Creating Server Publishing Rules - Dr. Tom Shinder's Configuring ISA Server 2004 [Electronic resources] - Text version

Thomas W. Shinder; Debra Littlejohn Shinder


Creating Server Publishing Rules



Creating Server Publishing Rules is simple compared to Web Publishing Rules. The only things you need to know when creating a Server Publishing Rule are:

The protocol or protocols you want to publish
The IP address where the ISA firewall accepts the incoming connections
The IP address of the Protected Network server you want to publish

A Server Publishing Rule uses protocols with the primary connection set as Inbound, Receive or Receive/Send. For example, if you want to publish an SMTP server, the Protocol Definition for that protocol must be for SMTP, TCP port 25 Inbound. Outbound Protocol Definitions are used for Access Rules.



The ISA firewall comes with a number of built-in Server Publishing Protocol Definitions. Table 8.2 lists these built-in Protocol Definitions.

Table 8.2: Server Publishing Protocol Definitions

Protocol Definition | Primary connection(s) and filter | Usage
--- | --- | ---
DNS Server | TCP 53 Inbound; UDP 53 Receive/Send; DNS Security Filter enabled | Domain Name System Protocol - Server. An inbound protocol used for server publishing. The Protocol Definition also allows DNS zone transfer.
Exchange RPC Server | TCP 135 Inbound; RPC Security Filter enabled; only Exchange RPC interfaces are exposed (Exchange RPC UUIDs) | Used for publishing an Exchange server for RPC access from the External network.
FTP Server | TCP 21 Inbound; FTP Access Filter enabled | File Transfer Protocol - Server. An inbound protocol used for server publishing. Both PASV and PORT modes are supported.
HTTPS Server | TCP 443 Inbound | Secure HyperText Transfer Protocol - Server. An inbound protocol used for server publishing. Used for publishing SSL sites when Web Publishing Rules and enhanced security are not required.
IKE Server | UDP 500 Receive/Send | Internet Key Exchange Protocol - Server. An inbound protocol used for server publishing. Used for IPSec passthrough.
IMAP4 Server | TCP 143 Inbound | Interactive Mail Access Protocol (IMAP) - Server. An inbound protocol used for server publishing.
IMAPS Server | TCP 993 Inbound | Secure Interactive Mail Access Protocol (IMAP) - Server. An inbound protocol used for server publishing.
IPSec ESP Server | IP Protocol 50 Receive/Send | IPSec ESP Protocol - Server. An inbound protocol used for server publishing. Used for IPSec passthrough.
IPSec NAT-T Server | UDP 4500 Receive/Send | IPSec NAT-T Protocol - Server. An inbound protocol used for server publishing. Used for NAT Traversal for L2TP/IPSec and other RFC-compliant NAT traversal connections for IPSec.
L2TP Server | UDP 1701 Receive/Send | Layer 2 Tunneling Protocol - Server. An inbound protocol used for server publishing. Used to publish the L2TP/IPSec control channel.
Microsoft SQL Server | TCP 1433 Inbound | Microsoft SQL Server Protocol.
MMS Server | TCP 1755 Inbound; UDP 1755 Receive; MMS Filter enabled | Microsoft Media Server Protocol - Server. An inbound protocol used for server publishing.
NNTP Server | TCP 119 Inbound | Network News Transfer Protocol - Server. An inbound protocol used for server publishing.
NNTPS Server | TCP 563 Inbound | Secure Network News Transfer Protocol - Server. An inbound protocol used for server publishing.
PNM Server | TCP 7070 Inbound; PNM Filter enabled | Progressive Networks Streaming Media Protocol - Server. An inbound protocol used for server publishing.
POP3 Server | TCP 110 Inbound | Post Office Protocol v.3 - Server. An inbound protocol used for server publishing.
POP3S Server | TCP 995 Inbound | Secure Post Office Protocol v.3 - Server. An inbound protocol used for server publishing.
PPTP Server | TCP 1723 Inbound; PPTP Filter enabled | Point-to-Point Tunneling Protocol - Server. An inbound protocol used for server publishing.
RDP (Terminal Services) Server | TCP 3389 Inbound | Remote Desktop Protocol (Terminal Services) - Server.
RPC Server (all interfaces) | TCP 135 Inbound; RPC Filter enabled | Remote Procedure Call Protocol - Server. An inbound protocol used for server publishing (all RPC interfaces). Used primarily for intradomain communications through the ISA firewall.
RTSP Server | TCP 554 Inbound | Real Time Streaming Protocol - Server. An inbound protocol used for server publishing. Used by Windows Media Server services on Windows Server 2003.
SMTP Server | TCP 25 Inbound; SMTP Security Filter enabled | Simple Mail Transfer Protocol - Server. An inbound protocol used for server publishing.
SMTPS Server | TCP 465 Inbound | Secure Simple Mail Transfer Protocol - Server. An inbound protocol used for server publishing.
Telnet Server | TCP 23 Inbound | Telnet Protocol - Server. An inbound protocol used for server publishing.

Any of the protocols in Table 8.2 can be used right out of the box for a Server Publishing Rule.



In the following example, we'll create a Server Publishing Rule for an RDP site on the default Internal Network. The RDP site could be a Terminal Server or a Windows XP machine running Remote Desktop:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node. Click the Tasks tab in the Task pane, and click Create a New Server Publishing Rule.

2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server Publishing Rule name text box. In the example, we'll name the rule SPR - Terminal Server. Click Next.

3. On the Select Server page, enter the IP address of the published server on the ISA firewall Protected Network in the Server IP address text box. In this example, we'll enter 10.0.0.2. You can also click Browse to find the server, but the ISA firewall will need to be able to resolve the name of that server correctly. Click Next.

4. On the Select Protocol page (Figure 8.42), click the down-arrow for the Selected protocol list, and click the RDP (Terminal Services) Server protocol. You can see the details of the selected protocol in the Properties dialog box. You can also change the ports used to accept the incoming connections and the ports used to forward the connection to the published server. Click Ports.

Figure 8.42: The Select Protocol Page

The following options are available to you in the Ports dialog box:

Publish using the default port defined in the Protocol Definition: This option makes the ISA firewall listen on the default port defined in the Protocol Definition for the selected protocol. In the current example, the RDP Protocol Definition listens on TCP port 3389. With this option, the ISA firewall listens on TCP port 3389 on the IP address you set for the listener for this Server Publishing Rule. This is the default setting.

Publish on this port instead of the default port: You can change the port number used to listen for incoming requests. This allows you to override the port number in the Protocol Definition. For example, we might want the ISA firewall to listen for incoming RDP connections on TCP port 8989. We could select Publish on this port instead of the default port, and then enter the alternate port, 8989, in the text box next to this option.

Send requests to the default port on the published server: This option configures the ISA firewall to forward the connection using the same port on which the ISA firewall received the request. In this example, the RDP Server Publishing Rule accepts incoming RDP connections on TCP port 3389. The connection is then forwarded to port 3389 on the published server. This is the default setting.

Send requests to this port on the published server: This option allows you to perform port redirection. For example, if the ISA firewall accepts incoming requests for RDP connections on TCP port 3389, you can redirect the connection to an alternate port on the published RDP server, such as TCP port 89.

Allow traffic from any allowed source port: This allows the ISA firewall to accept incoming connections from clients that use any source port in their requests to the published server. This is the default setting, and most applications are designed to accept connections from any client source port.

Limit access to traffic from this range of source ports: You can limit the source port that the application connecting to the published server uses by selecting this option. If your application allows you to configure the source port, you can improve the security of your Server Publishing Rule by limiting connections to hosts using a specific source port and entering that port in the text box associated with this option. You can also list a range of allowed source ports if you want to allow multiple hosts to connect to the server.

Click OK after making any changes. In this example, we will not change the listener or forwarded port number.

5. On the IP Addresses page, you can select the Network(s) where you want the ISA firewall to listen for incoming connections to the published server. The IP Addresses page for Server Publishing Rules works the same way as the one used by Web Publishing Rules. For more information on how to use the options on this page, review the discussion about the IP Address page in the non-SSL Web Publishing Rules section of this chapter. In this example, we'll select External by putting a checkmark in the External checkbox. Click Next.

6. Click Finish on the Completing the New Server Publishing Rule Wizard page.

7. Click Apply to save the changes and update the firewall policy.

8. Click OK in the Apply New Configuration dialog box.






The Server Publishing Rule Properties Dialog Box




You can fine-tune the Server Publishing Rule by opening the Server Publishing Rule's Properties dialog box. Double-click the Server Publishing Rule to open the Properties dialog box. The first tab you'll encounter is the General tab. Here you can change the name of the Server Publishing Rule and provide a description for the rule. You can also enable or disable the rule by changing the status of the Enable checkbox. The General tab is shown in Figure 8.43.

Figure 8.43: The General Tab

On the Action tab, set whether or not to log connections that apply to this rule. We recommend that you always log connections made via a Server Publishing Rule. However, if you have a reason not to log these connections (for example, privacy laws in your country do not allow logging this information), you can disable logging by removing the checkmark from the Log requests matching this rule checkbox shown in Figure 8.44.

Figure 8.44: The Action Tab

On the Traffic tab, you can change the protocol used for the Server Publishing Rule by clicking the down arrow in the Allow network traffic using the following protocol drop-down list. You can create a new Protocol Definition for a Server Publishing Rule by clicking New, and you can view the details of the Protocol Definition used in the Server Publishing Rule by clicking Properties. You can also customize the source and destination ports allowed by the Server Publishing Rule using the Ports button. See the options for the Traffic tab in Figure 8.45.

Figure 8.45: The Traffic Tab

You can control which hosts can connect to the published server using settings on the From tab. The default location allows hosts from Anywhere to connect to the published server via this rule. However, connections will only be allowed from hosts that can connect via the Networks configured on the Networks tab. So, while hosts from Anywhere can connect to the published server, connections are still limited to those hosts that can reach the interface(s) responsible for the Networks listed on the Networks tab.

You can get more granular access control over who can connect to the published server by removing the Anywhere option and allowing a more limited group of machines access to the published server. Click Anywhere, and then click Remove. Then click Add, and select a Network Object defining the group of machines you want to allow access to the published server.

You can further fine-tune access control by setting exceptions to the list of allowed hosts and adding them to the Exceptions list. Click Add in the Exceptions section. See Figure 8.46 for the options on the From tab.

Figure 8.46: The From Tab

On the To tab, configure the IP address of the server published via this Server Publishing Rule. You can also control what client IP address is seen by the published server by your selection in the Requests for the published server frame. You have two options:

Requests appear to come from the ISA Server computer
Requests appear to come from the original client

With Requests appear to come from the ISA Server computer, the published server sees as the source IP address of the incoming connection the IP address of the ISA firewall's network interface on the same Network as the published server. For example, if the published server is on the Internal Network, and the ISA firewall's interface on the Internal Network is 10.0.0.1, then the published server will see the source IP address of the incoming connection as 10.0.0.1.

This option is useful when you do not want to make the published server a SecureNAT client. A SecureNAT client is a machine configured with a default gateway address that routes all Internet-bound connections through the ISA firewall. If you do not want to change the default gateway address on the published server, then use Requests appear to come from the ISA Server computer. The only requirement is that, if the published server is on a different subnet from the ISA firewall, the published server needs to be able to route to the IP address that the ISA firewall uses when it forwards the connection to the published server.

If you want the published server to see the actual client IP address, select Requests appear to come from the original client. This option requires that the published server be configured as a SecureNAT client. The machine must be a SecureNAT client because the client IP address is on a non-local network, so the published server must have a default gateway that routes Internet-bound communications through the ISA firewall. Figure 8.47 illustrates the options on the To tab.

Figure 8.47: The To Tab

On the Networks tab, you can configure which Networks the ISA firewall listens on to accept incoming connections to the published server. In this example, we set the Server Publishing Rule to accept incoming connections from hosts on the External Network (the default External Network includes all addresses that aren't defined in any other Network on the ISA firewall).

You can configure the ISA firewall to listen on any Network. For example, you can configure the Server Publishing Rule to listen for connections on the VPN Clients Network. VPN clients can then connect to the published server via this Server Publishing Rule. The Networks tab is shown in Figure 8.48.

Figure 8.48: The Networks Tab

On the Schedule tab, you can set when connections can be made to the published server. There are three default schedules:

Always: Users can always connect to the published server.
Weekends: Users can connect to the published server from 12:00 A.M. to 12:00 A.M. Saturday and Sunday.
Work hours: Users can connect to the published server from 9:00 A.M. to 5:00 P.M. Monday through Friday.

You can also create your own schedule using the New button. We'll talk more about creating schedules in Chapter 10. Note that schedules control when users can connect to the published server, but they do not drop existing connections. The reason for this is that users who connected to the published server did so when connections were allowed, and they may have ongoing work that would be disturbed if the connection were arbitrarily halted by the schedule. If you must stop all connections, you can script a disconnect by stopping and restarting the Microsoft Firewall service. The Schedule tab is shown in Figure 8.49.

Figure 8.49: The Schedule Tab
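To make the behaviour of the wizard's Ports dialog and of the From, To, Networks and Schedule tabs concrete, the following Python model is added here as an illustration; it is not code from the book or from ISA Server. It evaluates a connection against a rule the way the text describes (listener port override, port redirection, source-port limiting, From list minus exceptions, listening Networks, schedule, and which source address the published server sees). Class names, field names, the sample addresses (203.0.113.0/24, 198.51.100.9) and the sample times are assumptions constructed for the example.

```python
"""Added example, not code from the book or from ISA Server: a small model of
how a Server Publishing Rule admits a connection and where it forwards it, using
the settings described above (Ports dialog, From/To/Networks/Schedule tabs).
Class names, field names and the sample values are assumptions constructed for
this illustration."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Schedule:
    name: str
    days: Tuple[int, ...]  # weekday numbers, 0 = Monday ... 6 = Sunday
    start_hour: int        # inclusive
    end_hour: int          # exclusive; 24 means up to midnight

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


# The three default schedules named on the Schedule tab.
ALWAYS = Schedule("Always", tuple(range(7)), 0, 24)
WEEKENDS = Schedule("Weekends", (5, 6), 0, 24)
WORK_HOURS = Schedule("Work hours", (0, 1, 2, 3, 4), 9, 17)


@dataclass
class ServerPublishingRule:
    name: str
    default_port: int                   # from the Protocol Definition (RDP: TCP 3389)
    published_server: str               # To tab: IP address of the published server
    listen_networks: Tuple[str, ...]    # Networks tab
    isa_interface_ip: str               # ISA interface on the published server's Network
    listener_port: Optional[int] = None       # Ports: "Publish on this port instead of the default port"
    forward_port: Optional[int] = None        # Ports: "Send requests to this port on the published server"
    source_ports: Optional[Tuple[int, int]] = None  # Ports: "Limit access to traffic from this range of source ports"
    allowed_from: Tuple[str, ...] = ("0.0.0.0/0",)  # From tab; "Anywhere" by default
    exceptions: Tuple[str, ...] = ()                # From tab exceptions
    schedule: Schedule = ALWAYS
    requests_from_isa: bool = True      # To tab: "Requests appear to come from the ISA Server computer"

    def listening_port(self) -> int:
        return self.listener_port if self.listener_port else self.default_port

    def forwarded_port(self) -> int:
        # Default: forward to the same port the request was received on.
        return self.forward_port if self.forward_port else self.listening_port()

    def published_server_requirement(self) -> str:
        # The routing prerequisite the chapter states for each To-tab choice.
        if self.requests_from_isa:
            return f"must be able to route to {self.isa_interface_ip}"
        return "must be a SecureNAT client (default gateway through the ISA firewall)"

    def evaluate(self, client_ip: str, client_port: int, dst_port: int,
                 arriving_network: str, when: datetime):
        """Return (allowed, reason, (server, port) or None, source IP seen by the server or None)."""
        if arriving_network not in self.listen_networks:
            return False, "not listening on network", None, None
        if dst_port != self.listening_port():
            return False, "listener port mismatch", None, None
        if self.source_ports and not (self.source_ports[0] <= client_port <= self.source_ports[1]):
            return False, "source port outside allowed range", None, None
        addr = ip_address(client_ip)
        # From tab: the client must be inside an allowed Network Object and not in an exception.
        if not any(addr in ip_network(n) for n in self.allowed_from):
            return False, "client not in From list", None, None
        if any(addr in ip_network(n) for n in self.exceptions):
            return False, "client in From exceptions", None, None
        if not self.schedule.allows(when):
            return False, "outside schedule", None, None
        seen = self.isa_interface_ip if self.requests_from_isa else client_ip
        return True, "allowed", (self.published_server, self.forwarded_port()), seen


# Constructed sample times: a Tuesday at 10:00 and a Saturday at 10:00.
TUESDAY_10AM = datetime(2024, 1, 9, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)


def default_rule() -> ServerPublishingRule:
    # The chapter's "SPR - Terminal Server" rule as the wizard creates it with defaults.
    return ServerPublishingRule("SPR - Terminal Server", 3389, "10.0.0.2", ("External",), "10.0.0.1")


def tightened_rule() -> ServerPublishingRule:
    # The same rule after Properties-dialog changes of the kind discussed above (constructed values):
    # redirect to TCP 89 on the server, admit one address range minus one host, work hours only,
    # and let the published server see the original client address.
    return ServerPublishingRule(
        "SPR - Terminal Server", 3389, "10.0.0.2", ("External",), "10.0.0.1",
        forward_port=89, allowed_from=("203.0.113.0/24",), exceptions=("203.0.113.7",),
        schedule=WORK_HOURS, requests_from_isa=False)


if __name__ == "__main__":
    for rule in (default_rule(), tightened_rule()):
        print(rule.name, rule.evaluate("203.0.113.5", 50000, 3389, "External", TUESDAY_10AM),
              "|", rule.published_server_requirement())
```

Running the module shows the difference between the two rules: the default rule forwards to port 3389 and the server sees 10.0.0.1, while the tightened rule forwards to port 89, rejects the excepted host and weekend connections, and requires the published server to be a SecureNAT client because the original client address is preserved.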



Server Publishing HTTP Sites




You might have noticed, when going over the list of Protocol Definitions used for Server Publishing Rules, that there wasn't a Protocol Definition for HTTP Server. There is a Protocol Definition for HTTPS servers but not for HTTP. If you want to create a Server Publishing Rule for HTTP server publishing, you will need to create your own HTTP Server Protocol Definition.

We recommend that you always use Web Publishing Rules to publish Web sites, but there may be times when you want to publish a Web site that isn't compliant with Web Proxy servers. In this case, you will need to use a Server Publishing Rule instead of a Web Publishing Rule.

Perform the following steps to create the Protocol Definition for HTTP Server publishing:

1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Click the Toolbox tab in the Task Pane and click the Protocols header.

2. Click the New menu and click Protocol.

3. On the Welcome to the New Protocol Definition Wizard page, enter HTTP Server in the Protocol Definition name text box and click Next.

4. On the Primary Connection Information page, click the New button.

5. On the New/Edit Protocol Connection page (Figure 8.50), set the Protocol type to TCP and the Direction to Inbound. In the Port range frame, set the From and To values to 80. Click OK.

Figure 8.50: The New/Edit Protocol Connection dialog box

6. Click Next on the Primary Connection Information page.

7. On the Secondary Connections page, select the No option and click Next.

8. Click Finish on the Completing the New Protocol Definition Wizard page.

9. Click Apply to save the changes and update the firewall policy.

10. Click OK in the Apply New Configuration dialog box.

The new HTTP Server Protocol Definition appears in the list of User-Defined Protocol Definitions.






