Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Publishing Web Servers Using ISA Server 2004 Enterprise Edition

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition uses Web publishing rules to handle issues associated with publishing Web content to the Internet, without compromising Internal network security. Web publishing rules determine how ISA Server intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server and how ISA Server responds on behalf of the Web server. Requests are forwarded downstream to an internal Web server, located behind the ISA Server array. If possible, the request is serviced from the ISA Server cache.

Web publishing rules map incoming requests to the appropriate Web servers behind the ISA Server array.

Scenarios

Solutions

Appendix A: Using the New Web Publishing Rule Wizard

Appendix B: Creating Rule Elements

More Information

You can use publishing to make content available to groups of users or to all users, typically from an Internal network or perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). Choose Web publishing or server publishing based on what content you are publishing. Web publishing rules are configured to make HTTP and HTTPS content available on Web servers, such as servers running Internet Information Services (IIS). Server publishing rules are configured to make content available using other protocols. Server publishing publishes an entire server through a protocol, and enables you to restrict access to specific computers or networks. You cannot publish HTTP content using server publishing rules.

Web publishing provides you detailed control over access to content. Web publishing rules are rich in features, including the following:

  • Mapping requests to specific internal paths. You can limit the portions of your servers that can be accessed.
  • Restricting access to specific users, computers, or networks. You can restrict access, to further improve security.
  • Requiring user authentication. User authentication can be passed through to the Web server, eliminating the need to reauthenticate at the Web server.
  • Providing link translation. You can handle links to internal servers.
  • Providing SSL bridging. You can encrypt traffic between the ISA Server array and the Web server.

Web Listeners

All incoming Web requests must be received by a Web listener. A Web listener may be used in multiple Web publishing rules.

When you configure a Web listener, you are specifying:

  • The network corresponding to the Internet Protocol (IP) addresses on the ISA Server array that will listen for incoming Web requests. The Web listener can listen on all the IP addresses associated with a network or on specific IP addresses.
  • The port number that will listen for incoming Web requests on the selected network IP addresses.
  • Client authentication methods (optional).

Selecting Web Listener Networks (IP Addresses)

The Web listener network, or networks, that you select depend on the networks from which clients will connect to the published Web server. For example, if the Web site you are publishing allows client requests from the Internet (External network), you should select the External network for the Web listener. By selecting the External network, you are selecting the IP addresses on the ISA Server computer that are associated with the External network adapter. If you do not limit the IP addresses, all the IP addresses associated with the selected network adapter will be included in the listener configuration. If you are using ISA Server integrated Network Load Balancing (NLB), read the important note that follows.

Specifying the Listener Port

By default, ISA Server listens on port 80 for HTTP requests. However, if connecting clients are expected to use a different port, you should change the port number accordingly. You can also enable the Web listener to listen for Secure Sockets Layer (SSL) requests. (The default is port 443.) If you choose SSL, an appropriate certificate must first be installed on each member of the ISA Server array. You must select a server certificate to be used by the Web listener, so that the ISA Server array member can authenticate itself to the client.

Defining Client Authentication Methods

After defining a Web listener, you can edit the Web listener properties to define authentication methods for Web requests. Note that you can configure Integrated Windows authentication on the ISA Server computer or on the Web server, but not both. If you choose to authenticate only on the Web server, ISA Server uses pass-through authentication (Kerberos cannot be used.) For more information see KB article 886996.

Important:
You may want to publish your Web sites using Network Load Balancing (NLB) in your ISA Server array. For the most effective use of NLB, your Web listener should listen on the NLB virtual IP address. If you configure your Web listener to listen on all of the IP addresses for the network adapters, it will listen on the virtual IP address, which will distribute requests using NLB, and on the dedicated IP addresses of the network adapters, which will not make use of NLB. The procedure for configuring NLB is described in Publishing a Web Server Walk-through Procedure 3: Configure Network Load Balancing in this document. The procedure for selecting the virtual IP address in a Web listener is described in Appendix A: Using the New Web Publishing Rule Wizard in this document.

Original Host Headers

By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA Server received. If your Web site has specific features that require the original host header, select Forward the original host header instead of the actual one on the Define Website to Publish page of the New Web Publishing Rule Wizard.

Rule Elements

An ISA Server rule element is an object that you can use to refine ISA Server rules. For example, a subnet rule element represents a subnet within a network. You can create a rule that applies only to a subnet, or a rule that applies to a whole network exclusive of the subnet.

Another example of a rule element is a user set, representing a group of users. By creating a user set and making use of it in an ISA Server rule, you can create a rule that applies only to that set of users.

You can see the rule elements that are available to you by expanding the ISA Server array node, clicking Firewall Policy, and selecting the Toolbox tab in the task pane. There are five types of rule elements:

  • Protocols. This rule element type contains protocols that you can use to limit the applicability of access rules. For example, you can allow or deny access on one or more protocols, rather than on all protocols.
  • Users. In this rule element type, you can create a user set to which a rule will be explicitly applied, or which can be excluded from a rule.
  • Content Types. This rule element type provides common content types to which you may want to apply a rule.
  • Schedules. In this rule element type, you can designate hours of the week during which the rule applies.
  • Network Objects. In this rule element type, you can create sets of computers to which a rule will apply, or which will be excluded from a rule.

You may want to use rule elements in your Web publishing rules, to make the rules more specific. Creation of rule elements is described in Appendix B: Creating Rule Elements in this document.

If the enterprise administrator has created rule elements on the enterprise level, these will also be available to you on the array level, so that you can use those rule elements in Web publishing.

Network Load Balancing

You can use the Network Load Balancing (NLB) functionality of ISA Server to configure and manage the NLB functionality of Microsoft Windows Server™ 2003 running on ISA Server arrays. Network Load Balancing allows all of the computers in a cluster to be addressed by the same set of cluster IP addresses, but also maintains their existing unique, dedicated IP addresses.

Network Load Balancing provides high availability and scalability of servers using a cluster of two or more host computers working together. Clients access the cluster using either an IP address or a set of addresses. The clients are unable to distinguish the cluster from a single server. Server applications do not identify that they are running in a cluster. However, an NLB cluster differs significantly from a single host running a single server application because it can provide uninterrupted service even if a cluster host fails. The cluster can also respond more quickly to client requests than to a single host.

You can configure NLB on the External network of an ISA Server Enterprise Edition array, so that client requests from the Internet are distributed among the array computers. The procedure for configuring NLB through ISA Server is described in Publishing a Web Server Walk-through Procedure 3: Configure Network Load Balancing in this document.

When you configure NLB through ISA Server, NLB is integrated with ISA Server functionality. This provides important functionality that is not available in Windows NLB alone:

  • NLB configuration is performed through ISA Server Management.
  • ISA Server provides NLB health monitoring, and discontinues NLB on a particular computer as necessitated by its status. This prevents the continued functioning of NLB when the state of the computer does not allow the passage of traffic. For example, if there is a failure of the network adapter on the computer, or if you stop the Microsoft Firewall service, ISA Server stops NLB-directed traffic from passing though that computer. When the issue is resolved, ISA Server will again allow NLB traffic to pass through that computer.
  • ISA Server works with Windows NLB to automatically configure bidirectional affinity, and does so for multiple networks. This guarantees that traffic is handled in both directions by the same array server.
    Note:
    When you configure NLB through ISA Server, it is automatically configured in unicast mode and with single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host.

When you use ISA Server integrated NLB, each computer running ISA Server services requires an additional network adapter, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication. You should then configure intra-array communication to use the IP address of the new adapter on each server.

This document describes several Internet Security and Acceleration (ISA) Server 2004 Web publishing scenarios:

  • Publish a Web server that is located in your Internal network or perimeter network.
  • Publish specific folders to differing public names.
  • Publish two Web servers with different domain names.

The solutions described in this document start with publishing an internal Web server or perimeter Web server, and progress to publishing specific folders, and publishing multiple Web servers behind an Internet Security and Acceleration (ISA) Server 2004 array.

Network Topology

The following sections describe the network topologies when:

  • Publishing a Web server on an Internal network.
  • Publishing a Web server on a perimeter network.

Internal Web Server

To publish a Web server on an Internal network, you need, at a minimum:

  • A connection to the Internet.
  • At least one computer to serve as the computer running ISA Server services (the ISA Server array), and a computer to serve as the Configuration Storage server. You can install the Configuration Storage server and ISA Server services on the same computer. We recommend that in a production environment, the Configuration Storage server be installed on a computer that will be behind the ISA Server array. The computer running ISA Server services must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network. If you are using ISA Server integrated NLB on the ISA Server array, you will also require a network adapter on each computer running ISA Server services, for intra-array communication.
  • A computer that will be the Web server, located in the Internal network.
  • To test the setup, a computer that is external to your network, with a connection to the Internet.

Perimeter Web Server

To publish a Web server on a perimeter network you need, at a minimum:

  • A connection to the Internet.
  • At least one computer to serve as the computer running ISA Server services (the ISA Server array), and a computer to serve as the Configuration Storage server. You can install the Configuration Storage server and ISA Server services on the same computer. We recommend that in a production environment, the Configuration Storage server be installed on a computer that will be behind the ISA Server array. The computer running ISA Server services must have at least three network adapters. One adapter will be connected to the External network (representing the Internet), one adapter will be connected to the perimeter network, and one adapter will be connected to the Internal network. If you are using ISA Server integrated NLB on the ISA Server array, you will also require a network adapter on each computer running ISA Server services, for intra-array communication.
  • A computer that will be the Web server, located in the perimeter network.
  • If you want your perimeter Web server to retrieve data from a data server on the Internal network, you need a computer to serve as the data server.
  • To test the setup, a computer that is external to your network, with a connection to the Internet.

Publishing a Web Server — Walk-through

This walk-through guides you through the steps necessary to publish a Web server.

Publishing a Web Server Walk-through Procedure 1: Back Up Your Current Configuration

We recommend that you back up your array configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous, backup configuration. To back up the complete configuration of your ISA Server array to an .xml document, follow this procedure:

  1. Open Microsoft ISA Server Management.
  2. Expand Arrays, right-click the array through which you are going to publish the Web server, and then click Export (Back up) to start the Export Wizard.
  3. On the Welcome page, click Next.
  4. On the Export Preferences page, you can select the following options:
    • You can choose to export confidential information. If you do, it will be encrypted during export. If you want to export confidential information, select Export confidential information and provide a password.
    • You can choose to export user permission settings, by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users, for example, indicating who has administrative rights.
  5. Click Next.
  6. On the Export File Location page, provide the location and name of the file to which you want to save the configuration. Choose a meaningful name, and consider including the date in the name of the file, such as Cleveland Array ISA Backup 15 October 2004. Click Next.
  7. On the Completing the Export Wizard page, click Finish.
  8. When the export has completed, click OK.
    Note:
    Because the .xml document is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Publishing a Web Server Walk-through Procedure 2: Configure Intra-Array Communication

When you use ISA Server integrated NLB, you must configure the ISA Server array for intra-array communication.

Add a network adapter to each computer running ISA Server services, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication.

Configuring intra-array communication on each server

To configure intra-array communication to use the IP address of the new adapter on each server, follow these steps:

  1. In ISA Server Management, expand the array, expand Configuration, and click Servers.
  2. For each server in the array, right click the server and select Properties (or select Configure Selected Server in the task pane on the Tasks tab).
  3. On the Communication tab, under Use this IP address for communication between array members, select the IP address of the network adapter over which intra-array communication will take place.
  4. Click OK.
  5. After you configure all of the servers, click Apply in the details pane to apply your changes.
Creating an intra-array network

To create an ISA Server network that includes only the addresses of the new network adapters (an intra-array network), follow these steps:

  1. In ISA Server Management, expand the array, expand Configuration, and click Networks.
  2. In the details pane, select the Networks tab.
  3. On the task pane, in the Tasks tab, click Create a New Network.
  4. On the Welcome page, type a name for the network, and then click Next.
  5. On the Network Type page, select Internal Network, and click Next.
  6. On the Network Addresses page, click Add Adapter to open the Select Network Adapters dialog box. Select the network adapter that is used for intra-array communication. Click OK, and click Next.
  7. On the Completing the New Network Wizard page, review the settings, and click Finish.
  8. In the details pane, click Apply to apply your changes.

Publishing a Web Server Walk-through Procedure 3: Configure Network Load Balancing

Follow this procedure to configure Network Load Balancing (NLB) for an array. NLB will be automatically configured in unicast mode and single affinity. Single affinity ensures that all network traffic from a particular client be directed to the same host. This procedure takes place on a computer in an ISA Server array, logged on as an array or enterprise administrator.

To configure NLB on an ISA Server array, follow these steps:
  1. On one of the ISA Server array members, expand Arrays, expand the array on which you are going to configure NLB, expand Configuration, and click Networks.
  2. In the details pane, verify that the Networks tab is selected.
  3. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration to start the Network Load Balancing Wizard. On the Welcome page, click Next.
  4. On the Select Load Balanced Networks page, select the networks for which NLB will be enabled. We recommend enabling NLB on at least the External and Internal networks. Do not click Next.
  5. Before you click Next, you have to set the virtual IP address for each network. To set the virtual IP address, select a network, and then click Set Virtual IP. In the Set Virtual IP Address dialog box, provide the IP address and subnet mask for the virtual IP address you will use. Note that this IP address must be a valid static IP address (that cannot be assigned by your DHCP server), and must belong to the network you are configuring. Click Next.
  6. On the summary page, click Finish. You will receive a notice that you must restart the Microsoft Firewall service.
  7. In the details pane, click Apply. You will receive an ISA Server warning, prompting you to restart the Firewall service. Select Save the changes and restart the services, and then click OK.

Publishing a Web Server Walk-through Procedure 4: Create the Web Site

Create the Web site or sites on the internal or perimeter computer using Internet Information Services (IIS). For details, see the IIS documentation. Be aware of the location of the Web site. If the site is not the default Web site on your Web server, you must provide the correct path when creating a Web publishing rule.

Publishing a Web Server Walk-through Procedure 5: Design and Create Web Publishing Rules

You will use Web publishing rules to publish Web servers. The following are some examples of possible Web publishing scenarios, and the rules needed for the solution. For specifics on how to use the New Web Publishing Rule Wizard, see Appendix A: Using the New Web Publishing Rule Wizard in this document. You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Publishing a Web server on an Internal network or a perimeter network

To publish a Web server on the Internal network or a perimeter network, create a Web publishing rule using the procedure in Appendix A: Using the New Web Publishing Rule Wizard in this document. Remember to click Apply in the ISA Server details pane after creating the rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

The following table describes the tabs in the rule properties dialog box.

Tab Property Setting Comments

General

Name

Provide a name.

Make the name as descriptive as possible, to differentiate this rule from other rules.

General

Description

Provide a description.

Optional.

General

Enable

Select Enable.

None.

Action

Allow

Deny

Select Allow.

None.

Action

Log requests matching this rule

Select if you want requests to be logged.

None.

From

This rule applies to traffic from these sources

Specify the networks to which you are publishing the Web site.

None.

From

Exceptions

None.

You can specify a network object to which this rule will not apply. A network object is a rule element, which is described in Rule Elements in this document.

To

Server

Specify the server you are publishing.

None.

To

Forward the original host header instead of the actual one

Select whether to send the original host header.

For more information, see Original Host Headers in this document.

To

Proxy requests to published server

If the Web server requires the original IP address of the external client, select Requests appear to come from the original client.

If you select Requests appear to come from the original client, make sure that the Web server’s response to the original client is routed through the ISA Server array.

Traffic

This rule applies to traffic of the following protocols

Set to HTTP by default.

Also provides access to the HTTP configuration properties, through the Filtering button. For more information, see Configuring HTTP policy in this document.

Listener

This rule applies to requests received on the following listener

Create a listener that listens on the external network adapter IP addresses.

The network containing the listener must be included in the sources listed on the From tab.

Public Name

This rule applies to

Select All requests.

If you are publishing more than one Web site on the same Web listener, you should specify Requests for the following websites (and specify the published site name) so that another rule can publish a server or directory using the same listener. When you specify Requests for the following websites, only requests for the name you provide will match the rule. This also may reduce the amount of traffic handled by the listener.

Paths

External Path

Internal Path

Specify External: /*

Specify Internal: /*

The path /* is generic, indicating that all folders are published under their own names on the Internet. An example of specific folder publication is provided later in this document.

Bridging

Specify the type of server

Select Web server or FTP server.

For details, see SSL bridging in this document.

Users

This rule applies to requests from the following user sets

Select All Users.

Limits access to a specific set of users.

Users

Exceptions

None.

You may define user sets to which this rule will not apply.

Users

Forward Basic authentication credentials (Basic delegation)

Select whether to forward Basic authentication credentials.

For details, see Allowing delegation of Basic authentication in this document.

Schedule

Schedule

Select Always.

You could limit the hours during which the Web site is available by creating a schedule and applying it to this rule. A schedule is a rule element, which is described in Rule Elements earlier in this document.

Link Translation

Replace absolute links in Web pages

Select whether to replace absolute links, and make dictionary entries if needed.

Link translation will only work if you specify Requests for the following websites (and specify the published site name) on the Public Name tab. For details, see Configuring link translation in this document.

Publishing Web server folders on the Internal or perimeter network to one domain name

You can publish specific folders on a Web server on the Internal network or on a perimeter network. In this scenario, both folders are published to the same domain. For example, you want to publish the \news folder to www.fabrikam.com/news, and the \updates folder to www.fabrikam.com/updates. To do this, follow these steps:

  1. Create a Web publishing rule as described in the previous scenario, with the same properties. You do not have to specify any folders when creating the rule, because the New Web Publishing Rule Wizard does not provide the granularity you require for this scenario.
  2. After you create the rule, in the Firewall Policy details pane, double-click the rule to display its properties, and select the Paths tab.
  3. Select the default path displayed (<same as internal> to Internal Path /*) and click Remove.
  4. Click Add to add new paths through the Path mapping dialog box.
  5. Specify the folder that you want to publish on the Web site. This is the name of the folder on your Web server.
  6. In External Path, either:
    • Select Same as published folder if you want the URL that users type to be the same folder name in their browsers. For example, if your internal folder name is /news and you select Same as published folder, users would type http://www.fabrikam.com/news to access that folder.
    • Select The following folder to specify a different name for the folder as accessed from the Internet. For example, you may have a folder on the Web server named news03032003 that you want to publish to www.fabrikam.com/news. In that case, select The following folder and provide the name news.
  7. In the ISA Server details pane, click Apply to apply the changes.
Publishing two Web server folders to two domain names

You can publish specific folders on a Web server on the Internal network or on a perimeter network to two different domain names. For example, you want to publish the \news folder to www.fabrikam.com, and the \updates folder to www.adatum.com. To do this, you will create two Web publishing rules, one for each domain name. To do this, follow these steps:

  1. Create a Web publishing rule for the www.fabrikam.com site using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the next steps
  2. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the Internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is the default condition. For more information, see Original Host Headers in this document. In Path, you can specify the Web site folder that you want to publish, such as News. Click Next.
    Note:
    To publish all of the subfolders under News to www.fabrikam.com, you would provide the folder as News/*
  3. On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.fabrikam.com.
  4. Complete the wizard.
  5. Create a second Web publishing rule, this time for the www.adatum.com site, using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the following steps.
  6. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the Internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is the default condition. For more information, see Original Host Headers in this document. In Folder, you can specify the Web site folder that you want to publish, such as Update (or Update/*, to include its subfolders). Click Next.
  7. On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.adatum.com.
  8. Complete the wizard.
  9. In the ISA Server details pane, click Apply to apply the changes.

Publishing a Web Server Walk-through Procedure 6: Set Web Publishing Options

Web publishing in ISA Server has many options that enable you to adjust your Web publishing rule to meet your needs. Several of those options are described in the sections that follow. Whenever you make changes to a Web publishing rule, you must click Apply in the ISA Server details pane to apply the changes.

Accessing Web publishing properties

The following steps describe how to access the Web publishing properties:

  1. Open Microsoft ISA Server Management and click Firewall Policy.
  2. Double-click the Web publishing rule to open its properties. Alternatively, select the rule, and in the task pane on the Tasks tab, click Edit Selected Rule.
SSL bridging

If you are publishing a server that requires Secure Sockets Layer (SSL) communication, you must have a digital certificate installed on each member of the ISA Server array. In addition, you may have a digital certificate installed on the Web server. To ensure that HTTPS requests are sent from the ISA Server array to the Web server using the appropriate protocol, you must configure SSL bridging accordingly.

SSL bridging is a property for each Web publishing rule. SSL bridging determines whether HTTPS requests received by the ISA Server array are passed to the Web server as HTTPS requests or as HTTP requests, as follows:

  • If there is no digital certificate installed on the Web server, SSL and HTTP requests are passed to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.
  • If there is a digital certificate installed on the Web server, HTTPS requests are passed to the internal Web server as HTTPS requests, and HTTP requests are passed as HTTP requests. In this case, SSL-secured communication takes place from both the external client to the ISA Server array and from the ISA Server array to the Web server.
    Important:
    We recommend that you install digital certificates on both the Web server and the ISA Server array, and pass HTTPS requests as HTTPS. This is a more secure configuration.

If your Web server has a digital certificate, and you want ISA Server to listen for HTTPS requests without purchasing an additional certificate, you must export the certificate from the Web server and import it to each member of the ISA Server array. For more information, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink?linkid=20794). To modify the SSL bridging configuration, perform the following steps:

  1. In the properties of the Web publishing rule, select the Bridging tab.
  2. Ensure that Web server is selected.
  3. Select Redirect requests to HTTP port or Redirect requests to SSL port:
    • If you are using the ISA Server digital certificate to handle HTTPS requests (no digital certificate installed on the Web server), select Redirect requests to HTTP port, and then click OK.
    • If you want to continue to use an existing digital certificate on the Web server as well as the certificate on the ISA Server array, select Redirect requests to SSL port, ensure that the default port number 443 is appropriate to your network, and then click OK.
  4. Click OK to close the Web publishing rule properties dialog box.
    Note:
    The option Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule To tab does not match the name on the digital (SSL) certificate. This will result in the Web client receiving a 500 Internal Server Error page.

This problem can be resolved using one of the following approaches:

  • Obtain a new certificate that matches the name on the server.
  • Change the server name on the Web publishing rule To tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server.
  • Change the server name on the Web publishing rule To tab to match the name on the certificate. On each member of the ISA Server array, in the file %WINDIR%\system32\drivers\etc\hosts, add a mapping from the server name to the IP address of the internal Web server.
Creating additional path mappings

In the Web publishing solution, you created a single path mapping, from http://www.fabrikam.com/news to the \news folder on the Internal network or perimeter network Web server. You can add additional path mappings, such as http://www.fabrikam.com/archives to the \archives folder on the Web server. To add additional path mappings, follow this procedure:

  1. In the properties of the Web publishing rule, select the Paths tab.
  2. Select the default path displayed (<same as internal> to Internal Path /*) and click Remove.
  3. Click Add to add new paths in the Path mapping dialog box.
  4. Provide the name of the internal folder, for example, archives. If you leave the default External Path option, Same as published folder, the public name will be the same as the private name, archives. However, if you want your internal folder to be published to a different external name, you should select The following folder and provide the public name. With this selection, you can publish the \archives folder to http://www.fabrikam.com/Old. Click OK.
  5. Click OK to close the Web publishing rule properties dialog box.
  6. In the Firewall Policy details pane, click Apply to apply the changes.
Configuring link translation

Some published Web sites may include references to internal names of computers. Because only ISA Server — and not the whole network — is made available to external clients, these references could appear as broken links. ISA Server includes a link translation feature with several levels of functionality, so that you can provide the appropriate level of link connectivity:

  • Header link translation. This is an inherent part of any Web publishing rule, in which a link returned in a header to the client is translated to an externally recognizable URL. When the user accesses the link, it is recognized by the Web publishing rule, and forwarded to the internal server. This form of link translation is always active in any Web publishing rule. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document.
  • Translation of links in the body of a returned Web page. This functions in the same manner as the header link translation, but includes links returned in the body of Web pages, not just in the header. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document. To enable this functionality, perform the following steps:
    1. In the properties of the Web publishing rule, select the Link Translation tab.
    2. Select Replace absolute links in Web pages to enable link translation.
  • You can also configure the content types to which link translation will be applied. This configuration will apply to all of the Web publishing rules that use link translation. (It cannot be configured per rule.) To configure the content types, perform the following steps:
    1. In the properties of the Web publishing rule, select the Link Translation tab.
    2. Click Content Types, to open the Link Translation dialog box Content Types tab.
    3. Select the content types to which link translation will apply, and then click OK.
  • Translation of links to other internal Web pages. Link translation works only for links to the Web server specified in the Web publishing rule. If you want links to other internal or perimeter Web servers to also be translated (so that the links are recognized by their respective Web publishing rules), you must provide information about how to translate each link. This information is stored by ISA Server in a link dictionary.

For example, consider a scenario where two internal Web servers are published. The Web server computers, Internal_IIS_A and Internal_IIS_B, are accessible by their publicly resolvable names www.wingtiptoys.com and www.woodgrovebank.com. The Web servers include cross-references to the published sites. However, the references are to the internal Web site names and not the publicly resolvable site names. Specifically, Internal_IIS_A contains references to Internal_IIS_B.

External users who access Internal_IIS_A by typing www.wingtiptoys.com will not be able to follow the links to Internal_IIS_B. By enabling link translation and creating a dictionary with entries for each of the Web sites, these internal links can be resolved before the page requested by the client is returned.

Important:
ISA Server cannot translate relative links. This will affect links that begin with /, such as /sports, in a situation where you are using path mappings and the external path is not the same as the internal path.
To make entries in the link translation dictionary, perform the following steps:
  1. In the properties of the Web publishing rule, select the Link Translation tab.
  2. Select Replace absolute links in Web pages to enable link translation.
  3. Click Add to open the Add/Edit Dictionary Item dialog box.
  4. In Replace this text, provide the internal link text, such as Internal_IIS_B. In With this text, provide the external link, such as www.woodgrovebank.com. Click OK.
  5. Click OK to close the Web publishing rule properties dialog box.
Allowing delegation of Basic authentication

ISA Server can handle user authentication when the request arrives at the external listener, and then pass the authentication information to the Web server so that the user does not have to supply credentials again. To do so, perform the following procedure:

  1. In the properties of the Web publishing rule, select the Users tab.
  2. Select Forward Basic authentication credentials (Basic delegation).
  3. Click OK to close the Web publishing rule properties dialog box.
Configuring HTTP policy

ISA Server is an application-layer firewall, and applies a Web filter to HTTP traffic. Because ISA Server can examine HTTP requests, applications that are tunneled through HTTP can be blocked, depending on how you configure the HTTP Web filter. This additional protection offers you the ability to reduce the vulnerability of published servers to malicious requests.

The HTTP Web filter also provides granular control over the HTTP requests allowed by your firewall policy.

You can configure HTTP policy, which encompasses the following settings:

  • Request header maximum length
  • Request payload length
  • Configure URL protection
  • Block executables
  • Allow or block methods
  • Specify actions for specific file extensions
  • Deny specific headers
  • Modify Server and Via headers
  • Block specific signatures

For more information, see HTTP Filtering in ISA Server 2004 (http://www.microsoft.com). 

To configure HTTP policy, follow this procedure:
  1. In the properties of the Web publishing rule, select the Traffic tab.
  2. Click Filtering and select Configure HTTP to open the Configure HTTP policy for rule dialog box.
  3. Select the appropriate tab and configure the policy settings.

Publishing a Web Server Walk-through Procedure 7: Test the Web Publishing Configuration

On a computer in the External network (any computer outside of your corporate networks with a connection to the Internet), open Internet Explorer, and type the URL of the Web site, such as http://www.fabrikam.com/news. Verify that you reach the intended page on the published Web server.

Note:
The URL of the Web site must resolve to the IP address used by the Web listener of the ISA Server array for the request to be received by the array.

Publishing a Web Server Walk-through Procedure 8: View Web Site Access Information in the ISA Server Log

ISA Server will log the requests that match the Web publishing rule. To view the information in the log, perform the following steps :
  1. In the Microsoft ISA Server Management console tree, select Monitoring.
  2. In the Monitoring details pane, select Logging.
  3. Create a filter so that you receive only the log information regarding Web site access attempts. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. The filter has three default conditions, specifying that log information from both the firewall and the Web Proxy should be provided, that the log time is Live, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query.
  4. From the list of entries, select Log Time. From the Condition drop-down menu, select Last 24 Hours, and then click Update.
  5. From the list of entries, select Log Record Type. From the Value drop-down menu, select Web Proxy Filter, and then click Update.
  6. You can add another expression by selecting an item from the Filter by drop-down menu, and then providing a Condition and Value. For example, to limit the log to display access to your published Web servers, in addition to the expression Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, which you modified in Step 5, you can add Filter by: Service, Condition: Equals, and Value: Reverse Proxy.
  7. After you have created an expression, click Add To List to add it to the query list, and then click Start Query to start the query. The Start Query command is also available in the task pane on the Tasks tab.

This procedure describes the New Web Publishing Rule Wizard in general terms. You would use the properties of the design phase in creating your rule. To use the New Web Publishing Rule Wizard, follow these steps:

  1. Open Microsoft ISA Server Management, expand the ISA Server array node, and click Firewall Policy.
  2. In the task pane, on the Tasks tab, click Publish a Web Server, to start the New Web Publishing Rule wizard.
  3. On the Welcome page, in the Web publishing rule name field, type a name for the rule, such as Publish internal Web server, and click Next.
  4. On the Select Rule Action page, ensure that the default Allow is selected, which will allow requests to reach your Web server according to the conditions set by the rule. Click Next.
  5. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the computer. In this example, the computer is called Internal_IIS. Verify that Forward the original host header is not selected. This is the default condition. (For more information, see Original Host Headers in this document). In Path, you can specify the Web site folder that you want to publish, such as News. If you leave this field blank, you will be publishing the entire site. The use of the Path field is described later in this document. Click Next.
  6. On the Public Name Details page, provide information regarding what requests will be received by the ISA Server array and forwarded to the Web server. In Accepts requests for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server array will be forwarded to your Web site. If you select This domain name and provide a specific domain name, such as www.fabrikam.com, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server array, only requests for http://www.fabrikam.com will be forwarded to the Web server. If you specify a folder in Path, such as News, that would also be required in the request: http://www.fabrikam.com/news. The required request format is shown in Site. Click Next.
    Note:
    If you will be publishing under more than one domain name, such as www.fabrikam.com and www.adatum.com, you should specify the domain name in this step (do not select Any domain name), so that separate Web publishing rules for the two domains will route requests to the correct sites. Publication of multiple domain names is described in Publishing two Web server folders to two domain names in this document.
  7. On the Select Web Listener page, specify the Web listener that will listen for Web page requests that should be redirected to your Web server, and then click Next. If you have not defined a Web listener, click New and follow these steps to create a new listener:
    1. On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for internal Web publishing, and then click Next.
    2. On the IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapters of ISA Server. Therefore, select External. Do not click Next.
    3. Before you click Next, on the IP Addresses page, click the Address button to open the External Network Listener IP Selection dialog box. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.
    4. Click OK to close the External Network Listener IP Selection dialog box, and on the IP Addresses page, click Next.
    5. On the Port Specification page, the TCP port is set to 80 (default setting). If you want to receive HTTPS requests, select Enable SSL, verify that the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. This requires that you have a digital certificate installed on each member of the ISA Server array. For more information about certificates, see Digital Certificates for ISA Server 2004 (http://www.microsoft.com). Click Next.
    6. On the Completing the New Web Listener Wizard page, review the settings, and click Finish. On the Select Web Listener page, click Next.
  8. On the User Sets page, make sure the default, All Users, is displayed. This will allow any computer in the External network to access the published Web pages. Note that to restrict access to specific users, use the Remove button to remove All Users, and the Add button to access the Add Users dialog box. Click Next.
  9. On the Completing the New Web Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and click Finish.
  10. In the ISA Server details pane, click Apply to apply the changes you have made.

To create a rule element, follow this general procedure:

  1. Open Microsoft ISA Server Management, expand Arrays, expand the ISA Server array node, and click Firewall Policy.
  2. In the task pane, select the Toolbox tab.
  3. Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element.
  4. At the top of the list of elements, click New.
  5. Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created.
  6. Click Apply in the details pane to apply changes. If you prefer, you can click Apply after you have created your Web publishing rules (after you have made all of your changes, rather than after each change). It will take a few moments for the changes to be applied.
    Note:
    You can also create enterprise level rule elements that can be used in the creation of enterprise policy. Follow the same procedure, but in the Enterprise node, under Enterprise Policies.

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance Page (http://www.microsoft.com).

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.