Filtering email on ISA
From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 06/25/04
- In reply to: Hebba: "Filtering email on ISA"
Date: Fri, 25 Jun 2004 09:20:30 -0700
NOTE: Unless you choose to create a new IIS SMTP Virtual
Server, ordinarily you will want to Server Publish
directly to the Exchange SMTP, and although Exchange uses
IIS SMTP Services you should be configuring the SMTP
properties <only> through Exchange, <not> through IIS.
These instructions are to Server Publish Exchange directly
and not through an intermediate IIS SMTP Server (can
follow up with that if that is really what you're trying
to do, but is rarely discussed).
What version of Windows are you using?
If Win2K, then your use of MetaEdit2.2 is correct.
If Win2K3, then MetaEdit2.2 probably won't do anything
effective. I've found documentation for SMTP socket
pooling on Win2K, but SMTP Socket Pooling seems not to be
an issue on Win2K3, at least if you configure following my
instructions.
Follow this:

Install Featurepack1 for the enhanced message screener
features.

Configure Exchange's Virtual SMTP Server for the LAN IP
address only and clear any addresses out of the IP
addresses permitted to relay, while checking the box which
permits any authenticated user to relay. In particular, be
certain that 127.0.0.1 is not listed.

There should not be any PF created for SMTP.

Configure a Server Publishing rule for the SMTP Server
protocol forwarding from your WAN address to your LAN
address. Note that the LAN address must match the address
of your Exchange Virtual SMTP Server.

Start the SMTP application filter if it isn't already
started. Configure accordingly.

Stop/Restart the ISA services after creating your rule.

This will support all Exchange Clients who send/receive
through Exchange. If you support LAN IMAP or POP clients
you may have to add a private address range for those
clients.

HTH,
Tony Su

>-----Original Message-----
>I performed the following steps. However, keywords that I
>added to the SMTP application filter still go through.
>
>
>Enabling SMTP Filter on ISA using Message Screener:
>
>
>
>Our ISA server is called NHL. On this server the following
>is installed:
>
> a.. ISA + Message screener
> b.. IIS + SMTP
>
>
>Our application server is called APPS. On this server the
>following is installed:
>
> a.. Message screener only
> b.. IIS + SMTP
> c.. Exchange server
>
>
>Details of Configuration:
>
> 1.. NHL (ISA server):
> 1.. Install IIS
> 2.. Install ISA in full which includes Message Screener
>
>----------------------------------------------------------
>Problem encountered and solved:
>(If SMTP service fails to start: IIS MetaEdit 2.2 Utility
>| LM and SmtpSvc | Right-click SmtpSvc, click New, and then
>click DWORD. In the Id list, click DisableSocketPooling.
>The field to the right should now read 1029. If
>DisableSocketPooling is not in the list, click (Other),
>and then type 1029 in the box. In the Data
>field, type 1. Click to select the Inherit attribute.
>Restart the Simple Mail Transport Protocol (SMTP) service).
>End of Problem
>----------------------------------------------------------
>
> 3.. Enable SMTP application filter in ISA | Extensions
>| Application filters (added a keyword: "bom")
> 4.. Start | Run: dcomcnfg.exe (because SMTP message
>screener and ISA communicate through DCOM: Applications
>tab | VendorData class properties | Security tab |Use
>custom launch permissions | Edit | Add | Everyone | Type of
>Access: allow launch | Use custom access permissions |
>Edit | Add | Everyone | Type of Access: allow access |
>Use custom configuration permissions | Edit | Add
>| Everyone | Type of Access: Full Control
>
>
>
> 1.. APPS (Application server):
> 1.. TCP/IP properties | Default Gateway = ISA IP
>address
> 2.. Install IIS in full which includes SMTP
> 3.. Install Exchange Server: CDROM\setup\i386
>\setup.exe /forestprep, CDROM\setup\i386
>\setup.exe /domainprep, CDROM\setup\i386\setup.exe
>
> 4.. IIS:
>- Configure SMTP to use the internal IP address only,
>- Create remote domain to accept mail from
>*.internal_domain
>- Configure remote domain to relay to Exchange server
>- select forward all mail to smart host: [IP_of_APPS
>(ExchangeServer)]
>- select allow incoming mail to be relayed to this
>domain
>
>- Configure Exchange server to accept mail from message
>screener SMTP server
>(System Manager | Servers | Protocols | SMTP | Default
>SMTP Virtual server Properties | General tab | Advanced |
>verify only internal IP address is used)
>
> 1.. Install message screener from ISA CD-ROM
> 2.. Run ISACD-ROM\isa\i386\SMTPCred.exe (to set
>authentication credentials to ISA server: I used the
>domain administrator account)
> 3.. Start | Run | dcomcnfg.exe: (because SMTP message
>screener and ISA communicate through DCOM)
>
> 1.. Exchange System Manager | Server | Protocols |
>right-click Default SMTP Virtual Server properties |
>Access tab | Relay | I gave access to my own computer to
>test
>
>
> 1.. NHL (ISA server):
> 1.. Create a server publishing rule using the wizard
>and select SMTP
> 2.. Create a protocol rule to allow DNS queries for
>name resolution
> 3.. Create a new Protocol filter and enable it to
>allow: TCP port 135 as
>this port is used by outlook clients to access exchange
>server
>
>
> 1.. APPS (Application Server)
>----------------------------------------------------------
>Problem encountered and solved:
>If you attempt to start Exchange services that run in the
>Inetinfo.exe tool, you may receive the following error
>message:
>
>Error 1083: The executable program that this service is
>configured to run in
>does not implement the service.
>
>This issue occurs when you start the following services
>from within Exchange
>server:
>
> Simple Mail Transport Protocol (SMTP)
>
> Network News Transport Protocol (NNTP)
>
> Post Office Protocol version 3 (POP3)
>
> Internet Message Access Protocol version 4 (IMAP4)
>
> Microsoft Exchange Routing Engine
>
>CAUSE
>This issue can occur because these services have not been
>configured to run
>in the Inetinfo.exe tool. They have been either configured
>to run in the
>Dllhost.exe tool, or not configured to run in any tool.
>
>RESOLUTION
>1. Start Registry Editor
>(Regedt32.exe).
>
>2. Locate and click the following
>registry key:
>
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\DispatchEntries
>
>3. Click the value for the service
>that you attempted
>to start.
>
>4. On the Edit menu, click Multi
>String, and then add
>the following values:
>
>Ldapsvc
>Smtpsvc
>Nntpsvc
>Imap4svc
>Pop3svc
>Resvc
>
>5. Click OK.
>
>6. Quit Registry Editor.
>
>7. Start Administrative Tools,
>click Services, and
>then restart the Internet Information Service (IIS)
>Administrator service.
>
>STATUS
>Microsoft has confirmed that this is a problem in
>Microsoft Exchange 2000
>Server.
>End of Problem
>----------------------------------------------------------
>
>
>Hebba Hussain Rostom
>Facility Manager
>New Horizons (Jeddah, S.A.)
>E-mail: hebba@newhorizons.com.sa
>
>.
>
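
A way to verify the relay restriction described in the reply above (no relay IP addresses listed, relay for authenticated users only), as an added example that is not part of the original thread: it makes an unauthenticated MAIL FROM / RCPT TO attempt for a foreign domain against your own published SMTP server and reports whether the recipient was accepted. The names `relay_check`, `StubSMTP`, `start_stub` and `demo`, the probe addresses and the stub's replies are constructed for illustration; the stub stands in for the server so the block runs offline.

```python
import smtplib
import socketserver
import threading

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for the published server (not ISA or Exchange)."""
    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            verb = raw[:4].upper()
            # Only the RCPT reply differs between the two configurations.
            reply = {b"RCPT": self.server.rcpt_reply,
                     b"QUIT": b"221 bye"}.get(verb, b"250 ok")
            self.wfile.write(reply + b"\r\n")
            if verb == b"QUIT":
                break

def start_stub(rcpt_reply):
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTP)
    srv.daemon_threads = True
    srv.rcpt_reply = rcpt_reply
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def relay_check(host, port=25, sender="probe@outside.example",
                rcpt="probe@elsewhere.example"):
    """Unauthenticated MAIL FROM / RCPT TO for a foreign domain.
    Returns (relay_accepted, reply_code). No DATA is ever sent."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=10) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(sender)
        if code != 250:
            return False, code
        code, _ = s.rcpt(rcpt)
        s.rset()  # abandon the transaction before any message is queued
        return code in (250, 251), code

def demo():
    results = {}
    for name, reply in (("locked_down", b"550 5.7.1 Unable to relay"),
                        ("open_relay", b"250 ok")):
        srv = start_stub(reply)
        try:
            results[name] = relay_check("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Run `relay_check` from a host outside the LAN against the WAN address used in the Server Publishing rule; a correctly restricted server rejects the recipient with a 5xx code.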