a safe deposit box. Then when your server dies, you can easily restore that certificate. You would use this option if you have a currently running SBS installation and have already deployed certificates to clients.

In the example discussed in this series, we are installing a clean SBS SP1 server. For this reason we will select the Create a new Web server certificate option and enter the FQDN that users will use to access the site, which in our example is www.msfirewall.org.

NOTE:
I always use msfirewall.org in my examples on www.isaserver.org and also use msfirewall.org in all the examples in our ISA 2004 book. On your network you would replace this FQDN with the name you’ll be using when connecting to the SBS services over the Internet.

Click Next on the Web Server Certificate page.


Figure 4



The Internet E-mail Page

On the Internet E-mail page you tell the installation wizard whether or not you want to allow remote access to the Microsoft Exchange Server’s e-mail services. This is one of the major buy-ins for SBS and I think it would be a real waste to not enable Internet e-mail, especially if you’re using an ISA firewall to provide exceptionally secure remote access to these Exchange Server services.

In this example we’ll select the Enable Internet E-mail option and click Next.


Figure 5

The E-mail Delivery Page

On the E-mail Delivery page you specify how the Exchange Server on the SBS computer will resolve Internet MX domain names. When a user on your network using your Exchange Server sends a message to someone on the Internet, the Exchange Server’s SMTP service needs to resolve the domain name in the address that the message is addressed to.

For example, if you send a message to [email protected], the message moves from your e-mail client software to the Exchange Server. Then the Exchange Server needs to find a DNS MX record for smbnation.com. The Exchange Server then sends a series of DNS queries to Internet DNS servers to find the IP address of the mail server responsible for smbnation.com mail. The Exchange Server then sends the message to the IP address of the mail server specified in the smbnation.com MX record and that mail server then becomes responsible for routing the message to bob’s mailbox. This is what happens when you select the Use DNS to route e-mail option.

Your other option is the Forward all e-mail to e-mail server at your ISP. This enables you to use your ISP’s mail server as a smart host. A smart host is an SMTP server that receives mail from your mail server and then does its own DNS queries to find the mail server responsible for messages to the destination domain. The smart host performs its own DNS lookups for MX records. The end result is that you offload DNS query traffic from your Exchange Server to the ISP’s mail server.

Another advantage to using a smart host is that the ISP maintaining the smart host probably has reverse lookup zone records for the mail server, so benighted ISPs like AOL will accept mail from the ISP’s smart host mail server when they will not accept mail from your mail server (assuming that you have not registered reverse lookup zone records for your server, which you can only do if you have a dedicated/permanent IP address assigned to your NAT device or SBS server).

My professional opinion is that reverse DNS lookups are a waste of processor cycles and should be abandoned by all thinking IT organizations, but many harried IT pros are desperate to do anything and everything they can to stem the flood of spam, so they just blindly enable reverse lookups as a method of stopping spam. Don’t fall into this trap. Do not enable reverse lookups for spam whacking. As the great American Philosopher William James might have said, “reverse DNS lookups for spam control is a fool’s paradise and lubber land.”

There isn’t a one size fits all option on this page. If you have a small, professionally managed ISP with excellent technical staff who know how to maintain their e-mail servers in top condition, then I highly recommend using a smart host. However, if you’re using a mass production ISP where they go for the cheapest staff possible, you probably should use DNS to route e-mail. If you don’t know how to gauge the competency of your ISP, ask some established IT pros in your area and check the local user groups and newsgroups. They’ll be able to tell you if your ISP knows which end eats.

In this example we’ll select the Use DNS to route e-mail option since our provider is Verizon. Click Next on the E-mail Delivery Method page.


Figure 6

The E-mail Retrieval Method Page

On the E-mail Retrieval Method page you specify how the Exchange Server on the SBS computer receives e-mail from other users on the Internet. Both push and pull options are available.

The Use the Microsoft Connector for POP3 Mailboxes option is used when you cannot receive inbound SMTP mail messages directly to your Exchange Server. This would be the case if you didn’t have a permanent public IP address, if your ISP prevents incoming SMTP connections, or if your ISP doesn’t support TURN or ETRN. However, even if your ISP doesn’t support incoming connections to the default SMTP port (TCP port 25), you may be able to receive incoming connections on an alternate port. If your ISP allows new inbound connections on alternate ports that aren’t required for use by other Exchange Server services, you can enlist the aid of a dynamic DNS provider such as TZO, who can accept SMTP mail for your public domain name and then redirect that mail to your SMTP server using an alternate port.

It’s worthwhile to aggressively investigate alternatives to the POP3 connector. The Internet is strewn with the digital carcasses of mail administrators who tried to use POP3 connectors to manage their e-mail services. The POP3 connector should be used as a stopgap measure, for a very limited amount of time while you’re setting things up to enable the Exchange Server to receive incoming e-mail.

The Use Exchange option is the preferred option and the one we’ll use in the example deployment described in this article series. When you enable the Use Exchange checkbox, you’re provided with two sub options: E-mail is delivered directly to my server and E-mail is held at my ISP until my server sends a signal.

The E-mail is delivered directly to my server option is used when you can receive incoming e-mail from either the source SMTP services of the domains from which the e-mail is sent, or from an SMTP server that receives mail for your domain first and then directs the e-mail to your Exchange Server.

For example, you might have a friend or a hosting provider provide smart host functionality for your e-mail domain. You can create multiple MX records and prioritize them so that mail servers try to send mail to your Exchange Server first, but if your Exchange Server is not available, then Internet SMTP servers will send mail to servers with a lower MX record priority. If the mail goes to another SMTP server acting as a smart host for your e-mail domain, it will continue trying to forward the mail to your Exchange Server for a pre-defined period of time which is customizable. When your Exchange Server comes back online, the smart host forwards the mail to your Exchange Server. The end result of this configuration is that you never lose any incoming e-mail, even if your SBS-based Exchange Server needs to be offline for days!
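The backup MX arrangement just described, worked through as an added example (my code, not part of the original article or of SBS): a constructed MX set for msfirewall.org with the SBS Exchange Server as primary and a hypothetical hosting-provider smart host as backup, plus a small model of the backup host retrying delivery until its configurable hold period runs out. Host names and retry parameters are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value = tried first (RFC 5321, section 5.1)
    host: str


# Constructed zone data for the example domain: primary is the SBS Exchange
# Server, backup is a hosting provider's smart host (hypothetical name).
MX_RECORDS = [
    MXRecord(20, "backup-smarthost.example.net"),
    MXRecord(10, "mail.msfirewall.org"),
]


def delivery_order(records):
    """Hosts in the order an Internet SMTP sender tries them."""
    ordered = sorted(records, key=lambda r: (r.preference, r.host))
    return [r.host for r in ordered]


def choose_target(records, reachable):
    """First MX host that currently accepts connections, or None."""
    for host in delivery_order(records):
        if host in reachable:
            return host
    return None


def backup_relay(outage_hours, retry_interval_hours=4, max_hold_hours=120):
    """Model the smart host holding mail and retrying the primary.

    The primary is back online after `outage_hours`; the smart host retries
    every `retry_interval_hours` and gives up after `max_hold_hours` (the
    customizable hold period the article mentions).
    Returns ("delivered", hour) or ("bounced", hour).
    """
    hour = 0
    while hour <= max_hold_hours:
        if hour >= outage_hours:          # primary answers on this attempt
            return ("delivered", hour)
        hour += retry_interval_hours
    return ("bounced", max_hold_hours)


if __name__ == "__main__":
    print(delivery_order(MX_RECORDS))
    print(choose_target(MX_RECORDS, {"backup-smarthost.example.net"}))
    print(backup_relay(outage_hours=30))   # SBS box down for 30 hours
    print(backup_relay(outage_hours=200))  # down longer than the hold period
```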

The E-mail is held at my ISP until my server sends a signal option allows a third party to receive your mail and hold it for you until the Exchange Server sends a TURN or ETRN request to the ISP’s mail server. This option is a good one for companies who are not able to receive incoming connections for e-mail directly to their Exchange Servers. Your Exchange Server will send intermittent connection requests (which is configurable) to the ISP’s mail server. After authenticating with the ISP’s mail server, the ISP mail server sends the e-mail directly to your Exchange Server. This is a nice setup when you have an ISP or hosting provider who can provide these services and you can’t receive incoming SMTP directly to your Exchange Server from Internet SMTP servers.

The E-mail is delivered directly to my server option’s ETRN sub option requires you to have a dedicated/permanent public address assigned either to your NAT device or SBS computer, depending on your setup. The reason for this is that the TURN approach uses the source IP address as the authenticator. If you’re assigned a public address by your ISP’s DHCP server, then you can’t use the ETRN option.

If you have a DHCP assigned public address, you can use the Turn after authentication option. In this case, your Exchange Server sends authentication credentials to the ISP’s SMTP server, so it doesn’t matter what IP address you have on your public interface. As long as your Exchange Server can send the correct username and password, it will be able to receive your e-mail from the ISP’s Exchange Server. If you choose this option, the next page of the Wizard will ask you for username and password information.
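The difference between the two dequeue options above, as an added example (my own simplified model, not code from the article, from Exchange, or from any ISP): a toy ISP-side queue server that authorises ETRN by the connecting address only, and TURN by the credentials presented beforehand, so a server whose public address changed under DHCP is refused ETRN but succeeds with TURN after authentication. The IP addresses, account name and password are constructed, and the AUTH exchange is collapsed into one line for brevity.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed ISP registration data: the fixed public address allowed to
# issue ETRN for the domain, and the account allowed to issue TURN.
ETRN_ALLOWED_IPS = {"msfirewall.org": "203.0.113.70"}
AUTH_ACCOUNTS = {"msfirewall": "constructed-example-password"}


@dataclass
class Session:
    peer_ip: str
    authenticated_as: Optional[str] = None
    transcript: List[str] = field(default_factory=list)


def handle(session, line):
    """Answer one client command the way the simplified queue server would."""
    session.transcript.append("C: " + line)
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "AUTH":                      # simplified: "AUTH user password"
        user, _, password = arg.partition(" ")
        if AUTH_ACCOUNTS.get(user) == password:
            session.authenticated_as = user
            reply = "235 Authentication successful"
        else:
            reply = "535 Authentication failed"
    elif verb == "ETRN":                    # RFC 1985: authorised by source IP
        if ETRN_ALLOWED_IPS.get(arg) == session.peer_ip:
            reply = "250 OK, queuing for node " + arg + " started"
        else:
            reply = "458 Unable to queue messages for node " + arg
    elif verb == "TURN":                    # TURN after authentication
        if session.authenticated_as:
            reply = "250 OK, releasing mail for " + session.authenticated_as
        else:
            reply = "530 Authentication required"
    else:
        reply = "500 Command not recognised"
    session.transcript.append("S: " + reply)
    return reply


def dhcp_client_etrn():
    """SBS server behind a DHCP-assigned address tries ETRN: refused."""
    return handle(Session(peer_ip="198.51.100.23"), "ETRN msfirewall.org")


def dhcp_client_turn():
    """Same server authenticates first, then TURN: accepted."""
    s = Session(peer_ip="198.51.100.23")
    handle(s, "AUTH msfirewall constructed-example-password")
    return handle(s, "TURN")
```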

In this example we’ll select the Use Exchange and E-mail is delivered directly to my server options because I can receive inbound connections through my FiOS NAT device for TCP port 25 (the SMTP mail port). Click Next.


Figure 7


Summary

In this, part 3 of our article series on installing and configuring the ISA firewall on SBS, we continued with the CEICW. In the next installment of this series, we will continue with the CEICW and follow it through to its completion. See you then! –Tom.
