Recipe 7.21. Setting IP Address Restrictions for Multiple Servers

Problem

You need to maintain the connection restriction, relay restriction, and global accept/deny lists on your Exchange servers.

Solution

Using a command-line interface

Use the SMTP Internet Protocol Restriction and Accept/Deny List Configuration Tool (ExIpSecurity). You can download it from:

http://www.microsoft.com/downloads/details.aspx?familyid=dcce0536-7edc-40b4-9950-8b6906abda2d&displaylang=en

To add an IP address to the connection restriction list:

> cscript ipsec.vbs -d <DC> -s <server> -i <VSnum> -o a -r connection -v <IPaddress>

Example:

> cscript ipsec.vbs -d DC01 -s EXCH01 -i 1 -o a -r connection -v 192.168.0.1

To add a domain to the relay restriction list:

> cscript ipsec.vbs -d <DC> -s <server> -i <VSnum> -o a -r relay -t domain -v <domain>

Example:

> cscript ipsec.vbs -d DC01 -s EXCH01 -i 1 -o a -r relay -t domain -v contoso.com

To grant connection access to all IP addresses or domains except the list specified:

> cscript ipsec.vbs -s <server> -i <VSnum> -o s -r connection -g grant -d <DC>

Example:

> cscript ipsec.vbs -s EXCH01 -i 1 -o s -r connection -g grant -d DC01

To delete a range of IP addresses from the relay restriction list:

> cscript ipsec.vbs -s <server> -i <VSnum> -o d -r relay -v <IPaddress> -m <mask> -d <DC>

Example:

> cscript ipsec.vbs -s EXCH01 -i 1 -o d -r relay -v 192.168.0.1 -m 255.255.255.0 -d DC01

To add a single entry to the global accept/deny list (Exchange Server 2003 only):

> cscript ipsec.vbs -d <DC> -o a -r [accept | deny] -v <IPaddress>

Example:

> cscript ipsec.vbs -d DC01 -o a -r accept -v 192.168.0.1

To add a range of IP addresses to the global accept/deny list (Exchange Server 2003 only):

> cscript ipsec.vbs -d <DC> -o a -r [accept | deny] -v <IPaddress> -m <mask>

Example:

> cscript ipsec.vbs -d DC01 -o a -r accept -v 192.168.0.1 -m 255.255.255.0

To delete an entry from the global deny list (Exchange Server 2003 only):

> cscript ipsec.vbs -d <DC> -o d -r deny -v <IPaddress>

Example:

> cscript ipsec.vbs -d DC01 -o d -r deny -v 192.168.0.1

To list all entries on the global accept or deny list (Exchange Server 2003 only):

> cscript ipsec.vbs -d <DC> -o e -r [accept | deny]

Example:

> cscript ipsec.vbs -d DC01 -o e -r accept

Discussion

The ExIpSecurity tool is a freely available Visual Basic script and COM object that gives you programmatic access to the connection, relay, and global accept/deny restriction lists. The connection and relay restriction functions work on both Exchange 2000 and Exchange 2003; the global accept and deny lists are specific to Exchange Server 2003. Because the command-line tool is itself written in VBScript, this recipe does not include a separate example of invoking the COM object directly; the tool's source and its included documentation show working examples of how to use the COM object in your own scripts.

Using this tool, you can iterate through lists of servers provided by other recipes in the book (such as the VBScript Active Directory query in Recipe 2.14) and maintain consistent settings for your per-virtual server connection restriction lists and relay restrictions. This tool provides quite a few options, but the included documentation contains many examples to help you figure out how to put it to use in your organization.
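The iteration described above, as an added example (not code from the book or from the ExIpSecurity package): a PowerShell wrapper that applies the same connection and relay entries to every server in a list, using only the ipsec.vbs switches shown in this recipe. The server names EXCH02 and EXCH03, the script path, the log file name, and the sample entries are assumptions; by default the wrapper only prints the commands, so the list can be reviewed before anything changes.

```powershell
# Added example: push identical ExIpSecurity entries to several Exchange servers.
param(
    [string]$DC         = 'DC01',          # domain controller, as in the recipe's examples
    [int]   $VSnum      = 1,               # SMTP virtual server instance number
    [string]$ScriptPath = '.\ipsec.vbs',   # assumed location of the downloaded tool
    [string]$LogPath    = '.\ipsec-run.log', # assumed log file name
    [switch]$Apply                         # without -Apply, commands are printed only
)

# Constructed sample data; replace with your own server list and entries.
$servers       = 'EXCH01', 'EXCH02', 'EXCH03'
$connectionIPs = '192.168.0.1', '192.168.0.2'
$relayDomains  = 'contoso.com'

# Reject anything that is not a dotted-quad IPv4 address before it reaches the tool.
function Test-IPv4([string]$Address) {
    $parsed = $null
    return ($Address -match '^\d{1,3}(\.\d{1,3}){3}$') -and
           ([System.Net.IPAddress]::TryParse($Address, [ref]$parsed))
}

# Build every argument list first, so a bad entry stops the run before any change is made.
$commands = @(foreach ($server in $servers) {
    foreach ($ip in $connectionIPs) {
        if (-not (Test-IPv4 $ip)) { throw "Invalid IPv4 address: $ip" }
        , @('-d', $DC, '-s', $server, '-i', $VSnum, '-o', 'a', '-r', 'connection', '-v', $ip)
    }
    foreach ($domain in $relayDomains) {
        , @('-d', $DC, '-s', $server, '-i', $VSnum, '-o', 'a', '-r', 'relay',
            '-t', 'domain', '-v', $domain)
    }
})

foreach ($cmdArgs in $commands) {
    $line = "cscript //nologo $ScriptPath $($cmdArgs -join ' ')"
    if (-not $Apply) {
        Write-Output "DRY RUN: $line"
        continue
    }
    # Record the command and the tool's output so each change can be audited later.
    "RUN: $line" | Tee-Object -FilePath $LogPath -Append
    & cscript.exe //nologo $ScriptPath @cmdArgs 2>&1 | Tee-Object -FilePath $LogPath -Append
}
```

Run it once without `-Apply` to review the generated commands, then again with `-Apply` to make the changes; the log keeps a record of what was sent to each server.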

See Also

Download the SMTP Internet Protocol Restriction and Accept/Deny List Configuration Tool with documentation from the Microsoft Download Center:

http://www.microsoft.com/downloads/details.aspx?familyid=dcce0536-7edc-40b4-9950-8b6906abda2d&displaylang=en

and MS KB 810913 (XGEN: Programmatic Modification of SMTP Virtual Server Access and Relay Control)



Exchange Server Cookbook
Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
EAN: 2147483647
Year: 2006
Pages: 235