Posted on 2007-12-05
Medium Priority
Last Modified: 2010-04-21
I have an ISA Server 2006 Standard Server acting as a firewall for my network.  My ISP has assigned me 8 IP addresses and one of those IP addresses I would like to direct to a server that is on my trusted network.  I have successfully published an access rule that tests passing remote desktop to the server with success so I know the system can respond to an appropriately configured access rule.  The only thing installed on this server is Azureus for bit torrents.  I followed some instructions on the Azureus Wiki to no avail.  I configured my Azureus client to use port 5973 TCP and UDP, published the appropriate inbound access protocols and configured an access rule for outbound in accordance with the documentation as well; however, I have a problem running the NAT test.  The instructions indicate the firewall client needs to be running on the system in the network.  If this is the case, I think I read somewhere here that the firewall client should not be installed on a server.  If this is true, will my problem vanish if I simply use a workstation running, let's say, Windows XP instead?  My other option would be to open ALL ports both directions to this one system but I'm not sure how to configure opening ALL ports inbound.  Opening outbound is no problem but I can't seem to figure out inbound.  I know how to specify the listening on the one IP but I can't get ALL ports open.

Seems like a dumb request but I'll drop the max points since there really are two questions in here.

Question by:ModernAge
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20414438
You do NOT use access rules for traffic coming in from the external interface to the internal network generally unless both ends of the ISA are secure. You use a Publishing rule - for rdp, you would publish a non-web server using terminal services (RDP) and enter in the internal ip of the server you wanted to connect to.

This is weird - after 8 years of installing ISA server I have not found a single administrator in charge of a network and its security who would dream of allowing something as dangerous as bit torrent style traffic onto their internal network for any reason. You are the second in a couple of days - I will leave this part to someone else to advise as, for me, this is so far from best practice that I would not want to get involved with it.

Author Comment

ID: 20414457
Keith...maybe if I clarify this will help.  This is not for a business.  I am doing this at home and the use of ISA to separate my network from the world is simply to become familiar with the rules and functionality...nothing more.

Otherwise I am completely with you and your beliefs...trust me.

LVL 51

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 20414922
OK - your call Dave but my comments stand.

As I mention above, you need to publish a non-web server - you do not use access rules for inbound traffic such as this regardless of reason.

When prompted for the protocols to use you will need to create a new one (might need two or more) that cover the TCP and UDP port ranges that the product requires.
You will need a corresponding access rule that allows the same protocols from internal to external.

Never heard of that product so cannot advise on what ports it requires. However, you can use the ISA GUI (Monitoring - Logging - Start Query) to identify the traffic that is arriving/leaving and then add these to the protocol definition bit by bit unless you have them documented somewhere. Many Bit Torrent systems need a range of ports numbering in the thousands to be open as they are randomly selected.
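
The "start a log query and add ports to the protocol definition bit by bit" approach above, as an added example that is not part of this thread or of ISA Server itself: a small Python helper that reads firewall log lines, keeps only the ones addressed to the published server, and turns the destination ports it sees into the contiguous TCP/UDP port ranges that an ISA protocol definition is built from. It also counts how many ports the definition would open, so the "thousands of random ports" situation is flagged instead of silently turning into "open ALL ports". The log sample is constructed and uses a simplified five-column W3C-style layout (assumption: the real ISA 2006 firewall log carries many more columns; only these names are used here), and the server address 192.168.1.50 is a placeholder.

```python
"""Build ISA protocol-definition port ranges from firewall log lines.

Added example, not part of ISA Server or this thread. It automates the
'Monitoring - Logging - Start Query' walk-through from the answer: collect
the ports external peers actually hit on the published server, coalesce
them into contiguous ranges, and report how wide the definition has become.
"""
from collections import defaultdict

# Constructed sample log in a simplified W3C-style layout. Assumption: the
# real ISA 2006 firewall log has more columns; only these five are used here.
SAMPLE_LOG = """\
#Software: constructed sample, not a real ISA export
#Fields: c-ip r-ip r-port cs-transport action
203.0.113.10 192.168.1.50 5973 TCP Initiated
203.0.113.11 192.168.1.50 5973 UDP Initiated
203.0.113.12 192.168.1.50 5974 TCP Denied
203.0.113.12 192.168.1.50 5975 TCP Denied
203.0.113.13 192.168.1.50 6881 TCP Denied
203.0.113.13 192.168.1.50 6882 TCP Denied
203.0.113.13 192.168.1.50 6883 TCP Denied
203.0.113.14 192.168.1.50 5973 UDP Denied
203.0.113.15 192.168.1.50 5980 UDP Denied
203.0.113.16 192.168.1.51 3389 TCP Initiated
"""


def parse_fields(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        yield dict(zip(fields, values))


def observed_ports(text, published_server):
    """Return {transport: sorted destination ports} seen for one server."""
    seen = defaultdict(set)
    for rec in parse_fields(text):
        if rec["r-ip"] != published_server:
            continue  # traffic for other hosts does not belong in this definition
        try:
            port = int(rec["r-port"])
        except ValueError:
            continue
        if 1 <= port <= 65535:
            seen[rec["cs-transport"].upper()].add(port)
    return {t: sorted(p) for t, p in seen.items()}


def coalesce(ports):
    """Collapse a list of ports into (low, high) contiguous ranges."""
    ranges = []
    for port in sorted(set(ports)):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def protocol_ranges(text, published_server):
    """Port ranges per transport, in the shape an ISA protocol definition takes."""
    return {t: coalesce(p) for t, p in observed_ports(text, published_server).items()}


def port_span(ranges):
    """Total number of ports a set of ranges would open."""
    return sum(high - low + 1 for low, high in ranges)


def review(text, published_server, max_ports=64):
    """Summarise the definition and flag when it drifts towards 'all ports'."""
    report = {}
    for transport, ranges in protocol_ranges(text, published_server).items():
        span = port_span(ranges)
        report[transport] = {"ranges": ranges, "ports": span, "too_wide": span > max_ports}
    return report


if __name__ == "__main__":
    for transport, info in review(SAMPLE_LOG, "192.168.1.50").items():
        flag = "  <-- review before publishing" if info["too_wide"] else ""
        print(f"{transport}: {info['ranges']} ({info['ports']} ports){flag}")
```

Run it against an exported log query (the query in the ISA console can be saved to a file) and type the resulting ranges into the new protocol definition: TCP ranges as inbound primary connections for the server publishing rule, UDP as receive/send, with the matching outbound access rule the answer describes. The `max_ports` threshold is the point at which it is worth asking whether the application can be pinned to a fixed port instead of opening a wide range.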

Author Closing Comment

ID: 31412870
I got you now...so there really isn't a pre-defined protocol with a wide open port range, therefore I have to create one that has the extended open port range.

...and I completely understand now....access rules for outbound and published protocols for inbound...providing the ISA server is using external and internal interfaces.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 20415171
That's about it. The exception to this is, for example, when you link two internal networks, therefore you trust both sides of the ISA firewall and you just want to control it better - then you may just want to use access rules and you may only want to route traffic between external and internal rather than the default NAT. :)
