TCP port direction confusion
TCP port direction confusion - 23.Mar.2008 10:09:47 AM
ming
Posts: 23
Joined: 22.Aug.2007
Hi all,

Can someone explain to me, or show me a good link about, inbound and outbound TCP protocols? When creating new custom protocols in ISA, there is an option of inbound or outbound. This really confuses me. As I understand it, the direction is decided by the access rules (the From and To tabs), so why does the TCP port itself need a direction defined? For example, if I have an FTP server using custom TCP port 1234 in my internal network and I want to access it from the Internet, I publish the FTP server using a custom protocol for port 1234. Why do I need to specify whether this TCP 1234 is inbound or outbound? If this FTP server is on the internal network and I want to access it from internal, I would make an access rule to allow the same custom protocol from internal to external, rather than making a new protocol and making it an outbound one. So why is there a direction on the protocol itself?

Thanks in advance.
RE: TCP port direction confusion - 23.Mar.2008 10:40:17 AM
ferrix
Posts: 363
Joined: 16.Mar.2005
Basically, you use "outbound" for protocols that will be used in access rules, and "inbound" for protocols that will be used in publishing rules. Another way to think about it is: if the target IP address of the packets will be ISA, then that's "inbound". If the target IP address of the packets is beyond ISA, then that's "outbound". It's confusing because the name implies it has something to do with whether the traffic is coming from the LAN or the Internet, but this is not the case. Hope this helps!
RE: TCP port direction confusion - 23.Mar.2008 11:30:33 AM
ming
Posts: 23
Joined: 22.Aug.2007
quote:
ORIGINAL: ferrix
Basically, you use "outbound" for protocols that will be used in access rules, and "inbound" for protocols that will be used in publishing rules. Another way to think about it is: if the target IP address of the packets will be ISA, then that's "inbound". If the target IP address of the packets is beyond ISA, then that's "outbound". It's confusing because the name implies it has something to do with whether the traffic is coming from the LAN or the Internet, but this is not the case. Hope this helps!

Thanks for your reply. I understand how to choose this option as you explained, but this doesn't clear my confusion as to why the protocol itself needs a direction defined. Is there a case when you need to use outbound protocols in publishing rules, or inbound protocols in access rules? If not, there is no point to this option of direction.
RE: TCP port direction confusion - 23.Mar.2008 11:36:33 AM
ferrix
Posts: 363
Joined: 16.Mar.2005
From my understanding, there is no case where you would need to use them like that, no. So I agree that the software could simply do the right thing by itself rather than making the additional step for the user. There may be rationale that I am not familiar with. But in my experience it's just an extra step to get right.
RE: TCP port direction confusion - 24.Mar.2008 9:52:42 AM
ming
Posts: 23
Joined: 22.Aug.2007
Thanks a lot for your help. If I find out why it's designed like that, I will post it here.
RE: TCP port direction confusion - 24.Mar.2008 5:01:15 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
quote:
Is there a case when you need to use outbound protocols in publishing rules, or inbound protocol in access rules?

I do not believe so, other than that it is possible for a Protocol to use Secondary Connections in response to an Initial Connection.

quote:
If not, there is no point for this option of direction.

Yes, there is a point. The direction is based on the direction of the Initial Connection as interpreted by the ISA Server according to how it functions. Publishing Rules respond to Initial Connections that are Inbound from an unknown external source, so the Protocols are always Inbound. Access Rules respond to Initial Connections that leave the External Interface of the ISA (Outbound) to an unknown external destination, so the Protocols are Outbound. Access Rules may have Secondary Connections that occur in response to an Initial Connection. These Protocols will usually be Inbound. These are extremely rare; they are so rare that I cannot even think of a functioning example.
_____________________________
Phillip Windell www.wandtv.com
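An added example, not part of the thread and not ISA's own sample code, of how the direction flag pwindell describes is set when a protocol definition is created through the ISA Server administration COM object model (FPC.Root) from PowerShell instead of the GUI. It creates the two variants of a custom TCP/1234 protocol: one with an outbound primary connection, for use in an Access Rule, and one with an inbound primary connection, for use in a Server Publishing Rule. On the outbound one it also adds an inbound secondary connection range to illustrate the secondary-connection case pwindell mentions. The enumeration values fpcInbound = 1 and fpcOutbound = 2, the protocol names, the 5000-5100 secondary range and the FPCConnection property names used in the read-back function are assumptions taken from memory of the ISA SDK; check them against FpcConnectionDirectionType and FPCConnection in your SDK before running, and run it on the ISA Server as an array administrator.

```powershell
# Added example: create custom TCP/1234 protocol definitions with an explicit
# direction through the ISA Server administration COM object model.
# Assumed FpcConnectionDirectionType values (verify against your ISA SDK).
$fpcInbound  = 1
$fpcOutbound = 2

$root      = New-Object -ComObject FPC.Root
$array     = $root.GetContainingArray()
$protocols = $array.RuleElements.ProtocolDefinitions

# Outbound primary connection: the initial connection leaves ISA towards a
# destination beyond it, which is what Access Rules expect.
$outbound = $protocols.Add("Custom TCP 1234 Outbound")   # name is an assumption
$outbound.PrimaryConnections.AddTCP($fpcOutbound, 1234, 1234) | Out-Null
# Secondary connections opened by the remote side back to the client are
# Inbound even though the protocol itself is Outbound (range is illustrative).
$outbound.SecondaryConnections.AddTCP($fpcInbound, 5000, 5100) | Out-Null
$outbound.Save()

# Inbound primary connection: the initial connection targets ISA's own
# listener, which is what Server Publishing Rules expect.
$inbound = $protocols.Add("Custom TCP 1234 Inbound")     # name is an assumption
$inbound.PrimaryConnections.AddTCP($fpcInbound, 1234, 1234) | Out-Null
$inbound.Save()

function Show-ProtocolDirection($proto) {
    # Read the definitions back so the direction stored on each connection is
    # visible. Direction/LowPort/HighPort on FPCConnection are assumed names.
    foreach ($c in $proto.PrimaryConnections) {
        $dir = if ($c.Direction -eq $fpcInbound) { 'Inbound (publishing rules)' }
               else { 'Outbound (access rules)' }
        "{0}: primary TCP {1}-{2} {3}" -f $proto.Name, $c.LowPort, $c.HighPort, $dir
    }
    foreach ($c in $proto.SecondaryConnections) {
        $dir = if ($c.Direction -eq $fpcInbound) { 'Inbound' } else { 'Outbound' }
        "{0}: secondary TCP {1}-{2} {3}" -f $proto.Name, $c.LowPort, $c.HighPort, $dir
    }
}

Show-ProtocolDirection $outbound
Show-ProtocolDirection $inbound
```

The point the script makes is the one from the thread: the direction is a property of the protocol definition, fixed when the primary connection is added, and a rule type consumes the matching direction. Creating both variants side by side is the scripted equivalent of the GUI step the original poster found redundant.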
RE: TCP port direction confusion - 24.Mar.2008 9:33:21 PM
ming
Posts: 23
Joined: 22.Aug.2007
Thanks for your reply, it helps a lot. So now I am wondering two things:

1. Is this outbound or inbound option designed for ISA only, or is it widely used as one of the common parameters for the TCP protocol?
2. What happens if I use an outbound protocol in publishing rules, and vice versa? Will it work?

I will try this myself and post results when I get time. I will create a custom outbound TCP protocol with port 1234, use it to publish my internal FTP server, and see if I can access it from the Internet.
RE: TCP port direction confusion - 25.Mar.2008 9:31:59 AM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
quote:
1. Is this outbound or inbound option designed for ISA only, or is it widely used as one of the common parameters for the TCP protocol?

The definition of inbound and outbound can vary slightly between products manufactured by different companies. You have to deal with it in the proper context according to the device you are working on and who invented it.

quote:
2. What happens if I use an outbound protocol in publishing rules, and vice versa? Will it work?

That is easy. It will fail.

quote:
I will try this myself and post results when I get time. I will create a custom outbound TCP protocol with port 1234, use it to publish my internal FTP server, and see if I can access it from the Internet.

You can't do that with FTP. FTP is a "special" protocol, and it is a complex protocol by definition. It depends on the FTP Application Filter in order to function properly. You have to use the built-in FTP Server protocol (not the regular FTP) and then configure the ports it will use from within the Publishing Rule itself.
_____________________________
Phillip Windell www.wandtv.com