Creating and using a server protocol
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
To create and use a server protocol
In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
In the Tasks pane, on the Toolbox tab, click Protocols.
On the toolbar beneath Protocols, click New, and then click Protocol.
Complete the New Protocol Definition Wizard as outlined in the following table.
Page Field or property Setting or action Welcome to the New Protocol Definition Wizard
Protocol definition name
Type a name for the protocol definition. For example, type MyProtocol Server.
Primary Connection Information
In a typical server protocol definition, to configure the primary connection, click New. Then in Protocol type, select TCP, in Direction, select Inbound, in From and To, type the same applicable port number, and click OK.
Secondary Connection Information
Do you want to use secondary connections?
Select No.
Completing the New Protocol Definition Wizard
Review the settings and click Finish.
In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols to open the New Server Publishing Rule Wizard.
Complete the New Server Publishing Rule as outlined in the following table.
Page Field or property Setting or action Welcome to the New Server Publishing Wizard
Server publishing rule name
Type a name for the protocol definition. For example, type Publish MyProtocol Server.
Select Server
Server IP address
Type the IP address of the server that you want to publish.
Select Protocol
Selected protocol
From the drop-down list, select the protocol that you defined in Step 4. Then click Ports if you want to override the default ports in the protocol definition.
Ports (appears only if you click Ports on the Select Protocol page)
Firewall Ports
Select one of the following:
- Publish using the default port defined in the protocol definition. With this option, Forefront TMG accepts incoming client requests on the default port.
- Publish on this port instead of the default port. With this option, Forefront TMG accepts incoming client requests on the nonstandard port specified and then forwards them to the designated port on the published server.
Published Server Ports
Select one of the following:
- Send requests to the default port on the published server. With this option, Forefront TMG accepts requests for the published service on the default port specified in the protocol definition.
- Send requests to this port on the published server. With this option, Forefront TMG accepts requests for the published service on a port other than the default port.
Source Ports
Select one of the following:
- Allow traffic from any allowed source port. With this option, Forefront TMG accepts requests from any port on allowed client computers.
- Limit access to traffic from this range of source ports. With this option, Forefront TMG accepts requests only from the ports that you specify.
Network Listener IP Addresses
Listen for requests from these networks
Select the External network. To select specific IP addresses on which Forefront TMG will listen, click Addresses, and select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the appropriate IP address, click Add, and then click OK.
In an array with multiple array members, select the same virtual IP address for each array member if Network Load Balancing is enabled. Otherwise, select an appropriate IP address for each array member.
Completing the New Server Publishing Wizard
Review the settings and click Finish.
- Publish using the default port defined in the protocol definition. With this option, Forefront TMG accepts incoming client requests on the default port.
In the details pane, click the Apply button to save and update the configuration, and then click OK.
Note
- For server publishing, the direction of the primary connection for a TCP protocol should be inbound.
- In a multiple-array enterprise deployment, protocols can also be defined on the enterprise level from the Enterprise Policies node. Protocols that are defined or modified at the enterprise level can be used in array-level rules. However, these enterprise-level protocols cannot be modified at the array level.
- If your protocol requires filtering functionality that is not provided by the Microsoft Firewall service, such as a secondary data channel, you must associate the protocol with an application filter that provides the required functionality.
- For a full list of protocols used by Microsoft Windows products and subcomponents, see "Service overview and network port requirements for the Windows Server system" at Microsoft Help and Support (https://www.microsoft.com/).
- By default, client requests that are forwarded by Forefront TMG to the published server appear to come from the IP address of the original client. In this case, the default gateway on the published server must be set to the IP address of the network adapter on the Forefront TMG computer through which the published server connects to it. As an alternative, you can configure your server publishing rule so that forwarded client requests will appear to come from the Forefront TMG computer on the To tab of the server publishing rule's properties.
- Server publishing rules are typically used when there is a network address translation (NAT) relationship defined by a network rule between the network on which the clients sending requests to the published server are located and the network on which the published server is located. Server publishing rules can also be used when the network rule between the client network and the network where the server is located defines a routing relationship. However, in this case, the clients must send requests directly to the IP address of the published server.
- Server publishing rules are not supported in a single network adapter configuration.