How to use Microsoft ISA Server 2000 to publish an internal SMB Service (906237)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

INTRODUCTION

This article contains step-by-step instructions that explain how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 to publish an internal Server Message Block (SMB) Service.

MORE INFORMATION


To publish an internal SMB Service, follow these steps.
Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.
  1. Create a new protocol definition and name it "SMB TCP 139 Inbound." To do this, follow these steps:
    1. Open ISA Server Management, click the ISA Server computer where you want to publish the SMB Service, right-click Protocol Definitions, click New, and then click Definition.
    2. On the Welcome page of the New Protocol Definition Wizard, type SMB TCP 139 Inbound as the name of the protocol definition, and then click Next.
    3. On the Primary Connection Information page, follow these steps:
      1. Next to Protocol number, type 139.
      2. Next to Direction, select Inbound.
      3. Next to Protocol type, select TCP, and then click Next.
    4. On the Secondary Connections page, click Next.
    5. On the Completing the New Protocol Definition Wizard page, review the definition, and then click Finish.
  2. Disable network basic input/output system (NetBIOS) over Transmission Control Protocol (TCP)/Internet Protocol (IP) for the external interface of the ISA Server computer. To do this, follow these steps:
    1. Click Start, click Control Panel, and then double-click Network Connections.
    2. In the Network Connections window, right-click the external interface where you want to disable NetBIOS, and then select Properties.
    3. In the Properties dialog box, select Internet Protocol (TCP/IP) under This connection uses the following items, and then click Properties.
    4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
    5. In the Advanced TCP/IP Settings dialog box, click the WINS tab, and then select Disable NetBIOS over TCP/IP under NetBIOS setting.
  3. Set the UseISAAddressInPublishing registry value. For more information about how to set this registry value, click the following article number to view the article in the Microsoft Knowledge Base:

    311777 How to enable translating client source address in Server Publishing

    Note Restart the Firewall service after you make this change.
  4. Create a new server publishing rule. To do this, follow these steps:
    1. Start ISA Server Management, click the ISA Server computer where you want to create this rule, click Publishing, right-click Server Publishing Rules, click New, and then click Rules.
    2. On the Welcome to the New Server Publishing Rule Wizard page, type a name for the server publishing rule, and then click Next.
    3. On the Address Mapping page, type the IP address of the internal SMB Service, and then type the IP address of the external interface of the ISA Server computer under External IP Address on ISA Server.
    4. On the Protocol Settings page, select the protocol that you created in step 1, and then click Next.
    5. On the Client Type page, select Any Request, and then click Next.
    6. On the Completing the New Server Publishing Rule Wizard page, review the configuration, and then click Finish.
  5. On the internal SMB Service, make sure that the specified IP address is listening on TCP port 139. If the SMB Service has multiple IP addresses that are bound to the interface, only the first IP address will listen on TCP port 139.
Note For security reasons, we do not recommend this method for ISA Server computers that face the Internet. If you follow the steps in the "Resolution" section, you will not be able to connect to the Internet by using the Common Internet File System (CIFS) protocol.
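
One way to check step 5, and to confirm that step 2 took effect before the publishing rule is created, is to inspect the output of netstat -an on each computer. The following Python sketch is an added example and is not part of the original article; the IP addresses and netstat output are constructed, and the function names are hypothetical.

```python
import re

# Constructed `netstat -an` output from an internal SMB server that has two
# addresses (10.0.0.5 first, 10.0.0.6 second) bound to one interface.
INTERNAL_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.1:1045          ESTABLISHED
  UDP    10.0.0.5:137           *:*
"""

# Constructed output from the ISA Server computer after step 2 and before the
# publishing rule exists: internal NIC 10.0.0.1, external NIC 192.0.2.10.
ISA_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
"""

LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b")

def listeners(netstat_text, port=139):
    """Return the local addresses that are in LISTENING state on a TCP port."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m and int(m.group(2)) == port:
            found.add(m.group(1))
    return found

def published_ip_listens(netstat_text, published_ip):
    """Step 5: the address in the publishing rule must itself listen on 139."""
    addrs = listeners(netstat_text)
    return published_ip in addrs or "0.0.0.0" in addrs

def netbios_off_on(netstat_text, external_ip):
    """Step 2: NetBIOS must no longer hold port 139 on the external address."""
    addrs = listeners(netstat_text)
    return external_ip not in addrs and "0.0.0.0" not in addrs

if __name__ == "__main__":
    print("10.0.0.5 published OK:", published_ip_listens(INTERNAL_NETSTAT, "10.0.0.5"))
    print("10.0.0.6 published OK:", published_ip_listens(INTERNAL_NETSTAT, "10.0.0.6"))
    print("external NetBIOS off:", netbios_off_on(ISA_NETSTAT, "192.0.2.10"))
```

In the constructed data, the second bound address (10.0.0.6) fails the check, which is the multiple-address case that step 5 describes.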

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

301673 You cannot make more than one client connection over a NAT device


Modification Type: Major
Last Reviewed: 11/11/2005
Keywords:kbinfo kbhowto KB906237 kbAudITPRO