Saturday, 17 January 2009

SBS 2003 - ISA and ExchangeDefender IP Subnets

Since our switch to the ExchangeDefender service for our own e-mail is now over 72 hours old, we can be reasonably confident that there are no other e-mail servers out there that are using our old DNS MX records that pointed to our three SBS sites.

Since we purchased SBS 2003 R2 Premium SA for two of our sites, we will be migrating both sites to SBS 2008 and still be eligible to protect those sites with ISA.

In the meantime, our sites are still behind ISA running on SBS 2003 R2 Premium.

Now, the ExchangeDefender Deployment Guide addresses the need to limit the IP subnets that can reach the internal Exchange server, but it does not go into much detail. The recommendation is to limit SMTP traffic at the firewall, but since there are so many firewall products out there, the deployment guide only shows us how to set the IP subnet restrictions in Exchange itself.

Here are the ExchangeDefender IP subnets:

ExchangeDefender IP Subnets

For SBS 2003 R2 Premium with ISA 2004 SP3 installed, and for the time when we migrate to SBS 2008 protected by our Software Assurance benefit of ISA 2006 SP1, the setup is actually quite simple.

In the case of SBS 2003 R2 Premium, we took the default SBS Smtp Server Access Rule that had the External network set as the From/Listener and removed it. We then created the ExchangeDefender Subnets in the Add dialogue on the From tab for the rule. The following screenshot shows the modification:

ISA - SBS Smtp Server Access Rule Properties - From Tab

And, once the edit is complete and the APPLY button in ISA has been clicked on:

Default SBS SMTP Rule modified with the ExchangeDefender subnets

The rule setup will be similar on the standalone ISA 2006 SP1.

Once the 72 hours have passed and legitimate e-mail is flowing solely through the ExchangeDefender network, head into the ISA live Logging feature and filter the query on the SMTP protocol. It will become readily apparent that there are a lot of illegitimate SMTP connection attempts being made.

ISA blocking SMTP attempts

In this particular screenshot, the IP address is from Kiev (Kyyiv) in the Ukraine.

And this one is from Kuala Lumpur:

ISA blocking SMTP attempts
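
The same log check can be run offline against an exported log. The following Python sketch is an added example, not part of the original post: it flags SMTP connections that were allowed from outside the allowlist, relay addresses that were denied, and counts the denied outside sources. The subnets are placeholder documentation ranges (the real ExchangeDefender ranges are not reproduced here), and the three-column tab-separated log format is a constructed simplification, not ISA's native export.

```python
import ipaddress
from collections import Counter

# Placeholder allowlist (RFC 5737 documentation ranges), NOT the real
# ExchangeDefender subnets: substitute the provider's published ranges.
ALLOWED_SUBNETS = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample export: source IP <TAB> destination port <TAB> action.
SAMPLE_LOG = (
    "192.0.2.14\t25\tAllowed\n"
    "203.0.113.77\t25\tDenied\n"
    "203.0.113.77\t25\tDenied\n"
    "198.51.100.200\t25\tDenied\n"   # just outside the /25
    "203.0.113.5\t25\tAllowed\n"     # rule leak
    "192.0.2.30\t25\tDenied\n"       # relay wrongly blocked
    "192.0.2.14\t443\tAllowed\n"     # not SMTP, ignored
    "not-an-ip\t25\tDenied\n"        # malformed, counted as skipped
)

def audit_smtp(log_text, port=25):
    """Classify SMTP log entries against the relay allowlist."""
    leaks, blocked_relays, outside_denied, skipped = [], [], Counter(), 0
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3:
            skipped += 1
            continue
        src, dport, action = fields
        if dport != str(port):
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            skipped += 1
            continue
        trusted = any(ip in net for net in ALLOWED_SUBNETS)
        allowed = action.lower() == "allowed"
        if allowed and not trusted:
            leaks.append(src)            # rule is broader than intended
        elif trusted and not allowed:
            blocked_relays.append(src)   # firewall rule is missing a range
        elif not allowed:
            outside_denied[src] += 1     # expected: direct-to-MX attempts
    return {"leaks": leaks, "blocked_relays": blocked_relays,
            "outside_denied": outside_denied, "skipped": skipped}

if __name__ == "__main__":
    for key, value in audit_smtp(SAMPLE_LOG).items():
        print(key, value)
```

An empty `leaks` list and an empty `blocked_relays` list are the healthy result; anything in either means the firewall rule and the provider's published ranges have drifted apart.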

We certainly hope that, as time goes by, the IP address associated with our Exchange server no longer resides on spammers' e-mail server IP address lists.

Now that we have seen this, ExchangeDefender makes even more sense to us.

Philip Elder
Microsoft Small Business Specialists
