How to publish an Exchange 2000 Server server or an Exchange Server 2003 server behind an ISA Server computer
To configure an Exchange 2000 Server server or an Exchange
Server 2003 server that is behind an ISA Server computer, the following four
main components must be present:
- A Site and Content rule to enable outgoing Simple Mail
Transfer Protocol (SMTP) traffic.
- A Protocol rule to enable outgoing SMTP traffic.
- Server Publishing rules for each incoming protocol that you
want to have.
- Correct IP routing.
Note You can use the Secure Mail Server Wizard in the ISA Management
snap-in to automatically configure most of these components.
You can
use either of the methods that are described in this section to publish an
Exchange 2000 computer or an Exchange 2003 computer behind an ISA Server
computer. Microsoft recommends that you use Method 1 to take advantage of all
the functionality of the ISA Server.
Method 1
- In the TCP/IP properties, configure the Microsoft Exchange
Server server's default gateway address to point to the internal IP address of
the ISA Server computer. When you do this, the Exchange Server server acts
as a Secure Network Address Translation (SNAT) client.
- On the ISA Server computer, click Start, point to
Programs, point to Microsoft ISA Server, and
then click ISA Management.
- Expand Publishing, right-click
Server Publish Rules, and then click Secure Mail
Server.
- After the wizard starts, click Next, and
then enter the configuration information. In a typical deployment,
click Incoming SMTP and Outgoing SMTP. If you
want to make the server available to Post Office Protocol version 3 (POP3) or
Internet Message Access Protocol version 4 (IMAP4) users and you require SSL
authentication, click the appropriate settings.
- Click Next, and then type the external IP address
of the ISA Server computer.
Note Avoid running the Exchange Server services that are being
published on the ISA Server computer. If these Exchange Server services are
running on the ISA Server computer, disable them. Otherwise, the Exchange
Server services will cause port conflicts and the publishing rules will not take
effect.
- Enter the internal IP address of the Exchange
computer.
- Click Finish.
After you complete the wizard, the new rules are listed under
Server Publishing Rules. These rules are named "Mail Wizard
Rule - Example." Notice that one rule applies to each option that you selected
in step 4.
Additionally, you see a new mail wizard rule inside your
protocol rules. Microsoft recommends this method of publishing the Exchange
2000 Server server or the Exchange Server 2003 server for most deployments.
Method 2
Use this method if you cannot configure the Exchange Server server's default
gateway to point to the ISA Server computer's internal IP address.
This scenario applies if you upgrade a Proxy Server 2.0 computer to an ISA
Server computer. Service to the Exchange 2000 Server server or the Exchange Server 2003
server is not interrupted by the upgrade, because this method of publishing the
Exchange Server services is still available.
Note In some failure recovery cases, the configuration information
(Wspcfg.ini) may be lost after an Exchange Server server has been reinstalled.
This behavior causes service interruption to the Exchange Server server from
the ISA Server computer. You can use either method to restore service back to
the Exchange Server server. However, Microsoft recommends that you use Method 1
so that you can take full advantage of the SNAT capabilities of ISA
Server.
Note Exchange Server 4.0, 5.0, and 5.5 run the Exchange Server-related
services under a domain service account. In Exchange 2000 and Exchange 2003,
the Exchange Server services run under local system accounts (LocalSystem).
These local system accounts cannot authenticate with the ISA Server to bind to
the ISA Server computer. Use the Credtool.exe utility to configure these local
system accounts to authenticate with and bind to the ISA Server computer. The
Credtool utility is installed with the Firewall client, and it is located in
the Mspclnt folder.
To bind the required ports and services to the ISA
Server computer, follow these steps:
- Install the ISA Firewall client from the ISA Server Mspclnt
shared folder.
- Make sure that you have a virtual server for each protocol
that you want to bind to the ISA Server computer.
- Start Exchange System Manager, and then expand the virtual
server under Servers and under
Protocols.
- In the virtual server properties, make sure that the
protocols are set to all unassigned on the
General tab.
- Make sure that there are no port conflicts on the ISA Server
computer. To do this, use the netstat command to verify that no services are
listening on the ports that you will bind in the Wspcfg.ini file (the next step).
For example, you may have to set the ISA Server computer's SMTP
service to Manual.
- Create a file named Wspcfg.ini in your
Winnt\System32\Inetsrv folder that contains the following information:
[inetinfo]
ServerBindTcpPorts=25,110,143,993,995
Persistent=1
KillOldSession=1
ForceCredentials=1
- At a command prompt, change to the ISA Client folder. This
ISA Client folder is typically located in the C:\Program Files\Microsoft
Firewall Client folder. Then, run the following command:
credtool -w -n inetinfo -c user domain password
Note The placeholder user is the user name
of a user who has permissions to bind to the ISA Server computer, and the placeholder
domain is the NetBIOS domain name of that user. The placeholder
password is the password of the user.
- In Administrative Tools, double-click
Services, and then restart the IIS Admin Service on the
Exchange computer.
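The port-conflict check in the steps above is done by reading netstat output by hand. The following added example (not part of the original article) automates it: it reads the ServerBindTcpPorts list from a Wspcfg.ini file and compares it with the TCP ports that "netstat -an" reports as LISTENING on the ISA Server computer. Both inputs are constructed samples embedded inline; the conflict on port 25 models an ISA Server computer whose own SMTP service is still running.

```python
import re
from configparser import ConfigParser

# Constructed sample of the Wspcfg.ini file described in the procedure above.
WSPCFG_INI = """[inetinfo]
ServerBindTcpPorts=25,110,143,993,995
Persistent=1
KillOldSession=1
ForceCredentials=1
"""

# Constructed sample of "netstat -an" output captured on the ISA Server
# computer. Port 25 is still owned by the local SMTP service (a conflict).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:8080       0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1745       192.168.0.10:1025      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def bind_ports(ini_text):
    """Return the TCP ports listed under [inetinfo] ServerBindTcpPorts."""
    cfg = ConfigParser()
    cfg.optionxform = str  # keep key names exactly as written in the file
    cfg.read_string(ini_text)
    raw = cfg.get("inetinfo", "ServerBindTcpPorts", fallback="")
    return sorted({int(p) for p in raw.split(",") if p.strip()})

def listening_tcp_ports(netstat_text):
    """Parse netstat -an lines and return the TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def port_conflicts(ini_text, netstat_text):
    """Ports that Wspcfg.ini would bind but that a local service already owns."""
    return sorted(set(bind_ports(ini_text)) & listening_tcp_ports(netstat_text))

if __name__ == "__main__":
    for port in port_conflicts(WSPCFG_INI, NETSTAT_OUTPUT):
        print(f"conflict: port {port} is already in use on the ISA Server computer")
```

Every port reported as a conflict must be freed (for example by setting the corresponding ISA Server computer service to Manual, as the step above says) before the Wspcfg.ini binding can take effect.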
How to publish an Exchange 2000 Server server or an Exchange Server 2003 server on an ISA Server computer
This section describes how to publish an Exchange 2000 Server
server or an Exchange Server 2003 server on the same computer on which ISA
Server is installed.
Method 1
Microsoft recommends that you use this method.
- On the ISA Server computer, start ISA Management, and then expand
Publishing.
- Right-click Server Publish Rules, and then
click Secure Mail Server.
- After the wizard starts, click Next, and
then enter the appropriate configuration information. In a typical deployment,
click the following options:
- Incoming SMTP
- Outgoing SMTP
If you want to make the server available to POP3 or to IMAP4
users and you want to use SSL authentication, select the appropriate
settings.
- Click Next, and then type the external IP
address of the ISA Server computer.
- Click Next, click the On the local
Host option, and then click Next.
- Click Finish.
After you complete the wizard, two new packet filters appear. The
wizard creates these packet filters automatically to enable incoming and
outgoing traffic on port 25 (SMTP). To create these packet filters manually,
use Method 2 that is described in this section.
Method 2
To create an inbound SMTP filter, follow these steps:
- Start ISA Management.
- Expand Access Policy, and then click
IP Packet Filters.
- Click Create a Packet Filter, type a name
for the filter, and then click Next.
- Click Allow packet transmission, and then
click Next.
- On the Use this Filter page, click
Custom, and then click Next.
- On the Filter Setting page, enter the
following information:
IP Protocol: TCP
Direction: Inbound
Local Port: Fixed Port
Port Number: 25
Remote Port: All ports
- Click Next, click the Default
IP address for each external interface on the ISA Server computer
option, and then click Next.
- Click the All remote computers option, and
then click Next.
- Click Finish.
To create an outbound SMTP filter, follow these steps:
- Start ISA Management.
- Expand Access Policy, and then click
IP Packet Filters.
- Click Create a Packet Filter, type a name
for the filter, and then click Next.
- Click Allow packet transmission, and then
click Next.
- On the Use this Filter page, click
Custom, and then click Next.
- On the Filter Setting page, enter the
following information:
IP Protocol: TCP
Direction: Outbound
Local Port: All Ports
Remote Port: Fixed Port
Port Number: 25
- Click Next, click the Default
IP address for each external interface on the ISA Server computer
option, and then click Next.
- Click the All remote computers option, and
then click Next.
- Click Finish.