Hello

Sorry about the big mail list, but my question involves 3 different expertise, so I am not sure where to post.

In a nutshell what I am trying to do is the following.

a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through an ISA Server 2004 firewall. I haven't figured out yet how to get the mail server to pick up email. I could publish the SMTP server on the external firewall, but all email is currently being sent to my ISP and I quite like this because they can take care of a lot of spam filtering, virus etc. problems for me.

b) I then want IIS to forward the email to an internal Exchange server (through another ISA firewall). I am trying to set up IIS to relay email. When I configure SMTP I get the error "the domain name is not valid". I am setting up a domain and selecting forward all email to smarthost, but when I check this option and type in the IP address of the Exchange server, this is the error I get. It will be picking up email destined for three different domains x.com, y.com and z.com. The domain name for the Windows domain that needs to accept these emails is called b.com. Is this going to be a problem? I have not set up anything on the Exchange server yet (should I be doing this first?)

c) Theoretically Exchange should then deliver the incoming mail to the individual users. I have configured the Exchange policies such that all users have the appropriate associated SMTP email addresses against their user names, so hopefully this should just work.

Sorry for all the questions, I seem to have half answers for most issues, but just can't seem to get there.

Thanks to anyone who proffers help/advice.

Saira

The users in Exchange
On Wed, 1 Mar 2006 18:32:59 -0000, "Saira" <Saira@BayonetVentures.com> wrote:

>Hello
>Sorry about the big mail list, but my question involves 3 different
>expertise, so I am not sure where to post.
>
>In a nutshell what I am trying to do is the following.
>a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through an
>ISA server 2004 firewall
>I haven't figured out yet how to get the mail server to pick up email, I
>could publish the SMTP server on the external firewall, but all email is
>currently being sent to my ISP and I quite like this because they can take
>care of a lot of spam filtering, virus etc. problems for me.

Your IIS server won't do any picking up of email. You would need a 3rd party POP3 connector on that server to collect the mail and deliver it to a local SMTP server. That server has the anti-virus and spam solution on it and will forward it to the Exchange server.

>
>b) I then want IIS to forward the email to an internal exchange server
>(through another ISA firewall)
>I am trying to setup IIS to relay email. when I configure SMTP I get the
>error "the domain name is not valid". I am setting up a domain and selecting
>forward all email to smarthost, but when I check this option and type in the
>IP address of the Exchange server, this is the error I get. It will be
>picking up email destined for three different domains x.com , y.com and
>z.com. The domain name for the Windows domain that needs to accept these
>emails is called b.com. is this going to be a problem? I have not set up
>anything on the Exchange server yet (should I be doing this first?)
>
>c) Theoretically Exchange should then deliver the incoming mail to the
>individual users. I have configured the exchange policies such that all
>users have the appropriate associated SMTP email addresses against their
>user names, so hopefully this should just work.
>
>Sorry for all the questions, I seem to have half answers for most issues,
>but just can't seem to get there.
>
>Thanks to anyone who proffers help/advice.
>
>Saira
>
>The users in Exchange
>

I'm a bit lost as to why you want an IIS server in a DMZ and then have two ISAs. I'm not even sure why you want 2 ISAs. Who has told you that you should do all this? It's a big waste of hardware for no tangible gain in security.
> In a nutshell what I am trying to do is the following.
> a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through
> an ISA server 2004 firewall
> I haven't figured out yet how to get the mail server to pick up email, I
> could publish the SMTP server on the external firewall, but all email is
> currently being sent to my ISP and I quite like this because they can take
> care of a lot of spam filtering, virus etc. problems for me.

You cannot do this with IIS alone. You will need a POP3 connector that integrates with your Exchange instance and retrieves mail from your ISP (I assume the ISP is using POP3 for message retrieval). In this case there is no need for point b) below.

> b) I then want IIS to forward the email to an internal exchange server
> (through another ISA firewall)

You don't need this if you install and configure the POP3 connector on the Exchange server itself. Here's an example of such a connector that integrates natively with Exchange 2000/2003:
http://www.mapilab.com/exchange/pop3_connector/

Not too expensive either by comparison with other products of this nature.

> I am trying to setup IIS to relay email. when I configure SMTP I get the
> error "the domain name is not valid". I am setting up a domain and
> selecting forward all email to smarthost, but when I check this option and
> type in the IP address of the Exchange server, this is the error I get.

This should not be a problem, but check your DNS configuration carefully for errors.

> It will be picking up email destined for three different domains x.com ,
> y.com and z.com. The domain name for the Windows domain that needs to
> accept these emails is called b.com. is this going to be a problem? I have
> not set up anything on the Exchange server yet (should I be doing this
> first?)

Yes you need to set up Exchange to accept messages for all three domains - this is being done mainly through Recipient Policies in the Exchange System Manager.

Virgil

>
> c) Theoretically Exchange should then deliver the incoming mail to the
> individual users. I have configured the exchange policies such that all
> users have the appropriate associated SMTP email addresses against their
> user names, so hopefully this should just work.
>
> Sorry for all the questions, I seem to have half answers for most issues,
> but just can't seem to get there.
>
> Thanks to anyone who proffers help/advice.
>
> Saira
>
> The users in Exchange
>
If Exchange is only receiving from the IIS SMTP (pushed to Exchange from IIS) it doesn't need the connector. The connector is required if Exchange "polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a "POP3 Client".

I use IIS/SMTP to relay to Exchange myself. The IIS/SMTP box runs a Spam Filtering system that processes the incoming mail, then passes it on to the Exchange. There was nothing to configure on Exchange,..Exchange is completely "oblivious" to what is happening.

It sounds to me like the IIS/SMTP Service is just simply misconfigured.

The question should be answered in an IIS Group, not ISA. ISA has nothing to do with it,..the fact that it is going through an ISA as a result of Publishing is irrelevant.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"ZVR" <no_spam_ever@me.local> wrote in message
news:4405f815$0$5488$9a6e19ea@unlimited.newshosting.com...
> > In a nutshell what I am trying to do is the following.
> > a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through
> > an ISA server 2004 firewall
> > I haven't figured out yet how to get the mail server to pick up email, I
> > could publish the SMTP server on the external firewall, but all email is
> > currently being sent to my ISP and I quite like this because they can take
> > care of a lot of spam filtering, virus etc. problems for me.
>
> You cannot do this with IIS alone. You will need a POP3 connector that
> integrates with your Exchange instance and retrieves mail from your ISP (I
> assume the ISP is using POP3 for message retrieval). In this case there is
> no need for point b) below.
>
>
> > b) I then want IIS to forward the email to an internal exchange server
> > (through another ISA firewall)
>
> You don't need this if you install and configure the POP3 connector on the
> Exchange server itself. Here's an example of such a connector that
> integrates natively with Exchange 2000/2003:
> http://www.mapilab.com/exchange/pop3_connector/
>
> Not too expensive either by comparison with other products of this nature.
>
>
> > I am trying to setup IIS to relay email. when I configure SMTP I get the
> > error "the domain name is not valid". I am setting up a domain and
> > selecting forward all email to smarthost, but when I check this option and
> > type in the IP address of the Exchange server, this is the error I get.
>
> This should not be a problem, but check your DNS configuration carefully for
> errors.
>
>
> > It will be picking up email destined for three different domains x.com ,
> > y.com and z.com. The domain name for the Windows domain that needs to
> > accept these emails is called b.com. is this going to be a problem? I have
> > not set up anything on the Exchange server yet (should I be doing this
> > first?)
>
> Yes you need to set up Exchange to accept messages for all three domains -
> this is being done mainly through Recipient Policies in the Exchange System
> Manager.
>
> Virgil
>
>
>
> > c) Theoretically Exchange should then deliver the incoming mail to the
> > individual users. I have configured the exchange policies such that all
> > users have the appropriate associated SMTP email addresses against their
> > user names, so hopefully this should just work.
> >
> > Sorry for all the questions, I seem to have half answers for most issues,
> > but just can't seem to get there.
> >
> > Thanks to anyone who proffers help/advice.
> >
> > Saira
> >
> > The users in Exchange
> >
>
"Phillip Windell" <@.> wrote in message
news:%23OkOYzWPGHA.1360@TK2MSFTNGP10.phx.gbl...
> If Exchange is only receiving from the IIS SMTP (pushed to Exchange from
> IIS) it doesn't need the connector. The connector is required if Exchange
> "polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a "POP3
> Client".

I know what you mean, however from the original post I got the impression that the mailboxes are currently hosted at the ISP, which performs all kinds of processing on them and also "stores" the messages, in which case a POP3 connector would be required. If the ISP does not "store" the mailboxes and simply passes everything on to the IIS relay after applying some anti-virus filtering and so on, then the POP3 connector would be unnecessary as you pointed out.

Virgil
Ok,..well we'll have to wait and see how they respond back. Maybe they will clarify it then.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"ZVR" <no_spam_ever@me.local> wrote in message
news:440618bd$0$28053$9a6e19ea@unlimited.newshosting.com...
> "Phillip Windell" <@.> wrote in message
> news:%23OkOYzWPGHA.1360@TK2MSFTNGP10.phx.gbl...
> > If Exchange is only receiving from the IIS SMTP (pushed to Exchange from
> > IIS) it doesn't need the connector. The connector is required if Exchange
> > "polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a "POP3
> > Client".
>
> I know what you mean, however from the original post I got the impression
> that the mailboxes are currently hosted at the ISP which performs all kinds
> of processing on them and also "stores" the messages in which case a POP3
> connector would be required. If the ISP does not "store" the mailboxes and
> simply passes everything on to the IIS relay after applying some anti-virus
> filtering and so on, then the POP3 connector would be unnecessary as you
> pointed out.
>
> Virgil
>
>
Either way it's crazy. Why would one use IIS to redirect mail, if a POP connector to the ISP is gonna be used?

He's publishing the mail server with ISA anyways, so I guess his best bet would be to configure Exchange to only receive email from the ISP's SMTP server (and for "filtering" to use it as a smart host for sending as well), after Exchange has been published through ISA!

Julian Dragut

"Phillip Windell" <@.> wrote in message
news:O2DLxKYPGHA.456@TK2MSFTNGP15.phx.gbl...
> Ok,..well we'll have to wait and see how they respond back. Maybe they
> will
> clarify it then.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
> "ZVR" <no_spam_ever@me.local> wrote in message
> news:440618bd$0$28053$9a6e19ea@unlimited.newshosting.com...
>> "Phillip Windell" <@.> wrote in message
>> news:%23OkOYzWPGHA.1360@TK2MSFTNGP10.phx.gbl...
>> > If Exchange is only receiving from the IIS SMTP (pushed to Exchange
>> > from
>> > IIS) it doesn't need the connector. The connector is required if
> Exchange
>> > "polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a
> "POP3
>> > Client".
>>
>> I know what you mean, however from the original post I got the impression
>> that the mailboxes are currently hosted at the ISP which performs all
>> kinds
>> of processing on them and also "stores" the messages in which case a POP3
>> connector would be required. If the ISP does not "store" the mailboxes
>> and
>> simply passes everything on to the IIS relay after applying some
> anti-virus
>> filtering and so on, then the POP3 connector would be unnecessary as you
>> pointed out.
>>
>> Virgil
>>
>>
>
>
We're not publishing Exchange through ISA, and we do not want to expose our internal Exchange server to the internet.

One option that we did have was to put in place another Exchange server in the DMZ. In this case we would have used a POP Connector to contact the ISP and the email would then have gone through to the backend server, however this is not our setup. What we actually have is an IIS server in a DMZ and an Exchange server on the internal LAN. My question was:

What is the best way to get mail from the ISP into the DMZ (yes, the ISP stores the email in mailboxes, so from previous feedback, it looks like the opinion is that I will need a POP connector to get the mail down).

Once the email gets to the IIS server I need it to be relayed to the internal Exchange server (this is where I am getting the IIS SMTP configuration error). My main question here was how do I make sure that all mail for all three domains gets forwarded through to the internal Exchange server. We already have our internal mailboxes configured via recipient policies to receive mail from the various different domains, but I was not sure whether this was all I needed to do.

"Julian Dragut" <julian.dragut@itsm.ca> wrote in message
news:u%23CpCJbPGHA.3272@tk2msftngp13.phx.gbl...
> Either way it's crazy. Why would one use IIS to redirect mail, if POP
> connector to the ISP is gonna be used?
> He's publishing the mail server with ISA anyways, so I guess his best bet
> would be to configure exchange to only receive email from ISP's smtp
> server(and for "filtering" to use as a smart host for sending as well),
> after Exchange has been published through ISA!
>
> Julian Dragut
>
>
>
> "Phillip Windell" <@.> wrote in message
> news:O2DLxKYPGHA.456@TK2MSFTNGP15.phx.gbl...
>> Ok,..well we'll have to wait and see how they respond back. Maybe they
>> will
>> clarify it then.
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>>
>>
>> "ZVR" <no_spam_ever@me.local> wrote in message
>> news:440618bd$0$28053$9a6e19ea@unlimited.newshosting.com...
>>> "Phillip Windell" <@.> wrote in message
>>> news:%23OkOYzWPGHA.1360@TK2MSFTNGP10.phx.gbl...
>>> > If Exchange is only receiving from the IIS SMTP (pushed to Exchange
>>> > from
>>> > IIS) it doesn't need the connector. The connector is required if
>> Exchange
>>> > "polls" (pulled from IIS to Exchange) the IIS/SMTP for the mail as a
>> "POP3
>>> > Client".
>>>
>>> I know what you mean, however from the original post I got the
>>> impression
>>> that the mailboxes are currently hosted at the ISP which performs all
>>> kinds
>>> of processing on them and also "stores" the messages in which case a
>>> POP3
>>> connector would be required. If the ISP does not "store" the mailboxes
>>> and
>>> simply passes everything on to the IIS relay after applying some
>> anti-virus
>>> filtering and so on, then the POP3 connector would be unnecessary as you
>>> pointed out.
>>>
>>> Virgil
>>>
>>>
>>
>>
>
>
> What is the best way to get mail from the ISP into the DMZ (yes, the ISP
> stores the email in mailboxes, so from previous feedback, it looks like
> the opinion is that I will need a POP connector to get the mail down).

Yes you will. However! As I was saying in my previous email, if you integrate a POP3 connector into your internal Exchange instance, you will not need this intermediate DMZ step, period. The reason being that the internal Exchange can connect to your ISP and retrieve the POP3 mail directly, then route the messages to the appropriate mailboxes. Nowhere in this scenario are you "exposing" the internal Exchange machine - there will be no "incoming" connections to it, just outgoing requests made from the POP3 connector to your ISP mail servers. This is as secure as it can be - you only need to allow outbound access through your firewalls for the ISP IP(s), for the POP3 protocol.

> Once the email gets to the IIS Server I need it to be relayed to the
> internal Exchange server (this is where I am getting the IIS SMTP
> configuration error).

This type of configuration is actually even less secure than what I am suggesting because you need to allow traffic from the DMZ into the internal network space, so if your DMZ ever gets compromised, the offenders will have a direct access path into your SMTP service. Still secure enough if you ask me, but just pointing out for the sake of the design that integrating the POP3 connector into your internal Exchange instance is probably the best option security-wise.

Virgil
Kinda long,...read it all.

"Saira" <Saira@BayonetVentures.com> wrote in message
news:ORZNtTePGHA.3936@TK2MSFTNGP12.phx.gbl...
> and we do not want to expose our
> internal Exchange server to the internet.

Why not? If you publish it from ISA (followed by the "outer" firewall doing a Static NAT to the ISA) you are only exposing the SMTP service which isn't any different (or worse) than using an SMTP service in the DMZ.

> One option that we did have was to put in place another Exchange server in
> the DMZ, in this case we would have used a POP Connector to contact the ISP
> and the email would then have gone through to the backend server, however
> this is not our setup.

Yes you could do that, but (in my opinion) this whole method is based on needless paranoia and on top of that the Admin doing it has to buy ($$$$) 2 Exchange Servers to perform a "single" job that could have just as easily and safely been done with one Exchange.

> What we actually have is an IIS server in a DMZ and an
> Exchange server on the internal LAN. My questions was:
> What is the best way to get mail from the ISP into the DMZ (yes, the ISP
> stores the email in mailboxes, so from previous feedback, it looks like the
> opinion is that I will need a POP connector to get the mail down).

Then you have exactly what I thought you did. *IF* you need a POP3 Connector it would have to go on the IIS/SMTP in the DMZ (not the Exchange machine) so it could interact with the ISP's system. However I don't think there is such a thing. There isn't even a POP3 Service with IIS until you get to the one with Server 2003,...and a POP3 Service is not the same thing as a POP3 Connector, which as far as I know is an "Exchange only" item.

Now with all that said,...you don't need a POP3 Connector. The ISP's SMTP Server will use *SMTP* (not POP3) to send whatever it gets to the "outer" firewall's external IP#,...the firewall using Static NAT will pass it on to the IIS/SMTP in the DMZ. The IIS/SMTP does a "rinse & repeat" of what the ISP did and simply forwards everything it receives to the ISA's external IP# where the Publishing Rule grabs it and passes it to the Exchange Server. The Exchange Server is the one with the "brains" and will determine what to do with the messages and if they even really belong there.

> Once the email gets to the IIS Server I need it to be relayed to the
> internal Exchange server (this is where I am getting the IIS SMTP
> configuration error). My main question here, was how do I make sure that all
> mail for all three domains gets forwarded through to the internal Exchange
> server.

1. In the MMC below the IIS/SMTP Virtual Server there is a Domains Object,...in it you have to list all the Domains you are dealing with (do not include the "@"). Make sure they aren't spelled wrong.

   a. Then in the Properties of each of those Domains (not counting the Local Default one),...enable "Allow the mail to be relayed to this domain"
   b. Then enable "Forward all mail to Smarthost" and give it the external ISA's IP# and enclose it in square brackets.
   c. Leave everything else blank. Leave the Advanced Tab blank. Leave "Outbound Security" set to anonymous.

2. Then in the Properties of the IIS/SMTP Virtual Server go to the Access Tab, then the Relay button. Select "Only the list below",..then leave the list blank. At the bottom Select the "Allow Computer that successfully authenticate".

But this group is supposed to be about configuring and troubleshooting ISA,...not IIS/SMTP. But then you crossposted to about a million other groups.

> We already have our internal mailboxes configured via recipient policies to
> receive mail from the various different domains, but I was not sure whether
> this was all I needed to do.

Yes, as far as Exchange is concerned,...that is all you do. Exchange only cares about what to do with the mail once it arrives (hence the Recipient Policy), but Exchange couldn't care less how the mail found its way to the server.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
Thank you Phillip and Virgil

It is a very long thread, I didn't realise what I was starting when I posted!!

What you are saying makes sense, I must admit I am trying to listen to all sides (some of whom say it is a bad idea to allow your Exchange server to interact directly with the internet).

If I am to publish my Exchange server to the outer firewall (I am working in a back to back scenario), do you have any idea on how to do this? I can see how to do this if Exchange was in the DMZ, but not in the internal LAN. I assume that if I do this, I am basically done and dusted as Exchange will receive all the email and I will then just need to enable the firewall to allow outgoing SMTP from Exchange and that's it....

Saira

"Phillip Windell" <@.> wrote in message
news:uzVbTogPGHA.1124@TK2MSFTNGP10.phx.gbl...
> Kinda long,...read it all.
>
> "Saira" <Saira@BayonetVentures.com> wrote in message
> news:ORZNtTePGHA.3936@TK2MSFTNGP12.phx.gbl...
>> and we do not want to expose our
>> internal Exchange server to the internet.
>
> Why not? If you publish it from ISA (followed by the "outer" firewall
> doing
> a Static NAT to the ISA) you are only exposing the SMTP service which
> isn't
> any different (or worse) than using an SMTP service in the DMZ.
>
>> One option that we did have was to put in place another Exchange server
>> in
>> the DMZ, in this case we would have used a POP Connector to contact the
> ISP
>> and the email would then have gone through to the backend server, however
>> this is not our setup.
>
> Yes you could do that, but (in my opinion) this whole method is based on
> needless paranoia and on top of that the Admin doing it has to buy ($$$$)
> 2
> Exchange Servers to perform a "single" job that could have just as easily
> and safely been done with one Exchange.
>
>> What we actually have is an IIS server in a DMZ and an
>> Exchange server on the internal LAN. My questions was:
>> What is the best way to get mail from the ISP into the DMZ (yes, the ISP
>> stores the email in mailboxes, so from previous feedback, it looks like
> the
>> opinion is that I will need a POP connector to get the mail down).
>
> Then you have exactly what I thought you did. *IF* you need a POP3
> Connector it would have to go on the IIS/SMTP in the DMZ (not the Exchange
> machine) so it could interact with the ISP's system. However I don't think
> there is such a thing. There isn't even a POP3 Service with IIS until you
> get to the one with Server2003,...and a POP3 Service is not the same thing
> as a POP3 Connector, which as far as I know is an "Exchange only" item.
>
> Now with all that said,...you don't need a POP3 Connector. The ISP's SMTP
> Server will use *SMTP* (not POP3) to send whatever it gets to the "outer
> firewall's external IP#,...the firewall using Static NAT will pass it on
> to
> the IIS/SMTP in the DMZ. The IIS/SMTP does a "rinse & repeat" of what the
> ISP did and simply forward everything it receives to the ISA's external
> IP#
> where the Publishing Rule grabs it and passes it to the Exchange Server.
> The Exchange Server is the one with the "brains" and will determine what
> to
> do with the messages and if they even really belong there.
>
>> Once the email gets to the IIS Server I need it to be relayed to the
>> internal Exchange server (this is where I am getting the IIS SMTP
>> configuration error). My main question here, was how do I make sure that
> all
>> mail for all three domains gets forwarded through to the internal
>> Exchange
>> server.
>
> 1. In the MMC below the IIS/SMTP Virtual Server there is a Domains
> Object,...in it you have to list all the Domains you are dealing with (do
> not include the "@"). Make sure they aren't spelled wrong.
>
> a. Then in the Properties of each of those Domain (not counting the
> Local
> Default one),...enable "Allow the mail to be relayed to this
> domain"
> b. Then enable "Forward all mail to Smarthost" and give it the external
> ISA's IP# and enclose it in square brackets.
> c. Leave everything else blank. Leave the Advanced Tab blank. Leave
> "Outbound Security" set to anonymous.
>
> 2. Then in the Properties of the IIS/SMTP Virtual Server go to the Access
> Tab, then the Relay button. Select "Only the list below",..then leave the
> list blank. At the bottom Select the "Allow Computer that successfully
> authenticate".
>
> But this group is supposed to be about configuring and troubleshooting
> ISA,...not IIS/SMTP. But then you crossposted to about a million other
> groups.
>
>> We already have our internal mailboxes configured via recipient policies
> to
> receive mail from the various different domains, but I was not sure
> whether
> this was all I needed to do.
>
> Yes, as far as Exchange is concerned,...that is all you do. Exchange only
> cares about what to do with the mail once it arrives (hence the Recipient
> Policy), but Exchange couldn't care less how the mail found its way to the
> server.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
>
> Deployment Guidelines for ISA Server 2004 Enterprise Edition
> http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
> -----------------------------------------------------
>
>
>
>
>
"Saira" <Saira@BayonetVentures.com> wrote in message
news:exIUgwgPGHA.3896@TK2MSFTNGP15.phx.gbl...
> What you are saying makes sense, I must admit I am trying to listen to all
> sides (some of whom say it is a bad idea to allow your Exchange server to
> interact directly with the internet).

I always enjoy "poking" at the guys that believe that. Just for their enjoyment,...my Exchange is Published directly to the internet (before I added the Spam Filtering machine) and I do not run any DMZ at all,...and probably never will.

A LAN can be made perfectly secure without a DMZ.

> If I am to publish my Exchange server to the outer firewall (I am working in
> a back to back scenario), do you have any idea on how to do this?

Assuming the ISA is the "inner firewall" and is publishing Exchange to the DMZ,...you would just pretend that the ISA is the Exchange server and use the "outer firewall" to publish the ISA Server *as if* it was the Exchange server.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
So you are saying publish the Exchange server to the back end firewall and then on the front end publish again, but this time point to the ISA server?

How about mail going out? Do I just allow SMTP from the internal to the external network via the Exchange server?

Saira

"Phillip Windell" <@.> wrote in message
news:e8bJI6gPGHA.916@TK2MSFTNGP10.phx.gbl...
> "Saira" <Saira@BayonetVentures.com> wrote in message
> news:exIUgwgPGHA.3896@TK2MSFTNGP15.phx.gbl...
>> What you are saying makes sense, I must admit I am trying to listen to
>> all
>> sides (some of whom say it is a bad idea to allow your Exchange server to
>> interact directly with the internet).
>
> I always enjoy "poking" at the guys that believe that. Just for their
> enjoyment,...my Exchange is Published directly to the internet (before I
> added the Spam Filtering machine) and I do not run any DMZ at all,...and
> probably never will.
> A LAN can be made perfectly secure without a DMZ.
>
>> If I am to publish my Exchange server to the outer firewall (I am working
> in
>> a back to back scenario), do you have any idea on how to do this?
>
> Assuming the ISA is the "inner firewall" and is publishing Exchange to the
> DMZ,...you would just pretend that the ISA is the Exchange server and use
> the "outer firewall" to publish the ISA Server *as if* it was the Exchange
> server.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
Actually Phillip, now I've got myself really confused with all the options.

Can I not just use the POP3 Connector to go and fetch mail from the ISP (no publishing involved), and allow SMTP mail out through the inner firewall by Exchange (just setting the ISP SMTP server as the server to use for unresolved email)?

Saira

"Saira" <Saira@BayonetVentures.com> wrote in message
news:O9Ue8ahPGHA.2320@TK2MSFTNGP11.phx.gbl...
> So you are saying publish the Exchange server to the Back end firewall and
> then on the Front end publish again, but this time point to the ISA
> server?
>
> How about mail going out? Do I just allow SMTP from the internal to the
> external network via by the Exchange server?
>
> Saira
>
> "Phillip Windell" <@.> wrote in message
> news:e8bJI6gPGHA.916@TK2MSFTNGP10.phx.gbl...
>> "Saira" <Saira@BayonetVentures.com> wrote in message
>> news:exIUgwgPGHA.3896@TK2MSFTNGP15.phx.gbl...
>>> What you are saying makes sense, I must admit I am trying to listen to
>>> all
>>> sides (some of whom say it is a bad idea to allow your Exchange server
>>> to
>>> interact directly with the internet).
>>
>> I always enjoy "poking" at the guys that believe that. Just for their
>> enjoyment,...my Exchange is Published directly to the internet (before I
>> added the Spam Filtering machine) and I do not run any DMZ at all,...and
>> probably never will.
>> A LAN can be made perfectly secure without a DMZ.
>>
>>> If I am to publish my Exchange server to the outer firewall (I am
>>> working
>> in
>>> a back to back scenario), do you have any idea on how to do this?
>>
>> Assuming the ISA is the "inner firewall" and is publishing Exchange to
>> the
>> DMZ,...you would just pretend that the ISA is the Exchange server and use
>> the "outer firewall" to publish the ISA Server *as if* it was the
>> Exchange
>> server.
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>>
>
>
"Saira" <Saira@BayonetVentures.com> wrote in message news:eU7CLuhPGHA.428@tk2msftngp13.phx.gbl...
> Actually Phillip, now I've got myself really confused with all the options. Can I not just use the POP3 Connector to go and fetch mail from the ISP (no publishing involved), and allow SMTP mail out through the inner firewall by Exchange (just setting the ISP SMTP server as the server to use for unresolved email)?

That's what I said all along. Yes you can do that (although it will require you to purchase such a POP3 connector for your Exchange), and again this is the most secure scenario and requires the least amount of reconfiguration because everything will continue to work as before. Mail continues to arrive in the POP3 mailboxes hosted by your ISP, so no DNS reconfiguration will be required, no nothing - you just configure the POP3 connector to fetch email from the ISP and that's it. No inbound connections of any kind (=server publishing rules) are needed with this setup.

So if you're OK with the ISP having control over your email storage and can afford to buy the POP3 connector software, by all means, go with it.

Virgil
"Saira" <Saira@BayonetVentures.com> wrote in message news:O9Ue8ahPGHA.2320@TK2MSFTNGP11.phx.gbl...
> So you are saying publish the Exchange server to the back-end firewall and then on the front end publish again, but this time point to the ISA server?

That is correct. As far as the outer-most firewall is concerned, it thinks the ISA is the Exchange box.

> How about mail going out? Do I just allow SMTP from the internal to the external network via the Exchange server?

Publishing doesn't affect outbound. The Exchange uses SMTP outbound exactly the same way a user would use SMTP outbound with Outlook Express or something. So in that respect Exchange is just nothing more than an SMTP Client initiating an outbound SMTP connection,...however it *does* need to be able to do so "anonymously". It is all completely unrelated to any of the Publishing,... Publishing is only inbound.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
"Saira" <Saira@BayonetVentures.com> wrote in message news:eU7CLuhPGHA.428@tk2msftngp13.phx.gbl...
> Actually Phillip, now I've got myself really confused with all the options. Can I not just use the POP3 Connector to go and fetch mail from the ISP (no publishing involved), and allow SMTP mail out through the inner firewall by Exchange (just setting the ISP SMTP server as the server to use for unresolved email)?

I suppose you could,...but it is more work and more complicated (to me) than the other way. This all has to be worked out by the ISP. The ISP has to configure their system to *hold* your mail when it would otherwise immediately send the mail to you over SMTP. The ISP's system would only let you have the mail when your machine "comes and gets it" using the POP3 Connector. To me this is a lot worse to deal with and has the most things that can go wrong.

Of course, everything would be easier if you eliminated the DMZ & Firewall and ran the ISA totally alone as an "edge" device between the LAN and the Internet. This is why I preach so much against DMZs,...most people don't even really know why they have one other than someone somewhere told them they were more secure if they had one. Now if someone has a good justifiable reason for one, then fine, that's great,...but doing it "just because" isn't enough for me.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Thanks for your advice Phillip.

If I publish the Exchange server, what sort of security should I put on it? Obviously the ISP is not able to 'authenticate', it's just going to forward emails to my IP address. Do I just publish the Exchange server and that's it (it all sounds a little simple)?

On outgoing, presumably I only need to allow the Exchange server access through the firewall and then I'm done.

"Phillip Windell" <@.> wrote in message news:eljtE8hPGHA.344@TK2MSFTNGP11.phx.gbl...
> "Saira" <Saira@BayonetVentures.com> wrote in message news:eU7CLuhPGHA.428@tk2msftngp13.phx.gbl...
>> Actually Phillip, now I've got myself really confused with all the options. Can I not just use the POP3 Connector to go and fetch mail from the ISP (no publishing involved), and allow SMTP mail out through the inner firewall by Exchange (just setting the ISP SMTP server as the server to use for unresolved email)?
>
> I suppose you could,...but it is more work and more complicated (to me) than the other way. This all has to be worked out by the ISP. The ISP has to configure their system to *hold* your mail when it would otherwise immediately send the mail to you over SMTP. The ISP's system would only let you have the mail when your machine "comes and gets it" using the POP3 Connector. To me this is a lot worse to deal with and has the most things that can go wrong.
>
> Of course, everything would be easier if you eliminated the DMZ & Firewall and ran the ISA totally alone as an "edge" device between the LAN and the Internet. This is why I preach so much against DMZs,...most people don't even really know why they have one other than someone somewhere told them they were more secure if they had one. Now if someone has a good justifiable reason for one, then fine, that's great,...but doing it "just because" isn't enough for me.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
"Saira" <Saira@BayonetVentures.com> wrote in message news:unfl5CiPGHA.3856@TK2MSFTNGP12.phx.gbl...
> Thanks for your advice Phillip.
> If I publish the Exchange server, what sort of security should I put on it? Obviously the ISP is not able to 'authenticate', it's just going to forward emails to my IP address. Do I just publish the Exchange server and that's it (it all sounds a little simple)?

That is pretty much it. It really isn't that complex,..it is just the DMZ situation that makes it seem that way. You still have to make sure Exchange itself isn't an "open relay" for Spam and in all other ways, properly configured,..but that is always the case,..it is not part of the "publishing" aspect. Remember that when published, only the SMTP Service is exposed, nothing else is,...unless you get into POP3 Publishing for "roaming users" but you haven't indicated you want to do that.

> On outgoing, presumably I only need to allow the Exchange server access through the firewall and then I'm done.

Yes,..and it only has to be outbound SMTP.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
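Phillip's point that the published server must not be an "open relay" is something you can verify against your own server from the outside with a short SMTP probe. The script below is an added example, not code from any poster or from ISA/Exchange; the host name, probe addresses and the scripted server replies are all constructed, and the 550 "Unable to relay" line mirrors the kind of rejection a correctly configured server returns.

```python
"""Open-relay self-check for an SMTP server you administer: both probe addresses are in
domains the server is not authoritative for, so 250 on RCPT TO means it relays for anyone."""
import socket


def _reply_code(readline):
    """Read one SMTP reply (possibly multi-line) and return its numeric code."""
    while True:
        line = readline()
        if len(line) < 4 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        if line[3:4] == b" ":      # space after the code: last line of the reply
            return int(line[:3])   # '-' after the code: continuation, keep reading


def probe_relay(readline, send, probe_from="probe@example.net", probe_to="probe@example.org"):
    """Drive EHLO / MAIL FROM / RCPT TO, stop before DATA, QUIT; return (open_relay, rcpt_code)."""
    if _reply_code(readline) != 220:
        raise RuntimeError("no SMTP greeting")
    send(b"EHLO relaycheck.example\r\n")
    if _reply_code(readline) != 250:
        raise RuntimeError("EHLO rejected")
    send(("MAIL FROM:<%s>\r\n" % probe_from).encode("ascii"))
    rcpt_code = None                      # stays None if the sender is refused outright
    if _reply_code(readline) == 250:
        send(("RCPT TO:<%s>\r\n" % probe_to).encode("ascii"))
        rcpt_code = _reply_code(readline)
    send(b"QUIT\r\n")                     # nothing is ever delivered: no DATA phase
    _reply_code(readline)
    return rcpt_code in (250, 251), rcpt_code


def probe_host(host, port=25, timeout=10):
    """Run the probe over a real TCP connection to a server you own (hypothetical host)."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as reader:
        return probe_relay(reader.readline, sock.sendall)


def scripted(replies):
    """Constructed offline stand-in for a server: returns (readline, send, sent_commands)."""
    queue, sent = list(replies), []
    return (lambda: queue.pop(0)), sent.append, sent


# Constructed transcripts: a correctly locked-down server, and an open relay.
LOCKED_DOWN = [b"220 mail.example.com ESMTP\r\n", b"250-mail.example.com\r\n",
               b"250 SIZE 10485760\r\n", b"250 2.1.0 Sender OK\r\n",
               b"550 5.7.1 Unable to relay\r\n", b"221 2.0.0 Bye\r\n"]
OPEN_RELAY = LOCKED_DOWN[:4] + [b"250 2.1.5 Recipient OK\r\n", b"221 2.0.0 Bye\r\n"]
```

Run `probe_host("mail.example.com")` from a machine outside your network: a result of `(False, 550)` is what you want to see, and `(True, 250)` means the published SMTP service will relay for anyone.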
> I suppose you could,...but it is more work and more complicated (to me) than the other way. This all has to be worked out by the ISP. The ISP has to configure their system to *hold* your mail when it would otherwise immediately send the mail to you over SMTP.

The ISP does that already Phillip...

> The ISP's system would only let you have the mail when your machine "comes and gets it" using the POP3 Connector.

To the ISP the POP3 connector would look like a client. Nothing special there.

> To me this is a lot worse to deal with and has the most things that can go wrong.

I don't necessarily share this view :-), once the POP3 connector is up and running, it's smooth sailing - you just set it and forget it. In the end it's Saira's decision, I just thought I would suggest this option too.

Virgil
"ZVR" <no_spam_ever@me.local> wrote in message news:44073523$0$5657$9a6e19ea@unlimited.newshosting.com...
> I don't necessarily share this view :-), once the POP3 connector is up and running, it's smooth sailing - you just set it and forget it. In the end it's Saira's decision, I just thought I would suggest this option too.

It is a valid way to do it, I'm not denying that. But the ISP may not already be doing that. It all depends on where the mailboxes reside. If they already exist on the ISP's server then the POP3 Connection would be the way to go,...but if the mailboxes don't already exist at the ISP then the ISP's server would not be holding the mail and would be just passing the mail onward to the customer's IP#. In fact it may not even touch the ISP's mail server at all if the customer already has the MX Record pointing to themselves which is the assumption I was operating under.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"Phillip Windell" <@.> wrote in news:OWaw$giPGHA.3856@TK2MSFTNGP12.phx.gbl:
> "ZVR" <no_spam_ever@me.local> wrote in message news:44073523$0$5657$9a6e19ea@unlimited.newshosting.com...
>> I don't necessarily share this view :-), once the POP3 connector is up and running, it's smooth sailing - you just set it and forget it. In the end it's Saira's decision, I just thought I would suggest this option too.
>
> It is a valid way to do it, I'm not denying that. But the ISP may not already be doing that. It all depends on where the mailboxes reside. If they already exist on the ISP's server then the POP3 Connection would be the way to go,...but if the mailboxes don't already exist at the ISP then the ISP's server would not be holding the mail and would be just passing the mail onward to the customer's IP#. In fact it may not even touch the ISP's mail server at all if the customer already has the MX Record pointing to themselves which is the assumption I was operating under.

2 things that often get overlooked in that scenario are:

A) Delays. POP3 connectors fetch mail on a schedule. Usually no faster than every 15 minutes.

B) Flexibility. You simply cannot add e-mail addresses to Exchange. It has to also be done at the ISP. And often, ISPs charge by the mailbox.