Hahah... Thanks, Jim.

FWIW, the computer set worked flawlessly. Now all the SMTP connections from others who aren't supposed to be sending us SMTP mail are blocked at the FW. In watching the firewall log now, I can easily pick out all the SMTP traffic that's not supposed to come through... Never ceases to amaze how these connections from various DHCP pools (DSL, cable, whatever) at carriers in Brazil, Taiwan, etc. are just spewing this stuff out... All the wasted bandwidth and zombified PCs.... *sigh*

Joe P

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, June 06, 2008 10:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

I guess we need to have another round of <duh> moments to make Joe feel better about himself - I'll start.

I filed a bug some months ago because every time I applied an ISA patch through an external RDP session, I'd lose the session and would have to jump on the console to complete the installation. Needless to say, this would drop ISATools.org until I could go home.

Just this week, it suddenly occurred to me why this failed and yes; it's "by design", and not entirely that of ISA Server. I don't use system policies to allow RDP from the Internet. Instead, I:

1. server-publish to the internal IP
2. use custom ports for the listener
3. bind TS to the internal NIC only

When the ISA services stop, so do any server publishing or web listeners. Although system policies provide for inbound RDP in lockdown mode, because I didn't allow TS to bind to the external NIC, I was breaking myself whenever I'd try to update ISA from "outside".

Needless to say, the bug has been closed as "no repro"...

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Pochedley
Sent: Friday, June 06, 2008 6:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

Thanks, Jim. For some reason I was so focused on Networks that I forgot about computer sets (and the fact that you can specify address ranges in a computer set). Duh on my part.

I'll just blame the lapse in memory on having worked 14 hours yesterday (not wholly on this issue, mostly on our Exchange upgrade)... But if I haven't learned the lesson "if you can't figure it out late in the evening, stop and look at it again in the morning" by now, then I probably never will. :)

Thanks again.

Joe P

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, June 06, 2008 1:22 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

Yes.

You create a computer set and populate it with the addresses and subnets as specified in the EHS admin page. Then you apply this computer set to the SMTP server publishing rule "From" tab.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Pochedley
Sent: Thursday, June 05, 2008 8:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Possible to Filter inbound publishing rules by source (remote) IP?

Hopefully an easy one for the ISA gurus...

Recently we signed up for Microsoft's Frontbridge spam filtering service. As part of the setup, the MX record of our company has been changed to Microsoft's service... (Like PostINI and other hosted filtering services.)

Microsoft recommends only allowing inbound SMTP connections from their list of servers. This seems like a good idea, as I still see spam coming direct into our IP (old MX record) and not being routed through the service even though it's been more than a month since I changed the MX records...

Unfortunately, I can't find a way to make the publishing rule bend to my will and accept incoming SMTP connections only from the authorized IP addresses.

Can it be done? If so, would someone be kind enough to point me in the right direction?

Running ISA 2006 here.

Joe Pochedley
Network & Telecommunications Manager
The North American Mfg. Co.
email: JoePochedley@xxxxxxxxx