
Welcome to ISAserver.org


secure smtp routing

secure smtp routing - 11.Nov.2003 10:43:00 PM   
idsltd

 

Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
Hi.

I have recently purchased the migration pack for SBS2000 so that I now have Backoffice 2000.
I have moved Exchange onto a backend server and the ISA Server is now running on its own server.

For virus + spam checking, we use a 3rd party company, who provide us with a range of IP addresses to allow through the firewall on port 25. When I had the old SBS2000 setup, I simply set up packet filters to allow only those addresses through, worked a treat. No other machine could get onto port 25 via my main internet connection.

But now, with Exchange moving to a back-end server, I am unsure of how to make it secure.
To get it working, it is currently set up like this.

A server publishing rule routes any requests to port 25 through to the internal IP of my Exchange server, and this works great, email is coming in fine.
But how do I tie it down so that only a given set of IP ranges can utilize that port?
I cannot use client address sets as this only does IP ranges, not subnets, which packet filtering does do.
But whatever packet filters I put in to block/deny certain addresses, it just lets everything through via port 25.

Can somebody please offer advice on this.

Regards
Tommy
Post #: 1
RE: secure smtp routing - 11.Nov.2003 11:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tommy,

you have to use a client address set to limit access to the publishing rule.

BTW --- keep in mind that a subnet can perfectly be represented by an IP range! [Big Grin]

HTH,
Stefaan

(in reply to idsltd)
Post #: 2
RE: secure smtp routing - 11.Nov.2003 11:36:00 PM   
idsltd

 

Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
Are you saying I can specify a computer range using the client address sets!?? If so, how!?
Because at the minute, when I enable it, all and sundry have access to port 25 on my server.

Can you elaborate on this a little further?

(in reply to idsltd)
Post #: 3
RE: secure smtp routing - 11.Nov.2003 11:39:00 PM   
idsltd

 

Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
If it's any help, here is 1 of the ranges that I could use! How do I enter this in a client address set?

Range of computers is as follows
subnet - 193.109.254.160
mask - 255.255.255.240

Does this mean anything to you? IP subnetting etc. isn't exactly my forte [Confused]

(in reply to idsltd)
Post #: 4
RE: secure smtp routing - 11.Nov.2003 11:54:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tommy,

the subnet '193.109.254.160/28' equals the IP range '193.109.254.160 - 193.109.254.175'. So, in the client address set use '193.109.254.160' in the From field and '193.109.254.175' in the To field.

BTW --- I suggest you check out http://www.howtosubnet.com/ ! [Wink]

HTH,
Stefaan

(in reply to idsltd)
Post #: 5
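The subnet-to-range conversion from the reply above, as an added example that is not part of the original thread. The function names are hypothetical and the two 192.0.2.x subnets are constructed sample input; only 193.109.254.160 with mask 255.255.255.240 comes from the thread. It also merges adjacent ranges so the client address set needs fewer From/To entries.

```python
import ipaddress

def subnet_to_range(subnet, mask):
    """Return (from_int, to_int) for a subnet address and dotted mask."""
    net = int(ipaddress.IPv4Address(subnet))
    host_bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A valid mask is ones followed by zeros, so its inverse plus one is a power of two.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    # A subnet address with host bits set usually means a typo in the supplied list.
    if net & host_bits:
        raise ValueError(f"{subnet} is not on a {mask} boundary")
    return net, net | host_bits

def address_set_entries(subnets):
    """Convert (subnet, mask) pairs to merged From/To pairs, sorted by address."""
    merged = []
    for lo, hi in sorted(subnet_to_range(s, m) for s, m in subnets):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent ranges
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return [(str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)))
            for lo, hi in merged]

def is_allowed(source_ip, entries):
    """True if source_ip falls inside any From/To entry (both ends inclusive)."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
               for lo, hi in entries)

# Constructed sample list: the thread's subnet plus two adjacent example subnets.
SAMPLE_SUBNETS = [
    ("193.109.254.160", "255.255.255.240"),  # from the thread
    ("192.0.2.128", "255.255.255.128"),      # constructed
    ("192.0.2.0", "255.255.255.128"),        # constructed
]

if __name__ == "__main__":
    entries = address_set_entries(SAMPLE_SUBNETS)
    for from_ip, to_ip in entries:
        print(f"From: {from_ip:<16} To: {to_ip}")
    print(is_allowed("193.109.254.176", entries))  # one past the end of the /28
```
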
RE: secure smtp routing - 12.Nov.2003 1:34:00 PM   
idsltd

 

Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
Stefaan,

That has worked a treat, thanks.
But 1 more thing.
That rule works all well and good if you have a range of IP addresses to use, but what happens if I want to run a web server/ftp server on the perimeter network via a server publishing rule? Where do I specify the users who are allowed to connect to it?
Can access only be restricted using the different types of authentication for the web site?
Because isn't the port then still open to the world as the firewall will simply route through any requests?

I hope that makes sense.

Cheers
Tommy

(in reply to idsltd)
Post #: 6
RE: secure smtp routing - 12.Nov.2003 8:30:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tommy,

good to hear you have that part already working! [Smile]

You said "That rule works all well and good if you have a range of IP addresses to use, but what happens if I want to run a web server/ftp server on the perimeter network via a server publishing rule?". I'm not sure I understand your question well because you are talking about a perimeter network. Can you make a little network diagram to make things clear?

Thanks,
Stefaan

[ November 12, 2003, 08:51 PM: Message edited by: spouseele ]

(in reply to idsltd)
Post #: 7
RE: secure smtp routing - 13.Nov.2003 10:21:00 AM   
idsltd

 

Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
Sorry Stefaan, maybe my terminology was a little out.
I now have a Windows 2000 Member server, running only ISA Server. My internet connection comes in via this machine. All email requests are routed through to a back-end server via the server publishing rule we've been discussing.

So let's use another example.
I want to publish a terminal server so that my users can work from home. I've created a server publishing rule and set it up to forward onto the correct server that is hosting Terminal Services.
How do I make this secure? Because I can't use client address sets as I don't know which IP my users will be logging on from, it could be anywhere in the world in fact?
Should I be using a Web Publishing Rule in this case?

Hope that makes more sense?

Cheers
Tommy

(in reply to idsltd)
Post #: 8
RE: secure smtp routing - 13.Nov.2003 9:05:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tommy,

in general it is quite useless to implement source IP address checking in publishing rules. The reason for it is that IP addresses are easily faked or spoofed. So, they are far from being reliable from an authentication point of view. Therefore, a better strategy is to require some form of user authentication. How that is best implemented depends on the service you want to publish.

In the example of the Terminal Server, you can only use the built-in authentication scheme. Moreover, to protect the login and password in transit, it is highly recommended you enforce high encryption in the RDP properties of the Terminal Service. So, for non-Web based services it is the service you want to publish that determines what is possible.

On the other hand, for Web based services, ISA FP1 has some built-in extensions to enforce strong user authentication at the ISA Web Proxy service level. So, even before the request will hit the published Web server.

It should be clear that enforcing strong user authentication is the key to securely publish internal services.

HTH,
Stefaan

(in reply to idsltd)
Post #: 9
RE: secure smtp routing - 14.Nov.2003 5:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

And there is good news in that you will be able to tunnel encrypted RDP in an SSL tunnel when Windows 2003 SP1 is available.

HTH,
Tom

(in reply to idsltd)
Post #: 10
RE: secure smtp routing - 14.Nov.2003 8:42:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

isn't SmartCard logon also added to W2K3?

Thanks,
Stefaan

(in reply to idsltd)
Post #: 11
RE: secure smtp routing - 16.Nov.2003 5:20:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Yes, I believe it is. I haven't tried it yet but it's worth investigating.

Thanks!
Tom

(in reply to idsltd)
Post #: 12
RE: secure smtp routing - 16.Nov.2003 10:25:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

Great! I love strong user authentication! [Cool]

Thanks,
Stefaan

(in reply to idsltd)
Post #: 13
