ISA Server rules for segregating Exchange 2007 Edge and Hub Transport

As promised earlier, here’s a quick look at the ISA rules to put in place to properly segregate Exchange 2007 Edge Transport servers deployed in the perimeter network. These rules depend on some fundamental assumptions:

  1. The only hosts that should be allowed to initiate SMTP into the external untrusted network are the Edge servers.
  2. The only hosts that should be allowed to initiate SMTP into the Edge server are the Hub Transport servers.
  3. The Edge servers must be able to initiate SMTP into the Hub Transport servers to relay in incoming mail.
  4. The Hub Transport servers must be able to initiate Edge Subscription connections to the Edge servers over the default custom LDAP ports (TCP 50389 and TCP 50636).
  5. We’re only concerned about SMTP; if we need SSL, we’ll use TLS over TCP 25.

So, with that in mind, we first need to create two new computer sets:

Computer set: Internal mail servers
  • Add entries for all your HT servers.


Computer set: Perimeter mail servers
  • Add entries for all your Edge servers.

Next we create a new protocol:

Protocol: Exchange Edge Subscription
  • TCP 50389 outbound
  • TCP 50636 outbound

And now, we’ll create three rules:

Rule: Allow SMTP between perimeter and internal mail servers
  • Action: Allow
  • Protocol: SMTP
  • From: Internal mail servers, Perimeter mail servers
  • To: Internal mail servers, Perimeter mail servers


Rule: Allow outbound SMTP from perimeter mail servers
  • Action: Allow
  • Protocol: SMTP
  • From: Perimeter mail servers
  • To: External


Rule: Allow Edge Subscription updates
  • Action: Allow
  • Protocol: Exchange Edge Subscription
  • From: Internal mail servers
  • To: Perimeter mail servers

Note that on the “Allow SMTP between perimeter and internal mail servers” rule, we’ve listed both sets of servers in both the To and From fields. This allows a single rule to cover all SMTP traffic regardless of which side initiates the connection.
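To make the effect of these three rules concrete, here is a small policy model, added as an example (not part of the original post and not an ISA Server API): the two computer sets and the custom protocol are data, and a first-match evaluator mimics ISA’s behaviour of applying the first matching access rule and denying anything no rule covers. The IP addresses are constructed placeholders, not values from the post.

```python
"""Model of the three ISA access rules for Edge/Hub Transport segregation.

Added illustration, not ISA Server code. Computer-set membership, the
protocol definitions and the rule order mirror the post; the addresses
are constructed sample values.
"""
from dataclasses import dataclass

# Constructed sample members for the two computer sets.
COMPUTER_SETS = {
    "Internal mail servers": {"10.0.1.10", "10.0.1.11"},   # Hub Transport servers
    "Perimeter mail servers": {"192.168.100.5"},           # Edge Transport servers
}

# Protocol name -> set of (transport, port) pairs it covers.
PROTOCOLS = {
    "SMTP": {("tcp", 25)},
    "Exchange Edge Subscription": {("tcp", 50389), ("tcp", 50636)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "Allow" or "Deny"
    protocol: str          # key into PROTOCOLS
    sources: tuple         # computer-set names, or "External"
    destinations: tuple


# Rule order matters: ISA applies the first rule that matches the flow.
RULES = [
    Rule("Allow SMTP between perimeter and internal mail servers", "Allow", "SMTP",
         ("Internal mail servers", "Perimeter mail servers"),
         ("Internal mail servers", "Perimeter mail servers")),
    Rule("Allow outbound SMTP from perimeter mail servers", "Allow", "SMTP",
         ("Perimeter mail servers",), ("External",)),
    Rule("Allow Edge Subscription updates", "Allow", "Exchange Edge Subscription",
         ("Internal mail servers",), ("Perimeter mail servers",)),
]


def classify(ip):
    """Return the computer set containing ip, or "External" if it is in none."""
    for name, members in COMPUTER_SETS.items():
        if ip in members:
            return name
    return "External"


def evaluate(src_ip, dst_ip, transport, port):
    """First-match evaluation of a connection initiated by src_ip to dst_ip:port.

    Returns the name of the Allow rule that permits the flow, or None when the
    flow hits a Deny rule or no rule at all (ISA's implicit deny).
    """
    src_set, dst_set = classify(src_ip), classify(dst_ip)
    for rule in RULES:
        if (transport, port) not in PROTOCOLS[rule.protocol]:
            continue
        if src_set in rule.sources and dst_set in rule.destinations:
            return rule.name if rule.action == "Allow" else None
    return None


if __name__ == "__main__":
    # Walk through the flows the post's assumptions care about.
    flows = [
        ("HT -> Edge SMTP",            "10.0.1.10",     "192.168.100.5", "tcp", 25),
        ("Edge -> HT SMTP",            "192.168.100.5", "10.0.1.10",     "tcp", 25),
        ("Edge -> Internet SMTP",      "192.168.100.5", "203.0.113.25",  "tcp", 25),
        ("HT -> Internet SMTP",        "10.0.1.10",     "203.0.113.25",  "tcp", 25),
        ("HT -> Edge Edge Subscription", "10.0.1.10",   "192.168.100.5", "tcp", 50636),
        ("Edge -> HT Edge Subscription", "192.168.100.5", "10.0.1.10",   "tcp", 50636),
    ]
    for label, src, dst, transport, port in flows:
        print(f"{label:32} -> {evaluate(src, dst, transport, port) or 'DENIED'}")
```

The symmetric From/To lists on the first rule are what make both the HT-to-Edge and the Edge-to-HT SMTP flows match a single rule, while a Hub Transport server trying to send SMTP straight to the Internet, or an Edge server trying to open the subscription ports back towards the Hub, falls through to the implicit deny. Inbound SMTP from the Internet to the Edge servers is not covered by these three access rules and is therefore denied by this model as well.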

Combined with the SCW hardening and other security measures, we’ve now formed an effective isolation between Edge and the HT servers.


About Devin

Husband and father; technology consultant, speaker, author, and blogger; Microsoft Exchange architect and MVP; writer, reader, Xbox player, karate student, and music lover. Seeker of balance, reveler in life, learning how to look for the uplifting.
This entry was posted in 3Sharp, Exchange.

One Response to ISA Server rules for segregating Exchange 2007 Edge and Hub Transport

  1. Ian Banyard says:

    Actually this is incorrect, only 50636 is required for sync, 50389 is the port that the edge server uses to talk to itself for ADAM services. (would still need to open out in security templates or host-based firewall)…
