Overview of non-HTTP server publishing

Microsoft Forefront Threat Management Gateway uses server publishing rules to map requests for non-Web servers located in a Forefront TMG network from clients located in other networks. Clients can be external clients located on the Internet or internal clients located on a different internal network.

When the network on which the published server is located has a NAT relationship with the network from which client requests are located, server publishing works as follows:

  • The IP address published by the server-published rule belongs to Forefront TMG. Clients make a request for the published resource to the client-facing adapter on the Forefront TMG server and not directly to the internal server.
  • By default, the client source address sent to the published server is that of the client. You can change this setting to specify that the source address sent to the published server is that of the Forefront TMG server.

When the network on which the published server is located has a route relationship with the network from which client requests are located, server publishing works as follows:

  • Forefront TMG listens for requests on the IP address of the published server.
  • Clients make a request to the IP address of the internal server.

Server publishing rules display the following characteristics:

  • Server publishing can be used to publish most TCP and UDP protocols.
  • The published server should be configured as a SecureNAT client with a default gateway pointing to Forefront TMG.
  • You cannot authenticate user requests for server publishing rules.
  • You can use IP address control to specify who can access published resources.
  • A server publishing rule can only publish a single server and protocol.

In some circumstances you may want to use server publishing rules instead of access rules for internal client requests, for example to allow internal clients to access a non-Web server located in a perimeter network. For a comparison of server publishing rules and access rules, see About network relationships and firewall policy.

Overriding default ports

Server publishing configures Forefront TMG to listen on a specific port and forward requests to a published server. You can configure the following port properties:

  • Specify the port on which Forefront TMG should listen for client requests. If you publish on a port other than the default port, Forefront TMG receives client requests for the published service on the nonstandard port, and then forwards requests to the designated port on the published server. For example, a server publishing rule may specify that client requests for FTP services connect through port 22 on the Forefront TMG computer before being redirected to the default port 21 on the published server.
  • Specify the port on the published server to which requests should be sent. This can be the default port or an alternative port.
  • Limit the source ports from which client requests can be received.
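The following Python model is an added illustration of the two behaviours described above (the NAT versus route listening address and source-address handling, and the listener, published-server and source-port settings); it is not Forefront TMG code or its COM API. The rule class, the `Packet` type, the IP addresses and the FTP example mapping (listener port 22 on the TMG adapter forwarded to port 21 on the published server) are all constructed for the example.

```python
"""Model of how a Forefront TMG server publishing rule selects and forwards a
client request.  Added illustration only; names and addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal view of one client request (constructed type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class ServerPublishingRule:
    name: str
    proto: str                      # one protocol per rule
    tmg_listener_ip: str            # TMG's client-facing adapter (the published IP under NAT)
    listener_port: int              # port TMG listens on; may differ from the service default
    published_server_ip: str        # the single server the rule publishes
    published_server_port: int      # port on the published server (default or alternative)
    relationship: str = "NAT"       # "NAT" or "route" between client and server networks
    preserve_client_source: bool = True   # default: the server sees the client's address
    allowed_sources: List = field(default_factory=lambda: [ip_network("0.0.0.0/0")])
    allowed_source_ports: Optional[range] = None   # None = accept any client source port

    def listen_address(self) -> str:
        # NAT relationship: clients target TMG's own address.
        # Route relationship: TMG listens on the published server's own address.
        return self.tmg_listener_ip if self.relationship == "NAT" else self.published_server_ip

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as sent on to the published server, or None if the
        rule does not apply (wrong protocol/port, or the client is not allowed)."""
        if pkt.proto != self.proto:
            return None
        if (pkt.dst_ip, pkt.dst_port) != (self.listen_address(), self.listener_port):
            return None
        # IP address control: only listed source networks may reach the published resource.
        if not any(ip_address(pkt.src_ip) in net for net in self.allowed_sources):
            return None
        # Optional restriction on the client source ports that are accepted.
        if self.allowed_source_ports is not None and pkt.src_port not in self.allowed_source_ports:
            return None
        # Source address handed to the server: the client's (default) or TMG's own.
        src_ip = pkt.src_ip if self.preserve_client_source else self.tmg_listener_ip
        return Packet(src_ip, pkt.src_port, self.published_server_ip,
                      self.published_server_port, pkt.proto)


# Constructed example: FTP published on a nonstandard listener port (22) and
# forwarded to the default port (21) on the internal server.
FTP_RULE = ServerPublishingRule(
    name="Publish FTP",
    proto="TCP",
    tmg_listener_ip="203.0.113.10",
    listener_port=22,
    published_server_ip="192.168.10.5",
    published_server_port=21,
    allowed_sources=[ip_network("198.51.100.0/24")],
)


def demo():
    client = Packet("198.51.100.7", 50123, "203.0.113.10", 22)
    return FTP_RULE.forward(client)


if __name__ == "__main__":
    print(demo())
```

The model makes the documented edge cases explicit: a request to the service's default port on the TMG adapter is ignored because the rule listens only on the configured port, and a client outside the allowed source set is dropped before any forwarding happens. Switching `preserve_client_source` to `False` shows the published server receiving TMG's address instead of the client's, which matters when the server's own logs are used for investigation.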