I don’t think a day goes by without someone asking either how to configure ISA Server to allow Outlook Express to work, or how to fix a problem with ISA Server because Outlook Express isn’t working properly. Instead of answering this same question over and over again, I’ve decided to put together this article on how to configure ISA Server to work with Outlook Express, or any other email client that needs access to common email protocols.
I am going to assume that those of you who have difficulties getting your email clients to work are in a small office environment, and therefore do not have a sophisticated supporting network infrastructure. I will assume you do not have a WINS, DNS or DHCP server on your network. If you do have a sophisticated network infrastructure in place, you should be able to figure out what the problem is on your own!
After you go through each of these configuration issues, Outlook Express or any other email client should work famously!
Configure the ISA Server Interfaces
If you are using a dial-up interface, your ISP will configure it automatically for you when the dial-up connection is established. The dial-up interface will be automatically assigned an IP address, gateway, and DNS server. So, there’s no reason for you to configure any of these on the DUN connectoid.
If you are using a permanent interface, then you’ll need to manually configure it, unless you’re using a DSL or cable connection. In that case, DHCP will configure the interface for you.
To manually configure the external interface, do the following:
Everyone has to configure their internal interface, regardless of the type of external interface you are using. To manually configure the internal interface, do the following:
ISA Server uses its own DNS settings to resolve Internet host names for Firewall clients, so you want to make sure the DNS server settings on the ISA Server are configured correctly.
There are other considerations for setting up the internal and external network interfaces.
Configure the LAT and LDT
It’s critical that you have the correct entries in the LAT. If you accidentally include external network IP addresses in the LAT, you can severely compromise the security of your ISA Server. If you do not include your internal network addresses in the LAT, the clients may not be able to access the Internet.
One tip for configuring the LAT: allow the ISA Server setup procedure to create the LAT based on the routing table and select the internal network interface in the setup dialog box. There’s little chance that you’ll get things wrong if you do it this way.
For a small network like yours, it’s unlikely that you’ll have multiple internal network segments. But if you do have multiple internal network segments, you’ll need to add routing table entries for each network segment. Check out the Windows Help File or our book for details on how to add these routing table entries.
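The LAT mistakes described above can be checked mechanically. The following is an added example, not part of the original article or of ISA Server: it audits a list of LAT ranges for public addresses, for the external interface address, and for internal hosts that are not covered. The "from - to" text format, the sample ranges, the host addresses and the external address 203.0.113.5 are all constructed assumptions.

```python
import ipaddress

# Blocks never routed on the Internet: RFC 1918 private ranges plus link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample LAT export, one "from - to" range per line (format is an assumption).
SAMPLE_LAT = """
10.0.0.0 - 10.255.255.255
192.168.1.0 - 192.168.1.255
203.0.113.0 - 203.0.113.255   # constructed mistake: the external segment
"""

def parse_lat(text):
    """Parse 'from - to' lines into (first, last) IPv4Address tuples."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split("-"))
        if first > last:
            raise ValueError(f"range start is after range end: {line}")
        ranges.append((first, last))
    return ranges

def audit_lat(ranges, internal_hosts, external_ip):
    """Return (finding, detail) tuples for the LAT mistakes the article warns about."""
    external_ip = ipaddress.IPv4Address(external_ip)
    findings = []
    for first, last in ranges:
        label = f"{first}-{last}"
        # summarize_address_range yields CIDR blocks that cover the range exactly.
        blocks = ipaddress.summarize_address_range(first, last)
        if not all(any(b.subnet_of(n) for n in NON_ROUTABLE) for b in blocks):
            findings.append(("PUBLIC_IN_LAT", label))
        if first <= external_ip <= last:
            findings.append(("EXTERNAL_NIC_IN_LAT", label))
    for host in map(ipaddress.IPv4Address, internal_hosts):
        if not any(first <= host <= last for first, last in ranges):
            findings.append(("INTERNAL_NOT_IN_LAT", str(host)))
    return findings

if __name__ == "__main__":
    for finding in audit_lat(parse_lat(SAMPLE_LAT), ["192.168.1.10", "192.168.2.20"], "203.0.113.5"):
        print(*finding)
```

A PUBLIC_IN_LAT or EXTERNAL_NIC_IN_LAT finding corresponds to the security problem described above; INTERNAL_NOT_IN_LAT corresponds to clients that may not reach the Internet.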
The Local Domain Table isn’t important unless you host internal network domains, or you want to access external domains directly without being subject to ISA Server access policies. However, if you do have a domain environment for your internal network, you should create an LDT entry for your domain. Note that you do not configure the LDT during installation. You can configure the LDT after installation is complete.
To configure the LDT, perform the following steps:
Configuring Dial-up Entry if using a Dial-up Connection
Make sure you have created the DUN connectoid first, and then perform the following steps to configure ISA Server to use your dial-up connection:
After the dial-up connection is configured, you want to make sure the ISA Server uses the dial-up connection as its primary network connection. This also enables the autodial feature of ISA Server. There are two places where you need to configure the dial-up connection as a primary: Firewall routing and Default Web Routing.
Do the following to configure your routing rules:
Configure Protocol Rules
If you want to use Outlook Express to send and receive mail, you typically need access to the POP3 and SMTP protocols. If you want to use Outlook Express to access your Hotmail account, you will need to allow outbound access for the HTTP and HTTPS protocols. HTTPS is required for the secure log on phase of the connection, but the remainder of the session is via HTTP. Finally, some people like to use IMAP to connect to their mail servers at work. IMAP is a wonderful protocol and it really should be used more often.
You need to create Protocol Rules to allow outbound access for internal network clients. Protocol Rules are used for outbound access control for internal network clients. You will NEVER, I repeat NEVER, use packet filters to control outbound access for internal network clients, unless you need to allow outbound access for non-TCP/UDP protocols. Fortunately, all mail protocols are TCP based.
Since you are using the Firewall client, you do not need to create a Protocol Rule for outbound DNS queries. The reason for this is that the ISA Server performs DNS queries on behalf of Firewall clients. The ISA Server can make DNS queries because a packet filter is created by default that allows the ISA Server to make outbound DNS queries. You do not need to create this packet filter.
Note that a packet filter is used because it is the ISA Server itself that needs access to the protocol. Packet filters are used to allow inbound and outbound access to applications and services running on the ISA Server itself.
Before you can create a Protocol Rule, there must be a Protocol Definition for that protocol. ISA Server includes a bunch of Protocol Definitions right out of the box. You will not need to create a new Protocol Definition to support your mail protocols.
To create a Protocol Rule for your mail protocols, perform the following steps:
Install the Firewall Client
The easiest way to install the Firewall client on a small network is to connect to the shared directory on the ISA Server that contains the Firewall client software. There are many ways you can do this. Here’s one way:
Optional Configuration Settings
Now you’re ready to rock and roll with Outlook Express or any other email client you want to use. Just configure the appropriate server settings in your client and you’ll be able to send and receive email.
There are a couple of optional settings you might want to configure on the ISA Server. These are the Packet Filtering and the IP Routing options.
You always want to enable Packet Filtering on the ISA Server. When Packet Filtering is enabled, the only traffic that can move to and from the ISA Server is the traffic that you’ve explicitly allowed by creating packet filters, Protocol Rules and Publishing Rules. If you don’t enable packet filtering, all the default ports that are opened by Windows services and applications will be open on the external interface of the ISA Server. This obviously represents a security risk.
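To see which Windows services would be reachable on the external interface without Packet Filtering, you can review the listening sockets on the ISA Server itself. The following is an added example, not part of the original article: it parses `netstat -an` output and lists the listeners bound to the external address or to every interface. The sample output and the external address 203.0.113.5 are constructed.

```python
# Constructed sample of `netstat -an` output from a Windows server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:8080       192.168.1.10:1050      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    203.0.113.5:137        *:*
"""

def exposed_listeners(netstat_text, external_ip):
    """Return sorted (proto, port) pairs that accept traffic on the external interface."""
    exposed = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner, the column header and blank lines.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING sockets accept new connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        # 0.0.0.0 means "every interface", which includes the external one.
        if addr in ("0.0.0.0", external_ip):
            exposed.add((proto, int(port)))
    return sorted(exposed)

if __name__ == "__main__":
    for proto, port in exposed_listeners(SAMPLE_NETSTAT, "203.0.113.5"):
        print(f"{proto}/{port} is bound to the external interface")
```

Every entry in the result is a port that only packet filters keep closed to the Internet.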
You might also want to enable IP Routing. This feature can greatly improve performance for SecureNAT clients. Although we haven’t discussed the SecureNAT client setup in this article, you might find that when this feature is enabled, the Firewall clients perform better as well. You also need to enable IP Routing if you want to run a DMZ segment off the ISA Server itself. But in the simple network configuration we’re discussing here, this isn’t much of an issue.
It could be that your ISP is having problems, or you’re using a DSL connection and having an MTU problem. Check that you can access the Internet using other protocols, such as HTTP using your Web browser. If you can’t get anywhere, it could be that you have a cable modem and you lost your IP address. In that case, make sure the DHCP packet filter is enabled, and then restart the computer.