Posted on 2007-12-05
Medium Priority
Last Modified: 2010-04-21
I have an ISA Server 2006 Standard Server acting as a firewall for my network.  My ISP has assigned me 8 IP addresses and one of those IP addresses I would like to direct to a server that is on my trusted network.  I have successfully published an access rule that tests passing remote desktop to the server with success so I know the system can respond to an appropriately configured access rule.  The only thing installed on this server is Azureus for bit torrents.  I followed some instructions on Azureus Wiki to no avail.  I configured my Azureus client to use port 5973 TCP and UDP, published the appropriate inbound access protocols and configured an access rule for outbound in accordance with the documentation as well however I have a problem running the NAT test.  The instructions indicate the firewall client needs to be running on the system in the network.  If this is the case I think I read somewhere here that the firewall client should not be installed on a server.  If this is true will my problem vanish if I simply use a workstation running let's say Windows XP instead?  My other option would be to open ALL ports both directions to this one system but I'm not sure how to configure opening ALL ports inbound.  Opening outbound is no problem but I can't seem to figure out inbound.  I know how to specify the listening on the one IP but I can't get ALL ports open.

Seems like a dumb request but I'll drop the max points since there really are two questions in here.

Question by:ModernAge
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20414438
You do NOT use access rules for traffic coming in from the external interface to the internal network generally unless both ends of the ISA are secure. You use a Publishing rule - for rdp, you would publish a non-web server using terminal services (RDP) and enter in the internal ip of the server you wanted to connect to.

This is weird - after 8 years of installing ISA server I have not found a single administrator in charge of a network and its security who would dream of allowing something as dangerous as bit torrent style traffic onto their internal network for any reason. You are the second in a couple of days - I will leave this part to someone else to advise as, for me, this is so far from best practice that I would not want to get involved with it.

Author Comment

ID: 20414457
Keith...maybe if I clarify this will help.  This is not for a business.  I am doing this at home and the use of ISA to separate my network from the world is simply to become familiar with the rules and functionality...nothing more.

Otherwise I am completely with you and your beliefs...trust me.

LVL 51

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 20414922
OK - your call Dave but my comments stand.

As I mention above, you need to publish a non-web server - you do not use access rules for inbound traffic such as this regardless of reason.

When prompted for the protocols to use you will need to create a new one (might need two or more) that cover the TCP and UDP port ranges that the product requires.
You will need a corresponding access rule that allows the same protocols from internal to external.

Never heard of that product so cannot advise on what ports it requires. However, you can use the ISA GUI (Monitoring - Logging - Start Query) to identify the traffic that is arriving/leaving and then add these to the protocol definition bit by bit unless you have them documented somewhere. Many Bit Torrent systems need a range of ports numbering in the thousands to be open as they are randomly selected.
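The accepted answer's approach of reading the firewall log to find which ports a host actually uses, and then building a protocol definition from them instead of opening every port, can be scripted once the log query is exported to text. The following is an added example, not code from the thread or from Microsoft: it assumes the export is in the W3C-style text format with a `#Fields:` header naming the columns, filters the records for one internal client, groups destination ports by protocol, and collapses them into contiguous ranges (the general form of the "bit by bit" procedure) that can be typed into the TCP/UDP port ranges of a new protocol definition. A `denied_only` switch restricts the summary to connections the default rule is currently blocking. The sample log lines are constructed for the example and the column subset used is an assumption.

```python
"""Summarise the destination ports one client uses, per protocol, from ISA
Server firewall log lines exported as text, so a protocol definition can be
written with exact TCP/UDP ranges rather than opening all ports.

Added example, not from the thread. Assumes a W3C-style export with a
'#Fields:' header; sample rows are constructed, not captured from a real server.
"""
from collections import defaultdict

# Constructed sample log: comment lines, a '#Fields:' header, tab-separated rows.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Fields: client-ip\tclient-username\tdestination-ip\tdestination-port\tprotocol\taction\trule
192.168.1.50\tanonymous\t203.0.113.10\t5973\tTCP\tInitiated Connection\tBT outbound
192.168.1.50\tanonymous\t203.0.113.11\t6881\tTCP\tInitiated Connection\tBT outbound
192.168.1.50\tanonymous\t203.0.113.11\t6882\tTCP\tInitiated Connection\tBT outbound
192.168.1.50\tanonymous\t203.0.113.12\t6889\tTCP\tDenied Connection\tDefault rule
192.168.1.50\tanonymous\t203.0.113.13\t5973\tUDP\tInitiated Connection\tBT outbound
192.168.1.50\tanonymous\t203.0.113.14\t41234\tUDP\tDenied Connection\tDefault rule
192.168.1.50\tanonymous\t203.0.113.14\t41235\tUDP\tDenied Connection\tDefault rule
192.168.1.50\tanonymous\t203.0.113.14\t41236\tUDP\tDenied Connection\tDefault rule
192.168.1.77\tanonymous\t203.0.113.20\t443\tTCP\tInitiated Connection\tWeb
"""


def parse_firewall_log(text):
    """Return one dict per data row; '#Fields:' supplies the keys, other '#' lines are skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appears before the '#Fields:' header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def ports_by_protocol(records, client_ip, denied_only=False):
    """Map protocol name -> sorted distinct destination ports for one internal client."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("client-ip") != client_ip:
            continue
        if denied_only and not rec.get("action", "").startswith("Denied"):
            continue
        try:
            port = int(rec["destination-port"])
        except (KeyError, ValueError):
            continue
        seen[rec.get("protocol", "?")].add(port)
    return {proto: sorted(ports) for proto, ports in seen.items()}


def collapse_ranges(ports):
    """Collapse a list of port numbers into contiguous (low, high) ranges."""
    ranges = []
    for port in sorted(set(ports)):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def summarize(log_text, client_ip, denied_only=False):
    """Protocol -> list of (low, high) port ranges seen for client_ip."""
    records = parse_firewall_log(log_text)
    by_proto = ports_by_protocol(records, client_ip, denied_only)
    return {proto: collapse_ranges(ports) for proto, ports in by_proto.items()}


if __name__ == "__main__":
    for proto, ranges in sorted(summarize(SAMPLE_LOG, "192.168.1.50").items()):
        spans = ", ".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)
        print(f"{proto}: {spans}")
```

Run against the constructed sample it reports `TCP: 5973, 6881-6882, 6889` and `UDP: 5973, 41234-41236`; with `denied_only=True` only the ports the default rule blocked remain, which is the list to review before widening the protocol definition.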

Author Closing Comment

ID: 31412870
I got you now...so there really isn't a pre-defined protocol with a wide open port range therefore I have to create one that has the extended open port range.

...and I completely understand now....access rules for outbound and published protocols for inbound...providing the ISA server is using external and internal interfaces.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 20415171
That's about it. The exception to this is, for example, when you link two internal networks, therefore you trust both sides of the ISA firewall and you just want to control it better - then you may just want to use access rules and you may only want to route traffic between external and internal rather than the default NAT. :)
