Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

smtp and source IP

SOLVED
Go to solution
Highlighted
stephanef
stephanef
Occasional Contributor
‎09-08-2014 04:51:AM
‎09-08-2014 04:51:AM

smtp and source IP

Hi there

We are in the process of doing a POC with the StingRay appliances within our Exchange 2010 environment. We have a requirement to continue with restricting access to our SMTP service by controlling who is allowed to connect. This is based on IP address and relies on preserving source IP of the SMTP connection thru the LB and not the IP of the LB.

Problem is how to setup this up in the LB? If I enable IP transparency SMTP doesn't seem to work correctly after that.

Any help would be appreciated.

0 Kudos
Reply
7 REPLIES
sameh
sameh
Contributor
‎09-10-2014 01:42:AM
‎09-10-2014 01:42:AM

Re: smtp and source IP

Hello Stephane,

I never played with IP transparency on SteelApp TM, but what about enforcing the restrictions at the LB level?

Rate-limiting, ACL to discard connections, etc.

I personally don't use load balancing for SMTP and rather rely on another MTA sitting in-between Exchange and Internet. This is because SMTP inbound already includes failover (multiple MX records) and does not require low latency fallbacks.

If you are setting up an outbound Exchange SMTP though, I understand why the trouble going with IP transparency. Can you elaborate on the problems you're encountering?

0 Kudos
Reply
dnahas
dnahas
Contributor
‎09-10-2014 11:24:AM
‎09-10-2014 11:24:AM

Re: smtp and source IP

Typically when IP Transparency is enabled the problem is with back end nodes routing the reply. This is covered in the user’s guide @ SteelApp Traffic Manager Docs , Chapter 2 - IP Transparency; see the Routing Configuration, and Local Routing Problems sections.

Instead of using IP Transparency and potential routing problems, have you considered offloading this functionality and configuring the Traffic Manager to restrict access to the virtual server by ip address with a Service Protection Class?

Alternatively, This can also be achieved with a Traffic Script Request Rule.


#entire range
 $clientip= request.getremoteip();  
 if( string.ipmaskmatch($clientip, "192.168.1.0/24" ) == 0 ){
 connection.discard();  }



or



 ​#specific addresses 
 $allowed = [  "192.168.1.68", "10.0.0.43", "172.16.1.177", "8.8.8.8" ];
  
 if( ! array.contains( $allowed, request.getRemoteIP() ) {  
 connection.discard();


0 Kudos
Reply
stephanef
stephanef
Occasional Contributor
‎09-11-2014 12:57:AM
‎09-11-2014 12:57:AM

Re: smtp and source IP

Note this is for internal SMTP access for internal application servers.

0 Kudos
Reply
stephanef
stephanef
Occasional Contributor
‎09-11-2014 01:01:AM
‎09-11-2014 01:01:AM

Re: smtp and source IP

Thanks for your response, your recommendations are of value and I am going to test the scenario.

However, if I use your second option traffic rule I get the following when trying to do a Check Syntax:

Error: line 4: Syntax Error, unexpected "{"

   if ( ! array.contains( $allowed, request.getRemoteIP() ) {

0 Kudos
Reply
sameh
sameh
Contributor
‎09-11-2014 02:53:AM
‎09-11-2014 02:53:AM

Re: smtp and source IP

The second conditional statement lacks a closing parenthesis.

Cheers

Reply
stephanef
stephanef
Occasional Contributor
‎09-11-2014 04:45:AM
‎09-11-2014 04:45:AM

Re: smtp and source IP

I am very new to this, can you show me what u mean by updating the script?

0 Kudos
Reply
sameh
sameh
Contributor
‎09-11-2014 05:08:AM
‎09-11-2014 05:08:AM

Re: Re: smtp and source IP

Hehe, no problem:


#specific addresses

$allowed = [  "192.168.1.68", "10.0.0.43", "172.16.1.177", "8.8.8.8" ]; 

   

if( ! array.contains( $allowed, request.getRemoteIP() )

{

connection.discard();

}

Should read:


#specific addresses

$allowed = [  "192.168.1.68", "10.0.0.43", "172.16.1.177", "8.8.8.8" ];   

    

if( ! array.contains( $allowed, request.getRemoteIP() )  )

{ 

connection.discard();

}   

Reply
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.