How to enable POP3 access to an external POP3 server in ISA Server 2006 or in ISA Server 2004

This article describes how to create an access rule that enables POP3 access in ISA Server 2006, in ISA Server 2004 or Forefront Threat Management Gateway, Medium Business Edition.

If you are using a client that is running the ISA Server Firewall Client program, you can typically enable POP3 access by creating an access rule. To do this, follow these steps:

1. Start the ISA Server, or the Forefront Threat Management Gateway, Medium Business Edition Management tool.
2. In the Tree pane, right-click Firewall Policy, point to New, and then click Access Rule to start the New Access Rule Wizard.
3. On the Welcome page, type a name for the access rule, such as POP3 Access Rule, and then click Next.
4. On the Rule Action page, click Allow, and then click Next.
5. On the Protocols page, click Selected protocols in the This rule applies to list, and then click Add.
6. In the Add Protocols dialog box, expand Common Protocols, and then click POP3.
7. Click Add, and then click Close.
8. On the Protocols page, click Next.
9. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box.
10. Expand Networks, click Internal, click Add, and then click Close.
    
    Note In this step, it is assumed that the client is part of the ISA Server-protected network that is named "Internal." If this is not the case, select the name of the network where the POP3 client resides.
11. On the Access Rule Sources page, click Next.
12. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box.
13. Expand Networks, click External, click Add, and then click Close.
14. On the Access Rule Destinations page, click Next.
15. On the User Sets page, click the user sets that you want, and then click Next.
    
    Note If you are using a Secure Network Address Translation (SecureNAT) client, you must click All users only. Additionally, this rule must be listed before any access rule that requires user authentication. For example, this rule must be listed according to the following parameters:
    • It must be listed before any access rule for which the All authenticated users setting has been selected.
    • It must be listed before any access rule for which one or both of the following user sets have been selected:
      • Specific user groups
      • Specific users
16. Review the information that is on the wizard summary page, and then click Finish.
17. In the Firewall Policy details pane, click Apply to apply the new access rule.

If you are using a SecureNAT client, a different approach may be needed. You must add an external DNS server to the client's Internet Protocol (IP) settings if the following conditions are true:

• You are using a SecureNAT client.
• The SecureNAT client cannot use the internal Domain Name System (DNS) server to resolve the name of the external POP3 server.

If these conditions are true, you must also take one of the following actions:

• Create an access rule to enable DNS lookups.
• Add the DNS protocol to the access rule that you created in steps 1 through 17.

To create an access rule to enable DNS lookups, follow these steps:

1. Open the ISA Server, or Forefront Threat Management Gateway, Medium Business Edition Management snap-in.
2. In the Tree pane, right-click Firewall Policy, point to New, and then click Access Rule to start the New Access Rule Wizard.
3. On the Welcome page, type a name for the access rule, such as DNS Lookups Rule, and then click Next.
4. On the Rule Action page, click Allow, and then click Next.
5. On the Protocols page, click Selected protocols in the This rule applies to list, and then click Add.
6. In the Add Protocols dialog box, expand Common Protocols, and then click DNS.
7. Click Add, and then click Close.
8. On the Protocols page, click Next.
9. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box.
10. Expand Networks, select Internal, click Add, and then click Close
    
    Note In this step, it is assumed that the client is part of the ISA Server-protected network that is named "Internal." If this is not the case, select the name of the network where the POP3 client resides.
11. On the Access Rules Sources page, click Next.
12. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box.
13. Expand Networks, click External, click Add, and then click Close.
14. On the Access Rule Destinations page, click Next.
15. On the User Sets page, click the user sets that you want, and then click Next.
    
    Note If you are using a SecureNAT client, you must select All users only. Additionally, this rule must be listed before any access rule that requires user authentication. For example, this rule must be listed according to the following parameters:
    • It must be listed before any access rule for which the All authenticated users setting has been selected.
    • It must be listed before any access rule for which one or both of the following user sets have been selected:
      • Specific user groups
      • Specific users
16. Review the information that is on the wizard summary page, and then click Finish.
17. In the Firewall Policy details pane, click Apply to apply the new access rule.