I have an ISA Server 2006 Standard Server acting as a firewall for my network.  My ISP has assigned me 8 IP addresses and one of those IP addresses I would like to direct to a server that is on my trusted network.  I have successfully published an access rule that tests passing remote desktop to the server with success so I know the system can respond to an appropriately configured access rule.  The only thing installed on this server is Azureus for bit torrents.  I followed some instructions on Azureus Wiki to no avail.  I configured my Azureus client to use port 5973 TCP and UDP, published the appropriate inbound access protocols and configured an access rule for outbound in accordance with the documentation as well however I have a problem running the NAT test.  The instructions indicate the firewall client needs to be running on the system in the network.  If this is the case I think I read somewhere here that the firewall client should not be installed on a server.  If this is true will my problem vanish if I simply use a workstation running let's say Windows XP instead?  My other option would be to open ALL ports both directions to this one system but I'm not sure how to configure opening ALL ports inbound.  Opening outbound is no problem but I can't seem to figure out inbound.  I know how to specifiy the listening on the one IP but I can't get ALL ports open.

Seems like a dumb request but I'll drop the max points since there really are two questions in here.

Who is Participating?
Keith AlabasterEnterprise ArchitectCommented:
OK - your call Dave but my comments stand.

As I mention above, you need to publish a non-web server - you do not use access rules for inbound traffic such as this regardless of reason.

when prompted for the protocols to use you will need to create a new one (might need two or more) that cover the tcp and udp port ranges that the product requires.
You will need a coresspondin access rule that allows the same protocols from internal to external.

never heard of that product so cannot advise on what ports it requires. However, you can use the ISA gui (monitoring - logging - start query) to identify the traffic that is arriving/leaving and then add these to the protocol definition bit by bit unless you have them documented somewhere. Many Bit Torrent systems need a range of ports numbering in the thousands to be open as they are randomly selected.
Keith AlabasterEnterprise ArchitectCommented:
You do NOT use access rules for traffic coming in from the external interface to the internal network generally unless both ends of the ISA are secure. You use a Publishing rule - for rdp, you would publish a non-web server using terminal services (RDP) and enter in the internal ip of the server you wanted to connect to.

This is weird - after 8 years of installing ISA server i have not found a single administrator in charge of a network and its security who woulod dream of allowing something ads dangerous as bit torrent style traffic onto their internal network for any reason. You are the second in a couple of days - i will leave this part to someone else to advise as, for me, this is so far from best practice that I would not want to get involved with it.
ModernAgeAuthor Commented:
Keith...maybe if I clarify this will help.  This is not for a business.  I am doing this at home and the use of ISA to separate my network from the world is simply to become familiar with the rules and functionality...nothing more.

Otherwise I am completely with you and your me.

ModernAgeAuthor Commented:
I got you there really isn't a pre-definited protocol with a wide open port range therefore I have to create one that has the extended open port range.

...and I completely understand now....access rules for outbound and published protocols for inbound...providing the ISA server is using external and internal interfaces.
Keith AlabasterEnterprise ArchitectCommented:
That about it. The exception to this is, for example, you link two internal networks therefore you trust both sides of the ISA firewall and you just want to control it better - then you may just want to use access rules and you may only want to route vtraffic between external and internal rather than the default NAT. :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.