Publishing A Mail Server With ISA Server.








One of the most frequently asked questions on the www.isaserver.org site is “how do I publish my internal mail server”. Second on the list of frequently asked questions is “why didn’t my publishing rule work?”. In this article, we’ll take a look at secure mail server publishing using ISA Server.



To accomplish this task, Microsoft has made life easier by including a Secure Mail Server publishing wizard. The mail server publishing wizard will walk you through the steps of publishing your mail server, and automatically create the publishing rules required to allow inbound access to your server.



However, before you run the mail Wizard, there are some preparatory steps you need to take care of so that the publishing rules work the way you want them to. Important issues include:



  • Configuring DNS
  • Configuring the mail server as an ISA Server Client
  • External IP addresses





Each of these issues must be confronted prior to creating the publishing rules with the mail server publishing wizard.



Configuring DNS


In order for external clients to access your internal mail server, you will need to create an entry on a publicly available DNS server that maps to an external interface on your ISA Server. While the name of your server can be anything you want, you will probably want to give it a standard name, such as mail.domain.com or exchange.domain.com. This entry can be handled by your ISP, or if you run your own DNS servers, you can enter an MX record for your domain on your own machines.



If you are running a Windows 2000 domain, you will likely have different internal and external domain names. Your internal domain names are private, and should not be accessible to external hosts. Therefore, the DNS entry for the internal mail server that you plan to publish should be in one of your public domains so that external users can access the internal server via the publishing rule. You cannot use the server’s internal domain name, because Internet users do not have access to your internal domain namespace information.



However, some companies maintain the same domain name for both internal and external resources. When that is the case, you should also maintain two separate DNS zone databases. One database will be accessible only to internal clients, and the other only accessible to external clients. This is a bit of a hassle, but some businesses don’t have any choice in the matter. The key is to put the entry for your mail server on a publicly available DNS server.
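The two DNS requirements above (a public MX that leads to the ISA Server's external interface rather than into the private namespace, and a separate internal copy of the zone when the same domain name is used inside and out) can be checked before the wizard is run. The following script is an added example and is not from the original article or from ISA Server; the domain names, addresses and record tables are constructed sample data, and the `lookup` function stands in for a real resolver so that the check runs offline.

```python
"""Pre-flight check for the DNS side of mail server publishing.

Added example, not from the original article. It models the rules the
article states: the MX record in the public domain must point at a name
that resolves to the ISA Server's external interface, never at a private
address, and never into the internal-only namespace; and where the same
domain name is used inside and out, the internal copy of the zone must
hand internal clients the server's private address instead.

Assumptions (not from the article): the domain names, addresses and
record tables are constructed sample data, and `lookup` stands in for a
real resolver so the check runs offline.
"""
import ipaddress

# Constructed: what a public resolver returns for the public zone.
PUBLIC_RECORDS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
}

# Constructed: a broken public zone whose MX points into the internal namespace.
LEAKY_RECORDS = {
    ("example.com", "MX"): ["exch01.corp.example.local"],
    ("exch01.corp.example.local", "A"): ["192.168.1.20"],
}

# Constructed: the internal-only copy of the zone (split DNS).
INTERNAL_RECORDS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["10.0.0.25"],
}


def lookup(records, name, rtype):
    """Stand-in resolver: return the record set for (name, type) or []."""
    return records.get((name.lower(), rtype), [])


def check_public_mx(domain, isa_external_ip, internal_suffixes, records):
    """Return a list of problems with the public MX; an empty list means ready."""
    problems = []
    mx_targets = lookup(records, domain, "MX")
    if not mx_targets:
        return [f"no MX record for {domain}"]
    external = ipaddress.ip_address(isa_external_ip)
    for target in mx_targets:
        if any(target.lower().endswith(s) for s in internal_suffixes):
            problems.append(f"MX target {target} is in an internal-only namespace")
        addrs = lookup(records, target, "A")
        if not addrs:
            problems.append(f"MX target {target} has no public A record")
            continue
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip == external:
                continue  # points at the ISA Server's external interface: correct
            if ip.is_private:
                problems.append(f"{target} resolves to private address {a}")
            else:
                problems.append(f"{target} resolves to {a}, not ISA external {isa_external_ip}")
    return problems


def check_split_zone(name, isa_external_ip, public_records, internal_records):
    """Split DNS is right when the public view gives only the ISA external
    address and the internal view gives only private addresses for `name`."""
    pub = lookup(public_records, name, "A")
    internal = lookup(internal_records, name, "A")
    return {
        "public_ok": pub == [isa_external_ip],
        "internal_ok": bool(internal)
        and all(ipaddress.ip_address(a).is_private for a in internal),
    }


if __name__ == "__main__":
    print(check_public_mx("example.com", "203.0.113.10", [".local"], PUBLIC_RECORDS))
    print(check_public_mx("example.com", "203.0.113.10", [".local"], LEAKY_RECORDS))
    print(check_split_zone("mail.example.com", "203.0.113.10", PUBLIC_RECORDS, INTERNAL_RECORDS))
```

To run it against live DNS, replace `lookup` with a function that queries the public resolver for the public checks and your internal DNS server for the internal check; the comparison logic stays the same.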



Another important DNS configuration issue is determining how you want the internal mail server itself to resolve Internet names. When your internal mail server needs to send out mail, it has to decide what mail server it should forward the mail to. There are two ways that mail server can handle this problem:




  • Resolve the mail domain name itself
  • Forward the mail to a Smart Host

If the mail server will be resolving the mail domain names itself, the mail server will need to be able to perform DNS queries. The mail servers to which the mail is bound will be on the Internet, and therefore your internal mail server will need to be able to send queries to a DNS server that can resolve Internet names.



To allow the internal mail server to send queries to DNS servers on the Internet, you must create a Protocol Rule that allows the mail server access to the DNS query Protocol Definition, which is Outbound UDP 53. However, if you have an Exchange 2000 mail server (which uses the IIS SMTP service), you must also allow access to Outbound TCP 53. The Internet Information Server 5.0 SMTP service uses TCP rather than UDP to send DNS queries.



Another way to allow the mail server to perform DNS queries is to configure it to send queries to an internal DNS server that is configured to use a Forwarder on the Internet. In this case, only the internal DNS server needs access to a Protocol Rule for Outbound DNS queries. Once the internal DNS server receives a response from the Forwarder, it will send the answer to the internal mail server.



If you wish to offload the name resolution work away from your mail server, you can configure the server to send mail to a Smart Host. In this case, you can configure the server with the IP address of the Smart Host and the Smart Host will take care of the work of resolving the mail domain name. The Smart Host will then forward the mail to the appropriate mail server on the Internet.



In this case, you do not need to make any special arrangements for the mail server to resolve external host names, since it will forward all mail to a particular IP address. However, you can also include a FQDN for the Smart Host name. In this case, you will need to allow the mail server to perform DNS queries.



Configuring the Mail Server as an ISA Server Client


One of the biggest advantages ISA Server has over Proxy Server 2.0 is that you can publish internal servers as SecureNAT clients. With Proxy Server 2.0, all published servers had to be configured as Firewall Clients. Along with the requirement of installing the Firewall Client (Winsock Proxy) software, you also had to configure a wspcfg.ini file and place it in the appropriate directory on the mail server. While this wasn’t rocket science, neither was it any fun.



You can still configure your internal mail server as a Firewall Client and use the wspcfg.ini file that you may have used in publishing your mail servers with Proxy Server 2.0. However, I strongly suggest that you make your internal mail server a SecureNAT client. It will make your life a whole lot easier.



External IP Addresses


Server publishing rules do not use Destination Sets. Instead of using destination sets, you use the IP address of the external interface in the publishing rule. This presents a problem if you wish to publish more than one mail server on your internal network. The reason is that once you create a publishing rule, it consumes a particular port number (such as port 25) for that IP address. Therefore, you cannot use that port number in any other publishing rule for that IP address. This is in contrast to how the Web Publishing Rules work, where you can publish as many internal web servers as you like using a single external IP address and port number.



In order to get around this limitation, you will have to bind multiple IP addresses to the external interface of the ISA Server, or add multiple external interfaces and bind an IP address to be used for inbound mail to each of them. After adding the multiple external IP addresses, you can then use them in your publishing rules to publish multiple internal mail servers.



It is important to note that you cannot perform port redirection using publishing rules. For example, you might want to publish an internal mail server on port 2525 on the external interface of the ISA Server and then have the ISA Server forward messages coming into that port to an internal server’s port 25. This won’t work. The external port on the ISA Server and the port number used on the internal server must be the same.



Running The Secure Mail Server Publishing Wizard


ISA Server includes a Wizard that guides you through publishing a mail server. The Secure Mail Publishing Wizard allows you to publish multiple mail protocols at once. After the Wizard is finished, it will create Server Publishing Rules and Client Address Sets that will allow access to the internal mail server.



These rules will work with all types of mail servers. You can be running Exchange 5.5, Exchange 2000 or even Lotus Notes. As long as the servers use standard ports, the publishing rules will work with them.



To run the Secure Mail Server Wizard, perform the following steps:




  1. Open the ISA Management console, expand your server or array, and then expand the Publishing node. Right click on the Server Publishing Rules node, and click on the Secure Mail Server command.


  2. After clicking on the Secure Mail Server command, you’ll be presented with the Welcome page. Click Next to continue.



  3. The Mail Services Selection dialog box appears as seen below.


    Here you select the mail protocols you would like to publish. You have the choice of enabling Default Authentication or SSL Authentication. Different rules will be created to support the type of authentication method you select. Note that the Default Authentication option will send credentials in clear text.

    Generally, it’s not a good idea to open RPC ports to Internet users. This will happen if you allow Incoming Microsoft Exchange/Outlook. If you have external clients that need to connect to an internal Exchange Server, they should establish a VPN connection with the ISA Server and then access the internal Exchange server.

    Click Next to continue.


  4. On the ISA Server’s External IP address page, type in the IP address of the external interface that you want the ISA Server to listen on for the published mail server. Click Next.



  5. On the Internal Mail Server page you have two choices.


    Choose At this IP address to publish a server on the internal network.

    Choose the On the local host option if the mail server is running on the ISA Server. If you do choose this option, you may see two warning dialog boxes.




    Note that the second warning will only appear if you have enabled the Message Screener option in the second page of the wizard. The Message Screener won’t work when you ‘publish’ the mail server on the local host because there must be an intermediary SMTP server between the mail server and the Internet.

    When you configure the wizard to use the mail server on the local host, the wizard will create a series of static packet filters to allow the server to listen to the selected services on the external interface of the ISA Server. It does not publish the internal interface of the ISA Server. In order to do that, you would need to select the At this IP address option and type in the IP address of the internal interface.

    In this example, we’ve selected the At this IP address option and typed in the IP address of the server on the internal network. Click Next.


  6. On the last page of the wizard, review your settings, and click Finish.



After you finish, you’ll see a number of new Server Publishing Rules, as seen below.






The Firewall Service uses these rules to determine inbound access to the mail server. The wizard did not create static packet filters. You do not need to create packet filters to allow a publishing rule to work because the rule will make the port available on the external interface.



Note that when you went through the wizard there was no option to control inbound access to the rules. Double click on any of the publishing rules configured by the Wizard and then click the Applies to tab, and you will see what appears below.





If you want to limit who can access your internal mail server, then select the Client address sets specified below option. Click the Add button to add a Client Address Set to the list. Note that Client Address Sets only allow you to control access by IP address, not by user name or group.
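The constraints described in the External IP Addresses section (one listener per external IP and port, and no port redirection) together with the Applies to restriction just described can be checked on paper before any rule is created. The planner below is an added example, not code from the original article and not part of ISA Server; every name and address in it is constructed sample data, and the `PublishingRule` and `PublishingPlan` classes are this example's own model of the rules, not an ISA API.

```python
"""Planner that checks a set of ISA Server 2000 server publishing rules
before they are created.

Added example, not from the original article and not ISA Server code. It
encodes three rules the article states: a server publishing rule consumes
one (external IP, protocol, port) for its listener, so a second server on
the same port needs a second external IP; the external port and the
internal server's port must be the same (no port redirection); and the
"Applies to" tab can restrict a rule to Client Address Sets, which match
by source IP address only, never by user or group.

Assumptions: all names and addresses are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PublishingRule:
    name: str
    external_ip: str
    port: int                # listener port on the ISA external interface
    internal_ip: str
    internal_port: int       # port the published server actually listens on
    protocol: str = "tcp"
    # Client Address Sets from the "Applies to" tab, as CIDR strings.
    # An empty tuple means "any request" (what the wizard creates).
    client_sets: tuple = ()


class PublishingPlan:
    def __init__(self):
        self.rules = []

    def _owner(self, rule):
        """Return the existing rule that already holds this rule's listener, if any."""
        key = (rule.external_ip, rule.protocol, rule.port)
        for r in self.rules:
            if (r.external_ip, r.protocol, r.port) == key:
                return r
        return None

    def add(self, rule):
        """Accept the rule or raise ValueError with the reason ISA would not."""
        if rule.port != rule.internal_port:
            raise ValueError(
                f"{rule.name}: external port {rule.port} != internal port "
                f"{rule.internal_port}; server publishing rules cannot redirect ports")
        owner = self._owner(rule)
        if owner is not None:
            raise ValueError(
                f"{rule.name}: {rule.protocol}/{rule.port} on {rule.external_ip} is "
                f"already consumed by rule '{owner.name}'; bind another external IP")
        for cidr in rule.client_sets:
            ipaddress.ip_network(cidr)  # fail early on a malformed address set
        self.rules.append(rule)
        return rule

    def allows(self, rule_name, source_ip):
        """Would the named rule accept a connection from source_ip?
        Only the source address is consulted, because Client Address Sets
        cannot express users or groups."""
        rule = next(r for r in self.rules if r.name == rule_name)
        if not rule.client_sets:
            return True
        src = ipaddress.ip_address(source_ip)
        return any(src in ipaddress.ip_network(c) for c in rule.client_sets)


def try_add(plan, rule):
    """Add the rule; return None on success or the rejection reason as text."""
    try:
        plan.add(rule)
        return None
    except ValueError as exc:
        return str(exc)


def build_sample_plan():
    """Two internal SMTP servers on two external IPs; the second one is
    restricted to one partner's address range (all values constructed)."""
    plan = PublishingPlan()
    plan.add(PublishingRule("SMTP mail1", "203.0.113.10", 25, "10.0.0.25", 25))
    plan.add(PublishingRule("SMTP mail2", "203.0.113.11", 25, "10.0.0.26", 25,
                            client_sets=("198.51.100.0/24",)))
    return plan


if __name__ == "__main__":
    plan = build_sample_plan()
    # Third SMTP server on an already-used external IP: rejected.
    print(try_add(plan, PublishingRule("SMTP mail3", "203.0.113.10", 25, "10.0.0.27", 25)))
    # Attempted port redirection 2525 -> 25: rejected.
    print(try_add(plan, PublishingRule("SMTP alt", "203.0.113.12", 2525, "10.0.0.28", 25)))
    print(plan.allows("SMTP mail2", "192.0.2.7"))  # outside the address set
```

Note that a different port on an already-used external IP (for example POP3 on 110 beside SMTP on 25) is still accepted, which is exactly how the wizard publishes several mail protocols on one external address.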



You should only publish SMTP servers on the internal network, and refrain from putting an SMTP server on the ISA Server itself. Any services on the ISA Server take up memory and processor cycles, and are potential attack vectors.



The only time you might want to consider publishing the SMTP service on the ISA Server is when you wish to implement the Message Screener. However, it’s often easier to get the Message Screener working when you publish the IIS SMTP service on the internal network and forward the mail from the IIS SMTP service to the internal mail server.



Summary


ISA Server makes it easy to publish your internal mail server to the Internet. However, before firing up the Secure Mail Server Publishing Wizard, you need to make sure your network infrastructure is configured to support mail server publishing. The Wizard will create the required server publishing rules that will allow inbound access to your internal mail server. After the rules are created, external users will be able to access the internal mail server in the same way they would access any other server located on the Internet.
