Route Relationships, Server Publishing Rules, and Port Stealing

A best-kept secret in the ISA Firewall world is that you can publish servers with Server Publishing Rules even when there is a route relationship between the source and destination networks. Most people think of Server Publishing Rules as a form of reverse NAT that supports application layer inspection. That is one scenario, but NAT is not a requirement for publishing servers.

For example, suppose you have a branch office that connects to the main office over a site-to-site VPN. It's likely that you have a route relationship between the main office and the branch office, and you probably use Access Rules to allow connections from branch office clients to main office servers. That works well, so you've probably not seen a reason to change your approach.

In what circumstances might you want to use Server Publishing Rules instead of Access Rules? The primary reasons I can think of are, first, when the Application Filter for the protocol you are allowing doesn't work for outbound connections (Access Rules always use outbound connections), and second, when you don't want to change your DNS infrastructure to support NAT for Server Publishing Rules. A third reason is control of the source address: although you can use Access Rules to allow the access, they give you no option to control the source IP address delivered to the published server.

For example, the SMTP and POP3 application filters only work for SMTP Server and POP3 Server protocols. If you want to make sure branch office users are subjected to protocol inspection for those protocols, then you’ll need to use a Server Publishing Rule to publish the main office SMTP and POP3 servers to the branch offices.

The nice thing about using Server Publishing Rules when there is a route relationship between the source and destination is that clients connect to the actual IP address of the published server, not to an address on the ISA Firewall that listens for the request. In this scenario the ISA Firewall uses something called port stealing to intercept the request, performs application layer inspection on it, and then passes it to the published server if the connection passes inspection.

Another thing you can do with Server Publishing Rules that you can't do with Access Rules is control the source IP address of the incoming request as seen by the published server. This is extremely useful if you can't make the published server a SecureNAT client of the ISA Firewall: if the server's default gateway is not the ISA Firewall, replies sent to the original client address would not return through the firewall, whereas making requests appear to come from the ISA Firewall keeps the return path on the firewall.
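To make the two behaviours described above concrete, here is a small Python model of the connection handling: an Access Rule versus a Server Publishing Rule with a route relationship (which address the client connects to, whether the protocol filter is applied, and which source address the published server sees), followed by a simplified SMTP command inspection run over a constructed session. This is an added example and not ISA Server code; the class names, rule fields, the "requests appear from client or firewall" switch and the SMTP command length limits are assumptions made for the illustration.

```python
"""Model of Access Rule vs. Server Publishing Rule handling under a route
relationship, plus a simplified SMTP command inspection.

Added illustration, not ISA Server code. Class names, rule fields and the
SMTP limits below are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class AccessRule:
    protocol: str   # outbound protocol definition, e.g. "SMTP"
    dst_port: int


@dataclass
class ServerPublishingRule:
    protocol: str        # inbound protocol definition, e.g. "SMTP Server"
    dst_port: int
    published_ip: str    # real address of the published server
    listener_ip: str     # firewall address that listens when NAT is used
    route_relationship: bool           # True: client addresses the server itself
    requests_appear_from_client: bool  # False: server sees the firewall's address


# Per the article, these filters only inspect the inbound "Server" protocol.
INSPECTED_SERVER_PROTOCOLS = {"SMTP Server", "POP3 Server"}


@dataclass
class Decision:
    matched_rule: Optional[str]       # "publishing", "access" or None
    address_client_connects_to: str
    inspected: bool
    source_seen_by_server: Optional[str]


def evaluate(client_ip: str, dst_ip: str, dst_port: int, firewall_ip: str,
             rules: List[Union[AccessRule, ServerPublishingRule]]) -> Decision:
    """Decide how a client connection is handled by the modelled firewall."""
    # Publishing rules first: with a route relationship the firewall "steals"
    # the port on the server's real address, so the connection is intercepted
    # for inspection instead of simply being routed.
    for r in rules:
        if isinstance(r, ServerPublishingRule) and r.dst_port == dst_port:
            target = r.published_ip if r.route_relationship else r.listener_ip
            if dst_ip == target:
                src = client_ip if r.requests_appear_from_client else firewall_ip
                return Decision("publishing", target,
                                r.protocol in INSPECTED_SERVER_PROTOCOLS, src)
    for r in rules:
        if isinstance(r, AccessRule) and r.dst_port == dst_port:
            # Route relationship means no NAT: the server sees the client's
            # own address, and the outbound protocol gets no SMTP/POP3 filter.
            return Decision("access", dst_ip, False, client_ip)
    return Decision(None, dst_ip, False, None)


# Assumed per-verb maximum line lengths; verbs not listed are rejected.
SMTP_LIMITS = {"HELO": 64, "EHLO": 64, "MAIL": 266, "RCPT": 266,
               "DATA": 6, "RSET": 6, "NOOP": 6, "QUIT": 6}


def inspect_smtp_session(lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted lines, [(rejected line, reason)]).

    Lines between DATA and the terminating "." are message body and are
    passed through without command checks.
    """
    accepted, rejected, in_data = [], [], False
    for line in lines:
        if in_data:
            accepted.append(line)
            in_data = line != "."
            continue
        verb = line.split(" ", 1)[0].upper()
        limit = SMTP_LIMITS.get(verb)
        if limit is None:
            rejected.append((line, f"command {verb} not permitted"))
        elif len(line) > limit:
            rejected.append((line, f"{verb} line exceeds {limit} bytes"))
        else:
            accepted.append(line)
            in_data = verb == "DATA"
    return accepted, rejected


# Constructed sample session: one disallowed verb and one oversized HELO.
CONSTRUCTED_SESSION = [
    "EHLO branch-client.example",
    "MAIL FROM:<user@example.test>",
    "RCPT TO:<helpdesk@example.test>",
    "VRFY admin",
    "DATA",
    "Subject: hi",
    ".",
    "HELO " + "A" * 200,
    "QUIT",
]

if __name__ == "__main__":
    rules = [ServerPublishingRule("SMTP Server", 25, "10.0.0.25", "10.0.0.1", True, False),
             AccessRule("SMTP", 25)]
    print(evaluate("192.168.5.10", "10.0.0.25", 25, "10.0.0.1", rules))
    print(evaluate("192.168.5.10", "10.0.0.25", 25, "10.0.0.1", rules[1:]))
    print(inspect_smtp_session(CONSTRUCTED_SESSION)[1])
```

The model shows the article's point directly: with the publishing rule in place the branch client still addresses 10.0.0.25, the SMTP Server filter is applied, and the server sees the firewall's address; with only the Access Rule, nothing is inspected and the server sees the client's own address.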



Thomas W Shinder, M.D.


Email: [email protected]

MVP — Microsoft Firewalls (ISA)
