Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 10)


Well, folks, our series is almost at an end. You might remember that the last time we got together as part of this very comprehensive overview, we created an FTP Server Publishing Rule. Now, let’s take a look at the details of that Server Publishing Rule and find out about the options that are available to you for modifying this rule. In addition, we’ll delve into more details about how the rule actually works, and that will wrap it up.

Examining the available options

If you right click on your Server Publishing Rule, the first tab you’ll see is the General tab, which is shown in Figure 1. There aren’t many things you can do here. In the Name text box, you can change the name of the rule. Something you couldn’t do when you created the rule using the Server Publishing Rule Wizard was add a description, but here you can enter one in the Description (optional) text box. I’ve found this can be very valuable, and you might want to consider requiring admins to fill this box in, using some standard text. This might include the reason for creating the rule, the name of the person who created the rule, and any special configurations that were made to customize the rule.

You can also enable or disable the rule from this interface, by checking or unchecking the Enable checkbox.

Figure 1

Next, let’s click on the Action tab, shown in Figure 2. Here you will see that you have two very straightforward options: Allow and Deny. Note that in this example, the Deny option isn’t available (it’s grayed out). The reason for that is that you don’t need it in the case of this FTP publishing rule. If you don’t create an FTP rule, then FTP will be denied and there are no subsequent redirect actions you can take. This tab is more useful when you are creating HTTP related rules and you want to deny a connection and subsequently redirect the requestor to another site or to an SSL site.

The Log requests matching this rule option at the bottom of this tab is very useful. You may have some Server Publishing Rules that you really don’t care about monitoring closely. Maybe you only want to monitor them on a periodic basis. If you have Server Publishing Rules that fit that description, then you can uncheck the Log requests matching this rule checkbox. When you do this, connections matching the parameters of this rule won’t be logged. This can save disk space and may also increase the overall performance of the TMG firewall.

Figure 2

On the Traffic tab, which is shown in Figure 3, you have a number of different options that are accessed via the four buttons on the right side. Let’s start by clicking on the Properties button.

Figure 3

On the General tab of the Properties dialog box, shown in Figure 4, you’ll see the name of the protocol that is being used by the Server Publishing Rule. In this case, it’s the FTP Server protocol. There is a description of the protocol in the Description text box.

The Associated Standard Protocol section displays information about which Application Filter is associated with the protocol. Note that not all protocols will have Application Filters associated with them. However, some protocols require this because there might be some security issues with the protocol that need to be handled, or the protocol might be what we call a “complex” protocol. You probably remember from our earlier discussion that a complex protocol is one that requires negotiating multiple inbound or outbound connections.

You can see in the screenshot that the FTP application filter is associated with the FTP Server protocol. Because the filter is required in order to make FTP Server publishing work, you do not have the option to disassociate the filter from the protocol. For some other protocols that have Application Filters associated with them, you have the option to remove the Application Filter from the protocol.

Figure 4

On the Parameters tab, which is shown in Figure 5, you’ll see several pieces of information and buttons for adding, editing and removing the connections listed. Here are some explanations to help you understand the information here:

  • Primary Connections – in this section, you can see the Port Range, Protocol Type and Direction that defines the protocol.
  • Secondary Connections – in this section, you can see any secondary connections that might be required. As you know, the FTP protocol does require secondary connections. The reason they are not listed here is that secondary connection handling is baked into the filter and therefore is not displayed here. If you were to create a custom protocol for a protocol that required secondary connections, then you would include that information here.
  • Direction – This column shows the direction (inbound or outbound). Note that all Server Publishing Rule protocols have their primary connections in the Inbound direction.

In the third section, you can also see any application filters that are assigned to the protocol. As we saw earlier, the FTP filter is bound to the FTP Server Publishing protocol.

Figure 5

Back on the Traffic tab, which is shown in Figure 6, you have the option of changing the protocol and modifying some of the characteristics of the protocol. You can see the current protocol and select another protocol in the Allow network traffic using the following protocol drop down list.

If you click the Filtering button, you’ll see some options that are related to any filters that are associated with the protocol. Remember that not all Server Publishing Rule protocols are bound to a filter, so the Filtering button won’t always be available here. In this example, we can see the Configure FTP option is available because the FTP Application Filter is bound to the publishing protocol.

Figure 6

The options that are available to you will differ, depending on the Application Filter that is bound to the protocol. For the FTP publishing protocol, we have a single option: Read Only – When Read Only is selected, FTP uploads will be blocked, as shown in Figure 7. Notice that this is the default setting. Many TMG admins will probably be surprised that they get calls from users after enabling their FTP Server Publishing Rule, complaining that FTP doesn’t work. The reason for this is that users have been told that the FTP server is ready, and then those users aren’t able to upload their files. That’s when the TMG firewall admin finds out about this default setting for the FTP publishing protocol.

Figure 7

If you click the Ports button, you can see in Figure 8 that you have a number of options when it comes to customizing the ports that are used by the protocol. In the Firewall ports section, you will see these options:

  • Publish using the default port defined in the protocol definition. Use this option if you want to use the default port; it’s pretty self-explanatory.
  • Publish on this port instead of the default port. Use this one if you want the firewall to listen on an alternate port. You have to be careful with this when you’re using some protocols, because if the protocol is associated with an Application Filter, the filter is keyed to a specific port and it won’t work if you change the port.

In the Published Server Ports section, you have these options:

  • Send requests to the default port on the published server. The TMG firewall will forward the request to the default port for that protocol to the published server. For example, if it’s the SMTP protocol, requests will be forwarded to TCP 25. For the FTP protocol, they will be forwarded to TCP port 21, and so forth.
  • Send requests to this port on the published server. Use this option if you want to forward the connections using an alternate port. For example, you might want to accept incoming connections for SMTP on TCP port 25 at the firewall, but then you might want the firewall to forward the connection to TCP port 2525 on the published server.

The Source Ports section gives you the following options:

  • Allow traffic from any allowed source port. This is the default option. When it is selected, clients that are connecting to the published server can use any random source port.
  • Limit access to traffic from this range of source ports. You can use this option if you want to increase the security of your Server Publishing Rule. For example, if you’re publishing an RDP server, you can configure the RDP Server Publishing Rule so that only clients that have configured themselves to use a small range of source ports will be allowed to reach the published server. Since hackers would have to be able to guess these ports in order to connect, the chances are very small that they will be able to do so. This provides you with a little added security for your publishing rule when you’re in a high security situation.

Figure 8

On the From tab, which is shown in Figure 9, you can specify on which networks you want the firewall to accept incoming connections for the Server Publishing Rule. Notice that there is an option to create Exceptions. This can come in handy. For example, this rule allows incoming connections from Anywhere. Let’s say you want to accept connections from Anywhere except a particular collection of IP addresses that you know to be malicious. You can enter those IP addresses as exceptions by creating a Network Entity and making it an exception.

Figure 9

On the To tab, which is shown in Figure 10, you can change the IP address of the published server, or you can use the Browse button to find the server.

In the Requests for the published server section, you have two options:

  • Requests appear to come from the Forefront TMG computer. If you select this option, the source IP address that the published server will see is the IP address of the firewall, not the original client IP address.
  • Requests appear to come from the original client. Use this option if you want to preserve the client source IP address so that it appears in the logs of the published server.

Note that if your TMG firewall isn’t in the route path to the default gateway, then you must use the Requests appear to come from the Forefront TMG computer option.

Figure 10

On the Networks tab, which is shown in Figure 11, you can configure on which networks and IP addresses you want the TMG firewall to accept connections for this Server Publishing Rule.

Figure 11

On the Schedule tab, which is shown in Figure 12, you can set the schedule by which you want to allow connections to the published server via this Server Publishing Rule. It’s important to note that this schedule applies to new connections only, and not to established connections. If there are established connections at the time you configure this, they will remain connected until the users disconnect. The settings on the Schedule tab will not disconnect users.

Figure 12
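
One way to turn the review points from this walkthrough (the standard description text, the logging checkbox, the FTP Read Only default, From exceptions, source port limits and the route-path requirement on the To tab) into a repeatable check. This is an added example, not code from the article or from TMG; the inventory format and every field name are hypothetical, filled in by hand from the dialogs shown above.

```python
import re

# Constructed inventory: settings copied by hand from each rule's tabs.
# This is NOT a TMG export format; all field names are assumptions.
RULES = [
    {"name": "FTP Server",
     "description": "Reason: partner file drop; Owner: jsmith; Custom: none",
     "log_requests": True, "ftp_read_only": True,
     "from": ["Anywhere"], "exceptions": ["Known bad IPs"],
     "source_ports": None, "appear_from": "client",
     "server_gateway_is_tmg": True},
    {"name": "RDP Server", "description": "",
     "log_requests": False, "ftp_read_only": None,   # None: no FTP filter bound
     "from": ["Anywhere"], "exceptions": [],
     "source_ports": None, "appear_from": "client",
     "server_gateway_is_tmg": False},
]

# Standard description text suggested in the article: reason, creator,
# special configuration. The "Key: value" layout is an assumed convention.
REQUIRED = ("Reason", "Owner", "Custom")

def audit_rule(rule):
    """Return review findings for one Server Publishing Rule record."""
    findings = []
    desc = rule.get("description", "")
    missing = [k for k in REQUIRED if not re.search(rf"\b{k}:\s*\S", desc)]
    if missing:
        findings.append("description missing: " + ", ".join(missing))
    if not rule["log_requests"]:
        findings.append("logging disabled: matching connections are not recorded")
    if rule["ftp_read_only"] is False:
        findings.append("FTP Read Only cleared: uploads are allowed")
    if ("Anywhere" in rule["from"] and not rule["exceptions"]
            and rule["source_ports"] is None):
        findings.append("open to Anywhere with no exceptions or source port limit")
    if rule["appear_from"] == "client" and not rule["server_gateway_is_tmg"]:
        findings.append("original client IP selected but TMG is not in the "
                        "route path to the default gateway")
    return findings

def audit(rules):
    """Map each rule name to its list of findings (empty list = clean)."""
    return {r["name"]: audit_rule(r) for r in rules}

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, "->", findings or "OK")
```
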


In this article, the last in our series, we finished up our discussion of Server Publishing Rules by going over the details of the Server Publishing Rule we created last week. Part 10 completes our deep dive series on Web and Server Publishing Rules. I hope that you found some of it useful and that you will be able to apply some of what you learned in the near future. Thanks! –Deb.
