Another Look at Server Publishing in ISA Server 2006
Author:
Thomas Detzner, Escalation Engineer, Microsoft CSS Forefront Security Edge Team
Technical Reviewers:
Lior Alon, Senior Development Lead, Microsoft TMG Forefront Security Edge Team
Yuri Diogenes, Security Support Engineer, Microsoft CSS Forefront Edge Team
Jim Harrison, Program Manager, Microsoft CSS Forefront CS Team
In the last few months I encountered several customers who had questions about server publishing using ISA Server and we found out that because there are many myths on this subject that it would be time to shed some light on some behaviors of ISA Server.
Scenario 1 - Simple Publishing Rule
Let’s start with a simple scenario (as shown in Figure 1), ISA Server has two interfaces and publishes an internal DNS Server:
.gif "Dd547089.518cc2cf-c2e4-4d00-bde5-4f93a82b7674(en-us,TechNet.10).gif")
Figure 1 - Simple Scenario
There is already a very good article about troubleshooting such a scenario out there and I just want to briefly highlight some additional tools you can use here. One tool that is a must-have for checking server publishing listeners is FWENGMON. The reason this tool is required is explained in Microsoft knowledgebase article 838127.
All you need to do to make this work is to create a Server Publishing rule for the DNS Server protocol from the External network to the published DNS Server on 192.168.174.253:
.gif "Dd547089.71c86434-d94c-48d0-8ce4-ee5ab86ec59d(en-us,TechNet.10).gif")
Figure 2 - Simple Publishing Rule
With the default network rules as shown in Figure 3:
.gif "Dd547089.b1473eea-b4b2-460c-993f-184b58395e64(en-us,TechNet.10).gif")
Figure 3 - Network Rules
After you apply the configuration changes you will see the listener created using the command fwengmon /c as shown in Figure 4:
.gif "Dd547089.cde9c7d8-fcb1-4627-81b7-11cd67b29471(en-us,TechNet.10).gif")
Figure 4 - Using FWEngmon to review the publishing rule
What fwengmon is telling us is that ISA Server created a UDP and TCP listeners on 84.154.75.57 port 53 which accept traffic from 0.0.0.0. An IP address of 0.0.0.0 means “any possible IP address”. (INADDR_ANY). The output is somewhat similar to what you would see using netstat command as shown in Figure 5:
.gif "Dd547089.7de29ee7-3fc2-4c1b-8791-9f0db844bc2d(en-us,TechNet.10).gif")
Figure 5 - Netstat command result
Scenario 2 - Complex Publishing Rule
In the next example we dive into a bit more complex scenario. In this scenario the ISA Server has 4 NIC’s and is connected a number of Networks. In addition to this it hosts a publishing rule for a DNS Server in the DMZ that shall be accessed from internal Clients as you can see in Figure 6:
.gif "Dd547089.abd5160a-445d-4098-847b-2abc38cd95a6(en-us,TechNet.10).gif")
Figure 6 - Complex network topology
The goal in this scenario is to publish the DNS Server in the Network DMZ at IP Address 10.110.0.253 for the clients on the Network ClientNet2. The clients in this network shall also have no direct connection to the network DMZ and shall use the ISA Servers IP Address 192.168.174.101 instead.
When you look at this you may say – well this is an easy task to do, just configure an Access rule on ISA and you are all set. However the 2nd requirement of this task was that the clients shall always use the IP Address 192.168.174.101. This is not possible with an Access rule since in an access rule scenario the client needs to specify the real destination IP Address which would be in10.110.0.253 in this case. So we need to publish the network DMZ. You may say – easy task as well, but as usually the problems come with the details.
The networks had been created as follows:
| Network Name | IP Range | Type |
|---|---|---|
External |
10.100.100.x/24 |
Default External |
Internal |
172.118.112.x/20 |
Default Internal |
DMZ |
10.110.0.x/24 |
Perimeter |
ClientNet2 |
192.168.174.x/24 |
Internal |
The network rule had been defined as shown in Figure 7:
.gif "Dd547089.6d6a91ae-0c92-4db5-aeb0-4ace9ccbb678(en-us,TechNet.10).gif")
Figure 7 - Network rules for this scenario
The Publishing rule is defined as shown in Figure 8:
.gif "Dd547089.ce15b5e4-e25e-4d30-9e0a-9fb16bfb37b6(en-us,TechNet.10).gif")
Figure 8 - Publishing rule for this scenario
For now I’d say all is properly defined and looks like it should work with no issues. If we check the creation objects with our lovely fwengmon tool, we will see an output similar to Figure 9:
.gif "Dd547089.fb0b8552-2c78-4848-8035-977de24a8b1b(en-us,TechNet.10).gif")
Figure 9 - FWengmon result
As you can see there is no listener on any IP address at all for port 53. What happened? Fortunately ISA Server will give us a hint in the event log as shown in Figure 10:
.gif "Dd547089.66a9dd44-6bc5-4230-baa0-c05b09d4539a(en-us,TechNet.10).gif")
Figure 10 - Event id 21174
The event complains that there is no network relationship between the networks, but we did create one! Now I changed the source and Destination network in the rule as shown Figure 11:
.gif "Dd547089.86a2a129-85e7-4358-af93-9b230f1bb941(en-us,TechNet.10).gif")
Figure 11 - New network rules
After applying the changes and again use fwengmon to review the listener creation will show that the result was different as shown in Figure 12:
.gif "Dd547089.782db562-c235-41c1-9fd8-b9b06eefd891(en-us,TechNet.10).gif")
Figure 12 - New fweng result
In addition to this ISA is also telling us that it likes this configuration a lot better using event 1461 as shown in Figure 13:
.gif "Dd547089.57233035-ec7c-406c-914f-731f6ad856ad(en-us,TechNet.10).gif")
Figure 13 - Event that acknowledges that the issue was resolved
From the event you can also see that the mapping between 10.110.0.253 -> 192.168.174.101 exists. The reason for this is we have defined the publishing rule with the Protocol DNS Server as shown in Figure 14:
.gif "Dd547089.2d231e3b-7bf1-4b52-a374-fd3b183a7f76(en-us,TechNet.10).gif")
Figure 14 - DNS Publishing rule
The DNS Server protocol definition defines the parameters showed in Figure 15:
.gif "Dd547089.cd706914-3ad4-410e-add3-259f01fbe0c0(en-us,TechNet.10).gif")
Figure 15 - DNS Server Protocol
So this means that the traffic is supposed originate in the “destination” network of a NAT relationship.
Now there is also an option that you can configure a Publishing rule when the networks have a Route relationship. This works and is fully supported. The only thing you need to know here is that inbound protocols are only supported for publishing rules. For example if you want to take advantage of the SMTP application filter which is attached only to the ‘SMTP Server’ protocol, using an access rule will not work. An SMTP access rule will not use the SMTP application filter.
Clients who want to access the published server when the network relationship is ROUTE need to specify the published Server IP Address as the destination because the rule in this case acts in a similar fashion to an Access rule – with the difference of the Protocols used – outbound for an access rule and inbound for a publishing rule. Let’s see this in detail:
First we changed the network rule to have a ROUTE relationship as shown in Figure 16:
.gif "Dd547089.4fd4d475-201f-43b0-89f9-20211f577d2c(en-us,TechNet.10).gif")
Figure 16 - Network relationship
After applying the configuration, fwengmon was used again to verify the listener creations and the ISA server now listens on the destination IP Address as shown in Figure 17:
.gif "Dd547089.a05c6602-5a3b-4a06-98cb-62a4f8cc6278(en-us,TechNet.10).gif")
Figure 17 - Result of fwengmon
If you think about it, this actually makes sense. In a classical publishing scenario this is how we designed it as well:
The published server lives on the default internal network
The listener is on the default external network
The network rule is defined as source == internal network, destination == external network
So to make this more abstract we can conclude the following:
Where a NAT network relationship is defined so that A is the source network and B is the destination network:
A host in network A can initiate traffic to a host in network B only through an access rule and a host in network B can reach the host in network A in response to the traffic for the matching access rule
A host in network B can initiate traffic to a host in network A only through a server publishing rule
Where a Route network relationship is defined between A →B (source and destination are unimportant for route relationships), A or B can initiate traffic to the opposite network through access or server publishing rules
When ISA creates the publishing listeners determines which listeners need to be created (route listeners or NAT listeners). In order to do this ISA iterates over the addresses in the 'from' tab of the publishing rule and performs the following:
For each address 'a' in the 'from' tab it checks the network relationship between the published server and address 'a'. It creates listeners accordingly (NAT/route)
If no network relationship exists ISA doesn't create any listener and indicates an alert (see Event ID 21174)
Note
Another good reference on NAT x Route relationship can be found in article Server Publishing with ISA Server 2004/2006 and Route Relationship Between Networks.
Conclusion
In this article I walked you through multiple scenarios for server publishing with ISA Server and I hope you have now a better understanding on how ISA server works. The key take away here is that the source and destination network selection for the relevant network rule is critical as ISA will use this information when it decides how to create the listeners. Whenever you are in doubt try to simplify your network as much as possible and make sure you understand where the traffic originates and what direction the rule is supposed to handle.