ISA Server 2000 with Blackboard Application

I am trying to figure out how to do the following with ISA Server 2000. I have an application that requires that I open up all ports between the external server and my internal server. Their (the software vendor's) instructions on how to do this are below. I have one ISA server with two NICs, one internal, one external. The server inside the firewall that I need to allow access to has about 8 different IP addresses, and the external NIC of the ISA server has about 12 IP addresses on it. Their description of how the communication takes place is found in the paragraph below. I am in over my head on this one.

Firewall software and hardware rules and interfaces for manipulating those rules vary widely, but customers in these kinds of topologies have had success with configurations that allow packets from any port on to arrive at any port on their local server only if the local server initiated the connection. The local server will typically grab the first available port greater than 1024 to make the outbound connection, and wait on that port for a response. The validation server doesn't initiate any new connections from its side; it just responds to the initial request on the same established channel since the CCAP connection is bi-directional (the inbound packets will be seen to come from the validation server's port 80, regardless of which port the validation server actually uses to send the packets).


First of all, opening all the ports is a major security risk. If I understand you and the vendor correctly, your situation is typical and easy to configure.

First, for simplicity and troubleshooting, you have to have a Site and Content rule and a Protocol rule allowing any outgoing protocols and any Internet site access for all internal clients. This is technically called the "anonymous" rule. If you do have the anonymous rule, then simply use the Blackboard application from a machine.

Usually, the Blackboard application will initiate a connection from your internal network via ISA to at a port (say 400 for example; this port is set by the Blackboard programmers and supposedly well-known). The application also tells the machine to respond back at a random port number above 1024 (say 3000 for example). So,

Your machine:3000 ---> sends packets to ---->
Your machine:3000 <--- Blackboard machine sends its response to your machine's port number 3000 <----

If I understand your vendor correctly, they are saying their server will always use port 400 regardless of what port your machine asked their system to respond to. So if that's the case, create a server publishing rule and publish the machine where the Blackboard application will run. Allow only port 80 to come in for this Blackboard application machine.

Hopefully I didn't confuse you more!
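The vendor's paragraph in the question and the port diagram in the answer above both describe the same stateful rule: the local server opens an outbound connection from an ephemeral port (> 1024) to the validation server, and the only inbound traffic that should be accepted is the reply on that already-established channel, which appears to come from the validation server's port 80. The following is an added illustration, not code from the thread or from ISA Server, that models that rule as a small connection-tracking filter over constructed packets (IP addresses are made up from documentation ranges) to show why "open all ports" is unnecessary:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = internal -> external, "in" = external -> internal

class StatefulFilter:
    """Accept inbound packets only when they answer a flow the local server opened.

    Models the behaviour the vendor describes: any local port may receive a reply,
    but only if that exact (local_ip, local_port) pair initiated a connection to
    the validation server, and the reply is seen to come from its port 80.
    """

    def __init__(self, local_ips, validation_ip, validation_port=80):
        self.local_ips = set(local_ips)            # the ~8 addresses on the internal server
        self.validation = (validation_ip, validation_port)
        self.established = set()                   # (local_ip, local_port) with an open flow

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound is allowed only from a local address, from an ephemeral port,
            # and only toward the validation server's published port.
            if (pkt.src_ip in self.local_ips and pkt.src_port > 1024
                    and (pkt.dst_ip, pkt.dst_port) == self.validation):
                self.established.add((pkt.src_ip, pkt.src_port))
                return "ALLOW"
            return "DROP"
        # Inbound: must be the reply on an established channel, from port 80.
        if ((pkt.src_ip, pkt.src_port) == self.validation
                and (pkt.dst_ip, pkt.dst_port) in self.established):
            return "ALLOW"
        return "DROP"   # unsolicited inbound traffic, even from the validation server

    def close(self, local_ip: str, local_port: int) -> None:
        """Forget a flow once the application is done, so the port closes again."""
        self.established.discard((local_ip, local_port))
```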


jkelley53 (Author) commented:
Thanks. I just talked with Microsoft and they suggested I install the Firewall Client. (The Blackboard server doing the outbound connection from my network) was a SecureNAT client until we tried the Firewall Client. The Firewall Client combined with adding a specific destination set with the server in it seemed to do the trick. Everything is working now.

You get the points since you were the first one to post some info for me. Thanks.

Thanks for the points. I am surprised MS suggested you use the Firewall Client. All servers should be SecureNAT clients. But your situation may be an exception.