ISA 2004: Netstat vs Fwengmon and Server Publishing

If I recall correctly [1], ISA 2000 used to bind and listen to Server Published ports as soon as the rule became active. These were then visible in Netstat -AN (and -ANO if on XP, -ANB if on XPSP2).

ISA 2004 is a very different beast to begin with, and while mucking around with server publishing tonight, I was looking at the Netstat -ANO output wondering why none of the server-published ports appeared.

ISA 2004's Inner Beast is called FWENG (pronounced "fweng"). FWENG (fweng.sys) is the ISA firewall kernel-mode driver, responsible for low-level stuff like packet filtering, connection objects and creation objects.

Rather than binding a listener when a publishing rule is created, ISA 2004 installs a creation object in FWENG. The driver then lies in wait for traffic that meets the creation object's criteria (protocol, destination address and port) before pouncing on it and forwarding it to the published server.

While this is cool, it also means there is no TCP or UDP listener socket for Netstat -ANO to display, so a netstat-based look at "what is this box accepting?" will miss every published port on an ISA 2004 firewall. Not to worry, though: FWENGMON can show you what you need to know.

The command to check that your published ports are where you expect them is FWENGMON /C. This lists the Creation Objects that FWENG currently fancies:

FWENGMON /C

Creation Objects:
ID Protocol Source Destination One-Shot
-- -------- ------ ----------- --------
4 TCP(6) 000.000.000.000:0000 1xx.1yy.2aa.1bb:0443 No
6 TCP(6) 000.000.000.000:0000 1xx.1yy.2aa.1bb:3390 No
(chopped)

(IPs changed to protect the allegedly innocent).
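Doing the same check by hand every time gets old, so here is an added example (not part of the original post, and not one of the ISA 2004 tools) that parses captured FWENGMON /C output into creation objects, compares the published (protocol, port) pairs against the list you intended to publish, and shows which of them netstat -ano cannot see. It assumes the column layout and zero-padded IP:port notation shown in the listing above; the sample FWENGMON and netstat output is constructed, and the 192.0.2.x addresses are documentation addresses, not a real host.

```python
"""Check ISA 2004 server publishing from FWENGMON /C and netstat -ano output.

Added example, not from the original post. Assumes the FWENGMON /C column
layout shown on the page (ID, Protocol, Source, Destination, One-Shot).
"""
import re
from typing import NamedTuple


class CreationObject(NamedTuple):
    obj_id: int
    proto: str        # "TCP" or "UDP", the name printed before "(6)"/"(17)"
    source: str       # normalised dotted quad, e.g. "0.0.0.0"
    source_port: int
    dest: str
    dest_port: int
    one_shot: bool


# One FWENGMON /C row, e.g. "4 TCP(6) 000.000.000.000:0000 192.000.002.010:0443 No"
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([A-Z]+)\((\d+)\)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"(Yes|No)\s*$"
)

# One netstat -ano row; TCP rows carry a state column, UDP rows do not.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(LISTENING)\s+)?(\d+)\s*$"
)

# Constructed sample output (addresses are made up, not the author's).
SAMPLE_FWENGMON_C = """\
Creation Objects:
ID Protocol Source               Destination          One-Shot
-- -------- -------------------- -------------------- --------
4  TCP(6)   000.000.000.000:0000 192.000.002.010:0443 No
6  TCP(6)   000.000.000.000:0000 192.000.002.010:3390 No
9  UDP(17)  000.000.000.000:0000 192.000.002.010:0053 No
"""

SAMPLE_NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING       1540
  TCP    192.0.2.10:3389        192.0.2.77:1099        ESTABLISHED     1540
  UDP    0.0.0.0:500            *:*                                    700
"""


def _norm_ip(ip: str) -> str:
    """Turn FWENGMON's zero-padded '000.000.000.000' into '0.0.0.0'."""
    return ".".join(str(int(octet)) for octet in ip.split("."))


def parse_creation_objects(text: str) -> list:
    """Return the creation objects listed by FWENGMON /C, in order."""
    objs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, or "(chopped)" lines
        objs.append(CreationObject(
            obj_id=int(m.group(1)), proto=m.group(2),
            source=_norm_ip(m.group(4)), source_port=int(m.group(5)),
            dest=_norm_ip(m.group(6)), dest_port=int(m.group(7)),
            one_shot=(m.group(8) == "Yes"),
        ))
    return objs


def published_ports(objs) -> set:
    """(proto, destination port) pairs FWENG is waiting for."""
    return {(o.proto, o.dest_port) for o in objs}


def parse_netstat_listeners(text: str) -> set:
    """(proto, local port) pairs netstat -ano shows as real sockets."""
    listeners = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(3)), m.group(5)
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait rows are not listeners
        listeners.add((proto, port))
    return listeners


def check_publishing(fwengmon_text: str, netstat_text: str, expected: set) -> dict:
    """Compare what FWENG is waiting for with what you meant to publish.

    missing    - expected pairs with no creation object (rule not active?)
    unexpected - creation objects for ports you did not intend to publish
    invisible  - published pairs netstat cannot show (the normal ISA 2004 case)
    """
    published = published_ports(parse_creation_objects(fwengmon_text))
    sockets = parse_netstat_listeners(netstat_text)
    return {
        "missing": expected - published,
        "unexpected": published - expected,
        "invisible": published - sockets,
    }


if __name__ == "__main__":
    result = check_publishing(SAMPLE_FWENGMON_C, SAMPLE_NETSTAT_ANO,
                              expected={("TCP", 443), ("TCP", 3390)})
    for key, pairs in result.items():
        print(f"{key:10s} {sorted(pairs)}")
```

On a real box you would feed it the saved output of FWENGMON /C and netstat -ano; anything in "unexpected" is a creation object you did not know about and worth chasing down, while "invisible" is simply the page's point made concrete: published ports live in FWENG, not in the socket table.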

Fwengmon also has other powerful features that I haven't tried, like punching massive holes in the firewall (see the /? or the Doc file on the /Allow switch). That one opens the firewall to whatever you hand it, so treat it as a troubleshooting aid and remember to undo it afterwards. Possibly a useful tool to have handy.


[1] - My memory of ISA 2000 is beginning to fray, as I'm using ISA 2004 Enterprise Edition at home now to get a better feel for it (my SBS box is a Virtual Server Virtual Server (there has to be a better way of saying that), "behind" the ISA 2004 firewall box. But in it. Sort of.), and ISA 2000 is confined to a fleet of VPCs at work.

Update - and here's the KB about it.