Export (0) Print
Expand All

ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

In this scenario, you will have a single computer host both ISA Server and Internet Information Services (IIS). You will publish a Web site to the Internet using a Web publishing rule. The Web server can handle both HTTP and HTTPS requests.

On This Page

Hardware Requirements
Software Requirements
Before You Begin
Procedures
Original Host Headers

Hardware Requirements

To publish a Web server on an ISA Server computer, you need one computer with two network adapters. The computer will serve as the ISA Server computer and the Web server. One network adapter will be connected to the Internet, and the second network adapter will be connected to the internal network. To test the setup, you will need a computer that is external to your network, with a connection to the Internet.

Software Requirements

The ISA Server computer must have either Microsoft Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 and ISA Server with Service Pack 1installed. Internet Information Services (IIS), which you will use to publish the Web site, is included in Windows 2000 Server, Windows 2000 Advanced Server, and Windows Server 2003.

Note: If you plan to publish SSL-secured Web pages, you must install an SSL certificate on the ISA Server computer. For more information, see "Configure bridging for SSL publishing" later in this document, and the document Digital_Certificates_for_ISA.doc.

Before You Begin

To save time during configuring, prepare this information in advance:

  • The IP addresses of the ISA Server computer's internal and external network adapters.

Also, verify that the public name of the Web site is mapped by a public Internet DNS server to the external IP address of ISA Server.

Note: You must have administrator privileges to perform many of these tasks.

Procedures

Use the following steps to publish a Web server located on the ISA Server.

Step 1. Create the Web site using IIS

For details, see the IIS documentation.. Be aware of the location of the Web site. If the site is not the default Web site, you must provide the correct path when creating a Web publishing rule.

Step 2. Configure IIS

ISA Server listens for incoming Web requests on port 80 of the external network adapter, and for incoming SSL requests on port 443. By default, IIS also listens on port 80 on all adapters for incoming Web requests, and port 443 for incoming SSL requests. To avoid this port conflict configure IIS to listen on a port other than port 80, for example, port 8888, and to listen for SSL requests on a port other than port 443, such as port 4444. Take note of these port numbers as you will need them later when configuring a Web publishing rule. Also, you must configure IIS to only listen for incoming web requests on the computer's internal network adapters IP address. Otherwise, IIS will expose an external listening port, bypassing ISA Server.

To configure IIS

  1. Open Internet Service Manager and expand the server node.

  2. Right-click the Default Web Site node and click Properties.

  3. On the Web Site tab:

    • Change the IP address to reflect the address of the internal network adapter.

    • Change the TCP port to a number other than 80, and greater than 1024.

    • (Optional for SSL publishing) Change the SSL port to a number other than 443, and greater than 1024. This field is only enabled if there is an SSL certificate installed on the computer.

  4. Click OK and restart Internet Information Services.

Step 3. Create a destination set

Before creating a destination set, an understanding of destination sets and destination set paths is needed.

About destination sets

The destination set for Web publishing is the public name that an external user specifies to access your Web site, such as www.adatum.com. In Web publishing scenarios, the Web server is protected from direct external access – only ISA Server is exposed to external requests. The destination set represents the ISA Server's external network adapter so that requests for your Web site will find the ISA Server when the name is resolved by a DNS server. The host name provided in the destination set must be resolvable by a DNS server on the Internet to an IP address on the external network adapter of the ISA Server computer.

About destination set paths

You can create several destination sets that specify paths. For example, for a single host name you can specify the paths /update* (any request to /update/ and paths included under it) and /info*. Both of these destination sets will resolve to the same IP address, which is the external network adapter on the ISA Server. You can create Web publishing rules that use the paths of the destination sets to direct requests to different web servers or to different directories on a given Web server. Each rule can use different criteria, such as allowing HTTP access or SSL access depending on path specified in the user's request.

A destination set example

If a user would type http://www.adatum/com/info to reach your site, the destination set to be used to publish the above site through ISA must contain www.adatum.com in the destination section and the path /info in as the specific path of the destination set.

To create a destination set

  1. In the console tree of ISA Management, right-click Destination Sets, point to New, and then click Set.

  2. In the Name field, type a name for the destination set, such as Internal Web Server as Destination.

  3. (Optional) In the Description field, type a description for the destination set.

  4. Click Add and do the following:

    • Click Destination and type the public name that an external user specifies to access your Web site. This is the fully qualified domain name that resolves to an IP address of the external network adapter of the ISA Server computer.

      Cc751014.pwisa01(en-us,TechNet.10).gif

    • (Optional) In the Path field, type a specific path that can be included in requests. You can use this path in Web publishing rules to direct requests to specific parts of the Web site.

  5. Click OK.

Step 4. Create a Web listener for incoming Web requests

Web listeners are the IP addresses on the ISA Server computer that will listen for Web requests from clients. By default, when you install ISA Server, incoming Web request properties are configured so that no IP address listens for requests. You therefore must configure a Web listener to publish a Web site using a Web publishing rule. The incoming Web listener uses port 80 on the external interface of the ISA Server.

To configure a listener for incoming Web requests

  1. In the ISA Management console, expand the Servers and Arrays node.

  2. Right-click the ISA Server computer node, and then click Properties.

  3. On the Incoming Web Requests tab, select Configure listeners individually per IP address.

  4. (Optional) If you want to listen for SSL (HTTPS) requests, select the Enable SSL listeners check box. You will be reminded that you must configure an SSL certificate for the listener, as described later in this procedure.

  5. Click Add.

  6. In the Server list, select the ISA Server computer, which is the server that will listen for incoming Web requests.

  7. In the IP address list, click the Internet Protocol (IP) address on the server that will listen for incoming Web requests. This will be the IP address of the ISA Server network adapter that connects to the Internet.

  8. (Optional) In the Display Name box, type a name to use for this listener.

  9. If you are configuring a listener that will also listen for SSL requests, select Use a server certificate to authenticate to Web clients. Next, click Select and select the appropriate SSL certificate installed on the ISA Server computer.

  10. (Optional) Configure the authentication method for the listener.

  11. Click OK to close the Add/Edit Listeners page. The figure shows the Array Properties page after a listener has been added.

    Cc751014.pwisa02(en-us,TechNet.10).gif

  12. Click OK to close the Array Properties page.

  13. When prompted, restart the Web proxy service.

Step 5. Create a Web publishing rule

Web publishing rules map incoming requests to the Web server on the ISA Server computer.

To create a Web publishing rule

  1. In the console tree of ISA Management, right-click Web Publishing Rules, point to New, and then click Rule to start the New Web Publishing Rule Wizard.

  2. On the Welcome page, type the name of the rule, such as Publishing Rule for local Web Server, and click Next.

  3. On the Destination Sets page, select Specified Destination Set from the menu. Select the destination set created in Step 3, and click Next.

  4. On the Client Type page, leave the default option, Any request, so that any request from the Internet can reach your Web server, and click Next.

  5. On the Rule Action page, select Redirect this request to this internal Web server (name or IP address) and provide the ISA Server internal IP address.

  6. Leave Send the original host header to the publishing server instead of the actual one (specified above) in its default, unselected condition. For more information, see "Original Host Headers" later in this document. Click Next

  7. In the Connect to this port when bridging request as HTTP field, provide the port used by IIS to publish the Web server, and then click Next.

  8. Check the information on the Summary page, and then click Finish.

Step 6. Configure bridging for SSL publishing

If you are publishing a server that requires secure SSL communication, you must have an SSL certificate installed on your ISA Server computer. In addition, you may also have an SSL certificate installed on the Web server. In either case, to ensure that SSL requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you have to configure SSL bridging accordingly.

SSL Bridging is a property for each Web publishing rule. SSL bridging determines whether SSL requests received by the ISA Server computer are passed to the Web server as SSL requests or as HTTP requests, as follows:

  • If there is no SSL certificate installed on the Web server, pass SSL and HTTP requests to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.

  • If there is an SSL certificate installed on the Web server, pass SSL requests to the internal Web server as SSL requests, and HTTP requests as HTTP requests. In this case, SSL-secured communication takes place on both the client-ISA and on the ISA-Web server levels.

In the case of a Web server located on the ISA Server, you will have a single certificate associated with the ISA Server. To modify the SSL bridging configuration for this case:

  1. Click the Web Publishing Rules node.

  2. Double-click the applicable Web publishing rule.

  3. Select the Bridging tab.

  4. In the Redirect HTTP requests as: option, select HTTP requests.

  5. In the Redirect SSL requests as: option, select HTTP requests. This configuration is shown in the figure.

    Cc751014.pwisa03(en-us,TechNet.10).gif

  6. Click OK.

Step 7. Test the Web page

Open an Internet browser on the external computer. In the address field of the browser, type the URL of the Web site or the public IP address of the Web server. If the Web page loads, you have successfully configured the publishing setup. If you are unable to browse to the Web site, review the procedures to verify that all of the prescribed steps were followed. If you are still unable to browse to the Web site, see the document Troubleshooting_Web_Publishing.doc.

Original Host Headers

By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA received. Select Send the original host header to the publishing server instead of the actual one (specified above) on the Rule Action page of the New Web Publishing Rule Wizard if your Web site has specific features that require the original host header, or if you are publishing two Web sites with distinct host names. Alternatively, you could create two destination sets to represent the two Web sites, and use Web publishing rules to direct the requests to the right site.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft