
Route Relationships, Server Publishing Rules, and Port Stealing

A best kept secret in the ISA Firewall world is the ability to publish servers using Server Publishing Rules even when there is a route relationship between the source and destination networks. Most people think of Server Publishing Rules as a form of reverse NAT that supports application layer inspection. While that is one scenario, there is no requirement for NAT when publishing servers.

For example, suppose you have a branch office that connects to the main office via a site-to-site VPN connection. It’s likely that you have a route relationship between the main office and branch office networks, and you probably use Access Rules to allow connections from branch office clients to main office servers. That works well, so you’ve probably not seen a reason to change your approach.

In what circumstances might you want to change your approach and use Server Publishing Rules instead of Access Rules? The primary reasons I can think of for using a Server Publishing Rule instead of an Access Rule are, first, when the Application Filter for the protocol you’re allowing doesn’t work for outbound connections (Access Rules always use outbound connections), and second, when you don’t want to change your DNS infrastructure to support NAT for Server Publishing Rules. Although you can use Access Rules to allow access, Access Rules give you no option of controlling the source IP address delivered to the published server.

For example, the SMTP and POP3 application filters only work for SMTP Server and POP3 Server protocols. If you want to make sure branch office users are subjected to protocol inspection for those protocols, then you’ll need to use a Server Publishing Rule to publish the main office SMTP and POP3 servers to the branch offices.

The nice thing about using Server Publishing Rules when there is a route relationship between the source and destination networks is that clients connect to the actual IP address of the published server, not to a listener address on the ISA Firewall. In this scenario the ISA Firewall uses a technique called port stealing to intercept the request so that application layer inspection can be performed on it; the request is then passed to the published server only if the connection passes application layer inspection.

Another thing you can do with Server Publishing Rules that you can’t do with Access Rules is control the source IP address of the incoming request as delivered to the published server. This is extremely useful if you can’t make the published server a SecureNAT client of the ISA Firewall.
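To make the route-relationship behaviour concrete, here is a small Python model of what the post describes: a branch client connects to the real server address, the firewall claims the connection (port stealing), runs an application-layer check on the SMTP commands, and forwards it either preserving the client’s source address or rewriting it. This is an added illustration, not ISA Server code and not the ISA COM API; the rule fields, the SMTP command allow-list, the firewall internal address and every IP and session line below are constructed assumptions.

```python
"""Model of a firewall intercepting connections on a routed network (port stealing),
running an application-layer check, and forwarding with or without source rewriting.

Added illustration only: not ISA Server code. Rule fields, the command allow-list
and all addresses are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed internal interface address of the firewall: what the published server sees
# when a rule rewrites the source instead of preserving the client's address.
FIREWALL_INTERNAL_IP = "10.10.0.1"

# RFC 5321 section 4.5.3.1.4: an SMTP command line is at most 512 octets including CRLF.
MAX_SMTP_COMMAND_LEN = 512

# Assumed allow-list for the inspection step (a real SMTP filter's list is configurable).
ALLOWED_SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
                         "NOOP", "QUIT", "STARTTLS", "AUTH"}


@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    published_server: str               # real address of the server behind the firewall
    port: int
    relationship: str                   # "route" or "nat" between the two networks
    listener_ip: Optional[str] = None   # firewall address clients hit when relationship is "nat"
    preserve_source_ip: bool = True     # deliver the client's address to the published server


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int


def client_target(rule: ServerPublishingRule) -> str:
    """Address a client connects to: the real server on a route relationship,
    the firewall listener under NAT."""
    return rule.published_server if rule.relationship == "route" else rule.listener_ip


def match_rule(conn: Connection, rules: List[ServerPublishingRule]) -> Optional[ServerPublishingRule]:
    """Port stealing on a route relationship: a packet already addressed to the real
    server is claimed by the rule whose published address and port it hits."""
    for rule in rules:
        if conn.dst_ip == client_target(rule) and conn.dst_port == rule.port:
            return rule
    return None


def inspect_smtp_commands(lines: List[str]) -> Tuple[bool, Optional[str]]:
    """Application-layer check in the spirit of an SMTP command filter: reject
    over-long command lines and commands outside the allow-list. Body lines
    between DATA and the terminating '.' are not commands and are skipped."""
    in_data = False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
            continue
        if len(line.encode("utf-8")) + 2 > MAX_SMTP_COMMAND_LEN:  # +2 for CRLF
            return False, line
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED_SMTP_COMMANDS:
            return False, line
        if verb == "DATA":
            in_data = True
    return True, None


def handle(conn: Connection, rules: List[ServerPublishingRule], session: List[str]) -> dict:
    """Intercept, inspect, then forward. Returns what the published server would see."""
    rule = match_rule(conn, rules)
    if rule is None:
        return {"action": "no-rule"}
    ok, offending = inspect_smtp_commands(session)
    if not ok:
        return {"action": "blocked", "rule": rule.name, "reason": offending}
    seen_src = conn.src_ip if rule.preserve_source_ip else FIREWALL_INTERNAL_IP
    return {"action": "forwarded", "rule": rule.name,
            "server": rule.published_server, "server_sees_src": seen_src}


# Constructed sample policy: one rule for the routed branch-office network, one NAT
# rule for Internet clients that hit a listener on the external interface.
RULES = [
    ServerPublishingRule("Branch SMTP", "10.10.0.25", 25, "route"),
    ServerPublishingRule("Internet SMTP", "10.10.0.25", 25, "nat",
                         listener_ip="203.0.113.10", preserve_source_ip=False),
]

# Constructed sample sessions (client command lines only).
GOOD_SESSION = ["EHLO branch.example", "MAIL FROM:<a@example.com>", "RCPT TO:<b@example.com>",
                "DATA", "Subject: hello", "", "body text", ".", "QUIT"]
BAD_SESSION = ["EHLO branch.example", "VRFY postmaster", "QUIT"]

if __name__ == "__main__":
    branch = Connection("10.20.0.15", "10.10.0.25", 25)   # branch client to the real server address
    print(handle(branch, RULES, GOOD_SESSION))            # forwarded, server sees 10.20.0.15
    print(handle(branch, RULES, BAD_SESSION))             # blocked on VRFY
    internet = Connection("198.51.100.7", "203.0.113.10", 25)
    print(handle(internet, RULES, GOOD_SESSION))          # forwarded, server sees the firewall
```

The two rules share the same published server but differ in where the client connects: on the routed branch network the client aims at 10.10.0.25 and the firewall steals the port, while an Internet client must hit the listener. The `preserve_source_ip` flag is what the post’s last paragraph is about; when it is off, a published server that is not a SecureNAT client still answers correctly because the reply goes back to the firewall’s own address.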

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

5 Responses to “Route Relationships, Server Publishing Rules, and Port Stealing”

  1. Steven Hope Says:

    November 29th, 2006 at 9:15 pm

    Nice write up Tom!

    I’ve always known you can use server publishing over a routed connection, but I haven’t ever really found a reason to do it as access rules always seem to do the job.

    Another filter that is only used in server publishing rules is the DNS filter, that is a GOOD reason to server publish your HQ AD DNS server instead of using an access rule!

    I need to play with more scenarios around this again, especially since you can connect to the destination IP which you can’t do with NAT. It does make you wonder why filters have a “direction” though, considering you can just reverse a publishing rule into an access rule anyway to make a filter work in both directions.

    Steven Hope
    Architectural Consultant
    ViRCOM
    Microsoft Gold Certified Partner
    Web: www.vircom.co.uk
    Email: steven@vircom.co.uk
    Mobile: +44-780-188-1085
    Blog: http://spaces.msn.com/members/stevenhope
    “There are 10 kinds of people in this world, those who understand binary and those who don’t.”

  2. Stefaan Says:

    November 30th, 2006 at 4:25 am

    Hi Tom,

    are you sure about the address translation behavior with a route relationship?

    According to my findings as documented in http://blogs.isaserver.org/pouseele/2006/09/29/how...route/ I came to a different conclusion.

    Thanks,
    Stefaan

  3. Jason Jones Says:

    December 1st, 2006 at 6:17 pm

    Tom,

    The RPC filter is another good example - IIRC with access rules the filter is only able to handle the dynamic ports element of RPC, whereas when you use server publishing for RPC you gain the ability to filter based upon the actual UUIDs (RPC interfaces).

    Exchange RPC Publishing is a good example of where using server publishing with route relationships is very cool!

    JJ

  4. M.N.P.Fard Says:

    December 5th, 2006 at 5:08 am

    Hello. Please Help Me

  5. Fard Says:

    December 5th, 2006 at 5:16 am

    Hi
    Please help me to publish ISA Server 2006 services for use with Exchange Server 2003,
    please with an example of how to define the rules on the ISA Server 2006.
