• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1532
  • Last Modified:

Need outside access to Local IP Camera through ISA 2004 without VPN connection occuring

Basically we have local IP Cameras with Static IP's.
Ownership wants to be able to access the cameras via an iPhone Ap or IP address from Outside our network, they want to use this to show clients.
Normally they VPN in and access the camera's via IP, but they now need to be able to do it without VPN'ing in first since they will be doing it from different locations/devices.
We run ISA 2004 and do have a static outside facing IP.

What's the easiest and safest way to go about this (even though easiest and safest rarely seem to coincide with one another).

  • 3
  • 2
2 Solutions
Keith AlabasterEnterprise ArchitectCommented:
You have two choices.

1. you can get an additional external IP address for each camera that you need to access from the Internet and create a new non-web publishing rule on each ip address forwarding it to a different internal camera ip address internally


2. You can use multiple port numbers on the single external IP address. In ISA you would need to create a non-web publishing rule that listened on different port numbers and, when that traffic arrived, ISA would forward it on the correct port to the specific ip address internally.
For example
web browser url ISA Listens on.... ISA forwards out on camera/port
www.camera.com:81 81 1st internal camera IP on port 80
www.camera.com:82 82 2nd internal camera ip on port 80

and so on.
Josh_EPAuthor Commented:
So, with solution 2-

Lets say my external IP is XXX.XXX.XXX.XXX and my Camera Internal is YYY.YYY.YYY.YYY

How would I determine what port I can/should use?
Would I create a Non-Web Publishing Rule that listened on Port ####, and then forwarded it to YYY.YYY.YYY.YYY

So then from an iPhone or other off-network device, the user could browse to XXX.XXX.XXX.XXX:#### and ISA would see this and redirect to the local Camera's IP and Homepage?

The camera is accessible internally via YYY.YYY.YYY.YYY or YYY.YYY.YYY.YYY:80 currently.

We host our email as well as FTP internally. Web is hosted elsewhere. Not sure if that makes a difference at all.

Sorry if I am asking  a simple question in a complicated way, but I am trying to get it right the first time, and not make any mistakes or open anything up more than I should be.

Thanks for the help so far Keith!
Keith AlabasterEnterprise ArchitectCommented:
Externally, the user would put in xxx.yyy.aaa.bbb:81 or xxx.yyy.aaa.bbb:82 etc. Only you know what ports you have in your existing publishing rules. Bottom line, don't use a port that is already in use..... personally I normally pick something like 8081 - 8090 or something similar.

Yes - it is very simple, once you know how.
Create a new protocol called camera-in, using tcp port 8081 - port 8081
Make a new non-web publishing rule (sometimes called server publishing rule) and select the new protocol you have made and give it the internal IP address of one of the cameras. You will see you get the options here where you can change either the default listening port (which in this case is 8081) or the default forwarding port (again, the default will be 8081). Change the forwarding port to 80 and finish the wizard. Now this listener 'listens' on 8081 and forwards to port 80 of that camera ip address

makke a new server publishing rule, select the protocol we made and chnage the listening port to 8082 and the forwarding port to 80 and give this the IP address of anotheer camera and so on.

so you now have the http://aaa.bbb.ccc.ddd:8081 goes to camera 1, http://aaa.bbb.ccc.ddd:8082 goes to camera 2 and so on.
Josh_EPAuthor Commented:
Awesome solution, thanks Keith!
Keith AlabasterEnterprise ArchitectCommented:
Welcome :)

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now