Re: When do I choose for OUTBOUND or INBOUND in a protocol?

From: Ori Yosefi [MSFT] (oriy_at_online.microsoft.com)
Date: 01/25/05


Date: Tue, 25 Jan 2005 10:11:10 +0200

Herm hi,

Regarding INBOUND and OUTBOUND.

The usual meaning of INBOUND is when you have a server in your "internal"
network (or any other network for that matter), usually being NATed, that
you want to expose to the world. In that case you would create a publishing
rule (hence inbound) which would allocate a port on ISA's external network
interface card, and would direct all received traffic to the "published
server". Please note that the scenario I have described is only one scenario
and the published server can be on other networks (including the localhost)
and the scenario between the client's network and the server's network may
also be route.

OUTBOUND traffic is usually meant when you have a client application in
the "internal" network (again, this is just an example - can be any other
network) and you want to allow the client application access to the outside
world (hence OUTBOUND). In this case you would create an access rule that
would allow specific traffic outside. In this case ISA does not have to
allocate a port, it only has to pass the traffic sent from the client
application to the outside server, as the server is usually not NATed.

In your example, if you want to allow access to a specific port on ISA
itself, adding an access rule from the external network to the local host
should work. If the rule doesn't work, I suggest that you check the logging
information and see that the traffic indeed matches the policy rule that you
have defined. If it does not, you can see in the logging which fields are
mismatched.

Regarding the Firewall client, I'm not sure that I understand what you are
trying to do.

Are you trying to "expose" an application running on your workstation to the
outside world? This should be easily done by creating a protocol that
defines the ports used by the application and then creating a publishing
rule that would publish the application on your workstation. This would
cause the ISA to listen on those ports and forward the traffic to your
application.

If I have not answered your question, please tell me what I have
misunderstood and I will try again.

Hope this helps,

Ori.

-- 
This posting is provided "AS IS" with no warranties, and
confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup 
purposes only.
Ori Yosefi [MSFT] ISA Server Team

"Herm" <mighty_herm@hotmail.com> wrote in message news:%23ZiS5hiAFHA.3376@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> Maybe this should be the first technology to get familiar with, but somehow
> I lost the edge here...
> I am a beginner on ISA 2004 and try to figure this box out!
>
> I am a little confused with the terms OUTBOUND and INBOUND when I create a
> protocol. And also using the FW client is not clear to me (strange
> behaviour)...
>
> Example;
>
> Running Windows Server 2003 with ISA 2004 on the same box. Now I want to allow
> an application using port 2004-2006 for example, to accept incoming
> traffic.. Must I setup INBOUND ports or OUTBOUND ports? The Access-Rule
> for the selected protocols should be from EXTERNAL to LOCAL HOST, isn't it?
>
> The second problem I have is how to get my workstation listening to these
> ports also. Cause the workstation runs the application. I assume installing
> the FW client is needed here?
>
> But somehow it still does not work. The ports are open (tested with shields
> up!), The application on my workstation is assuming the external IP address
> is bound to the workstation. But still the analyzer detects a firewall! And
> the ports are denied in the ISA logging. I had it working 2 times now!
> meaning on a sudden moment without even looking at the ISA (no changes) it
> worked. Restarting the application is enough to make it fail again.
>
> I am getting a bit frustrated here cause I hate when I don't see the light!
>
> Any suggestions ?
>
> Kind Regards,
> Herm
>
>
> 

