ISA 2004: Hosting a Joint Operations Server

Back from the beach now, and starting to wade through the email morass via OWA (1000s of messages... makes you really appreciate fat clients, rules and desktop search). Here's an interesting one from the blog feedback folder:

I am trying to configure our corporate firewall to allow hosting of Joint Ops. On my Linksys-type firewall this is as easy as port forwarding UDP port 32768 to the game box. But in ISA creating a simple Server listener (on UDP port 32768) isn't enough. There's something missing. Do you know what I'm missing? Are there additional ports I need to open up and if so, what would those be?

Also, what's the difference in ISA when configuring a UDP listener between the "Send", "Receive", "Send Receive", and "Receive Send" options?

There was a heated debate in the ISA newsgroup last year (er, 2004 then) as to whether game servers are appropriate behind a corporate firewall (short version: usually not unless you're a hosting company), and it's probably worth a read. Be sure you want to do this: At the end of the day, it's your own bum that'll be kicked if the server turns out to have an exploitable hole and it leads to loss or theft of information. If you're going to do it, have the dedicated game server on an isolated network and turn it off anytime you're not using it - assume it will be compromised, and look to mitigate the damage such a compromise would cause ahead of time.

So, here's the Helpful* Picture I threw together:

I noticed the corporate firewall bit last, after I'd prepared a handy home-network-friendly diagram covering when to use Server Publishing and when to use Access Rules (Server Publishing is an inbound rule where inbound is defined by the NAT relationship direction, Access Rules are an outbound rule, but "outbound" is defined by the source and destination... Check the ISA Server Help for more on that stuff).

If you're still using ISA 2000, instead of using Access Rules to allow access to the local machine from the External network, you use Packet Filters to open certain ports.

For ISA 2004, the specifics of the protocols you'd use are these:

  • For Server Publishing: Joint Ops Server - UDP, 32768-32768, Receive Send (means Receive then Send: Receive a packet on this port, then Send a packet from this port, but expect the incoming packet first).
    • You'd use similar parameters for the ISA 2000 Packet Filter if running on the ISA box itself, otherwise it's the same for ISA 2000.
  • For an Access Rule: Joint Ops - UDP, 32768-32768, Send Receive (client initiates the connection).
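
To make the direction options concrete, here is a small added model (an example written for this post, not ISA Server code) of how a stateful filter could treat "Receive", "Receive Send" and "Send Receive" for UDP 32768. The `UdpRule` class, its matching logic and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

INBOUND, OUTBOUND = "in", "out"  # relative to the protected network


@dataclass
class UdpRule:
    """Simplified model of a UDP protocol definition (an assumption, not ISA code)."""
    port: int        # server-side port, e.g. 32768
    direction: str   # "Receive", "Send", "Receive Send" or "Send Receive"
    flows: set = field(default_factory=set)

    def allows(self, way, local, remote):
        """local/remote are (ip, port) pairs; local is on the protected side."""
        first, *reply = self.direction.split()
        initial = INBOUND if first == "Receive" else OUTBOUND
        # The defined port belongs to whichever end is the server:
        # the published host for Receive*, the remote host for Send*.
        server = local if initial == INBOUND else remote
        if server[1] != self.port:
            return False
        flow = (local, remote)
        if way == initial:
            self.flows.add(flow)   # first packet opens the flow
            return True
        # The opposite direction passes only as a reply on an open flow.
        return bool(reply) and flow in self.flows


def demo():
    # Constructed sample addresses (private and documentation ranges).
    game = ("10.0.0.5", 32768)
    player = ("203.0.113.7", 50000)
    out = {}
    pub = UdpRule(32768, "Receive Send")          # Server Publishing
    out["server speaks first"] = pub.allows(OUTBOUND, game, player)
    out["player connects"] = pub.allows(INBOUND, game, player)
    out["server replies"] = pub.allows(OUTBOUND, game, player)
    recv_only = UdpRule(32768, "Receive")         # one-way definition
    recv_only.allows(INBOUND, game, player)
    out["reply with Receive only"] = recv_only.allows(OUTBOUND, game, player)
    client = ("10.0.0.9", 40000)
    remote_game = ("198.51.100.2", 32768)
    acc = UdpRule(32768, "Send Receive")          # Access Rule
    out["unsolicited inbound"] = acc.allows(INBOUND, client, remote_game)
    out["client connects"] = acc.allows(OUTBOUND, client, remote_game)
    out["remote replies"] = acc.allows(INBOUND, client, remote_game)
    return out
```

Calling `demo()` returns a dictionary mapping each step to `True` (allowed) or `False` (dropped).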

If you're finding it's still not working, make sure the JOps server computer's default gateway uses a path that hits the Internet via the ISA Server - it'll need to be able to respond to Internet IP addresses.

Again: be sure you want to do this - and if you are, enjoy!
