Publishing Web Servers Using ISA Server 2004

Publishing Web Servers Using ISA Se...

Collapse All

Microsoft Internet Security and Acceleration Server 2004

Microsoft® Internet Security and Acceleration (ISA) Server 2004 uses Web publishing rules to handle issues associated with publishing Web content to the Internet, without compromising Internal network security. Web publishing rules determine how ISA Server intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server and how ISA Server responds on behalf of the Web server. Requests are forwarded downstream to an internal Web server, located behind the ISA Server computer. If possible, the request is serviced from the ISA Server cache.

Web publishing rules map incoming requests to the appropriate Web servers behind the ISA Server computer.

Scenarios

Solutions

Web Publishing and Server Publishing

You can use publishing to make content available to groups of users or to all users, typically from an Internal network or perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) server. Choose Web publishing or server publishing based on what content you are publishing. Web publishing rules are configured to make HTTP and HTTPS content available on Web servers, such as servers running Internet Information Services (IIS). Server publishing rules are configured to make content available using other protocols. Server publishing publishes an entire server through a protocol, and enables you to restrict access to specific computers or networks. You cannot publish HTTP content using server publishing rules.

Web publishing provides you detailed control over access to content. Web publishing rules are rich in features, including the following:

Mapping requests to specific internal paths. You can limit the portions of your servers that can be accessed.
Restricting access to specific users, computers, or networks. You can restrict access, to further improve security.
Requiring user authentication. User authentication can be passed through to the Web server, eliminating the need to reauthenticate at the Web server.
Providing link translation. You can handle links to internal servers.
Providing SSL bridging. You can encrypt traffic between the ISA Server computer and the Web server.

Web Listeners

By default, all incoming Web requests must be received by a Web listener. A Web listener may be used in multiple Web publishing rules.

When you configure a Web listener, you are specifying:

The network corresponding to the network adapter on the ISA Server computer that will listen for incoming Web requests. The Web listener can listen on all the Internet Protocol (IP) addresses associated with a network or on specific IP addresses.
The port number that will listen for incoming Web requests on the selected network IP addresses.
Client authentication methods (optional).

Selecting Web listener networks (IP addresses)

The Web listener network, or networks, that you select depend on the networks from which clients will connect to the published Web server. For example, if the website you are publishing allows client requests from the Internet (External network), you should select the External network for the Web listener. By selecting the External network, you are selecting the IP addresses on the ISA Server computer that are associated with the External network adapter. If you do not limit the IP addresses, all the IP addresses associated with the selected network adapter will be included in the listener configuration.

Specifying the listener port

By default, ISA Server listens on port 80 for HTTP requests. However, if connecting clients are expected to use a different port, you should change the port number accordingly. You can also enable the Web listener to listen for Secure Sockets Layer (SSL) requests (the default is port 443). If you choose SSL, an appropriate certificate must first be installed on the ISA Server computer. You must select a server certificate to be used by the Web listener, so that the ISA Server computer can authenticate itself to the client.

Defining client authentication methods

After defining a Web listener, you can edit the Web listener properties to define authentication methods for Web requests.

Note:
You can configure Integrated Windows authentication on the ISA Server computer or on the Web server, but not both. If you choose to authenticate only on the Web server, ISA Server uses pass-through authentication (Kerberos cannot be used.) For more information see KB article 886996.

Original Host Headers

By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA Server received. Select Forward the original host header instead of the actual one on the Define Website to Publish page of the New Web Publishing Rule Wizard if your website has specific features that require the original host header.

Rule Elements

An ISA Server rule element is an object that you can use to refine ISA Server rules. For example, a subnet rule element represents a subnet within a network. You can create a rule that applies only to a subnet, or a rule that applies to a whole network exclusive of the subnet.

Another example of a rule element is a user set, representing a group of users. By creating a user set and making use of it in an ISA Server rule, you can create a rule that applies only to that set of users.

You can see the rule elements that are available to you by expanding the ISA Server computer node, clicking Firewall Policy, and selecting the Toolbox tab in the task pane. There are five types of rule elements:

Protocols. This rule element type contains protocols that you can use to limit the applicability of access rules. For example, you can allow or deny access on one or more protocols, rather than on all protocols.
Users. In this rule element type, you can create a user set to which a rule will be explicitly applied, or which can be excluded from a rule.
Content types. This rule element type provides common content types to which you may want to apply a rule.
Schedules. In this rule element type, you can designate hours of the week during which the rule applies.
Network objects. In this rule element type, you can create sets of computers to which a rule will apply, or which will be excluded from a rule.

You may want to use rule elements in your Web publishing rules, to make the rules more specific. Creation of rule elements is described in Appendix B: Creating Rule Elements in this document.

Scenarios

This document describes several ISA Server 2004 Web publishing scenarios:

Publish a Web server that is located in your Internal network or perimeter network.
Publish specific folders to differing public names.
Publish two Web servers with different domain names.

Solutions

The solutions described in this document start with publishing an internal Web server or perimeter Web server, and progress to publishing specific folders, and publishing multiple Web servers behind an ISA Server 2004 computer.

Network Topology

The following sections describe the network topologies when:

Publishing a Web server on an Internal network.
Publishing a Web server on a perimeter network.

Internal Web Server

To publish a Web server on an Internal network, you need, at a minimum:

A connection to the Internet.
A computer to serve as the ISA Server computer. The ISA Server computer must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network.
A computer that will be the Web server, located in the Internal network.
To test the setup, a computer that is external to your network, with a connection to the Internet.

Perimeter Web Server

To publish a Web server on a perimeter network you need, at a minimum:

A connection to the Internet.
A computer to serve as the ISA Server computer. The ISA Server computer must have at least three network adapters. One adapter will be connected to the External network (representing the Internet), one adapter will be connected to the perimeter network, and one adapter will be connected to the Internal network.
A computer that will be the Web server, located in the perimeter network.
If you want your perimeter Web server to retrieve data from a data server on the Internal network, you need a computer to serve as the data server.
To test the setup, a computer that is external to your network, with a connection to the Internet.

Publishing a Web Server Walk-through

This walk-through guides you through the steps necessary to publish a Web server.

Publishing a Web Server Walk-through Procedure 1: Back Up Your Current Configuration

We recommend that you use the backup functionality of ISA Server to back up your configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous, backup configuration. Follow this procedure to back up the complete configuration of your ISA Server computer.

Right-click the name of the ISA Server computer, and click Back Up.
In Backup Configuration, provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identity, such as ExportBackup2June2004.
Click Back Up. If you are exporting confidential information such as user passwords, you will be prompted to provide a password, which will be needed to restore the configuration from the exported file.
When the backup operation is complete, click OK.

Note:
Because the .xml file is being used as a backup, a copy of it should be saved on another computer, in case of catastrophic failure.

Note:
Because the .xml file is being used as a backup, a copy of it should be saved on another computer, in case of catastrophic failure.

Publishing a Web Server Walk-through Procedure 2: Create the Website

Create the website or sites on the internal or perimeter computer using IIS. For details, see the IIS documentation. Be aware of the location of the website. If the site is not the default website on your Web server, you must provide the correct path when creating a Web publishing rule.

Publishing a Web Server Walk-through Procedure 3: Design and Create Web Publishing Rules

You will use Web publishing rules to publish Web servers. The following are some examples of possible Web publishing scenarios, and the rules needed for the solution. For specifics on how to use the New Web Publishing Rule Wizard, see Appendix A: Using the New Web Publishing Rule Wizard in this document. You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Publishing a Web server on an Internal network or a perimeter network

To publish a Web server on the Internal network or a perimeter network, create a Web publishing rule using the procedure in Appendix A: Using the New Web Publishing Rule Wizard in this document. Remember to click Apply in the ISA Server details pane after creating the rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab	Property	Setting	Comments
General	Name	Provide a name.	Make the name as descriptive as possible, to differentiate this rule from other rules.
General	Description	Provide a description.	Optional.
General	Enable	Select Enable.	None.
Action	Allow Deny	Select Allow.	None.
Action	Log requests matching this rule	Select if you want requests to be logged.	None.
From	This rule applies to traffic from these sources	Specify the networks to which you are publishing the website. The default selection Anywhere includes all networks.	None.
From	Exceptions	None.	You can specify a network object to which this rule will not apply. A network object is a rule element, which is described in Rule Elements earlier in this document.
To	Server	Specify the server you are publishing.	None.
To	Forward the original host header instead of the actual one	Select whether to send the original host header.	For more information, see Original Host Headers in this document.
To	Proxy requests to published server	If the Web server requires the original IP address of the external client, select Requests appear to come from the original client.	If you select Requests appear to come from the original client, make sure that the Web server€™s response to the original client is routed through the ISA Server computer.
Traffic	This rule applies to traffic of the following protocols	Set to HTTP by default.	Also provides access to the HTTP configuration properties, through the Filtering button. For more information, see Configuring HTTP policy in this document.
Listener	This rule applies to requests received on the following listener	Create a listener that listens on the external network adapter IP addresses.	The network containing the listener must be included in the sources listed on the From tab.
Public Name	This rule applies to	Select All requests.	If you are publishing more than one website on the same Web listener, you should specify Requests for the following websites (and specify the published site name) so that another rule can publish a server or directory using the same listener. When you specify Requests for the following Web sites, only requests for the name you provide will match the rule.
Paths	External Path Internal Path	Specify External: /* Specify Internal: /*	The path /* is generic, indicating that all folders are published under their own names on the Internet. An example of specific folder publication is provided later in this document.
Bridging	Specify the type of server	Select Web server or FTP server.	For details, see SSL bridging in this document.
Users	This rule applies to requests from the following user sets	Select All Users.	Limits access to a specific set of users.
Users	Exceptions	None.	You may define user sets to which this rule will not apply.
Users	Forward Basic authentication credentials (Basic delegation)	Select whether to forward Basic authentication credentials.	For details, see Allowing delegation of Basic authentication in this document.
Schedule	Schedule	Select Always.	You could limit the hours during which the website is available by creating a schedule and applying it to this rule. A schedule is a rule element, which is described in Rule Elements earlier in this document.
Link Translation	Replace absolute links in Web pages	Select whether to replace absolute links, and make dictionary entries if needed.	Link translation will only work if you specify Requests for the following Web sites (and specify the published site name) on the Public Name tab. For details, see Configuring link translation in this document.

Publishing Web server folders on the Internal or perimeter network to one domain name

You can publish specific folders on a Web server on the Internal network or on a perimeter network. In this scenario, both folders are published to the same domain. For example, you want to publish the \news folder to www.fabrikam.com/news, and the \updates folder to www.fabrikam.com/updates. To do this, follow these steps.

Create a Web publishing rule as described in the previous scenario, with the same properties. You do not have to specify any folders when creating the rule, because the New Web Publishing Rule Wizard does not provide the granularity you require for this scenario.
After you create the rule, in the Firewall Policy details pane, double-click the rule to display its properties, and select the Paths tab.
Select the default path displayed (<same as internal> to Internal Path /*) and click Remove.
Click Add to add new paths through the Path mapping dialog box.
Specify the folder that you want to publish on the website. This is the name of the folder on your Web server.
In External Path, either:
- Choose Same as published folder if you want the URL that users type to be the same folder name in their browsers. For example, if your internal folder name is /news and you selected Same as published folder, users would type http://www.fabrikam.com/news to access that folder.
- Choose The following folder to specify a different name for the folder as accessed from the Internet. For example, you may have a folder on the Web server named news03032003 that you want to publish to www.fabrikam.com/news. In that case, select The following folder and provide the name news.
In the ISA Server details pane, click Apply to apply the changes.

Publishing two Web server folders to two domain names

You can publish specific folders on a Web server on the Internal network or on a perimeter network to two different domain names. For example, you want to publish the \news folder to www.fabrikam.com, and the \updates folder to www.adatum.com. To do this, you will create two Web publishing rules, one for each domain name. To do this, follow these steps.

Create a Web publishing rule for the www.fabrikam.com site using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the next steps
On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the website that you want to publish. This can be the computer name or the IP address of the internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is its default condition. For more information, see Original Host Headers in this document. In Folder, you can specify the website folder that you want to publish, such as News. Click Next.

Note:
To publish all of the subfolders under News to www.fabrikam.com, you would provide the folder as News/*
On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.fabrikam.com.
Complete the wizard.
Create a second Web publishing rule, this time for the www.adatum.com site, using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the following steps.
On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the website that you want to publish. This can be the computer name or the IP address of the internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is its default condition. For more information, see Original Host Headers in this document. In Folder, you can specify the website folder that you want to publish, such as Update (or Update/*, to include its subfolders). Click Next.
On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.adatum.com.
Complete the wizard.
In the ISA Server details pane, click Apply to apply the changes.

Note:
To publish all of the subfolders under News to www.fabrikam.com, you would provide the folder as News/*

Publishing a Web Server Walk-through Procedure 4: Set Web Publishing Options

Web publishing in ISA Server has many options that enable you to adjust your Web publishing rule to meet your needs. Several of those options are described in the sections that follow. Whenever you make changes to a Web publishing rule, you must click Apply in the ISA Server details pane to apply the changes.

Accessing Web publishing properties

The following steps describe how to access the Web publishing properties.

Open Microsoft ISA Server Management and click Firewall Policy.
Double-click the Web publishing rule to open its properties. Alternatively, select the rule, and in the task pane on the Tasks tab, click Edit Selected Rule.

SSL bridging

If you are publishing a server that requires SSL communication, you must have a digital certificate installed on your ISA Server computer. In addition, you may have a digital certificate installed on the Web server. To ensure that HTTPS requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you must configure SSL bridging accordingly.

SSL bridging is a property for each Web publishing rule. SSL bridging determines whether HTTPS requests received by the ISA Server computer are passed to the Web server as HTTPS requests or as HTTP requests, as follows:

If there is no digital certificate installed on the Web server, SSL and HTTP requests are passed to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.

If there is a digital certificate installed on the Web server, HTTPS requests are passed to the internal Web server as HTTPS requests, and HTTP requests are passed as HTTP requests. In this case, SSL-secured communication takes place from both the external client to the ISA Server computer and from the ISA Server computer to the Web server.

Important:
We recommend that you install digital certificates on both the Web server and the ISA Server computer, and pass HTTPS requests as HTTPS. This is a more secure configuration.

If your Web server has a digital certificate, and you want ISA Server to listen for HTTPS requests without purchasing an additional certificate, you must export the certificate from the Web server and import it to the ISA Server computer. For more information, see Digital Certificates for ISA Server 2004 (http://www.microsoft.com). To modify the SSL bridging configuration, perform the following steps.

In the properties of the Web publishing rule, select the Bridging tab.
Ensure that Web server is selected.
Select redirection to HTTP port or SSL port:
- If you are using the ISA Server digital certificate to handle HTTPS requests (no digital certificate installed on the Web server), select Redirect requests to HTTP port, and then click OK.
- If you want to continue to use an existing digital certificate on the Web server as well as the certificate on the ISA Server computer, select Redirect requests to SSL port, ensure that the default port number 443 is appropriate to your network, and then click OK.

Click OK to close the Web publishing rule properties dialog box.

Note:
The option Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule To tab does not match the name on the digital (SSL) certificate. This will result in the Web client receiving a 500 Internal Server Error page.

This problem can be resolved using one of the following approaches:

Obtain a new certificate that matches the name on the server.
Change the server name on the Web publishing rule To tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server.
Change the server name on the Web publishing rule To tab to match the name on the certificate. On the ISA Server computer, in the file %WINDIR%\system32\drivers\etc\hosts, add a mapping from the server name to the IP address of the internal Web server.

Creating additional path mappings

In the Web publishing solution, you created a single path mapping, from http://www.fabrikam.com/news to the \news folder on the internal network or perimeter network Web server. You can add additional path mappings, such as http://www.fabrikam.com/archives to the \archives folder on the Web server. To add additional path mappings, follow this procedure.

In the properties of the Web publishing rule, select the Paths tab.
Select the default path displayed (<same as internal> to Internal Path /*) and click Remove.
Click Add to add new paths through the Path mapping dialog box.
Provide the name of the internal folder, for example, archives. If you leave the default External Path option, Same as published folder, the public name will be the same as the private name, archives. However, if you want your internal folder to be published to a different external name, you should select The following folder and provide the public name. With this selection, you can publish the \archives folder to http://www.fabrikam.com/Old. Click OK.
Click OK to close the Web publishing rule properties dialog box.
In the Firewall Policy details pane, click Apply to apply the changes.

Configuring link translation

Some published websites may include references to internal names of computers. Because only ISA Server€”and not the whole network€”is made available to external clients, these references could appear as broken links. ISA Server includes a link translation feature with several levels of functionality, so that you can provide the appropriate level of link connectivity:

Header link translation. This is an inherent part of any Web publishing rule, in which a link returned in a header to the client is translated to an externally recognizable URL. When the user accesses the link, it is recognized by the Web publishing rule, and forwarded to the internal server. This form of link translation is always active in any Web publishing rule. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document.
Translation of links in the body of a returned Web page. This functions in the same manner as the header link translation, but includes links returned in the body of Web pages, not just in the header. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document. Perform the following steps to enable this functionality.
1. In the properties of the Web publishing rule, select the Link Translation tab.
2. Select Replace absolute links in Web pages to enable link translation.
You can also configure the content types to which link translation will be applied. This configuration will apply to all of the Web publishing rules that use link translation. (It cannot be configured per rule.) Perform the following steps to configure the content types:
1. In the properties of the Web publishing rule, select the Link Translation tab.
2. Click Content Types, to open the Link Translation dialog box Content Types tab.
3. Select the content types to which link translation will apply, and then click OK.
Translation of links to other internal Web pages. Link translation works only for links to the Web server specified in the Web publishing rule. If you want links to other internal or perimeter Web servers to also be translated (so that the links are recognized by their respective Web publishing rules), you must provide information about how to translate each link. This information is stored by ISA Server in a link dictionary.

For example, consider a scenario where two internal Web servers are published. The Web server computers, Internal_IIS_A and Internal_IIS_B, are accessible by their publicly resolvable names www.wingtiptoys.com and www.woodgrovebank.com. The Web servers include cross-references to the published sites. However, the references are to the internal website names and not the publicly resolvable site names. Specifically, Internal_IIS_A contains references to Internal_IIS_B.

External users who access Internal_IIS_A by typing www.wingtiptoys.com will not be able to follow the links to Internal_IIS_B. By enabling link translation and creating a dictionary with entries for each of the websites, these internal links can be resolved before the page requested by the client is returned.

Important:
ISA Server cannot translate relative links. This will affect links that begin with /, such as /sports, in a situation where you are using path mappings and the external path is not the same as the internal path.

To make entries in the link translation dictionary, perform the following steps.

In the properties of the Web publishing rule, select the Link Translation tab.
Select Replace absolute links in Web pages to enable link translation.
Click Add to open the Add/Edit Dictionary Item dialog box.
In Replace this text, provide the internal link text, such as Internal_IIS_B. In With this text, provide the external link, such as www.woodgrovebank.com. Click OK.
Click OK to close the Web publishing rule properties dialog box.

Allowing delegation of Basic authentication

ISA Server can handle user authentication when the request arrives at the external listener, and then pass the authentication information to the Web server so that the user does not have to supply credentials again. To do so, perform the following procedure.

In the properties of the Web publishing rule, select the Users tab.
Select Forward Basic authentication credentials (Basic delegation).
Click OK to close the Web publishing rule properties dialog box.

Configuring HTTP policy

ISA Server is an application-layer firewall, and applies a Web filter to HTTP traffic. Because ISA Server can examine HTTP requests, applications that are tunneled through HTTP can be blocked, depending on how you configure the HTTP Web filter. This additional protection offers you the ability to reduce the vulnerability of published servers to malicious requests.

The HTTP Web filter also provides granular control over the HTTP requests allowed by your firewall policy.

You can configure HTTP policy, which encompasses the following settings:

Request header maximum length
Request payload length
Configure URL protection
Block executables
Allow or block methods
Specify actions for specific file extensions
Deny specific headers
Modify Server and Via headers
Block specific signatures

To configure HTTP policy, follow this procedure.

In the properties of the Web publishing rule, select the Traffic tab.
Click Filtering and select Configure HTTP to open the Configure HTTP policy for rule dialog box.
Select the appropriate tab and configure the policy settings.

Publishing a Web Server Walk-through Procedure 5: Test the Web Publishing Configuration

On a computer in the External network (any computer outside of your corporate networks with a connection to the Internet), open Internet Explorer, and type the URL of the website, such as http://www.fabrikam.com/news. Verify that you reach the intended page on the published Web server.

Note:
The URL of the website must resolve to the IP address of the external network adapter of the ISA Server computer for the request to be received by the ISA Server computer.

Publishing a Web Server Walk-through Procedure 6: View Website Access Information in the ISA Server Log

ISA Server will log the requests that match the Web publishing rule. Perform the following steps to view the information in the log.

In the Microsoft ISA Server Management console tree, select Monitoring.
In the Monitoring details pane, select Logging.
Create a filter so that you receive only the log information regarding website access attempts. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. The filter has three default conditions, specifying that log information from both the firewall and the Web Proxy should be provided, that the log time is Live, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query.
From the list of entries, select Log Time. From the Condition drop-down menu, select Last 24 Hours, and then click Update.
From the list of entries, select Log Record Type. From the Value drop-down menu, select Web Proxy Filter, and then click Update.
You can add another expression by selecting an item from the Filter by drop-down menu, and then providing a Condition and Value. For example, to limit the log to display access to your published Web servers, in addition to the expression Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, which you modified in Step 5, you can add Filter by: Service, Condition: Equals, and Value: Reverse Proxy.
After you have created an expression, click Add To List to add it to the query list, and then click Start Query to start the query. The Start Query command is also available in the task pane on the Tasks tab.

Appendix A: Using the New Web Publishing Rule Wizard

This procedure describes the New Web Publishing Rule Wizard in general terms. You would use the properties of the design phase in creating your rule.

Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
On the task pane, in the Tasks tab, click Publish a Web Server, to start the New Web Publishing Rule wizard.
On the Welcome page, in the Web publishing rule name field, type a name for the rule, such as Publish internal Web server, and click Next.
On the Select Rule Action page, ensure that the default Allow is selected, which will allow requests to reach your Web server according to the conditions set by the rule. Click Next.
On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the website that you want to publish. This can be the computer name or the IP address of the computer. In this example, the computer is called Internal_IIS. Verify that Forward the original host header is not selected. This is its default condition. (For more information, see Original Host Headers in this document). In Folder, you can specify the website folder that you want to publish, such as News. If you leave this field blank, you will be publishing the entire site. The use of the folder field is described later in this document. Click Next.

On the Public Name Details page, provide information regarding what requests will be received by the ISA Server computer and forwarded to the Web server. In Accepts requests for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your website. If you select This domain name and provide a specific domain name, such as www.fabrikam.com, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server computer, only requests for http://www.fabrikam.com will be forwarded to the Web server. If you specify a folder in Path, such as News, that would also be required in the request: http://www.fabrikam.com/news. The required request format is shown in Site. Click Next.

Note:
If you will be publishing under more than one domain name, such as www.fabrikam.com and www.adatum.com, you should specify the domain name in this step (do not select Any domain name), so that separate Web publishing rules for the two domains will route requests to the correct sites. Publication of multiple domain names is described in Publishing two Web server folders to two domain names in this document.

Note:

If you will be publishing under more than one domain name, such as www.fabrikam.com and www.adatum.com, you should specify the domain name in this step (do not select Any domain name), so that separate Web publishing rules for the two domains will route requests to the correct sites. Publication of multiple domain names is described in Publishing two Web server folders to two domain names in this document.

On the Select Web Listener page, specify the Web listener that will listen for Web page requests that should be redirected to your Web server, and then click Next. If you have not defined a Web listener, click New and follow these steps to create a new listener.
1. On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for internal Web publishing, and then click Next.
2. On the IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapters of ISA Server. Therefore, select External, and then click Next.
3. On the Port Specification page, make sure the HTTP port is set to 80 (default setting). If you want to receive HTTPS requests, select Enable SSL, make sure the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. This requires that you have a digital certificate installed on the ISA Server computer. For more information about certificates, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=20794). Click Next.
4. On the Completing the New Web Listener Wizard page, review the settings, and click Finish. On the Select Web Listener page, click Next.
On the User Sets page, make sure the default, All users, is displayed. This will allow any computer in the External network to access the published Web pages. Note that to restrict access to specific users, use the Remove button to remove All users, and the Add button to access the Add Users dialog box. Click Next.
On the Completing the New Web Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and click Finish.
In the ISA Server details pane, click Apply to apply the changes you have made.

Appendix B: Creating Rule Elements

Follow this general procedure to create a rule element.

Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.
In the task pane, select the Toolbox tab.
Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element.
At the top of the list of elements, click New.
Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created.
Click Apply in the details pane to apply changes. If you prefer, you can click Apply after you have created your Web publishing rules, that is, after you have made all of your changes, rather than after each change. It will take a few moments for the changes to be applied.