Need outside access to Local IP Camera through ISA 2004 without VPN connection occurring

Basically we have local IP cameras with static IPs.
Ownership wants to be able to access the cameras via an iPhone app or IP address from outside our network; they want to use this to show clients.
Normally they VPN in and access the cameras via IP, but they now need to be able to do it without VPN'ing in first since they will be doing it from different locations/devices.
We run ISA 2004 and do have a static outside facing IP.

What's the easiest and safest way to go about this (even though easiest and safest rarely seem to coincide with one another).


Keith Alabaster (Enterprise Architect) commented:
You have two choices.

1. You can get an additional external IP address for each camera that you need to access from the Internet and create a new non-web publishing rule on each IP address, forwarding it to a different internal camera IP address.


2. You can use multiple port numbers on the single external IP address. In ISA you would need to create a non-web publishing rule that listened on different port numbers and, when that traffic arrived, ISA would forward it on the correct port to the specific IP address internally.
For example:

web browser url | ISA listens on | ISA forwards out on camera/port
                | 81             | 1st internal camera IP on port 80
                | 82             | 2nd internal camera IP on port 80

and so on.

Josh_EP (Author) commented:
So, with solution 2-

Let's say my external IP is XXX.XXX.XXX.XXX and my camera's internal IP is YYY.YYY.YYY.YYY

How would I determine what port I can/should use?
Would I create a Non-Web Publishing Rule that listened on Port ####, and then forwarded it to YYY.YYY.YYY.YYY?

So then from an iPhone or other off-network device, the user could browse to XXX.XXX.XXX.XXX:#### and ISA would see this and redirect to the local Camera's IP and Homepage?

The camera is accessible internally via YYY.YYY.YYY.YYY or YYY.YYY.YYY.YYY:80 currently.

We host our email as well as FTP internally. Web is hosted elsewhere. Not sure if that makes a difference at all.

Sorry if I am asking a simple question in a complicated way, but I am trying to get it right the first time, and not make any mistakes or open anything up more than I should be.

Thanks for the help so far Keith!
Keith Alabaster (Enterprise Architect) commented:
Externally, the user would put in or etc. Only you know what ports you have in your existing publishing rules. Bottom line, don't use a port that is already in use..... personally I normally pick something like 8081 - 8090 or something similar.

Yes - it is very simple, once you know how.
Create a new protocol called camera-in, using TCP port 8081 - port 8081.
Make a new non-web publishing rule (sometimes called server publishing rule) and select the new protocol you have made and give it the internal IP address of one of the cameras. You will see you get the options here where you can change either the default listening port (which in this case is 8081) or the default forwarding port (again, the default will be 8081). Change the forwarding port to 80 and finish the wizard. Now this listener 'listens' on 8081 and forwards to port 80 of that camera IP address.

Make a new server publishing rule, select the protocol we made and change the listening port to 8082 and the forwarding port to 80 and give this the IP address of another camera and so on.

So you now have http://aaa.bbb.ccc.ddd:8081 going to camera 1, http://aaa.bbb.ccc.ddd:8082 going to camera 2 and so on.
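
The port-per-camera plan from the answer above, as an added example that is not part of the original thread: it assigns each camera a listening port from 8081 - 8090, skips ports that existing publishing rules already use, and refuses to plan when the range runs out. The camera addresses, external address and in-use port list are constructed sample values, and the rule dictionaries are a hypothetical worksheet format to copy into the ISA wizard, not an ISA API.

```python
# Added example: plan ISA non-web (server) publishing rules for cameras.
# All addresses and the in-use port list are constructed sample values.

CAMERA_RANGE = range(8081, 8091)  # 8081 - 8090, the range suggested in the answer
CAMERA_PORT = 80                  # cameras answer HTTP on port 80 internally
PROTOCOL = "camera-in"            # protocol definition name used in the answer


def plan_rules(camera_ips, ports_in_use, port_range=CAMERA_RANGE):
    """Return one rule per camera: external listening port -> camera_ip:80.

    Raises ValueError on a duplicate camera or when the range has too few
    free ports, so a collision is caught before anything is published.
    """
    if len(set(camera_ips)) != len(camera_ips):
        raise ValueError("duplicate camera IP in list")
    taken = set(ports_in_use)
    free = [p for p in port_range if p not in taken]
    if len(free) < len(camera_ips):
        raise ValueError(
            f"need {len(camera_ips)} free ports, only {len(free)} in range")
    return [
        {"protocol": PROTOCOL, "listen_port": port,
         "forward_ip": ip, "forward_port": CAMERA_PORT}
        for port, ip in zip(free, camera_ips)
    ]


def format_plan(rules, external_ip):
    """Render the plan as 'URL -> internal camera' lines."""
    return "\n".join(
        f"http://{external_ip}:{r['listen_port']} -> "
        f"{r['forward_ip']}:{r['forward_port']}"
        for r in rules
    )


if __name__ == "__main__":
    # Constructed sample: FTP, SMTP and one port in the range already published.
    in_use = [21, 25, 8082]
    cameras = ["192.168.1.201", "192.168.1.202", "192.168.1.203"]
    print(format_plan(plan_rules(cameras, in_use), "203.0.113.10"))
```
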
Josh_EP (Author) commented:
Awesome solution, thanks Keith!
Keith Alabaster (Enterprise Architect) commented:
Welcome :)