DMZ for gaming server - safe? (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> DMZ


ras2a -> DMZ for gaming server - safe? (29.Sep.2006 4:07:27 PM)

Hi all,
I cannot get game servers to work on my internal LAN (using dual-homed ISA Server and port forwarding / publishing rules etc).  I was seriously thinking of going down the DMZ route and publishing a box solely for multiplayer gaming etc.  I understand that I'd need an additional NIC for the DMZ segment.  How would I go about publishing the machine on the DMZ and would this then mean that the game server was 'totally' exposed to the internet?  If so, I imagine it would be prudent to deploy some additional client level firewall software on the game server?

In addition, I've read about the 'firewall client' this something that is 'mandatory' for getting gaming to work from Internal network to Internet?

Many thanks for any help and advice you can give

Guest -> RE: DMZ for gaming server - safe? (29.Sep.2006 4:46:46 PM)

Hi mate!
first may I ask you why do you wish to publish a game server behind
a firewall like ISA?

Check Tom's article:

Some services may not work correctly using SecureNAT. You'll see this if you plan
on publishing certain Internet enabled multiplayer games. In this case, you'll need to configure
the server as a Firewall Client and then configure a wspcfg.ini file on that server. If that sounds
too painful, you can place the game server on a DMZ segment and create packet filters to allow
the required ports (typically 'all open' when dealing with a non-secure game server).


Web and Server Publishing Rules support simple protocols, with the exception of those that
have an application installed on the ISA 2004 firewall, such as the FTP Access application filter.
You can install Firewall client software on a published server to support complex protocols, such
as those that might be required if you wished to run a game server on your network. It is important
to note the Microsoft no longer officially supports this configuration and they recommend that you
have a C++ programmer code an application filter to support your application.

also wou might want to check:

ras2a -> RE: DMZ for gaming server - safe? (29.Sep.2006 4:57:32 PM)

Hiya Ade,

Cheers for the extrememly swift reply.  After my initial post I did a bit of digging and found this thread:

Guess I should have searched a bit harder (apologies).  I'm not acutally trying to publish dedicated game servers, merely allow direct IP play with games such as Call of Duty / Medal of Honor (friends specify my public IP to connect).  I've achieved this very easily with a basic (Netgear) NAT router in the past, but since setting up ISA Server, I've not been able to get 'any' games working.  I have read various thing (as you posted) that basically say that M$ don't support games for ISA etc.  I've not looked properly at the other info you posted, but will do so now.

Will try setting up the gaming rig as with Firewall Client and then test the games again..

Many thanks indeed for your advice - much appreciated :)

Cheers matey!


ras2a -> RE: DMZ for gaming server - safe? (2.Oct.2006 2:34:12 PM)

I've installed the Firewall client to my gaming rig, however friends still cannot connect.  However, I've not configured ports etc for the Firewall client from the ISA Server management console.  Not sure exactly what to do here?

Guest -> RE: DMZ for gaming server - safe? (3.Oct.2006 9:33:04 AM)

Hi Ras!
firts of all I think if you don't know excctly
what protocols and ports to allow on ISA you
will never get this to work[image][/image].
so you should host your game internally, connect to the server
and use a network protocol analyzer like wireshark(ex ethereal).
maybe this links will help but I suggest to inspect yourself the traffic
because most of the settings find on web are for dumb firewalls not for a firewall like ISA:
about firewall client that remains to be seen:

Guest -> RE: DMZ for gaming server - safe? (3.Oct.2006 9:33:09 AM)

I forget to mention: do you use gamespy?

ras2a -> RE: DMZ for gaming server - safe? (3.Oct.2006 2:15:52 PM)

Hiya Ade,

lol, no...I 'do' know what ports to use (I just meant I didn't know 'how' to configure ports etc for the Firewall Client (thought I think its somewhere in the ISA Management console).  The ports required for the particular game I'm trying to get running (Medal of Honor: Allied Assault) are all UDP (apparently): 12201, 12202, 12203, 12204, 12210 and 12300.  I won't be using gamespy at all as I simply want to host a direct IP game (on my gaming rig) across the internet (allow friends to connect) so don't need all the convoluted ports for that :)

I will try the Firewall Client tonight....tbh - I'd just about given up getting 'hosted' games to work with ISA, but will try this out.

Alternatively, I was wondering if I could somehow use one of my spare public IPs that I have bound to the external NIC of my ISA box? Maybe I could 'assign' this to the internal LAN IP of my gaming rig and 'allow all' traffic through?

ISA is a superb product, but for apps that use non-standard ports, it's a pain in the neck - lol

Oooh, forgot: I have actually tried Wireshark (Ethereal) the other day, but it seemed to simply report the protocols (namely UDP 12300) that I mentioned above.  However, I will try it again and inspect the traffic more closely to see if other ports are requested.

Thanks for your continued help, mate, I appreciate it. 

Edit: Just checked those links you sent me, every site you got to tells you a different tale with regards to what ports are required any given game....mad!


ras2a -> RE: DMZ for gaming server - safe? (4.Oct.2006 12:06:05 PM)


Check out what I've done as a workaround (for now). See this thread:

Again, it's most definitely not a good solution (to my mind), but it's just temporary.

Page: [1]