Welcome to ISAserver.org


DMZ/Mail Routing question...need help

All Forums >> [ISA Server 2004 Firewall] >> DMZ >> DMZ/Mail Routing question...need help
DMZ/Mail Routing question...need help - 14.Oct.2005 4:02:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Hello.

I've been trying to figure out how to set up an access rule that will allow incoming mail that hits my mailgateway, located on a DMZ, to route through my ISA server to my internal mail server.

Here is my setup.

Exterior firewall is a Watchguard. All incoming SMTP requests get forwarded to the mailgateway server on the DMZ. After it is completed, another rule on the Watchguard allows SMTP traffic from the mailgateway server to our internal mailserver.
The IP address of the mailgateway server is 10.0.1.80. The IP Address of the mailserver, is 192.168.100.165.

It was pretty easy to set up a rule on the Watchguard to get the traffic to route correctly. But I'm stuck on how to get this working correctly with ISA.

On my Watchguard firewall, I have 3 interfaces:
WAN, LAN and DMZ.

The LAN interface plugs directly into my EXTERNAL interface for ISA. The DMZ interface plugs directly into the mailgateway server.

Essentially, I need to figure out how to set up a rule that will allow the e-mail traffic that first hits the mailgateway server (IP address of 10.0.1.80) to then route to the internal mail server (192.168.100.165).

ISA Server IP setup:
EXTERNAL NIC: 192.168.1.2
INTERNAL NIC: 192.168.100.1

Anyone have ideas? I'm blanking here and need help.

Thanks,

Jason
Post #: 1
RE: DMZ/Mail Routing question...need help - 14.Oct.2005 10:31:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
If anyone has any idea on this, I could REALLY USE SOME help here.

Let me try to give better info:

Watchguard firewall: Two subnets:
192.168.1.0/24 TRUSTED
10.0.1.80/24 OPTIONAL/DMZ

The ISA External NIC is plugged into the TRUSTED interface. ISA External NIC has 192.168.1.2 IP Address

The ISA INTERNAL NIC is plugged into a switch just behind it: IP Address 192.168.100.1

So, traffic flows:

internet--watchguard(192.168.1.1)-->switch--ISAExternal NIC (192.168.1.2)-->Switch-->ISA Internal NIC 192.168.100.1

Now, here is where it gets funky.

On the Optional DMZ, I have the mailgateway with an IP address of 10.0.1.80. Our internal mail server has an IP address of 192.168.100.165 (trusted subnet is 192.168.100.0/24).

Now, I set up a rule on the Watchguard firewall to pass all inbound SMTP traffic to the mailgateway. After the email gets scrubbed and cleaned, I then set up a rule that would pass traffic from the mailgateway (10.0.1.80) to the external interface of the ISA Server (192.168.1.2).

Now, I just need to figure out how to get the routes/traffic/networks set up right so the traffic can get from there to the internal mail server.

Anyone have any idea? I could REALLY use the help.

Jason

(in reply to thecoffeeguy)
Post #: 2
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 1:20:00 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Everything sounds cool so far...

quote:
Now, I just need to figure out how to get the routes/traffic/networks set up right so the traffic can get from there to the internal mail server.
Just to make sure we're on the same page, forgive the ISA 101 stuff...

By default, ISA sets up a Network Rule for Internal to External to NAT. This means that, as far as ISA is concerned, anyone inside attempting to go out gets represented by ISA's IP, but for externally initiated traffic, internal machines can only be accessed if ISA NATs inbound to a server.

If this is still set (look under the Networks\Network Rules tab), then the only way the 10.0.1.80 DMZ mail server can access the internal mail server is through an ISA Server Publishing Rule (in other words, a NAT statement) - did you already create this? Have ISA listen on its "External" Network and provide the 192.168.100.165 as the server to publish.

From the way you described it, it doesn't sound like you want to route from the 10.0.1.80 mail server to 192.168.100.165 - if you do, then you'll need to change the ISA Network Rule for Internal to External to route. You would then create a regular Access Rule to allow SMTP. This is the great example of when you use Access Rules vice Server Publishing rules - whether or not the Network Rule states to Route or NAT respectively.

[ October 15, 2005, 01:24 AM: Message edited by: ClintD ]

(in reply to thecoffeeguy)
Post #: 3
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 12:01:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:
Originally posted by ClintD:
Everything sounds cool so far...

Just to make sure we're on the same page, forgive the ISA 101 stuff...

By default, ISA sets up a Network Rule for Internal to External to NAT. This means that, as far as ISA is concerned, anyone inside attempting to go out gets represented by ISA's IP, but for externally initiated traffic, internal machines can only be accessed if ISA NATs inbound to a server.

If this is still set (look under the Networks\Network Rules tab), then the only way the 10.0.1.80 DMZ mail server can access the internal mail server is through an ISA Server Publishing Rule (in other words, a NAT statement) - did you already create this? Have ISA listen on its "External" Network and provide the 192.168.100.165 as the server to publish.

I haven't created or published a server because the mailserver itself is really just a simple POP server set up on *BSD (which is going to be replaced with Exchange in the next two weeks).

Through publishing, can I make it so ONLY the 10.0.1.80 server can access the 192.168.100.165 server through SMTP? The reason I ask is the mailgateway server's (10.0.1.80) sole purpose is to scrub viruses and spam from e-mails, then pass it on to our email server (192.168.1.165). I don't want the internet to access 192.168.1.165 directly.

quote:

From the way you described it, it doesn't sound like you want to route from the 10.0.1.80 mail server to 192.168.100.165 - if you do, then you'll need to change the ISA Network Rule for Internal to External to route. You would then create a regular Access Rule to allow SMTP. This is the great example of when you use Access Rules vice Server Publishing rules - whether or not the Network Rule states to Route or NAT respectively.

Preferred situation is all incoming mail gets scrubbed on the mailgateway (10.0.1.80). Once it gets cleaned, it then gets sent to our internal mail server (192.168.100.165) for delivery. Keeps things pretty nice and clean.

If I have to change the INTERNAL to EXTERNAL rule to route, am I changing the entire rule for everyone? So essentially NAT goes away? I'm a little confused here.

One other thing I'd like to ask, that is bugging me. Since the ISA server is not directly attached to the DMZ port on the Watchguard firewall (10.0.1.0/24), I get a little concerned on how the routing will work properly. I guess I want to know, how does ISA know where to route SMTP traffic from 192.168.100.165 when destined to 10.0.1.80? (The rule I'm trying to set up goes both ways, for incoming and outgoing mail.)

Thanks ClintD. I can't thank you enough for your help.

Jason

(in reply to thecoffeeguy)
Post #: 4
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 1:06:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
Through publishing, can I make it so ONLY the 10.0.1.80 server can access the 192.168.100.165 server through SMTP? The reason I ask is the mailgateway server's (10.0.1.80) sole purpose is to scrub viruses and spam from e-mails, then pass it on to our email server (192.168.1.165). I don't want the internet to access 192.168.1.165 directly.
Sure thing - after you create the ServPubRule, go back into it and on the From tab, remove the "Anywhere" entry and create a Computer object for 10.0.1.80 and have that added.

quote:
If I have to change the INTERNAL to EXTERNAL rule to route, am I changing the entire rule for everyone? So essentially NAT goes away? I'm a little confused here.
Yes - you're right - better to keep it set to NAT and use the ServPubRule for the 10.0.1.80 to 192.168.1.165 server.

quote:
I get a little concerned on how the routing will work properly. I guess, I want to know, how does ISA know where to route SMTP traffic from 192.168.100.165 when destined to 10.0.1.80?
Good point - will the 192.168.100.165 mail server use a Smart Host for delivery (and use 10.0.1.80 for the Smart Host) or will it use DNS to resolve and deliver the messages? If Smart Host then that's easy enough, but for DNS based delivery, ISA can't intercept and deliver it to the 10.0.1.80 server.

(in reply to thecoffeeguy)
Post #: 5
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 4:17:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:
Originally posted by ClintD:
quote:
Through publishing, can I make it so ONLY the 10.0.1.80 server can access the 192.168.100.165 server through SMTP? The reason I ask is the mailgateway server's (10.0.1.80) sole purpose is to scrub viruses and spam from e-mails, then pass it on to our email server (192.168.1.165). I don't want the internet to access 192.168.1.165 directly.
Sure thing - after you create the ServPubRule, go back into it and on the From tab, remove the "Anywhere" entry and create a Computer object for 10.0.1.80 and have that added.

quote:
If I have to change the INTERNAL to EXTERNAL rule to route, am I changing the entire rule for everyone? So essentially NAT goes away? I'm a little confused here.
Yes - you're right - better to keep it set to NAT and use the ServPubRule for the 10.0.1.80 to 192.168.1.165 server.

quote:
I get a little concerned on how the routing will work properly. I guess, I want to know, how does ISA know where to route SMTP traffic from 192.168.100.165 when destined to 10.0.1.80?
Good point - will the 192.168.100.165 mail server use a Smart Host for delivery (and use 10.0.1.80 for the Smart Host) or will it use DNS to resolve and deliver the messages? If Smart Host then that's easy enough, but for DNS based delivery, ISA can't intercept and deliver it to the 10.0.1.80 server.

I'll give this a go.

As far as the last portion is concerned, I guess I will use a 'smarthost' for both mail servers (the mail gateway itself and the mailserver...both are running sendmail and as long as I specify the correct IP address, I should be ok.)

Two things:

1.) on the mailgateway server itself, for the smarthost (and for the watchguard firewall that will pass the traffic from the gateway to the ISA box), should I specify the EXTERNAL IP address of the ISA box (192.168.1.2), instead of the actual IP address? Makes more sense to use external, right?

2.) I was thinking of making this rule go in reverse as well. Meaning, having all traffic leaving the actual mailserver itself, actually go through the mailgateway. It's nice, but not a necessity. Any reasons I may not need to?

Thanks. I'll keep posting here.

Jason

(in reply to thecoffeeguy)
Post #: 6
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 4:34:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Ok. I've tried a few things here, but still no luck. I can see the mailgateway hitting the EXTERNAL interface of the ISA server, but it is getting denied.

Line looks like:

Destination IP: 192.168.1.2 (EXT IP of ISA NIC)
Destination port: 25
Protocol: SMTP
Action: Denied Connection
Rule: (BLANK)
Client IP: 10.0.1.80 (IP of Mailgateway)
Source Network: DMZ (network I setup on networks)
Destination network: Local Host

I feel like I'm close, but missing something.

I tried publishing the server, but no luck.
Could it be the order of my rules?

The mail is getting routed properly from the mailgateway and Watchguard firewall rules. It just gets denied when it hits the EXTERNAL NIC on the ISA box and doesn't get routed through properly.

Any ideas?

I feel like we are VERY close.

Thanks,

Jason

(in reply to thecoffeeguy)
Post #: 7
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 5:36:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
quote:
Source Network: DMZ (network I setup on networks)
You don't need to create a "Network" for the DMZ - it's External as far as ISA is concerned - this might be the cause of it.

Once you're in the Logging tab, go into the View menu and select Add/Remove Columns and find the "Result Code" field on the left - it should be near the bottom. Add it to the right and bump it near the top of the list - when the Rule is blank, sometimes the Result Code can give you a better idea of what's going on. It might log that it's a Spoofed Packet - if this is happening, delete the DMZ Network you have defined and try it again.

[ October 15, 2005, 05:39 PM: Message edited by: ClintD ]

(in reply to thecoffeeguy)
Post #: 8
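The two ISA behaviours ClintD describes above, a Server Publishing Rule whose From tab is narrowed from "Anywhere" to a Computer object for 10.0.1.80 (posts #3 and #5) and the spoof drop caused by defining a DMZ network that ISA is not actually attached to (post #8), as an added Python model that is not part of the thread or of ISA Server itself. The adapter names, function names and the order of checks are assumptions made for illustration; only the addresses come from the thread.

```python
import ipaddress

# Addresses from the thread
ISA_EXTERNAL_IP = "192.168.1.2"          # the ServPubRule listens here (External network)
INTERNAL_MAIL_SERVER = "192.168.100.165"  # the published server
MAIL_GATEWAY = "10.0.1.80"                # the DMZ mailgateway

# Networks ISA has defined: name -> (address range, adapter it is bound to).
# Anything not covered by a defined network is External (the External NIC).
# Adapter names are assumed for this model.
DEFAULT_NETWORKS = {
    "Internal": (ipaddress.ip_network("192.168.100.0/24"), "internal_nic"),
}

def network_of(ip, networks):
    """Return (network name, adapter) ISA would associate with a source address."""
    addr = ipaddress.ip_address(ip)
    for name, (net, adapter) in networks.items():
        if addr in net:
            return name, adapter
    return "External", "external_nic"

def publish_smtp(src_ip, dst_ip, dst_port, arrived_on, allowed_from, networks):
    """Decide one inbound packet arriving at ISA. Returns (action, detail)."""
    # 1. Spoof check: the source must belong to the network bound to the adapter
    #    the packet came in on. A "DMZ" network defined in ISA but bound to no
    #    ISA adapter makes 10.0.1.80 look spoofed when it arrives on External.
    name, adapter = network_of(src_ip, networks)
    if adapter != arrived_on:
        return "denied", f"spoofed packet: {src_ip} belongs to '{name}' but arrived on {arrived_on}"
    # 2. Listener: the rule listens only on the External address, TCP 25.
    if (dst_ip, dst_port) != (ISA_EXTERNAL_IP, 25):
        return "denied", "no publishing rule listens on that address/port"
    # 3. From tab: either "Anywhere" or an explicit set of Computer objects.
    if allowed_from != "Anywhere" and src_ip not in allowed_from:
        return "denied", f"{src_ip} is not in the rule's From set"
    # 4. Inbound NAT to the published server (the Network Rule stays NAT).
    return "allowed", f"NAT {dst_ip}:{dst_port} -> {INTERNAL_MAIL_SERVER}:25"

def with_dmz_network(networks):
    """Copy of `networks` plus the thread's mistaken DMZ network, bound to no
    ISA adapter because ISA is not attached to 10.0.1.0/24."""
    extended = dict(networks)
    extended["DMZ"] = (ipaddress.ip_network("10.0.1.0/24"), None)
    return extended

if __name__ == "__main__":
    for label, nets in (("no DMZ network", DEFAULT_NETWORKS),
                        ("DMZ network defined", with_dmz_network(DEFAULT_NETWORKS))):
        print(label, publish_smtp(MAIL_GATEWAY, ISA_EXTERNAL_IP, 25,
                                  "external_nic", {MAIL_GATEWAY}, nets))
```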
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 5:38:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
I've been trying a bunch of things, and I think I am VERY VERY close. It's just a matter of getting the ISA Server rules correct as well as the 'smarthost' or mailertable correct on the mailgateway server.

When I PUBLISH my mail server (granted, it's a simple POP server on *BSD) and I try to get some mail sent to it from the mailgateway, it times out. The interesting thing is I don't see any denies in the logging of ISA.

Now, I might have messed up the PUBLISHING rule on the IP Addresses portion. I'm a little fuzzy on what to put there.

The other area I am a little fuzzy on is the 'smarthost' portion of sendmail on the mailgateway. Should I put the actual IP address of the mailserver (192.168.100.165), or should I put the IP address of the EXTERNAL NIC on ISA (192.168.1.2)?

Thanks for the help.

Jason

(in reply to thecoffeeguy)
Post #: 9
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 7:05:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Ok...after some very frustrating times, I think I *might* have figured out something. Let me explain (and I REALLY hope this fixes it).

Incoming mail for my company gets redirected from the external interface on the Watchguard to the mailgateway on the DMZ (10.0.1.80). That specific rule is on the Watchguard.

There is a second watchguard firewall rule that I have to implement. This one will pass the mail that has been scrubbed and cleaned to the internal mail server (192.168.100.165) from the mailgateway (10.0.1.80).

The rule should be a filtered SMTP going from 10.0.1.80 --> 192.168.100.165

Ok, in a previous post, I mentioned that when I publish the server and set the 'smarthost' on the mailgateway sendmail to the IP address of the mailserver (192.168.100.165), I wouldn't get anything, meaning I would not get any denies when I would watch the log on the ISA box. BUT, if I would specify the EXTERNAL NIC on the ISA box (192.168.1.2) in the 'smarthost' on the mailgateway, I would see the deny messages.

Now that I think about it, here is why:

On the filtered SMTP firewall rule on the WATCHGUARD, I had it like this:

10.0.1.80 ---> 192.168.1.2 (which is the external interface of the ISA server)

Correct me if I'm wrong, but SHOULDN'T I set the Watchguard rule to have the mail from the mailgateway specified to the actual IP address of the mailserver (192.168.100.165), since I'm publishing the internal mailserver and I only want to accept connections from the mailgateway (10.0.1.80)?!

Essentially:

10.0.1.80 ---> 192.168.100.165

Then, I just need to make sure when I'm publishing the rule that I get the address portion correct (little fuzzy there). What I mean is, what needs to listen correctly on the ISA interfaces.

Does that make sense? I REALLY hope this is it.

Sound good?

Jason

(in reply to thecoffeeguy)
Post #: 10
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 8:45:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Ahh - the DMZ mail server has to point to ISA's External IP as the Smart Host for Inbound delivery - then ISA, with its ServPubRule, translates that to the internal mail server.

The internal mail server can point to the DMZ server's real IP address for its Smart Host for Outbound Delivery.

I didn't make this clear at all earlier.

(in reply to thecoffeeguy)
Post #: 11
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 9:27:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:
Originally posted by ClintD:
Ahh - the DMZ mail server has to point to ISA's External IP as the Smart Host for Inbound delivery - then ISA, with its ServPubRule, translates that to the internal mail server.

I will give this a shot tomorrow when I'm back in the office.

One last question:

When I am setting up the ServPubRule, my only question is on the "ADDRESSES" section. What specifically should I put?
External?
Internal?
Localhost?

This is the actual interface that ISA will be listening on for the incoming connection?

Thanks

Jason

(in reply to thecoffeeguy)
Post #: 12
RE: DMZ/Mail Routing question...need help - 15.Oct.2005 11:37:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Yes - exactly. It'll listen on External.

(in reply to thecoffeeguy)
Post #: 13
RE: DMZ/Mail Routing question...need help - 16.Oct.2005 8:40:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Got it ClintD!

It worked. Specified the external IP of the ISA box in the smarthost, and boom! Success.

Now I have my mail routing correctly both ways.

I appreciate your help!

Cheers,

Jason

(in reply to thecoffeeguy)
Post #: 14
