Archived from groups: microsoft.public.win2000.security (More info?)
I performed the following steps. However, keywords that I
added to the SMTP
application filter still go through.
Enabling SMTP Filter on ISA using Message Screener:
Our ISA server is called NHL. On this server the following
is installed:
a.. ISA + Message screener
b.. IIS + SMTP
Our application server is called APPS. On this server the
following is
installed:
a.. Message screener only
b.. IIS + SMTP
c.. Exchange server
Details of Configuration: (you do not have to read the
text in gray)
1.. NHL (ISA server):
1.. Install IIS
2.. Install ISA in full which includes Message Screener
i. If
SMTP service fails to start:
1. IIS MetaEdit 2.2 Utility | LM and SmtpSvc |
Right-click SmtpSvc,
click New, and then click DWORD. In the Id list, click
DisableSocketPooling.
The field to the right should now read 1029. If
DisableSocketPooling is not
in the list, click (Other), and then type 1029 in the box.
In the Data
field, type 1. Click to select the Inherit attribute.
Restart the Simple
Mail Transport Protocol (SMTP) service.
1.. Enable SMTP application filter in ISA | Extensions
| Application
filters (added a keyword: "bom")
2.. Start | Run: dcomcnfg.exe (because SMTP message
screener and ISA
communicate through DCOM)
i.
Applications tab | VendorData class properties | Security
tab |
1. Use custom launch permissions | Edit | Add |
Everyone | Type of
Access: allow launch
2. Use custom access permissions | Edit | Add |
Everyone | Type of
Access: allow access
3. Use custom configuration permissions | Edit | Add
| Everyone | Type
of Access: Full Control
1.. APPS (Application server):
1.. TCP/IP properties | Default Gateway = ISA IP
address
2.. Install IIS in full which includes SMTP
3.. Install Exchange Server:
i.
CDROM\setup\i386\setup.exe /forestprep
ii.
CDROM\setup\i386\setup.exe /domainprep
iii.
CDROM\setup\i386\setup.exe
1.. IIS:
i.
Configure SMTP to use the internal IP address only
ii. Create
remote domain to accept mail from *.internal_domain
iii.
Configure remote domain to relay to Exchange server
1. select forward all mail to smart host: [IP_of_APPS
(ExchangeServer)]
2. select allow incoming mail to be relayed to this
domain
1.. Configure Exchange server to accept mail from
message screener SMTP
server
i.
System Manager | Servers | Protocols | SMTP | Default SMTP
Virtual server
Properties | General tab | Advanced | verify only internal
IP address is
used.
1.. Install message screener from ISA CD-ROM
2.. Run ISACD-ROM\isa\i386\SMTPCred.exe (to set
authentication
credentials to ISA server: I used the domain administrator
account)
3.. Start | Run | dcomcnfg.exe: (because SMTP message
screener and ISA
communicate through DCOM)
i.
Applications tab | VendorData class properties | Security
tab |
1. Use custom launch permissions | Edit | Add |
Everyone | Type of
Access: allow launch
2. Use custom access permissions | Edit | Add |
Everyone | Type of
Access: allow access
3. Use custom configuration permissions | Edit | Add
| Everyone | Type
of Access: Full Control
1.. Exchange System Manager | Server | Protocols |
right-click Default
SMTP Virtual Server properties | Access tab | Relay | I
gave access to my
own computer to test
1.. NHL (ISA server):
1.. Create a server publishing rule using the wizard
and select SMTP
2.. Create a protocol rule to allow DNS queries for
name resolution
3.. Create a new Protocol filter and enable it to
allow: TCP port 135 as
this port is used by outlook clients to access exchange
server
1.. APPS (Application Server)
If you attempt to start Exchange services that run in the
Inetinfo.exe tool,
you may receive the following error message:
Error 1083: The executable program that this service is
configured to run in
does not implement the service.
This issue occurs when you start the following services
from within Exchange
server:
Simple Mail Transport Protocol (SMTP)
Network News Transport Protocol (NNTP)
Post Office Protocol version 3 (POP3)
Internet Message Access Protocol version 4 (IMAP4)
Microsoft Exchange Routing Engine
CAUSE
This issue can occur because these services have not been
configured to run
in the Inetinfo.exe tool. They have been either configured
to run in the
Dllhost.exe tool, or not configured to run in any tool.
RESOLUTION
1. Start Registry Editor
(Regedt32.exe).
2. Locate and click the following
registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetIn
fo\Parameters\Dis
patchEntries
3. Click the value for the service
that you attempted
to start.
4. On the Edit menu, click Multi
String, and then add
the following values:
Ldapsvc
Smtpsvc
Nntpsvc
Imap4svc
Pop3svc
Resvc
5. Click OK.
6. Quit Registry Editor.
7. Start Administrative Tools,
click Services, and
then restart the Internet Information Service (IIS)
Administrator service.
STATUS
Microsoft has confirmed that this is a problem in
Microsoft Exchange 2000
Server.
Hebba Hussain Rostom
Facility Manager
New Horizons (Jeddah, S.A.)
E-mail: hebba@newhorizons.com.sa
I performed the following steps. However, keywords that I
added to the SMTP
application filter still go through.
Enabling SMTP Filter on ISA using Message Screener:
Our ISA server is called NHL. On this server the following
is installed:
a.. ISA + Message screener
b.. IIS + SMTP
Our application server is called APPS. On this server the
following is
installed:
a.. Message screener only
b.. IIS + SMTP
c.. Exchange server
Details of Configuration: (you do not have to read the
text in gray)
1.. NHL (ISA server):
1.. Install IIS
2.. Install ISA in full which includes Message Screener
i. If
SMTP service fails to start:
1. IIS MetaEdit 2.2 Utility | LM and SmtpSvc |
Right-click SmtpSvc,
click New, and then click DWORD. In the Id list, click
DisableSocketPooling.
The field to the right should now read 1029. If
DisableSocketPooling is not
in the list, click (Other), and then type 1029 in the box.
In the Data
field, type 1. Click to select the Inherit attribute.
Restart the Simple
Mail Transport Protocol (SMTP) service.
1.. Enable SMTP application filter in ISA | Extensions
| Application
filters (added a keyword: "bom")
2.. Start | Run: dcomcnfg.exe (because SMTP message
screener and ISA
communicate through DCOM)
i.
Applications tab | VendorData class properties | Security
tab |
1. Use custom launch permissions | Edit | Add |
Everyone | Type of
Access: allow launch
2. Use custom access permissions | Edit | Add |
Everyone | Type of
Access: allow access
3. Use custom configuration permissions | Edit | Add
| Everyone | Type
of Access: Full Control
1.. APPS (Application server):
1.. TCP/IP properties | Default Gateway = ISA IP
address
2.. Install IIS in full which includes SMTP
3.. Install Exchange Server:
i.
CDROM\setup\i386\setup.exe /forestprep
ii.
CDROM\setup\i386\setup.exe /domainprep
iii.
CDROM\setup\i386\setup.exe
1.. IIS:
i.
Configure SMTP to use the internal IP address only
ii. Create
remote domain to accept mail from *.internal_domain
iii.
Configure remote domain to relay to Exchange server
1. select forward all mail to smart host: [IP_of_APPS
(ExchangeServer)]
2. select allow incoming mail to be relayed to this
domain
1.. Configure Exchange server to accept mail from
message screener SMTP
server
i.
System Manager | Servers | Protocols | SMTP | Default SMTP
Virtual server
Properties | General tab | Advanced | verify only internal
IP address is
used.
1.. Install message screener from ISA CD-ROM
2.. Run ISACD-ROM\isa\i386\SMTPCred.exe (to set
authentication
credentials to ISA server: I used the domain administrator
account)
3.. Start | Run | dcomcnfg.exe: (because SMTP message
screener and ISA
communicate through DCOM)
i.
Applications tab | VendorData class properties | Security
tab |
1. Use custom launch permissions | Edit | Add |
Everyone | Type of
Access: allow launch
2. Use custom access permissions | Edit | Add |
Everyone | Type of
Access: allow access
3. Use custom configuration permissions | Edit | Add
| Everyone | Type
of Access: Full Control
1.. Exchange System Manager | Server | Protocols |
right-click Default
SMTP Virtual Server properties | Access tab | Relay | I
gave access to my
own computer to test
1.. NHL (ISA server):
1.. Create a server publishing rule using the wizard
and select SMTP
2.. Create a protocol rule to allow DNS queries for
name resolution
3.. Create a new Protocol filter and enable it to
allow: TCP port 135 as
this port is used by outlook clients to access exchange
server
1.. APPS (Application Server)
If you attempt to start Exchange services that run in the
Inetinfo.exe tool,
you may receive the following error message:
Error 1083: The executable program that this service is
configured to run in
does not implement the service.
This issue occurs when you start the following services
from within Exchange
server:
Simple Mail Transport Protocol (SMTP)
Network News Transport Protocol (NNTP)
Post Office Protocol version 3 (POP3)
Internet Message Access Protocol version 4 (IMAP4)
Microsoft Exchange Routing Engine
CAUSE
This issue can occur because these services have not been
configured to run
in the Inetinfo.exe tool. They have been either configured
to run in the
Dllhost.exe tool, or not configured to run in any tool.
RESOLUTION
1. Start Registry Editor
(Regedt32.exe).
2. Locate and click the following
registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetIn
fo\Parameters\Dis
patchEntries
3. Click the value for the service
that you attempted
to start.
4. On the Edit menu, click Multi
String, and then add
the following values:
Ldapsvc
Smtpsvc
Nntpsvc
Imap4svc
Pop3svc
Resvc
5. Click OK.
6. Quit Registry Editor.
7. Start Administrative Tools,
click Services, and
then restart the Internet Information Service (IIS)
Administrator service.
STATUS
Microsoft has confirmed that this is a problem in
Microsoft Exchange 2000
Server.
Hebba Hussain Rostom
Facility Manager
New Horizons (Jeddah, S.A.)
E-mail: hebba@newhorizons.com.sa
Facebook
Twitter
Instagram