Publishing Policy Rules
You can use Forefront TMG to configure a publishing policy, which consists of server publishing rules and Web publishing rules.
Each server publishing rule or Web publishing rule is represented by an FPCPolicyRule object contained in an FPCPolicyRules collection. When an enterprise with central array management is deployed, server publishing rules and Web publishing rules can be defined only in array policies, not in the enterprise policy.
Note Central array management is available only in Forefront TMG Enterprise Edition.
Server publishing rules filter all incoming requests to internal servers, such as Simple Mail Transfer Protocol (SMTP) servers, File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests may be forwarded downstream to an internal server, located behind the Forefront TMG server.
Server publishing rules can be used when there is a network address translation (NAT) relationship defined by a network rule (FPCNetworkRule) between the network on which the clients sending requests to the published server are located (the source network) and the network on which the published server is located (the destination network). A server publishing rule uses secure network address translation (SecureNAT), which allows requests that are sent to an IP address that is valid on the source network to reach an IP address on a protected network behind the Forefront TMG server. The server publishing rule maps a port number and an IP address (or IP addresses) on the network adapter of the Forefront TMG server that listens for requests from the clients to a port number and an IP address on the published server. Requests that are sent to the IP address of the Forefront TMG server and meet the conditions specified by the rule are then redirected to the IP address of the published server. However, only requests that are identified as part of the designated protocol are processed by the server publishing rule and redirected to the published server. Note that the published server must be configured to use the Forefront TMG server as its default gateway.
If the network rule between the client network and the network where the server is located defines a routing relationship, server publishing rules can be used, but the clients must send requests directly to the IP address of the published server. With a routing relationship, an access rule can also allow the clients to send requests directly to the IP address of a server located on a network behind the Forefront TMG server.
The definitions of the protocol (or protocols) associated with a server publishing rule or an access rule specify the application filters that are invoked for deeper inspection when the rule allows traffic. In general, application filters can process traffic allowed by a server publishing rule or an access rule, but some application filters process traffic allowed by these types of rules differently. The specific behavior for each type of rule is defined by the application filter. In particular, SMTP Filter only processes traffic that is allowed by a server publishing rule. Note that server publishing rules must use protocols defined with inbound primary connections, while access rules usually use protocols defined with outbound primary connections.
When a Network Load Balancing (NLB) cluster (available only in Forefront TMG Enterprise Edition) is configured, only servers published by server publishing rules are load-balanced according to the client IP address.
A Web publishing rule maps public DNS names and IP addresses to the name or IP address of a Web server located behind the Forefront TMG server and maps external paths that can be used by users in incoming requests to internal paths of directories on the published Web server. A Web publishing rule also determines how Forefront TMG should handle incoming requests for HTTP objects on the published Web server and how Forefront TMG should respond on behalf of the Web server. Requests are forwarded downstream to the published Web server, or, if possible, they are serviced from the Forefront TMG cache.
A Web publishing rule defines the response to attempts by outside users to access an internal site. Possible responses include:
- Denying the request.
- Delegating the request to a different internal server.
When an HTTP or FTP request (or response) is allowed by a Web publishing rule, the address translation defined by the rule is always performed, and the host receiving the request (or response) sees the packets as having come from the Forefront TMG server even if a network rule defines a routing relationship between the source and destination IP addresses, or if no network rule exists between the source and destination IP addresses.
Build date: 7/12/2010