Publishing Access Rules

ISA Server access rules determine how clients on a source network can access resources on a destination network. They are generally used to give internal computers protected by ISA Server access to resources on external networks, or to control traffic between the Internal network and servers located in a perimeter network.

ISA Server publishing rules are most often used to allow external clients to access resources protected by ISA Server. For example, you may allow public access from the Internet to a Web server published with a Web publishing rule, or allow external access to a specific server using server publishing rules. Server publishing in a NAT relationship hides the actual address of the published server (a SecureNAT client), so that the user requesting the object sees the IP address of the ISA Server computer rather than the private IP address of the internal server being published.

There are some circumstances in which you may consider giving internal clients access to resources in other networks by using a server publishing rule, rather than by means of an access rule permitting access using a specific protocol.

One common scenario is when you have a perimeter network defined, and you want to allow computers in the perimeter network to contact Internal network hosts, or to allow computers in the Internal network to contact hosts in the perimeter network. When choosing whether to use access rules or server publishing rules, consider the following:

  • A server publishing rule can only publish a single server.
  • Port translation can easily be performed with server publishing.
  • Some built-in application filters, such as the Simple Mail Transfer Protocol (SMTP) filter, are designed to work with server publishing rules, and not with access rules.
  • In a NAT relationship, you cannot use an access rule to permit access to a computer if that computer is a SecureNAT client. In this scenario, you must use a server publishing rule. If there is a route relationship, an access rule will work.
  • When using server publishing in a route relationship, the server publishing rule works like an access rule to allow access to the published server. Clients send requests directly to the IP address of the server being published, and not to the IP address of the ISA Server client-facing network interface.
  • If you are using Network Load Balancing (NLB), use server publishing rules in preference to access rules. Server publishing rules allow correct load balancing of traffic to the published server.
  • An access rule allowing Hypertext Transfer Protocol (HTTP) always uses NAT in both directions by default, even between networks with a route relationship.
  • If you choose to configure a route relationship rather than NAT between two separate networks, there is no loss in functionality using server publishing rules. Filters (for example SMTP, POP3, or DNS) should work as they would for server publishing rules across networks with a NAT relationship. Note that the H.323 filter does not support server publishing.

In the scenario described, there may be either of the following relationships between the perimeter network and the Internal network:

  • You have a route relationship between the perimeter network and the Internal network.
  • You have a NAT relationship between the perimeter network and the Internal network.

The following table summarizes how the use of access rules or server publishing rules is affected in a NAT or route network relationship.

Perimeter and internal relationship: NAT

  Control traffic with access rules:
  • ISA Server listens for requests on the client-facing network adapter on the ISA Server computer.
  • Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server.
  • Client source IP address is that of the ISA Server computer. For example, if a NAT relationship is defined from source Network_A to destination Network_B, the IP addresses of client computers on Network_A are replaced with the IP address of the network adapter connected to Network_B on the ISA Server computer. Packets from Network_B returned to clients on Network_A are not translated.

  Control traffic with server publishing rule:
  • ISA Server listens for requests on the client-facing network adapter on the ISA Server computer.
  • Clients should make requests to the client-facing adapter, and not directly to the IP address of the published server.
  • Client source IP address is that of the ISA Server computer unless you configure the rule to forward the original client source IP address.
  • Note that there is a difference between server publishing (where the default is to pass the client address) and Web publishing (where the default is to use the ISA Server internal address).

Perimeter and internal relationship: Route

  Control traffic with access rules:
  • ISA Server listens on the IP address of the published server.
  • Published server log shows original client source IP address.
  • Note that if access rules allow HTTP traffic, it will go through the Web Proxy Filter and be subject to NAT, even in a route relationship. To override this default behavior, disable the filter for the HTTP traffic. For more information, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.

  Control traffic with server publishing rule:
  • ISA Server listens on the IP address of the published server.
  • Clients should request the actual IP address of the published server.
  • Use the From part of the server publishing rule to limit clients who can use the rule.
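The considerations listed earlier and the table above can be hard to keep straight when planning a perimeter network. The following Python model is an added example, not ISA Server code and not its administration API: it encodes, for each combination of network relationship (NAT or route) and rule type (access rule or server publishing rule), where a client must address its request and what source IP address the published server's log will record. The adapter addresses, client address, published server address and rule names are all constructed for the illustration.

```python
# Added illustration: a constructed model of how a request reaches a published
# server under ISA Server's NAT and route relationships. Not ISA Server code and
# not its administration API; every address below is made up.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    protocol: str   # e.g. "HTTP", "SMTP"


@dataclass(frozen=True)
class IsaServer:
    client_facing_ip: str   # adapter on the network the clients are on (Network_A)
    server_facing_ip: str   # adapter on the network the published server is on (Network_B)


@dataclass(frozen=True)
class Rule:
    kind: str                               # "access" or "server_publishing"
    relationship: str                       # "nat" or "route" between the two networks
    published_server: str                   # IP address of the server being reached
    server_is_securenat: bool = False       # published server is a SecureNAT client
    forward_original_client: bool = True    # server publishing: pass the client address (default)
    http_web_proxy_filter: bool = True      # access rules: HTTP goes through the Web Proxy Filter

    def __post_init__(self):
        assert self.kind in ("access", "server_publishing")
        assert self.relationship in ("nat", "route")


def expected_destination(rule: Rule, isa: IsaServer) -> str:
    """Address a client must send its request to for the rule to apply."""
    if rule.relationship == "nat":
        # NAT: ISA Server listens on its client-facing adapter.
        return isa.client_facing_ip
    # Route: clients address the published server itself.
    return rule.published_server


def forward(packet: Packet, rule: Rule, isa: IsaServer) -> Optional[Packet]:
    """Return the request as the published server's log would record it,
    or None when the request is not delivered under this rule."""
    if rule.kind == "access" and rule.relationship == "nat" and rule.server_is_securenat:
        # A SecureNAT client behind a NAT relationship needs a server publishing rule.
        return None
    if packet.dst != expected_destination(rule, isa):
        return None

    src = packet.src
    if rule.relationship == "nat":
        if rule.kind == "access" or not rule.forward_original_client:
            # Source replaced with the ISA adapter connected to the server's network.
            src = isa.server_facing_ip
    elif rule.kind == "access" and packet.protocol == "HTTP" and rule.http_web_proxy_filter:
        # HTTP access rules pass through the Web Proxy Filter and are NAT'd even over a route.
        src = isa.server_facing_ip
    return Packet(src=src, dst=rule.published_server, protocol=packet.protocol)


ISA = IsaServer(client_facing_ip="10.0.0.1", server_facing_ip="192.168.1.1")  # constructed
SERVER = "192.168.1.10"                                                        # constructed
CLIENT = "10.0.0.50"                                                           # constructed


def scenarios() -> dict:
    """Run the combinations from the table; map scenario name to the source IP the server logs."""
    cases = {
        "nat/server_publishing/default": (Rule("server_publishing", "nat", SERVER), "SMTP"),
        "nat/server_publishing/isa_source": (Rule("server_publishing", "nat", SERVER, forward_original_client=False), "SMTP"),
        "nat/access": (Rule("access", "nat", SERVER), "SMTP"),
        "nat/access/securenat": (Rule("access", "nat", SERVER, server_is_securenat=True), "SMTP"),
        "route/access/smtp": (Rule("access", "route", SERVER), "SMTP"),
        "route/access/http": (Rule("access", "route", SERVER), "HTTP"),
        "route/access/http_filter_off": (Rule("access", "route", SERVER, http_web_proxy_filter=False), "HTTP"),
        "route/server_publishing": (Rule("server_publishing", "route", SERVER), "SMTP"),
    }
    results = {}
    for name, (rule, proto) in cases.items():
        pkt = Packet(CLIENT, expected_destination(rule, ISA), proto)
        seen = forward(pkt, rule, ISA)
        results[name] = None if seen is None else seen.src
    return results


if __name__ == "__main__":
    for name, src in scenarios().items():
        print(f"{name:34} server logs source {src}")
```

The two cases worth noticing in the output are the HTTP access rule over a route relationship, which still logs the ISA Server adapter address because of the Web Proxy Filter, and the server publishing rule in a NAT relationship, which logs the original client address by default; when the published server's logs are part of your audit trail, these are the combinations that decide whether you can attribute a connection to a client.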