Difference between Inbound and Outbound rules

Asked By randyboy
11-Nov-09 04:16 AM
I am running ISA 2006 as an Edge firewall for my internal network, and client
workstations and servers are connected to the internet as SecureNAT clients
(DG pointed to ISA IP).

I am concerned about the security for the servers and would like to tighten
the amount of access the servers have to the internet.

Right now, I have an access rule which allows common protocols (http, https,
ftp etc) from Internal to External networks. The parameters of these
protocols are all Outbound.

My question is, does 'outbound' here actually mean exclusively outbound?
Correct me if I am wrong, but there is an exchange of data in both inbound and
outbound directions via the ports for protocols such as http or ftp?

If so, does this also mean that 'outbound' is actually moot and that the
ports of these protocols for the servers are open to the internet? Should I
exclude the IP range for my servers from this rule for security purposes?


randyboy replied to randyboy
11-Nov-09 04:20 AM
Sorry I accidentally double posted this question and have no idea how to
delete this. Please close this topic and refer to the other question in this
link:

http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.isa.configuration&tid=058e741d-6fba-4bec-94a7-be87bdd191cb&cat=en_us_a1a8a6c7-7af1-429e-aa0f-f6634a2e81f7&lang=en&cr=us&sloc=&p=1

Cheers


Phillip Windell replied to randyboy
11-Nov-09 03:16 PM
This is a usenet server,...unmoderated, and mostly unadministered.
Think "the Wild Wild West" with cowboys, indians, and guns
Nothing is "closed".


Anyway,...outbound,....inbound.   You're right,..it is moot.

It works like this.

1. If it is an Access Rule then it is always Outbound no matter what
direction it is actually going.  But it can never go "backwards" over a NAT
Relationship.

2. If it is a Publishing Rule (no matter what type) it is always Inbound.
Publishing is used primarily to go "backwards" over a NAT Relationship,..but
can also be run over a Routed Relationship too.

3. With an Access Rule,....Secondary Connections in a Protocol Definition
can be Inbound,...but in practice I have never seen one in use that
actually belonged there legitimately.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------


randyboy replied to Phillip Windell
19-Nov-09 04:58 AM
So let me get this straight, for Access rule, the direction actually holds no
meaning and traffic will be 2-way?

Could you explain further what the difference is between Publishing and
Access rule? I do not understand fully what you mean by 'going backwards over
a NAT relationship'.

What is the purpose of a secondary connection and how do I use it?
Phillip Windell replied to randyboy
20-Nov-09 04:17 PM
No it is one-way.  From the Source "outbound" to the Destination.  It can go
across a routed connection and it can go "forwards" over a NATed connection
(like Internal to External or Trusted to Untrusted).   It will never go
Trusted).


There is no way I can describe it simpler than what I have.


You'll never use one.

--
Phillip Windell

randyboy replied to Phillip Windell
23-Nov-09 11:59 PM
Ok.
So, if 'Inbound' refers to the 'backwards' direction from an external
network to internal network, does that mean that Inbound access rules would
never work on an NAT connection?

Or do 'Inbound' access (allow) rules serve the same purpose as Publishing
non-web server protocols? If so, when does one use which?

Sorry for my weak understanding. I hope you have the patience to educate me
on how to use ISA better.

In any case, I have removed the servers' range of IP from the common
protocols access rule as a precaution.

Cheers
Phillip Windell replied to randyboy
24-Nov-09 03:14 PM
Right.
It also means you would have a mis-created Access Rule since you just do not use
Inbound Protocols with Access Rules.

Inbound Protocols all have the word "server" tagged onto the end of their
Name.   Everything else is an outbound protocol.


There is no such thing as an Inbound Access Rule.  Inbound Non-web Protocols
are done with:

Server Publishing Rules (ISA2004)
Non-Web Server Publishing Rule (ISA2006)


However these Publishing Rules can use many types of Protocols:

1. Mail Server Publishing Rule (IMAP, NNTP, POP3, POP3S, SMTP, SMTPS)
2. Exchange Web Client Access Publishing Rule (OWA with http or https)
3. Sharepoint Site Publishing Rule (http, https)
4. Web Site Publishing Rule (http, https)

Technically #2, 3, and 4 are all Web Server Publishing Rules,...the
difference is just in the exact questions that the rule creation Wizard asks
you as you step through it.


--
Phillip Windell

randyboy replied to Phillip Windell
25-Nov-09 10:16 PM
Hi Philip

I was thinking more in terms of user-defined protocols when I was talking
about Inbound access rules ie. Access rules which involve user-defined
Inbound protocols.

So based on what you say, I should never have to use Inbound protocols for
Access rules, but rather for Publishing non-web Server protocols.

access rule = outbound
publishing rule = inbound

Thanks for your explanations and clearing up my doubts!
Asher_N replied to randyboy
27-Nov-09 01:14 PM
To simplify:

Access Rule - Outbound. Internal server initiates a conversation to the
external network. Traffic flows both ways within the confines of that
conversation.

Publish Rule - Inbound. Conversation is initiated from a computer on the
external network to a server in the internal network. Traffic flows both
ways within the confines of that conversation.

If I understood your initial question right, then no, an all protocol
access rule will not allow external computers to initiate a conversation
with an internal server.
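As an added illustration, not code from this thread or from ISA Server itself, here is a small Python model of the direction semantics Phillip and Asher_N describe: an Access Rule only lets the source side open a conversation, reply packets are allowed because they belong to that tracked conversation, and an outside host can initiate a connection only where a Publishing Rule exists. The network names, addresses, rule names and packets are all constructed for the example.

```python
"""Toy stateful-firewall model of ISA-style Access vs Publishing Rule direction.
All networks, addresses and rule names below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the packet that opens a new TCP conversation


@dataclass
class AccessRule:
    """Outbound: hosts in src_net may open conversations to dst_net on these ports."""
    name: str
    src_net: str
    dst_net: str
    ports: frozenset


@dataclass
class PublishingRule:
    """Inbound: external clients may open a conversation to one published listener."""
    name: str
    listener: str  # external address on which the firewall listens
    server: str    # internal server the conversation is handed to
    port: int


@dataclass
class Firewall:
    networks: dict                            # network name -> ip_network
    access: list
    publishing: list
    state: set = field(default_factory=set)   # keys of conversations already permitted

    def _net_of(self, ip: str) -> str:
        for name, net in self.networks.items():
            if ip_address(ip) in net:
                return name
        return "External"                     # anything not defined is the outside world

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # 1. Packets of an already permitted conversation pass in either direction.
        #    This is the only sense in which traffic "flows both ways".
        if fwd in self.state or rev in self.state:
            return "ALLOW (established)"
        if not p.syn:
            return "DENY (no conversation)"   # stray packet with no tracked conversation
        src_net, dst_net = self._net_of(p.src), self._net_of(p.dst)
        # 2. Access Rules match on who initiates: only the source side may open.
        for r in self.access:
            if src_net == r.src_net and dst_net == r.dst_net and p.dport in r.ports:
                self.state.add(fwd)
                return f"ALLOW ({r.name})"
        # 3. Publishing Rules are the one path by which an outside host initiates.
        for r in self.publishing:
            if src_net == "External" and p.dst == r.listener and p.dport == r.port:
                self.state.add(fwd)
                return f"ALLOW ({r.name} -> {r.server})"
        return "DENY (default)"


def build_firewall() -> Firewall:
    # Constructed policy: the thread's "common protocols" Access Rule plus one
    # server publishing rule for SMTP on a hypothetical external listener.
    return Firewall(
        networks={"Internal": ip_network("192.168.1.0/24")},
        access=[AccessRule("Common protocols", "Internal", "External", frozenset({21, 80, 443}))],
        publishing=[PublishingRule("Publish SMTP", "203.0.113.10", "192.168.1.25", 25)],
    )


def demo() -> dict:
    fw = build_firewall()
    return {
        # Internal server opens HTTP to the outside: permitted by the outbound Access Rule.
        "server_out": fw.decide(Packet("192.168.1.25", 50000, "198.51.100.7", 80, syn=True)),
        # The web server's reply comes back inside that conversation: no inbound rule needed.
        "reply_in": fw.decide(Packet("198.51.100.7", 80, "192.168.1.25", 50000)),
        # Outside host tries to open port 80 on the firewall's external address: the
        # Access Rule never lets the External side initiate, and nothing is published.
        "ext_initiates_http": fw.decide(Packet("198.51.100.7", 40000, "203.0.113.10", 80, syn=True)),
        # Outside host to the published SMTP listener: only a Publishing Rule permits this.
        "ext_smtp_published": fw.decide(Packet("198.51.100.7", 40001, "203.0.113.10", 25, syn=True)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

The model makes the practical consequence of the thread explicit: leaving the servers in the common-protocols Access Rule does not expose their ports inbound, because that rule only governs what the servers may initiate. Removing them from it, as randyboy did, is still a reasonable egress control, since it limits what a server (or anything running on it) can reach outward, but it is a separate question from inbound exposure, which is decided entirely by the Publishing Rules.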
randyboy replied to Asher_N
02-Dec-09 04:31 AM
Hi Asher

That was exactly what my concern was.
Thanks for your reply!