Really, SIMPLY is the key word. Hope it is doable...
I have searched high and low and can't find anywhere a simple way to open certain ports and point them to a computer with a Static IP Address. I see there are many other frustrated posts all over asking for the same SIMPLE information.
Can anyone SIMPLY explain how to open ports let's say 7001 and 7002 and point them to IP Address 192.168.16.xx in SBS 2003 with ISA 2004 environment?
An ideal explanation style would be (IMHO ty):
================================
Go to menu item A
Click on B
Add certain information in box C
Then goto Menu item D and Click on E
Click on the Tab F
add information in this area G
Click on box H
Click on OK, OK, OK
You don't need to reboot except if: a) afdsk.fkj;j OR b) In which case... etc..
.....
You are done
......... etc.
Ray, rather than have your user wait 3 weeks, why don't you post a specific question instead of jumping on someone else's thread...
I have to admit, after 6 years of being on these forums, I don't really want to answer a question where the poster is asking for the level of detail that was originally asked for - you have to, in the words of Jerry Maguire, "Help me help you". His request for that level of detail is a little presumptuous given the free nature of these forums.
Now, with that said, to address your problem, you could say "I have application Xyz that listens on TCP 56789 and is hosted on a Linux system at IP address 220.127.116.11. I need to make this application publicly accessible through our ISA 2004 Server. Our ISA Server has X network interfaces and with the following IP addresses. The Internal Network has the following IP addresses listed. Please provide the basic steps of making this server accessible to the outside world"
< Message edited by ClintD -- 11.Jan.2007 6:06:01 PM >
Do you really need that much information when all that is needed is information on how to allow traffic through port 8443? Given that question how would the answer be any different if you had 1 NIC or two? How would it help if you knew the IP address? Maybe you do need that information. If so, it may help to tell me why.
Is the question really that complex? How long would it take for someone who knows how to do it to post a document with a series of screenshots?
Don't get me wrong here, I'm not trying to be a complete d**k. I do appreciate how much time it takes to answer complex questions with complex scenarios and thank people when they try to help (even on free forums) but how is RTFM any help to anyone?
yep, ISA is *not* a simple packet filter. You need to be very specific in what you want to achieve:
- how is ISA installed, as proxy only or as a full blown firewall?
- how are the networks configured (Route or NAT relationship)?
- is it an inbound or outbound issue (Access or Publishing rule)?
- for inbound access, is the protocol used web or non-web based (Web or Server publishing)?
- for outbound access, how is the client configured (Web, Firewall and/or SecureNAT)?
- ...
< Message edited by spouseele -- 11.Jan.2007 6:43:16 PM >
I don't ask questions for the sake of asking them.
I've worked on this product and these newsgroups enough to know what is relevant information for providing a solution to someone who has provided little or no detail as to their scenario. Now, if you'd like to continue questioning my motives for asking relevant questions, go ahead, but don't expect an answer. However, if you'd like to provide a solution to your user and move on to more important tasks, then answer the questions I've provided and we'll get you set up.
Ok, I think I now know why you need the information requested. I will not post this information here in this thread as I assumed, obviously incorrectly, that the question was a simple one and that no specific information was required. In fact, I don't even have ISA 2004 SBS. I have ISA 2006. I posted here thinking that the solution would be similar if not the same across these versions. I guessed wrong. I have posted a question in ISA 2006 Web Proxy forum. I'll check to see if I have added every detail I can think of. Thank you.
As an infrequent forum post/reader here but an avid SBS'r nevertheless, I am disappointed by the IMHO arrogant attitude being conveyed to the original poster. This is an SBS forum and not a place to expect anything but a standard SBS environment unless so specified by the poster. This guy is merely trying to translate his knowledge of simple firewalls to ISA's more complex approach and as indicated in his post was unable to figure it out on his own. Furthermore the poster appears frustrated and emphasized a request for "simple" answers. This is why he is reaching out to people and not the ISA Help section, MS knowledgebase, ...etc. If you cannot help beyond directly pointing back to these resources is an insult and run around. Maybe you don't have the time to answer completely. In that case I would suggest giving a pointer to some of the answer or leave it alone for someone who has the time and inclination to fully answer the poster's query. This is called professional courtesy.
To address the original poster - ISA provides no UI for merely opening a port and when you understand Application Layer Filtering, ALF, you will understand why. In ISA you create a filtering rule by which when conditions are met the rule always either allows or denies a specific port associated with specific protocol(s), with specific network object(s), and also associated with other specifications contained in the rule. You create the rule and thereby control how open or closed the firewall behaves. My suggestion to you is to imitate. Find a rule that is pre-existing that closely matches what you want done. Then either copy and modify that rule or create a new rule imitating what you discovered. Many SBS blogs that touch on ISA, for instance Susan Bradley's or Amy Babinchak's (SP?), may cover a filtering rule for a specific situation. You can take that knowledge and refit it for your scenario.
I hope that has been somewhat helpful.
< Message edited by sambo -- 13.Jan.2007 9:44:30 AM >
I think 2 guys who have belonged to these forums for nearly 6 years, who contribute their time to be the Moderators of the forums, and who have provided, in the case of Stefaan, numerous helpful articles on how to implement ISA should be given the benefit of the doubt and not accused of being arrogant. We certainly don't think we're better than anyone - why would we be posting and filling our time on these forums? It's a simple answer - we like helping people.
Now, you might not like Stefaan posting a link to an image somewhat ridiculing the 'open a port' mentality, but it was Tom Shinder himself who first started using this image and I doubt you'd call Tom arrogant or lacking 'professional courtesy'.
I don't know which comments are to be considered without 'professional courtesy' but you have my sincere apologies for them.
In my future posts to both you and RayH, I will ensure that I handle my replies with the utmost delicacy and ensure all of those posts are germane and of the utmost quality with regard to the topic being discussed.
RE: Howto Open Ports - SIMPLY - in ISA 2004 - 15.Jan.2007 6:10:52 AM
Come on, guys! Just take it easy! I've answered myself to such a question a while ago with a direct answer (if that means I've bought it I care little about that). But the idea behind this is that the answer would not help you at all. What they want to say is that every minute spent by you reading how to properly use ISA related to some issue will help you later saving hours (maybe even your job) and that is not a waste of time. A waste of time will be just to take the answer of that question and apply it. That funny picture isn't all about laughing. If you read the comments there it is simple to see your solution (the right direction to follow). And using Stefaan's indication: the ISA help file probably will solve your problems. You don't need hundreds of hours learning what is an access rule, how you use it or how access is allowed through ISA. Actually some of Stefaan's articles show you how to do that. Spending many hours working with ISA and on this forum it is quite easy to see that people really like simple things with simple solutions and that people tend to quickly not care if they found a working solution to their problem and then just walk forward. If it works who cares? You can say: "Ok I drive my car every day but I don't know how it works. I'm speaking every day on my cellular phone and I don't know how it works. Actually a lot of people do so. So why bother?" Well what these guys around here are saying is that you should care about that and before jumping in from a basic firewall to a complex one it will be helpful to read something about it. What they are saying is that based on their experience, what they have seen in many years (they've been there in the same situation as you too, actually everybody was) they can easily know what problems you have, what your level of knowledge about firewalls is and a lot of stuff like those and they can indicate you the right direction to follow.
They have seen this like many other things many many times before and they know pretty much what to expect. You can say that is not important when somebody gives you an explanation and then throw in your face their experience and what great stuff they did... They only must throw heavy arguments because if you turn your eyes on how big and strong are corporations they can suddenly look so small compared with a bunch of guys in a small garage. Also everybody can make a mistake. Ok. Now let me tell you something without professional courtesy and with arrogance: Listen to them about your problems related to this issue and they will save your a**. How? Very simple. If they can see all of those things about you, the same thing would be seen by an attacker who is very prone to such things. Because this will be the first thing an attacker will search for. He will not try to defeat your firewall. He will try to defeat "THE SYSTEM". And you are part of that system. If YOU are vulnerable so is your network. His target is the system and the firewall is also a part of that system and at some point the attacker will focus on it too. What these guys are saying is that the best firewall in the world will be useless without your knowledge. Sharing their knowledge in an inappropriate way would rather give you little help. Kindly best regards! Adrian.