AHIT -> RE: Publish DVR server to outside (26.Mar.2008 9:34:35 PM)
From the help feature on 'server publishing' within the ISA 2000 Management Console:
Server publishing rules
Microsoft Internet Security and Acceleration (ISA) Server uses server publishing to process incoming requests to internal servers, such as Simple Mail Transfer Protocol (SMTP) servers, File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests are forwarded downstream to an internal server, located behind the ISA Server computer.
Server publishing allows virtually any computer on your internal network to publish to the Internet. Security is not compromised because all incoming requests and outgoing responses pass through ISA Server. When a server is published by an ISA Server computer, the Internet Protocol (IP) addresses that are published are actually the IP addresses of the ISA Server computer. Users who request objects think that they are communicating with the ISA server—whose name or IP address they specify when requesting the object—while they are actually requesting the information from the actual publishing server.
Server publishing rules determine how server publishing functions, essentially filtering all incoming and outgoing requests through the ISA Server computer. Server publishing rules map incoming requests to the appropriate servers behind the ISA Server computer. These rules will grant access dynamically, as specified, from Internet users to the specific publishing server.
The published server is actually a secure network address translation (SecureNAT) client. Because the published server is a SecureNAT client, no special configuration of the published server is required after you create the server publishing rule on the ISA Server computer. Note that ISA Server must be configured as the default gateway on the published server. For more information, see Configuring SecureNAT clients.
Use IP packet filters to publish servers located on a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet). For more information on when to use packet filters and when to use server publishing rules, see Server publishing rules and IP packet filters.
Client address sets
You can limit server publishing rules to specific clients by specifying the client address sets to which the rule applies. Client address sets probably include IP addresses of clients located on the Internet, including those not necessarily in your corporate network. For configuration instructions, see Configure clients for a server publishing rule.
The server publishing rule is applied to client address sets only if IP packet filtering is enabled. If IP packet filtering is not enabled, then the server publishing rule applies to all clients.
When you create the server publishing rule, you specify the following:
- IP address of the ISA Server. This is the address made available to external clients. When external clients communicate with the publishing server, they actually are communicating with this IP address. This address must be configured as the external IP address on the ISA Server computer.
- IP address of the publishing server. All requests arriving at the IP address specified by the ISA Server computer are forwarded to this IP address.
- Mapped server protocol. The data is passed to the internal server, depending on which protocol you specify here. You can select from all protocol definitions configured on the ISA Server with an Inbound direction. For more information, see Configuring protocol definitions.
For more information, see Configure a server publishing rule action.
How Server Publishing Works
To do this, ISA Server takes these steps:
- A client computer on the Internet requests an object from an IP address known as that of the publishing server. The IP address is actually associated with the ISA Server computer—it is the IP address of the external network adapter belonging to the ISA Server computer.
- The ISA Server computer processes the request, mapping the IP address to an internal IP address of an internal server.
- The internal server returns the object to the ISA Server computer, which passes it on to the requesting client.
Suppose you want to allow external clients access to an Simple Mail Transfer Protocol (SMTP) server, whose IP address is 220.127.116.11, and which listens on port 25. You should create a server publishing rule with the following parameters:
- Set the internal server IP address to 18.104.22.168.
- Set the mapped external address to an IP address on the external interface card belonging to the ISA Server computer.
- Set the mapped server protocol to SMTP (server).
To see how server publishing rules are used in a deployment scenario, see Back-to-back perimeter network configuration.