ISAserver.org Newsletter of October 2nd 2001

This issue is sponsored by WebTrends:
FIREWALL SECURITY: FREE TRIAL from WebTrends

WebTrends'Firewall Suite captures every action across your firewall. This award-winning software identifies and reports on critical security events, provides immediate alerts and more than 200 reports for IT managers and security professionals.

Firewall Suite supports more than 35 leading firewall and proxy servers, including Cisco and Check Point..
Download it now:
http://www.isaserver.org/pages/WebTrends.htm

http://www.isaserver.org

Isaserver.org Newsletter
Oct 2, 2001

In this issue:

**Feature: Beating the SMTP Message Screener
**ISAServer.org Learning Zone Articles of Interest
**Tip of the Week
**Mailing List Post of the Week
**Web Board Post of the Week
**ISA Server link of the week
**Ask Dr. Tom
**ISA Server Heroes of the Week -- World Trade Center Rescuers

===============================
Welcome to the Isaserver.org newsletter! Each month we bring you
interesting and helpful information on ISA Server. We want to know what
all *you* are interested in hearing about. Please send your suggestions
for future newsletter content to: tshinder@isaserver.org
===============================

**Feature: Beating the SMTP Message Screener**
By Thomas W Shinder, M.D., MCSE, etc. Click Here to purchase Tom's ISA Server book

1. Overview
2. Installing the SMTP Message Screener
3. Enabling the SMTP Application Filter
4. Configuring the Internal SMTP Server
A. Configure permissions with the SMTPCred.exe tool
B. Configure DCOM permissions
5. Summary

-----------------------------------------
1. Overview
-----------------------------------------
A subject that gets a lot of discussion on the Web boards and mailing
list is the SMTP Message Screener. The reason for this is that the
feature isn't the most elegantly implemented ISA Server component. That
said, it does provide functionality that you would otherwise have to pay
third parties to help you implement. The good news is that it does
indeed work!

The challenge is figuring out how to make it work. I think one of the
major stumbling blocks people run into when configuring the SMTP Message
Screener is that they try to make it work by installing it on the ISA
Server itself. This is bad security policy. You purchased ISA Server to
be your firewall and perhaps Web caching server. What you didn't do is
purchase ISA Server to be part of your server consolidation project!
Adding services to the firewall just provides portals of attack.

The SMTP Message Screener configuration that I find least problematic
requires that you use three servers:

1. An ISA Server at the edge of the network
2. An IIS 5.0 SMTP Server on the internal network
3. An SMTP/POP3 server on the internal network (e.g., Exchange or any
other mail server you would like to use).

The IIS 5.0 SMTP server will act as a mail relay and forward mail for
your domain to the mail server. The ISA Server and the IIS 5.0 SMTP
server (with the Message Screener installed) communicate with each other
via DCOM to provide the Message Screener functionality.

Note that this is not the only configuration. Other possibilities
include:

1. Install the IIS 5.0 SMTP server and Message Screener on the ISA
Server
2. Install the Message Screener on your Exchange Server
3. Install Exchange and the Message Screener on the ISA Server

While these configurations are possible, making them work quickly and
easily is not, in my opinion.

In this article we'll go over the procedures you need to carry out to
make the SMTP Message Screener work the way you want.

-----------------------------------------
2. Install the SMTP Message Screener
-----------------------------------------
The SMTP Message Screener needs to be installed on the internal networks
IIS 5.0 SMTP server. This is the server that will be used to relay mail
to your SMTP/POP3 or Exchange mail server.

1. Install the ISA Server Message Screener. Put the ISA Server CD into
the CD drive and let it autorun. If you do not have the CD click the
ISAautorun.exe file.

2. Start the installation of ISA Server. Choose the Custom installation
option. Remove the check mark from the ISA Services check box. Click the
Administration Tools option, and click Change Option. Put a check mark
in the ISA Management check box. Remove the check mark from the H.323
Gatekeeper Administration Tool check box. Click OK.

3. Place a check mark in the Add-in Services check box, and click
Change Option. Remove the check mark from the check box for Install
H.323 Gatekeeper Service. Place a check mark in the check box for
Message Screener. Click OK and click Continue.

4. Setup installs the Message Screener which will be used by IIS 5.0.
Restart the computer after installing the Message Screener

-----------------------------------------
3. Enabling the ISA Server SMTP Application Filter
-----------------------------------------
The SMTP Application Filter on the ISA Server is disabled by default.
Therefore, before you can take advantage of the filter's features,
you'll have to manually enable it. Fortunately, its easy.

1. At the ISA Server Management console, expand your server name and
then expand the Extensions node. Click on the Application Filters node.

2. Right click on the SMTP Filter and click enable.

We're not going to go into the configure of the SMTP application filter
in this article. We'll cover that in a future article at the Web site.

-----------------------------------------
4. Configuring the Internal IIS 5.0 SMTP Server
-----------------------------------------
Now its time to configure the internal network's IIS 5.0 SMTP Server.
This server will be published using server publishing rules. When mail
for your internal network's domain is received by the external interface
of the ISA Server, it will be forwarded to this SMTP server. This SMTP
server will be configured with a Remote Domain that will only accept
mail for your mail domain. This prevents spammers from using your server
as a relay. The Remote Domain will also be configured to Relay mail to
your Exchange or other SMTP server. The Exchange Server will need to be
configured to accept mail from this SMTP Server.

1. Install the IIS 5.0 SMTP service on a Win2k machine on the internal
network.

2. The interface configuration isn't important unless you want to
publish multiple virtual SMTP servers on this machine. Therefore, you
can let the SMTP service listen on all interfaces. Otherwise, you will
have to disable socket pooling. Check the Learning Zone at
www.isaserver.org for details on how to do this.

3. In IIS 5.0, create a Remote Domain to support your incoming messages.
Open the Internet Services Manager from the Administrative Tools menu.
Expand the Default SMTP Virtual Server and right-click the Domains node.
Click the New command, and then click Domain.

4. The New SMTP Domain Wizard appears . Select the Remote option, then
click Next. On the Select Domain Name page type in the domain name for
which your mail server will accept mail. For example, if you wanted the
IIS 5.0 SMTP server to accept mail sent to isaserver.org only, you would
create a remote domain for isaserver.org. Messages destined for other
domains are rejected. This prevents the server from being used as a
relay. Click Next.

5. Double click the remote domain, Select the Forward all mail to smart
host option. Type in the IP address of your internal mail server.
Surrounded the address with straight brackets [example]. Select the
Allow incoming mail to be relayed to this domain option. Click OK. Stop
and Start the SMTP service.

-----------------------------------------
4A. Configure Permissions with the SMTPCred.exe Tool
-----------------------------------------
The Message Screener must be configured with an account that has
permissions to access the ISA Server. An Enterprise Administrator has the
appropriate permissions. You should also be able to use the Local
Administrator account.

1. Search the CD-ROM for the file SMTPCred.exe. Copy that file to your
hard disk, and then double-click it.

2. Enter the name of the ISA Server. You can leave the default time
period that the remote server uses to retrieve settings. Enter a
username/domain and password that has administrator access to the ISA
Server. The SMTP server will use these credentials to communicate with
the ISA Server. Click OK.

-----------------------------------------
4B. Configuring DCOM Permissions
-----------------------------------------
The SMTP Message Screener communicates with the SMTP Application Filter
on the ISA Server using DCOM. You will have to use the Dcomcnfg.exe tool
to configure the proper permissions on the ISA Server.

1. Click Start, click Run and type dcomcnfg.exe in the Open text box,
and then click OK.

2. Click the Applications tab, click the VendorData class entry, and
then click the Properties button.

3. On VendorData Class Properties page click on the Security tab. Select
the Use custom access permissions option . In addition, select the Use
custom launch permissions option button. Finally, select the Use custom
configuration permissions option.

4. For each of these options, click the Edit button. You will see the
Registry Value Permissions dialog box. For each configuration
permissions, you add the Everyone group by clicking Add and then
selecting the Everyone group. Click OK then click OK again.

5. Restart both the ISA Server and the IIS 5.0 SMTP Server. I suggest
restarting the ISA Server first.

-----------------------------------------
5. Summary
-----------------------------------------
The SMTP Message Screener is relatively simple to setup when you use the
configuration covered in this article. If you wish to setup other
configurations, you may have more complications and issues that need to
be attended to, but they are possible. Just keep in mind that ISA Server
should not be a part of your server consolidation plan.

==================================
==================================
ADVERTISEMENT

FIREWALL SECURITY: FREE TRIAL from WebTrends

WebTrends'Firewall Suite captures every action across your
firewall. This award-winning software identifies and reports on
critical security events, provides immediate alerts and more than 200
reports for IT managers and security professionals.

Firewall Suite supports more than 35 leading firewall and proxy
servers, including Cisco and Check Point.. Download it now:
http://www.isaserver.org/pages/WebTrends.htm

==================================
==================================
**ISAServer.org Learning Zone articles of Interest**

We have a great group of articles in the Learning Zone that will help
you get a handle on your most difficult configuration issues. Check out
some of these:

DNS for ISA Server
http://www.isaserver.org/pages/tutorials/dns-4-isa.htm

Denying Access to a Specific Webpage(s) Using Site and Content Rules
http://www.isaserver.org/pages/tutorials/denying%20access%20with%20site%20rules.htm

ISA Server SMTP Server Support
http://www.isaserver.org/shinder/tutorials/isaserver_smtpsupport.htm

Common ISA Server Access Policy Issues
http://www.isaserver.org/shinder/tutorials/trouble.htm

ISA Server Remote Management
http://www.isaserver.org/pages/tutorials/isa%20and%20remote%20manage.htm

==================================
==================================
**TIP OF THE MONTH**

This week's ISA Server Tip is courtesy of Dominicon. This ISAServer.org
web boards poster was having troubles with mail relay and Exchange 2000:

"I have been reading the posts here and many of you have problems with
email and ISA.

Well, after much screaming and having to be held back from smashing a
server or two, I have most of my problems solved. (See earlier message
about the SMTP filter for my remaining irritation.)

IF you configure your ISA server per the guides by Tom and Curt, you
*should* not have any problems from it. However, Exchange is a bear.

Here is how I have my virtual servers configured to allow my internal
and external users to send and receive, as well as we can get mail from
other people too!

Open the properties for your vs, and click Access, Authentication. I
have all of these checked. YOU NEED ANONYMOUS TO RECIEVE MAIL FROM
EXTERNAL MAIL SERVERS! If you turn it off, the external server cannot
access your server (no account to use), and you get no mail. Click OK to
get out.

Then go to the Relay button. Relaying is how spammers send 10,000,000
emails selling viagra to Bob Dole from your domain. Not a happy thing.

I've selected "Only the list below" and leave the list blank. This way
no one can relay through your system. (If you have other Non-Exchange
servers that need to relay, you will need to add them here.) Also check
"Allow all computers that authenticate" (Paraphrased). This allows your
users to relay as long as they send user/pass when sending mail. This is
an option in Outlook/Express, but in Netscape you have to enter it for
all outgoing messages. Keep in mind that if you are using the SMTP
filter, your authentication will never get through.

Ok, now you have allowed your legitimate users to relay, and allowed