ISA Server 2000 Feature Pack 1


Microsoft ISA Server 2000 Feature Pack 1, Version 1

In this scenario, you will publish a Web server that is on an internal network through the ISA Server computer, using a Web publishing rule. The Web server can handle both HTTP and HTTPS requests.

Hardware Requirements

To publish an internal Web server, you need two computers and a connection to the Internet. One computer will serve as the Web server, and will be located inside the corporate network, which will be protected by the ISA Server computer. To test the setup, you will need a computer that is external to your network, with a connection to the Internet.

Software Requirements

The ISA Server computer must have Microsoft Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 and ISA Server with Service Pack 1 installed. The Web server must have either Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 installed. Internet Information Services (IIS), which you will use to publish the Web site, is included in Windows 2000 Server, Windows 2000 Advanced Server, and Windows Server 2003.

Note: If you plan to publish SSL-secured Web pages, you must install an SSL certificate on the ISA Server computer. For more information, see "Configure bridging for SSL publishing" later in this document, and the document Digital_Certificates_for_ISA.doc.

Before You Begin

To save time during configuration, prepare this information in advance:

  • The IP addresses of the ISA Server computer's internal and external network adapters.

  • The IP address of the Web server.

Also, verify that the public name of the Web site is mapped by a public Internet DNS server to the external IP address of ISA Server.

Note: You must have administrator privileges to perform many of these tasks.

Procedures

Use the following steps to publish an internal Web server.

Step 1. Create the Web site using IIS

For details, see IIS documentation. Be aware of the location of the Web site. If the site is not the default Web site on your Web server, you must provide the correct path when creating a Web publishing rule.

Step 2. Create a destination set

Before creating a destination set, you need to understand destination sets and destination set paths.

About destination sets

The destination set for Web publishing is the public name that an external user specifies to access your Web site, such as www.adatum.com. In Web publishing scenarios, the Web server is protected from direct external access – only ISA Server is exposed to external requests. The destination set represents the ISA Server's external network adapter so that requests for your Web site will find the ISA Server when the name is resolved by a DNS server. The host name provided in the destination set must be resolvable by a DNS server on the Internet to an IP address on the external network adapter of the ISA Server computer.

About destination set paths

You can create several destination sets that specify paths. For example, for a single host name you can specify the paths /update* (any request to /update/ and paths included under it) and /info*. Both of these destination sets will resolve to the same IP address, which is the external network adapter on the ISA Server. You can create Web publishing rules that use the paths of the destination sets to direct requests to different Web servers or to different directories on a given Web server. Each rule can use different criteria, such as allowing HTTP access or SSL access depending on the path specified in the user's request.

A destination set example

If a user types https://www.adatum.com/info to reach your site, the destination set used to publish that site through ISA Server must contain www.adatum.com as the destination and /info as the specific path.

To create a destination set

  1. In the console tree of ISA Management, right-click Destination Sets, point to New, and then click Set.

  2. In the Name field, type a name for the destination set, such as Destination to Allow Publishing of Internal Web Server.

  3. (Optional) In the Description field, type a description for the destination set.

  4. Click Add and do the following:

    • Click Destination and type the public name that an external user specifies to access your Web site. This is the fully qualified domain name that resolves to an IP address of the external network adapter of the ISA Server computer.

    • (Optional) In the Path field, type a specific path that can be included in requests. You can use this path in Web publishing rules to direct requests to specific parts of the Web site.

    • Click OK.

Step 3. Create a Web listener for incoming Web requests

Web listeners are the IP addresses on the ISA Server computer that will listen for Web requests from clients. By default, when you install ISA Server, incoming Web request properties are configured so that no IP address listens for requests. You therefore must configure a Web listener to publish a Web site using a Web publishing rule.

Note: The inbound Web request listener uses port 80 on the external interface of the ISA Server. If you have IIS running on the ISA Server machine, keep in mind that by default, IIS uses port 80 on all network interfaces. You will need to stop IIS or change its default listening port to avoid a port conflict. This situation is described in the document Publishing a Web Server Located on the ISA Server.

To configure a listener for incoming Web requests

  1. In the ISA Management console, expand the Servers and Arrays node.

  2. Right-click the ISA Server computer node, and then click Properties.

  3. On the Incoming Web Requests tab, select Configure listeners individually per IP address.

  4. (Optional) If you want to listen for SSL (HTTPS) requests, select the Enable SSL listeners check box. You will be reminded that you have to configure an SSL certificate for the listener, as described later in this procedure.

  5. Click Add.

  6. In the Server list, select the ISA Server computer, which is the server that will listen for incoming Web requests.

  7. In the IP address list, click the Internet Protocol (IP) address on the server that will listen for incoming Web requests. This will be the IP address of the ISA Server network adapter that connects to the Internet.

  8. (Optional) In the Display Name box, type a name to use for this listener.

  9. If you are configuring a listener that will also listen for SSL requests, select Use a server certificate to authenticate to Web clients. Next, click Select and select the appropriate SSL certificate installed on the ISA Server computer.

  10. (Optional) Configure the authentication method for the listener.

  11. Click OK to close the Add/Edit Listeners page. The figure shows the Array Properties page after a listener has been added.

  12. Click OK to close the Array Properties page.

  13. When prompted, restart the Web proxy service.

Step 4. Create a Web publishing rule

Web publishing rules map incoming requests to the Web server behind the ISA Server computer.

To create a Web publishing rule

  1. In the console tree of ISA Management, right-click Web Publishing Rules, point to New, and then click Rule to start the New Web Publishing Rule Wizard.

  2. On the Welcome page, type the name of the rule, such as Publishing Rule for Internal Web Server, and click Next.

  3. On the Destination Sets page, select Specified Destination Set from the menu. Select the destination set created in Step 2, and click Next.

  4. On the Client Type page, leave the default option, Any request, so that any request from the Internet can reach your Web server, and click Next.

  5. On the Rule Action page, select Redirect this request to this internal Web server (name or IP address) and provide the name or IP address of the Web server. In general it is preferable to use the IP address rather than the name, as this avoids potential internal DNS server issues. If you are using bridging to SSL (as described in the next section), you must redirect requests to the Web server using the name which will match the public name of the certificate on the Web server.

  6. Leave Send the original host header to the publishing server instead of the actual one (specified above) in its default, unselected condition. For more information, see "Original Host Headers" later in this document. Click Next.

  7. Check the information on the Summary page, and then click Finish.

Step 5. Configure bridging for publishing

If you are publishing a server that requires secure SSL communication, you must have an SSL certificate installed on your ISA Server computer. In addition, you may also have an SSL certificate installed on the Web server. In either case, to ensure that SSL requests are sent from the ISA Server computer to the Web server using the appropriate protocol, you have to configure SSL bridging accordingly.

SSL Bridging is a property for each Web publishing rule. SSL bridging determines whether SSL requests received by the ISA Server computer are passed to the Web server as SSL requests or as HTTP requests, as follows:

  • If there is no SSL certificate installed on the Web server, pass SSL and HTTP requests to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.

  • If there is an SSL certificate installed on the Web server, pass SSL requests to the internal Web server as SSL requests, and HTTP requests as HTTP requests. In this case, SSL-secured communication takes place on both the client-ISA and on the ISA-Web server levels.

If your Web server has an SSL certificate, and you want ISA Server to listen for SSL requests without purchasing an additional certificate, you have to export the certificate from the Web server and import it to the ISA Server computer. For more information, see HOW TO: Export, Install, and Configure Certificates to Internet Security and Acceleration Server (https://go.microsoft.com/fwlink/?LinkID=10713).

To modify the SSL bridging configuration

  1. Click the Web Publishing Rules node.

  2. Double-click the applicable Web publishing rule.

  3. Select the Bridging tab.

  4. For the first two redirection options, select the appropriate redirection:

  • If you are using the ISA Server SSL certificate to handle SSL requests, in Redirect HTTP requests as: and Redirect SSL requests as: select HTTP requests, and then click OK. This configuration is shown in the figure.

  • If you want to continue to use an existing SSL certificate on the Web server as well as the certificate on the ISA Server, in Redirect HTTP requests as: select HTTP requests and in Redirect SSL requests as: select SSL requests, and then click OK.

Note: There are two other options available on the SSL bridging tab:

  • Require secure channel (SSL) for published site will reject HTTP requests that are received by ISA Server. This option also provides the possibility of returning 128-bit encryption for HTTPS requests.

  • Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

Step 6. Test the Web page

Open an Internet browser on the external computer. In the address field of the browser, type the URL of the Web site or the public IP address of the Web site, which is the external IP address of the ISA Server. If the Web page loads, you have successfully configured the publishing setup. If you are unable to browse to the Web site, review the procedures to verify that all of the prescribed steps were followed. If you are still unable to browse to the Web site, see the document Troubleshooting_Web_Publishing.doc.

Original Host Headers

By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA received. Select Send the original host header to the publishing server instead of the actual one (specified above) on the Rule Action page of the New Web Publishing Rule Wizard if your Web site has specific features that require the original host header, or if you are publishing two Web sites with distinct host names. Alternatively, you could create two destination sets to represent the two Web sites, and use Web publishing rules to direct the requests to the right site.
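
The following added example is not part of the original document and is not ISA Server code. It models how the destination set paths, the bridging options, and the host header setting described above combine into one forwarding decision, so that you can see which requests continue internally as plain HTTP. The first-match rule order, the treatment of a trailing * as a prefix match, the no_match result, and the internal server name and address are assumptions made for illustration.

```python
# Added illustration: a simplified model of the request mapping described on
# this page. Not ISA Server code; rule order and matching are assumptions.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    host: str                    # destination set: public name
    path: str                    # destination set path, e.g. "/info*" ("" = any)
    backend: str                 # internal Web server (name or IP address)
    ssl_as: str = "HTTP"         # Bridging tab: Redirect SSL requests as
    http_as: str = "HTTP"        # Bridging tab: Redirect HTTP requests as
    require_ssl: bool = False    # Require secure channel (SSL) for published site
    original_host: bool = False  # Send the original host header ...

def path_matches(pattern, path):
    """Assumption: a trailing * is a plain prefix match; no * means exact."""
    if not pattern:
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def route(rules, scheme, host, path):
    """Forwarding decision for one incoming request (assumed: first match wins)."""
    for r in rules:
        if r.host.lower() != host.lower() or not path_matches(r.path, path):
            continue
        if r.require_ssl and scheme == "http":
            return {"rule": r.name, "action": "reject"}
        inner = r.ssl_as if scheme == "https" else r.http_as
        return {"rule": r.name, "action": "forward", "backend": r.backend,
                "inner_scheme": "https" if inner == "SSL" else "http",
                # Default: ISA substitutes the name it uses for the internal server.
                "host_header": host if r.original_host else r.backend,
                # True when the client used SSL but the internal hop is HTTP.
                "cleartext_inside": scheme == "https" and inner == "HTTP"}
    return {"rule": None, "action": "no_match"}

# Constructed sample rules: the page's example name and paths, made-up backends.
RULES = [
    Rule("info", "www.adatum.com", "/info*", "web01.corp.example",
         ssl_as="SSL", require_ssl=True),
    Rule("update", "www.adatum.com", "/update*", "10.0.0.11", original_host=True),
]

if __name__ == "__main__":
    for req in [("https", "www.adatum.com", "/info/a.htm"),
                ("http", "www.adatum.com", "/info/a.htm"),
                ("https", "www.adatum.com", "/update/x"),
                ("http", "www.adatum.com", "/other")]:
        print(req, "->", route(RULES, *req))
```

In this model, the /update rule accepts SSL from the client but forwards as HTTP, which is the first bridging option on the page: traffic between ISA Server and the Web server is unencrypted.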

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.