Wilmar Perez, a participant on the ISAserver.org. mailing list, asks a question about how to get his SSH Server Publishing Rules working. I’ve heard this question asked a lot inthe last year, so I wasn’t surprised to hear it again. I don’t run any SSH servers in any of my environments, so I never understood what the problem could be.
SSH is supposed to be a simple protocol, requiring a single primary connection on TCP port 22. No secondary connections, nothing tricky that would require an application filter or the Firewall client (which isn’t supported for Server Publishing Rules anyway in ISA 2004). I always assumed that the people asking questions about broken SSH Server Publishing Rules were doing something else wrong and I never heard any follow up on what those problems might be or if they ever solved their problems.
This time we got lucky. Wilmar took his problem to Microsoft PSS and asked them for help. He said he was told to create Route relationship between the ISA firewall Protected Network and the default External Network. This was interesting because Wilmar already had a NAT relationship between the ISA firewall Protected Network and the default External Network, because he was using private addresses on the ISA firewall Network on which the SSH server was located. It didn’t make sense to create a Route Network Rule between the SSH server’s ISA firewall Network and the default External Network.
Wilmar took the advise from Microsoft PSS. Guess what? It worked! Now, I understand that this makes no sense at all. I asked Wilmar if PSS provided an explanation for this, but he said they didn’t, which is unfortunate. What is so unusual about SSH that something that seems so totally nonsensical would be the solution to his problem?
Whatever the reason (which I hope to someday figure out), that’s the solution. If you have a Server Publishing Rule for an SSH server and you have a NAT Network Rule between the ISA firewall Network on which the SSH sits and the default External Network, then create Route Network Rule between the ISA firewall Network on which the SSH server sits and the default External Network.
Wilmar did point out that the Route Network Rule is above the NAT Network Rule in the list of Network Rules. Since Network Rules are evaluated from the top down, it should be that the Route Network Rule will always be used before the NAT Network Rule. I have to wonder if this will break functionality for other published servers on the same ISA firewall Network.
Thomas W Shinder, M.D.
MVP — ISA Firewalls