How to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer by using Internet Security and Acceleration (ISA) Server 2000 (287646)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000
- Microsoft Exchange 2000 Enterprise Server
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
- Microsoft Exchange 2000 Server

This article was previously published under Q287646

This article is a consolidation of the following previously available article:
307632: How to publish Exchange 2000 Server through ISA Server by using the Firewall Client

SUMMARY

This article discusses how to configure a server that is running Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 with Internet Security and Acceleration (ISA) Server 2000. This article does not discuss how to configure Exchange 2000 Server or later product versions behind Microsoft Proxy Server 2.0. For more information about how to configure Exchange 2000 behind Microsoft Proxy Server 2.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:

276388 How to configure Exchange 2000 behind Proxy Server 2.0
307914 How to publish Exchange Server 5.5 and Exchange 2000 Server with Proxy Server 2.0

MORE INFORMATION

How to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer behind an ISA Server computer

To configure an Exchange 2000 Server computer or an Exchange Server 2003 computer that is behind an ISA Server computer, the following four main components must be present:
- A Site and Content rule to enable outgoing Simple Mail Transfer Protocol (SMTP) traffic.
- A Protocol rule to enable outgoing SMTP traffic.
- Server Publishing rules for each incoming protocol that you want to have.
- Correct IP routing.

Note You can use the Secure Mail Server Wizard in the ISA Management snap-in to automatically configure most of these components.

You can use either of the methods that are described in this section to publish an Exchange 2000 computer or an Exchange 2003 computer behind an ISA Server computer. Microsoft recommends that you use Method 1 to take advantage of all the functionality of ISA Server.

Method 1

- In the TCP/IP properties, configure the Exchange Server computer's default gateway address to point to the internal IP address of the ISA Server computer.
  When you do this, the Exchange Server computer acts as a Secure Network Address Translation (SNAT) client.
- On the ISA Server computer, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
- Expand Publishing, right-click Server Publish Rules, and then click Secure Mail Server.
- After the wizard starts, click Next, and then enter the configuration information.
  In a typical deployment, click Incoming SMTP and Outgoing SMTP. If you want to make the server available to Post Office Protocol version 3 (POP3) or Internet Message Access Protocol, version 4 (IMAP4) users and you require SSL authentication, click the appropriate settings.
- Click Next, and then type the external IP address of the ISA Server computer.
  Note Avoid running the Exchange Server services that are being published on the ISA Server computer. If these Exchange Server services are running on the ISA Server computer, disable them. Otherwise, the Exchange Server services will cause port conflicts and publishing rules will not take effect.
- Enter the internal IP address of the Exchange computer.
- Click Finish.

After you complete the wizard, the new rules are listed under Server Publishing Rules. These rules are named "Mail Wizard Rule - Example." Notice that one rule applies to each option that you selected in step 4. Additionally, you see a new mail wizard rule inside your protocol rules. Microsoft recommends this method of publishing the Exchange 2000 Server computer or the Exchange Server 2003 computer for most deployments.

Method 2

Use this method if you cannot configure the default gateway on the Exchange Server computer to the ISA Server computer's internal IP address. This scenario applies if you upgrade a Proxy Server 2.0 computer to ISA Server. The service to the Exchange 2000 Server computer or the Exchange Server 2003 computer is not interrupted by the upgrade, because this method of publishing the Exchange Server services is still available.

Note In some failure recovery cases, the configuration information (Wspcfg.ini) may be lost after an Exchange Server computer has been reinstalled. This behavior causes service interruption to the Exchange Server computer from the ISA Server computer. You can use either method to restore service to the Exchange Server computer. However, Microsoft recommends that you use Method 1 so that you can take full advantage of the SNAT capabilities of ISA Server.

Note Exchange Server 4.0, 5.0, and 5.5 run the Exchange Server-related services under a domain service account. In Exchange 2000 and Exchange 2003, the Exchange Server services run under local system accounts (LocalSystem). These local system accounts cannot authenticate with the ISA Server to bind to the ISA Server computer. Use the Credtool.exe utility to configure these local system accounts to authenticate with and bind to the ISA Server computer. The Credtool utility is installed with the Firewall client, and it is located in the Mspclnt folder.

To bind the required ports and services to the ISA Server computer, follow these steps:
- Install the ISA Firewall client from the ISA Server Mspclnt shared folder.
- Make sure that you have a virtual server for each protocol that you want to bind to the ISA Server computer.
- Start Exchange System Manager, and then expand the virtual server under Servers, and under Protocols.
- In the virtual server properties, make sure that the protocols are set to all unassigned on the General tab.
- Make sure there are no conflicts on the ISA Server computer. To do this, use the netstat command to verify that the following ports do not have any services. For example, you may have to set the ISA Server computer's SMTP service to Manual.
- Create a file named Wspcfg.ini in your Winnt\System32\Inetsrv folder that contains the following information:
  [inetinfo]
  ServerBindTcpPorts=25,110,143,993,995
  Persistent=1
  KillOldSession=1
  ForceCredentials=1
- At a command prompt, change to the ISA Client folder. This ISA Client folder is typically located in the C:\Program Files\Microsoft Firewall Client folder. Then, run the following command:
  credtool -w -n inetinfo -c user domain password
  Note The placeholder user is the user name of a user who has permissions to bind to the ISA Server computer, and the domain is the NetBIOS domain name of that user. The placeholder password is the password of the user.
- In Administrative Tools, double-click Services, and then restart the IIS Admin Service on the Exchange computer.
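
The port-conflict check in the procedure above can be scripted. The following Python sketch is an added example, not part of the original article: it reads the ServerBindTcpPorts value from the Wspcfg.ini content shown above and reports which of those ports already appear as LISTENING in netstat -an output captured on the ISA Server computer. The netstat sample and the function names are constructed for illustration.

```python
import configparser
import re

# The Wspcfg.ini content given in the article.
WSPCFG_INI = """\
[inetinfo]
ServerBindTcpPorts=25,110,143,993,995
Persistent=1
KillOldSession=1
ForceCredentials=1
"""

# Constructed sample of `netstat -an` output from an ISA Server computer
# where a local SMTP service is still listening on port 25.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1745       0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1125          203.0.113.7:110        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def bind_ports(ini_text, section="inetinfo"):
    """Return the TCP ports listed in ServerBindTcpPorts for a section."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(ini_text)
    raw = cfg.get(section, "ServerBindTcpPorts", fallback="")
    return [int(p) for p in raw.split(",") if p.strip()]

def listening_ports(netstat_text):
    """Return the set of local TCP ports in the LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        # Match on the local address column only; remote ports are ignored.
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def port_conflicts(ini_text, netstat_text):
    """Ports the Exchange services must bind that are already taken."""
    taken = listening_ports(netstat_text)
    return [p for p in bind_ports(ini_text) if p in taken]

if __name__ == "__main__":
    for port in port_conflicts(WSPCFG_INI, NETSTAT_SAMPLE):
        print(f"Port {port} is already in use on the ISA Server computer")
```

Any port reported here has to be freed on the ISA Server computer (for example, by setting its SMTP service to Manual) before the IIS Admin Service on the Exchange computer is restarted.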

How to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer on an ISA Server computer

This section describes how to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer on the same computer on which ISA Server is installed.

Method 1

Microsoft recommends that you use this method.
- On the ISA Server computer, start ISA Management, and then expand Publishing.
- Right-click Server Publish Rules, and then click Secure Mail Server.
- After the wizard starts, click Next, and then enter the appropriate configuration information.
  In a typical deployment, click the following options:
  - Incoming SMTP
  - Outgoing SMTP
  If you want to make the server available to POP3 or to IMAP4 users and you want to use SSL authentication, select the appropriate settings.
- Click Next, and then type the external IP address of the ISA Server computer.
- Click Next, click the On the local Host option, and then click Next.
- Click Finish.

After you complete the wizard, two new packet filters appear. The wizard creates these packet filters automatically to enable incoming and outgoing traffic on port 25 (SMTP). To create these packet filters manually, use Method 2 that is described in this section.

Method 2

To create an inbound SMTP filter, follow these steps:
- Start ISA Management.
- Expand Access Policy, and then click IP Packet Filters.
- Click Create a Packet Filter, type a name for the filter, and then click Next.
- Click Allow packet transmission, and then click Next.
- On the Use this Filter page, click Custom, and then click Next.
- On the Filter Setting page, enter the following information:
  IP Protocol: TCP
  Direction: Inbound
  Local Port: Fixed Port
  Port Number: 25
  Remote Port: All ports
- Click Next, click the Default IP address for each external interface on the ISA Server computer option, and then click Next.
- Click the All remote computers option, and then click Next.
- Click Finish.

To create an outbound SMTP filter, follow these steps:
- Start ISA Management.
- Expand Access Policy, and then click IP Packet Filters.
- Click Create a Packet Filter, type a name for the filter, and then click Next.
- Click Allow packet transmission, and then click Next.
- On the Use this Filter page, click Custom, and then click Next.
- On the Filter Setting page, enter the following information:
  IP Protocol: TCP
  Direction: Outbound
  Local Port: All Ports
  Remote Port: Fixed Port
  Port Number: 25
- Click Next, click the Default IP address for each external interface on the ISA Server computer option, and then click Next.
- Click the All remote computers option, and then click Next.
- Click Finish.

REFERENCES

For information about how to obtain SP1 for ISA Server, visit the following Microsoft Web site:

For more information about how to configure the Web Publishing Service with ISA Server, click the following article number to view the article in the Microsoft Knowledge Base:

313072 Configure the Web Publishing Service to work with Internet Security and Acceleration Server in Windows 2000

For additional help and support for ISA Server, visit the following Web sites:

Modification Type: Major
Last Reviewed: 11/18/2005
Keywords: kbinfo KB287646 kbAudITPRO