
ISA 2004 Routing/Port Forwarding


Joel

Jul 18, 2006, 5:29:02 PM
Hello everyone, I have recently installed ISA 2004 on our SBS 2003 server and
am having problems enabling port routing.

We have two computers on our LAN that need to be accessible from the
internet.
1. XP SP2 workstation hosting a DVR camera server. Can be reached
internally by going to http://<workstation name>:4560
2. Web based timekeeping application hosted on our SQL server. Can be
reached internally by going to http://<sqlserver>:8011/tk

These two web services were fully accessible from the internet before we
replaced our WatchGuard firewall with ISA 2004. So I know they are
configured properly.

I tried following another post on this newsgroup on how to set up port
forwarding, but the instructions were for ISA 2000. So I stumbled through it
myself.
1. I went to ISA Server Management--> Firewall Policy and created a new web
publishing rule called Camera.
2. From: Anywhere
3. To: <workstation name>
4. Created a Listener called “Camera Port” going from “All Networks” to
port 4560. “Always Authenticate” is set to no.

When I go to http://<mypublicaddress.com>:4560 I get “the page cannot be
displayed”.

According to ISA’s logs, I am making contact with our SBS but the request is
not being routed to the internal workstation.

I would appreciate any instructions on how to correct this issue.
Preferably step by step, as I have had no previous experience with ISA prior
to the last six days :-)

Background info: SBS SP1 Premium (Dual NIC Config)
ISA is configured as an Edge Firewall.

Thanks

Jim Harrison (MSFT)

Jul 18, 2006, 6:36:48 PM
Unfortunately, the Watchguard is a simple "port-forwarder", while ISA is a true HTTP proxy/firewall, but enough sales talk.
What is the ISA response code in the logs?

Listeners don't have a "to" property; that's the rule.
Can you provide the details of the rules themselves?
You may want to check out the plethora of web publishing articles at www.isaserver.org.
--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.


SuperGumby [SBS MVP]

Jul 19, 2006, 4:50:30 AM
Hey Jim, where'd the comment about a 'Watchguard is a simple
"port-forwarder"' come from, some other thread?

and though I am a great fan of ISA most Watchguard boxes are a lot more than
simple NAT routers.


Jim Harrison (MSFT)

Jul 19, 2006, 1:36:16 PM
I'll admit that it's been a while since I played with one in earnest (never was much impressed), so they might be smarter than they
once were.

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.


Joel

Jul 19, 2006, 1:55:02 PM
Answers inline.

>Can you provide the details of the rules themselves?

General
    Camera
Action
    Action to take: Allow
From
    This rule applies to traffic from these sources: Anywhere
To
    Specify the name or address of the server to publish: <workstation>
    Forward the original host header instead of the actual one: Not Checked
    Specify how the firewall proxies request to the public server: Requests appear to come from the ISA server computer.
Traffic
    This rule applies to traffic of the following protocols: HTTP
Listener
    Listener Properties
        Description: blank
        Networks: All networks (and local host)
        Port(HTTP): 4560
        Port(HTTPS): Disabled
        Authentication Methods: Integrated
        Always Authenticate: No
Public Name
    This rule applies to: All Requests
Paths
    External Path: <same as internal>
    Internal Path: /*
Bridging
    Web Server:
        Redirect web request to http: 80
Users
    This rule applies to requests from the following user sets: All Users
Schedule: Always

>You may want to check out the plethora of web publishing articles at www.isaserver.org.

Thanks, I have been all over isaserver.org. I have about 15 articles
bookmarked for later reading. Now I just need to find the time :-)



>What is the ISA response code in the logs?

Destination IP: <publicIP>
Destination Port: 4560
Protocol: Unidentified IP Traffic
Action: Initiated Connection
Rule: none

Destination IP: 192.168.0.50 (internal IP of DVR server)
Destination Port: 4560
Protocol: Unidentified IP Traffic
Action: Denied Connection
Rule: SBS Protected Network Access Rule

Destination IP: <publicIP>
Destination Port: 4560
Protocol: HTTP
Action: Failed Connection Attempt
Rule: SBS Protected Network Access Rule


Thanks

Jim Harrison (MSFT)

Jul 19, 2006, 8:46:56 PM
I believe you'll find this to be the core of your problems:

Bridging
Web Server:
Redirect web request to http: 80

Since the published service operates on TCP:4560, you need to set your redirect to 4560 as well.

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.


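The port mismatch identified in the reply above (listener on 4560, Bridging redirect left at 80) can be checked mechanically. The Python below is an added example, not part of the original thread or of any ISA tooling; the rule text is a constructed, trimmed copy of the summary posted earlier, and `parse_rule` and `audit_rule` are hypothetical helper names.

```python
# Constructed sample: trimmed copy of the rule summary posted in this thread.
RULE_AS_POSTED = """\
General
  Camera
To
  Specify the name or address of the server to publish: <workstation>
Listener
  Port(HTTP): 4560
  Port(HTTPS): Disabled
Bridging
  Redirect web request to http: 80
"""

def parse_rule(text):
    """Parse unindented section names and indented 'key: value' lines."""
    rule, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and section:
            rule[section][key.strip()] = value.strip()
        elif raw[:1].isspace() and section:
            rule[section]["name"] = line      # e.g. the rule name under General
        else:
            section = line
            rule[section] = {}
    return rule

def audit_rule(rule, service_port):
    """Compare the rule's ports with the port the internal service really uses.

    The listener port is what outside clients connect to; the Bridging
    redirect port is what the proxy connects to on the published server.
    They are independent settings, so both are checked.
    """
    findings = []
    listener = rule.get("Listener", {}).get("Port(HTTP)", "")
    redirect = rule.get("Bridging", {}).get("Redirect web request to http", "")
    if not listener.isdigit():
        findings.append("listener has no HTTP port enabled")
    if not redirect.isdigit():
        findings.append("no HTTP redirect port set in Bridging")
    elif int(redirect) != service_port:
        findings.append(f"Bridging sends requests to port {redirect}, "
                        f"but the published service listens on {service_port}")
    return findings

if __name__ == "__main__":
    for finding in audit_rule(parse_rule(RULE_AS_POSTED), 4560):
        print("FINDING:", finding)
```
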
Joel

Jul 21, 2006, 6:27:01 PM
Hello Jim, thank you for your suggestions thus far. However, the port
forwarding is still not working. Here are the only two result codes being
generated by ISA: 0x80074e21, 0x80074e20. In that order. If you would like
the complete log entry, let me know and I will e-mail you the excel file.

Jim Harrison (MSFT)

Jul 24, 2006, 3:38:32 PM
Those are both expected codes (they're explained in the ISA help).
The first thing to forget is the idea of "port forwarding" with ISA; especially where HTTP is concerned.
ISA understands how HTTP traffic is supposed to be created & consumed.
Don't send the whole log; just the results from the live session where you filtered on the external test client IP.

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.
