As promised earlier, here's a quick look at the ISA rules to put in place to properly segregate deploy Exchange 2007 Edge Transport servers in the perimeter network. These rules depend on some fundamental assumptions:
- The only hsots that should be allowed to initiate SMTP into the external untrusted network are the Edge servers.
- The only hosts that should be allowed to initiate SMTP into the Edge server are the Hub Transport servers.
- The Edge servers must be able to initiate SMTP into the Hub Transport servers to relay in incoming mail.
- The Hub Transport servers must be able to initiate Edge Subscription connections to the Edge servers over the default custom LDAP ports (TCP 50389 and TCP 50636).
- We're only concerned about SMTP; if we need SSL, we'll use TLS over TCP 25.
So, with that in mind, we first need to create two new computer sets:
- Computer set: Internal mail servers
- Add entries for all your HT servers.
- Computer set: Perimeter mail servers
- Add entries for all your Edge servers.
Next we create a new protocol:
- Protocol: Exchange Edge Subscription
- TCP 50389 outbound
- TCP 50636 outbound
And now, we'll create three rules:
- Rule: Allow SMTP between perimeter and internal mail servers
- Action: Allow
- Protocol: SMTP
- From: Internal mail servers, Perimeter mail servers
- To: Internal mail servers, Perimeter mail servers
- Rule: Allow outbound SMTP from perimeter mail servers
- Action: Allow
- Protocol: SMTP
- From: Perimeter mail servers
- To: External
- Rule: Allow Edge Subscription updates
- Action: Allow
- Protocol: Exchange Edge Subscription
- From: Internal mail servers
- To: Perimeter mail servers
Note that on the "Allow SMTP between perimeter and internal mail servers" rule, we've listed both sets of servers in both the To and From fields. This allows a single rule to cover all SMTP traffic regardless of which side initiates the connection.
Combined with the SCW hardening and other security measures, we've now formed an effective isolation between Edge and the HT servers.