I don’t think a day goes by without someone asking either how to configure ISA Server to allow Outlook Express to work, or how to fix a problem with ISA Server because Outlook Express isn’t working properly. Instead of answering the same question over and over again, I’ve put together this article on how to configure ISA Server to work with Outlook Express, or any other email client that needs access to the common email protocols.
I am going to assume that those of you who have difficulties getting your email clients to work are in a small office environment, and therefore do not have a sophisticated supporting network infrastructure. I will assume you do not have a WINS, DNS or DHCP server on your network. If you do have a sophisticated network infrastructure in place, you should be able to figure out what the problem is on your own!
[LIST]
[*]Configuring the ISA Server interfaces
[*]Configuring the LAT and LDT
[*]Configuring the Dial-up Entry for a dial-up connection on the external interface
[*]Configuring Protocol Rules
[*]Installing the Firewall client on Windows-based computers
[*]Optional Configuration Settings
[/LIST]
After you go through each of these configuration issues, Outlook Express or any other email client should work famously!
Configure the ISA Server Interfaces
You should configure the interfaces of the ISA Server to support the ISA Server installation before you install ISA Server. The ISA Server will have two interfaces: an internal interface that is connected to your LAN, and an external interface that is connected to the Internet. The external interface can be a permanent interface or a dial-up interface.
If you are using a dial-up interface, your ISP will configure it automatically for you when the dial-up connection is established. The dial-up interface will be automatically assigned an IP address, gateway, and DNS server. So, there’s no reason for you to configure any of these on the DUN connectoid.
If you are using a permanent interface, you’ll need to configure it manually, unless you’re using a DSL or cable connection, in which case DHCP will configure the interface for you.
To manually configure the external interface, do the following:
IP Address: The address the ISP tells you to assign to the interface
Subnet Mask: The subnet mask the ISP tells you to assign to the interface
DNS server: The IP address of your ISP’s DNS server or servers
Default gateway: The gateway address your ISP tells you to use
Everyone has to configure their internal interface, regardless of the type of external interface you are using. To manually configure the internal interface, do the following:
IP Address: Any private IP address that is on the same network ID as your internal network directly connected to this interface.
Subnet Mask: A subnet mask appropriate for the network ID for the network the interface is directly connected to.
DNS server: Since you don’t have your own DNS server, don’t enter a DNS server address here.
Default Gateway: Do not enter a default gateway address on the internal interface. NEVER enter a default gateway address on the internal interface!
The ISA Server uses its own DNS settings to resolve Internet host names on behalf of Firewall clients, so make sure the DNS server settings on the ISA Server are configured correctly.
There are other considerations for setting up the internal and external network interfaces.
What I’ve listed above should be considered the minimum interface configuration. Check the Learning Zone and our book for more details on interface configuration.
Configure the LAT and LDT
The Firewall client uses the Local Address Table (LAT) and the Local Domain Table (LDT) to determine which IP addresses and domain names are external and which are internal. If an IP address or FQDN is on the LAT or LDT, the Firewall client software does not handle the request and the request is sent directly to the internal host. This means that the ISA Server does not handle requests for hosts on the LAT and LDT.
It’s critical that you have the correct entries in the LAT. If you accidentally include external network IP addresses in the LAT, you can severely compromise the security of your ISA Server. If you do not include your internal network addresses in the LAT, the clients may not be able to access the Internet.
One tip for configuring the LAT: allow the ISA Server setup procedure to create the LAT based on the routing table and select the internal network interface in the setup dialog box. There’s little chance that you’ll get things wrong if you do it this way.
For a small network like yours, it’s unlikely that you’ll have multiple internal network segments. But if you do have multiple internal network segments, you’ll need to add routing table entries for each network segment. Check out the Windows Help File or our book for details on how to add these routing table entries.
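The interface rules above (ISP-assigned address, mask, gateway and DNS on the external interface; a private address with no default gateway and no DNS server on the internal interface) and the LAT rule (cover the internal subnet, never include external addresses) are easy to state and easy to get wrong. The following is an added example, not code from the article or from ISA Server, that checks a proposed layout against those rules. It models the LAT as a list of first/last address pairs and uses constructed sample addresses (203.0.113.0/24 stands in for the ISP-assigned public range); the external interface is treated as statically configured, so a dial-up interface that is filled in by the ISP at connect time would be checked after the connection is up.

```python
# Added example (not from the article): sanity-check an ISA Server network layout
# against the article's rules. All addresses are constructed sample values.
from ipaddress import IPv4Address, IPv4Network, ip_network, summarize_address_range

# Ranges that may legitimately appear in a LAT: RFC 1918 private space, loopback
# and link-local. Anything outside these is treated as external and flagged.
PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
]


def _lat_networks(lat):
    """Expand (first_address, last_address) LAT ranges into CIDR networks."""
    nets = []
    for first, last in lat:
        nets.extend(summarize_address_range(IPv4Address(first), IPv4Address(last)))
    return nets


def check_config(external, internal, lat):
    """Return a list of problems; an empty list means the layout follows the rules.

    external / internal: dicts with keys ip, mask, gateway, dns (gateway/dns may be None).
    lat: list of (first_address, last_address) string pairs (assumed representation).
    """
    problems = []

    # External interface: everything the ISP hands out must be present.
    for key in ("ip", "mask", "gateway", "dns"):
        if not external.get(key):
            problems.append(f"external interface is missing {key}")

    # Internal interface: private address, no default gateway, no DNS server.
    int_ip = IPv4Address(internal["ip"])
    if not int_ip.is_private:
        problems.append(f"internal interface address {int_ip} is not a private address")
    if internal.get("gateway"):
        problems.append("internal interface has a default gateway (never configure one)")
    if internal.get("dns"):
        problems.append("internal interface has a DNS server (leave it empty on this network)")

    int_net = IPv4Network(f"{internal['ip']}/{internal['mask']}", strict=False)
    if external.get("ip") and IPv4Address(external["ip"]) in int_net:
        problems.append("external interface address lies inside the internal subnet")

    # LAT: must cover the internal subnet and must not include any external range.
    lat_nets = _lat_networks(lat)
    if not any(int_net.subnet_of(n) for n in lat_nets):
        problems.append(f"LAT does not cover the internal subnet {int_net}")
    for net in lat_nets:
        if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
            problems.append(f"LAT contains external range {net}; remove it")
    # A cable/DSL modem may hand the external interface a private address, so also
    # check that the external address itself is not inside any LAT range.
    if external.get("ip") and any(IPv4Address(external["ip"]) in n for n in lat_nets):
        problems.append("LAT contains the external interface address")
    return problems


# Constructed sample layouts.
GOOD_EXTERNAL = {"ip": "203.0.113.10", "mask": "255.255.255.0",
                 "gateway": "203.0.113.1", "dns": "203.0.113.53"}
GOOD_INTERNAL = {"ip": "192.168.1.1", "mask": "255.255.255.0", "gateway": None, "dns": None}
GOOD_LAT = [("192.168.1.0", "192.168.1.255")]

# The two classic mistakes: a gateway on the internal interface, and the ISP's
# range copied into the LAT.
BAD_INTERNAL = {"ip": "192.168.1.1", "mask": "255.255.255.0",
                "gateway": "192.168.1.254", "dns": None}
BAD_LAT = [("192.168.1.0", "192.168.1.255"), ("203.0.113.0", "203.0.113.255")]

if __name__ == "__main__":
    for label, ext, inn, lat in (("good", GOOD_EXTERNAL, GOOD_INTERNAL, GOOD_LAT),
                                 ("bad", GOOD_EXTERNAL, BAD_INTERNAL, BAD_LAT)):
        print(label, check_config(ext, inn, lat) or "OK")
```

The "bad" layout reports three problems: the internal default gateway, the public range in the LAT, and the external address being inside the LAT. The last check matters even when the external range is private, which is why it is separate from the RFC 1918 test.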
The Local Domain Table isn’t important unless you host internal network domains, or you want to access external domains directly without being subject to ISA Server access policies. However, if you do have a domain environment for your internal network, you should create a LDT entry for your domain. Note that you do not configure the LDT during installation. You can configure the LDT after installation is complete.
To configure the LDT, perform the following steps:
[LIST=1]
[*]Open the ISA Management console and expand your server name. Expand the Network Configuration node and right click on the Local Domain Table (LDT) node. Point to New and click LDT Entry.
[*]In the Name text box, type the name of your domain. Usually you’ll want to make a wildcard entry, such as *.mydomain.com, so that all of your servers on the internal network domain are automatically included. Click OK.
[/LIST]
Configuring Dial-up Entry if using a Dial-up Connection
If you use a dial-up connection to access the Internet, you know that you have to create a dial-up networking connectoid to connect to the ISP. ISA Server uses the DUN connectoid to autodial to the Internet when a request for external network resources is made to the ISA Server.
Make sure you have created the DUN connectoid first, and then perform the following steps to configure ISA Server to use your dial-up connection:
[LIST=1]
[*]Open the ISA Management console, expand your server name and then expand the Policy Elements node. Right click on the Dial-up Entries node, point to New and click on Dial-up Entry.
[*]In the New Dial-up Entry dialog box, enter the Name and Description. Click the Select button to select your DUN connectoid. Click the Set Account button and type in the user name you use to connect to your ISP. Do not use your internal network credentials! Type in your password and type it again to confirm your password.
[*]Click OK to close the New Dial-up Entry dialog box.
[/LIST]
After the dial-up connection is configured, you want to make sure the ISA Server uses the dial-up connection as its primary network connection. This also enables the autodial feature of ISA Server. There are two places where you need to configure the dial-up connection as a primary: Firewall routing and Default Web Routing.
Do the following to configure your routing rules:
[LIST=1]
[*]Open the ISA Management console and expand your server name. Right click on the Network Configuration node and click Properties.
[*]On a simple network you will not use Firewall chaining. Select the Use Primary Connection option and then place a checkmark in the Use dial-up entry checkbox.
[*]Click Apply and then click OK.
[*]Expand the Network Configuration node and click on the Routing node. Double click on the Default rule.
[*]Click on the Action tab. Place a checkmark in the Use dial-up entry for primary route checkbox.
[*]Click Apply and then click OK.
[/LIST]
Configure Protocol Rules
If you want to use Outlook Express to send and receive mail, you typically need access to the POP3 and SMTP protocols. If you want to use Outlook Express to access your Hotmail account, you will need to allow outbound access for the HTTP and HTTPS protocols. HTTPS is required for the secure log on phase of the connection, but the remainder of the session is via HTTP. Finally, some people like to use IMAP to connect to their mail servers at work. IMAP is a wonderful protocol and it really should be used more often.
You need to create Protocol Rules to allow outbound access for internal network clients. Protocol Rules are used for outbound access control for internal network clients. You will NEVER, I repeat NEVER, use packet filters to control outbound access for internal network clients, unless you need to allow outbound access for non-TCP/UDP protocols. Fortunately, all mail protocols are TCP based.
Since you are using the Firewall client, you do not need to create a Protocol Rule for outbound DNS queries. The reason for this is that the ISA Server performs DNS queries on the behalf of Firewall clients. The ISA Server can make DNS queries because a packet filter is created by default that allows the ISA Server to make outbound DNS queries. You do not need to create this packet filter.
Note that a packet filter is used because it is the ISA Server itself that needs access to the protocol. Packet filters are used to allow inbound and outbound access to applications and services running on the ISA Server itself.
Before you can create a Protocol Rule, there must be a Protocol Definition for that protocol. ISA Server includes a bunch of Protocol Definitions right out of the box. You will not need to create a new Protocol Definition to support your mail protocols.
To create a Protocol Rule for your mail protocols, perform the following steps:
[LIST=1]
[*]Open the ISA Management console, and expand your server name. Expand the Access Policy node and right click on the Protocol Rules node. Point to New and click on Rule.
[*]On the Welcome page, type in a name for the rule, such as Mail Protocols, and then click Next.
[*]On the Rule Action page select the Allow option and click Next.
[*]On the Protocols page, click the down arrow under Apply this rule to and select Selected protocols. In the Protocols list, place a checkmark in the checkbox for each of the protocols you want access to. You might want to select SMTP, POP3, IMAP4, HTTP and HTTPS. After you have selected your protocols, put a checkmark in the Show only selected protocols checkbox. This will make it easier for you to see what protocols you selected. Click Next.
[*]On the Schedule page, go with the default, which is Always, and click Next.
[*]On the Client Type page, select the Any request option and click Next.
[*]On the last page of the Wizard, review your settings and click Finish.
[/LIST]
Install the Firewall Client
The ISA Server is now all set up to support Outlook Express, or any other email client you might want to use. The next step is to install the Firewall client application. The Firewall client software intercepts all TCP and UDP communications leaving the client computer and forwards them to the Firewall service on the ISA Server. There are a lot of advantages to using the Firewall client. You should install the Firewall client on all Windows computers except Windows 3.x and the original version of Windows 95.
The easiest way to install the Firewall client on a small network is to connect to the shared directory on the ISA Server that contains the Firewall client software. There are many ways you can do this. Here’s one way:
[LIST=1]
[*]Click Start and then click the Run command.
[*]In the Run dialog box, type \\<server_name>\mspclnt\setup.exe in the Open text box. Replace <server_name> with the name of the ISA Server. Click OK.
[*]Follow the instructions provided by the installation Wizard. On Windows 2000 and Windows XP machines, you won’t have to restart the computer. On downlevel operating systems, you might have to restart.
[/LIST]
Optional Configuration Settings
Now you’re ready to rock and roll with Outlook Express or any other email client you want to use. Just configure the appropriate server settings in your client and you’ll be able to send and receive email.
There are a couple of optional settings you might want to configure on the ISA Server: the Packet Filtering and IP Routing options.
You always want to enable Packet Filtering on the ISA Server. When Packet Filtering is enabled, the only traffic that can move to and from the ISA Server is the traffic that you’ve explicitly allowed by creating packet filters, Protocol Rules and Publishing Rules. If you don’t enable packet filtering, all the default ports that are opened by Windows services and applications will be open on the external interface of the ISA Server. This obviously represents a security risk.
You might also want to enable IP Routing. This feature can greatly improve performance for SecureNAT clients. Although we haven’t discussed the SecureNAT client setup in this article, you might find that when this feature is enabled that the Firewall clients perform better as well. You also need to enable IP Routing if you want to run a DMZ segment off the ISA Server itself. But in the simple network configuration we’re discussing here, this isn’t much of an issue.
In this article we discussed how to configure the ISA Server to allow email applications to work with external mail servers. If you go through the procedures in this article, your email clients should work; it’s very hard to mess up this configuration! If you find that you’re still having problems sending and receiving mail, look at things other than the ISA Server (after you confirm that you’ve set everything up correctly).
It could be that your ISP is having problems, or that you’re using a DSL connection and having an MTU problem. Check that you can access the Internet using other protocols, such as HTTP using your Web browser. If you can’t get anywhere, it could be that you have a cable modem and have lost your IP address. In that case, make sure the DHCP packet filter is enabled, and then restart the computer.
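The troubleshooting advice above comes down to a pattern: if only the mail ports fail, the problem is the Protocol Rule or the Firewall client; if nothing gets out, the problem is the connection itself. The following is an added example, not code from the article or from ISA Server, that runs that test from a client machine for the five protocols in the Mail Protocols rule (SMTP, POP3, IMAP4, HTTP, HTTPS) and reports where to look next. The host names are placeholders to be replaced with your own mail server and any web site; the port numbers are the standard ones for those protocols.

```python
# Added example (not from the article): probe the protocols allowed by the Mail
# Protocols rule from a client and interpret the pattern of results.
import socket
import sys

# Standard port for each protocol named in the article's Mail Protocols rule.
MAIL_PORTS = {"SMTP": 25, "POP3": 110, "IMAP4": 143}
WEB_PORTS = {"HTTP": 80, "HTTPS": 443}


def probe(host, port, timeout=5.0):
    """Attempt a plain TCP connect. True on success; False on refusal, timeout or lookup failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(mail_host, web_host):
    """Probe every protocol in the rule and return {protocol: reachable}."""
    results = {name: probe(mail_host, port) for name, port in MAIL_PORTS.items()}
    results.update({name: probe(web_host, port) for name, port in WEB_PORTS.items()})
    return results


def diagnose(results):
    """Map a {protocol: reachable} dict onto the article's troubleshooting advice."""
    mail_ok = [p for p in MAIL_PORTS if results.get(p)]
    web_ok = [p for p in WEB_PORTS if results.get(p)]
    if not mail_ok and not web_ok:
        return ("no outbound connectivity: check the external interface, dial-up entry "
                "or ISP (lost IP address, MTU), not the mail client")
    if not mail_ok:
        return ("web works but mail ports fail: check that SMTP/POP3/IMAP4 are in the "
                "Protocol Rule and that the Firewall client is installed")
    if not web_ok:
        return ("mail works but HTTP/HTTPS fail: add HTTP and HTTPS to the Protocol Rule "
                "(needed for Hotmail)")
    missing = [p for p in MAIL_PORTS if not results.get(p)]
    if missing:
        return ("partially working: add " + ", ".join(missing) + " to the Mail Protocols "
                "rule, or confirm the mail server offers them")
    return ("all protocols reachable: if mail still fails, check the client's server "
            "settings or the mail server itself")


if __name__ == "__main__":
    # Placeholder hosts; pass your own as arguments: python probe.py mail.isp.example www.example.com
    mail_host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    web_host = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    results = run_probes(mail_host, web_host)
    for name, ok in results.items():
        print(f"{name:6} {'reachable' if ok else 'blocked/unreachable'}")
    print(diagnose(results))
```

Run it from a Firewall client machine so the connections go through the Firewall service the same way Outlook Express's do; a plain TCP connect is enough to tell whether the Protocol Rule lets the traffic out, without logging in to the mail server.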