ISA publishing rules


  • ISA publishing rules

    I'm running ISA 2004 with 3 NICs. NICs are connected to Internal network, DMZ and external. On the DMZ network I have a web server I want to publish so Internal and External users can access it.


    On the External side of things everything is working properly, but the Internal side is a bit of a different story. I was experimenting a bit and it seems that if you want to give users on the Internal network access to your web server on the DMZ you do not need to publish it.

    What I did is this:

    1. Created a new network DMZ (perimeter network)
    2. Created a new network rule: DMZ (Source) - Internal (Destination) - Route (Relation)
    3. Created Access Rule: Allow - Internal (From) - DMZ (To) - HTTP (Traffic) - All Users

    After the above 3 steps I can normally access my web server on the DMZ from my Internal network without any publishing rule.

    So my question is: Are publishing rules only meant for Internet (or any users connecting through external interface) users or am I doing something wrong?

  • #2
    Re: ISA publishing rules

    For most websites hosted internally I would do what you did. There are however exceptions. The main example I can think of is OWA.

    It's quite common to want to present the same OWA interface both internally and externally to users, and the main way to do that is to have a separate web listener listening on the internal network for OWA requests, so that all users get the same OWA FBA login.

    The reason for the distinction, as I understand it, is that you couldn't, even if you wanted to, create an access rule from external to any other network, as the network relationship to external is NAT and not route. In other words, you CAN publish from any network to any other but access rules can also be used. You MUST publish to the internet.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog


    • #3
      Re: ISA publishing rules

      Publishing is only used when the traffic is being NAT-ted by the ISA server. Otherwise, when using routing, you should do it the way you did.
      Technical Consultant

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"
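The rule both replies give (Route relationship: access rules; traffic arriving across a NAT relationship: publishing rules) can be checked against the original poster's three steps with a small model. The following is an added example written for this thread, not ISA code and not a script that talks to an ISA server; it reduces ISA's policy evaluation to network relationships, access rules and publishing rules and ignores user sets, schedules, protocol groups and rule ordering subtleties. The network names come from the thread; the "Internet Access" rule is ISA's default Internal-to-External NAT rule, and the DMZ-to-External NAT rule and the publishing rule are assumed, since the poster only says that external publishing already works.

```python
"""Toy model of how ISA 2004 decides whether traffic between two networks
is handled by an access rule or needs a publishing rule.

Added example for this thread (not ISA's own code or API).  Constructed
configuration: Internal, DMZ and External networks, a Route relationship
DMZ <-> Internal (poster's step 2), an HTTP access rule Internal -> DMZ
(step 3), ISA's default Internal -> External NAT rule, and an assumed
DMZ -> External NAT rule plus web publishing rule for the DMZ server.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NetworkRule:
    name: str
    source: str
    destination: str
    relation: str            # "Route" or "NAT"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str              # "Allow" or "Deny"
    source: str
    destination: str
    protocol: str


@dataclass(frozen=True)
class PublishingRule:
    name: str
    listener_network: str    # network the web listener is bound to
    server_network: str      # network the published server sits in
    protocol: str


def relationship(src: str, dst: str, rules: List[NetworkRule]) -> Optional[str]:
    """Classify traffic initiated src -> dst as "Route", "NAT-out", "NAT-in" or None.

    A Route rule applies in both directions.  A NAT rule only covers traffic
    initiated from its source side ("NAT-out"); traffic initiated the other
    way ("NAT-in") is what ISA handles with publishing rules.
    """
    for r in rules:
        if r.relation == "Route" and {r.source, r.destination} == {src, dst}:
            return "Route"
        if r.relation == "NAT" and (r.source, r.destination) == (src, dst):
            return "NAT-out"
        if r.relation == "NAT" and (r.source, r.destination) == (dst, src):
            return "NAT-in"
    return None


def needs_publishing_rule(src: str, dst: str, rules: List[NetworkRule]) -> bool:
    """True when src -> dst crosses a NAT boundary inbound (publishing required)."""
    return relationship(src, dst, rules) == "NAT-in"


def evaluate(src: str, dst: str, protocol: str, network_rules: List[NetworkRule],
             access_rules: List[AccessRule], publishing_rules: List[PublishingRule]) -> str:
    """Return the decision for traffic src -> dst using the given protocol."""
    rel = relationship(src, dst, network_rules)
    if rel is None:
        return "Deny (no network rule between networks)"
    if rel == "NAT-in":
        for p in publishing_rules:
            if (p.listener_network, p.server_network, p.protocol) == (src, dst, protocol):
                return f"Allow via publishing rule '{p.name}'"
        return "Deny (inbound across NAT, no publishing rule)"
    # Route or NAT-out: access rules, first match wins, default deny.
    for a in access_rules:
        if (a.source, a.destination, a.protocol) == (src, dst, protocol):
            return f"{a.action} via access rule '{a.name}'"
    return "Deny (default rule)"


# Constructed configuration modelled on the thread (see module docstring).
NETWORK_RULES = [
    NetworkRule("Internet Access", "Internal", "External", "NAT"),   # ISA default
    NetworkRule("DMZ Internet Access", "DMZ", "External", "NAT"),    # assumed
    NetworkRule("DMZ to Internal", "DMZ", "Internal", "Route"),      # poster's step 2
]
ACCESS_RULES = [
    AccessRule("Internal to DMZ web", "Allow", "Internal", "DMZ", "HTTP"),  # step 3
]
PUBLISHING_RULES = [
    PublishingRule("Publish DMZ web server", "External", "DMZ", "HTTP"),  # assumed
]


def decide(src: str, dst: str, protocol: str = "HTTP") -> str:
    """Evaluate against the constructed configuration above."""
    return evaluate(src, dst, protocol, NETWORK_RULES, ACCESS_RULES, PUBLISHING_RULES)


if __name__ == "__main__":
    for s, d in [("Internal", "DMZ"), ("External", "DMZ"),
                 ("DMZ", "Internal"), ("External", "Internal")]:
        print(f"{s:>8} -> {d:<8} HTTP: {decide(s, d)}")
```

Running it shows the poster's result (Internal to DMZ HTTP is allowed by the access rule alone because the relationship is Route), that External to DMZ is only reachable through the publishing rule, and that the Route relationship does not implicitly open DMZ to Internal: with no access rule in that direction the default rule denies it, which is the check worth making after opening a routed path from a perimeter network.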