Posted on 2007-12-05
Medium Priority
Last Modified: 2010-04-21
I have an ISA Server 2006 Standard Server acting as a firewall for my network.  My ISP has assigned me 8 IP addresses and one of those IP addresses I would like to direct to a server that is on my trusted network.  I have successfully published an access rule that tests passing remote desktop to the server with success so I know the system can respond to an appropriately configured access rule.  The only thing installed on this server is Azureus for bit torrents.  I followed some instructions on Azureus Wiki to no avail.  I configured my Azureus client to use port 5973 TCP and UDP, published the appropriate inbound access protocols and configured an access rule for outbound in accordance with the documentation as well however I have a problem running the NAT test.  The instructions indicate the firewall client needs to be running on the system in the network.  If this is the case I think I read somewhere here that the firewall client should not be installed on a server.  If this is true will my problem vanish if I simply use a workstation running let's say Windows XP instead?  My other option would be to open ALL ports both directions to this one system but I'm not sure how to configure opening ALL ports inbound.  Opening outbound is no problem but I can't seem to figure out inbound.  I know how to specifiy the listening on the one IP but I can't get ALL ports open.

Seems like a dumb request but I'll drop the max points since there really are two questions in here.

Question by:ModernAge
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20414438
You do NOT use access rules for traffic coming in from the external interface to the internal network generally unless both ends of the ISA are secure. You use a Publishing rule - for rdp, you would publish a non-web server using terminal services (RDP) and enter in the internal ip of the server you wanted to connect to.

This is weird - after 8 years of installing ISA server i have not found a single administrator in charge of a network and its security who woulod dream of allowing something ads dangerous as bit torrent style traffic onto their internal network for any reason. You are the second in a couple of days - i will leave this part to someone else to advise as, for me, this is so far from best practice that I would not want to get involved with it.

Author Comment

ID: 20414457
Keith...maybe if I clarify this will help.  This is not for a business.  I am doing this at home and the use of ISA to separate my network from the world is simply to become familiar with the rules and functionality...nothing more.

Otherwise I am completely with you and your beliefs...trust me.

LVL 51

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 20414922
OK - your call Dave but my comments stand.

As I mention above, you need to publish a non-web server - you do not use access rules for inbound traffic such as this regardless of reason.

when prompted for the protocols to use you will need to create a new one (might need two or more) that cover the tcp and udp port ranges that the product requires.
You will need a coresspondin access rule that allows the same protocols from internal to external.

never heard of that product so cannot advise on what ports it requires. However, you can use the ISA gui (monitoring - logging - start query) to identify the traffic that is arriving/leaving and then add these to the protocol definition bit by bit unless you have them documented somewhere. Many Bit Torrent systems need a range of ports numbering in the thousands to be open as they are randomly selected.

Author Closing Comment

ID: 31412870
I got you now...so there really isn't a pre-definited protocol with a wide open port range therefore I have to create one that has the extended open port range.

...and I completely understand now....access rules for outbound and published protocols for inbound...providing the ISA server is using external and internal interfaces.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20415171
That about it. The exception to this is, for example, you link two internal networks therefore you trust both sides of the ISA firewall and you just want to control it better - then you may just want to use access rules and you may only want to route vtraffic between external and internal rather than the default NAT. :)

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question