
Publish network resources with ISA Server

When you open up your network to access from the Internet, you'll need to find a way to still maintain control. In this Daily Feature, Tom Shinder explains how Server Publishing Rules on ISA Server can help grant and control access at the same time.

Have you ever wanted to make resources on your internal network available to users on the Internet? Perhaps you have a Web server, a news server, or a mail server that you want Internet users to be able to access, but you don’t have any extra public IP addresses to assign to these computers. One way you can solve this problem is by “publishing” your internal network servers to the Internet.

ISA Server 2000 allows you to make servers on the internal network reachable from external (Internet) hosts. In this Daily Feature, I’ll take a look at how you can make such resources available to external users by defining and configuring server-publishing rules.

What are server-publishing rules?
ISA Server uses publishing rules to let you make servers on the internal network available to users on external networks. ISA Server sees networks as either internal or external. The external network is typically the Internet. Internal network hosts are considered “trusted” computers, and communications between trusted computers are not mediated by ISA Server rules. External network hosts are considered “untrusted” computers.

ISA Server mediates all network communications with untrusted computers. The Local Address Table (LAT) and Local Domain Table (LDT) determine what addresses are internal. All other addresses or domains are considered external and are not trusted by the ISA Server.

ISA Server assumes that all hosts on the trusted network do not need to be screened by the ISA Server rules engine. This does not imply that all hosts on a trusted network can be completely trusted. Trusted network hosts are within your administrative control, but if you fail to secure the hosts on your internal network, they can be as untrustworthy as hosts on external networks.

Communications between the external network and the internal network are subject to network address translation (NAT). Because every packet between the two networks passes through the NAT service, clients on the Internet cannot open new inbound connections to internal network hosts: NAT creates translation entries only for connections that originate on the inside, and it does not route packets directly. The only times the ISA Server routes packets directly are when you have a trihomed DMZ configuration in which the DMZ segment uses public network addresses, or when two or more internal network segments are directly attached to the ISA Server.

You can get the ISA Server to perform “reverse NAT” and route (through NAT) requests that arrive at a specific IP address and port on the external interface of the ISA Server to a particular IP address and port on the internal network. This reverse NAT is sometimes referred to as Server Publishing. ISA Server allows you to perform Server Publishing through the use of Server Publishing Wizards.
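To make the internal/external distinction and the reverse-NAT lookup concrete, here is a small model of the decision ISA Server makes for a new connection arriving on its external interface. This is an added example written for this article, not code from ISA Server or its SDK: the LAT ranges, the internal addresses 10.0.0.5 and 10.0.0.6, the client address set 198.51.100.0/24 and the source addresses are constructed; the external address 222.222.222.222 is the one used later in the walkthrough. The model assumes the published server listens on the port named in the server protocol definition (TCP 119 for NNTP, TCP 25 for SMTP).

```python
"""Model of ISA Server 2000 server publishing (reverse NAT) rule evaluation.

Added example, not ISA Server code. Addresses and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed Local Address Table (LAT): anything inside these ranges is
# "internal" and therefore trusted; everything else is external.
LAT = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """An address is internal only if it falls inside a LAT range."""
    addr = ip_address(ip)
    return any(addr in net for net in LAT)


@dataclass
class ServerProtocol:
    """Server protocol definition: the primary connection is inbound."""
    name: str
    port: int
    transport: str = "tcp"


@dataclass
class PublishingRule:
    """External IP:port on the ISA Server mapped to an internal server."""
    name: str
    external_ip: str                     # address bound to the external interface
    internal_ip: str                     # published server on the internal network
    protocol: ServerProtocol
    client_set: Optional[List[str]] = None   # None = "Any Request"; else address set

    def allows_client(self, src_ip: str) -> bool:
        if self.client_set is None:
            return True
        addr = ip_address(src_ip)
        return any(addr in ip_network(net) for net in self.client_set)


@dataclass
class Packet:
    """First packet of a new connection (assumption: TCP unless stated)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    transport: str = "tcp"


def evaluate_inbound(pkt: Packet, rules: List[PublishingRule]) -> Tuple[str, object]:
    """Decide what happens to a new connection hitting the external interface.

    Returns ("forward", (internal_ip, port)), ("drop", reason) or
    ("not-mediated", None) for traffic that originates on the trusted network.
    """
    if is_internal(pkt.src_ip):
        # Trusted-to-trusted traffic bypasses the rules engine entirely.
        return ("not-mediated", None)
    for rule in rules:
        if (pkt.dst_ip == rule.external_ip
                and pkt.dst_port == rule.protocol.port
                and pkt.transport == rule.protocol.transport):
            if not rule.allows_client(pkt.src_ip):
                return ("drop", f"{rule.name}: source not in client address set")
            # Reverse NAT: rewrite the destination to the published server.
            return ("forward", (rule.internal_ip, rule.protocol.port))
    # Plain NAT never creates a new inbound connection on its own.
    return ("drop", "no server publishing rule matches")


# Constructed rule set: the News Server rule from the article (anonymous),
# plus an SMTP rule restricted to one client address set.
RULES = [
    PublishingRule("News Server", "222.222.222.222", "10.0.0.5",
                   ServerProtocol("NNTP Server", 119)),
    PublishingRule("Partner SMTP", "222.222.222.222", "10.0.0.6",
                   ServerProtocol("SMTP Server", 25),
                   client_set=["198.51.100.0/24"]),
]

if __name__ == "__main__":
    for p in (Packet("203.0.113.7", "222.222.222.222", 119),
              Packet("203.0.113.7", "222.222.222.222", 80),
              Packet("203.0.113.7", "222.222.222.222", 25),
              Packet("198.51.100.9", "222.222.222.222", 25)):
        print(p.src_ip, "->", p.dst_port, evaluate_inbound(p, RULES))
```

Two points the model makes visible: a connection to a port with no publishing rule is dropped even though the ISA Server itself is reachable, and a rule with a client address set drops unlisted sources before any translation happens, so the internal server never sees them.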

Configuring a server-publishing rule
Let’s go through an example to give you an idea of how server publishing works with ISA Server. Suppose you have a news (NNTP) server on your internal network that you want to make available to everyone on the Internet. News servers are very handy for carrying out asynchronous conversations with people all over the world; they’re faster than Web-based discussion boards, and their contents don’t get lost as easily as e-mail. You have only one public IP address, and that address is already bound to the external interface of the ISA Server. Because you cannot give the news server a public address of its own, you need to publish it through the ISA Server instead.

To configure the Server Publishing Rule in ISA Server, open the ISA Management console by clicking Start | Programs | Microsoft ISA Server | ISA Management. When the ISA Management console starts, expand your server or array name in the left pane. Then, expand the Publishing node. Right-click on the Server Publishing Rules node and click New | Rule.

This will start the New Server Publishing Rule Wizard. On the Welcome To The New Server Publishing Rule Wizard page, shown in Figure A, type in a name for the rule. In this example, I’ll use the name News Server.

Figure A
The New Server Publishing Rule Wizard helps you create publishing rules for ISA Server.


Click Next to continue. On the Address Mapping page shown in Figure B, type in the IP address of the internal network server in the IP Address Of Internal Server text box. Then, type in the IP address on the external interface of the ISA Server in the External IP Address On ISA Server text box.

Figure B
You must enter both the internal and external addresses for the rule.


Note that if you have multiple IP addresses bound to the external interface of the ISA Server, you can use any one of them. However, most people are going to connect to your server via a name such as news.domain.com, so make sure that the IP address you use on the external interface resolves to the name you want the external network users to use. Server Publishing Rules do not require such fully qualified domain names (FQDNs) to work correctly, so if you just want your users to access the internal network server by using the IP address on the external interface of the ISA Server, that will work too. Click Next to continue.

On the Protocol Settings page, shown in Figure C, click the down arrow in the Apply The Rule To This Protocol drop-down list box and select the server protocol definition you wish to use. In this example, I’ll use the NNTP Server protocol definition. A server protocol definition is defined as a protocol where the primary connection is inbound.

Figure C
The Protocol Settings page helps control the type of inbound traffic the ISA Server will allow.


ISA Server includes a number of server protocol definitions right out of the box. Some of the default server protocol definitions you can select include:
  • FTP Server—File Transfer Protocol
  • HTTP Server—Web (http) protocols
  • Gopher—Gopher services
  • POP3
  • RealAudio
  • SMTP
  • Windows Media

Select your protocol definition and click Next to continue. You’ll then see the Client Type page, shown in Figure D. Select the Any Request option. This allows anonymous access to the server-publishing rule. If you want to limit access to a subset of computers on the Internet, select the Specific Computers option. If you select that option, you can select a client address set to allow access to the Server Publishing Rule. Click Next to continue.

Figure D
The Client Type page allows you to control who can access ISA Server.


Finally, you’ll see the Complete The New Server Publishing Rule Wizard page. Here, you can review the selections you’ve made to make sure they’re correct. Review the rule configuration and click Finish.

It will take a few moments for the Server Publishing Rule to take effect. Once it does, external network users will be able to reach the internal NNTP server by connecting to the external IP address you entered in the rule (222.222.222.222 in this example) on TCP port 119, or to a FQDN that resolves to that address.
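The wizard gives no feedback beyond the rule appearing in the console, so the check a practitioner wants is an end-to-end one from the outside: open a TCP connection to the external address on port 119 and confirm that the NNTP greeting (status 200 for posting allowed, 201 for read-only) comes back. The script below is an added example, not part of the article or of ISA Server; it ships with a constructed stand-in news server bound to loopback so it can be run offline, and the greeting text is made up. Point `nntp_greeting_code` at 222.222.222.222 (or news.domain.com) from an Internet host to test the real rule.

```python
"""End-to-end check of a published NNTP server: does the greeting come back?

Added example for this article, not ISA Server code. The loopback server
below is a constructed stand-in for the real news server.
"""
import socket
import threading
from typing import Optional


def nntp_greeting_code(host: str, port: int = 119, timeout: float = 5.0) -> Optional[int]:
    """Connect, read the NNTP greeting line, return its 3-digit status code.

    Returns None on connection failure, timeout or a malformed greeting.
    200 = posting allowed, 201 = read-only. Anything else means the
    publishing rule, the DNS record or the server itself needs attention.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            buf = b""
            # The greeting is a single CRLF-terminated line; cap the read size.
            while not buf.endswith(b"\r\n") and len(buf) < 512:
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
            try:
                s.sendall(b"QUIT\r\n")   # be polite to the real server
            except OSError:
                pass
    except OSError:
        return None
    code = buf[:3].decode("ascii", "replace")
    return int(code) if code.isdigit() else None


# ---- constructed stand-in so the check can be exercised offline ----------
def start_fake_nntp(greeting: bytes = b"200 news.domain.com NNRP service ready (posting ok)\r\n") -> int:
    """Listen on an ephemeral loopback port, serve one greeting, then exit.

    Returns the port number to connect to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            conn.settimeout(2)
            try:
                conn.recv(64)            # consume the client's QUIT
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a loopback port with nothing listening, to show the failure path."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("stand-in server:", nntp_greeting_code("127.0.0.1", start_fake_nntp()))
    print("nothing listening:", nntp_greeting_code("127.0.0.1", unused_port()))
```

Run it from a host that is genuinely outside the LAT; from an internal client the connection never traverses the publishing rule, so a success there proves nothing about what Internet users see.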

Conclusion
When you connect your network to the Internet, not only do you enable users to access Internet resources, but you can also provide Internet users with the ability to access resources on your internal network. This can be both a good and bad thing. To control who can access internal resources, and what they can access, you can use ISA Server’s Server Publishing Rules.