
ISA Server 2004 Getting Started Guide: Configuring the Firewall as a Filtering SMTP Relay
Chapter 13
Published: February 2004
For the latest information, please see http://www.microsoft.com/isaserver/
Contents
Restore the System to its Post-installation State
Assign a second IP address to the internal interface of the ISA Server 2004 firewall
Install and Configure the SMTP Service
Install the SMTP Message Screener
Create the SMTP Server Publishing Rules
Create the Outbound SMTP Access Rule
Configure SMTP Message Screener Logging
One of the optional components included with ISA Server 2004 is the SMTP Message Screener. The SMTP Message Screener inspects SMTP messages at the application layer and relays or rejects them based on parameters you configure. It can evaluate incoming SMTP mail on the following characteristics:
· Sender mail account and sender domain name
· Attachment name, attachment extension and attachment size
· Keywords included in the subject line and body of text/plain and text/html messages
For example, a common attachment extension for Internet worms is .pif. Because few if any legitimate e-mail messages carry attachments with the .pif extension, you can configure the filter to match messages with attachments of this extension and perform one of the following actions:
· Delete the message
· Hold the message
· Forward the message to a specified e-mail account
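The following Python is an added example, not part of this guide or of the ISA Server product. It models the three classes of rule listed above and the three actions they can trigger: it parses a message with the standard library email module, takes the attachment name from either the Content-Disposition header or the Content-Type name= parameter, normalises trailing dots and spaces before testing the extension (Windows drops them when it saves a file), and scans the subject plus text/plain and text/html bodies for keywords. The rule contents (blocked sender and domain, size limit, keywords, quarantine mailbox), the mapping of rule classes to actions and the sample messages are assumptions for illustration.

```python
"""Message screening rules of the kinds the ISA Server 2004 SMTP Message Screener
evaluates (sender account/domain, attachment name/extension/size, keywords in
the subject and in text/plain and text/html bodies), each mapped to one of the
screener's three actions: delete, hold, forward.  Rule contents are assumed for
illustration and are not product defaults."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_SENDERS = {"spammer@example.net"}          # assumed
BLOCKED_SENDER_DOMAINS = {"badmail.example"}       # assumed
BLOCKED_EXTENSIONS = {".pif", ".scr"}              # .pif is the text's example; .scr assumed
MAX_ATTACHMENT_BYTES = 1024 * 1024                 # assumed 1 MiB limit
KEYWORDS = ("free money", "act now")               # assumed
FORWARD_TO = "quarantine@msfirewall.org"           # assumed mailbox for the "forward" action

# Which of the three actions each rule class triggers (assumed policy).
ACTION_FOR = {"sender": "delete", "attachment": "delete", "size": "hold", "keyword": "forward"}


def sender_address(msg):
    """Bare, lower-cased address from the From header (display name stripped)."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def attachments(msg):
    """Yield (filename, decoded size) for every part that carries a filename, whether
    it is given in Content-Disposition or only in the Content-Type name= parameter."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, len(part.get_payload(decode=True) or b"")


def text_bodies(msg):
    """Subject line plus the text of text/plain and text/html parts that are not attachments."""
    yield str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            yield part.get_content()


def screen(msg):
    """Return (action, reason) for the first rule that matches, or None if the message is clean."""
    sender = sender_address(msg)
    domain = sender.rpartition("@")[2]
    if sender in BLOCKED_SENDERS or domain in BLOCKED_SENDER_DOMAINS:
        return ACTION_FOR["sender"], f"sender {sender}"
    for name, size in attachments(msg):
        # Windows drops trailing dots and spaces when saving, so "invoice.pif." lands
        # on disk as invoice.pif; normalise before taking the (last) extension.
        ext = os.path.splitext(name.strip().rstrip(". "))[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return ACTION_FOR["attachment"], f"attachment {name!r} has extension {ext}"
        if size > MAX_ATTACHMENT_BYTES:
            return ACTION_FOR["size"], f"attachment {name!r} is {size} bytes"
    for text in text_bodies(msg):
        lowered = text.lower()
        for keyword in KEYWORDS:
            if keyword in lowered:
                return ACTION_FOR["keyword"], f"keyword {keyword!r} (forward to {FORWARD_TO})"
    return None


def screen_raw(raw):
    """Parse a message as received on the wire and screen it."""
    return screen(email.message_from_bytes(raw, policy=policy.default))


def make_message(sender, subject, body, html=None, attachment=None):
    """Build a constructed test message; attachment is (filename, bytes)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "alice@msfirewall.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    if attachment is not None:
        msg.add_attachment(attachment[1], maintype="application", subtype="octet-stream",
                           filename=attachment[0])
    return msg


# Constructed sample: a worm-style message whose only filename hint is the
# Content-Type name= parameter, with an upper-case extension.
RAW_WORM = b"""From: "Postmaster" <postmaster@example.org>
To: alice@msfirewall.org
Subject: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="Invoice.PIF"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(screen_raw(RAW_WORM))
    print(screen(make_message("bob@example.com", "Q1", "Numbers attached",
                              attachment=("q1.xlsx", b"\0" * 64))))
```

Running the module screens the constructed worm (deleted on the .pif extension even though the name appears only in the Content-Type header and in upper case) and a clean spreadsheet message (no action).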
The SMTP Message Screener is an integral part of an e-mail defense-in-depth scheme. Internet worms and viruses, in addition to spam, represent one of the most significant risks to your network. Worms and viruses can attack servers, services and workstations throughout the Internal network. Spam consumes Internal network bandwidth and employee time, costing many thousands of dollars per month in lost productivity.
E-mail defense in depth allows you to distribute the processing of incoming and outgoing e-mail messages. SMTP message evaluation is processor intensive, and the more machines the load is distributed across, the more efficient the process. You can use the ISA Server 2004 SMTP Message Screener together with the Exchange SMTP Gateway Server to provide an ideal level of e-mail defense in depth.
In the example discussed in this document, we will configure the ISA Server 2004 firewall as an inbound and outbound SMTP relay. The inbound SMTP relay accepts incoming mail from external SMTP servers that is destined for the e-mail domains you host on your Exchange Server. The outbound SMTP relay screens e-mail sent from the Exchange Server to e-mail domains on the Internet (domains that you do not host or control).
To achieve these goals, you will perform the following steps:
· Restore the system to its post-installation state
· Assign a second IP address to the internal interface of the ISA Server 2004 firewall
· Install and configure the SMTP Service
· Install the SMTP Message Screener
· Create the SMTP Server Publishing Rules
· Create the Outbound SMTP Access Rule
· Configure SMTP Message Screener logging
· Test SMTP filtering
Restore the System to its Post-installation State
In order to fully test the inbound and outbound SMTP relay configuration in this scenario, we will return the machine to its post-installation state so that existing Access Rules do not interfere with the scenario. In a production environment, you would leave your current Access Rules intact and add the Server Publishing Rules required to create the inbound and outbound SMTP relays.
Perform the following steps to restore the ISA Server 2004 firewall machine to its post-installation state:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and right click on the server name. Click the Restore command.
2. In the Restore Configuration dialog box, select the backup file you created earlier and click the Restore button.
3. In the Type Password to Open File dialog box, enter the password you assigned to the file in the Password text box and click OK.
4. Click OK in the Importing dialog box after you see the message The configuration was successfully restored.
5. Click Apply to save the changes and update the firewall policy.
6. Select the Save the changes and restart the service(s) option in the ISA Server Warning dialog box, then click OK.
7. Click OK in the Apply New Configuration dialog box.
Assign a second IP address to the internal interface of the ISA Server 2004 firewall
We will add a second IP address to the internal interface of the ISA Server 2004 firewall machine. This allows us to publish the outbound SMTP relay on a different IP address than the inbound SMTP relay. While this is not required, it greatly simplifies tracking which relay is used by which clients.
Perform the following steps to add a second IP address to the Internal interface of the ISA Server 2004 firewall machine:
1. At the ISA Server 2004 firewall machine, right click on the My Network Places icon on the desktop and click Properties.
2. In the Network Connections window, right click the LAN interface and click Properties.
3. In the LAN Properties dialog box, scroll through the This connection uses the following items list and double click on Internet Protocol (TCP/IP).
4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
5. In the Advanced TCP/IP Settings dialog box, click the IP Settings tab. In the IP addresses frame, click the Add button.
6. In the TCP/IP Address dialog box, enter 10.0.0.10 in the IP address text box. Enter 255.255.255.0 in the Subnet mask text box. Click Add.

7. The IP address 10.0.0.10 now appears second in the list of IP addresses. Click OK.
8. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
9. Click OK in the LAN Properties dialog box.
Install and Configure the SMTP Service
The IIS 6.0 SMTP service should be installed before the ISA Server 2004 SMTP Message Screener. The SMTP service works together with the SMTP Message Screener to examine and block offending e-mail messages.
Perform the following steps to install the IIS 6.0 SMTP service:
1. Click Start and then point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
3. On the Windows Components page, click Application Server in the list of Components and click Details.
4. In the Application Server dialog box, click Internet Information Services (IIS) and click Details.
5. In the Internet Information Services (IIS) dialog box, place a checkmark in the SMTP Service checkbox and click OK.

6. Click OK in the Application Server dialog box.
7. Click Next on Windows Components page.
8. Click OK in the Insert Disk dialog box.
9. Enter the path to the i386 folder in the Copy files from text box on the Files Needed dialog box.
10. Click Finish in the Completing the Windows Components Wizard page.
The next step is to configure the SMTP server service to support inbound and outbound relay:
1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the computer name in the left pane of the console. Right click the Default SMTP Virtual Server and click Properties.
3. In the Default SMTP Virtual Server Properties dialog box, click the Access tab.
4. On the Access tab, click the Relay button in the Relay restrictions frame.
5. In the Relay Restrictions dialog box, confirm that the Only the list below option is selected. Then click the Add button.
6. In the Computer dialog box, select the Single computer option and enter the IP address of the Exchange Server in the IP address text box. In this example the IP address of the Exchange Server is 10.0.0.2. Click OK.

7. Click OK in the Relay Restrictions dialog box.
8. Click Apply and then click OK in the Default SMTP Virtual Server Properties dialog box.
9. Expand the Default SMTP Virtual Server node in the left pane of the console and right click the Domains node. Point to New and click Domain.
10. On the Welcome to the New SMTP Domain Wizard page, select the Remote option and click Next.
11. On the Domain Name page, enter the domain hosted on the Internal network in the Name text box. This is the domain for which you want the SMTP relay on the ISA Server 2004 firewall to accept incoming mail from Internet SMTP servers. In this example the Internal network domain is msfirewall.org, so we will enter that here. Click Finish.
12. Double click on the msfirewall.org domain in the right pane of the console.
13. In the msfirewall.org Properties dialog box, place a checkmark in the Allow incoming mail to be relayed to this domain checkbox. Select the Forward all mail to smart host option. Enter the IP address of the Exchange Server on the Internal network in the text box, enclosed in square brackets; the brackets tell the SMTP service to treat the value as an IP address rather than a host name to resolve. In our current example, the IP address of the Exchange Server on the Internal network is 10.0.0.2, so we will enter [10.0.0.2]. Click Apply and then click OK.

14.
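The relay policy that the SMTP service steps above produce, shown as an added example that is not part of this guide or of the ISA Server product: a Python model of the decision the IIS SMTP service makes at RCPT TO when Relay Restrictions are limited to the Exchange Server 10.0.0.2 and the remote domain msfirewall.org accepts incoming relay and forwards to the smart host [10.0.0.2]. The client addresses 203.0.113.5 and 10.0.0.50, the probe domain relay-test.example and the foreign recipient domains are constructed; the reply texts mirror the wording of the IIS 6.0 SMTP service.

```python
"""Relay policy of the IIS 6.0 SMTP service on the ISA Server 2004 firewall once
Relay Restrictions list only the Exchange Server and the remote domain
msfirewall.org accepts incoming relay with smart host [10.0.0.2].
Reply texts follow the IIS 6.0 SMTP service format; addresses other than
10.0.0.2 and msfirewall.org are constructed for the example."""
import re
from ipaddress import ip_address, ip_network

# Relay Restrictions, "Only the list below": only the Exchange Server may relay
# to domains this server does not host.
RELAY_ALLOWED = [ip_network("10.0.0.2/32")]

# Remote domains.  The square brackets around the smart host make the service
# treat it as an IP literal instead of resolving it through DNS (MX lookup).
REMOTE_DOMAINS = {
    "msfirewall.org": {"allow_incoming_relay": True, "smart_host": "[10.0.0.2]"},
}

ADDRESS_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def rcpt_decision(client_ip, rcpt_to):
    """Decide one RCPT TO command.  Returns (code, enhanced-status text, route),
    where route is the smart host for a hosted domain, 'mx:<domain>' for outbound
    relay resolved through DNS, or None when the recipient is refused."""
    match = ADDRESS_RE.match(rcpt_to.strip())
    if not match:
        return 501, "5.5.4 Invalid address", None
    local, domain = match.group(1), match.group(2).lower().rstrip(".")
    address = f"{local}@{domain}"
    entry = REMOTE_DOMAINS.get(domain)
    if entry is not None and entry["allow_incoming_relay"]:
        # Inbound mail for a hosted domain: any client may submit it; route to Exchange.
        return 250, f"2.1.5 {address}", entry["smart_host"]
    if any(ip_address(client_ip) in net for net in RELAY_ALLOWED):
        # Outbound mail from Exchange: relay it, resolving the destination via MX.
        return 250, f"2.1.5 {address}", f"mx:{domain}"
    # Everything else, including internal workstations and Internet hosts that
    # address foreign domains, is refused: the relay is not open.
    return 550, f"5.7.1 Unable to relay for {address}", None


def simulate_session(client_ip, mail_from, recipients):
    """Replay the envelope stage of one session.  Returns the reply lines the
    relay sends and the (recipient, route) pairs it would go on to deliver."""
    replies = [f"250 2.1.0 {mail_from}....Sender OK"]
    routes = []
    for rcpt in recipients:
        code, text, route = rcpt_decision(client_ip, rcpt)
        replies.append(f"{code} {text}")
        if route is not None:
            routes.append((rcpt, route))
    return replies, routes


def relays_for(client_ip):
    """Classic open-relay probe: does this client get a 250 for a recipient in a
    domain the server does not host?  True is expected only for 10.0.0.2."""
    code, _, _ = rcpt_decision(client_ip, "<probe@relay-test.example>")
    return code == 250


if __name__ == "__main__":
    replies, routes = simulate_session("203.0.113.5", "someone@example.net",
                                       ["alice@msfirewall.org", "victim@example.org"])
    for line in replies:
        print(line)
    print(routes)
```

Running the module replays an Internet client that addresses one hosted and one foreign recipient: the first RCPT TO is accepted and routed to [10.0.0.2], the second gets 550 5.7.1 Unable to relay, which is the response an open-relay test from outside should see. The same probe from 10.0.0.2 is accepted, because Exchange is the one host the Relay Restrictions list.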