On 1/5/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote: [...] "SMTP NAT and source IP packet filtering so that I can specify the two
Internet subnets that are permitted through." – this is only possible using Server Publishing; as I stated, packet filters are only useful for ISA-local services. Server Publishing rules allow exceptions that you can use to block unwanted source IPs.
Yes, sir. "need to deny anonymous SMTP connections" – that's a completely
different-colored barrel of horsemonkeys. I think you mean "unknown"? ISA cannot authenticate SMTP connectio0ns at all.
OK, OK, let me rephrase the requirement: There is a list of two /20 Internet subnets to be permitted to establish SMTP connections to the Exchange server. The rest of the Internet can go play with horsemonkeys or do an MX lookup for the appropriate mail servers. ...D *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Danny *Sent:* Friday, January 05, 2007 9:13 AM *To:* isalist@xxxxxxxxxxxxx *Subject:* [isalist] Re: Limit SMTP connections from several subnets in ISA 2000 On 1/5/07, *Jim Harrison* <Jim@xxxxxxxxxxxx> wrote: Nope; that's not true, either. I was just being facetious. I have been inspired by: http://www.tacteam.net/openport.htm SMTP Server Publishing gives you the SMTP Filter and (with ISA 2000 & 2004), the Message Screecher.] For this requirement I just need an SMTP NAT and source IP packet filtering so that I can specify the two Internet subnets that are permitted through. This is far more capable than the "zealot technique". It's packet filters that are for the "openaport" fuuls and they only apply to services operating on the ISA itself. Is this an SBS deployment? Not in the Microsoft SBS software sense, but maybe in employee count. There is a dedicated ISA server and dedicated Exchange server. The change is that email protection has been outsourced to Postini and I need to deny anonymous SMTP connections from the rest of the Internet. ...D *From:* isalist-bounce@xxxxxxxxxxxxx [mailto: isalist-bounce@xxxxxxxxxxxxx] *On Behalf Of *Danny *Sent:* Friday, January 05, 2007 8:24 AM *To:* isalist@xxxxxxxxxxxxx *Subject:* [isalist] Re: Limit SMTP connections from several subnets in ISA 2000 Actually Mr. Teacher, can I have that back. I want to say, at the end of the day, it is the packet filters. :) Server Publishing rules in ISA 2000 are just for all of the "hardware firewall" zealots. However, in appears as though I can only specify one source subnet per packet filter. ...D On 1/5/07, *Danny* <nocmonkey@xxxxxxxxx> wrote: Server publishing, I believe, but ISA 2000 is like MS02 security bulletins to me. Thanks, ...D On 1/3/07, *Jim Harrison* < Jim@xxxxxxxxxxxx> wrote: How is the SMTP service made public; server publishing rules or packet filters? *From:* isalist-bounce@xxxxxxxxxxxxx [mailto: isalist-bounce@xxxxxxxxxxxxx] *On Behalf Of *Danny *Sent:* Wednesday, January 03, 2007 8:17 AM *To:* isalist@xxxxxxxxxxxxx *Subject:* [isalist] Limit SMTP connections from several subnets in ISA 2000 Been awhile since I used ISA 2000... what is the best way to restrict SMTP connections from several specific Internet IP subnets? Thanks. All mail to and from this domain is GFI-scanned. -- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer -- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer All mail to and from this domain is GFI-scanned. -- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer All mail to and from this domain is GFI-scanned.
-- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer