Possible SSH Publishing Solution
Wilmar Perez, a participant on the ISAserver.org mailing list, asks a question about how to get his SSH Server Publishing Rules working. I’ve heard this question asked a lot in the last year, so I wasn’t surprised to hear it again. I don’t run any SSH servers in any of my environments, so I never understood what the problem could be.
SSH is supposed to be a simple protocol, requiring a single primary connection on TCP port 22. No secondary connections, nothing tricky that would require an application filter or the Firewall client (which isn’t supported for Server Publishing Rules anyway in ISA 2004). I always assumed that the people asking questions about broken SSH Server Publishing Rules were doing something else wrong, and I never heard any follow-up on what those problems might be or whether they ever solved them.
This time we got lucky. Wilmar took his problem to Microsoft PSS and asked them for help. He said he was told to create a Route relationship between the ISA firewall Protected Network and the default External Network. This was interesting because Wilmar already had a NAT relationship between the ISA firewall Protected Network and the default External Network, because he was using private addresses on the ISA firewall Network on which the SSH server was located. It didn’t make sense to create a Route Network Rule between the SSH server’s ISA firewall Network and the default External Network.
Wilmar took the advice from Microsoft PSS. Guess what? It worked! Now, I understand that this makes no sense at all. I asked Wilmar if PSS provided an explanation for this, but he said they didn’t, which is unfortunate. What is so unusual about SSH that something that seems so totally nonsensical would be the solution to his problem?
Whatever the reason (which I hope to someday figure out), that’s the solution. If you have a Server Publishing Rule for an SSH server and you have a NAT Network Rule between the ISA firewall Network on which the SSH server sits and the default External Network, then create a Route Network Rule between the ISA firewall Network on which the SSH server sits and the default External Network.
Wilmar did point out that the Route Network Rule is above the NAT Network Rule in the list of Network Rules. Since Network Rules are evaluated from the top down, the Route Network Rule will always be matched before the NAT Network Rule. I have to wonder if this will break functionality for other published servers on the same ISA firewall Network.
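As an added illustration (not from the original post, and not ISA code), here is a small model of how ISA walks its ordered Network Rule list top-down, first match wins, together with a check for the situation described above: once a Route rule for the same network pair sits above the NAT rule, the NAT rule is never reached, and hosts on that network leave untranslated. The network names, rule names and addresses are constructed sample values.

```python
from dataclasses import dataclass
import ipaddress

# RFC 1918 ranges, written out explicitly rather than relying on ipaddress.is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class NetworkRule:
    """One ISA Network Rule: an ordered network pair and its relationship."""
    name: str
    source: str
    destination: str
    relationship: str  # "Route" or "NAT"

def matches(rule, source, destination):
    """Route relationships are bidirectional; NAT applies only source -> destination."""
    if rule.source == source and rule.destination == destination:
        return True
    return rule.relationship == "Route" and rule.source == destination and rule.destination == source

def relationship_for(rules, source, destination):
    """Top-down, first-match evaluation of the ordered Network Rule list."""
    for rule in rules:
        if matches(rule, source, destination):
            return rule.name, rule.relationship
    return None  # no rule: ISA has no relationship between the networks

def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers their pair."""
    return [rule.name for i, rule in enumerate(rules)
            if any(matches(earlier, rule.source, rule.destination) for earlier in rules[:i])]

def source_seen_by_destination(rules, source, destination, host_ip, isa_external_ip):
    """Address the destination network sees for a host on the source network."""
    hit = relationship_for(rules, source, destination)
    if hit is None:
        return None
    return isa_external_ip if hit[1] == "NAT" else host_ip

def leaks_private_address(rules, source, destination, host_ip, isa_external_ip):
    """True when an RFC 1918 host address would be routed untranslated to the destination."""
    seen = source_seen_by_destination(rules, source, destination, host_ip, isa_external_ip)
    return seen is not None and any(ipaddress.ip_address(seen) in net for net in RFC1918)

# Constructed sample: the layout from the post, Route rule placed above the NAT rule.
RULES_ROUTE_FIRST = [
    NetworkRule("SSH Route", "Internal", "External", "Route"),
    NetworkRule("Internet Access", "Internal", "External", "NAT"),
]
RULES_NAT_FIRST = list(reversed(RULES_ROUTE_FIRST))
```

Running `shadowed_rules` over a rule list is a quick way to spot a NAT rule that a Route rule above it has silently disabled.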
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — ISA Firewalls

Michael Pietroforte Says:
May 11th, 2006 at 11:03 am
I suppose it has something to do with the IP-authentication feature of the SSH protocol. The hash code of the server is calculated using its real IP address, not the one which is published on the ISA server. The client uses the published IP address to calculate the hash code. So authentication fails. This is just a wild guess; I am not an SSH expert.
Thomas Shinder Says:
May 11th, 2006 at 9:03 pm
Hi Michael,
That’s as good an explanation as I can come up with.
Thanks!
Tom
SAN Says:
May 15th, 2006 at 8:11 am
Tom,
Good blog! I always had problems with SSH publishing. This explains why.
Does this mean I will need to assign a public IP number to the SSH server if I want the internet clients to access my server?
Tom Shinder Says:
May 15th, 2006 at 8:16 am
Hi San,
You should not need to do that. Wilmar used private IP addresses for his SSH server and it worked for him.
Thanks!
Tom
Diego Medina Says:
August 22nd, 2006 at 2:00 pm
One other option that worked for me was to set up the secondary port range from 50000 to 51000, and that worked fine.
Casey Friese Says:
August 24th, 2006 at 7:30 am
New Server Publishing Rule with Telnet as the selected protocol. Put in a port override, leaving the Firewall Ports published with the defaults, and change the Published Server Ports to send requests to port 22 on the published server. Works like a champ.
Thomas Shinder Says:
August 24th, 2006 at 9:39 am
Hi guys,
Thanks!
Tom
Jim Kobak Says:
October 7th, 2006 at 10:48 am
I am still using ISA Server 2000. I can’t seem to locate any way to add a routing rule as described above. They’re all related to web requests only. Am I missing something, or do I need ISA 2004 or better?
If so, anyone have an idea to publish SSH with ISA 2000?
Thanks,
Jim
networkfreek Says:
November 24th, 2006 at 10:22 pm
Hi Diego Medina
It works. Can you explain, why port 50000 - 51000 have to be open for the SSH server publishing to work? Tx
Mikael Ulvesjo Says:
June 8th, 2007 at 4:53 am
I have problems connecting to external SSH services running on a non-default port (e.g. 2222) from a Linux client behind an ISA server.
Does anyone have any information or theory why I fail to do this? On the server running the SSH service I can see that the client is able to connect, but it fails to authenticate. I’m using certificates to authenticate, and that works if I bypass the ISA proxy.
ISA Server SSH Publishing - MCSEboard.de MCSE Forum Says:
July 9th, 2007 at 3:28 pm
[…] There are a few possible solutions: Thomas Shinder Blog » Blog Archive » Possible SSH Publishing Solution grizzly999 […]
Darek Says:
October 2nd, 2007 at 6:09 am
Tried the route solution using ISA 2006, but it didn’t work. While monitoring the SSH access, ISA jumped to the default last rule and did not “see” my publishing rule.
My successful solution was to remove the route rule I created and to edit the publishing rule “To” tab by selecting “the request appear to come from the ISA server”.
My2Cents
blautens Says:
March 31st, 2008 at 7:13 am
On an ISA 2006 EE array, I tried creating a new publishing rule, SSH, port 22 inbound, and used Diego’s suggestion of a secondary port range of 50000 to 51000, and it worked flawlessly with WS_FTP Server. Thanks, Diego!
Russ E Says:
April 4th, 2008 at 2:48 am
I’ve got a similar problem.
ESX environment
ISA 2006 STD on Win2k3E R2
OpenSSH on a Win2k3E R2 server behind ISA
3 IPs on the box behind ISA. ISA IS the gateway
Port is definitely open at the hardware firewall and allowing ALL protocols in and out (which is why I guess I can see it hitting ISA)
The account I am using to log in to OpenSSH is a local admin
I look and I see that ISA initiates the connection and then I see it close a few mins later. My client, WinSCP, gives me a network timeout error. I look on the OpenSSH server and see that the client reached it but nothing happens.
I’m not sure that it’s an ISA error, but I thought I would throw it out here to see if you have any suggestions. I thought I had everything set up correctly, and have looked at this blog as well as this posting:
http://forums.isaserver.org/m_2002037501/mpage_1/k...tm.htm
Maybe I am just slow, or have been looking at it too long, but I am making no headway and am way overdue on a deadline. I really am not that familiar with ISA but have managed to get this far, and would love to bring it home. If you don’t think it’s an ISA problem, I’d be open to any other suggestions you may have.
Thanks in advance and feel free to contact me publicly or privately…
Russ