ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

In this scenario, you will publish a Web server that has a public IP address and is located in a perimeter network. The Web server will handle both HTTP and HTTPS requests.

A perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) is a small network that is set up separately from an organization's private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network while preventing access to the internal corporate network.

This scenario describes a three-homed perimeter network. In a three-homed perimeter network, the ISA Server computer has three network adapters:

  • One adapter connects to the internal corporate network.

  • One adapter connects to the corporate network's servers, which are located in the perimeter network. The Internet Protocol (IP) addresses of the perimeter network must not be in the local address table (LAT).

  • One adapter connects to the Internet.

The figure illustrates this perimeter network scenario.

[Figure: three-homed perimeter network]

Hardware Configuration

To publish a Web server in a three-homed perimeter network scenario, you need:

  • A connection to the Internet.

  • A computer to serve as the ISA Server computer. The ISA Server computer must have three network adapters. One adapter will be connected to the Internet; one adapter will be connected to the perimeter network; and one adapter will be connected to the internal network.

  • A computer that will be the Web server located in the perimeter network.

  • To test the setup, a computer that is external to your network, with a connection to the Internet.

Software Requirements

The ISA Server computer must have Microsoft Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 and ISA Server with Service Pack 1 installed. The Web server must have either Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 installed. Internet Information Services (IIS), which you will use to publish the Web site, is included in Windows 2000 Server, Windows 2000 Advanced Server, and Windows Server 2003.

Note: If you plan to publish secure Web pages using SSL, you must install an SSL certificate on the perimeter Web server. For information on installing SSL certificates, see the document Digital_Certificates_for_ISA.doc.

A public IP address is needed for the Web server computer.

Before You Begin

To save time during configuration, prepare this information in advance:

  • The IP address of the ISA Server perimeter network adapter.

  • The external IP address of the ISA Server computer (the address of the adapter that is connected to the Internet).

  • The public IP address of the Web server on the perimeter network.

Note: You must have administrator privileges to perform many of these tasks.
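The addresses gathered above can be checked against the two constraints this document places on them: perimeter addresses must stay out of the LAT, and the Web server's default gateway must be the ISA Server perimeter adapter (Step 4). The following is an added example, not part of the original document or of ISA Server; the plan layout, the perimeter_subnet field, and all addresses (documentation ranges) are assumptions.

```python
import ipaddress as ip

def in_lat(addr, lat):
    """True if addr lies inside any LAT entry (inclusive From/To range)."""
    a = ip.ip_address(addr)
    return any(ip.ip_address(lo) <= a <= ip.ip_address(hi) for lo, hi in lat)

def check_plan(plan):
    """Return a list of problems found in a three-homed addressing plan."""
    problems = []
    perimeter = ip.ip_network(plan["perimeter_subnet"])
    first, last = perimeter.network_address, perimeter.broadcast_address

    # No LAT entry may overlap the perimeter network at all.
    for lo, hi in plan["lat"]:
        if ip.ip_address(lo) <= last and ip.ip_address(hi) >= first:
            problems.append(f"LAT range {lo}-{hi} overlaps perimeter {perimeter}")

    # Both perimeter-side addresses must sit in the perimeter subnet, outside the LAT.
    for key in ("web_server_ip", "isa_perimeter_ip"):
        addr = plan[key]
        if ip.ip_address(addr) not in perimeter:
            problems.append(f"{key} {addr} is not in perimeter {perimeter}")
        if in_lat(addr, plan["lat"]):
            problems.append(f"{key} {addr} is in the LAT")

    # Step 4: the Web server's default gateway is the ISA perimeter adapter.
    if ip.ip_address(plan["web_server_gateway"]) != ip.ip_address(plan["isa_perimeter_ip"]):
        problems.append("Web server default gateway is not the ISA perimeter adapter")
    return problems

# Constructed plan using documentation address ranges (not from the original page).
GOOD_PLAN = {
    "lat": [("10.0.0.0", "10.0.0.255")],
    "perimeter_subnet": "192.0.2.0/28",
    "isa_perimeter_ip": "192.0.2.1",
    "web_server_ip": "192.0.2.10",
    "web_server_gateway": "192.0.2.1",
}
# Same plan with two mistakes: the perimeter range added to the LAT, and the
# Web server pointed at the ISA external adapter instead of the perimeter one.
BAD_PLAN = dict(GOOD_PLAN,
                lat=[("10.0.0.0", "10.0.0.255"), ("192.0.2.0", "192.0.2.255")],
                web_server_gateway="203.0.113.1")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "no problems")
```
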

Procedures

Use the following steps to publish a Web server on a perimeter network.

Step 1. Create the Web site using IIS

For details, see IIS documentation.

Step 2. Enable packet filtering and IP routing

In a three-homed perimeter network you cannot use Web publishing rules to allow access to the Web server. Instead, you will enable packet filtering and IP routing (optional), and create a packet filter that specifically allows packets to pass to and from the perimeter network.

  1. In the console tree of ISA Management, right-click IP Packet Filters.

  2. Click Properties.

  3. On the General tab, select Enable packet filtering.

  4. (Optional) Select Enable IP routing. This enables routing for secondary connections. For important security information about IP routing, see the note that follows.

  5. (Optional) You may want to enable intrusion detection, filtering of IP fragments, filtering of IP options, or logging of packets from allow filters. For more information about these options, see the ISA Server documentation.

  6. Click OK.

Note: Enable both routing and packet filtering. If routing is enabled and packet filtering is not enabled, routing through the ISA Server will occur without firewall protection.

Step 3. Create an allow packet filter

An allow packet filter will allow HTTP or HTTPS communication to and from the ISA Server computer and the Web server. To allow both HTTP and HTTPS communication, you will have to create two packet filters.

  1. In the console tree of ISA Management, right-click IP Packet Filters, point to New, and then click Filter to start the New IP Packet Filter Wizard.

  2. Provide a name for the packet filter, such as Packet Filter for Perimeter Web Server, and click Next.

  3. On the Filter Mode page, verify that the Allow packet transmission option is selected by default. Click Next.

  4. On the Filter Type page, select Predefined, and from the list of predefined protocols, select HTTP server (port 80), and click Next.

  5. On the Local Computer page, select This computer (on the perimeter network), and provide the public IP address of the Web server on the perimeter network, and then click Next.

  6. On the Remote Computers page, select All remote computers, and then click Next.

  7. Check the information on the summary page, and then click Finish.

If you will also publish secure pages using SSL, define a second filter by repeating the preceding procedure. On the Filter Type page, select Predefined, and from the list of predefined protocols, select HTTPS server (port 443).

Step 4. Configure ISA Server as the default gateway on the Web server

This procedure takes place on the Web server, and establishes the ISA Server perimeter network adapter as the default gateway for the Web server.

  1. On the Web server, open Network and Dial-up Connections (Start -> Settings -> Control Panel -> Network and Dial-up Connections).

  2. Right-click Local Area Connection, and then select Properties.

  3. Click the Internet Protocol (TCP/IP) item to highlight it, and then click Properties to display its properties.

  4. In the Default Gateway field, type the IP address of the ISA Server perimeter network adapter. This is the adapter through which the Web server connects to the ISA Server computer.

  5. Click OK to close the Internet Protocol (TCP/IP) Properties page.

  6. Click OK to close the Local Area Connection Properties page.

  7. Click Close to close the Local Area Connection Status page.

Step 5. Test the Web page

Open an Internet browser on the external computer. In the address field of the browser, type the URL of the Web site or the public IP address of the Web server. If the Web page loads, you have successfully configured the publishing setup. If you are unable to browse to the Web site, review the procedures to verify that all of the prescribed steps were followed. If you are still unable to browse to the Web site, see the document Troubleshooting_Web_Publishing.doc.
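A browser test confirms only that the allowed ports work. The following added example (not part of the original document) runs on the external test computer and also confirms that ports with no allow filter are not reachable on the Web server's public IP address. The list of ports expected to be closed is a constructed sample, and the function names are assumptions.

```python
import socket
import sys

EXPECTED_OPEN = {80, 443}                 # the two allow filters from Step 3
# Constructed sample of ports that no filter allows; extend it for your server.
SHOULD_BE_CLOSED = {21, 25, 135, 139, 445, 3389}

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:        # refused, filtered (timed out) or unreachable
        return False

def audit(host, expected_open, should_be_closed, probe=tcp_open):
    """Compare what is reachable on host with what the packet filters intend."""
    missing = sorted(p for p in expected_open if not probe(host, p))
    exposed = sorted(p for p in should_be_closed if probe(host, p))
    return {"missing": missing, "exposed": exposed,
            "ok": not missing and not exposed}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py <public IP address of the perimeter Web server>")
    result = audit(sys.argv[1], EXPECTED_OPEN, SHOULD_BE_CLOSED)
    if result["missing"]:
        print("Allowed by filter but not reachable:", result["missing"])
    if result["exposed"]:
        print("Reachable but no allow filter was created:", result["exposed"])
    print("OK" if result["ok"] else "Review packet filters and IP routing settings")
    sys.exit(0 if result["ok"] else 1)
```

An entry under "Reachable but no allow filter was created" is the condition the note in Step 2 describes: traffic passing through the ISA Server computer without packet filtering in effect.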