MCSE Training Kit 10070100227 ISA Server2000 [Electronic resources] (text version)

Thomas Lee

Lesson 3 Publishing Mail Servers


Mail servers may provide various services through several different protocols, and as a result, publishing a mail server behind a firewall normally requires you to allow each protocol access through the firewall. In ISA Server, the Mail Server Security wizard simplifies this process of publishing mail servers. By running the wizard, you simply specify the services you want to run, the location of your mail server, and the external address of the ISA Server computer. All the necessary rules and/or IP packet filters will be created for you.

After this lesson, you will be able to


Use the Mail Server Security wizard to publish a mail server on an internal network computer

Use the Mail Server Security wizard to publish a mail server on the ISA Server computer


Estimated lesson time: 30 minutes

Mail Server Security Wizard

ISA Server includes the Mail Server Security wizard, which you can use to host a mail server securely behind ISA Server. The wizard configures ISA Server rules to securely publish internal mail services to your external users.

To run the Mail Server Security wizard, right-click the Server Publishing Rules folder in ISA Management and select Secure Mail Server. You can modify an existing mail server publishing rule from the rule's Properties dialog box in the Server Publishing Rules folder in ISA Management.

Follow these steps to run the Mail Server Security wizard:


In the console tree of ISA Management, right-click the Server Publishing Rules folder and then click Secure Mail Server.

Follow the on-screen instructions.


Mail Wizard Settings

By using the Mail Server Security wizard, you can configure the following parameters:


The protocol for the selected mail service

The published IP address of the mail server, which is the external IP address of the ISA Server

The internal IP address of the mail server


The Mail Server Security wizard also creates a protocol rule that allows outgoing mail traffic. The protocol rule has the following parameters:


The protocol is SMTP (client).

The client set includes the internal IP address of the mail server computer.


Depending on which settings you select when running the wizard, different rules are created. ISA Server marks rules created by the wizard with a name beginning with "Mail Wizard Rule." For example, if you run the wizard, and configure it to publish outgoing SMTP mail, ISA Server creates a protocol rule named Mail Wizard Rule—SMTP (client). Internal IP: IP_Address, where IP_Address is the internal IP address that you specified when running the wizard. You can view these rule names in the details pane of the Server Publishing Rules folder.

If the mail server is located on the same computer as the ISA Server, the Mail Server Security wizard creates an IP packet filter rather than a protocol rule to allow the SMTP protocol.

Content Filtering

If the SMTP filter is installed and enabled, you can apply content filtering for all incoming mail by selecting the Apply Content Filtering check box in the wizard. The content will be filtered in accordance with the SMTP filter configuration.

Note that if the SMTP filter is already enabled, you cannot use the Mail Server Security wizard to disable it.

Configuring Exchange Server on the Local Network

By using ISA Server Mail Server Security wizard, you can configure an internal Microsoft Exchange Server so that it is available to external clients through one or more of the following protocols:


Messaging Application Programming Interface (MAPI)

Post Office Protocol 3 (POP3)

Internet Message Access Protocol 4 (IMAP4)

Network News Transfer Protocol (NNTP)

Secure NNTP


The wizard creates one or more server publishing rules corresponding to each mail service that ISA Server protects. The server publishing rules created by the wizard have the following parameters:


The mail server's internal address

The external address exposed by the ISA Server

The protocol for the selected mail service


The new rules created by the wizard are all named with the prefix "Mail Wizard Rule."

Exchange Server on the ISA Server Computer

You can use the Mail Server Security wizard to publish an Exchange server on the ISA Server computer. In this scenario, the Mail Server Security wizard creates an IP packet filter. IP packet filters are created for each mail service that you select. For example, suppose you run the Mail Server Security wizard and configure ISA Server to allow outgoing SMTP mail and POP3 client requests. In this scenario, Microsoft Outlook clients will still not be able to access the Exchange server from outside the local network. To allow qualified clients inside and outside the network to use the SMTP server, you would need to create the following four IP packet filters:


An IP packet filter allowing Inbound TCP connections on local port 25 from any remote port (to allow incoming SMTP packets)

An IP packet filter allowing Outbound TCP connections on all local ports from remote port 25 (to allow outgoing SMTP packets)

An IP packet filter allowing Inbound TCP connections on local port 110 from any remote port (to allow incoming POP3 packets)

An IP packet filter allowing Outbound TCP connections on all local ports from remote port 110 (to allow outgoing POP3 packets)
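The following added example (not part of the original training kit) models the four packet filters listed above as a small allow list and evaluates constructed sample connections against it, showing which traffic the filters admit and which is left unmatched. It assumes that a connection matching no allow filter is dropped; the class and function names are hypothetical and are not ISA Server APIs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PacketFilter:
    name: str
    direction: str              # "inbound" or "outbound" TCP connection
    local_port: Optional[int]   # None means all local ports
    remote_port: Optional[int]  # None means any remote port

    def matches(self, direction, local_port, remote_port):
        return (self.direction == direction
                and self.local_port in (None, local_port)
                and self.remote_port in (None, remote_port))


# The four filters from the list above (Exchange on the ISA Server computer).
MAIL_FILTERS = [
    PacketFilter("incoming SMTP", "inbound", 25, None),
    PacketFilter("outgoing SMTP", "outbound", None, 25),
    PacketFilter("incoming POP3", "inbound", 110, None),
    PacketFilter("outgoing POP3", "outbound", None, 110),
]


def evaluate(direction, local_port, remote_port, filters=MAIL_FILTERS):
    """Return the name of the first matching allow filter, or None if dropped."""
    for f in filters:
        if f.matches(direction, local_port, remote_port):
            return f.name
    return None  # assumption: unmatched traffic is dropped


# Constructed sample connections: (direction, local port, remote port).
SAMPLES = [
    ("inbound", 25, 40211),   # external host delivering mail
    ("inbound", 110, 40212),  # external POP3 client
    ("outbound", 1050, 25),   # local server sending mail out
    ("inbound", 143, 40213),  # IMAP4: no filter was created
    ("inbound", 135, 40214),  # RPC endpoint mapper used by MAPI clients
    ("outbound", 1051, 80),   # unrelated outbound HTTP
]


def audit(samples=SAMPLES):
    """Map each sample connection to the filter that allows it (or None)."""
    return {s: evaluate(*s) for s in samples}


if __name__ == "__main__":
    for (direction, lport, rport), hit in audit().items():
        verdict = f"ALLOW ({hit})" if hit else "DROP (no filter)"
        print(f"{direction:8} local={lport:<5} remote={rport:<5} {verdict}")
```

The unmatched MAPI/RPC sample illustrates why Outlook clients outside the network still cannot reach the Exchange server when only SMTP and POP3 are selected.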


Practice: Publishing the SMTP Service

Exercise 1: Configuring the SMTP Service

In this exercise, you configure the SMTP service on Server2. The function of the SMTP service is to send mail, and SMTP relies on other services, such as the POP3 service, to deliver mail to individual mailboxes. Though Windows 2000 does not include a built-in POP3 service, the SMTP service can still be used without POP3 to store all successfully sent mail in the local mail domain's Drop directory. From the Drop directory, messages can be opened and read manually, or they can be further processed and routed through the use of scripts.


Log on to Domain01 from Server2 as Administrator.
Click the Start menu, point to Programs, point to Administrative Tools, and click Internet Services Manager.

The Internet Information Services console appears.


In the Internet Information Services console tree, expand the * server2 node.
Right-click the Default SMTP Virtual Server node, and then click Properties.

The Default SMTP Virtual Server Properties dialog box appears.


In the IP Address drop-down list box, select 192.168.0.2.
Click OK.

Exercise 2: Creating a Mail Wizard Rule

In this exercise, you use the Mail Server Security wizard to create a rule mapping the external IP address of the ISA Server computer to the internal mail server on Server2.


Log on to Server1 as Administrator.
Open ISA Management.
Expand the Publishing node.
Right-click the Server Publishing Rules folder and click Secure Mail Server.

The Mail Server Security wizard appears.


Click Next.

The Mail Services Selection screen appears.


In the Default Authentication column, select the Incoming SMTP and Outgoing SMTP check boxes.
Click Next.

The ISA Server's External IP Address screen appears.


Click Browse.

The Browse For External IP Addresses dialog box appears and the external IP address assigned by your ISP to Server1 appears.


Click OK.

The external IP address appears in the External IP Address text box.


Click Next.

The Internal Mail Server screen appears.


Select the At This IP Address radio button, and type 192.168.0.2 in the text box.
Click Next.

The Completing The Mail Server Security Wizard screen appears.


Click Finish.
Restart the Web Proxy and Firewall services in ISA Management before proceeding to the next exercise.

Exercise 3: Configuring Outlook Express

In this exercise, you configure Outlook Express to send mail using the SMTP server hosted on Server2. For the SMTP server's IP address, you specify its published address—the address corresponding to the external IP address of Server1.


Log on to Server1 as Administrator.
Click the Start menu, point to Programs, and click Outlook Express.

Outlook Express opens and the Internet Connection wizard appears.

The Your Name screen appears.


In the Display Name text box, type Test User.
Click Next.

The Internet E-mail Address screen appears.


In the E-mail Address text box, type testuser.
Click Next.

A message appears warning that the e-mail address does not appear to be valid.


Click Yes to dismiss this warning.

The E-mail Server Names screen appears.


In the Incoming Mail (POP3, IMAP, or HTTP) Server text box, type example.microsoft.com. (This name is used merely as a placeholder and does not represent a real server. Alternatively, you may enter the name of any valid POP3 server you use for e-mail.)
In the Outgoing Mail (SMTP) Server text box, type the external IP address assigned to Server1 by your ISP. This must be the same IP address that you used for the Mail Wizard rule in Exercise 2.
Click Next.

The Internet Mail Logon screen appears.


Click Next.

The Congratulations screen appears.


Click Finish.

Outlook Express appears.


Click the Tools menu, and then click Accounts.

The Internet Accounts dialog box appears.


Click the Mail tab, verify that the example.microsoft.com account is selected, and then click Properties.

The Example.microsoft.com Properties dialog box appears.


Click the Servers tab.
In the Outgoing Mail Server section, click the My Server Requires Authentication check box.
Click the Settings button.

The Outgoing Mail Server dialog box appears.


Click the Log On Using radio button.
In the Account Name text box, type Administrator.
In the Password text box, type the password you have assigned the Administrator account on Server2.
Click OK.

The Example.microsoft.com Properties dialog box appears.


Click OK.
On the Internet Accounts dialog box, click Close.

Exercise 4: Testing the Configuration

In this exercise, you test the configuration first by sending an e-mail by using the published SMTP server and then by verifying that the SMTP server has successfully sent the message to the Drop folder on Server2.


While you are still logged on to Server1 and with Outlook Express still open, click the New Mail icon on the toolbar.

A New Message e-mail dialog box appears.


In the To text box, type Your_Name@server2.domain01.local, where Your_Name corresponds to your first name. Note that this name need not be a valid user account.
In the Subject text box, type SMTP test mail.
In the body of the message, type a short message such as This is a test.
Click the Send icon on the toolbar.
From Server2, log on as Administrator to Domain01. Then, browse to the C:\Inetpub\mailroot\Drop folder.
Click the Tools menu and then click Folder Options.
Click the View tab.
Clear the Hide File Extensions For Known File Types check box.
Click OK.

The folder now contains an Outlook Express Mail Message file (.eml) with a long alphanumeric name.


Right-click the file, and then click Open.

The Internet Connection wizard appears.


Click Cancel.

A warning message appears stating that you have not created a mail account on this computer.


Click Yes to dismiss the warning message.

Another warning message appears, stating that there is no default mail client.


Click OK to dismiss the warning message.

You should see the message you just sent from Server1. Because the mail client has specified an external IP address for the SMTP server, this confirms that the SMTP server is securely published to the Internet from behind ISA Server.


Close the SMTP Test Mail dialog box.

Lesson Summary

The Mail Server Security wizard simplifies the process of publishing mail servers on your network. When you publish a mail server by using the Mail Server Security wizard, you create server publishing rules specifying the published IP address of the mail server (which corresponds to the external IP address of the ISA Server computer) and the internal IP address of the mail server computer. The new server publishing rules created by the wizard are all named with the prefix "Mail Wizard Rule." The Mail Server Security wizard also creates a protocol rule allowing outgoing mail traffic. If the mail server is located on the same computer as the ISA Server, the Mail Server Security wizard creates an IP packet filter rather than a protocol rule to allow the SMTP protocol.

To run the Mail Server Security wizard, right-click the Server Publishing Rules folder in the console tree of ISA Management and select Secure Mail Server.
