Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

Celebrity Deathmatch: Access Policy Rules vs. Server Publishing Rules

  • Comments 8
  • Likes

We often get asked about the difference between access policy rules and server publishing rules.When should you use one in preference to the other?

Some of the differences (in no particular order) are:

[Trivial point #1] Access policy rules allow or deny traffic. Server publishing rules can only allow traffic.

[Trivial point #2] Access policy rules can allow traffic to multiple targets. Server publishing rules can only allow traffic to a single target.

[Trivial point #3] An access policy rule may allow several protocols. A server publishing rule can only publish a single protocol.

[Trivial point #4] A server publishing rule can publish services on a different port than the actual service port.

[Major point #5] Access policy rules allowing traffic from A to B work if the address relationship between A and B is ROUTE A/B or if it is NAT AàB. They won’t work if the address relationship is NAT BàA. Server publishing rules publishing a server in B to clients in A work if the address relationships is ROUTE A/B or if it is NAT BàA.

[Often overlooked point #6] Yes, you read that last point right: server publishing rules can operate when the address relationship is ROUTE. It works as you’d expect: the client connects to the server’s actual address (and not the publishing address on the ISA Server machine, although that might also work in some cases).

[Major point #7] The HTTP protocol is special. The web filter works with access policy rules as well as its own web publishing rules. Also, the web filter always acts as a proxy to HTTP requests even for clients that attempt to connect directly to the server and not as web proxy clients. Thus, the server never sees the address of the client itself, but the address of the firewall. It is as if the firewall always does address translation, even if the address relationship is ROUTE. (Note: web publishing rules are not the same as server publishing rules; for example, you can have deny web publishing rules.)

[Major point #8] If NLB integration is used, ISA Server ensures that clients connecting to a server published via a server publishing rules are load-balanced properly (according to the client’s address). If you use access policy rules, you don’t get this guarantee.

[Hidden point #9] Some application filters behave differently when the traffic is allowed through access policy rules vs. when it is allowed by server publishing rules. For example, the built-in SMTP filter only inspects SMTP traffic that is allowed by server publishing rules.

[Confusing point #10] Server publishing rules operate on protocols defined as “incoming” (for TCP), “receive” (UDP), or “receive send” (also UDP). Access policy rules operate on protocols defined as “outgoing” (TCP), “send” (UDP and RAW), or “send receive” (UDP and RAW).

[Confusing and little-known point #11] Access policy rules might, if the moon is under the right sign, also operate on protocols defined as “incoming”, “receive”, or “receive send”. This is done for legacy reasons, and support for this is likely to be dropped in future releases of ISA Server, so I won’t tell you how to do this :-)

[Minor point #12] Server publishing rules can do address translation in both directions, so that ISA hides both the address of the client from the server, and vice versa. (Internally, we refer to server publishing rules operating in this mode as “full proxy”.)

[Minor point #13] A nice variation of point #8 is that server publishing rules can actually allow a client in network A to access a server in the same network via a server publishing whose “listener” is on some other network B. Without this feature, you’d need to have a split DNS if you want clients in both network A and B to access the server (the server name resolves to the firewall’s address for clients in network B, but to the actual server’s address for clients in network A).

 

Hope you find this useful,

Ziv Caspi (2/3)

Comments
  • Hi Ziv,
    This is a fantastic set of facts, tips and tricks! Keep up the good work and give us more! :) Thanks! --Tom.

  • More about this at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/internalclientaccess.mspx

  • The updated on-line (product) help also has a topic titled "Access rules and server publishing rules" which includes a table comparing the different rule types.

  • I have a suggestion for a future article.

    Explain, in detail, why an access rule (for example, allowing Secure NAT HTTP but the user condition is 'All Authenticated Users') that Allows access can result in traffic being denied.

    The rationale seems pretty straightforward, 'If ISA can't verify all parameters of a rule, then the rule should deny the request', but examples of when this is required would be very helpful. There have been some heated discussions on isaserver.org newsgroups about the wisdom of this decision - some consider it a design flaw or bug, while others feel it is the right decision (I'm in the latter group).

    Is it a simple problem with the browser? As in, a Secure-NAT client resolves the destination web server through DNS and attempts to connect to it - since the destination of the packet is the external web server, ISA can't simply inject a HTTP 407 response to the browser since ISA isn't the destination of the packet?

  • Just to clarify - the folks who consider the 'Denied by an Allow Rule' scenario a bug feel that if ISA can't verify a parameter (as in a rule allowing HTTP access for All Authenticated Users and Secure NAT clients getting blocked as a result of this), it should move on to the next rule.

    Furthermore, they feel the 'Default Deny' rule should be the only rule that denies access, short of admins creating Deny rules.

  • Hi Clint,
    I recall mentioning this during the private beta in the newsgroups, and they were aware of the issue. I think it was recognized that this would create confusion, but it was too late to change the model. Maybe in an upcoming version anonymous connections will only match anonymous rules? --Tom

  • Yes, the folks behind ISA Server have their own blog now. And have done for a month.  Go subscribe!...

  • If no IP addresses are in the list and you want to prevent requests from IP address 127.0.9.1 from being routed, add 127.0.0.1 as an FQDN to the list.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment