Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Configure ISA 06 to only accept certain smtp IP's?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Configure ISA 06 to only accept certain smtp IP's?


    I've scoured the net and haven't been able to find anything definitive so I'm hoping you all can give me a hand.

    What I'm looking for is a way to setup our ISA 2006 server to only accept inbound smtp traffic from a known set of external IP's addresses and basically refuse/block anyone else coming in on port 25.

    Story is that we have been using MesageLabs as our external filtering service for about 3 months now, and at first we noticed a significant drop in spam but in the last few days it has increased quite a bit. A review of the Exchange 03 smtp logs show that a lot of smtp traffic is coming direct to the exchange server and not through our MX which is pointed at MessageLabs.

    I know that I can (and have successfully tried) setup Exchange so that it will only accept connections from a defined set of subnets. But I would prefer to stop the traffic at the firewall (call me paranoid). I've found some email threads about doing it and after trying to set it up it fails miserably.

    Current setup:

    - ISA 2006 Firewall, SMTP publishing rule points to Exchange 03 server, rule is setup to allow Anywhere to internal IP of Exchange

    To date I have tried the following:

    1. Configured a Network Set
    2. Added Network Set to "From" tab in SMPT publishing rule and removed "Anywhere"
    3. Restart on ISA Firewall
    4. No external email gets through at all (live query shows all smtp "denied" )
    5. Removed Network Set and then created Computer Set (found email thread stating that this was the best way)
    6. did the same as 2 and 3 above
    7. Still no email from any external address

    Can anyone please give me a 'dummies guide' on how to set this up. I must be missing something fundamental as it appears others have set this up successfully. I'm not exactly a noob on ISA but then again I don't have to touch it everyday and therefore I know less than I probably should.