Chapter 12: Publishing a Web and FTP Server on the Perimeter Network

ISA Server 2004 firewalls enable you to publish resources located on protected networks so external users can access those resources. There are two primary methods available to publish resources on a protected network:

  • Web Publishing Rules
  • Server Publishing Rules

Web Publishing Rules can be used to publish Web servers. External users connect to Web servers published this way using the HTTP or HTTPS (SSL) protocols. Web Publishing Rules have a number of advantages over Server Publishing Rules, and you should always use a Web Publishing Rule when publishing a Web site.

Server Publishing Rules can be created for virtually any Server Protocol. You can use Server Publishing Rules to publish FTP sites, mail servers, news servers, terminal servers and many more. Use Server Publishing Rules when Web Publishing Rules cannot be used to publish a service on a protected network.

In this ISA Server 2004 Configuration Guide chapter, we will publish a Web site and an FTP site located on the perimeter network segment. You should still read this section even if you decided to use the Edge Firewall template instead of the 3-Leg Perimeter Network Template. The same publishing principles apply; the only difference is the location of the servers being published.

Follow these procedures to publish the Web and FTP sites on the perimeter network:

  • Configure the Web site
  • Configure the FTP site
  • Disable the custom rules and enable the template created rules
  • Create the Web Publishing Rule
  • Create the FTP Server Publishing Rule
  • Test the connection

Configure the Web Site

The first step is to configure the Web site on the perimeter network segment. In a production environment, the Web site will already be configured and be ready to publish. In this current example, we need to create a default Web site document and set a few parameters so that we can test it successfully.

Perform the following steps to configure the Web site on the IIS server on the perimeter network:

  1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand the server name and the Web sites node.
  3. Right-click the Default Web Site node and click Properties.
  4. In the Default Web Site Properties dialog box, select the IP address of the server in the IP address list.
  5. Click the Documents tab, and click Add. In the Add Content Page dialog box, enter the name default.txt. Click OK.
  6. Use the Move Up button to move the default.txt entry to the top of the list.
  7. Click Apply; then click OK in the Default Web Site Properties dialog box.
  8. Right-click the server name in the left pane of the console and point to All Tasks. Click Restart IIS.
  9. Select Restart Internet Services on TRIHOMEDMZLAN1 in the Stop/Start/Restart dialog box and click OK.
  10. Close the Internet Information Services (IIS) Manager console.
  11. Click Start and Windows Explorer.
  12. Navigate to the C:\Inetpub\wwwroot folder. Click the File menu, point to New and click Text Document.
  13. Double-click the New Text Document.txt entry in the right pane of the console. Enter into the document the following text: This is the Web site on the perimeter network segment. Click File and then click Exit. Click Yes in the Notepad dialog box asking if you want to save the changes.
  14. Right-click the New Text Document.txt file and click Rename. Rename the file to default.txt.

Configure the FTP Site

The next step is to configure the FTP site so that it is ready to be published. You will set the IP address the FTP site listens on and configure messages for the FTP site to return to users connecting to the site. In addition, you will enable users to upload files to the FTP site. In a production environment, you may want to prevent users from being able to upload to the FTP site, to prevent Internet intruders from placing illegal and copyrighted material on your site.

Perform the following steps to configure the FTP site:

  1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. Expand the server name in the left pane of the Internet Information Services (IIS) Manager console, and then expand the FTP Sites node.
  3. Right-click the Default FTP Site and click Properties.
  4. In the Default FTP Site Properties dialog box, select the IP address of the perimeter network server in the IP address list.
  5. Click the Messages tab. In the Banner text box, enter This is the perimeter network FTP site. In the Welcome text box, enter Welcome to the ISA firewall protected FTP site. In the Exit text box, enter Goodbye! In the Maximum connections text box, enter the phrase Site is busy come back later.
  6. Click the Home Directory tab. On the Home Directory tab, put a check mark in the Write check box. Note that in a production environment you should be very careful about allowing write access to FTP sites. Internet intruders can take advantage of poorly-secured FTP sites and store illegal material on your site.
  7. Click Apply and OK in the Default FTP Site Properties dialog box.
  8. Right-click the server name in the left pane of the console and point to All Tasks. Click Restart IIS.
  9. Select the Restart Internet Services on TRIHOMEDMZLAN1 entry in What do you want IIS to do? and click OK.
  10. Close the Internet Information Services (IIS) Manager console.
  11. Click Start and Windows Explorer.
  12. Navigate to the folder C:\Program Files\NetMeeting. Select all the files in that folder and copy them to the Clipboard.
  13. Navigate to the folder C:\Inetpub\ftproot. Paste the files you copied to the Clipboard to this folder.

Disable the Custom Rules and Enable the Template Created Rules

In the last chapter in this ISA Server 2004 Configuration Guide, we created Access Rules that allowed for user/group-based access control for outbound connections. We now want to disable those rules and use the rules that the 3-Leg Perimeter Network Template Wizard created.

Perform the following steps to disable the custom rules created in the last chapter and enable the rules created by the Template:

  1. At the ISA Server 2004 firewall machine, open the Microsoft Internet Security and Acceleration Server 2004 management console. Expand the server name and click the Firewall Policy node.
  2. Click the DNS Servers policy. Hold down the CTRL key and click the Administrator Internet Access and Limited Access Web Users Access Rules. Right-click one of the selected rules and click Disable.
  3. Click Apply to save the changes and update the firewall policy.
  4. Click OK in the Apply New Configuration dialog box.
  5. Click the first rule created by the Wizard. In this example, the first rule is the VPN Clients to Internal Network rule. Hold down the CTRL key and click the second rule so that both rules are selected. Right-click one of the selected rules and click Enable.
  6. With the two Access Rules still selected, click the blue, up-pointing arrow in the console button bar to move the rules to the top of the list.
  7. Click Apply to save the changes and update firewall policy.
  8. Click OK in the Apply New Configuration dialog box.

Create the Web Publishing Rule

You’re now ready to create the Web Publishing Rule. The Web Publishing Rule will configure the ISA Server 2004 firewall to listen for incoming requests for your Web site. Because the ISA Server 2004 firewall is an intelligent, application layer aware firewall, it will accept requests only from external users who enter the correct Web site name to access the site. External users, hackers and Internet worms will not be able to connect to the Web site by using a simple IP address.

Perform the following steps to create the Web Publishing Rule:

  1. At the ISA Server 2004 firewall computer, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand your server name. Click the Firewall Policy node.
  2. Right-click the Firewall Policy node, point to New and click Web Server Publishing Rule.
  3. On the Welcome to the New Web Publishing Rule Wizard page, enter a name for the rule in the Web publishing rule name text box. In this example, we will name the rule Perimeter Web Server. Click Next.
  4. On the Select Rule Action page, select Allow and click Next.
  5. On the Define Website to Publish page, enter a name for the Web server on the perimeter network in the Computer name or IP address text box. This is the name or IP address of the computer on the perimeter network segment, not the IP address on the external interface of the ISA Server 2004 firewall. In this example, we will use the name perimeter.msfirewall.org; this name must resolve to the IP address used by the Web server on the perimeter network. This can be done by implementing a split DNS infrastructure, or by using a HOSTS file entry on the ISA Server 2004 firewall machine. Later we will create a HOSTS file entry for the perimeter network machine. In the Folder text box, enter /*. Click Next.
  6. On the Public Name Details page, select This domain name (type below) in the Accept requests for list. In the Public name text box, enter the name that external users will use to access the site. In this example we will use the name perimeter.msfirewall.org. When users enter https://perimeter.msfirewall.org into their browsers, the name will resolve to the external IP address on the ISA Server 2004 firewall that listens for incoming Web requests for the site. In the Path (optional) text box, enter /*. This allows users access to all directories they have permission to access on the Web site. Click Next.
  7. On the Select Web Listener page, click New.
  8. On the Welcome to the New Web Listener Wizard page, enter a name for the Web listener in the Web listener name text box. In this example we will name the listener Listener1. Click Next.
  9. On the IP Addresses page, put a check mark in the External check box and click Address.
  10. On the External Network Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network. In the Available IP Addresses list, select the IP address on the external interface of the ISA Server 2004 firewall and click Add. The address now appears in the Selected IP Addresses list. Click OK.
  11. Click Next on the IP Addresses page.
  12. On the Port Specification page, confirm that a check mark appears in the Enable HTTP check box and that the default HTTP port number is 80. Click Next.
  13. Click Finish on the Completing the New Web Listener Wizard page.
  14. The Listener1 entry now appears in the Web listener list. Click Next.
  15. On the User Sets page, accept the default entry, All Users, and click Next.
  16. Click Finish on the Completing the New Web Publishing Rule Wizard page.
  17. Click Apply to save the changes and update the firewall policy.
  18. Click OK in the Apply New Configuration dialog box.
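The rule you have just built forwards a request only when the public name (matched against the request's Host header) and the path fit what the wizard recorded; a request that arrives addressed to the bare external IP address matches no public name and is dropped. The following Python script is an added example that models that decision; it is not ISA Server code and not part of this guide. The class, the function names and the simplified "/*" path matching are assumptions made for the illustration, while the rule name, public name and addresses are the ones used in this chapter.

```python
"""Simplified model of how a Web Publishing Rule decides whether to forward
a request (added illustration, not ISA Server code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class WebPublishingRule:
    name: str
    public_names: tuple          # "This domain name (type below)" entries
    path: str = "/*"             # "Path (optional)" field; "/*" publishes the whole site
    internal_server: str = ""    # "Computer name or IP address" of the published server
    listener_ports: tuple = (80,)  # Web listener: Enable HTTP, port 80


def _path_matches(pattern, request_path):
    # Assumed path semantics: "/*" matches everything, "/dir/*" matches the
    # subtree below /dir, and a pattern without "*" matches only itself.
    if pattern.endswith("/*"):
        prefix = pattern[:-1]                      # "/dir/" or "/"
        return request_path.startswith(prefix) or request_path == prefix.rstrip("/")
    return request_path == pattern


def rule_matches(rule, url, host_header=None):
    """True when the listener port, the public name and the path all match."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in rule.listener_ports:
        return False
    # The public name is compared with the Host header the client sent; a
    # request addressed to "192.168.1.70" carries that IP as its Host and
    # therefore matches no published name.
    host = (host_header or parts.hostname or "").lower()
    if host not in [n.lower() for n in rule.public_names]:
        return False
    return _path_matches(rule.path, parts.path or "/")


def evaluate(rules, url, host_header=None):
    """Return the name of the first rule that forwards the request, or None
    when no rule matches and the firewall drops it."""
    for rule in rules:
        if rule_matches(rule, url, host_header):
            return rule.name
    return None


# The rule created in this chapter.
PERIMETER_WEB = WebPublishingRule(
    name="Perimeter Web Server",
    public_names=("perimeter.msfirewall.org",),
    path="/*",
    internal_server="perimeter.msfirewall.org",
)

# A constructed variant that publishes only one folder, to show the path check.
DOCS_ONLY = WebPublishingRule(
    name="Perimeter Docs Only",
    public_names=("perimeter.msfirewall.org",),
    path="/docs/*",
)


if __name__ == "__main__":
    for url in ("http://perimeter.msfirewall.org/default.txt",
                "http://192.168.1.70/default.txt",
                "http://www.msfirewall.org/"):
        print(f"{url:45} -> {evaluate([PERIMETER_WEB], url)}")
```

Running the script shows the request by name being forwarded and the requests by IP address or by an unpublished name returning None, which is the behaviour step 6 of the wizard relies on.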

The next step is to create a HOSTS file entry so that the firewall will resolve the name perimeter.msfirewall.org to the IP address used by the Web site on the perimeter network. In this example, the Web site is listening on IP address 172.16.0.2.

  1. Click Start and Run. In the Run dialog box, enter notepad in the Open text box and click OK.
  2. Click the File menu and Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.
  3. Add the following line to the HOSTS file:
    172.16.0.2 perimeter.msfirewall.org
    Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to indicate that you want to save the changes.

Create the FTP Server Publishing Rule

Server Publishing Rules are simpler than Web Publishing Rules. A Server Publishing Rule forwards incoming requests to the published server and exposes them to the application layer filters installed on the ISA Server 2004 firewall. The only information you need to supply to the Server Publishing Rule Wizard is the IP address of the server to be published, the IP address on which you want the ISA Server 2004 firewall to listen for requests, and the Server Protocol that is published. Note that all Server Protocols have their primary connection set as inbound.

Perform the following steps to create the FTP Server Publishing Rule:

  1. At the ISA Server 2004 firewall machine, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Firewall Policy node.
  2. Right-click the Firewall Policy node, point to New and click Server Publishing Rule.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server publishing rule name text box. In this example we will use the name Perimeter FTP Server and click Next.
  4. On the Select Server page, enter the IP address of the FTP server on the perimeter network in the Server IP address text box. In this example, the FTP server is listening on IP address 172.16.0.2. Click Next.
  5. On the Select Protocol page, select the FTP Server protocol from the Selected protocol list. Click Next.
  6. On the IP Addresses page, place a check mark in the External check box. Click the Addresses button.
  7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Select the IP address on the external interface of the ISA Server 2004 firewall in the Available IP Addresses list and click Add. The address now appears in the Selected IP Addresses list. Click OK.
  8. Click Next on the IP Addresses page.
  9. Click Finish on the Completing the New Server Publishing Rule Wizard page.

The next step is to correct the Network Relationship between the perimeter network and the external network:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node and click the Networks node.
  2. In the Details pane, click the Network Rules tab. Right-click the Perimeter Access Network Rule and click Properties.
  3. In the Perimeter Access Properties dialog box, click the Network Relationship tab.
  4. On the Network Relationship tab, select Network Address Translation (NAT). Click Apply and OK.
  5. Click Apply to save the changes and update the firewall policy.
  6. Click OK in the Apply New Configuration dialog box.

Test the Connection

We are now ready to test the connection. Internet Explorer 6.0 can access both Web and FTP sites within the browser. The only difference in the current example is that you will specify https:// for the Web site and ftp:// for the FTP site. You will also see in the following walkthrough how to configure the FTP site to accept uploads from external users.

Perform the following steps to test the Web and FTP Server Publishing Rules:

  1. The first step on the external Windows 2000 client is to configure a HOSTS file entry so that the client will resolve the name perimeter.msfirewall.org to the external address on the ISA Server 2004 firewall.
  2. Click Start and Run. In the Run dialog box, enter notepad in the Open text box, and click OK.
  3. Click the File menu and Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box, and click Open.
  4. Add the following line to the HOSTS file:
    192.168.1.70 perimeter.msfirewall.org
    Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to save the changes.
  5. From the external client machine, open Internet Explorer and enter https://perimeter.msfirewall.org into the Address bar. Press ENTER. The default Web page for the site will appear.
  6. In Internet Explorer, enter ftp://perimeter.msfirewall.org in the Address bar and press ENTER. You will see the contents of the FTP site. By default, you can only download files from the site.
  7. If you would like to upload files to the site, return to the Microsoft Internet Security and Acceleration Server 2004 management console and right-click the Perimeter FTP Server publishing rule and click Configure FTP.
  8. In the Configure FTP protocol policy dialog box, remove the check mark from the Read Only check box. Click Apply and OK.
  9. Click Apply to save the changes and update the firewall policy.
  10. Click OK in the Apply New Configuration dialog box.
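The same name, perimeter.msfirewall.org, has to resolve to two different addresses depending on where the lookup happens: on the firewall it must point at the IIS server on the perimeter segment (172.16.0.2, the HOSTS entry created after the Web Publishing Rule), and on the external client it must point at the firewall's external listener (192.168.1.70, the entry created in step 4 above). Getting the two mixed up is the most common reason the test in step 5 fails. The following Python script is an added example that parses HOSTS file text and checks the entry for each role; it is not part of the original guide. The two sample HOSTS files are constructed for the example, and the function names and the EXPECTED table are assumptions made for the illustration.

```python
"""Check that each machine's HOSTS entry for the published name points where
this chapter says it should (added example, not part of the ISA guide)."""

# Constructed sample HOSTS files. On Windows the file lives at
# %SystemRoot%\system32\drivers\etc\hosts and uses the same format on both machines.
FIREWALL_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
172.16.0.2\tperimeter.msfirewall.org   # IIS server on the perimeter segment
"""

CLIENT_HOSTS = """\
127.0.0.1       localhost
192.168.1.70    perimeter.msfirewall.org
"""

# Where the name must point on each machine, as the chapter sets it up.
EXPECTED = {
    "firewall": "172.16.0.2",    # the published server's perimeter address
    "client":   "192.168.1.70",  # the ISA firewall's external listener address
}


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS file text.

    Comments (#), blank lines, tabs and multiple names per line are handled.
    The first mapping seen for a name is kept; if a name appears twice,
    remove the duplicate rather than relying on ordering.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_entry(hosts_text, role, name="perimeter.msfirewall.org"):
    """Return a list of problems; an empty list means the entry is correct for the role."""
    problems = []
    actual = parse_hosts(hosts_text).get(name.lower())
    want = EXPECTED[role]
    if actual is None:
        problems.append(f"{role}: no HOSTS entry for {name}")
    elif actual != want:
        problems.append(f"{role}: {name} resolves to {actual}, expected {want}")
        if role == "client" and actual == EXPECTED["firewall"]:
            # The classic mistake: the external client was given the perimeter
            # address, which it cannot reach; it must use the firewall's external IP.
            problems.append("client points at the perimeter address itself; "
                            "external hosts must use the firewall's external IP")
    return problems


if __name__ == "__main__":
    for role, text in (("firewall", FIREWALL_HOSTS), ("client", CLIENT_HOSTS)):
        print(role, check_entry(text, role) or "OK")
```

To use it against a real machine, read the HOSTS file from the path in the comment and pass its contents with the role of that machine; a non-empty list tells you which side of the split-DNS setup is wrong before you retry the browser test.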

Conclusion

In this ISA Server 2004 Configuration Guide document we discussed two primary methods that allow external users access to resources contained on protected networks. We first used a Web Publishing Rule to allow inbound access to resources contained in a perimeter network segment. Next, we used a Server Publishing Rule to allow inbound access to an FTP server on the perimeter network segment. You can apply the same principles when publishing resources contained on an Internal network segment. In the next chapter in the ISA Server 2004 Configuration Guide, we will examine the procedures required to make the ISA Server 2004 firewall computer an application layer f