Link Translation Concepts in ISA Server 2006

Web pages returned from a Web server published by a Microsoft® Internet Security and Acceleration (ISA) Server 2006 Web publishing rule may include links containing internal names of computers or Web sites and internal paths to Web content. Because external clients cannot resolve these internal names, these links will be broken unless the internal names are replaced by the public names of published Web sites. ISA Server includes a built-in Web filter named Link Translation Filter, which uses mappings to translate internal names in links on Web pages to publicly resolvable names. Each mapping translates an internal URL (or part of a URL) to a public equivalent. For example, a mapping can translate the internal URL https://team to the public URL https://www.team.contoso.com. Link translation mappings are stored in tables called link translation dictionaries.

When link translation is enabled for a Web publishing rule, a default link translation dictionary is automatically created for each public name of the rule that does not contain a wildcard character (*).

ISA Server 2006 includes link translation support for all published Web content, including support for Web publishing rules that publish servers running Microsoft Exchange Server and Microsoft Office SharePoint® Portal Server. Link translation is not applied to rules that publish FTP servers over HTTP.

Types of Mappings

When link translation is enabled for a Web publishing rule, links in content sent from the published Web site to a client are translated according to the following mappings, which are stored in the effective link translation dictionary for the rule:

  • Implicit mappings of the rule. These mappings are added automatically and map the internal name (or IP address) of the server published by the Web publishing rule to the public name (or IP address) of the Web site, or if there are multiple public names, to one of its public names.
  • Local mappings. These mappings are created by the user for the rule and map a string containing an internal host name to a string containing a publicly resolvable host name. The string to be translated must contain at least four characters. A local mapping can override an implicit mapping of the rule. Local mappings are not added automatically to the effective link translation dictionaries of other rules.
  • Implicit mappings of other rules. These mappings are automatically added to the effective link translation dictionary of every Web publishing rule that is defined and enabled and has link translation enabled in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition). These mappings are derived from the implicit mappings defined in each Web publishing rule in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition). In Enterprise Edition, implicit mappings of rules in other arrays can also be added to the effective link translation dictionary.
  • Global mappings. These mappings are created by the user for an array (Enterprise Edition) or the ISA Server computer (Standard Edition) and apply to all Web publishing rules in the local array (Enterprise Edition) or on the ISA Server computer (Standard Edition). These mappings override conflicting implicit mappings of other rules. In Enterprise Edition, they can also be applied to Web publishing rules in other arrays.

Adding Local Mappings

Local mappings can be defined for a Web publishing rule on the Locally Defined Mappings page. This page is opened by clicking Configure on the Link Translations tab on the Properties page for the rule. To create a local mapping, you need to specify a string containing the internal name (or IP address) of a Web site or host and a string containing the publicly resolvable name to which it should be translated. The translated name is typically the public name that can be accessed by external clients, such as the fully qualified domain name (FQDN) or IP address of the ISA Server computer. Note that you cannot define more than one local mapping for a string to be translated in the same rule.

Adding Global Mappings

Global mappings can be defined on the Global Mappings tab of the Link Translation properties. To create a global mapping, you need to specify an internal URL and the public URL to which it should be translated. The internal URL typically contains the name (or IP address) of an internal Web site or host. The translated URL is typically the public name that can be accessed by external clients, such as the FQDN or IP address of the ISA Server computer. The URLs specified in user-defined global mappings must begin with a valid protocol (http:// or https://).

Dictionaries

When link translation is enabled for a Web publishing rule, a default link translation dictionary containing the implicit mappings of the rule is automatically created for the rule. If more than one public name is defined in a Web publishing rule, a dictionary is automatically created for each public name that does not contain a wildcard character (*). An effective link translation dictionary is created when user-defined local and global mappings and implicit mappings defined by other rules are added to the default dictionary.

The implicit mappings created for every Web publishing rule in an array (Enterprise Edition) or on the ISA Server computer (Standard Edition) and the user-defined local mappings are available to all Web publishing rules defined in the same array (Enterprise Edition) or on the ISA Server computer (Standard Edition). When cross-array link translation is enabled for an array (Enterprise Edition), these mappings become available to all Web publishing rules defined in the enterprise.

Whenever a publishing rule is used to return content from a Web site to a client, it uses the mappings in its effective link translation dictionary to translate links on the response page.

The effective link translation dictionary for each Web publishing rule for which link translation is enabled includes the implicit and local mappings of the rule along with the global mappings defined in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition). If cross-array link translation (Enterprise Edition) is enabled for the array in which the rule is defined, the effective dictionary also includes the global mappings defined in all the other arrays in which cross-array link translation is enabled. If there are conflicts, the local mappings and then the global mappings take precedence.

Note that dictionaries with a large number of mappings that are applied to Web content containing many links could detrimentally impact ISA Server performance.

ISA Server 2006 Enterprise Edition introduces cross-array link translation, which enables a rule defined in one array to include implicit and global mappings from other arrays in its effective link translation dictionary. When cross-array link translation is enabled in the enterprise, each array can be configured separately to participate in cross-array link translation. The implicit and global mappings defined in all the arrays configured to participate in cross-array link translation in the enterprise are automatically added to the effective link translation dictionary of each Web publishing rule.

Internal names in the links on the Web pages returned from the Web site published by one rule can be translated if the internal names are used in other Web publishing rules that are defined in another array in the enterprise. For example, consider a scenario in which the array Branch_1 publishes an internal Web site https://weather as https://weather.fabrikam.com, and a page on that site includes a link to https://sports. The internal Web site https://sports is published in the array Branch_2 as https://sports.fabrikam.com. If cross-array link translation is enabled for both arrays, ISA Server will translate the link https://sports to https://sports.fabrikam.com.

Multiple Mappings

ISA Server uses the effective link translation dictionary of the Web publishing rule that allowed the request for Web content to translate links in it before returning it to the client.

When the effective link translation dictionary of a Web publishing rule contains multiple mappings for a search string, ISA Server selects the mapping that it will use to translate the search string and removes the other mappings of that search string from the dictionary so that only one mapping for each search string will remain in the dictionary.

For each search string that has multiple mappings in the effective link translation dictionary of a rule, ISA Server first looks for a local mapping. If a local mapping is found for the search string, ISA Server leaves the applicable mapping in the dictionary and removes all other mappings for the same search string from the dictionary.

If a local mapping that matches the search string is not found, ISA Server looks for a matching implicit mapping derived from the rule (a mapping from the default dictionary of the Web publishing rule). If an implicit mapping is found, ISA Server leaves the applicable mapping in the dictionary and removes all other mappings for the same search string.

If a matching implicit mapping derived from the rule is not found, ISA Server looks for a global mapping for the array (Enterprise Edition) or the ISA Server computer (Standard Edition). If a global mapping is found, ISA Server leaves the applicable mapping in the dictionary and removes all other mappings for the same search string.

If no match is found, ISA Server looks for matching implicit mappings derived from the other Web publishing rules defined in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition). If one match is found, ISA Server leaves the applicable mapping in the dictionary and removes all other mappings for the same search string. If a Web site with the internal name in the search string is published by more than one rule that uses different public names within the same array (Enterprise Edition) or on the ISA Server computer (Standard Edition), more than one mapping should be found. The mapping that will be retained is selected using the following order of precedence:

  1. Mappings with a translated URL that contains a public name of the current Web publishing rule.
  2. Mappings with a translated URL that contains the public name of a Web site that is specified in a Web publishing rule that uses the same Web listener as the current Web publishing rule.
  3. Mappings with a translated URL containing the Domain Name System (DNS) suffix that is closest to the DNS suffix in the public name of the current Web publishing rule (see Determining the Closest DNS Suffix).
  4. Mappings that are derived from a Web publishing rule that is higher on the list of rules in the stored configuration.

In Enterprise Edition, if cross-array link translation is enabled and no match is found among the mappings from the array of the current Web publishing rule, ISA Server looks for matching global mappings from the other arrays with cross-array link translation enabled. If one global mapping is found, ISA Server leaves the applicable mapping in the dictionary and removes all other mappings for the same search string. If several mappings are found, the mapping that will be retained is selected using the following order of precedence:

  1. Mappings to Web sites that are published by rules defined in the preferred array if a preferred array is specified by the user.
  2. Mappings with a translated URL containing the DNS suffix that is closest to the DNS suffix in the public name of the current Web publishing rule (see Determining the Closest DNS Suffix).

If no matching global mapping from another array is found, ISA Server looks for implicit mappings from the other arrays with cross-array link translation enabled. If one mapping is found, the internal URL is translated to the public URL in the applicable mapping. If a Web site with the internal name is published by more than one array in the enterprise or by more than one rule in an array, a mapping should be found for each array or rule and the mapping for translating the internal URL is selected using the following order of precedence:

  1. Mappings defined in the preferred array if a preferred array is specified by the user.
  2. Mappings with the DNS suffix that is closest to the DNS suffix in the public name of the Web site that supplied the content containing the link to be translated.
  3. Mappings from the first array in the alphabetized list of ISA Server arrays in the stored configuration.
  4. Mappings that are derived from a Web publishing rule that is higher on the list of rules defined in an array in the stored configuration.

Determining the Closest DNS Suffix

A DNS suffix can consist of several parts divided by periods. For example, the domain name team.dublin.europe.contoso.com includes the server name team and a DNS suffix that is built from four parts: dublin, europe, contoso, com.

DNS suffix A is considered closer to DNS suffix B if more parts of the DNS suffix, starting from the left, are identical.

For example, the DNS suffix oslo.europe.contoso.com is closer to dublin.europe.contoso.com than it is to atlanta.northamerica.contoso.com.

To determine the mapping with the closest DNS suffix in an enterprise with more than one array (Enterprise Edition), consider a rule in the array Branch_1 that publishes the Web site www.oslo.europe.contoso.com. The content returned from this Web site includes a link to https://contososales, which does not have a mapping in Branch_1. Two other arrays in the enterprise publish https://contososales: Branch_2 publishes https://contososales as https://www.sales.dublin.europe.contoso.com, and Branch_3 publishes https://contososales as https://www.sales.atlanta.northamerica.contoso.com. If all three arrays participate in cross-array link translation, ISA Server will select the closest array, based on the DNS suffix, and will use the mapping of https://contososales to https://www.sales.dublin.europe.contoso.com. This is because, of the two public names, the DNS suffix of https://www.sales.dublin.europe.contoso.com is closer to oslo.europe.contoso.com, the DNS suffix in the public name of the Web site that supplied the content.
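The precedence rules under Multiple Mappings and the closest-suffix rule above can be modelled together. The following is an added example, not ISA Server code: the Rule and Mapping types, the listener name and the intranet.contoso.com mapping are hypothetical, and suffix labels are compared from the top-level domain end, the reading under which the examples on this page hold.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:                      # the rule that allowed the request
    array: str
    public_names: tuple
    listener: str = ""

@dataclass(frozen=True)
class Mapping:
    search: str                  # internal string to look for
    translated: str              # public replacement
    kind: str                    # "local", "implicit" or "global"
    array: str                   # array that defines the mapping
    own_rule: bool = False       # True for an implicit mapping of the current rule
    listener: str = ""           # Web listener of the rule the mapping comes from
    rule_order: int = 0          # 0 = highest rule in the stored configuration

def dns_suffix(host):
    """Labels after the server name: www.a.b.com -> ['a', 'b', 'com']."""
    return host.lower().rstrip(".").split(".")[1:]

def closeness(host_a, host_b):
    """Number of identical suffix labels, counted from the top-level domain inwards."""
    count = 0
    for x, y in zip(reversed(dns_suffix(host_a)), reversed(dns_suffix(host_b))):
        if x != y:
            break
        count += 1
    return count

def precedence(m, rule, preferred_array=None):
    """Sort key for one candidate; the lowest key is the mapping that is retained."""
    host = urlsplit(m.translated).hostname or ""
    close = max((closeness(host, p) for p in rule.public_names), default=0)
    same_array = m.array == rule.array
    preferred = m.array == preferred_array
    if m.kind == "local":                       # local mapping of the rule
        return (0,)
    if m.kind == "implicit" and m.own_rule:     # default dictionary of the rule
        return (1,)
    if m.kind == "global" and same_array:       # global mapping of the array
        return (2,)
    if m.kind == "implicit" and same_array:     # implicit mappings of other rules
        own_name = any(p.lower() in m.translated.lower() for p in rule.public_names)
        return (3, not own_name, m.listener != rule.listener, -close, m.rule_order)
    if m.kind == "global":                      # global mappings of other arrays
        return (4, not preferred, -close)
    return (5, not preferred, -close, m.array, m.rule_order)  # implicit, other arrays

def effective_dictionary(candidates, rule, preferred_array=None):
    """Keep exactly one mapping per search string."""
    kept = {}
    for m in candidates:
        key = m.search.lower()
        if key not in kept or (precedence(m, rule, preferred_array)
                               < precedence(kept[key], rule, preferred_array)):
            kept[key] = m
    return {m.search: m.translated for m in kept.values()}

# Constructed sample built from the names used in the examples on this page.
RULE = Rule("Branch_1", ("www.oslo.europe.contoso.com",), "External")
CANDIDATES = [
    Mapping("https://contososales",
            "https://www.sales.atlanta.northamerica.contoso.com", "implicit", "Branch_3"),
    Mapping("https://contososales",
            "https://www.sales.dublin.europe.contoso.com", "implicit", "Branch_2"),
    Mapping("https://team", "https://intranet.contoso.com", "global", "Branch_1"),
    Mapping("https://team", "https://www.team.contoso.com", "local", "Branch_1"),
]

if __name__ == "__main__":
    for search, translated in effective_dictionary(CANDIDATES, RULE).items():
        print(search, "->", translated)
```

Running the same candidates with preferred_array="Branch_3" retains the Atlanta mapping instead, which is a quick way to see how a preferred array overrides suffix closeness.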

Translating URLs

When a response is returned to an ISA Server computer, and before the response is returned to the client, ISA Server searches it for the strings to be translated that are defined in all the mappings in the effective link translation dictionary of the rule that allowed the request for the Web content. When a search string is found, ISA Server replaces the search string with the corresponding translated string in the mapping.

ISA Server only translates a complete URL or a part of a URL that is followed by a terminating character, such as a space or a slash. For example, if one of the search strings is https://contoso and the response contains the URL https://contosonews, this URL will not be translated using this mapping because the search string is not followed by a terminating character in the URL.

If more than one search string is found in the same URL, ISA Server will translate the URL using the longest search string. For example, if the effective link translation dictionary of the applicable rule contains mappings with the search strings https://contoso and https://contoso/news, and the response contains the URL https://contoso/news/a.htm, ISA Server will use the mapping for https://contoso/news to translate this URL.
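The two matching rules above (a terminating character is required, and the longest search string wins) can be reproduced in a small model of the search and replace step. This is an added example, not ISA Server code; the terminator set beyond a space and a slash is an assumption, and the second public name, news.contoso.com, is constructed.

```python
# Characters that end a host name or path segment. The page names a space and
# a slash as examples; the rest of this set is an assumption for the example.
TERMINATORS = frozenset(" /\t\r\n\"'<>?#&;)")

def translate_links(content, dictionary):
    """Apply a dictionary of search string -> translated string to content.

    A search string matches only if it is followed by a terminating character
    or by the end of the content. Matching ignores case. When several search
    strings match at the same position, the longest one is used.
    """
    keys = sorted(dictionary, key=len, reverse=True)   # longest first
    out, i = [], 0
    while i < len(content):
        for key in keys:
            end = i + len(key)
            if content[i:end].lower() != key.lower():
                continue
            if end < len(content) and content[end] not in TERMINATORS:
                continue        # e.g. https://contoso inside https://contosonews
            out.append(dictionary[key])
            i = end
            break
        else:                   # no search string matched at this position
            out.append(content[i])
            i += 1
    return "".join(out)

# Constructed sample using the search strings from the text above.
DICTIONARY = {
    "https://contoso": "https://www.contoso.com",
    "https://contoso/news": "https://news.contoso.com",
}
PAGE = (
    '<a href="https://contoso/news/a.htm">news</a> '
    '<a href="https://contosonews/x">other</a> '
    '<a href="HTTPS://CONTOSO/">home</a>'
)

if __name__ == "__main__":
    print(translate_links(PAGE, DICTIONARY))
```

The middle link is left untranslated, so an internal name that merely shares a prefix with a mapped name still reaches the client and needs its own mapping.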

Link translation can be enabled or disabled for each Web publishing rule. When link translation is disabled for a rule, its implicit mappings are not added to the effective link translation dictionaries of other rules in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition).

Link translation can be enabled or disabled for an array (Enterprise Edition) or the ISA Server computer (Standard Edition). By default, link translation is enabled for an array (Enterprise Edition) or the ISA Server computer (Standard Edition).

Link translation can be enabled for a Web publishing rule only if link translation is enabled for the array (Enterprise Edition) or the ISA Server computer (Standard Edition). By default, link translation is enabled for a Web publishing rule when link translation is enabled for the array (Enterprise Edition) or the ISA Server computer (Standard Edition).

Note

Header translation takes place even when link translation is disabled.
Link translation is automatically disabled for Web publishing rules that apply to all Web requests or that have one or more public names containing a wildcard character (*).

By default, cross-array link translation (Enterprise Edition) is disabled in the enterprise. An enterprise administrator can enable cross-array link translation for the enterprise and select the arrays that will participate in cross-array link translation. Only arrays in which link translation is enabled can be selected. By default, no arrays are selected. If link translation is disabled in a specific array and cross-array link translation is enabled in the enterprise, an alert will be issued for that array. A cross-array link translation priority can be set for each array.

Redirection of Unpublished Sites

The user can optionally define a list of URLs of unpublished sites and specify a published URL to which links to these URLs can be redirected on the Link Redirection tab of the Link Translation properties. When link translation is enabled on the General tab, links to the URLs of the unpublished Web sites in content returned from a published Web site will be redirected to the specified published URL if link translation is enabled for the rule that publishes the specified published URL. When the link redirection feature is enabled, users who request an unpublished site are redirected to the specified URL and should not receive an error page.

If this feature is enabled, ISA Server performs another search on the Web content for the unpublished sites after completing the search for the search strings in the effective link translation dictionary of the Web publishing rule that allowed the request for Web content. If the URL of an unpublished site is found, ISA Server replaces the URL by the specified published URL.

Content Types

The user can select the file name extensions and Multipurpose Internet Mail Extensions (MIME) types to which link translation can be applied on the Content Types tab of the Link Translation properties. The content types selected apply to all Web publishing rules for which link translation is enabled. By default, if link translation is enabled, the translation is applied only to Web content that belongs to the HTML Documents content type.

In Enterprise Edition, if you need to translate links in scripts, such as .js files, returned from published Web servers, we recommend that you do not select the Applications content type. Instead, you can create your own content type in the enterprise policy for the applicable file name extensions and MIME types and then select the new content type on the Content Types tab of the Link Translation properties for each array in the enterprise.

Range Requests

If the blocking of range requests is enabled in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition) and link translation is enabled for a rule, range requests for the content types to which the rule applies will be blocked for that rule. If the blocking of range requests is disabled in the array (Enterprise Edition) or on the ISA Server computer (Standard Edition), link translation will not be used for these requests.

Encoding

ISA Server 2006 link translation is basically a sophisticated search and replace engine. The Web content that passes through an ISA Server computer is searched for the mapped strings, and whenever a mapped string is found, the applicable replacement is made. The search engine is not sensitive to the case of ANSI characters in the strings. For the search engine to correctly locate the search strings, it must know their exact representation in the Web content.

The representation is dependent on the following:

  • Character set. The character set specifies which character table to use (and the corresponding encoding) for interpreting the characters. (For example, in UTF-8, the letter "a" is encoded as 0x61.)
  • Character escaping. Character escaping defines whether letters are represented in their standard form or in the form of an escape sequence. (For example, the letter "a" may be represented as %61.)

ISA Server 2006 enhances the ability to locate links to be translated by supporting different character sets and using an improved heuristic for dealing with escaped characters.

ISA Server 2006, however, does not support escaped characters in text encoded with the Universal Character Set.

Character Sets

There are many Web pages that are not encoded in UTF-8. If ISA Server assumed that all Web pages use the UTF-8 character set, the link translation search engine might fail to identify and replace links that are not encoded in UTF-8.

The following is a simple example. A user publishes the Web site https://myserver as https://www.contoso.com. ISA Server 2006 link translation needs to search for https://myserver and replace it with https://www.contoso.com. However, the string https://myserver can be represented in several different ways on a Web page. For example, the character "m" is represented as 0x6D in the UTF-8 character set. However, in UTF-16 encoding, it is represented as 0x006D.

Therefore, ISA Server 2006 uses the UTF-8 character set and allows the user to select one additional character set in each Web publishing rule. For example, the additional character set can be Japanese (Shift-JIS).

Escape Encoding

In many cases, the following characters will not appear in their standard form, but rather in the form of an escape sequence:

  • Non-English letters (high-ASCII characters)
  • Slash mark (/), tilde (~), ampersand (&), question mark (?), equal sign (=), semicolon (;), and other (unsafe or reserved) characters, such as a space.

If one or more characters in the URL are escaped, for example, if an ampersand (&) is represented by %26, a simple link translation search will fail to identify the URL.

The following is a simple example. A user publishes the Web site https://myserver/contoso finance as https://www.contoso.com/contoso finance. ISA Server 2006 link translation needs to search for https://myserver/contoso finance and replace with https://www.contoso.com/contoso finance. However, the string https://myserver/contoso finance can actually be represented in the following escaped form: https://myserver/contoso%20finance. In this case, the space was escaped as %20.

Therefore, ISA Server has a dedicated heuristic for dealing with escaped characters. It is based on searching for common variants of mapped URLs. For example, if ISA Server link translation needs to search for http://myserver?param=a, it will also look for http:%2F%2Fmyserver%3Fparam%3Da. Note that in ISA Server 2004, the heuristic fails in some cases.

ISA Server 2006 improves the search mechanism in the following way:

  • Improving the heuristic for determining the escaped encoded variations so that the majority of the URLs can be found.
  • Allowing the user to specify the exact form of a URL to search for (stating which characters are escaped, for example, http:%2F%2Fmyserver%3Fparam%3Da). This provides a very strong workaround in cases in which the escaping heuristic fails.
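When a representation is missed, the internal name reaches the external client unchanged. The following added example (not ISA Server code, and not the heuristic ISA Server uses) checks an already translated response body for internal URLs that survive in plain, escaped or differently encoded form. The function names and sample bodies are constructed for illustration.

```python
from urllib.parse import quote

def escaped_variants(url):
    """Textual forms in which one mapped URL may appear in Web content."""
    return {
        url,                              # standard form
        quote(url, safe=":/?=&;~"),       # only unsafe characters escaped (space -> %20)
        quote(url, safe=":"),             # reserved characters escaped as well
        quote(url, safe=""),              # colon escaped too
    }

def find_residual_internal_names(body, internal_urls, charsets=("utf-8",)):
    """Return (url, variant, charset, byte offset) for each form of an
    internal URL that is still present in a translated response body."""
    # bytes.lower() folds ASCII letters only, which also makes %2F equal %2f.
    haystack = body.lower()
    findings = []
    for url in internal_urls:
        seen = set()                      # identical byte strings are checked once
        for variant in sorted(escaped_variants(url)):
            for charset in charsets:
                try:
                    needle = variant.encode(charset).lower()
                except UnicodeEncodeError:
                    continue              # variant not representable in this charset
                if needle in seen:
                    continue
                seen.add(needle)
                offset = haystack.find(needle)
                if offset != -1:
                    findings.append((url, variant, charset, offset))
    return findings

# Constructed sample: the visible link was translated, but an escaped copy of
# the internal URL remains inside a query string.
BODY_UTF8 = (
    '<a href="https://www.contoso.com/contoso%20finance">ok</a>'
    '<a href="https://www.contoso.com/login?return=https:%2F%2Fmyserver%2Freports">x</a>'
).encode("utf-8")

# Constructed sample: a page served in UTF-16 with the internal name intact.
BODY_UTF16 = '<a href="https://MyServer/x">'.encode("utf-16-le")

if __name__ == "__main__":
    print(find_residual_internal_names(BODY_UTF8, ["https://myserver"]))
    print(find_residual_internal_names(BODY_UTF16, ["https://myserver"],
                                       charsets=("utf-8", "utf-16-le")))
```

Any finding is a candidate for an explicit mapping that states the exact escaped form, or for an additional character set on the rule.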

Translating Protocols in URLs

Consider a Web page that is returned from a Web server published by one Web publishing rule (Server A) and that contains a link to a Web server published by another Web publishing rule (Server B):

  • If there is only one mapping for Server B with the HTTP protocol or with the HTTPS protocol (according to the Web listener), use the available mapping.
  • If there are mappings for Server B with the HTTP protocol and with the HTTPS protocol:
    • HTTPS links will be translated to HTTPS links.
    • HTTP links will be translated to HTTPS links if a Secure Sockets Layer (SSL) connection was used to access Server A.

Global mappings can be defined as needed.

When ISA Server is configured to direct traffic to a published server over HTTPS, we recommend that the corresponding Web listener be configured to listen only on HTTPS. If you allow users to connect to ISA Server over HTTP, and then direct that traffic over HTTPS to a published server, ISA Server will translate HTTPS links to HTTP, which has security implications. This is an issue for a Web listener that listens only on HTTP, or on HTTP and HTTPS.

When an ISA Server computer sits behind an external SSL accelerator that receives HTTPS requests sent over the Internet from clients, the SSL accelerator terminates the SSL connections initiated by these clients. The SSL accelerator forwards their requests as HTTP requests to the port configured for sending HTTP requests to the ISA Server computer, which then forwards the requests to the published server if the traffic is allowed. If the ISA Server computer needs to generate links that are directed to itself when it performs link translation or redirects clients to authentication forms, ISA Server uses the SSL accelerator port specified for the Web listener used in the Web publishing rule and the FQDN of the SSL accelerator from the Host header in each request to format such links with the HTTPS protocol. For example, if the SSL accelerator port specified for the Web listener is set to 4443, the URL will have the form https://www.contoso.com:4443/path. If the SSL accelerator port specified for the Web listener is set to 443, ISA Server will not include the port number in the URL.

ISA Server 2006 addresses the following scenario. An internal user sends an e-mail message with URLs containing names of internal servers. The recipient accesses the message through an ISA Server computer using Microsoft Office Outlook® Web Access for Exchange Server 2003. The URLs viewed by the recipient contain public names. The recipient forwards or replies to the message.

ISA Server 2006 ensures that the public names remain in the links when the message is forwarded or a reply is sent.

Replies and forwarded Outlook Web Access messages contain the following line:

<!--CURRENT FILE=="IE5" "WIN32" replyforwardnote-->

ISA Server 2006 uses pattern matching to determine if a line like this is present. When such a line is identified, link translation is not performed so that internal recipients will receive URLs with the internal names.

A new COM collection (FPCLinkTranslationPatterns) is introduced in ISA Server 2006. Each element in this collection is a string of either the form A*B or the form A. In the former case, the search pattern is <!--A*B-->, and in the latter case, the search pattern is <!--A-->. When the predefined element is used, ISA Server 2006 searches for a string that starts with <!--CURRENT FILE== and ends with replyforwardnote--> and does not contain < or > in between.
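The matching rule for these elements can be written as a regular expression. This is an added example, not ISA Server code: the element string for the predefined pattern is inferred from the description above, and the nolinktranslation element is constructed.

```python
import re

def pattern_to_regex(element):
    """Compile one element of the form A*B or A.

    A*B matches <!--A ... B--> where the text between A and B contains
    neither < nor >. A matches the literal comment <!--A-->.
    """
    if "*" in element:
        prefix, suffix = element.split("*", 1)
        body = re.escape(prefix) + r"[^<>]*" + re.escape(suffix)
    else:
        body = re.escape(element)
    return re.compile("<!--" + body + "-->")

def suppresses_translation(content, elements):
    """True if any configured pattern occurs, so link translation is skipped."""
    return any(pattern_to_regex(e).search(content) for e in elements)

# Element inferred from the description of the predefined pattern (assumption).
OWA_REPLY_FORWARD = "CURRENT FILE==*replyforwardnote"

# Constructed sample bodies.
REPLY_BODY = '<html><!--CURRENT FILE=="IE5" "WIN32" replyforwardnote--><body>hi</body>'
BROKEN_BODY = '<html><!--CURRENT FILE=="IE5" <b> replyforwardnote--><body>hi</body>'

if __name__ == "__main__":
    print(suppresses_translation(REPLY_BODY, [OWA_REPLY_FORWARD]))    # True
    print(suppresses_translation(BROKEN_BODY, [OWA_REPLY_FORWARD]))   # False
```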

Integration with Exchange Server 2007

ISA Server 2006 will not alter the links in any pages or e-mail messages sent to clients from computers running Microsoft Exchange Server 2007. In particular, the pages reaching an Outlook Web Access client will be identical to the pages provided by the Exchange 2007 computer. However, before sending a page to an Outlook Web Access client, the Exchange 2007 computer performs link translation on the URL in every link on the page. Each altered URL has the form https://<ExchangeServerPublicName>/owa/redir.aspx?URL=<OriginalUrl>. For example, if the public name of the Exchange 2007 computer is mail.contoso.com, the Exchange 2007 computer will translate the URL https://hrweb in a link to https://mail.contoso.com/owa/redir.aspx?URL=https://hrweb before sending the page to an Outlook Web Access client.

When a user clicks this Outlook Web Access link, the browser sends a GET request to the public name of the Exchange 2007 computer. Because the Exchange 2007 computer is published by the ISA Server 2006 computer, the request is received by the ISA Server 2006 computer, which examines the contents of the URL parameter to determine whether it publishes the server specified in the URL (hrweb in this example). If the ISA Server computer does not publish the server, the ISA Server computer will forward the GET request containing the URL https://mail.contoso.com/owa/redir.aspx?URL=https://hrweb to the Exchange 2007 computer. If the ISA Server computer publishes the server, the ISA Server computer will add a second parameter, called TranslatedUrl, before forwarding the GET request to the Exchange 2007 computer. This parameter will contain the public name (or the first of the public names) specified in the ISA Server rule that publishes the server specified in the URL parameter of the GET request. If, for example, the public name of hrweb is hr.contoso.com, the GET request forwarded by the ISA Server 2006 computer will contain the URL https://mail.contoso.com/owa/redir.aspx?URL=https://hrweb?TranslatedUrl=https://hr.contoso.com.

When the GET request reaches the Exchange 2007 computer, it processes the request in one of the following ways:

  • If the URL parameter points to an intranet target that can be proxied, the Exchange 2007 computer will reply with the proxied content.
  • If the URL parameter points to an intranet Microsoft Windows SharePoint Services document or a file on an intranet Microsoft Windows Server® 2003 share, the file will be opened in a separate window.
  • If a URL parameter points to an intranet Windows SharePoint Services document library or an intranet Windows Server 2003 share, the document library or Windows Server 2003 share will open inside Outlook Web Access in a new Documents tab view.
  • If the URL parameter points to a target that cannot be proxied and there is no TranslatedUrl parameter, the Exchange 2007 computer will send an HTTP REDIRECT message to the Outlook Web Access client redirecting it to the original URL.
  • If the URL parameter points to a target that cannot be proxied and the request contains a TranslatedUrl parameter, the Exchange 2007 computer will send an HTTP REDIRECT message to the Outlook Web Access client redirecting it to the URL specified in the TranslatedUrl parameter.

Exchange 2007 uses the TranslatedUrl parameter in two more scenarios:

  • The Outlook Web Access client opens a Windows SharePoint Services document library. If the Windows SharePoint Services site is published by the ISA Server computer, ISA Server 2006 adds the TranslatedUrl parameter. Exchange 2007 sees the parameter and adds a yellow Information Bar in Microsoft Internet Explorer® that points to the public name of the document library.
  • The Outlook Web Access client enters a URL in the Open Location dialog box. If the URL is published by the ISA Server computer, ISA Server 2006 adds the TranslatedUrl parameter. If the Exchange 2007 computer cannot proxy the content, it will redirect the user to the TranslatedUrl parameter exactly as it does when a link to the same URL is clicked inside an Outlook Web Access e-mail message.

Troubleshooting

If you observe unexpected link translation results, you can often determine the cause by examining a report of all the mappings that are applied to the applicable rule. This report is displayed when you click the Mappings button on the Link Translations tab on the Properties page for the rule. To solve each problem, add the applicable local or global mapping.