SMTP relay in DMZ on Tri-homed ISA server

SMTP relay in DMZ on Tri-homed ISA server - 17.Apr.2003 9:28:00 PM   
wim

 

Dear all,

I've a question:

Background:
We are running ISA in a tri-homed configuration. In the DMZ we have a Windows 2000 SMTP relay server and a DNS server hosting external zones. On the Internal network we have a Bridgehead running E2K with an SMTP connector. The bridgehead has an internal router configured as gw. This gw can route packets for the DMZ to the ISA server. We don't want the bridgehead to do DNS queries, we want the SMTP relay to handle this.

What we want:
1) We want the SMTP relay server to accept email for specific domains and forward these messages to the internal bridgehead (smart host for these domains).

2) We want the SMTP relay to accept messages from the internal server to be relayed to the Internet (using external DNS in the DMZ).

3) We want the Internal E2K server to send all Internet mail to the SMTP relay in the DMZ (by using the relay as a smart host).

Question:
HOW CAN WE DO THIS???? I've read the books of Tom. In the Beyond book a tri-homed scenario is described, but not exactly like we would like it to work. The book only talks about Internet mail being relayed through an SMTP relay server to an internal server, but not the other way around.

When we create the packet filter (custom, both directions) to enable mail to route through the ISA server to and from the SMTP relay, this works fine.

When we then publish the internal server (initially we tried directly to the DMZ interface, which is scenario 2 in the book so we don't need the second packet filter), mail flows to the internal server, but not to the Internet anymore! I have the feeling that it has something to do with the fact that the port 25 is already used by the publishing rule and therefore when mail is sent to the Internet, it is picked up by the publishing rule and is not routed to the Internet host.

Also, how can we make sure that when the internal host sends a mail, this mail is routed to the SMTP relay? My feeling is that the mail arrives at the ISA server and then ISA needs to be able to resolve the address using external DNS. This way the mail is NOT routed to the relay in the DMZ.

Can we also use Packet filters between the internal and DMZ interface to route this traffic??

Can anyone please help us! We are pretty desperate at the moment!

Thanks a million,

Wim.
Post #: 1
RE: SMTP relay in DMZ on Tri-homed ISA server - 17.Apr.2003 11:35:00 PM   
spouseele

 

Hi Wim,

as far as I understand your configuration, it should work.

You need:

1) a packet filter for the inbound smtp traffic to the DMZ relay server.

2) a server publishing rule for the internal smtp server on the DMZ interface. This allows the DMZ relay server to forward the received mail from external to the internal smtp server.

3) a protocol and site&content rule to allow access from the internal smtp server to the DMZ relay server.

4) a packet filter for the outbound smtp traffic from the DMZ relay server.

First test the whole connectivity with the command "telnet destination 25" and check out the ISA log files. Once that's working, make sure the smtp forwarding and MX DNS record resolving is properly configured on the DMZ relay server.

BTW --- If something isn't working as expected, you should consult the ISA logfiles. They are your primary resource for debugging. To get the most information out of the logfiles, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.

HTH,
Stefaan

(in reply to wim)
Post #: 2
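
The "telnet destination 25" connectivity test from the reply above, scripted as an added example that is not part of the original posts. Run it on the source host of each leg (external host, DMZ relay, internal bridgehead) with that leg's destination as argument; `probe` and `classify_reply` are names chosen here, and the addresses in the comments are constructed placeholders.

```python
import socket
import sys

def classify_reply(data: bytes) -> str:
    """Turn the first line an SMTP listener sends into a verdict."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.startswith("220"):
        return "ok: " + line                 # normal SMTP greeting
    if line[:3].isdigit() and line[:1] in ("4", "5"):
        return "smtp-refused: " + line       # server answered but rejects us
    return "no-smtp-banner: " + repr(line)   # port 25 answers with something else

def probe(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Same check as 'telnet host 25', with the failure mode spelled out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                # TCP handshake completed, but no SMTP server spoke behind it
                return "connected-no-banner"
            if not data:
                return "closed-before-banner"
            verdict = classify_reply(data)
            try:
                s.sendall(b"QUIT\r\n")       # end the session politely
            except OSError:
                pass
            return verdict
    except ConnectionRefusedError:
        return "tcp-refused"                 # reached a host, nothing listening
    except socket.timeout:
        return "tcp-timeout"                 # packets dropped on the way
    except OSError as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    # Example (constructed addresses): on the internal bridgehead,
    #   python probe25.py 192.0.2.10      <- DMZ relay
    # on the DMZ relay,
    #   python probe25.py 198.51.100.1    <- published internal server
    for target in sys.argv[1:]:
        print(target, "->", probe(target))
```

Compare each verdict with the ISA log entry for the same connection attempt to see which rule or filter handled it.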
RE: SMTP relay in DMZ on Tri-homed ISA server - 18.Apr.2003 9:03:00 AM   
wim

 

Thanks, we will have a closer look at the log files.

Wim.

(in reply to wim)
Post #: 3
RE: SMTP relay in DMZ on Tri-homed ISA server - 18.Apr.2003 8:31:00 PM   
spouseele

 

Hi Wim,

Good! If you need any further assistance, post a follow-up and we will help as much as we can.

Thanks,
Stefaan

(in reply to wim)
Post #: 4
