Subtleties of Denying Traffic

In ISA Server 2004, if you're using custom ports as part of a publishing rule for a protocol, an Access Rule won't be able to block that protocol on a non-default port.

To illustrate:

Say you're Server Publishing RDP for two internal servers using two rules that publish the RDP (Terminal Server) Server protocol, one on port 3390 using the Ports button and one on the default 3389.

You want to temporarily disable access to both, so you create an Access Rule specifying to Deny RDP from External to Anywhere, with higher priority than other rules.

And as this is sounding so much like an MCSE question, I think I'll multi-choice the answers!

(The screenshot shows a disabled access rule, but assume it would be enabled.)

Does this solution:

A. Meet the intended objective?

B. Block only the server on the custom RDP port?

C. Block only the server on the default RDP port?

D. Not block RDP to either server?

Show working, and if this doesn't meet the stated objective, propose an alternative solution.

Answers on a postcard or the back of an envelope to this address. Er, or just hit Comment and have a crack.

Comments (2)

  1. Parky says:

    Surely you would only see this solution from some n00b. 😉

    Just disable the two existing rules instead.

  2. Tristan K says:

    Hey Parky, the N00b in this case was me!

    C is the correct answer; when blocking, it doesn’t matter that you varied the port when publishing the protocol.

    It’s something to be aware of, as the alternative ports aren’t immediately visible in the interface without drilling down.

    Another alternative solution is to either define a new protocol for that port, or add a primary connection port range to the protocol you’re trying to block. Rationale: If you’ve more than two rules to disable, it’s probably more time-effective to implement a single block rule that covers all the ports you’re interested in.
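As an added illustration (not from the original post and not ISA Server's own code), the following Python model of ordered, first-match rule evaluation reproduces answer C and the alternative fix: a deny rule only sees the ports in the protocol definition it names, so the server published on 3390 slips past unless that definition is widened or a second, user-defined protocol is denied as well. The rule and protocol names below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Protocol:
    name: str
    ports: frozenset  # primary connection port(s) in the protocol definition

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" (publishing rule) or "deny" (access rule)
    protocol: Protocol
    port_override: Optional[int] = None  # Server Publishing "Ports" button, if used

# Constructed protocol definitions. The built-in RDP protocol is 3389 only.
RDP = Protocol("RDP (Terminal Server) Server", frozenset({3389}))
RDP_CUSTOM = Protocol("RDP on 3390 (user-defined)", frozenset({3390}))
RDP_RANGE = Protocol("RDP with 3389-3390 port range", frozenset({3389, 3390}))

def rule_matches(rule: Rule, dst_port: int) -> bool:
    # A publishing rule listens on its overridden port; an access rule has no
    # override and only matches the ports in the protocol definition it names.
    if rule.port_override is not None:
        return dst_port == rule.port_override
    return dst_port in rule.protocol.ports

def evaluate(rules, dst_port: int) -> str:
    # Ordered evaluation, first matching rule wins; nothing matched = default deny.
    for rule in rules:
        if rule_matches(rule, dst_port):
            return f"{rule.action} ({rule.name})"
    return "deny (default rule)"

def decisions(*deny_protocols: Protocol) -> dict:
    # One deny rule per protocol, ordered above the two publishing rules from the post.
    rules = [Rule(f"Deny {p.name} External->Anywhere", "deny", p) for p in deny_protocols]
    rules += [
        Rule("Publish TS-A on default port", "allow", RDP),
        Rule("Publish TS-B on custom port", "allow", RDP, port_override=3390),
    ]
    return {port: evaluate(rules, port) for port in (3389, 3390)}

if __name__ == "__main__":
    print("Deny built-in RDP only:  ", decisions(RDP))              # 3390 still allowed (answer C)
    print("Deny RDP + custom proto: ", decisions(RDP, RDP_CUSTOM))  # both denied
    print("Deny widened port range: ", decisions(RDP_RANGE))        # both denied
```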
