Access Security DVR from Behind ISA 2004 Over the Internet - Having Major Troubles!!!

Posted on 2006-05-11
Medium Priority
Last Modified: 2013-11-16
My question is as follows:

We have a security camera DVR setup on our LAN  ip:  Can access it over the LAN No Problems.

SBS 2003 Server with 2 nics  Running ISA 2004

DVR ( - SBS Box/ISA 2004 ( - Router(Linksys) - ASDL Modem - Netopia - Internet

I want to be able to have access from the internet back into the DVR to view Remotely - I would like it to be on a port that would redirect to the DVR on the Lan

Everfocus ESDR900F DVR access is via web browser locally open and works fine.

How do I set this up to say come in from the internet to My.domain.com:XXXX and have that forward through ISA to the DVR box and have it work with ISA to relay the information back out to the client who is trying to view the DVR?

XXXX = any port that we assign to forward to the internal DVR address on the LAN

Also the DVR needs certain ports open to work properly -
They List:

80, 1111, 2222, 3333, 4444, 6666

Can this be done in ISA 2004 and how to go about resolving the issue?

I'm guessing that some sort of redirect has to take place?

I'm guessing some sort of Protocol Rules?

I'm guessing some sort of Webserver Rules?

Please advise as we are stuck on this issue and do not know how to resolve

Question by:Wojohowitz
  • 3
  • 2

Expert Comment

ID: 16666067
Hey Wojohowitz :-)

The best solution is to just use Remote Web Workplace, Connect to a Client Desktop (or server) and type - done.

The hard and NOT safe way is to publish everything in ISA.  Click on Firewall Policy then Publish a Webserver to forward port 80 traffic to .  Then you would have to publish all the other ports (1111, 2222, 3333, 4444, 6666) under Create New Server Publishing Rule.

You would then have to re-run the famous CEICW and open up port 80 as well under firewall - and this is where the problems would start.  BACKUP!!!

Note - if your company is hosting its website or SBS is using port 80 you cannot do this on SBS/ISA.  The website needs to be on port :80 @ on the SBS Server - if you move port 80 to it would break.

Additionally, you have a weird setup if you are using 2 nics and a Linksys rotuer above that.  The Linksys would need all the ports open as well  80, 1111, 2222, 3333, 4444, 6666 (much easier than in ISA though!)

As a security admin and SBS Specialist I would NOT do this.  Opening Port 80 is a bad idea on SBS.  Use the Remote Web Workplace via the VPN



Author Comment

ID: 16668517

I forgot to mention that I could change the http 80 on the DVR to anything I choose - example 9090 etc....

If I do that would that solve the port 80 problem to the DVR

So could I just re-route the traffic that comes into say our www.FQDN.com:9090 and have it point to the DVR machine on the LAN?

1 NIC for LAN    

1 NIC for WAN

ISA Locks everything up as far as I can tell,  how would I do that redirect so that when I put in www.FQDN.com:9090 it would send it on to the right machine on SBS.

and on ISA would the 1111,2222,3333,4444,6666 be an inbound TCP or outbound TCP Rule

Thanks for taking a crack at this for me.



Expert Comment

ID: 16670318
Yup, www.FQDN.com:9090 and create the new ports and rules for Inbound.

I would use 1110,1111 and forward to (then test - if needed open 2222,3333...)

The more I think about this you could also just make a VPN connection and hit - no RWW needed!

If you have a Linksys above the WAN nic you have to open the ports there as well.  You probably have UPnP turned on and have just been getting lucky so far as the CEICW has been modifying it.  On the Linksys you would now have to open 1110,1111 and forward to SBS ( and then SBS would forward to

Author Comment

ID: 16671403

I guess my question i as follows:

How or where to create the new ports in ISA or SBS and then how to configure the rules? and then how to forward the initial request to

and does it matter what port?

Don't want to use the VPN for access


Accepted Solution

harryballz earned 2000 total points
ID: 16672261
Dude you're scarring me now - Microsoft ISA Server Management ...START> ALL PROGRAMS> Micrsosoft ISA Server  *Go here and spend 8-24 hours 1st... http://www.isa2004training.com

Like above "Click on Firewall Policy (left) then Create New Server Publishing Rule - feed it the data, ports and IP you want.  Stay away from ports SBS uses (25,80,443,444,3389,4125)

And don't forget to opne those ports in the lInksys above SBS.

The VPN is the better way.  Just download the Connection Manager in SBS .  Go to https://sbserver/Remote 

Good luck...

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question