Solved

ISA SERVER WITH AZUREUS

Posted on 2007-12-05
Last Modified: 2010-04-21
I have an ISA Server 2006 Standard Server acting as a firewall for my network. My ISP has assigned me 8 IP addresses and one of those IP addresses I would like to direct to a server that is on my trusted network. I have successfully published an access rule that tests passing remote desktop to the server with success so I know the system can respond to an appropriately configured access rule. The only thing installed on this server is Azureus for bit torrents. I followed some instructions on Azureus Wiki to no avail. I configured my Azureus client to use port 5973 TCP and UDP, published the appropriate inbound access protocols and configured an access rule for outbound in accordance with the documentation as well; however, I have a problem running the NAT test. The instructions indicate the firewall client needs to be running on the system in the network. If this is the case I think I read somewhere here that the firewall client should not be installed on a server. If this is true will my problem vanish if I simply use a workstation running let's say Windows XP instead? My other option would be to open ALL ports both directions to this one system but I'm not sure how to configure opening ALL ports inbound. Opening outbound is no problem but I can't seem to figure out inbound. I know how to specify the listening on the one IP but I can't get ALL ports open.

Seems like a dumb request but I'll drop the max points since there really are two questions in here.

Thanks...
Question by:ModernAge

Expert Comment

by:Keith Alabaster
You do NOT use access rules for traffic coming in from the external interface to the internal network generally unless both ends of the ISA are secure. You use a Publishing rule - for rdp, you would publish a non-web server using terminal services (RDP) and enter in the internal ip of the server you wanted to connect to.

This is weird - after 8 years of installing ISA server I have not found a single administrator in charge of a network and its security who would dream of allowing something as dangerous as bit torrent style traffic onto their internal network for any reason. You are the second in a couple of days - I will leave this part to someone else to advise as, for me, this is so far from best practice that I would not want to get involved with it.

Author Comment

by:ModernAge
Keith...maybe if I clarify this will help.  This is not for a business.  I am doing this at home and the use of ISA to separate my network from the world is simply to become familiar with the rules and functionality...nothing more.

Otherwise I am completely with you and your beliefs...trust me.

Dave

Accepted Solution

by:
Keith Alabaster earned 500 total points
OK - your call Dave but my comments stand.

As I mention above, you need to publish a non-web server - you do not use access rules for inbound traffic such as this regardless of reason.

When prompted for the protocols to use you will need to create a new one (might need two or more) that cover the TCP and UDP port ranges that the product requires.
You will need a corresponding access rule that allows the same protocols from internal to external.

Never heard of that product so cannot advise on what ports it requires. However, you can use the ISA GUI (monitoring - logging - start query) to identify the traffic that is arriving/leaving and then add these to the protocol definition bit by bit unless you have them documented somewhere. Many Bit Torrent systems need a range of ports numbering in the thousands to be open as they are randomly selected.
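The log-driven approach in the accepted answer, as an added example that is not part of the original thread: it reads denied entries from an exported firewall log and collapses the observed ports into the narrowest ranges to put in the custom protocol definitions, as an alternative to opening all ports. The tab-separated layout, column names and IP addresses are assumptions made for this example, not ISA Server's actual log schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the columns are assumed, not ISA's real log schema.
SAMPLE_LOG = """\
time\ttransport\tsrc_ip\tdst_ip\tdst_port\taction
10:00:01\tTCP\t198.51.100.7\t203.0.113.10\t5973\tDenied
10:00:02\tUDP\t198.51.100.9\t203.0.113.10\t5973\tDenied
10:00:05\tTCP\t10.0.0.20\t198.51.100.7\t6881\tDenied
10:00:06\tTCP\t10.0.0.20\t198.51.100.8\t6882\tDenied
10:00:07\tTCP\t10.0.0.20\t198.51.100.9\t6883\tDenied
10:00:09\tTCP\t10.0.0.20\t192.0.2.80\t80\tAllowed
10:00:11\tTCP\t198.51.100.7\t203.0.113.11\t3389\tDenied
10:00:12\tUDP\t10.0.0.20\t198.51.100.9\t6969\tDenied
"""

PUBLISHED_IP = "203.0.113.10"   # hypothetical external IP dedicated to the server
INTERNAL_IP = "10.0.0.20"       # hypothetical internal address of the server

def merge_ports(ports):
    """Collapse a set of ports into sorted (low, high) contiguous ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def suggest_definitions(log_text, published_ip, internal_ip):
    """Return {(direction, transport): [(low, high), ...]} for denied traffic."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if row["action"] != "Denied":
            continue
        if row["dst_ip"] == published_ip:
            direction = "inbound"    # candidate for the server publishing rule
        elif row["src_ip"] == internal_ip:
            direction = "outbound"   # candidate for the matching access rule
        else:
            continue                 # traffic for other hosts is out of scope
        seen[(direction, row["transport"])].add(int(row["dst_port"]))
    return {key: merge_ports(ports) for key, ports in seen.items()}

if __name__ == "__main__":
    for key, ranges in sorted(suggest_definitions(SAMPLE_LOG, PUBLISHED_IP, INTERNAL_IP).items()):
        print(key, ranges)
```

Review each suggested range before adding it: a denied entry only shows that traffic was attempted, not that it belongs to the application being published.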
 

Author Closing Comment

by:ModernAge
I got you now...so there really isn't a pre-defined protocol with a wide open port range therefore I have to create one that has the extended open port range.

...and I completely understand now....access rules for outbound and published protocols for inbound...providing the ISA server is using external and internal interfaces.

Expert Comment

by:Keith Alabaster
That's about it. The exception to this is, for example, you link two internal networks therefore you trust both sides of the ISA firewall and you just want to control it better - then you may just want to use access rules and you may only want to route traffic between external and internal rather than the default NAT. :)