ISA Server 2000 Feature Pack 1

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

Some published Web sites may include references to internal names for computers. Because only ISA Server — and not the whole network — is made available to external clients, these references will appear as broken links. ISA Server Feature Pack 1 introduces a link translation feature, so that you can create a dictionary of definitions for internal computer names that map to publicly known names.

On This Page

About Link Translation
Software Requirements
Scenario 1: Publishing Single Server
Scenario 2: Publishing Multiple Sites
Scenario 3: Bridging and Link Translation
Scenario 4: Publishing HTTP and HTTPS on Same Server
Better Securing Web Pages with Translated Links

ISA Server Feature Pack 1 introduces a link translation feature, which allows the publishing of Web sites that contain absolute links.

Link translation is useful when an external user attempts to access a published Web site that contains absolute links to the Web site itself. In this common scenario, simply enabling link translation will allow the user to access the site without experiencing broken links.

Link translation is also useful in more complex publishing scenarios. Consider a scenario where two internal Web servers are published. The Web server computers, internalA and internalB, are accessible by the publicly resolvable names www.wingtiptoys.com and www.woodgrovebank.com. The Web servers include cross-references to the published sites. However, the references are to the internal Web site names — and not to the publicly resolvable site names. Specifically, internalA contains references to internalB.

External users who access internalA, by typing www.wingtiptoys.com, will not be able to follow the links to internalB. By enabling link translation for this scenario and creating a dictionary with entries for each of the Web sites, these internal links can be translated before the page requested by the client is returned.

When a client requests an object from a Web site protected by ISA Server, ISA Server checks whether the request is allowed. If the request is allowed, ISA Server retrieves the requested object from the Web server. Before returning the response to the client, ISA Server performs link translation on the header, regardless of whether the Link Translator Web filter is installed. Specifically, the Content-location (used in various response codes) and Location headers (used mainly with the 301 and 302 response status codes) may contain an absolute URI. However, for example, an original 302 redirect response issued by an internal Web server will include the Web server name and port of an internal Web site, which is usually not accessible to the external client. Therefore, ISA Server needs to translate these to its own external name and port, as known to clients.

If the Link Translator Web filter is installed and enabled, ISA Server checks the Content-type of the response, to determine whether translation should be applied to the body. Link translation for the response body is performed under the following conditions:

  • Only the HTML Documents content group (that is, content type is text/html or text/webviewhtml) is translated by default. Additional content groups are translated, in accordance with link translation dictionary settings.

  • The response is not range 206.

The Link Translator Web filter does the following, to determine the response content type:

  • The filter searches for a Content-type header. If there is a header, the filter translates according to the content type.

  • The filter searches for a Content-location header. If there is a header, the filter translates according to the content location extension.

  • If neither Content-type nor Content-location is present, the filter translates according to the requested file extension.

The Link Translator Web filter performs link translation, in accordance with a default link translation dictionary that is created on a per-rule basis, for each Web publishing rule for which link translation is enabled. You can add more entries to the link translation dictionary, to enhance the default link translation. These additional entries are applied to the response headers, in addition to the response body.

The Link Translator Filter searches for strings as follows:

  1. The filter searches first for the longest search string, and then for shorter strings in descending order, and finally for the default strings.

  2. If the search string is found, the filter checks the character following the string.

  3. If the character is a terminating character, the filter replaces the search string with the replacement string. Refer to the ISA Server Feature Pack 1 on-line help for a full list of terminating characters.

Software Requirements

The ISA Server computer must have:

  • Microsoft Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003, with Service Pack 3

  • ISA Server with Service Pack 1

  • ISA Server Feature Pack 1

The Web server must have either Windows 2000 Server, Windows 2000 Advanced Server, or Windows Server 2003 installed. Internet Information Services (IIS), which you will use to publish the Web site, is included in Windows 2000 Server, Windows 2000 Advanced Server, and Windows Server 2003.

Scenario 1: Publishing Single Server

Pages on an internal Web site may contain absolute links to other Web pages on the same site, including, for example, the names of the internal server on which the pages are located. Some servers (for example, Microsoft SharePoint™ server) create Web pages dynamically and always have absolute links.

In this scenario, an internal Web site, located on a computer with the NetBIOS name IIS_Fabrikam, is published as https://www.fabrikam.com. The internal site contains references to the actual NetBIOS name of the Web server (IIS_fabrikam).

The Web site may also contain other references to names of the Web server, which may be publicly unavailable. In many cases, this may be to an internal alias or to an IP address Follow the procedures detailed in this section to publish sites with these links.

Procedures

You will perform these steps, described in the following sections, to configure this scenario:

  1. Enable the Link Translator Web filter.

  2. Create a destination set that includes www.fabrikam.com.

  3. Create a Web publishing rule to publish the server.

  4. Create a link translation dictionary for the Web publishing rule.

Step 1. Enable Link Translator Web filter

To enable the Link Translator Web filter

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Extensions, and then click Web Filters.

  2. In the details pane, right-click Link Translator Filter, and then click Enable.

  3. Restart the Web Proxy service.

Step 2. Create a destination set for www.fabrikam.com

To create a destination set for www.fabrikam.com

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Policy Elements, right-click Destination Sets, click New, and then click Set.

  2. In Name, type the destination set name. For example, type Fabrikam_Set.

  3. Click Add.

  4. In Destination, type www.fabrikam.com.

Step 3. Create Web publishing rule to publish IIS_Fabrikam

To create a Web publishing rule to publish the server

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, right-click Web Publishing Rules, click New, and then click Rule.

  2. In Web publishing rule name, type the rule name. For example, type Publish IIS_Fabrikam. Then, click Next.

  3. In Apply this rule to, select Specified Destination Set. Then, in Name, select the destination set that you created in the "Step 2. Create a destination set" section. Click Next.

  4. On the Client Type page, select Any request. Then click Next.

  5. On the Rule Action page, select Redirect the request to this internal Web server. Type IIS_Fabrikam.Europe.Fabrikam.com in the text box. Then, click Next, and then click Finish.

  6. In the details pane, right-click the new rule (Publish IIS_Fabrikam), and then click Properties.

  7. On the Link Translation tab, select Perform link translation.

The default dictionary for the rule you just created replaces references for IIS_Fabrikam.Europe.Fabrikam.com on the site with www.fabrikam.com. This entry is created, based on the settings you specified in the Web publishing rule. That is, the default link translation dictionary automatically replaces the name that you specify on the Action page in the Web publishing rule wizard with the name you specify in the destination set.

The default dictionary includes other entries, as well, as detailed in ISA Server Feature Pack 1 online Help.

Step 4. Create link translation dictionary entries for Publish IIS_Fabrikam rule

To create a link translation dictionary

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the rule that you created in the "Step 3. Create Web publishing rule to publish" section.

  3. On the Link Translation tab, click Add and do the following:

    1. In the upper edit box, type https://IIS_Fabrikam.

    2. In the lower edit box, type https://www.fabrikam.com.

    3. Click OK.

  4. On the Link Translation tab, click Add and do the following:

    1. In the upper edit box, type https://IIS_Fabrikam:80.

    2. In the lower edit box, type https://www.fabrikam.com.

    3. Click OK.

      Note: Follow these guidelines when creating link translation dictionary entries:

      • Be sure that the string to be replaced does not end with a terminating character; be especially careful not to terminate the string with a slash (/)

      • If the external site uses a default port, you do not have to specify the port number in the link translation dictionary entry. However, if the external site does not use a default port number, you must specify the non-standard port.

      • If the internal site uses a default port, translate links both with and without the port number.

      • Add entries for https:// and for https://, if the site includes secure links

This section describes a common scenario, in which the Link Translator Web filter is not required.

In this scenario, a single site is located on an internal Web server, and does not contain any absolute links. When you create a Web publishing rule, you map the site name, as known to the client, to the name of the internal computer. ISA Server redirects client requests to the IIS server and automatically translates the host header in the request. If the response includes a Location or Content-location header, it automatically translates them. For more information on how this translation occurs, see the ISA Server Feature Pack 1 on-line help.

Scenario 2: Publishing Multiple Sites

In this scenario, two internal Web sites, located on IIS_fabrikam and IIS_wingtiptoys, are published as www.fabrikam.com and www.wingtiptoys.com, respectively. Each site contains absolute links to the other site. For example, the site on IIS_fabrikam has links to the site on IIS_wingtiptoys. These links are not translated by the default link translation dictionary, which by default translates only the name of the published server, as specified on the Action tab of the Web publishing rule.

Procedures

To allow external clients to view the pages, you must create Web publishing rules with appropriate link translation dictionaries for both sites. We will assume that the rules and policy elements that you created in the "Scenario 1: Publishing Single Server" section are still valid on ISA Server. We also assume that you enabled the Link Translator Web filter. You will perform these additional steps, described in the following sections, to configure this scenario:

  1. Modify the link translation dictionary for the Publish IIS_Fabrikam Web publishing rule.

  2. Create a destination set named IIS_wingtipstoys, as described in the "Step 2. Create a destination set" section.

  3. Create a Web publishing rule named Publish IIS_wingtiptoys.

  4. Create a link translation dictionary for the Publish IIS_wingtiptoys Web publishing rule.

Step 1. Modify link translation dictionary for the Publish IIS_Fabrikam rule

To create a destination set for www.wingtiptoys.com

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the rule that you created in the "Step 3. Create Web publishing rule to publish IIS_Fabrikam" section.

  3. On the Link Translation tab, click Add and do the following:

    1. In the upper edit box, type https://IIS_wingtiptopys.

    2. In the lower edit box, type https://www.wingtiptoys.com.

    3. Click OK.

Note: You must also create link translation dictionary entries for links on the Web site that include port numbers or links to secure sites (using HTTPS).

Step 2. Create a destination set for www.wingtiptoys.com

To create a destination set for www.wingtiptoys.com

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Policy Elements, right-click Destination Sets, click New, and then click Set.

  2. In Name, type the destination set name. For example, type Wingtiptoys_Set.

  3. Click Add.

  4. In Destination, type www.wingtiptoys.com.

Step 3. Create a Web publishing rule to publish www.wingtiptoys.com

To create a Web publishing rule to publish the server

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, right-click Web Publishing Rules, click New, and then click Rule

  2. In Web publishing rule name, type the rule name. For example, Publish IIS_Wingtiptoys. Then, click Next.

  3. In Apply this rule to, select Specified Destination Set. Then, in Name, select the Wingtiptoys destination set that you created in the "Step 2. Create a destination set for www.wingtiptoys.com" section. Click Next.

  4. On the Client Type page, select Any request. Then, click Next.

  5. On the Rule Action page, select Redirect the request to this internal Web server. Type IIS_wingtiptoys in the text box. Click Next, and then click Finish.

  6. In the details pane, right-click the new rule (Publish IIS_Wingtiptoys), and then click Properties.

  7. On the Link Translation tab, select Perform link translation.

Step 4. Create a link translation dictionary for Publish IIS_wingtiptoys rule

To create a link translation dictionary

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the rule that you created in the "Step 3. Create a Web publishing rule to publish www.wingtiptoys.com" section.

  3. On the Link Translation tab, click Add and do the following:

    1. In the upper edit box, type https://fabrikam.

    2. In the lower edit box, type https://www.fabrikam.com.

    3. Click OK.

Note: Again, be sure to create link translation dictionary entries for links on the Web site that include port numbers or links to secure sites (using HTTPS).

This section describes common Web publishing scenarios, which do not require the link translation feature. In these scenarios, properly configuring Web publishing and routing rules will enable you to publish multiple sites.

Publishing Multiple Sites on a Single Server

With IIS Server, you can define several virtual sites on a single server. These sites may be referred to as independent sites, if there are no cross-links between the sites. For example, suppose an internal Web server, named My_internal, has two virtual sites www.fabrikam.com and www.wingtiptoys.com. Clients can access these sites by these names. To protect these Web sites, an ISA Server is installed. The external IP address of the ISA Server is associated with the site names, previously published on the Web server's external IP address.

To implement this scenario, create a Web publishing rule, applicable to a destination set that includes both www.fabrikam.com and www.wingtiptoys.com, which redirects the requests to My_internal. Be sure that Send the original host header to the publishing server instead of the actual one is selected. In this way, when a client requests, for example, www.fabrikam.com, ISA Server intercepts the request and redirects it to the internal computer named My_internal. ISA Server passes the host header included in the request, www.fabrikam.com, to the IIS Server (on My_internal), which maps the request to the www.fabrikam.com virtual Web site.

Publishing Multiple Sites on a Single Server as a Single Site with Multiple Paths

In this scenario, a single Web server called IIS_fabrikam hosts two internal Web sites, called fabrikam_Sales and fabrikam_Marketing. These sites are accessible by clients as www.fabrikam.com\Marketing and www.fabrikam.com\Sales. The name www.fabrikam.com is mapped to an external IP address on ISA Server.

To enable this scenario, you will use a combination of Web publishing and routing rules. Perform the following steps:

  1. Create a Web publishing rule that applies to a destination set that includes a destination www.fabrikam.com with Path set to Sales. Set Action to Redirect the request to this internal Web server, and type fabrikam_Sales in the edit box.

  2. Create another Web publishing rule that applies to a destination set that includes a destination www.fabrikam.com with Path set to Marketing. Set Action to Redirect the request to this internal Web server, and type fabrikam_Marketing in the edit box.

  3. Create a routing rule with the following settings:

    • Applies to two destination sets, fabrikam_Sales and fabrikam_Marketing. Note that the destination set on the routing rule includes names of internal web sites.

    • Action is set to Redirecting them to a hosted site.

    • Hosted site is set to the (internal) IP address of the Web server.

Alternatively, you can edit the host file, located in %windir%\system32\drivers\etc folder, to map the virtual names of the internal sites (fabrikam_Sales and fabrikam_Marketing) to the IP address of the internal Web server.

For example, ISA Server will process incoming client requests for www.fabrikam.com\Sales, as follows:

  1. ISA Server checks the Web publishing rules, to find a rule that allows the request.

  2. The Web publishing rule that allows the request replaces the original host header with the name of the server to which the request should be redirected, specified on the Action tab. In this case, fabrikam_Sales is used.

  3. The routing rule processes the request, considering the fabrikam_Sales as the host header to be matched to the destination set for the routing rule. When the routing rule created above is applied, the request is redirected to the specified IP address (that is, to the Web server).

    If you used the hosts file to map fabrikam_Sales and fabrikam_Marketing to the IP of the web server, the DNS server will redirect requests to the IIS_fabrikam

Publishing Multiple Sites on Multiple Servers

In this scenario, two Web servers called IIS_fabrikamSales and IIS_fabrikamSales host two internal Web sites, called fabrikam_Sales and fabrikam_Marketing. These sites are accessible by clients as www.fabrikam.com\Marketing and www.fabrikam.com\Sales. The name www.fabrikam.com is mapped to an external IP address of the ISA server.

To enable this scenario, you will create Web publishing rules. You will also add virtual directories on the IIS Server. Perform the following steps:

  1. Create a Web publishing rule that applies to a destination set that includes a destination www.fabrikam.com with Path set to Sales. Set Action to Redirect the request to this internal Web server, and type fabrikam_Sales in the edit box.

  2. Create a Web publishing rule that applies to a destination set that includes a destination www.fabrikam.com with Path set to Marketing. Set Action to Redirect the request to this internal Web server, and type fabrikam_Marketing in the edit box.

  3. When requests are redirected by ISA Server to the appropriate Web server, they are redirected as Get /Marketing or Get /Sales. These directories (Sales and Marketing) do not actually exist on the IIS Server. To resolve this, use virtual directories on IIS. Perform the following:

    1. On the Web Server named fabrikam_Sales, create a new virtual directory with the following properties: Alias is set to Sales and Path is set to the home directory of the default Web site (typically, drive:\inetpub\wwwroot).

    2. On the Web server named fabrikam_Marketing, create a new virtual directory with the following properties: Alias is set to Marketing and Path is set to the home directory of the default Web site (typically, drive:\inetpub\wwwroot).

In this way, the applicable Web publishing rule directs the incoming client request to the appropriate Web server. The Web server itself maps the request to the virtual directory.

In an ISA Server bridging scenario, when a client makes an HTTPS request, ISA Server intercepts the request, before forwarding it on to the published IIS server. Then, ISA Server can communicate with the published IIS server, using either FTP, HTTP or HTTPS (SSL). In some cases, the secure connection within the internal network (that is, between the ISA Server computer and the IIS server) is not required. It is sufficient that the client uses secure communication.

ISA Server changes incoming client requests, according to the Web publishing rule configuration. That is, ISA replaces the scheme (protocol) and/or host-header, depending on how bridging and "use original host header" options are configured.

When returning the response, if absolute links exist in headers, ISA Server reverts the changes made to the headers. That is, if the scheme and/or host-header were changed in the request, the scheme and/or server-name in the links in the response headers will be changed back to the original values. However, if absolute links exist in the response body, then the link translator Web filter is required.

In the scenario described here, a client requests data, using HTTPS from www.fabrikam.com. Bridging is configured, with the requests passed from the ISA Server computer to the internal IIS server (IIS_Fabrikam) as HTTP.

Note:

  • Typically, in bridging scenarios, where there are no absolute links on the internal Web site, the Link Translator Web filter is not required. However, even when the client requires HTTPS, the response from the Web server might contain non-secure links. In this case, link translation is required, to map HTTP to HTTPS in the links — thus helping secure communication between the client and ISA Server.

  • Typically, when publishing an FTP server over HTTP, the Link Translator Web filter is not required, unless the FTP pages returned to the client contain absolute links. In this case, be sure that corresponding content groups are enabled for the Link Translator Web filter.

Procedures

You might want to enable external clients to view pages over SSL connections, even when the communication between ISA Server and the IIS Server is HTTP. In this case, you must modify the Web publishing rule to enable link translation. Note that you do not have to modify the default link translation dictionary, as it applies to this scenario. We will assume that the rules and policy elements that you created in the "Scenario 1: Publishing Single Server" section are still valid on ISA Server. You will perform this additional step, described in the following section, to configure this scenario:

  • Modify the Web publishing rule to configure bridging and enable link translation.

Step 1. Modify the Publish IIS_Fabrikam Web publishing rule

To modify the Publish IIS_Fabrikam Web publishing rule

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the Publish IIS_Fabrikam Web publishing rule, and then click Properties.

  3. On the Bridging tab, verify that HTTP requests (terminate the secure channel at the proxy) is selected.

  4. On the Link Translation tab, click Add and then do the following:

    1. In the upper edit box, type https://IIS_Fabrikam.

    2. In the lower edit box, type https://www.fabrikam.com.

    3. Click OK.

Scenario 4: Publishing HTTP and HTTPS on Same Server

A Web site can contain both secure (HTTPS) and non-secure (HTTP) content. For example, consider a Web site, named IIS_Fabrikam. The site itself is secured, and accessible only using HTTPS. However, images on the site, located in an /images folder, are accessible using HTTP. The site is published as www.fabrikam.com.

When clients connect to the site using SSL, when the link translation is enabled for the Web publishing rule, the absolute links to the images are translated as HTTPS://. You must add entries to the link translation dictionary, to ensure that these absolute links that use HTTP are not translated to HTTPS. In this way, performance is not adversely affected.

Procedures

To allow external clients to use HTTP to view the images, you must modify the link translation dictionary. We will assume that the rules and policy elements that you created in the "Scenario 1: Publishing Single Server" section are still valid on ISA Server. You will perform this additional step, described in the following section, to configure this scenario:

  • Modify the link translation dictionary for the Publish IIS_Fabrikam Web publishing rule.

Step 1. Modify the link translation dictionary for the Publish IIS_Fabrikam Rule

To modify the link translation dictionary for the Publish IIS_Fabrikam

  1. In the console tree of ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the applicable array, click Publishing, and then click Web Publishing Rules.

  2. In the details pane, right-click the Publish IIS_Fabrikam Web publishing rule, and then click Properties.

  3. On the Link Translation tab, click Add and then do the following:

    1. In the upper edit box, type https://IIS_Fabrikam/images.

    2. In the lower edit box, type https://www.fabrikam.com/images.

    3. Click OK.

  4. On the Link Translation tab, click Add and then do the following:

    1. In the upper edit box, type https://IIS_Fabrikam:80/images.

    2. In the lower edit box, type https://www.fabrikam.com/images.

    3. Click OK.

Web pages that include translated links may potentially pose a security risk. To help prevent this security risk, carefully define destination sets on ISA Server, limiting the Web publishing rule to the specific destination sets.

For example, when creating the destination set, do not use wild characters in server names (for example, *.microsoft.com). Instead, list all server names that are mapped to the external IP address on ISA Server (for example, www.microsoft.com and mail.microsoft.com).