One of the most frequently asked questions on the www.isaserver.org site is “how do I publish my internal mail server”. Second on the list of frequently asked questions is “why didn’t my publishing rule work?”. In this article, we’ll take a look at secure mail server publishing using ISA Server.
To accomplish this task, Microsoft has made life easier by including a Secure Mail Server publishing wizard. The mail server publishing wizard will walk you through the steps of publishing your mail server, and automatically create the publishing rules required to allow inbound access to your server.
However, before you run the mail Wizard, there are some preparatory steps you need to take care of so that the publishing rules work the way you want them to. Important issues include:
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
Each of these issues must be confronted prior to creating the publishing rules with the mail server publishing wizard.
In order for external clients to access your internal mail server, you will need to create an entry on a publicly available DNS server that maps to an external interface on your ISA Server. While the name of your server can be anything you want, you will probably want to give a standard name, such as mail.domain.com or exchange.domain.com. This entry can be handled by your ISP, or if you run your own DNS servers, you can enter an MX entry for your domain on your own machines.
If you are running a Windows 2000 domain, you will likely have different internal and external domain names. Your internal domain names are private, and should not be accessible to external hosts. Therefore, the DNS entry for the internal mail server that you plan to publish should be in one of your public domains so that external users can access the internal server via the publishing rule. You cannot use the server’s internal domain name, because Internet users do not have access to your internal domain namespace information.
However, some companies maintain the same domain name for both internal and external resources. When that is the case, you should also maintain two separate DNS zone databases. One database will be accessible only to internal clients, and the other only accessible to external clients. This is a bit of a hassle, but some businesses don’t have any choice in the matter. The key is to put the entry for your mail server on a publicly available DNS server.
Another important DNS configuration issue is determining how you want the internal mail server itself to resolve Internet names. When your internal mail server needs to send out mail, it has to decide which mail server it should forward the mail to. There are two ways the mail server can handle this:
If the mail server will be resolving the mail domain names itself, the mail server will need to be able to perform DNS queries. The mail servers to which the mail is bound will be on the Internet, and therefore your internal mail server will need to be able to send queries to a DNS server that can resolve Internet names.
To allow the internal mail server to send queries to DNS servers on the Internet, you must create a Protocol Rule that allows the mail server access to the DNS query Protocol Definition, which is Outbound UDP 53. However, if you have an Exchange 2000 mail server (which uses the IIS SMTP service), you must also allow access to Outbound TCP 53. The Internet Information Server 5.0 SMTP service uses TCP rather than UDP to send DNS queries.
Another way to allow the mail server to perform DNS queries is to configure it to send queries to an internal DNS server that is configured to use a Forwarder on the Internet. In this case, only the internal DNS server needs access to a Protocol Rule for Outbound DNS queries. Once the internal DNS server receives a response from the Forwarder, the internal DNS server will send the answer to the internal mail server.
If you wish to offload the name resolution work away from your mail server, you can configure the server to send mail to a Smart Host. In this case, you can configure the server with the IP address of the Smart Host and the Smart Host will take care of the work of resolving the mail domain name. The Smart Host will then forward the mail to the appropriate mail server on the Internet.
In this case, you do not need to make any special arrangements for the mail server to resolve external host names, since it will forward all mail to a particular IP address. However, you can also include a FQDN for the Smart Host name. In this case, you will need to allow the mail server to perform DNS queries.
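The three name-resolution options above each imply a different set of outbound DNS Protocol Rules on the ISA Server. The following added example (not code from the article, and not an ISA Server API; the rule model, host names and mode names are assumptions) works out which internal host needs UDP 53 and, for an Exchange 2000/IIS SMTP server, TCP 53, and treats a smart host given as an FQDN rather than an IP address as the edge case it is:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model of the outbound DNS Protocol Rules an ISA Server 2000
# administrator must create for outbound mail delivery. Names are assumptions.

@dataclass(frozen=True)
class ProtocolRule:
    client: str      # internal SecureNAT client the rule applies to
    protocol: str    # "UDP" or "TCP"
    port: int        # destination port; DNS queries use 53

def _dns_rules_for(host: str, iis_smtp: bool) -> Set[ProtocolRule]:
    """Rules a host needs to query Internet DNS servers: UDP 53, plus TCP 53
    when the host is an Exchange 2000 / IIS 5.0 SMTP service (queries over TCP)."""
    rules = {ProtocolRule(host, "UDP", 53)}
    if iis_smtp:
        rules.add(ProtocolRule(host, "TCP", 53))
    return rules

def required_dns_rules(mail_server: str, resolver: str = "self",
                       internal_dns: Optional[str] = None,
                       smart_host: Optional[str] = None,
                       iis_smtp: bool = False) -> Set[ProtocolRule]:
    """resolver: "self"       - mail server queries Internet DNS servers directly
                 "forwarder"  - mail server asks an internal DNS server that forwards
                 "smart_host" - all outbound mail is relayed to a smart host"""
    if resolver == "self":
        return _dns_rules_for(mail_server, iis_smtp)
    if resolver == "forwarder":
        if not internal_dns:
            raise ValueError("forwarder mode needs an internal DNS server name")
        # Only the internal DNS server talks to the Internet Forwarder; the mail
        # server's own queries stay inside the network and need no ISA rule.
        return _dns_rules_for(internal_dns, iis_smtp=False)
    if resolver == "smart_host":
        if not smart_host:
            raise ValueError("smart_host mode needs an address or FQDN")
        try:
            ipaddress.ip_address(smart_host)
            return set()   # literal IP address: no name resolution needed at all
        except ValueError:
            # FQDN: the mail server must resolve the smart host's name itself
            return _dns_rules_for(mail_server, iis_smtp)
    raise ValueError(f"unknown resolver mode {resolver!r}")
```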
Configuring the Mail Server as an ISA Server Client
One of the biggest advantages ISA Server has over Proxy Server 2.0 is that you can publish internal servers as SecureNAT clients. With Proxy Server 2.0, all published servers had to be configured as Firewall Clients. Along with the requirement of installing the Firewall Client (Winsock Proxy) software, you also had to configure a wspcfg.ini file and place it in the appropriate directory on the mail server. While this wasn’t rocket science, neither was it any fun.
You can still configure your internal mail server as a Firewall Client and use the wspcfg.ini file that you may have used in publishing your mail servers with Proxy Server 2.0. However, I strongly suggest that you make your internal mail server a SecureNAT client. It will make your life a whole lot easier.
External IP Addresses
Server publishing rules do not use Destination Sets. Instead of using destination sets, you use the IP address of the external interface in the publishing rule. This presents a problem if you wish to publish more than one mail server on your internal network. The reason is that once you create a publishing rule, it consumes a particular port number (such as port 25) for that IP address. Therefore, you cannot use that port number in any other publishing rule for that IP address. This is in contrast to how the Web Publishing Rules work, where you can publish as many internal web servers as you like using a single external IP address and port number.
In order to get around this limitation, you will have to bind multiple IP addresses to the external interface of the ISA Server, or add multiple external interfaces and bind an IP address to be used for inbound mail to each of them. After adding the multiple external IP addresses, you can then use them in your publishing rules to publish multiple internal mail servers.
It is important to note that you cannot perform port redirection using publishing rules. For example, you might want to publish an internal mail server on port 2525 on the external interface of the ISA Server and then have the ISA Server forward messages coming into that port to an internal server’s port 25. This won’t work. The external port on the ISA Server and the port number used on the internal server must be the same.
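The two constraints just described (one external IP address can carry a given port only once, and no port redirection) are easy to get wrong when planning several mail servers. The following added example (not code from the article, and not an ISA Server API; the rule model and sample addresses are constructed) checks a planned set of Server Publishing Rules against both constraints and counts how many external IP addresses the plan needs:

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of ISA Server 2000 Server Publishing Rules. Field names and
# the sample addresses below are assumptions for this example.

@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    external_ip: str     # address bound to the ISA Server external interface
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str = "TCP"

def validate_publishing_rules(rules: List[ServerPublishingRule]) -> List[str]:
    """Return a list of problems; an empty list means the rule set is consistent."""
    problems: List[str] = []
    seen: Dict[Tuple[str, str, int], str] = {}   # (external_ip, protocol, port) -> rule
    for r in rules:
        key = (r.external_ip, r.protocol, r.external_port)
        if key in seen:
            problems.append(f"{r.name}: {r.protocol}/{r.external_port} on {r.external_ip} "
                            f"already consumed by {seen[key]}; bind another external IP")
        else:
            seen[key] = r.name
        if r.external_port != r.internal_port:
            problems.append(f"{r.name}: external port {r.external_port} != internal port "
                            f"{r.internal_port}; publishing rules cannot redirect ports")
    return problems

def external_addresses_needed(rules: List[ServerPublishingRule]) -> int:
    """Minimum number of distinct external IP addresses: one per rule that
    shares the same protocol and port, since each binding consumes the port."""
    counts = Counter((r.protocol, r.internal_port) for r in rules)
    return max(counts.values(), default=0)

if __name__ == "__main__":
    # Constructed plan: two SMTP servers on one external address, plus an
    # attempt to redirect external 2525 to internal 25.
    plan = [
        ServerPublishingRule("SMTP-EXCH01", "198.51.100.1", 25, "10.0.0.10", 25),
        ServerPublishingRule("SMTP-EXCH02", "198.51.100.1", 25, "10.0.0.11", 25),
        ServerPublishingRule("SMTP-ALT", "198.51.100.1", 2525, "10.0.0.12", 25),
    ]
    for problem in validate_publishing_rules(plan):
        print(problem)
    print("external addresses needed:", external_addresses_needed(plan))
```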
Running The Secure Mail Server Publishing Wizard
ISA Server includes a Wizard that guides you through publishing a mail server. The Secure Mail Publishing Wizard allows you to publish multiple mail protocols at once. After the Wizard is finished, it will create Server Publishing Rules and Client Address Sets that will allow access to the internal mail server.
These rules will work with all types of mail servers. You can be running Exchange 5.5, Exchange 2000 or even Lotus Notes. As long as the servers use standard ports, the publishing rules will work with them.
To run the Secure Mail Server Wizard, perform the following steps:
After you finish, you’ll see a number of new Server Publishing Rules, as seen below.
The Firewall Service uses these rules to determine inbound access to the mail server. The wizard did not create static packet filters. You do not need to create packet filters to allow a publishing rule to work because the rule will make the port available on the external interface.
Note that when you went through the wizard there was no option to control inbound access to the rules. Double-click on any of the publishing rules configured by the Wizard and then click the Applies to tab and you see what appears below.
If you want to limit who can access your internal mail server, then select the Client address sets specified below option. Click the Add button to add a Client Address Set to the list. Note that Client Address Sets only allow you to control access by IP address, not by user name or group.
You should only publish SMTP servers on the internal network, and refrain from putting an SMTP server on the ISA Server itself. Any services on the ISA Server take up memory, processor cycles, and are potential vectors of attack.
The only time you might want to consider publishing the SMTP service on the ISA Server is when you wish to implement the Message Screener. However, it’s often easier to get the Message Screener working when you publish the IIS SMTP service on the internal network and forward the mail from the IIS SMTP service to the internal mail server.
ISA Server makes it easy to publish your internal mail server to the Internet. However, before firing up the Secure Mail Server Publishing Wizard, you need to make sure your network infrastructure is configured to support mail server publishing. The Wizard will create the required server publishing rules that will allow inbound access to your internal mail server. After the rules are created, external users will be able to access the internal mail server in the same way they would access any other web server located on the Internet.