Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

The Simple Mail Transport Protocol (SMTP) is the second most commonly used protocol on the Internet, after the web HTTP protocol. It is ubiquitously used as an email transport mechanism on the Internet and has become a critical tool for online collaboration.

Unfortunately, SMTP is also one of the most abused protocols on the Internet as well. Unsolicited email (spam), phishing attacks, and email-borne viruses all take advantage of the open, unauthenticated nature of SMTP, and it has become a necessity for organizations to control and monitor SMTP traffic entering and leaving the network.

ISA Server 2004's Application-layer inspection capabilities allow for a high degree of SMTP filtering and attack detection. By default, ISA supports the protocol as part of standard rules and policies. In addition, ISA also includes the SMTP Screener component, which enables the ISA server itself to become an SMTP Smarthost, and to filter and scan the SMTP traffic, as well as proxy the SMTP traffic for internal clients.

What this means is that ISA enables an environment to be further secured. With the SMTP Screener, the public MX record no longer needs to point to an internal server; it points at the ISA Server instead, as shown in Figure 13.24. This keeps potential SMTP exploits at bay because external intruders do not have direct access to the SMTP port of internal servers. In addition, it can also provide outbound SMTP filtering to protect an organization from the liability associated with its own clients sending viruses and exploits out, unwittingly or deliberately.

Figure 13.24. Examining SMTP screening with ISA Server 2004.

The one caveat with the SMTP Screener service is that, by itself, it really provides for only a base level of SMTP filtering. It does not have built-in intelligence to filter out email-borne viruses. It can, however, be extended with a third-party virus filter product that is designed for use with ISA Server 2004. The list of these products keeps growing over time, but they can be found at the following URL:

http://www.microsoft.com/isaserver/partners/contentsecurity.asp

With the addition of one of these third-party extensions to the SMTP filter, the capabilities of ISA Server can be further extended to include enterprise SMTP virus scanning and content filtering.

Installing and Configuring the SMTP Service on the ISA Server

The first step in installing the SMTP Screener component of ISA is to install the SMTP Service on the ISA Server. To install this service in Windows Server 2003, do the following:

1. Click Start, Control Panel, Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Select Application Server (by clicking on the name, not the check box) and click the Details button.
4. Select Internet Information Services (IIS) by clicking on the name (not the check box) and click Details.
5. Scroll down and select the SMTP Service, as shown in Figure 13.25. This has the effect of selecting other necessary components that go along with the SMTP service.

Figure 13.25. Installing the SMTP Service

6. Click OK, OK, and Next.
7. Insert the Windows Server 2003 media (if prompted) or point to the i386 files on a local drive or network location and click OK.
8. Click Finish.

After installing the SMTP Service, it is a good idea to check Windows Update for any patches that may apply to the server in its new configuration.

Installing the ISA SMTP Screener Component

After the SMTP Service is installed, the ISA SMTP Screener component can be installed on the ISA Server. If ISA is installed from scratch, the key to installing the SMTP Screener is to choose a custom installation and add the SMTP Screener to the installation options. If ISA is already installed, the following steps can ensure that the service is added:

NOTE

The SMTP Message Screener component can be installed on any Windows Server 2003 system, and is not limited to ISA Server itself. Delegating the SMTP screening tasks to a dedicated, secured server can improve overall security and should be considered.

1. Click Start, Control Panel, Add or Remove Programs.
2. Select Microsoft ISA Server 2004 from the list of installed programs and click the Change/Remove button.
3. Click Next at the Welcome screen.
4. Select the Modify radio button.
5. From the Custom Setup screen, shown in Figure 13.26, select the SMTP Screener component and choose This Feature Will Be Installed on Local Hard Drive.

Figure 13.26. Installing the SMTP Screener component

6. Click Next and then click Install.
7. Insert the media if prompted.
8. Click Finish and then reboot the server.

Enabling Outbound and Inbound SMTP Filtering with the SMTP Message Screener

As with most things in ISA Server, simply installing the service does not automatically enable the functionality. Because ISA is a firewall, rules must be created to allow SMTP traffic to the ISA Server. Several different varieties of SMTP rules can be set up with an SMTP Screener, depending on the type of traffic that will be allowed:

  • Inbound SMTP Filtering Inbound SMTP filtering is the most common type of SMTP filtering deployed. The primary security need for organizations with SMTP mail is to secure the anonymous email traffic coming into their networks from the untrusted Internet. At a minimum, inbound SMTP filtering should be enabled.

  • Outbound SMTP Filtering Outbound SMTP filtering is becoming more important. Organizations are finding that they are being held liable for internal employees launching attacks and sending spam (often without their knowledge) to external employees. Filtering and scanning the outbound traffic from a network can help to mitigate these risks.

  • Inbound and Outbound SMTP Filtering The best and most secure approach is to deploy an SMTP filtering strategy that makes use of both inbound and outbound SMTP filtering for an environment. This also has the advantage of enforcing SMTP communications through the ISA Server itself, rather than opening up any direct communications from internal clients or servers.

Creating an Outbound SMTP Filtering Rule

The different types of rules are set up in similar ways, using the standard ISA rule methodology discussed throughout this book. To set up a rule to allow outbound SMTP filtering (from the internal mail server to ISA), do the following:

TIP

For inbound SMTP filtering to work properly, the MX record on the Internet needs to resolve to the external IP address of the ISA Server, either directly (the public IP address on ISA) or, when ISA is configured as a unihomed server in the DMZ of an existing firewall, through that single IP address. In the latter configuration, the existing firewall needs to establish a NAT relationship between the IP address that the public MX record references and the ISA Server IP address.

1. From the ISA console, click on the Firewall Policy node.
2. In the Tasks pane, select the link for Publish a Mail Server.
3. Enter a descriptive name for the publishing rule, such as "Outbound SMTP to ISA," and click Next to continue.
4. Select the Server-to-Server Communication radio button from the list and click Next to continue.
5. Select SMTP from the check boxes in the Select Services dialog box, as shown in Figure 13.27, and click Next to continue.

Figure 13.27. Setting up an outbound SMTP rule.

6. Enter the IP address of the internal ISA interface (the rule needs to specify that the internal email server can send directly to ISA), and click Next to continue.
7. Select Listen to Requests from the Internal Network and click Next.
8. Click Finish, Apply, and OK to save the changes.

Configuring an Inbound SMTP Filter Rule

To configure the Inbound SMTP Filtering rule, perform the following steps:

1. From the ISA Console, click on the Firewall Policy node.
2. In the Tasks pane, select the link for Publish a Mail Server.
3. Enter a descriptive name for the publishing rule, such as "Inbound SMTP to ISA," and click Next to continue.
4. Select the Server-to-Server Communication radio button from the list shown in Figure 13.28 and click Next to continue.

Figure 13.28. Setting up an inbound SMTP filter rule.

5. Select SMTP from the check boxes under Select Services and click Next to continue.
6. Enter the IP address of the external ISA interface (the rule needs to specify that external email servers can send directly to ISA), and click Next to continue.
7. Select to listen to requests from the External network and click Next.
8. Click Finish, Apply, and OK to save the changes.

Configuring ISA SMTP Service Security Settings

To make sure that ISA allows mail sent to the proper domain name to be accepted internally, and to also secure the server and allow Exchange to relay outbound messages, the SMTP Virtual Server on ISA itself needs to be configured. To do this, follow these steps:

1. On the ISA Server, open IIS Manager (Start, All Programs, Administrative Tools, Internet Information Services (IIS) Manager).
2. Expand to SERVERNAME, Default SMTP Virtual Server.
3. Right-click the SMTP Virtual Server and choose Properties.
4. Select the Access tab.
5. Click the Relay button.
6. Leave the Only the List Below setting enabled, and click Add to add the IP address of the internal Exchange server. Also, uncheck the box for Allow All Computers Which Successfully Authenticate to Relay, Regardless of the List Above, similar to what is shown in Figure 13.29. Click OK.

Figure 13.29. Restricting relaying on the ISA SMTP Service.

7. Expand the Virtual Server and select Domains.
8. Right-click Domains and choose New, Domain.
9. For domain type, select Remote.
10. Enter the address space for the domain, such as companyabc.com. This allows inbound mail sent to internal domains to be forwarded to Exchange. Click Finish.
11. Right-click the newly created domain and choose Properties.
12. Under Route Domain, choose to forward all mail to the smarthost (the internal Exchange Server). Note that an IP address must be surrounded by brackets, as shown in Figure 13.30. Click OK when finished.

Figure 13.30. Setting inbound domain Smarthost settings.

13. Restart IIS by right-clicking the server name and choosing All Tasks, Restart IIS, and then clicking OK to confirm.
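The relay restriction and remote-domain routing that steps 6 and 10 through 12 configure, modelled as an added Python example (not Microsoft code or the book's own): the Exchange server address, the hosted domain and the smarthost are assumed values.

```python
"""Model of the relay restriction and remote-domain routing set on the ISA SMTP
virtual server above. Added example, not Microsoft code; all values assumed."""
from ipaddress import ip_address

# Assumed settings mirroring steps 6 and 10-12 (constructed values).
RELAY_ALLOWED_IPS = {"10.0.0.5"}        # Only the List Below: internal Exchange
AUTH_GRANTS_RELAY = False                # "Allow all computers which ... authenticate" unchecked
LOCAL_DOMAINS = {"companyabc.com": "[10.0.0.5]"}  # remote domain -> smarthost


def domain_of(address: str) -> str:
    """Lower-cased domain part of an SMTP path such as <user@companyabc.com>."""
    return address.strip("<>").rsplit("@", 1)[-1].lower()


def decide_rcpt(client_ip: str, rcpt_to: str, authenticated: bool = False):
    """Decide one RCPT TO as the virtual server would: (reply code, action).

    Mail for a hosted domain is accepted from anywhere and forwarded to the
    smarthost; any other destination is relaying, allowed only for listed IPs.
    With AUTH_GRANTS_RELAY left False, authenticating does not open the relay.
    """
    domain = domain_of(rcpt_to)
    if domain in LOCAL_DOMAINS:
        return 250, f"forward to smarthost {LOCAL_DOMAINS[domain]}"
    if str(ip_address(client_ip)) in RELAY_ALLOWED_IPS:
        return 250, "relay to destination MX"
    if authenticated and AUTH_GRANTS_RELAY:
        return 250, "relay (authenticated client)"
    return 550, "5.7.1 Unable to relay"


def accepted_recipients(client_ip: str, rcpts, authenticated: bool = False):
    """Recipients of one session that would get a 250; the others are refused."""
    return [r for r in rcpts if decide_rcpt(client_ip, r, authenticated)[0] == 250]
```

Flipping AUTH_GRANTS_RELAY to True reproduces the configuration the step tells you to avoid: any client holding a valid credential could then relay to arbitrary domains.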

Configuring an Access Rule for ISA to Forward Outbound Messages

The final step toward configuring ISA to send outbound messages is to allow the actual SMTP traffic from the ISA Server to all external mail servers on the Internet. This can be configured with a simple access rule, set up as follows:

1. On the ISA Server, open the ISA Console and choose the Firewall Policy node from the console tree.
2. Under the Tasks pane, click the link for Create New Access Rule.
3. Enter a descriptive name, such as Allow SMTP Outbound from ISA, and click Next.
4. Select Allow from the rule action list and click Next.
5. Under This Rule Applies To, select Specified Protocols.
6. Click Add under Protocols, then drill down and choose Common Protocols, SMTP, as shown in Figure 13.31. Click Add.

Figure 13.31. Adding an SMTP access rule for ISA outbound SMTP traffic.

7. Click Close and Next.
8. Under Access Rule Sources, click Add.
9. Drill down to Networks, select Local Host, and click Add, then Close.
10. Under Access Rule Destinations, click Add.
11. Under Networks, select External, and then click Add and Close.
12. Click Next, Next, Finish.
13. Click the Apply button at the top of the details pane and the OK button to confirm.

Configuring Exchange to Forward Outbound Messages to ISA

As a final step in this process, the Exchange organization needs to be configured to forward all outbound mail to the ISA Server, to offload this functionality from the internal servers. To do this in an Exchange Server 2003 organization, perform the following steps:

1. On an Exchange Server in the organization, open Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager).
2. Right-click on the organization name (at the top of the console hierarchy) and choose Properties.
3. Make sure that the box for Display Routing Groups is checked, then click OK.
4. Drill down to ORGNAME (Exchange), Administrative Groups, ADMINGROUPNAME, Routing Groups, ROUTINGGROUPNAME, Connectors.
5. Right-click Connectors and choose New, SMTP Connector.
6. Enter a descriptive name in the name field, and check the box to Forward All Mail Through the Following Smart Host, as shown in Figure 13.32. Note that the ISA Server's internal IP must be placed in brackets.

Figure 13.32. Creating an Exchange outbound SMTP connector to forward mail to the ISA Message Screener.

7. Click the Add button, select a local Exchange bridgehead from the list, and click OK.
8. Select the Address Space tab.
9. Click Add.
10. Select SMTP from the address type and click OK.
11. For email domain, leave it at * and a cost of 1 and click OK.
12. Click OK to save the changes.

Customizing the SMTP Filter

After SMTP rules have been set up to allow the traffic to flow through the SMTP screener, the ISA SMTP filter can be customized to block specific types of SMTP commands and content. To access the SMTP filter settings on the ISA Server, do the following:

1. From the ISA Console, click the Add-ins node in the console tree.
2. Under Application Filters in the details pane, double-click on SMTP Filter.
3. Examine and configure the settings on the SMTP Filter Properties dialog box, some of which are shown in Figure 13.33.

Figure 13.33. Configuring SMTP filter settings.

The SMTP Screener filter allows for the following default filtering functionality:

  • Keyword Filtering

  • Email address/domain name filtering

  • Attachment filtering

  • SMTP command filtering
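The four filter categories above, worked through as an added Python example that is not the ISA SMTP Filter's own code: the keyword, domain, extension and command lists and the sample message are constructed for illustration.

```python
"""Toy message screener covering the four filter categories listed above
(keyword, address/domain, attachment, SMTP command). Added example, not ISA
code; every policy list and the sample message below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed policy values for this example.
BLOCKED_KEYWORDS = {"free prize", "urgent wire transfer"}
BLOCKED_SENDER_DOMAINS = {"spam.example"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}
BLOCKED_COMMANDS = {"VRFY", "EXPN", "TURN"}   # verbs a gateway commonly refuses


def screen_command(line: str) -> bool:
    """SMTP command filtering: True if the verb on this command line is allowed."""
    verb = line.split(" ", 1)[0].strip().upper()
    return verb not in BLOCKED_COMMANDS


def screen_message(raw: str) -> list:
    """Return the reasons a message would be blocked; an empty list means pass."""
    msg = message_from_string(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()          # address/domain filter
    if sender.rsplit("@", 1)[-1] in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain blocked: {sender}")
    text = msg.get("Subject", "").lower() + "\n"
    for part in msg.walk():                                     # attachment filter
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(e) for e in BLOCKED_EXTENSIONS):
            reasons.append(f"attachment blocked: {fname}")
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace").lower()
    for kw in sorted(BLOCKED_KEYWORDS):                         # keyword filter
        if kw in text:
            reasons.append(f"keyword blocked: {kw}")
    return reasons


# Constructed sample: blocked sender domain, keyword in Subject, .exe attachment.
SAMPLE = (
    "From: Promo <offers@spam.example>\r\nTo: user@companyabc.com\r\n"
    "Subject: You won a FREE PRIZE\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nOpen the attachment.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="invoice.exe"\r\n'
    'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAA==\r\n--b1--\r\n"
)
```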

TIP

To take full advantage of the SMTP Screener and its Application-layer filtering technology, a third-party SMTP filtering product from an anti-virus vendor is recommended. It will tie the ISA SMTP Screener engine to the built-in intelligence that these products use to look for viruses and to perform content filtering. Be sure to validate that the specific product is verified for ISA Server 2004.
