Configuring the Barracuda SPAM appliance in an ISA 2004 Firewall DMZ
If you have a spam appliance or standalone spam server you would like to place into a DMZ, then you can read on about how it’s done with the Barracuda and substitute your purchased brand instead. We will also be discussing configuration for an Exchange 2003 server, but you can as well substitute your email server in place of Exchange.
The Barracuda Spam appliance (or also known as the Barracuda Spam Firewall, for its virus scanning and other security protections) comes in a 1U or 2U solution for small to enterprise organizations. The model 300, as demonstrated here, is capable of passing up to 2 million emails per day, for an average of 300 – 1000 users, and up to 500 domains and sub-domains. There are too many features to list with this model, and before it sounds like an advertisement, we’ll discuss the basics. Some of those basics are:
- Virus Scanning of Emails
- Denial of service protection
- IP block or allow lists
- Web-based administration
- Configured for inbound OR outbound email (not both)
- SSL support
- Per user quarantine and spam settings
- Exchange and LDAP lookup and acceleration
- And of course spam blocking, with rate control, Bayesian analysis and rule based scoring
For more information, you can visit www.barracudanetworks.com.
Barracuda recommends two ways you could configure the spam appliance for filtering incoming email. The first, as shown below, is as simple as placing the appliance behind your corporate firewall on the same network as your email server.
As shown above, you simply would have to forward your SMTP traffic to whatever IP address you designate on your spam appliance. From there, you can then forward all of your filtered messages on to the destination email server.
In Figure 2, we place the spam appliance in a DMZ which allows better security and isolates your appliance from your network and the internet as well.
Placing it here in a DMZ has the same physical setup as placing a web server in a DMZ. The main difference will be what ports we will allow the barracuda, the ISA server 2004, and our internal network to communicate on as well as how we publish the Barracuda to the outside world. This is the setup type we will be discussing as we move ahead.
What we need to start…
When setting up any email spam service, server, or appliance, we need to do some preliminary work first with the ISA 2004 box, and our ISP or DNS authority.
Let’s first find out our MX record. For those of you who don’t know already, your MX record(s) will probably be registered with your DNS authority (like godaddy.com or MCI) to accept email for your domain. If you don’t know the IP address or the DNS name of your MX record, you can try this helpful online utility at www.dnsstuff.com. Towards the bottom of the page, you can test your companies email records by typing in a real (or fake) email address, as show below:
After hitting the “Mail Test” button, you can get a readout of where it went for @ruhlin.com:
Getting MX record for ruhlin.com (from local DNS server, may be cached)... Got it!
Step 1: Try connecting to the following mailserver:
mail3.ruhlin.com. - 184.108.40.206
Step 2: If unsuccessful in step 1, try connecting to all of these (in the order as returned by the DNS resolver, per RFC1123 5.3.4):
mail.uu.net. - 220.127.116.11
mail.uu.net. - 18.104.22.168
mail.uu.net. - 22.214.171.124
Step 3: If still unsuccessful, queue the E-mail for later delivery.
Trying to connect to all mailservers:
As you can see, we got the information we needed, which was the listing of MX records for our domain (don’t worry about the “Could not connect… message near the bottom. That has to do with the LDAP connection, which we’ll talk about later). The top one with a preference of 10 is what currently is the first stop to deliver email. If this MX record is currently going to your exchange server (or lotus notes, GroupWise, whatever….) it’s probably on your firewall already to accept mail and forward to your appropriate email server on your LAN. We can use the same MX record, just point the destination to our Spam appliance instead of the actual email server on your firewall.
So, we have our MX record, now what? Well, second, we need to be sure we have an available DMZ on our ISA server 2004 firewall ready to go. If you are familiar with doing this already, then proceed to creating yourself a DMZ. If you are unfamiliar, then there are some great articles here on creating and maintaining DMZ’s on your ISA box. I won’t recreate the wheel here in much detail, so here are some good links to start with:
One thing to point out, which you should be aware of, is your NAT and ROUTE rules in your Network Rules list on the Networks node in ISA 2004. You should have a NAT rule setup for your DMZ network (Source) to your Exchange and Domain Controllers (Destination). This is very important, especially if you plan on doing LDAP lookup or Exchange acceleration. We’ll talk more about this later. If you already have a NAT rule setup for a DMZ attached to your ISA box, then you can add the new DMZ you created for your Barracuda. If you are using the Barracuda in an existing DMZ, you may already have a NAT or ROUTE setup. Just do yourself a favor and make sure this rule exists!
Quick setup of the Barracuda Spam Firewall
Before we place our spam appliance in the DMZ, we need to power it on, and assign it an IP address that correlates to what our DMZ network address is. In this example, our DMZ network address is 192.168.5.x. So let’s give it an address of 192.168.5.5. When you first power on the Barracuda spam firewall appliance, the default IP address is 192.168.200.200.
The best way to change this address to accommodate your DMZ subnet is to attach the Barracuda to a small switch and another desktop or laptop to the same switch as well. Change the desktop or laptop address to a similar address in the C class subnet, such as 192.168.200.205. A diagram of this simple setup is shown below:
You can also attach the appliance directly to your network, and use the ARP command from a windows command prompt to add the Barracuda’s MAC address to your ARP table on your local machine with a local address.
Now, use the Internet Explorer on this pc and go to the administration web address of the Barracuda. In this case, the admin address would be http://192.168.200.200:8000. (Notice the port of 8000 at the end of the IP. This is the administration port, and can be changed later from the barracuda if needed. We’ll keep at 8000 for this article.)
Login to the Barracuda (default is admin/admin for ID and password). If it’s the first time you are logging in, you’ll see a screen asking if you want to change your IP address and basic network information. You can say yes, if you like and change the IP address, subnet mask, and default gateway right away. If you want to browse through the admin console first and change later, you can go to the IP Configuration tab, and fill out the appropriate info. The remainder of the IP information we’ll fill out later. For now, let’s just get the barracuda to be part of our DMZ.
After changing the IP, we’ll disconnect the Barracuda from our temporary network and attach our network cable to our DMZ segment.
Setup of our Firewall
Now that we have our MX record, our DMZ setup, and our spam appliance set in our DMZ and powered up, we are ready for setup of our ISA 2004 firewall and spam appliance. Let's start with the ISA box first.
The first necessary task is placing our IP address for our MX record to our External network card, or the network card that will be listening to incoming SMTP requests from the outside world.
Now, launch our ISA Server Management MMC utility. As with anything we change on our ISA server 2004 box, let's backup our current configuration by exporting to an XML file. In case of issues, we can revert back if things don’t go well.
Now, we will publish our Barracuda to the outside world. We do this the same way we would publish an http or https server in our Firewall Policy list. Instead of choosing to publish a web server, we’re going to choose “Create a new server publishing rule.” Go ahead and start, then name the rule what you wish, hit next:
Specify the network IP (Not the MX record, but the IP address of the appliance in the DMZ)
Select “SMTP Server” on the drop down box. Don’t worry about the exclamation warning you may see when selecting the protocol.
Select the Interface to listen to requests on, and in this case it would be our external card.
We also need to click on the Address… button to select the address to listen on attached to the external network card.
If you don’t see your address listed in the available IP Addresses window, then you need to exit the wizard at this time and add that MX record address onto your External network card’s TCP/IP Properties, as mentioned before.
We’re all finished for now with the wizard, and here is a brief summary before clicking finish.
As a general rule of thumb, you should always be sure that your server publishing rules, web server, https server or any published server service is placed at or near the top of your rules list. In our case, mail is pretty important, so ours is at the top. We don’t want deny rules later in the list to block our incoming mail.
At this point, while we are still at our Firewall Policy Page on our ISA box, we should check our Filter rules to be sure that the Barracuda can get to our Email servers and LDAP servers effectively. We are also going to setup the proper ports for the administration console and ports to receive updates for the antivirus portion of our Barracuda appliance. We do this by setting up Access Rules in our Firewall Policy.
First, create a new access rule for forwarding email to the Exchange server.
Allow->SMTP->From Barracuda->To MailServer->All Users
Next, create a rule to allow LDAP queries against our LDAP servers
Allow->LDAP, LDAPS->From Barracuda->LDAPserver1, LDAPserver2->All Users
Now, since we will need to get to the Administration page for our Barracuda, we need to setup the port access to get there. I created a new port on my ISA box, 8000, and named it “Barracuda Admin Port.” I also want only Domain Admins to have access to the Barracuda using this port.
Allow->Barracuda Admin port (8000)->From Internal->to Barracuda->Domain Admins
Lastly, if our Barracuda will be sending bounce back emails to people outside, we need to configure SMTP for outbound. Also, in the same rule, we need to allow HTTP out (80) to download the newest Spam and Virus definitions for the Barracuda.
Allow->HTTP, SMTP->From Barracuda-> to External->All Users
Save our configuration of course.
Setup of our Barracuda for routing incoming GOOD mail
Now we’ll finish with the setup of our Barracuda, so we can get all our good email into our exchange server (Lotus, GroupWise, etc). We should be able to get into our Barracuda from our LAN now, provided NAT is setup correctly, you added your access rules, and also if you are using the Firewall client on your workstation. After getting to the webpage, we login and we’ll continue entering some setup parameters. On the Basic Tab screen, we’ll click on the “IP Configuration” button, and get the following screen.
We should already have the IP Address, subnet mask and gateway filled out. The other settings should be obvious, in that we’ll need:
- IP address and port of mail server
- Test email, if wish to do some testing
- DNS server addresses
- Proxy info can be left blank
- Default hostname (name for bounce back messages)
- And our Default domain (for bounce back messages)
Save your changes on this page. Next, go to the Domains tab.
Here we can setup the Barracuda to route incoming mail for multiple domains to the appropriate email servers on our network. Also, from here, I can setup the Barracuda to do LDAP checks against Active Directory. This allows the Barracuda to verify that the recipients of incoming email are valid users. If you type in your domain, and click the “Add Domain” button, your domain will be added into the list. You can then hit the “Edit Domain” link button to edit the domain and LDAP settings.
Fill in here your destination email server that email should be going to for this domain. Then, for the LDAP settings, we can add the servers that will do our LDAP lookup in our Active Directory. In our environment, we’ve elected to use the Exchange Accelerator and TLS with our Exchange server. You can read more about these configurations at Barracuda’s website. You can turn these on if you wish to later, when you know your Barracuda is working properly.
You must also supply the port your LDAP is listening on (more than likely it’s 389) and a username and password to connect to the LDAP to do queries.
The remaining information is filled in by default, and you generally don’t have to change these remaining settings for using an Exchange server. For other servers such as GroupWise or Note, you may have to look at the Barracuda documentation or website for proper setup filters.
Some Troubleshooting Tips
At this point we should be all finished with configuration of the ISA and Barracuda. Here are some things you can do to make sure your Barracuda is operational, or if you are running into issues here are some tips to help you out.
Users are not receiving email:
- Is your MX record added correctly to your External Card?
- Turn off the LDAP and Exchange Accelerator features. If email starts working, you may have LDAP configuration issues. Check the ID and password you used in your LDAP setup, and you may need to tweak your filter rules on the Barracuda
- Do you have the correct IP for your mail server entered on the Barracuda?
- Are your ISA filter rules allowing the Barracuda access to the internal network or the Mail Server?
- Is your NAT rule setup correctly in your Network Rules List?
Test basic functionality sending an email to your domain account from an outside email source, like hotmail or/and msn account. You can also check the LDAP queries, by sending an email to a non-existing account on your email server. On the Barracuda, you can look at the message logs for each piece of email that gets scanned, and see the results, and the reason why the message may have been sent or blocked.
LDAP or Exchange Accelerator feature not working:
- Check that you have your LDAP server IP address entered correctly in the LDAP setup window for you domain
- Re-enter the domain ID and Password to connect to the appropriate LDAP servers
- Be sure your ISA access rule is entered correctly. The usual port for LDAP is 389
Updates for my virus definitions and spam definitions are not working:
- The Barracuda needs access outbound for port 80. It uses port 80 to download and check your yearly subscription license
- Is the gateway address entered correctly on the Barracuda? It should be the network card address ISA's using for that subnet
The ISA server 2004 Firewall can give us a great isolated solution to scanning incoming email for Spam, spyware, and viruses, before the infected email reaches the internal network. When configuring the Barracuda, or any antispam/antivirus solution for your email, consider the benefits you have by placing it into a DMZ.
Edited by Dr Tom Shinder