This issue is sponsored by WebTrends:
FIREWALL SECURITY: FREE TRIAL from WebTrends

WebTrends' Firewall Suite captures every action across your firewall. This award-winning software identifies and reports on critical security events, provides immediate alerts and more than 200 reports for IT managers and security professionals.

Firewall Suite supports more than 35 leading firewall and proxy servers, including Cisco and Check Point.
Download it now:
http://www.isaserver.org/pages/WebTrends.htm

 

ISAserver.org Newsletter of October 2nd 2001

http://www.isaserver.org


In this issue:

**Feature: Beating the SMTP Message Screener
**ISAServer.org Learning Zone Articles of Interest
**Tip of the Week
**Mailing List Post of the Week
**Web Board Post of the Week
**ISA Server link of the week
**Ask Dr. Tom
**ISA Server Heroes of the Week -- World Trade Center Rescuers

===============================
Welcome to the Isaserver.org newsletter! Each month we bring you
interesting and helpful information on ISA Server. We want to know what
all *you* are interested in hearing about. Please send your suggestions
for future newsletter content to: tshinder@isaserver.org
===============================

**Feature: Beating the SMTP Message Screener**
By Thomas W Shinder, M.D., MCSE, etc. Click Here to purchase Tom's ISA Server book

1. Overview
2. Installing the SMTP Message Screener
3. Enabling the SMTP Application Filter
4. Configuring the Internal SMTP Server
A. Configure permissions with the SMTPCred.exe tool
B. Configure DCOM permissions
5. Summary

-----------------------------------------
1. Overview
-----------------------------------------
A subject that gets a lot of discussion on the Web boards and mailing
list is the SMTP Message Screener. The reason for this is that the
feature isn't the most elegantly implemented ISA Server component. That
said, it does provide functionality that you would otherwise have to pay
third parties to help you implement. The good news is that it does
indeed work!

The challenge is figuring out how to make it work. I think one of the
major stumbling blocks people run into when configuring the SMTP Message
Screener is that they try to make it work by installing it on the ISA
Server itself. This is bad security policy. You purchased ISA Server to
be your firewall and perhaps Web caching server. What you didn't do is
purchase ISA Server to be part of your server consolidation project!
Adding services to the firewall just provides portals of attack.

The SMTP Message Screener configuration that I find least problematic
requires that you use three servers:

1. An ISA Server at the edge of the network
2. An IIS 5.0 SMTP Server on the internal network
3. An SMTP/POP3 server on the internal network (e.g., Exchange or any
other mail server you would like to use).

The IIS 5.0 SMTP server will act as a mail relay and forward mail for
your domain to the mail server. The ISA Server and the IIS 5.0 SMTP
server (with the Message Screener installed) communicate with each other
via DCOM to provide the Message Screener functionality.

Note that this is not the only configuration. Other possibilities
include:

1. Install the IIS 5.0 SMTP server and Message Screener on the ISA
Server
2. Install the Message Screener on your Exchange Server
3. Install Exchange and the Message Screener on the ISA Server

While these configurations are possible, making them work quickly and
easily is not, in my opinion.

In this article we'll go over the procedures you need to carry out to
make the SMTP Message Screener work the way you want.

-----------------------------------------
2. Install the SMTP Message Screener
-----------------------------------------
The SMTP Message Screener needs to be installed on the internal network's
IIS 5.0 SMTP server. This is the server that will be used to relay mail
to your SMTP/POP3 or Exchange mail server.

1. Install the ISA Server Message Screener. Put the ISA Server CD into
the CD drive and let it autorun. If autorun does not start, double-click
the ISAautorun.exe file.

2. Start the installation of ISA Server. Choose the Custom installation
option. Remove the check mark from the ISA Services check box. Click the
Administration Tools option, and click Change Option. Put a check mark
in the ISA Management check box. Remove the check mark from the H.323
Gatekeeper Administration Tool check box. Click OK.

3. Place a check mark in the Add-in Services check box, and click
Change Option. Remove the check mark from the check box for Install
H.323 Gatekeeper Service. Place a check mark in the check box for
Message Screener. Click OK and click Continue.

4. Setup installs the Message Screener, which will be used by IIS 5.0.
Restart the computer after installing the Message Screener.

-----------------------------------------
3. Enabling the ISA Server SMTP Application Filter
-----------------------------------------
The SMTP Application Filter on the ISA Server is disabled by default.
Therefore, before you can take advantage of the filter's features,
you'll have to enable it manually. Fortunately, it's easy.

1. At the ISA Server Management console, expand your server name and
then expand the Extensions node. Click on the Application Filters node.

2. Right click on the SMTP Filter and click enable.

We're not going to go into the configuration of the SMTP application filter
in this article. We'll cover that in a future article at the Web site.

-----------------------------------------
4. Configuring the Internal IIS 5.0 SMTP Server
-----------------------------------------
Now it's time to configure the internal network's IIS 5.0 SMTP Server.
This server will be published using server publishing rules. When mail
for your internal network's domain is received by the external interface
of the ISA Server, it will be forwarded to this SMTP server. This SMTP
server will be configured with a Remote Domain that will only accept
mail for your mail domain. This prevents spammers from using your server
as a relay. The Remote Domain will also be configured to Relay mail to
your Exchange or other SMTP server. The Exchange Server will need to be
configured to accept mail from this SMTP Server.

1. Install the IIS 5.0 SMTP service on a Win2k machine on the internal
network.

2. The interface configuration isn't important unless you want to
publish multiple virtual SMTP servers on this machine. Therefore, you
can let the SMTP service listen on all interfaces. Otherwise, you will
have to disable socket pooling. Check the Learning Zone at
www.isaserver.org for details on how to do this.

3. In IIS 5.0, create a Remote Domain to support your incoming messages.
Open the Internet Services Manager from the Administrative Tools menu.
Expand the Default SMTP Virtual Server and right-click the Domains node.
Click the New command, and then click Domain.

4. The New SMTP Domain Wizard appears. Select the Remote option, then
click Next. On the Select Domain Name page type in the domain name for
which your mail server will accept mail. For example, if you wanted the
IIS 5.0 SMTP server to accept mail sent to isaserver.org only, you would
create a remote domain for isaserver.org. Messages destined for other
domains are rejected. This prevents the server from being used as a
relay. Click Next.

5. Double-click the remote domain and select the Forward all mail to smart
host option. Type in the IP address of your internal mail server,
surrounded by square brackets, as in [example]. Select the
Allow incoming mail to be relayed to this domain option. Click OK. Stop
and start the SMTP service.
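To make the effect of steps 3 through 5 concrete, here is a small model of the relay decision the IIS 5.0 SMTP relay ends up enforcing: mail addressed to the remote domain is accepted and handed to the smart host, mail for any other domain is refused unless the sender is on a relay list or has authenticated (the same rule the Tip of the Month below describes for Exchange). This is an added illustration written for this newsletter page, not code from IIS or from the author; the domain name, the smart-host address (a placeholder) and the relay list are constructed sample values.

```python
"""Model of the relay decision an IIS 5.0 SMTP "remote domain" setup enforces.

Added illustration, not code from the newsletter or from IIS. The domain,
smart-host address and client addresses below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    # Domains this server accepts mail for (the remote domain created in step 4).
    local_domains: set
    # Smart host the remote domain forwards to, in IIS's "[address]" form (step 5).
    smart_host: str
    # Client addresses allowed to relay to other domains ("Only the list below").
    relay_hosts: set = field(default_factory=set)
    # Whether authenticated clients may relay ("Allow all computers that authenticate").
    relay_if_authenticated: bool = True


def parse_smart_host(value):
    """IIS expects a literal IP smart host wrapped in square brackets, e.g. "[192.0.2.10]".
    An unbracketed value would instead be treated as a host name to resolve."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]") and len(value) > 2:
        return value[1:-1]
    raise ValueError("smart host must be written as [ip.address]: %r" % value)


def route_recipient(policy, rcpt, client_ip, authenticated=False):
    """Decide what happens to one RCPT TO address.

    Returns ("forward", smart_host_ip) for a local domain,
    ("relay", domain) when relaying is permitted for this client,
    or ("reject", smtp_reply_line) otherwise."""
    try:
        _, domain = rcpt.rsplit("@", 1)
    except ValueError:
        return ("reject", "501 5.1.3 Bad recipient address syntax")
    domain = domain.lower().strip()
    if domain in policy.local_domains:
        # Mail for our own domain: accepted and handed to the internal mail server.
        return ("forward", parse_smart_host(policy.smart_host))
    if client_ip in policy.relay_hosts or (authenticated and policy.relay_if_authenticated):
        return ("relay", domain)
    # Everything else is refused, which is what keeps the server from being an open relay.
    return ("reject", "550 5.7.1 Unable to relay for %s" % rcpt)


def simulate_session(policy, client_ip, recipients, authenticated=False):
    """Run the RCPT TO phase of one session; return the reply line for each recipient."""
    replies = []
    for rcpt in recipients:
        action, detail = route_recipient(policy, rcpt, client_ip, authenticated)
        if action == "reject":
            replies.append(detail)
        else:
            replies.append("250 2.1.5 Recipient OK (%s via %s)" % (action, detail))
    return replies


# Constructed sample configuration mirroring section 4: accept isaserver.org only,
# forward to a placeholder internal mail server address, no relay list.
SAMPLE_POLICY = RelayPolicy(local_domains={"isaserver.org"}, smart_host="[192.0.2.10]")

if __name__ == "__main__":
    # An outside mail server delivering to our domain, then trying to use us as a relay.
    for line in simulate_session(SAMPLE_POLICY, "203.0.113.5",
                                 ["tshinder@isaserver.org", "someone@example.net"]):
        print(line)
```

The first recipient is forwarded to the smart host; the second gets a 550 reply because example.net is neither a local domain nor a permitted relay destination for an unauthenticated outside host. Note that the Exchange case in the tip below works the same way: without a recipient policy naming your domain, your own domain is not "local" in this sense and mail for it is refused as relay.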


-----------------------------------------
4A. Configure Permissions with the SMTPCred.exe Tool
-----------------------------------------
The Message Screener must be configured with an account that has
permissions to access the ISA Server. An Enterprise Administrator has the
appropriate permissions. You should also be able to use the Local
Administrator account.

1. Search the CD-ROM for the file SMTPCred.exe. Copy that file to your
hard disk, and then double-click it.

2. Enter the name of the ISA Server. You can leave the default time
period that the remote server uses to retrieve settings. Enter a
username/domain and password that has administrator access to the ISA
Server. The SMTP server will use these credentials to communicate with
the ISA Server. Click OK.

-----------------------------------------
4B. Configuring DCOM Permissions
-----------------------------------------
The SMTP Message Screener communicates with the SMTP Application Filter
on the ISA Server using DCOM. You will have to use the Dcomcnfg.exe tool
to configure the proper permissions on the ISA Server.

1. Click Start, click Run and type dcomcnfg.exe in the Open text box,
and then click OK.

2. Click the Applications tab, click the VendorData class entry, and
then click the Properties button.

3. On the VendorData Class Properties page click on the Security tab. Select
the Use custom access permissions option. In addition, select the Use
custom launch permissions option button. Finally, select the Use custom
configuration permissions option.

4. For each of these options, click the Edit button. You will see the
Registry Value Permissions dialog box. For each of the three permission
sets, add the Everyone group by clicking Add and then selecting the
Everyone group. Click OK, then click OK again.

5. Restart both the ISA Server and the IIS 5.0 SMTP Server. I suggest
restarting the ISA Server first.

-----------------------------------------
5. Summary
-----------------------------------------
The SMTP Message Screener is relatively simple to set up when you use the
configuration covered in this article. If you wish to set up other
configurations, you may have more complications and issues that need to
be attended to, but they are possible. Just keep in mind that ISA Server
should not be a part of your server consolidation plan.

==================================
**ISAServer.org Learning Zone Articles of Interest**

We have a great group of articles in the Learning Zone that will help
you get a handle on your most difficult configuration issues. Check out
some of these:

DNS for ISA Server
http://www.isaserver.org/pages/tutorials/dns-4-isa.htm

Denying Access to a Specific Webpage(s) Using Site and Content Rules
http://www.isaserver.org/pages/tutorials/denying%20access%20with%20site%20rules.htm

ISA Server SMTP Server Support
http://www.isaserver.org/shinder/tutorials/isaserver_smtpsupport.htm

Common ISA Server Access Policy Issues
http://www.isaserver.org/shinder/tutorials/trouble.htm

ISA Server Remote Management
http://www.isaserver.org/pages/tutorials/isa%20and%20remote%20manage.htm

==================================
==================================
**TIP OF THE MONTH**

This week's ISA Server Tip is courtesy of Dominicon. This ISAServer.org
web boards poster was having troubles with mail relay and Exchange 2000:


"I have been reading the posts here and many of you have problems with
email and ISA.

Well, after much screaming and having to be held back from smashing a
server or two, I have most of my problems solved. (See earlier message
about the SMTP filter for my remaining irritation.)

IF you configure your ISA server per the guides by Tom and Curt, you
*should* not have any problems from it. However, Exchange is a bear.

Here is how I have my virtual servers configured to allow my internal
and external users to send and receive, as well as we can get mail from
other people too!

Open the properties for your vs, and click Access, Authentication. I
have all of these checked. YOU NEED ANONYMOUS TO RECEIVE MAIL FROM
EXTERNAL MAIL SERVERS! If you turn it off, the external server cannot
access your server (no account to use), and you get no mail. Click OK to
get out.

Then go to the Relay button. Relaying is how spammers send 10,000,000
emails selling viagra to Bob Dole from your domain. Not a happy thing.

I've selected "Only the list below" and leave the list blank. This way
no one can relay through your system. (If you have other Non-Exchange
servers that need to relay, you will need to add them here.) Also check
"Allow all computers that authenticate" (Paraphrased). This allows your
users to relay as long as they send user/pass when sending mail. This is
an option in Outlook/Express, but in Netscape you have to enter it for
all outgoing messages. Keep in mind that if you are using the SMTP
filter, your authentication will never get through.

Ok, now you have allowed your legitimate users to relay, and allowed
other servers to send you mail, but you still are not getting external
mail. You MUST set up a recipient policy on the Exchange server (System
Manager/Recipients/Recipient Policies) With one domain on the server you
can modify the default and go on, but with multiple domains you must
create additional policies.

Double click the default (or create a new) and click on "Email Addresses
(Policy)" and make sure that the SMTP box is checked and the address
reflects your local domain. That's it.

Why is this a mandatory step? Exchange by default considers all mail
domains as needing to be relayed unless they are in policy and therefore
local. Remember earlier where we set up the relay and access? We have
allowed external servers access (anonymous access) but disallowed
relaying. The result is that all incoming mail is dropped if it is not
local, since it cannot be relayed. Set up the policy, and Exchange
doesn't need to relay, just drop it in the mailbox of the user.

See the following Q articles for info. Mind you, not one of these gives
you the reasons I did above (so you can imagine how sparse they are :>
), but you can piece it together.

Q249299
Q289553
Q274638
Q268838
Q260973
Q255168"

==================================
**MAILING LIST POST OF THE MONTH**

David Dellano was having a heck of a time with the ISA Services failing
to start after enabling VPN services on the ISA Server. It turns out
there was a problem with Dependencies. Here's what he did to make life
worth living again:

"Wooooyooooo it worked!!!!!!! I'm back on the road again.....


Event ID: 14192 after installing 'Allowing VPN for clients'

Work-around - 'Add Microsoft ISA Server Control service before Routing
and Remote Access services'

Regedt32

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess

WARNING: Using Registry Editor incorrectly can cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk.

To create a new dependency, select the subkey representing the service
you want to delay, click Edit, and then click Add Value. Create a new value
name "DependOnService" (without the quotation marks) with a data type of
REG_MULTI_SZ, and then click OK. When the Data dialog box appears, type
the name or names of the services that you prefer to start before this
service with one entry for each line, and then click OK.

To add the Microsoft ISA Server Control to this list, double-click the
DependOnService value. In the Multi-String Editor, add the entry
"isactrl" (without quotation marks) above RpcSS, and then click OK."
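The reason David's fix works is that the Service Control Manager starts a service only after every entry in its DependOnService list is running, so listing isactrl under RemoteAccess forces the ISA control service up first. The following model of that ordering is an added example written for this page, not code from the mailing-list post or from Windows: it edits a DependOnService list the way the post describes and then computes a start order that respects every dependency, refusing a dependency cycle. The service names come from the post; the dependency lists are constructed sample data, not a registry export.

```python
"""Service start ordering from DependOnService lists.

Added illustration, not code from the mailing-list post or from Windows. The
dependency lists below are constructed sample data, not a registry export.
"""


def add_dependency(depend_on, new_service, before="RpcSS"):
    """Return a new DependOnService list with new_service inserted above `before`
    (at the front if `before` is absent). Idempotent: an existing entry is kept."""
    names = [s.lower() for s in depend_on]
    if new_service.lower() in names:
        return list(depend_on)
    try:
        idx = names.index(before.lower())
    except ValueError:
        idx = 0
    return depend_on[:idx] + [new_service] + depend_on[idx:]


def start_order(services):
    """Topologically sort {service: [dependencies]} so that every service appears
    after the services it depends on (service names compare case-insensitively,
    as they do in the registry). Raises ValueError on a dependency cycle, which
    is the misconfiguration that would leave both services unable to start."""
    lookup = {name.lower(): (name, deps) for name, deps in services.items()}
    order, state = [], {}  # state: 1 = being visited, 2 = finished

    def visit(name, path):
        key = name.lower()
        canonical, deps = lookup.get(key, (name, []))  # unknown services are leaves
        if state.get(key) == 2:
            return
        if state.get(key) == 1:
            raise ValueError("dependency cycle: %s -> %s" % (" -> ".join(path), name))
        state[key] = 1
        for dep in deps:
            visit(dep, path + [canonical])
        state[key] = 2
        order.append(canonical)

    for name in services:
        visit(name, [])
    return order


def starts_before(order, first, second):
    """True if `first` is started before `second` in the computed order."""
    names = [s.lower() for s in order]
    return names.index(first.lower()) < names.index(second.lower())


# Constructed sample: before the fix, RemoteAccess depends only on RpcSS, so
# nothing guarantees that isactrl is running when Routing and Remote Access starts.
BEFORE = {
    "RemoteAccess": ["RpcSS"],
    "isactrl": ["RpcSS"],
    "RpcSS": [],
}
# After the fix, RemoteAccess's DependOnService value lists isactrl above RpcSS.
AFTER = dict(BEFORE, RemoteAccess=add_dependency(BEFORE["RemoteAccess"], "isactrl"))

if __name__ == "__main__":
    print("DependOnService after edit:", AFTER["RemoteAccess"])
    print("start order after edit:", start_order(AFTER))
```

The edited list reads ["isactrl", "RpcSS"], and the computed order always places isactrl ahead of RemoteAccess. Before the edit the two services are independent, and the order between them is whatever the SCM happens to choose, which is exactly the race the Event ID 14192 symptom reflects.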

==================================
**WEB BOARDS POST OF THE MONTH**

This month's Web Boards Post of the Month goes to John Munyan. John
answers the often-asked question "How do I get AudioGalaxy to work?":

"Disable FTP application filter.
Ensure SOCKS application filter is active.
Create new protocol rule

Primary port 21 in

Secondary port 1117 through 5190 in
Secondary port 41000 through 51000 in"

==================================
**ISA Server Link of the Week**

The ISA Server Link of the Week is Practically Networked's list of
Application Ports. This page should give you a leg up on configuring
your Protocol Definitions.
http://www.practicallynetworked.com/sharing/app_port_list.htm

==================================

**Ask Dr. Tom**

This question comes from Cam Braidwood:

"I have a problem with Destination sets. When publishing a web site
based on an internal LAN via the ISA server I set up a destination set
and a web publishing rule. I then make a connection to the ISA server
via a DNS lookup to one of the listeners defined on the ISA server. But
I am unsure what the destination set should include.

Is it the real DNS / host header name of the destination you require to
reach (i.e., www.mydomain.com) or the internal network name of the actual
server I wish to hit (i.e., dev.internaldomain.com)?

The first makes sense, as then you define the bridge /
translation from the ISA server to the internal server and let it know
to pass the host header across as well. However, I get:

10061 - Connection refused
Internet Security and Acceleration Server

I am getting to the ISA Server, but it's not making the translation. Any
help appreciated."


Answer:
Good question. You are correct that the Destination Set should be
configured for the FQDN that the external user uses when accessing the
site. Possible reasons for why you are getting a 10061 error:

1. The Incoming Web Requests listener is not configured properly
2. The dreaded IIS WWW server hasn't been disabled on the ISA Server
3. A Server Publishing Rule is using Port 80 on the same IP address as
your Incoming Web Requests listener
4. There's a typo in your Destination Set

All of these are common problems, although typos in the Destination Sets
are the most common. Good luck and I'm sure you'll be able to get it
working!
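To show why the Destination Set has to carry the external FQDN rather than the internal server name, here is a model of how the Incoming Web Requests listener picks a Web Publishing Rule from the Host header and bridges the request to the internal server. It is an added example written for this page, not ISA Server code or Dr. Tom's; the rule table, host names and the lint check are constructed, and it does not claim which error code ISA returns for an unmatched request.

```python
"""Model of Destination Set matching for Web Publishing Rules.

Added illustration, not ISA Server code. Host names and rules are constructed
sample values reusing the names from the question above.
"""
from dataclasses import dataclass


@dataclass
class PublishingRule:
    name: str
    destination_set: tuple        # external FQDNs (Host header values) the rule covers
    internal_server: str          # where matched requests are bridged
    send_original_host_header: bool = True


def normalise_host(host_header):
    """Host header as the listener sees it: drop any :port, whitespace and case."""
    return host_header.split(":", 1)[0].strip().lower()


def match_rule(host_header, rules):
    """First rule whose Destination Set contains the request's host, else None."""
    host = normalise_host(host_header)
    for rule in rules:
        if host in {d.lower() for d in rule.destination_set}:
            return rule
    return None


def bridge_request(host_header, rules):
    """Decide where a request arriving at the listener goes."""
    rule = match_rule(host_header, rules)
    if rule is None:
        return {"status": "refused", "reason": "no rule matches host %r" % host_header}
    # With "send the original host header" the internal server sees what the
    # client sent; otherwise it sees its own name.
    forwarded = host_header if rule.send_original_host_header else rule.internal_server
    return {"status": "bridged", "rule": rule.name,
            "to": rule.internal_server, "host_header": forwarded}


def lint_destination_sets(rules, published_names):
    """Return Destination Set entries that are not among the names you actually
    publish: typos and internal names that clients never send in a Host header."""
    known = {n.lower() for n in published_names}
    return sorted(d for r in rules for d in r.destination_set if d.lower() not in known)


# Constructed sample rule: the set holds the external name, the bridge target is internal.
RULES = [PublishingRule("Publish www", ("www.mydomain.com",), "dev.internaldomain.com")]

if __name__ == "__main__":
    print(bridge_request("www.mydomain.com", RULES))
    print(bridge_request("dev.internaldomain.com", RULES))
    print(lint_destination_sets(
        [PublishingRule("Typo", ("ww.mydomain.com",), "dev.internaldomain.com")],
        {"www.mydomain.com"}))
```

A request with Host: www.mydomain.com is bridged to dev.internaldomain.com, while putting the internal name in the set matches nothing because no external client sends that name. The lint function is the quick check for the "typo in the Destination Set" case: feed it the names you publish and it lists every entry that cannot match.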

==================================
**ISA Server Heroes of the Week -- World Trade Center Rescuers**

This month's ISA Server Heroes of the Month are the Firefighters and
Police Officers that died trying to save people at the World Trade
Center and the groups of people that have helped search for survivors
after the buildings fell to the ground. My brother was lucky and was able to
get out with his life. Over 5000 others were not so fortunate.

Next month we'll continue with our traditional approach to naming ISA
Heroes and Heroines!

==================================

Copyright(c) isaserver.org October 2001
All Rights Reserved
Disclaimer:
We are not responsible for anything good or bad that might happen to
your systems based on the advice given herein. You must test and retest
the configuration options suggested in this newsletter and validate and
confirm for yourself that they work as you intend.