ISA Server 2000 with Blackboard Application

Posted on 2004-12-01
Last Modified: 2008-05-29
I am trying to figure out how to do the following with ISA Server 2000.  I have an application that requires that I open up all ports between the external server and my internal server.  Their (the software vendor's) instructions on how to do this are below.  I have one ISA server with two NICs, one internal, one external.  The server inside the firewall that I need to allow access to has about 8 different IP addresses, and the external NIC of the ISA server has about 12 IP addresses on it.  Their description of how the communication takes place is found in the paragraph below.  I am in over my head on this one.

Firewall software and hardware rules and interfaces for manipulating those rules vary widely, but customers in these kinds of topologies have had success with configurations that allow packets from any port on to arrive at any port on their local server only if the local server initiated the connection. The local server will typically grab the first available port greater than 1024 to make the outbound connection, and wait on that port for a response. The validation server doesn't initiate any new connections from its side; it just responds to the initial request on the same established channel since the CCAP connection is bi-directional (the inbound packets will be seen to come from the validation server's port 80, regardless of which port the validation server actually uses to send the packets).

Question by: jkelley53

    Accepted Solution

    First of all, opening all the ports is a major security risk.  If I understand you and the vendor correctly, your situation is typical and easy to configure.

    First, for simplicity and troubleshooting, you have to have a Site and Content rule and a Protocol rule allowing any outgoing protocols and any internet site access for all internal clients.  This is technically called the "anonymous" rule.  If you do have the anonymous rule, then simply use the Blackboard application from a machine.

    Usually, the Blackboard application will initiate a connection from your internal network via ISA to a port (say 400 for example; this port is set by the Blackboard programmers and is supposedly well-known).  The application also tells the machine to respond back at a random port number above 1024 (say 3000 for example).  So,

    Your machine:3000 ---> sends packets to ---->
    Your machine:3000 <--- blackboard machine sends its response to your machine's port number 3000 <----

    If I understand your vendor correctly, they are saying their server will always use port 400 regardless of what port your machine asked their system to respond to.  So if that's the case, create a server publishing rule and publish the machine where the Blackboard application will run.  Allow only port 80 to come in for this Blackboard application machine.

    Hopefully, I didn't confuse more!


    Author Comment

    Thanks.  I just talked with Microsoft and they suggested I install the Firewall Client.  The Blackboard server (the one doing the outbound connection from my network) was a SecureNAT client until we tried the Firewall Client.  The Firewall Client combined with adding a specific destination set with the server in it seemed to do the trick.  Everything is working now.

    You get the points since you were the first one to post some info for me.  Thanks.


    Expert Comment

    Thanks for the points.  I am surprised MS suggested you use the Firewall Client.  All servers should be SecureNAT clients.  But your situation may be an exception.
