How to publish a DNS server in Internet Security and Acceleration (ISA) Server or in Microsoft Forefront Threat Management Gateway, Medium Business Edition

This article describes how to publish a DNS server by using Microsoft Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition.

Create a server publishing rule

To publish a DNS server that is hosted on the ISA Server or Forefront Threat Management Gateway, Medium Business Edition computer or that is hosted on the internal or the perimeter network, create a new server publishing rule. To do this, follow these steps:

1. Start the ISA Server Management tool or the Forefront TMG Management tool.
2. Expand ServerName, where ServerName is the name of your ISA Server computer, and then click Firewall Policy.
3. Click the Tasks tab, and then click Create a New Server Publishing Rule.
   
   Note In ISA Server 2006, click Publish Non-Web Server Protocols.
4. In the Server publishing rule name box, type a descriptive name for this rule, and then click Next.
5. In the Server IP address box, type the IP address of the DNS server that you want to publish, and then click Next.
   
   Note If the DNS server is hosted on the ISA Server computer, type the IP address of the ISA Server computer's internal interface.
6. In the Selected protocol list, click DNS Server, and then click Next.
7. In the Listen for requests from these networks list, click to select the check box of the network that you want ISA Server to listen on for DNS queries. For example, to enable external users to submit queries to your DNS server, click to select the External check box.
   
   Note If you want to specify a particular IP address that ISA Server listens on, click Address, click Specified IP addresses on the ISA Server computer in the selected network, click the IP address that you want ISA Server to listen on, click Add>, and then click OK.
8. Click Next, and then click Finish.
9. Click Apply to save your changes and to update the firewall policy, and then click OK.

To help prevent DNS zone transfers to unauthorized DNS servers, configure the properties on the DNS server to allow zone transfers only to specific DNS servers. You can also modify the server publishing rule to restrict traffic to a specific computer. To do this, follow these steps:

1. Click the Firewall Policy tab, right-click the new server publishing rule that you created, and then click Properties.
2. Click the From tab, click Anywhere, click Remove, and then click Add.
3. In the Network entities dialog box, click New, and then click Computer.
4. In the Name box, type a descriptive name for the new computer rule element, type the computer's IP address in the Computer IP Address box, and then click OK.
5. Expand Computers, click the new computer element that you created, click Add, and then click Close.
6. Click OK.
7. Click Apply to save your changes and to update the firewall policy, and then click OK.

In some scenarios, you may have to modify your firewall rule hierarchy if an earlier firewall rule blocks the DNS traffic before this firewall rule is processed. To move a firewall rule up in the hierarchy, right-click that rule, and then click Move Up. When you have finished modifying your firewall rule hierarchy, click Apply to save your changes and to update the firewall policy. Click OK.

For additional information about how to publish a server in ISA Server, search on "server publishing rules" in ISA Server or Forefront Threat Management Gateway, Medium Business Edition Help. For additional information about computers or about computer sets, search on "network objects" in ISA Server Help.