ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

In this scenario, you will create a Web site on a Web server that has a private IP address and is located in a back-to-back perimeter network. The Web server will handle both HTTP and HTTPS requests.

A perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) is a small network that is set up separately from an organization's private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network while preventing access to the internal corporate network.

This scenario describes a back-to-back perimeter network. In a back-to-back perimeter network, two ISA Server computers are hooked up to each other. One ISA Server computer is also connected to the Internet and the other is also connected to the local network. The perimeter network resides between the two servers. Both ISA Server computers are set up in integrated or firewall mode.

The figure illustrates this perimeter network:

[Figure: back-to-back perimeter network, with the Web server between ISA Server computer 1 (Internet side) and ISA Server computer 2 (internal side)]

On This Page

Hardware Requirements
Software Requirements
Before You Begin
Procedures
Original Host Headers
Additional Configuration Options
Allow access from the internal network to the Internet
Allow Perimeter Web Server Access to Internal Data Servers

Hardware Requirements

To publish a Web server in a back-to-back perimeter network scenario, you need four computers, a hub, and a connection to the Internet.

Two computers will serve as the ISA Server computers. Each ISA Server computer must have two network adapters.

  • ISA Server computer 1: One adapter will be connected to the Internet and one adapter will be connected to the hub/perimeter network.

  • ISA Server computer 2: One adapter will be connected to the computer representing the internal network (or to the real internal network) and one adapter will be connected to the hub/perimeter network.

One computer will be the Web server located in the perimeter network. It is recommended that this computer have a private IP address. This computer must connect to the hub.

One computer will represent the internal network. If not a test scenario, the internal network adapter can be connected to the actual internal network. To test the setup, you will also need a computer that is external to your network, with a connection to the Internet.

Software Requirements

Each ISA Server computer must have Microsoft Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 and ISA Server with Service Pack 1 installed. The Web server must have either Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 installed. Internet Information Services (IIS), which you will use to publish the Web site, is included in Windows 2000 Server, Windows 2000 Advanced Server, and Windows Server 2003.

Note: If you plan to publish SSL-secured Web pages, you must install an SSL certificate on the ISA Server computer. For more information, see "Configure bridging for SSL publishing" later in this document, and the document Digital_Certificates_for_ISA.doc.

Before You Begin

To save time during configuration, prepare this information in advance:

  • The IP address of ISA Server computer 1's perimeter network adapter (the adapter that is connected to the hub).

  • The external IP address of ISA Server computer 1 (the address of the network adapter that is connected to the Internet).

  • The IP address of ISA Server computer 2's perimeter network adapter (the adapter that is connected to the hub).

  • The IP address of ISA Server computer 2's internal network adapter (the adapter that is connected to the internal network).

  • The private IP address of the Web server on the perimeter network.

Also, verify that the public name of the Web site is mapped by a public Internet DNS server to the external IP address of ISA Server computer 1.

Note: You must have administrator privileges to perform many of these tasks.

Procedures

Use the following steps to publish a Web server on a back-to-back perimeter network.

Step 1. Create the Web site using IIS

For details, see IIS documentation.

Step 2. Configure the LAT on ISA Server computer 1

Configure the local address table (LAT) on the ISA Server computer connected to the Internet (ISA Server computer 1) to include the IP address of the ISA Server connected to the corporate network and the private IP address of the Web server in the perimeter network. For information on how to make changes to the LAT, see the product documentation.

Step 3. Configure the LAT on ISA Server computer 2

Configure the LAT on the ISA Server computer that is connected to the corporate network (ISA Server computer 2) to include the IP addresses of the computers in the corporate network. This is most easily done during the installation of ISA Server software on the computer. If you have to make adjustments to the LAT, follow the instructions in the ISA Server product documentation. It is important that the Web server in the perimeter network not be included in the LAT of this ISA Server computer. This isolates the perimeter network from your internal network.

Step 4. Create a destination set

Before creating a destination set, an understanding of destination sets and destination set paths is needed.

About destination sets

The destination set for Web publishing is the public name that an external user specifies to access your Web site, such as www.adatum.com. In Web publishing scenarios, the Web server is protected from direct external access – only the ISA Server computer that is connected to the Internet (ISA Server computer 1) is exposed to external requests. The Web publishing destination set represents the ISA Server's external network adapter so that requests for your Web site will find the ISA Server when the name is resolved by a DNS server. The host name provided in the destination set must be resolvable by a DNS server on the Internet to an IP address on the external network adapter of the ISA Server computer that is connected to the Internet.

About destination set paths

You can create several destination sets that specify paths. For example, for a single host name you can specify the paths /update* (any request to /update/ and paths included under it) and /info*. Both of these destination sets will resolve to the same IP address, which is the external network adapter on the ISA Server. You can create Web publishing rules that use the paths of the destination sets to direct requests to different Web servers or to different directories on a given Web server. Each rule can use different criteria, such as allowing HTTP access or SSL access depending on the path specified in the user's request.

A destination set example

If a user types https://www.adatum.com/info to reach your site, the destination set used to publish the site through ISA Server must contain www.adatum.com as the destination and /info as the path of the destination set.

Perform this step on ISA Server computer 1, which is connected to the Internet and to the perimeter network.

To create a destination set

  1. In the console tree of ISA Management, right-click Destination Sets, point to New, and then click Set.

  2. In the Name field, type a name for the destination set, such as Destination to Allow Publishing of Perimeter Web Server.

  3. (Optional) In the Description field, type a description for the destination set.

  4. Click Add and do the following:

    • Click Destination and type the public name that an external user specifies to access your Web site. This is the fully qualified domain name that resolves to an IP address of the external network adapter of the ISA Server computer.


    • (Optional) In the Path field, type a specific path that can be included in requests. You can use this path in Web publishing rules to direct requests to specific parts of the Web site.

  5. Click OK.

Step 5. Create a Web listener for incoming Web requests

Web listeners are the IP addresses on the ISA Server computer that will listen for Web requests from clients. By default, when you install ISA Server, incoming Web request properties are configured so that no IP address listens for requests. You therefore must configure a Web listener to publish a Web site using a Web publishing rule.

Perform this step on ISA Server computer 1, which is connected to the Internet and to the perimeter network.

To configure a listener for incoming Web requests

  1. In the ISA Management console, expand the Servers and Arrays node.

  2. Right-click the ISA Server computer node, and then click Properties.

  3. On the Incoming Web Requests tab, select Configure listeners individually per IP address.

  4. (Optional) If you want to listen for SSL (HTTPS) requests, select the Enable SSL listeners check box. You will be reminded that you have to configure an SSL certificate for the listener, as described later in this procedure.

  5. Click Add.

  6. In the Server list, select the ISA Server computer, which is the server that will listen for incoming Web requests.

  7. In the IP address list, click the Internet Protocol (IP) address on the server that will listen for incoming Web requests. This is the IP address of the ISA Server network adapter that connects to the Internet.

  8. (Optional) In the Display Name box, type a name to use for this listener.

  9. If you are configuring a listener that will also listen for SSL requests, select Use a server certificate to authenticate to Web clients. Next, click Select and select the appropriate SSL certificate installed on ISA Server computer 1.

  10. (Optional) Configure the authentication method for the listener.

  11. Click OK to close the Add/Edit Listeners page. The figure shows the Array Properties page after a listener has been added.

    [Figure: Array Properties page, Incoming Web Requests tab, with the new listener listed]

  12. Click OK to close the Array Properties page.

  13. When prompted, restart the Web proxy service.

Step 6. Create a Web publishing rule

Web publishing rules map incoming requests to the Web server behind the ISA Server computer. Create the Web publishing rule on ISA Server computer 1, which is connected to the Internet and to the perimeter network.

To create a Web publishing rule

  1. In the console tree of ISA Management, right-click Web Publishing Rules, point to New, and then click Rule to start the New Web Publishing Rule Wizard.

  2. On the Welcome page, type the name of the rule, such as Publishing Rule for Perimeter Web Server, and click Next.

  3. On the Destination Sets page, select Specified Destination Set from the menu. Select the destination set created in Step 4, and click Next.

  4. On the Client Type page, leave the default option, Any request, so that any request from the Internet can reach your Web server, and click Next.

  5. On the Rule Action page, select Redirect this request to this internal Web server (name or IP address) and provide the name or IP address of the Web server in the perimeter network. In general, it is preferable to use the IP address rather than the name, as this avoids potential internal DNS server issues.

  6. Leave Send the original host header to the publishing server instead of the actual one (specified above) in its default, unselected condition. For more information, see "Original Host Headers" later in this document. Click Next.

  7. Check the information on the Summary page, and then click Finish.

Step 7. Configure bridging for SSL publishing

If you are publishing a server that requires secure SSL communication, you must have an SSL certificate installed on your ISA Server computer. In addition, you may also have an SSL certificate installed on the Web server. In either case, to ensure that SSL requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you have to configure SSL bridging accordingly.

SSL Bridging is a property for each Web publishing rule. SSL bridging determines whether SSL requests received by the ISA Server computer are passed to the Web server as SSL requests or as HTTP requests, as follows:

  • If there is no SSL certificate installed on the Web server, pass SSL and HTTP requests to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.

  • If there is an SSL certificate installed on the Web server, pass SSL requests to the internal Web server as SSL requests, and HTTP requests as HTTP requests. In this case, SSL-secured communication takes place on both the client-ISA and on the ISA-Web server levels.

If your Web server has an SSL certificate, and you want ISA Server to listen for SSL requests without purchasing an additional certificate, you have to export the certificate from the Web server and import it to the ISA Server computer. For more information, see HOW TO: Export, Install, and Configure Certificates to Internet Security and Acceleration Server (https://go.microsoft.com/fwlink/?LinkID=10713).

To modify the SSL bridging configuration

  1. Click the Web Publishing Rules node.

  2. Double-click the applicable Web publishing rule.

  3. Select the Bridging tab.

  4. For the first two redirection options, select the appropriate redirection:

    • If you are using the ISA Server SSL certificate to handle SSL requests, in Redirect HTTP requests as: and Redirect SSL requests as: select HTTP requests, and then click OK. This configuration is shown in the figure.

      [Figure: Bridging tab with both Redirect HTTP requests as: and Redirect SSL requests as: set to HTTP requests]

    • If you want to continue to use an existing SSL certificate on the Web server as well as the certificate on the ISA Server, in Redirect HTTP requests as: select HTTP requests and in Redirect SSL requests as: select SSL requests, and then click OK.

Note: There are two other options available on the SSL bridging tab:

  • Require secure channel (SSL) for published site will reject HTTP requests that are received by ISA Server. This option also provides the possibility of requiring 128-bit encryption for HTTPS requests.

  • Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

Step 8. Test the Web page

Open an Internet browser on the external computer. In the address field of the browser, type the URL of the Web site or the public IP address of the Web server, which is the external IP address of the ISA Server computer. If the Web page loads, you have successfully configured the publishing setup. If you are unable to browse to the Web site, review the procedures to verify that all of the prescribed steps were followed. If you are still unable to browse to the Web site, see the document Troubleshooting_Web_Publishing.doc.

Original Host Headers

By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA received. Select Send the original host header to the publishing server instead of the actual one (specified above) on the Rule Action page of the New Web Publishing Rule Wizard if your Web site has specific features that require the original host header, or if you are publishing two Web sites with distinct host names. Alternatively, you could create two destination sets to represent the two Web sites, and use Web publishing rules to direct the requests to the right site.
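As an added example (not part of this document or of ISA Server's own code), the following Python model shows how the destination set, SSL bridging and host header settings described above decide what ISA Server computer 1 sends on to the perimeter Web server. The two-rule policy, the rule order and the 10.0.0.5 address are constructed assumptions, and ISA's trailing-asterisk path wildcard is approximated with fnmatch.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DestinationSet:
    """Public host name plus a path pattern (ISA's wildcard is a trailing '*')."""
    name: str
    host: str
    path: str = "/*"  # no path given = the whole site

    def matches(self, host: str, path: str) -> bool:
        return host.lower() == self.host.lower() and fnmatchcase(path, self.path)


@dataclass(frozen=True)
class WebPublishingRule:
    """The settings of one Web publishing rule that this model takes into account."""
    name: str
    destination: DestinationSet
    internal_server: str                      # IP preferred over a name (Step 6)
    redirect_http_as: str = "http"            # Bridging tab: Redirect HTTP requests as
    redirect_ssl_as: str = "http"             # Bridging tab: Redirect SSL requests as
    require_ssl: bool = False                 # Require secure channel (SSL) for published site
    send_original_host_header: bool = False   # Rule Action page check box


@dataclass(frozen=True)
class Forward:
    rule: str
    backend_url: str  # what ISA Server computer 1 sends into the perimeter network
    host_header: str  # Host header the Web server will see


def apply_rules(request_url: str, rules: List[WebPublishingRule]) -> Optional[Forward]:
    """Return how the first matching rule forwards request_url, or None when no
    rule matches or the request is rejected (plain HTTP to a rule requiring SSL)."""
    parts = urlsplit(request_url)
    scheme, host, path = parts.scheme.lower(), parts.hostname or "", parts.path or "/"
    for rule in rules:                        # rules are evaluated in order
        if not rule.destination.matches(host, path):
            continue
        if scheme == "http" and rule.require_ssl:
            return None                       # rejected at ISA Server computer 1
        backend_scheme = rule.redirect_ssl_as if scheme == "https" else rule.redirect_http_as
        host_header = host if rule.send_original_host_header else rule.internal_server
        query = f"?{parts.query}" if parts.query else ""
        return Forward(rule.name, f"{backend_scheme}://{rule.internal_server}{path}{query}",
                       host_header)
    return None


# Constructed sample policy. 10.0.0.5 is a made-up private address for the
# perimeter Web server; www.adatum.com is the public name used on this page.
WEB_SERVER = "10.0.0.5"
RULES = [
    # /info* stays encrypted end to end: the Web server has its own certificate,
    # so SSL is bridged as SSL, and plain HTTP to these pages is rejected.
    WebPublishingRule(
        name="Publish /info (SSL required)",
        destination=DestinationSet("Secure info pages", "www.adatum.com", "/info*"),
        internal_server=WEB_SERVER,
        redirect_ssl_as="https",
        require_ssl=True,
    ),
    # Rest of the site: ISA terminates SSL and continues as HTTP (Step 7, first
    # option) and passes the original host header because the site depends on it.
    WebPublishingRule(
        name="Publish whole site",
        destination=DestinationSet("Perimeter Web server", "www.adatum.com"),
        internal_server=WEB_SERVER,
        send_original_host_header=True,
    ),
]
```

Because the first matching rule wins, the more specific /info* rule must precede the whole-site rule; reversing them would silently let the whole-site rule terminate SSL for the /info pages.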

Additional Configuration Options

In addition to the basic back-to-back perimeter network configuration, you may want to:

  • Allow access from the internal network to the Internet.

  • Allow perimeter Web server access to internal data servers.

Allow access from the internal network to the Internet

Because the internal network is separated from the Internet by two ISA Server computers, you must create site and content rules and protocol rules on both ISA Server computers to ensure that there is access from the internal network to the Internet. You will represent the internal network using a client address set. You also will configure ISA Server computer 1 as the default gateway for ISA Server computer 2.

Step A-1. Create a site and content rule

Create a site and content rule on ISA Server computer 2, which is connected to the internal network.

To create a site and content rule for the internal ISA Server computer

  1. In the console tree of ISA Management, right-click Site and Content Rules, point to New, and then click Rule to start the New Site and Content Rule Wizard.

  2. On the Welcome page, provide a name for the rule, such as Allow site and content for internal clients, and then click Next.

  3. On the Rule Action page, select Allow, and then click Next.

  4. On the Rule Configuration page, select Allow access based on destination, and then click Next.

  5. On the Destination Sets page, verify that All destinations is selected, and then click Next.

  6. Check the information on the Summary page, and then click Finish.

Step A-2. Create a protocol rule

Create a protocol rule on ISA Server computer 2.

To create a protocol rule for the internal ISA Server computer

  1. In the console tree of ISA Management, right-click Protocol Rules, point to New, and then click Rule to start the New Protocol Rule Wizard.

  2. On the Welcome page, provide a name for the rule, such as Allow protocols for internal clients, and then click Next.

  3. On the Rule Action page, confirm that Allow is selected, and then click Next.

  4. On the Protocol page, confirm that All IP traffic is selected, and then click Next. You can also limit access to certain protocols by choosing Selected Protocols, and then selecting specific protocols from the menu.

  5. On the Schedule page, confirm that Always is selected, and then click Next. You can also limit access to specific hours of the day by selecting a schedule other than Always from the menu. For more information about creating and using schedules, see the ISA Server documentation.

  6. On the Client Type page, select Any request, and then click Next.

  7. Check the information on the Summary page, and then click Finish.

ISA Server computer 1 does not "see" the internal corporate network; it only sees ISA Server computer 2 and the Web server. You therefore have to create:

  • A client address set on ISA Server computer 1, representing ISA Server computer 2.

  • A site and content rule on ISA Server computer 1, allowing access for ISA Server computer 2.

  • A protocol rule on ISA Server computer 1, allowing protocol use by ISA Server computer 2.

Step A-3. Create a client address set

Create a client address set representing ISA Server computer 2. Perform this procedure on ISA Server computer 1.

To create a client address set

  1. In the console tree of ISA Management, right-click Client Address Sets, point to New, and then click Set.

  2. On the Client Set dialog box, provide a name for the client address set, such as ISA Server computer 2. You can also provide a description for the set (optional).

  3. Click Add.

  4. In the Add/Edit IP Addresses dialog box, provide the IP address of the external network adapter on ISA Server computer 2 in both the From and To fields, and then click OK.

  5. Click OK in the Client Set dialog box.

Step A-4. Create a site and content rule

Create a site and content rule allowing access from ISA Server computer 2 (internal) to ISA Server computer 1 (external). Perform this procedure on ISA Server computer 1.

To create a site and content rule

  1. In the console tree of ISA Management, right-click Site and Content Rules, point to New, and then click Rule to start the New Site and Content Rule Wizard.

  2. On the Welcome page, provide a name for the rule, such as Allow site and content for internal clients behind ISA Server computer 2, and then click Next.

  3. On the Rule Action page, select Allow, and then click Next.

  4. On the Rule Configuration page, select Allow some clients access to all external sites, and then click Next.

  5. On the Client Type page, select Specific Computer (client address sets), and then click Next.

  6. On the Client Sets page, click Add.

  7. On the Add Client Sets page, select the client address set that represents ISA Server computer 2, click Add, and then click OK.

  8. Click Next.

  9. Check the information on the Summary page, and then click Finish.

Step A-5. Create a protocol rule

Create a protocol rule on ISA Server computer 1 to allow protocol use by ISA Server computer 2.

To create a protocol rule

  1. In the console tree of ISA Management, right-click Protocol Rules, point to New, and then click Rule to start the New Protocol Rule Wizard.

  2. On the Welcome page, provide a name for the rule, such as Allow protocols for internal clients, and then click Next.

  3. On the Rule Action page confirm that Allow is selected, and then click Next.

  4. On the Protocol page, confirm that All IP traffic is selected, and then click Next. You can also limit access to certain protocols by choosing Selected Protocols, and then selecting specific protocols from the menu.

  5. On the Schedule page, confirm that Always is selected, and then click Next. You can also limit access to specific hours of the day by selecting a schedule other than Always from the menu. For more information about creating and using schedules, see the ISA Server documentation.

  6. On the Client Type page, select Specific Computer (client address sets), and then click Next.

  7. On the Client Sets page, click Add.

  8. On the Add Client Sets page, select the client address set that represents ISA Server computer 2, click Add, and then click OK.

  9. Click Next.

  10. Check the information on the Summary page, and then click Finish.

Step A-6. Configure the default gateway

Configure ISA Server computer 1 as the default gateway for ISA Server computer 2. Perform this procedure on ISA Server computer 2.

To configure the default gateway for ISA Server computer 2

  1. On ISA Server computer 2, open Network and Dial-up Connections (Start -> Settings -> Control Panel -> Network and Dial-up Connections).

  2. Right-click Local Area Connection and select Properties.

  3. Click the Internet Protocol (TCP/IP) item to highlight it, and then click Properties to display its properties.

  4. In the Default Gateway field, type the IP address of the ISA Server computer 1 internal network adapter. This is the adapter that connects ISA Server computer 1 to the hub, and thereby to the internal network.

  5. Click OK to close the Internet Protocol (TCP/IP) Properties page.

  6. Click OK to close the Local Area Connection Properties page.

Step A-7. Test internal client access to the Internet

Open an Internet browser on an internal (corporate network) computer and browse to a Web site permitted by your ISA policy. If the Web page loads, you have configured the chaining correctly.

Allow Perimeter Web Server Access to Internal Data Servers

Your Web servers may require access to data servers on the internal network. To allow this, publish your internal data server using a server publishing rule on ISA Server computer 2.

Step B-1. Create a client address set

You can use a client address set to define a group of computers (such as the Web servers) that will have access to the data servers. The client address set will be recognized by the server publishing rule only if IP packet filtering is enabled. Otherwise, the server publishing rule will apply to all clients. The procedure for enabling IP packet filtering is included in this step.

Perform this step on ISA Server computer 2, which is connected to the perimeter network and the internal network.

To create a client address set

  1. In the console tree of ISA Management, right-click Client Address Sets, point to New, and then click Set.

  2. In the Name field, type a name for the set, such as Perimeter Web Server (access to data server).

  3. (Optional) In the Description field, type a description for the set.

  4. Click Add.

  5. In the From field, type the IP address of the Web server.

  6. (Optional) If you have more than one Web server that requires access to the data server, you can input an IP address in the To field, which creates a range of IP addresses for the client address set. If you have several Web servers that don't fall into a range of addresses, click Add to add each address separately.

  7. Click OK.

  8. In the Access Policy node of ISA Management, right-click IP Packet Filters, and then click Properties.

  9. On the IP Packet Filters Properties dialog box, select Enable Packet Filtering, then click OK.

Step B-2. Create a server publishing rule

ISA Server uses server publishing to process incoming requests to internal servers. Perform this step on ISA Server computer 2.

To create a server publishing rule

  1. In the console tree of ISA Management, right-click Server Publishing Rules, point to New, and then click Rule.

  2. In the Server Publishing Rule Name field, type a name for the rule, such as Publish Data Server to Perimeter Web Server, and then click Next.

  3. On the Address Mapping page, enter the IP address of the internal server and the IP address of the external network adapter of ISA Server computer 2, and then click Next.

  4. On the Protocol Settings page, select the protocol appropriate for communication with the data server.

  5. On the Client Type page, select Specific Computers, and then click Next.

  6. On the Client Sets page, specify the client address set created in Step B-1.

  7. Check the information on the Summary page, and then click Finish.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.