IPSEC filter to block 25 outbound on SBS 2003 Standard
Today's post comes compliments of Mark Stanfill. This was a quick answer he gave to a question a couple of us had, so while this isn't a "documented" Microsoft solution, I would take advantage of it if you are attempting to block SMTP traffic on your Small Business Server 2003 Standard based networks. The reason for this is to only allow outbound SMTP email from the server, blocking the clients, which may be sending out SPAM on TCP Port 25. Works on both Single and Dual NIC SBS boxes! Thanks go to Mark for giving me permission to post this! – Steve
You don't even need RRAS for this to work. The filtering is done before the packets leave the client; this setup prevents unwanted traffic in single-NIC and dual-NIC environments.
You create an IPSEC policy, allow all traffic, but deny SMTP originating from internal addresses (only if none of them need to connect to external addresses for POP3/IMAP clients, otherwise you will block those connections in the process).
- Create & link a new GPO to client computers (not anywhere it would apply to the SBS)
- Create a new IPSEC policy in the GPO:
- Edit the properties. I've only blocked one client; usually you'll want to do a subnet:
Gpupdate /force to apply (it will probably ask you to reboot, but it is already applied).
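The same "allow everything, block client-originated TCP 25" policy can be built from the command line with the `netsh ipsec static` context that ships with Windows Server 2003 and XP SP2. The script below is an added example written for this post; it is not Mark's procedure and not a Microsoft-documented method. The LAN subnet (192.168.16.0/24) and the SBS address (192.168.16.2) are constructed values, the exemption rule that keeps SMTP to the SBS itself open is a design choice added here, and the export step assumes the resulting file can be loaded through the IP Security Policies snap-in inside the GPO editor (All Tasks > Import Policies).

```batch
@echo off
REM Added example (not from the original post). Builds an IPSec policy that
REM permits all traffic except SMTP leaving LAN clients for any address.
REM Constructed values: LAN 192.168.16.0/24, SBS server at 192.168.16.2.
REM Do not assign this on the SBS itself; it is the one host that must reach port 25.

set POLICY=Block client SMTP
set LIST=Clients to any TCP 25
set EXEMPT=Clients to SBS TCP 25

REM 1. Policy container. Nothing is enforced until the policy is assigned.
netsh ipsec static add policy name="%POLICY%" description="Clients may not send SMTP directly to the Internet"

REM 2. Filter list: TCP from the client subnet to port 25 on any destination.
REM    srcport=0 means any source port; mirrored=no matches only the outbound direction.
netsh ipsec static add filterlist name="%LIST%"
netsh ipsec static add filter filterlist="%LIST%" srcaddr=192.168.16.0 srcmask=255.255.255.0 dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=no description="Outbound SMTP from LAN clients"

REM 3. Exemption (added design choice): SMTP to the SBS stays permitted. IPSec applies
REM    the most specific matching filter, so a single-host destination beats dstaddr=any.
netsh ipsec static add filterlist name="%EXEMPT%"
netsh ipsec static add filter filterlist="%EXEMPT%" srcaddr=192.168.16.0 srcmask=255.255.255.0 dstaddr=192.168.16.2 dstmask=255.255.255.255 protocol=TCP srcport=0 dstport=25 mirrored=no description="SMTP to the SBS is allowed"

REM 4. Filter actions: one that drops, one that passes.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

REM 5. Rules bind each filter list to an action inside the policy.
netsh ipsec static add rule name="Block SMTP to Internet" policy="%POLICY%" filterlist="%LIST%" filteraction="Block"
netsh ipsec static add rule name="Allow SMTP to SBS" policy="%POLICY%" filterlist="%EXEMPT%" filteraction="Permit"

REM 6a. Single machine: assign the policy locally.
netsh ipsec static set policy name="%POLICY%" assign=y

REM 6b. Whole client OU: export, then import the file into the GPO's IP Security
REM     Policies node (assumption: the snap-in's Import Policies accepts this file).
netsh ipsec static exportpolicy file=C:\block-client-smtp.ipsec

REM 7. Check what was created before trusting it.
netsh ipsec static show policy name="%POLICY%"
```

To confirm the policy is doing its job after `gpupdate /force`, a client should still be able to send mail through the SBS, while `telnet <outside mail host> 25` from that same client should now hang and time out rather than return a banner. If POP3/IMAP users on the LAN legitimately submit mail to an outside SMTP server, add a further permit filter list for that server's address rather than widening the block rule.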