History for
What is a port?
(history as of 07/11/2007 06:51:55)
1. A port is transparently forwarded to a server behind a firewall (such as web services), and all communication between the client and server runs through that same port.

2. This is a little more complex, and the least desirable. We will look at native (non-PASV mode) FTP communication as an example. Two ports and protocols are used: TCP on port 21 and UDP on port 20. Port 21/TCP is used for control, and data flows across port 20/UDP. Uploading files seems easy enough; sometimes that is true, just open the ports and off we go, but it is absolutely not the case with FTP. The receiver (the server in this case) tells the client to SOURCE the UDP connection on port 20 and to connect to the destination (the server) on a range of DYNAMICALLY ASSIGNED ports in the client port range. Now the firewall has to forward traffic to the server on ports that it has NO INBOUND RULES FOR, because it is not translating the data inside the command stream, just the network header data.

So to handle this there are two options. The first is to use PASV connections, which only use TCP port 21 for all FTP activity (both control and data). The second is to write a special plug-in for the firewall that manages all of the FTP communication and dynamically creates and destroys listeners as the FTP exchange requests them. Now figure in the security needed to prevent hackers from using that mechanism to create dynamic UDP pinholes for exploits, plus the fact that consumer grade firewalls do not support this behavior either, and the PASV method suddenly gets real attractive.

Ok, if you made it this far without your eyes glazing over, read it again. Understanding this topic means you will have a migraine when the picture is clear.

Got the migraine now? Good. Let's move on.

So we have mechanisms to trigger port openings for specific inbound and outbound secondary communication after communication is established on the primary port. I will forward a few links for a bit of REQUIRED reading on how this works. There are limitations, and again remember, most consumers either already have or are in the process of acquiring the cheapest consumer grade router/firewall on the market today (or even worse a Linksys or Cisco PIX device, they're both garbage). These low-end devices may or may not support secondary port operation dynamically, but usually won't do a good job at it.

<END RANT/>

Here are the links for reading...

Basic overview of the ISA technology:
http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html

This is easy two-port application support:
http://www.isaserver.org/tutorials/kaaza.html

Some specifics on the information I need to create the rules and definitions:
http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/m_p_c_protocolschem.mspx?mfr=true

And one last example to just kick the dead horse one last time:
http://www.kb t be done with the defined parameters."
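As an added worked example (not code from the original page), here is a toy model of the second option above, the firewall plug-in that watches the FTP control channel and opens and closes listeners on demand. It follows RFC 959 active mode, where the client sends a PORT command announcing the address and port it will listen on and the server then connects to it from TCP port 20. The helper computes the announced port (p1*256 + p2), refuses to open a pinhole unless the announced address is the control connection's own client (the check that keeps the mechanism from being used to punch holes toward third parties), refuses privileged ports, and tears the pinhole down when the server reports the transfer finished. The FtpHelper class, the rule tuple layout and the sample control-channel lines are constructed for this example.

```python
# Added illustration of the "firewall plug-in" option for active-mode FTP.
# Not code from the original page; the helper class, rule tuple layout and
# the sample control-channel lines below are constructed for this example.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2" -> address h1.h2.h3.h4,
# port p1*256 + p2 (the port the client will listen on for the data connection).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

# A pinhole rule: (src_addr, src_port, dst_addr, dst_port)
Pinhole = Tuple[str, int, str, int]


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(value > 255 for value in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpHelper:
    """Tracks one FTP control connection and the pinholes opened on its behalf."""
    client_addr: str  # taken from the control connection's network header
    server_addr: str
    pinholes: Set[Pinhole] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def on_client_line(self, line: str) -> Optional[Pinhole]:
        """Inspect a client->server control line; open a pinhole for a valid PORT."""
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        addr, port = parsed
        # Only ever open a hole toward the client we are actually talking to,
        # never toward an arbitrary address written into the command stream.
        if addr != self.client_addr:
            self.log.append(f"REJECT PORT {addr}:{port}: not the control-channel client")
            return None
        if port < 1024:
            self.log.append(f"REJECT PORT {addr}:{port}: privileged port")
            return None
        # The server's data connection comes from TCP 20 to the announced client port.
        rule: Pinhole = (self.server_addr, 20, self.client_addr, port)
        self.pinholes.add(rule)
        self.log.append(f"OPEN {rule}")
        return rule

    def on_server_line(self, line: str) -> int:
        """Inspect a server->client reply; close pinholes once the transfer is over."""
        # 226 = transfer complete, 425/426 = data connection failed or aborted
        if line[:3] in ("226", "425", "426"):
            closed = len(self.pinholes)
            self.pinholes.clear()
            self.log.append(f"CLOSE {closed} pinhole(s)")
            return closed
        return 0


def run_demo() -> FtpHelper:
    """Replay a constructed control-channel exchange through the helper."""
    helper = FtpHelper(client_addr="192.0.2.10", server_addr="198.51.100.5")
    helper.on_client_line("PORT 192,0,2,10,4,1")     # legitimate: 192.0.2.10:1025
    helper.on_client_line("PORT 203,0,113,7,0,25")   # announces a third-party address: refused
    helper.on_client_line("PORT 192,0,2,10,0,22")    # privileged port: refused
    helper.on_server_line("150 Opening data connection")
    helper.on_server_line("226 Transfer complete")   # data channel done: pinhole closed
    return helper


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

Running the script prints the helper's decision log: one OPEN for the valid PORT, two REJECT lines, and a CLOSE when the server sends 226. A real application-layer gateway would additionally bind the pinhole to the control connection's lifetime and rewrite the address in the command stream when NAT is in play; both are left out here to keep the decision logic visible.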