How to publish an Exchange Server 5.5 computer with ISA Server

This article describes how to publish an Exchange Server 5.5 computer behind a computer that is running Microsoft Internet Security and Acceleration (ISA) Server and on a computer that is running ISA Server.

You can publish an Exchange computer with ISA Server in two ways:

• You can put the Exchange computer behind an ISA Server computer.
• You can put the Exchange computer on an ISA Server computer.

For most typical deployments, Microsoft recommends that you deploy Exchange on a secure network, behind an ISA Server computer. When you do so, you can take full advantage of the ISA Server functionality. If you decide to install Exchange on the same computer as ISA Server or if you plan to deploy the Exchange behind an ISA Server computer on the secure network, there are two ways to give Exchange the ability to send and receive Internet e-mail message.

This article describes the following procedures:

• How to publish an Exchange Server 5.5 computer behind an ISA Server computer.
• How to publish an Exchange Server 5.5 computer on an ISA Server computer.

NOTE: The following types of clients exist when you deploy ISA Server:

• Firewall client
• Secure Network Address Translation (SNAT) client
• Web Proxy client

Only the Firewall Client configuration and the SNAT Client configurations apply to publishing Exchange.

How to Publish an Exchange Server 5.5 Computer Behind an ISA Server Computer

You can use either of the methods that are described in this section to publish an Exchange Server 5.5 computer behind an ISA Server computer. Microsoft recommends that you use Method 1 to take advantage of all the functionality of ISA Server.

Method 1

1. In the TCP/IP properties, configure the Exchange Server computer's default gateway address to point to the internal Internet Protocol (IP) address of the ISA Server computer.
   
   When you do so, the Exchange Server computer acts as an SNAT client.
2. On the ISA Server computer, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
3. Expand Publishing Rules, right-click Server Publish Rules, and then click Secure Mail Server.
4. After the wizard starts, click Next, and then enter the configuration information.
   
   In a typical deployment, click Incoming SMTP and Outgoing SMTP. If you want to make the server available to Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4 (IMAP4) users and if you require the use of Secure Sockets Layer (SSL) authentication, click the appropriate settings.
5. Enter the external IP address of the ISA Server computer.
   
   NOTE: Avoid running the Exchange server services that are being published (POP3, SMTP, and others) on the ISA Server computer. If they are running on the ISA Server computer, disable them. Otherwise, the services will cause port conflicts and publishing rules will not take effect.
6. Enter the internal IP address of the Exchange Server computer.
7. Click Finish.

After you complete the wizard, the new rules are listed under Server Publishing Rules. These rules are named "Mail Wizard Rule - Example." Notice that one rule applies to each option that you selected in step 4. You also see a new mail wizard rule inside your protocol rules.

Method 2

If you use this method, you cannot have the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service installed on the ISA Server computer. This means that you cannot use SMTP filters and that you cannot use the full functionality of ISA Server. Microsoft recommends this deployment only if you cannot configure the Exchange Server computer as a SNAT client.

1. Install and configure Microsoft ISA Server.
2. Install the ISA Server Firewall client on the Exchange Server computer.
   
   NOTE: If the Firewall client is already installed, reinstall it. To do so, connect to the Mspclnt share on the ISA Server computer, and then run Setup.exe from the root folder.
3. Change the DNS settings on the Exchange Server computer.
   
   If an Internet DNS server address is not defined on the Exchange Server computer, the Exchange Server computer cannot send mail correctly.
4. After the ISA Server Firewall client is working, create two Wspcfg.ini files for the Exchange Server computer.
   
   Create the first Wspcfg.ini file for use with the Exchange Server SMTP service. To do so, type the following text into a Notepad file, and then save this file as Wspcfg.ini in the folder in which Msexcimc.exe is located.
   [MSEXCIMC]
   ServerBindTcpPorts=25
   Persistent=1
   KillOldSession=1
   NOTE: After you do so, the SMTP port (25) on the Exchange Server computer is bound to external TCP port 25 on ISA Server. The default location of the Msexcimc.exe file is C:\Exchsrvr\Connect\Msexcimc\Bin\Msexcimc.exe
   
   Create the second Wspcfg.ini file for use with the Exchange Server information store (Store.exe). Paste the following text into a Notepad file (do not manually type the text), and then save this file as Wspcfg.ini in the folder in which Store.exe is located:
   [STORE]
   ServerBindTcpPorts=110,119,143
   Persistent=1
   KillOldSession=1
   
   The default location of Store.exe is C:\Exchsrvr\Bin\Store.exe
   
   NOTE: Do not save the file in Unicode format.
   
   Additional ports, such as ports 119 and 143 listed earlier, can be listed because Store.exe provides Network News Transfer Protocol (NNTP) on port 119, POP mail on port 110, and others.
   
   When you configure the Exchange Server computer to use IMAP4 mail or secure mail, Exchange Server connects to ports 993 and 995 on the ISA Server computer. To make this work, edit the Wspcfg.ini file that is located in the folder in which the Exchange Server Store.exe file is located. These ports must be bound to the external interface on the ISA Server computer. Make the following changes to the Wspcfg.ini file:
   ProxyBindIp=993:ISA_server_address,995:ISA_server_address;
   ServerBindTCPPorts=993,995
   KillOldSession=1
   Persistent=1
5. Verify that the two Wspcfg.ini files do not have a .txt extension appended to the file name.
   
   The .txt extension is appended if your Microsoft Internet Explorer interface settings are set to the default values. The file may appear as Wspcfg.ini.txt. Rename the file if it has a .txt extension.
6. Restart the Exchange Server computer.
   
   After you restart the Exchange Server computer, it automatically listens on the external interface of the ISA Server computer.
7. Test connectivity to the Exchange Server services from a computer that is directly connected to the Internet:
   1. On the test computer, click Start, click Run, and then run Telnet.exe.
   2. Click Connect, and then click Remote System:
      HOST NAME: External IP address of the ISA server
      PORT: 25
      TERM TYPE: vt100
      
   3. After you are connected, you see a blank screen. Press ENTER and wait for 30 seconds. You receive a message from the Exchange Server SMTP service that indicates a good setup. If you do not receive this message, check your settings.
   4. You can also try port 110 to test the POP service.

How to Publish Exchange Server 5.5 on an ISA Server Computer

Method 1

Microsoft recommends this method.

1. On the ISA Server computer, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
2. Expand Publishing Rules, right-click Server Publish Rules, and then click Secure Mail Server.
3. After the wizard starts, click Next, and then enter the appropriate configuration information. In a typical deployment, click the following items:
   • Incoming SMTP
     
   • Outgoing SMTP
     
   If you want to make the server available to POP3 or IMAP4 users or if want to use SSL authentication, select the appropriate settings.
4. Enter the external IP address of the ISA Server computer.
5. Click On the local Host, and then click Next.
6. Click Finish.

After you complete the wizard, two new packets appear. The wizard creates these packets filters automatically to allow incoming and outgoing traffic on port 25 (SMTP). To create these packet filters manually, use Method 2 that is described in this section.

Method 2

To create an inbound SMTP filter, follow these steps:

1. Start ISA Management.
2. Expand Access Policy Tree, and then click IP Packet Filters.
3. Right-click any place in the right pane, and then click New Filter.
4. Type a name for the filter (for example, SMTP Inbound), and then click Next.
5. Click Allow packet transmission, and then click Next.
6. On the Use this Filter page, click Custom.
7. On the Setting page, type the following information:
   IP Protocol: TCP
   Direction: Inbound
   Local Port: Fixed Port
   Port Number: 25
   Remote Port: All ports
   
8. Click Next.
9. In the Default IP address for each external interface on the ISA Server computer box, click the packet filter that you just created, and then click Next.
10. In the All remote computers box, click the packet filter that you just created, and then click Next.
11. Click Finish.

To create an outbound SMTP filter:

1. Start ISA Management.
2. Expand Access Policy Tree, and then click IP Packet Filters.
3. Right-click any place in the right pane, and then click New Filter.
4. Type a name for the filter (for example, SMTP Outbound), and then click Next.
5. Click Allow packet transmission, and then click Next.
6. On the Use this Filter page, click Custom.
7. On the Setting page, type the following information:
   IP Protocol: TCP
   Direction: Outbound
   Local Port: All Ports
   Remote Port: Fixed Port
   Port Number: 25
8. Click Next.
9. In the Default IP Address for each external interface on the ISA Server computer box, click the packet filter that you just created, and then click Next.
10. In the All remote computers box, click the packet filter that you just created, and then click Next.
11. Click Finish.

This article does not apply to configuring Exchange Server 5.5 behind Proxy Server 2.0. For information about this configuration, see the following Microsoft Knowledge Base article: