ISA 2006 SMB

timbrigham used Ask the Experts™
Can an ISA 2006 server be used to allow named pipes but block all other SMB connections on port 445?
I have an application which requires named pipes from the application server in the DMZ to my internal SQL server.
ISA can be configured to allow/deny traffic on specific ports to/from specific servers.

You should be able to configure ISA to allow the traffic you want but make sure it's tied down to limit security problems.
As far as I know there is no application-level filter for the SMB protocol in ISA 200x.
That means that you can only accept or deny the 445 TCP port between servers by using a rule, but you cannot restrict the dialog depending on some SMB functions.
Some protocols in ISA are managed through application-level filters, like HTTP, FTP, SMTP, ... For these protocols you can make rules that go above the TCP port level to allow or deny traffic. With these protocols you can prohibit the use of some "verbs" or "commands" inside the protocol. As an example, you can make an HTTP rule that allows traffic on port 80 but prohibits use of the "POST" HTTP command.
The SMB protocol is not managed through an application-level filter, so I'm afraid you'll have to allow the whole 445 TCP port traffic.
Have a good day.
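
Added illustration (not part of the original thread, and not ISA code): what an application-level SMB filter would have to inspect that a port-445 rule cannot see. Named pipes are reached through the IPC$ share, so this classifies SMB2 TREE_CONNECT requests by share name; `classify`, `build_tree_connect` and the server name `sqlsrv` are hypothetical, and the sample frames are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
TREE_CONNECT = 0x0003  # SMB2 command code
HDR = 64               # fixed SMB2 header size

def build_tree_connect(unc_path):
    """Constructed sample input: a framed SMB2 TREE_CONNECT request."""
    path = unc_path.encode("utf-16-le")
    # ProtocolId, StructureSize, CreditCharge+Status (zeroed), Command
    header = SMB2_MAGIC + struct.pack("<H", HDR) + bytes(6) + struct.pack("<H", TREE_CONNECT)
    header = header.ljust(HDR, b"\x00")
    # StructureSize=9, Reserved, PathOffset (from header start), PathLength
    body = struct.pack("<HHHH", 9, 0, HDR + 8, len(path)) + path
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # direct-TCP framing

def classify(frame):
    """Return 'allow', 'deny' or 'pass' for one framed message on TCP 445."""
    if len(frame) < 4 or frame[0] != 0:
        return "deny"                      # not a session message
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if length < HDR or len(msg) != length or msg[:4] != SMB2_MAGIC:
        return "deny"                      # truncated, or not SMB2 (SMB1 is rejected here)
    (command,) = struct.unpack_from("<H", msg, 12)
    if command != TREE_CONNECT:
        return "pass"                      # simplification: a stateful filter would tie
                                           # later requests to an approved tree ID
    if length < HDR + 8:
        return "deny"
    offset, size = struct.unpack_from("<HH", msg, HDR + 4)
    if offset < HDR + 8 or offset + size > length or size % 2:
        return "deny"                      # path field points outside the message
    path = msg[offset:offset + size].decode("utf-16-le", "replace")
    share = path.rstrip("\\").rsplit("\\", 1)[-1]
    return "allow" if share.upper() == "IPC$" else "deny"

if __name__ == "__main__":
    for unc in ("\\\\sqlsrv\\IPC$", "\\\\sqlsrv\\C$"):
        print(unc, "->", classify(build_tree_connect(unc)))
```

A rule that only matches TCP 445 sees both of these connections as identical; the decision above depends entirely on bytes inside the SMB payload.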


PaciB, that is about what I figured. I've been doing some digging hoping to find a third party plugin which can manage SMB traffic but so far it has been a no go.
