Securing Your Network with an ISA Server
This section includes information about how to enable communication between multiple servers in different domains. Each deployment has a Web farm and a data environment, and each deployment uses a firewall to help protect these environments from clients on the Internet.
Protocol Definitions
The following table lists the protocol definitions that you must define on the internal ISA Server so that administrators can log on to the internal domain. Protocol definitions identify the specific protocols that you use for communication between networks and domains. If the deployment does not support transactions, the protocol definitions for Microsoft Distributed Transaction Coordinator (MSDTC) do not apply.
Protocol definition name |
Port number |
Protocol type |
|---|---|---|
139 (TCP) In |
139 |
TCP |
Direct Host (TCP) Inbound |
445 |
TCP |
Direct Host (TCP) Outbound |
445 |
TCP |
SMB service (TCP) Inbound |
445 |
TCP |
Kerberos (UDP) In |
88 |
UDP |
Kerberos (TCP) In |
88 |
TCP |
Kerberos-Sec (UDP) Server |
88 |
UDP |
LDAP (TCP) Inbound |
389 |
TCP |
LDAP (UDP) Inbound |
389 |
UDP |
LDAP (UDP) Outbound |
389 |
UDP |
LDAP Global Catalog In |
3268 |
TCP |
SCOM Encrypted |
51515 |
TCP |
SCOM Encrypted Outbound |
51515 |
TCP |
MSDTC (TCP) Outbound 0 |
5000 |
TCP |
MSDTC (TCP) Outbound 1 |
5001 |
TCP |
MSDTC (TCP) Outbound 2 |
5002 |
TCP |
MSDTC (TCP) Outbound 3 |
5003 |
TCP |
MSDTC (TCP) Outbound 4 |
5004 |
TCP |
MSDTC (TCP) Outbound 5 |
5005 |
TCP |
MSDTC (TCP) Outbound 6 |
5006 |
TCP |
MSDTC (TCP) Outbound 7 |
5007 |
TCP |
MSDTC (TCP) Outbound 8 |
5008 |
TCP |
MSDTC (TCP) Outbound 9 |
5009 |
TCP |
MSDTC (TCP) Outbound 10 |
5010 |
TCP |
MSDTC (TCP) Outbound 11 |
5011 |
TCP |
MSDTC (TCP) Outbound 12 |
5012 |
TCP |
MSDTC (TCP) Outbound 13 |
5013 |
TCP |
MSDTC (TCP) Outbound 14 |
5014 |
TCP |
MSDTC (TCP) Outbound 15 |
5015 |
TCP |
MSDTC (TCP) Outbound 16 |
5016 |
TCP |
MSDTC (TCP) Outbound 17 |
5017 |
TCP |
MSDTC (TCP) Outbound 18 |
5018 |
TCP |
MSDTC (TCP) Outbound 19 |
5019 |
TCP |
MSDTC (TCP) Outbound 20 |
5020 |
TCP |
MSDTC (TCP) Outbound 20 |
5021 |
TCP |
MSDTC (TCP) Outbound 22 |
5022 |
TCP |
MSDTC (TCP) Outbound 23 |
5023 |
TCP |
MSDTC (TCP) Outbound 24 |
5024 |
TCP |
MSDTC (TCP) Outbound 25 |
5025 |
TCP |
MSDTC (TCP) Outbound 26 |
5026 |
TCP |
MSDTC (TCP) Outbound 27 |
5027 |
TCP |
MSDTC (TCP) Outbound 28 |
5028 |
TCP |
MSDTC (TCP) Outbound 29 |
5029 |
TCP |
MSDTC (TCP) Outbound 30 |
5030 |
TCP |
NetBIOS Datagram Server |
138 |
UDP |
NetBIOS Name Server |
137 |
UDP |
NTDS (TCP) Inbound |
1026 |
TCP |
NTDS (TCP) Outbound |
1026 |
TCP |
RPC Outbound |
135 |
TCP |
Note
When creating the RPC Outbound protocol definition, enter ports 2000 to 2030 in the port range boxes for the secondary connection. For Protocol Type, select TCP. For Direction, select Outbound.
Server Publishing Rules
To map incoming requests to the appropriate servers in the internal domain, you create the server publishing rules listed in the following table. For ISA Servers configured in an array, you only have to create the server publishing rules on one server. ISA Server will synchronize these rules across the array. If the deployment does not support transactions, the server-publishing rule for MSDTC does not apply.
Server publishing rule name |
Mapped protocol |
|---|---|
139 (TCP) In |
139 (TCP) In |
Direct Host (TCP) - 1 |
Direct Host (TCP) Inbound |
DNS Query Server |
DNS Query Server |
DNS Zone Transfer Server |
DNS Zone Transfer Server |
Kerberos (UDP) Inbound - 1 |
Kerberos-Sec (UDP) Server |
Kerberos (TCP) In |
Kerberos (TCP) In |
LDAP (TCP) Inbound -1 |
LDAP (TCP) Inbound |
LDAP (UDP) Inbound - 1 |
LDAP (UDP) Inbound |
LDAP Global Catalog In |
LDAP Global Catalog In |
MOM Encrypted Inbound |
MOM Encrypted |
MSDTC Outbound - 1 |
MSDTC (TCP) Outbound |
NetBIOS Datagram Server |
NetBIOS Datagram Server |
NetBIOS Name Server |
NetBIOS Name Server |
NTDS (TCP) Inbound - 1 |
NTDS (TCP) Inbound |
RPC (TCP) Inbound - 1 |
Any RPC server |
SQL Server |
Microsoft SQL Server |
Protocol Rules
The enterprise deployment requires protocol rules to allow for Domain Name System (DNS) queries from the internal domain controllers to reach the external domain controllers. The following table specifies these protocol rules. If the deployment does not support transactions, the protocol rule for MSDTC does not apply.
Protocol rule name |
Protocol |
Applies to |
Schedule |
|---|---|---|---|
Direct Host (TCP) Outbound |
Direct Host (TCP) Outbound |
Any Request |
Always |
DNS Query |
DNS Query |
Any Request |
Always |
DNS Zone Transfer |
DNS Zone Transfer |
Any Request |
Always |
HTTP Outbound |
HTTP |
Any Request |
Always |
HTTPS Outbound |
HTTPS |
Any Request |
Always |
Kerberos (TCP) |
Kerberos-Sec (TCP) |
Any Request |
Always |
Kerberos (UDP) |
Kerberos-Sec (UDP) |
Any Request |
Always |
LDAP (TCP) Outbound |
LDAP |
Any Request |
Always |
LDAP (UDP) Outbound |
LDAP (UDP) Outbound |
Any Request |
Always |
LDAP Global Catalog |
LDAP GC (Global Catalog) |
Any Request |
Always |
MOM Encrypted Outbound |
MOM Encrypted Outbound |
Any Request |
Always |
MSDTC (TCP) Outbound |
MSDTC (TCP) Outbound 0 - 30RCP Outbound |
Any Request |
Always |
NetBIOS Datagram |
NetBIOS Datagram |
Any Request |
Always |
NetBIOS Name Service |
NetBIOS Name Service |
Any Request |
Always |
NetBIOS Session |
NetBIOS Session |
Any Request |
Always |
NTDS (TCP) Outbound |
NTDS (TCP) Outbound |
Any Request |
Always |
See Also
Other Resources
What are the Network Deployment Requirements?
What are the Hardware Deployment Requirements?