Someone was having DNS problems recently related to his publishing rules and it reminded me of the important difference between how you need to set up your DNS when dealing with NAT and ROUTE relationships between source and destination networks.
For Server Publishing Rules, there are two scenarios — a NAT relationship between the published server and the external client, and a ROUTE relationship between the published server and the external client.
When there is a NAT relationship between the published server and the external client, your DNS server needs to map the name of the published server to the IP address on the external interface of the ISA Firewall that is listening for those connections, based on the settings you’ve configured in the Server Publishing Rule for that published server.
When there is a ROUTE relationship between the published server and the external client, your DNS server needs to map the name of the published server to the actual IP address of the published server. This is important in public address DMZ scenarios, where you typically have a ROUTE relationship between the DMZ ISA Firewall Network and the default External Network.
The ISA and TMG firewalls are able to do this because in a ROUTE relationship scenario, the firewall is able to employ something called “port stealing”, so that when an incoming connection request to the actual IP address of the server on the DMZ is made, the ISA or TMG firewall intercepts the request and exposes it to its application layer inspection filters before forwarding the connection to the published server.
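The NAT-versus-ROUTE rule above is easy to get backwards, and the symptom is exactly the "DNS problem" that started this post. The following is an added example (not from the original post or from any Microsoft tool) that encodes the rule as a small checker: given a publishing rule's relationship type, the published server's real address and the ISA/TMG listener address, it says which address the public DNS record must carry and diagnoses a mismatch. All names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Relationship(Enum):
    NAT = "NAT"
    ROUTE = "ROUTE"


@dataclass(frozen=True)
class PublishingRule:
    fqdn: str                    # name that external clients resolve
    relationship: Relationship   # network relationship between client and server
    server_ip: str               # actual IP of the published server
    listener_ip: str             # ISA/TMG external interface IP the rule listens on


def expected_dns_target(rule: PublishingRule) -> str:
    """Address the public DNS record for rule.fqdn must point at."""
    if rule.relationship is Relationship.NAT:
        return rule.listener_ip   # NAT: clients must connect to the firewall's external IP
    return rule.server_ip         # ROUTE: clients target the server itself; the firewall port-steals


def diagnose(rule: PublishingRule, resolved_ip: str) -> str:
    """Compare what public DNS returns with what the publishing rule requires."""
    expected = expected_dns_target(rule)
    if resolved_ip == expected:
        return "OK"
    if rule.relationship is Relationship.NAT and ipaddress.ip_address(resolved_ip).is_private:
        return (f"DNS for {rule.fqdn} returns the private server address {resolved_ip}; "
                f"external clients cannot reach it. Point the record at the listener {expected}.")
    if rule.relationship is Relationship.ROUTE and resolved_ip == rule.listener_ip:
        return (f"DNS for {rule.fqdn} points at the firewall interface {resolved_ip}, but the rule "
                f"uses a ROUTE relationship; the record should carry the server's own address {expected}.")
    return f"DNS for {rule.fqdn} returns {resolved_ip}; expected {expected}."


# Constructed sample rules: an internal mail server published through NAT,
# and a public-address DMZ web server published over a ROUTE relationship.
NAT_RULE = PublishingRule("mail.example.com", Relationship.NAT, "10.0.0.25", "203.0.113.10")
ROUTE_RULE = PublishingRule("www.example.com", Relationship.ROUTE, "198.51.100.20", "203.0.113.10")

if __name__ == "__main__":
    for rule, answer in [(NAT_RULE, "10.0.0.25"), (ROUTE_RULE, "203.0.113.10"), (NAT_RULE, "203.0.113.10")]:
        print(diagnose(rule, answer))
```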
For more information about the ISA and TMG firewall core, check out the Introduction to the ISA Server 2006 Firewall Core document at http://download.microsoft.com/download/e/7/6/e76fdda3-5c2c-4fbb-9c6f-3bcd0ed4b8ef/Firewall_Corewp.doc
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP — Microsoft Firewalls (ISA)