Configuring the ISA Server 2000 Firewall to Support the Exchange SMTP Service

A Site and Content Rule and a Protocol Rule are required for any computer that needs outbound access to Internet servers. The Exchange Server’s SMTP service may need to reach any SMTP server on the Internet, and a Protocol Rule for the SMTP protocol allows this access: it lets the Exchange Server’s SMTP service forward SMTP mail to all servers on the Internet.

In addition to access to the SMTP protocol, the SMTP server requires access to the DNS protocol. Before the SMTP service can forward a message, it must resolve the destination mail domain name to the IP address of an SMTP server responsible for that mail domain. The SMTP service can resolve the name itself, or forward the name resolution request to a DNS server on the internal or external network.

There are a number of ways you can configure your network to support Exchange Server’s SMTP and DNS requirements. The following procedure represents a common ISA Server setup that supports the SMTP and DNS requirements for the SMTP service on the Exchange Server:

Note:
You can use a single Protocol Rule to allow outbound access to the SMTP, DNS Query and DNS Zone Transfer protocols. The only reason you might want to create separate Protocol Rules is if you need to assign permission to use a particular protocol to different Client Address Sets.

Let’s look at an example. You want to use an internal DNS server and configure the Exchange SMTP service to use this internal DNS server to resolve Internet MX domain names. You do not, at any time, want the Exchange SMTP service to resolve Internet MX domain names on its own. You would create the following Client Address Sets and Protocol Rules to support this configuration:

There are many variations on this approach. You might want to allow the Exchange Server to perform recursion if the DNS server fails to resolve the name. Or you might not want to use an internal DNS server at all, and instead allow the Exchange Server to resolve MX domain names itself by querying an external DNS server. Or you may want to configure the Exchange Server to use an internal DNS server and allow the internal DNS server to use a forwarder or perform recursion itself. Finally, you could configure the Exchange Server’s SMTP service to use a smart host and let the smart host resolve the MX domain names; this completely removes the responsibility for name resolution from the Exchange SMTP service.

However, the Client Address Set that contains the Exchange Server’s IP address will always need access to the SMTP Protocol Rule. The SMTP service must have access to this Protocol Rule so that it can forward mail to Internet mail domains.

In this ISA Server 2000 Exchange 2000/2003 Deployment Kit document we will go over the procedures required to allow a DNS server on the internal network to resolve Internet MX domain names and allow the Exchange Server to send outbound SMTP messages. You must do the following to accomplish this task:

1. Create Client Address Sets for the SMTP server and for the DNS server.
2. Create Protocol Rules allowing the SMTP servers outbound SMTP access and the DNS servers outbound DNS Query and DNS Zone Transfer access.
3. Create a Site and Content Rule allowing the DNS and SMTP servers access to all sites.
4. Configure the Exchange Server’s SMTP service properties.

Creating the Client Address Sets

The first step is to create the Client Address Sets that contain the IP addresses of the Exchange Server and the DNS server. You could create a single Client Address Set that contains both the DNS server and Exchange Server addresses, but this would not give you granular control over the protocols allowed to the members of the set. For example, if the DNS server does not require access to outbound SMTP, you should not include the DNS server’s address in the same Client Address Set as the SMTP server.

Perform the following steps to create the SMTP server’s Client Address Set:

1. Open the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Policy Elements node and right click on the Client Address Sets node. Point to New and click Set (figure 1).

Figure 1

2. In the Client Set dialog box, type a name for the Client Address Set in the Name text box (figure 2). Type a description for the Client Address Set in the Description (optional) text box. Click the Add button.

Figure 2

3. In the Add/Edit IP Address dialog box, type the IP address of your SMTP server (figure 3). If you have more than one SMTP server, you can create multiple entries. If the SMTP servers have consecutive IP addresses, type the first IP address in the From text box and the last IP address in the To text box. If you have a single SMTP server, type its IP address in both the From and To text boxes.

Figure 3

4. The IP address range appears in the Members list on the Client Set dialog box (figure 4). Click OK.

Figure 4

5. The Client Address Set appears in the right pane of the ISA Management console (figure 5).

Figure 5


The next step is to create the Client Address Set for the DNS server, so that the DNS server on the internal network can be allowed to contact Internet DNS servers:

1. Right click on the Client Address Sets node in the left pane of the console, point to New and click Set (figure 6).

Figure 6

2. Type a name for the DNS servers Client Address Set in the Name text box of the Client Set dialog box (figure 7). Type a description of the Client Address Set in the Description (optional) text box. Click the Add button.

Figure 7

3. Type the address of the DNS server in the Add/Edit IP Addresses dialog box (figure 8). Click OK.

Figure 8

4. The IP address of the DNS server appears in the Members list on the Client Set dialog box (figure 9). If you have more than one DNS server, you can create multiple entries in this Client Address Set. Click OK.

Figure 9

5. The DNS servers Client Address Set appears in the right pane of the ISA Management console (figure 10).

Figure 10

Create the Protocol Rules

You need to create two Protocol Rules: one that allows the SMTP servers Client Address Set outbound access to the SMTP protocol, and one that allows the DNS servers Client Address Set outbound access to the DNS Query and DNS Zone Transfer protocols.

Perform the following steps to create the SMTP Protocol Rule:

1. Open the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Access Policy node, right click on the Protocol Rules node, point to New and click Rule (figure 11).

Figure 11

2. Type a name for the Protocol Rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page (figure 12). Click Next.

Figure 12

3. On the Rule Action page, select the Allow option and click Next (figure 13).

Figure 13

4. On the Protocols page, select the Selected protocols option from the Apply this rule to drop down list. Select the SMTP protocol from the list of Protocols. After you have selected the SMTP protocol, put a checkmark in the Show only selected protocols checkbox; this makes it easier to see which protocols apply to the rule (figure 14). Click Next.

Figure 14

5. On the Schedule page, use the default entry, Always (figure 15). Your mail server should always be able to send SMTP mail. If you do not want your SMTP server to send mail at all times, you can select from the default options on the Use this schedule list, or create your own custom schedule, which will appear on the list after you have created it. Click Next.

Figure 15

6. On the Client Type page, select the Specific computers (client address sets) option and click Next (figure 16).

Figure 16

7. On the Client Sets page, click the Add button (figure 17).

Figure 17

8. On the Add Client Sets page (figure 18), the Defined sets list shows the Client Address Sets you have already created. Notice that you have the option to create a new Client Address Set “on the fly” by clicking the New button. In this example, we have already created the Client Address Set that we will allow to use this Protocol Rule. Select the SMTP Servers Client Address Set and click the Add button.

Figure 18

9. The SMTP Servers Client Address Set appears in the Include these sets list (figure 19). Click OK.

Figure 19

10. The client sets that are allowed to use the Protocol Rule appear in the Client Sets list on the Client Sets page (figure 20). Click Next.

Figure 20

11. Review your settings on the Completing the New Protocol Rule Wizard page and then click Finish (figure 21).

Figure 21

12. The SMTP Protocol Rule that allows the SMTP servers outbound access to TCP port 25 now appears in the right pane of the console (figure 22).

Figure 22

Perform the following steps to create the DNS Protocol Rule allowing the DNS servers outbound access to the DNS Query and DNS Zone Transfer protocols:

1. Right click on the Protocol Rules node in the left pane of the ISA Management console, point to New and click Rule (figure 23).

Figure 23

2. Type a name for your DNS Query and DNS Zone Transfer Protocol Rule in the Protocol rule name text box on the Welcome to the New Protocol Rule Wizard page (figure 24). Click Next.

Figure 24

3. Select the Allow option on the Rule Action page (figure 25). Click Next.

Figure 25

4. On the Protocols page, select the Selected protocols option from the Apply this rule to drop down list box (figure 26). Put a checkmark in the DNS Query and DNS Zone Transfer checkboxes in the list of Protocols. After selecting the protocols, put a checkmark in the Show only selected protocols checkbox. Click Next.

Figure 26

5. Select the default Always schedule on the Schedule page (figure 27), unless you wish to limit the times when the DNS server can resolve Internet host names. Click Next.

Figure 27

6. Select the Specific computers (client address sets) option on the Client Type page (figure 28). Click Next.

Figure 28

7. On the Client Sets page, click the Add button (figure 29).

Figure 29

8. Select the DNS servers Client Address Set from the Defined sets list. Click Add, then click OK (figure 30).

Figure 30

9. The DNS servers Client Address Set appears in the Include these sets list on the Add Client Sets dialog box (figure 31). Click OK.

Figure 31

10. The DNS servers Client Address Set appears in the Client Sets list on the Client Sets page (figure 32). Click Next.

Figure 32

11. Review your settings on the Completing the New Protocol Rule Wizard page and click Finish (figure 33).

Figure 33

12. The outbound DNS Query and DNS Zone Transfer Protocol Rule appears in the right pane of the console (figure 34).

Figure 34

Creating a Site and Content Rule Allowing the DNS and SMTP Servers Access to All Sites

The DNS and SMTP servers need access to all sites on the Internet. In reality, the DNS and SMTP servers require access only to other DNS and SMTP servers. The problem is that you cannot predict which DNS or SMTP servers may need to be contacted, so you must allow access to all DNS and SMTP servers.

Note:
If you configure the DNS server to use a forwarder and you do not allow the DNS server to perform recursion in the event that the forwarder fails to resolve the name, then you can configure a Site and Content Rule that allows the DNS Client Address Set access only to the forwarder. If you configure the Exchange SMTP service to use a smart host, you can configure a Site and Content Rule that allows the SMTP service access only to the address of the smart host.

In this example we’ll create a single Site and Content Rule that allows the SMTP server and DNS server Client Address Sets access to all sites. You do not need to configure access control for content type, because content control is only available for the HTTP protocol.

Perform the following steps to create the Site and Content Rule:

1. Open the ISA Management console, expand the Servers and Arrays node and then expand your server node. Expand the Access Policy node, right click on Site and Content Rules, point to New and click Rule (figure 35).

Figure 35

2. Type a name for the Site and Content Rule in the Site and content rule name text box on the Welcome to the New Site and Content Rule Wizard page (figure 36). Click Next.

Figure 36

3. On the Rule Action page, select the Allow option (figure 37). Click Next.

Figure 37

4. Select the Allow access based on destination option on the Rule Configuration page (figure 38). Click Next.

Figure 38

5. On the Destination Sets page, select the All destinations option from the Apply this rule to drop down list box (figure 39). Click Next.

Figure 39

6. Review your settings on the Completing the New Site and Content Rule Wizard page (figure 40) and click Finish.

Figure 40

7. The new Site and Content Rule appears in the right pane of the ISA Management console (figure 41). Right click the new Site and Content Rule and click Properties.

Figure 41

8. In the Site and Content Rule’s Properties dialog box, click on the Applies To tab (figure 42). Select the Client address sets specified below option. Click the Add button.

Figure 42

9. In the Add Client Sets dialog box, click on the DNS servers Client Address Set in the Defined sets list and click Add. Then click on the SMTP servers Client Address Set in the Defined sets list and click Add. Both sets now appear in the Include these sets list. Click OK (figure 43).

Figure 43

10. The DNS servers and SMTP servers Client Address Sets appear in the Applies to request coming from list (figure 44). This limits the rule to the IP addresses listed in the DNS servers Client Address Set and the SMTP servers Client Address Set. Click Apply and then click OK.

Figure 44

11. The new Site and Content Rule appears in the right pane of the ISA Management console (figure 45). Note that we have disabled the default Allow rule, which is created automatically on all standalone ISA Server firewall machines. This default Site and Content Rule allows anonymous outbound access. For security reasons, you should never allow anonymous outbound access.

Figure 45
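
The access policy built in the three procedures above (two Client Address Sets, two Protocol Rules, one Site and Content Rule, default Allow rule disabled) can be checked against a small model before trusting it. The following Python script is an added example, not ISA Server code and not the deployment kit’s own; it models the evaluation the document describes: an outbound request is allowed only when an enabled Protocol Rule for the protocol and an enabled Site and Content Rule both apply to a Client Address Set that contains the client’s IP address, and a disabled rule never matches. The set names, rule names and IP addresses are constructed sample values, not taken from the figures.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ClientAddressSet:
    """A Client Address Set: one or more From/To address ranges (inclusive)."""
    name: str
    ranges: List[Tuple[str, str]]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


@dataclass
class ProtocolRule:
    name: str
    protocols: List[str]        # protocol definitions the rule allows
    client_sets: List[str]      # Client Address Set names; [] = any request
    enabled: bool = True


@dataclass
class SiteAndContentRule:
    name: str
    client_sets: List[str]      # [] = any request (how the default Allow rule is scoped)
    enabled: bool = True        # destinations are "all" throughout this model


@dataclass
class Policy:
    sets: List[ClientAddressSet]
    protocol_rules: List[ProtocolRule]
    site_rules: List[SiteAndContentRule]


def sets_containing(policy: Policy, ip: str) -> set:
    """Names of the Client Address Sets whose ranges include ip."""
    return {s.name for s in policy.sets if s.contains(ip)}


def _applies(rule_sets: List[str], member_of: set) -> bool:
    return not rule_sets or bool(set(rule_sets) & member_of)


def decide(policy: Policy, ip: str, protocol: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for an outbound request from ip using protocol.

    Both an enabled Protocol Rule and an enabled Site and Content Rule must
    apply. Disabled rules are skipped, which is why disabling the default
    Allow rule removes anonymous outbound access.
    """
    member_of = sets_containing(policy, ip)
    proto = [r.name for r in policy.protocol_rules
             if r.enabled and protocol in r.protocols and _applies(r.client_sets, member_of)]
    if not proto:
        return False, f"no enabled Protocol Rule allows {protocol} for {ip}"
    site = [r.name for r in policy.site_rules
            if r.enabled and _applies(r.client_sets, member_of)]
    if not site:
        return False, f"no enabled Site and Content Rule applies to {ip}"
    return True, f"allowed by Protocol Rule '{proto[0]}' and Site and Content Rule '{site[0]}'"


def is_allowed(policy: Policy, ip: str, protocol: str) -> bool:
    return decide(policy, ip, protocol)[0]


# Constructed sample policy mirroring the document's procedures (addresses are made up)
POLICY = Policy(
    sets=[
        ClientAddressSet("SMTP Servers", [("10.0.0.10", "10.0.0.11")]),
        ClientAddressSet("DNS Servers", [("10.0.0.53", "10.0.0.53")]),
    ],
    protocol_rules=[
        ProtocolRule("Outbound SMTP", ["SMTP"], ["SMTP Servers"]),
        ProtocolRule("Outbound DNS", ["DNS Query", "DNS Zone Transfer"], ["DNS Servers"]),
    ],
    site_rules=[
        SiteAndContentRule("Allow rule", client_sets=[], enabled=False),  # default rule, disabled
        SiteAndContentRule("DNS and SMTP servers to all sites", ["DNS Servers", "SMTP Servers"]),
    ],
)

if __name__ == "__main__":
    for ip, proto in [("10.0.0.10", "SMTP"), ("10.0.0.53", "DNS Query"),
                      ("10.0.0.53", "SMTP"), ("10.0.0.77", "SMTP")]:
        print(ip, proto, decide(POLICY, ip, proto))
```

The third and fourth sample requests are the ones worth looking at: the DNS server is refused SMTP because it sits in its own Client Address Set, which is the reason the document gives for not putting both servers in one set, and a workstation outside both sets is refused even though the Site and Content Rule allows all destinations.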
Configuring the Exchange Server’s SMTP Service Properties

The Exchange Server’s SMTP service needs to resolve the name of the mail domain to an SMTP server responsible for that domain’s mail. An MX record on the public DNS server is required for that domain, and the MX record points to a Host (A) record. A single mail domain can have multiple MX records with different preference values.

Each MX record is given a weighting or preference. Internet SMTP servers send mail to the most preferred SMTP server, which is the one whose MX record carries the lowest preference value. If a preferred SMTP server is not available, mail is forwarded to the SMTP servers lower on the list.

For example, the internal.net domain may have four SMTP servers responsible for accepting SMTP mail messages. Two of these SMTP servers are on site and the other two are located at other sites. This provides fault tolerance: if the on-site Internet connection fails, SMTP messages are sent to the off-site SMTP servers.

The Exchange SMTP service can use the DNS server entered in the TCP/IP Properties dialog box of its network interface card to resolve mail domain names, or it can be configured to use an external DNS server. When you configure the SMTP service to use an external DNS server, the SMTP service bypasses the DNS server configuration on the network interface card and uses the DNS server that you specify in the SMTP service’s Properties dialog box.

You might wish to use an external DNS server if you want to configure the NIC to use an internal DNS server to resolve internal DNS names, but allow the Exchange SMTP service to use an external DNS server to resolve public DNS names. The Exchange SMTP service must be able to resolve public DNS names to send mail to mail domains that are not part of your internal network.

Perform the following steps to configure the mail domain resolution behavior of the Exchange Server’s SMTP Service:

1. Open the Exchange System Manager (figure 46). Expand the Servers node and then expand the Protocols node. Expand the SMTP node and click on the Default SMTP Virtual Server node. Right click on the Default SMTP Virtual Server and click the Properties command.

Figure 46

2. In the Default SMTP Virtual Server Properties dialog box (figure 47), click on the Delivery tab. On the Delivery tab, click on the Advanced button.

Figure 47

3. You can enter a smart host IP address or DNS name in the Smart host text box on the Advanced Delivery dialog box (figure 48).

A smart host is an SMTP server that does the name resolution work for the Exchange Server’s SMTP service. When you configure the SMTP service to use a smart host, the service forwards all outgoing SMTP messages to the smart host, and the smart host determines the IP address of the SMTP server responsible for handling messages to that particular domain. When you use a smart host, the Exchange Server’s SMTP service never needs to resolve the mail domain addresses; the smart host does all the work. The smart host works as an SMTP relay for outbound messages.

If you enter an IP address for the smart host, you must put square brackets around the address. If you use a fully qualified domain name for the smart host, the Exchange Server must be able to resolve the name.

Click the Configure button on the Advanced Delivery dialog box.

Figure 48

4. You can add the address of an external DNS server in the Configure dialog box (figure 49). Click the Add button and enter the IP address of the external DNS server.

Note:
Do not configure an external DNS server if you use a smart host. All mail is forwarded to the smart host and the Exchange Server does not require the services of an external DNS server.

Figure 49

5. The address of the external DNS server appears in the External DNS list on the Configure dialog box (figure 50).

Note that the DNS servers included in this list are used by the Exchange Server’s SMTP service only. Any other DNS name resolution is done by the DNS server configured on the Exchange Server’s network interface card.

Figure 50

Restart the SMTP service after configuring the smart host or external DNS server addresses.
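
The MX preference ordering described at the start of this section and the smart host and external DNS choices made in steps 3 to 5 can be seen together in one small model. The following Python script is an added example, not code from the deployment kit or from Exchange; it models the decisions the text describes: a smart host, when configured, receives every message and makes the External DNS list irrelevant, a smart host given as an IP address must be bracketed, and without a smart host the MX hosts are tried from the lowest preference value upwards, falling over to the off-site servers when the on-site ones are unreachable. The AdvancedDelivery and MXRecord classes, the function names, and all host names, addresses and MX data are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AdvancedDelivery:
    """Constructed model of the Advanced Delivery and Configure dialog settings."""
    smart_host: str = ""                                    # Smart host text box ("" = none)
    external_dns: List[str] = field(default_factory=list)   # External DNS list


@dataclass
class MXRecord:
    preference: int   # lower value = more preferred
    host: str


def parse_smart_host(value: str) -> Tuple[str, str]:
    """Classify the Smart host entry as ("ip", address) or ("name", host).

    Only a bracketed literal such as "[192.0.2.25]" is taken as an IP address.
    An unbracketed dotted quad comes back as ("name", ...) because the service
    would try to resolve it as a host name, which is the mistake the
    square-bracket requirement guards against.
    """
    v = value.strip()
    if v.startswith("[") and v.endswith("]"):
        return "ip", str(ipaddress.ip_address(v[1:-1]))   # ValueError if not an IP
    return "name", v


def looks_like_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_config(cfg: AdvancedDelivery) -> List[str]:
    """Warnings for the two configuration mistakes the document calls out."""
    warnings: List[str] = []
    if not cfg.smart_host:
        return warnings
    try:
        kind, target = parse_smart_host(cfg.smart_host)
    except ValueError:
        return ["bracketed smart host entry is not a valid IP address"]
    if kind == "name" and looks_like_ip(target):
        warnings.append("smart host IP address must be enclosed in square brackets")
    if cfg.external_dns:
        warnings.append("external DNS servers are not used when a smart host is configured")
    return warnings


def resolver_used(cfg: AdvancedDelivery) -> str:
    """Which DNS servers the SMTP service consults for mail domain names."""
    return "external" if cfg.external_dns else "nic"


def mx_order(records: List[MXRecord]) -> List[str]:
    """Hosts in delivery order: most preferred (lowest preference value) first.
    sorted() is stable, so equal-preference hosts keep their listed order."""
    return [r.host for r in sorted(records, key=lambda r: r.preference)]


def plan_delivery(domain: str, cfg: AdvancedDelivery, zone: Dict[str, List[MXRecord]],
                  reachable: Callable[[str], bool]) -> Optional[str]:
    """Next-hop SMTP server for a message to `domain`, or None if none is usable.

    With a smart host configured every message goes to the smart host and no
    MX lookup happens. Otherwise the MX hosts are tried in preference order
    and the first reachable one wins, which is the fail-over to the off-site
    servers the text describes.
    """
    if cfg.smart_host:
        return parse_smart_host(cfg.smart_host)[1]
    for host in mx_order(zone.get(domain, [])):
        if reachable(host):
            return host
    return None


# Constructed sample zone data for the four-server internal.net example in the text
SAMPLE_ZONE: Dict[str, List[MXRecord]] = {
    "internal.net": [
        MXRecord(20, "mx3.offsite.example"),
        MXRecord(10, "mx1.internal.net"),
        MXRecord(20, "mx4.offsite.example"),
        MXRecord(10, "mx2.internal.net"),
    ]
}

if __name__ == "__main__":
    direct = AdvancedDelivery(external_dns=["198.51.100.53"])   # SMTP service resolves MX itself
    print(mx_order(SAMPLE_ZONE["internal.net"]))
    print(plan_delivery("internal.net", direct, SAMPLE_ZONE, lambda h: True))
    # on-site link down: only the off-site servers answer
    print(plan_delivery("internal.net", direct, SAMPLE_ZONE, lambda h: h.endswith("offsite.example")))
    relay = AdvancedDelivery(smart_host="[192.0.2.25]", external_dns=["198.51.100.53"])
    print(check_config(relay), plan_delivery("internal.net", relay, SAMPLE_ZONE, lambda h: False))
```

The `reachable` callback stands in for the connection attempt the SMTP service makes; passing a predicate that only admits the off-site hosts reproduces the failed on-site Internet link from the internal.net example, and the result shows mail moving to the preference-20 servers without any change to the zone.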
Summary

In this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document we discussed the ISA Server firewall and Exchange Server configuration parameters that allow the Exchange Server’s SMTP service to send outbound SMTP messages to Internet SMTP servers. Client Address Set-based access controls were used on the Protocol Rules and the Site and Content Rule that allow the DNS and Exchange servers access to SMTP and DNS services on the Internet.