Re: When do I choose for OUTBOUND or INBOUND in a protocol?

From: Ori Yosefi [MSFT] (oriy_at_online.microsoft.com)
Date: 01/30/05


Date: Sun, 30 Jan 2005 15:01:41 +0200


:-)

I'm glad this helped.

If you have any other questions, please post a new item and I will try to
answer if I can.

It is better that these questions are in a new thread with a relevant
subject. This way other people may also benefit from the information by
searching the newsgroup.

Ori.

-- 
This posting is provided "AS IS" with no warranties, and
confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup 
purposes only.
Ori Yosefi[MSFT] ISA Server Team
"Herm" <mighty_herm@hotmail.com> wrote in message 
news:esmcWt6AFHA.3336@TK2MSFTNGP11.phx.gbl...
> ORI FOR PRESIDENT!
>
> I tried what you advised me and published a server rule for ISPQ.
> I created a protocol which allows inbound TCP traffic on ports
> 2004, 2005, 2006.
> Then I chose that protocol at the "traffic" tab! In the "from" tab I
> selected everywhere!
> At the "to" tab I entered my workstation's IP address (server to publish).
> In the "Networks" tab I only checked the external network. AND THIS IS
> WORKING!!!
>
> Thank you so much Ori. Now I will figure out and understand what is
> happening here. Cause I want to know the technology.
>
> Ori, would you also like to take a look with me at some other problems I
> have regarding ISA 2004?
> For example the logon procedure after installing ISA 2004 takes quite some
> time! And what additional configuring do I have to do when I also use a
> Netware client?
>
> Many thanks,
>
> Herman F.
>
> "Ori Yosefi [MSFT]" <oriy@online.microsoft.com> schreef in bericht
> news:ucoF$B4AFHA.3576@TK2MSFTNGP11.phx.gbl...
>> In case you want to run ispq on ISA itself, I think that the best way to
>> allow outsiders access to its ports is by creating access rules allowing
>> the traffic (outbound traffic which matches access rules) from the
>> external network to the local host.
>>
>> If you want to allow access to iSpQ on the internal network, you should
>> create a publishing rule that publishes these ports to the external
>> network. This would be done by creating an inbound protocol and then
>> creating a publishing rule that listens on the external network and
>> publishes your workstation as the iSpQ server.
>>
>> Please note that you can't have both your workstation and iSpQ on the ISA
>> server listening to the same port. You can only have one application
>> using a single port at any given time.
>>
>> I hope that this answers your question.
>>
>> Ori.
>>
>>
>> -- 
>> This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>
>>
>> Please do not send email directly to this alias. This alias is for
>> newsgroup purposes only.
>> Ori Yosefi[MSFT] ISA Server Team
>>
>>
>> "Herm" <mighty_herm@hotmail.com> wrote in message
>> news:eO$HSxyAFHA.2104@TK2MSFTNGP14.phx.gbl...
>> > Hi Ori,
>> >
>> > Thank you for your great explanations. Should make sense.
>> > You asked if you understand me all right. Well, yes, I think you do.
>> >
>> > I will tell ya what I want to get working here.
>> >
>> > ISPQ (www.ispq.com) is the videochat application that is running on my
>> > workstation (10.0.0.50)
>> > It listens to the TCP ports 2004,2005,2006...
>> >
>> > Like explained earlier I made the access rule, I am able to browse the
>> > user directory lists, send and receive quick messages! But if someone
>> > calls me it will be blocked!
>> >
>> > What do I do wrong? How would you set this up?
>> >
>> > Thanks for your help,
>> >
>> > Herman F.
>> >
>> >
>> >
>> >
>> > "Ori Yosefi [MSFT]" <oriy@online.microsoft.com> schreef in bericht
>> > news:%23BKn%23VrAFHA.2552@TK2MSFTNGP09.phx.gbl...
>> >> Herm hi,
>> >>
>> >> Regarding INBOUND and OUTBOUND.
>> >>
>> >> The usual meaning of INBOUND is when you have a server in your
>> >> "internal" network (or any other network for that matter), usually
>> >> being NATed, that you want to expose to the world. In that case you
>> >> would create a publishing rule (hence inbound) which would allocate a
>> >> port on ISA's external network interface card, and would direct all
>> >> received traffic to the "published server". Please note that the
>> >> scenario I have described is only one scenario and the published
>> >> server can be on other networks (including the localhost) and the
>> >> scenario between the client's network and the server's network may
>> >> also be route.
>> >>
>> >> An OUTBOUND traffic is usually meant when you have a client
>> >> application in the "internal" network (again, this is just an example -
>> >> can be any other network) and you want to allow the client application
>> >> access to the outside world (hence OUTBOUND). In this case you would
>> >> create an access rule that would allow a specific traffic outside. In
>> >> this case ISA does not have to allocate a port, it only has to pass the
>> >> traffic sent from the client application to the outside server, as the
>> >> server is usually not NATed.
>> >>
>> >> In your example, if you want to allow access to a specific port on ISA
>> >> itself, adding an access rule from the external network to the local
>> >> host should work. If the rule doesn't work, I suggest that you check
>> >> the logging information and see that the traffic indeed matches the
>> >> policy rule that you have defined. If it does not, you can see in the
>> >> logging which fields are mismatched.
>> >>
>> >> Regarding the Firewall client, I'm not sure that I understand what you
>> >> are trying to do.
>> >>
>> >> Are you trying to "expose" an application running on your workstation
>> >> to the outside world? This should be easily done by creating a protocol
>> >> that defines the ports used by the application and then creating a
>> >> publishing rule that would publish the application on your workstation.
>> >> This would cause the ISA to listen on those ports and forward the
>> >> traffic to your application.
>> >>
>> >> If I have not answered your question, please tell me what I have
>> >> misunderstood and I will try again.
>> >>
>> >> Hope this helps,
>> >>
>> >> Ori.
>> >>
>> >>
>> >> -- 
>> >> This posting is provided "AS IS" with no warranties, and
>> >> confers no rights.
>> >>
>> >>
>> >> Please do not send email directly to this alias. This alias is for
>> >> newsgroup purposes only.
>> >> Ori Yosefi[MSFT] ISA Server Team
>> >>
>> >> "Herm" <mighty_herm@hotmail.com> wrote in message
>> >> news:%23ZiS5hiAFHA.3376@TK2MSFTNGP12.phx.gbl...
>> >>> Hi,
>> >>>
>> >>> Maybe this should be the first technology to get familiar with, but
>> >>> somehow I lost the edge here...
>> >>> I am a beginner on ISA 2004 and try to figure this box out!
>> >>>
>> >>> I am a little confused with the terms OUTBOUND and INBOUND when I
>> >>> create a protocol. And also using the FW client is not clear to me
>> >>> (strange behaviour)...
>> >>>
>> >>> Example;
>> >>>
>> >>> Running Windows Server 2003 with ISA 2004 on the same box. Now I
>> >>> want to allow an application using port 2004-2006 for example, to
>> >>> accept incoming traffic. Must I set up INBOUND ports or OUTBOUND
>> >>> ports? The Access-Rule for the selected protocols should be from
>> >>> EXTERNAL to LOCAL HOST, isn't it?
>> >>>
>> >>> The second problem I have is how to get my workstation listening to
>> >>> these ports also. Cause the workstation runs the application. I
>> >>> assume installing the FW client is needed here?
>> >>>
>> >>> But somehow it still does not work. The ports are open (tested with
>> >>> shields up!), the application on my workstation is assuming the
>> >>> external IP address is bound to the workstation. But still the
>> >>> analyzer detects a firewall! And the ports are denied in the ISA
>> >>> logging. I had it working 2 times now! Meaning at a sudden moment,
>> >>> without even looking at the ISA (no changes), it worked. Restarting
>> >>> the application is enough to make it fail again.
>> >>>
>> >>> I am getting a bit frustrated here cause I hate when I don't see the
>> >>> light!
>> >>>
>> >>> Any suggestions ?
>> >>>
>> >>> Kind Regards,
>> >>> Herm
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
> 
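
The behaviour described in the replies above, as an added sketch that is not part of the thread and is not ISA Server code: a publishing host allocates a listening port and forwards received traffic to the application, and a second listener on that same port is refused. Loopback stands in for both the external interface and the workstation, and all function names are hypothetical.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"  # assumption: stands in for the external NIC and the workstation

def listen(port=0):
    """Open a TCP listener; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, port))
    s.listen()
    return s

def serve(listener, handler):
    """Accept connections on a daemon thread, one handler thread per connection."""
    def loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def app_handler(conn):
    """The 'workstation application': tags and returns each request."""
    with conn:
        conn.sendall(b"app:" + conn.recv(1024))

def make_publisher(target_port):
    """Handler that relays one request/response pair to the published server."""
    def handler(conn):
        with conn, socket.create_connection((LOOPBACK, target_port)) as upstream:
            upstream.sendall(conn.recv(1024))
            conn.sendall(upstream.recv(1024))
    return handler

def port_is_taken(port):
    """True if a second listener cannot bind the port (one application per port)."""
    try:
        listen(port).close()
        return False
    except OSError:
        return True

def demo():
    app = listen()                      # application on the workstation
    serve(app, app_handler)
    front = listen()                    # port allocated by the publishing host
    serve(front, make_publisher(app.getsockname()[1]))
    port = front.getsockname()[1]
    with socket.create_connection((LOOPBACK, port)) as client:
        client.sendall(b"call")         # constructed sample request
        reply = client.recv(1024)
    return reply, port_is_taken(port)

if __name__ == "__main__":
    print(demo())
```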

