Creating the Mail Submission Protocol Definition

The first step is to create a new protocol definition in ISA Server 2006 for the port on which clients will send mail.  As we saw in the previous articles on configuring Windows Live Mail for Exchange 2010 POP3 and publishing POP3 client settings to users the Receive Connector on the Exchange 2010 Client Access server uses TCP port 587.  There is no default protocol definition in ISA Server 2006 for this port.

In the ISA management console go to the Toolbox in the right-hand pane and in the Protocols section click New -> Protocol.

Give the new protocol a meaningful name.

Click the New button to configure the port for the new protocol.

Configure the protocol for TCP, Inbound, on port 587.

Don’t configure any secondary connections.

Click Finish to complete the new protocol definition.

Creating the ISA 2006 Access Rule for Exchange 2010 POP3 Clients

The next step is to create the access rule itself.  There is a mail server publishing wizard that you can use to set up access rules for POP3, IMAP and SMTP but because it doesn’t include the option to set up the correct client mail submission port we’re using in this scenario, which means a little modification is needed at the end.

Start the Mail Server Publishing Rule wizard.

Give the rule a meaningful name.  This name will then be appended automatically by ISA server depending on the protocols you choose in the next steps.

Set the Access Type to Client Access: RPC, IMAP, POP3, SMTP.

Tick the boxes for secure POP3 and standard SMTP (we’ll be changing the SMTP one shortly).

Enter the IP address of the Client Access/Hub Transport server.  Note if these are different servers in your network you would just need to run the wizard twice to create one rule for POP3 to the Client Access server IP, and the other for SMTP to the Hub Transport server IP.

Set the listening network to External.

Click Finish to complete the wizard.

The two newly created rules will be visible in the Firewall Policy.  Double-click the SMTP rule to open it.

On the Traffic tab change the protocol from SMTP to the Client Mail Submission protocol we created earlier.

Click OK to apply the change to the rule.

The final step is to click Apply to commit the changes to the Firewall Policy.

You can now test the firewall rule with an email client outside of the network.

Related posts:

• Exchange Server 2010 POP3: Securing POP3 Client Remote Access
• Exchange Server 2010 POP3: Getting Started
• How to Configure Windows Live Mail for Exchange 2010 POP3
• Exchange 2010 Edge Transport Server: Configuring EdgeSync
• How to Publish Outlook Web App with ISA Server 2006

This article Publishing Exchange 2010 POP3 with ISA Server 2006 is © 2011 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

This week SonicWALL’s license servers suffered a glitch rendering thousands of customer units useless and leaving the customers’ networks open to attack.  The affected devices included firewall and email security appliances.

Security appliances are popular for no good reason at all.  The decision maker in many organisations falls for marketing hype that a “hardware firewall” is better than the alternative, ignoring the obvious fact that the appliance is ultimately no different to any other firewall that consists of a piece of hardware running secure OS and firewall features.

When purchasing a firewall or security product the decision should not be based on perception but rather fact.  I’m sure no SonicWALL customer ever imagined that the company could make an error on their license servers that would comprimise their security in such a manner.  Its worth noting that once your Microsoft ISA Server firewall is up and running it can never become “unlicensed” by an error at Microsoft.

Related posts:

• Tom Shinder on “hardware” firewalls
• Exchange 2010 FAQ: Are Wildcard SSL Certificates Supported?
• Email Fundamentals: What is an Open Relay?
• Exchange SSL Certificate Management Survey
• Exchange 2010: How to Grant Send on Behalf Permissions for a Distribution Group

This article Well-designed security systems fail gracefully, SonicWALL does not is © 2008 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

I was drawn to a particular quote in his article about the relative security of ISA Server to other popular firewalls in the context of the number of reported security vulnerabilities for each product.

A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) have no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall.

There are a lot of firewall appliances out there so I didn’t do an exhaustive search of their stats on Secunia, but I did take a look at the stats for ISA Server, Cisco Pix, and OpenBSD as those are the three firewalls I am most familiar with in my professional life.

ISA Server

Cisco Pix

OpenBSD

I found those numbers to be pretty interesting. It is not unusual to have a customer request that a two-tiered firewall infrastructure be implemented on their environment. Often this means they request that some type of “appliance”, be that a Cisco Pix or some other third party box painted red and given a secure sounding name, be placed between the internet and the ISA Server that we are implementing for them. Sometimes this is based on the principle of defense in depth, whereas other times it is based on a false belief that a product from Microsoft couldn’t possibly be secure. Maybe if they saw the stats above they would think otherwise.

Related posts:

• Well-designed security systems fail gracefully, SonicWALL does not
• Publishing Exchange 2010 POP3 with ISA Server 2006
• Microsoft Exam 70-350: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
• Security hole found in OpenBSD
• Exchange 2010 FAQ: Are Wildcard SSL Certificates Supported?

This article Tom Shinder on “hardware” firewalls is © 2007 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com