Publishing Policy Rules

You can use Forefront TMG to configure a publishing policy, which consists of server publishing rules and Web publishing rules.

Each server publishing rule or Web publishing rule is represented by an FPCPolicyRule object contained in an FPCPolicyRules collection. When an enterprise with central array management is deployed, server publishing rules and Web publishing rules can be defined only in array policies, not in the enterprise policy.

Note: Central array management is not available in Forefront TMG Medium Business Edition.

Server Publishing Rules

Server publishing rules filter all incoming requests to internal servers, such as Simple Mail Transfer Protocol (SMTP) servers, File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests may be forwarded downstream to an internal server, located behind the Forefront TMG computer.

Server publishing rules can be used when there is a network address translation (NAT) relationship defined by a network rule (FPCNetworkRule) between the network on which the clients sending requests to the published server are located (the source network) and the network on which the published server is located (the destination network). A server publishing rule uses secure network address translation (SecureNAT), which allows requests that are sent to an IP address that is valid on the source network to reach an IP address on a protected network behind the Forefront TMG computer. The server publishing rule maps a port number and an IP address (or IP addresses) on the network adapter of the Forefront TMG computer that listens for requests from the clients to a port number and an IP address on the published server. Requests that are sent to the IP address of the Forefront TMG computer and meet the conditions specified by the rule are then redirected to the IP address of the published server. However, only requests that are identified as part of the designated protocol are processed by the server publishing rule and redirected to the published server. Note that the published server must be configured to use the Forefront TMG computer as its default gateway.

If the network rule between the client network and the network where the server is located defines a routing relationship, server publishing rules can be used, but the clients must send requests directly to the IP address of the published server. With a routing relationship, an access rule can also allow the clients to send requests directly to the IP address of a server located on a network behind the Forefront TMG computer.

The definitions of the protocol (or protocols) associated with a server publishing rule or an access rule specify the application filters that are invoked for deeper inspection when the rule allows traffic. In general, application filters can process traffic allowed by either a server publishing rule or an access rule, but some application filters treat traffic allowed by these two types of rules differently. The specific behavior for each type of rule is defined by the application filter. In particular, the SMTP filter processes only traffic that is allowed by a server publishing rule. Note that server publishing rules must use protocols defined with inbound primary connections, whereas access rules usually use protocols defined with outbound primary connections.

When a Network Load Balancing (NLB) cluster (not available in Forefront TMG Medium Business Edition) is configured, only servers published by server publishing rules are load-balanced according to the client IP address.

Web Publishing Rules

A Web publishing rule maps public DNS names and IP addresses to the name or IP address of a Web server located behind the Forefront TMG computer and maps external paths that can be used by users in incoming requests to internal paths of directories on the published Web server. A Web publishing rule also determines how Forefront TMG should handle incoming requests for HTTP objects on the published Web server and how Forefront TMG should respond on behalf of the Web server. Requests are forwarded downstream to the published Web server, or, if possible, they are serviced from the Forefront TMG cache.

A Web publishing rule defines the response to attempts by outside users to access an internal site. Possible responses include:

When an HTTP or FTP request (or response) is allowed by a Web publishing rule, the address translation defined by the rule is always performed, and the host receiving the request (or response) sees the packets as having come from the Forefront TMG computer even if a network rule defines a routing relationship between the source and destination IP addresses, or if no network rule exists between the source and destination IP addresses.
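As an added example (not code from this topic or from the Forefront TMG SDK), the following VBScript walks the FPCPolicyRules collection of the array policy described above and reports each server publishing rule and Web publishing rule together with the internal destination it maps to, which is a quick way to review what an array exposes. The numeric values of the FpcPolicyRuleTypes constants and the PublishedServer and WebSite property names are assumed from the Forefront TMG Administration object model and should be checked against the SDK reference before use.

```vbscript
' Audit script: list every server publishing rule and Web publishing rule
' in the array policy of the array that contains this Forefront TMG computer.
' Added example; not part of the original documentation topic.
Option Explicit

' Values of the FpcPolicyRuleTypes enumeration (assumed from the TMG SDK).
Const fpcPolicyRuleAccess = 0
Const fpcPolicyRuleServerPublishing = 1
Const fpcPolicyRuleWebPublishing = 2

Sub ListPublishingRules()
    Dim root, tmgArray, rules, rule, detail

    Set root = CreateObject("FPC.Root")
    Set tmgArray = root.GetContainingArray()
    ' Publishing rules are defined in the array policy, never in the enterprise policy.
    Set rules = tmgArray.ArrayPolicy.PolicyRules

    For Each rule In rules
        Select Case rule.Type
            Case fpcPolicyRuleServerPublishing
                ' Assumed property: PublishedServer holds the internal IP address
                ' that requests to the listener are redirected to.
                detail = "server publishing -> " & rule.ServerPublishingProperties.PublishedServer
            Case fpcPolicyRuleWebPublishing
                ' Assumed property: WebSite holds the internal Web server name or address.
                detail = "Web publishing -> " & rule.WebPublishingProperties.WebSite
            Case Else
                detail = "" ' access rules are not publishing rules; skip them
        End Select

        If detail <> "" Then
            WScript.Echo rule.Name & " [" & EnabledText(rule.Enabled) & "] " & detail
        End If
    Next
End Sub

Function EnabledText(enabled)
    If enabled Then
        EnabledText = "enabled"
    Else
        EnabledText = "disabled"
    End If
End Function

ListPublishingRules
```

Run the script with cscript on the Forefront TMG computer (or on a machine with the Forefront TMG management components installed) under an account that can read the array configuration; disabled rules are still listed so that stale publishing entries can be spotted and removed.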



Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.