Microsoft Internet Security and Acceleration (ISA) Server Publishing FAQ
This frequently asked questions (FAQ) document provides answers to questions commonly asked about publishing Web sites and internal resources through Microsoft® Internet Security and Acceleration (ISA) Server.
Q. How do I provide authentication on my published Web sites?
A. | ISA Server only supports Basic and Anonymous access at the IIS WWW services itself. If you want to enable other authentication modes, you need to configure those for the ISA Server Web Listener. By default after ISA Server installation, Integrated and Anonymous authentication methods are enabled. |
Q. How can I listen for an incoming HTTP request on a custom port on an external interface?
A. | You can change the port configured for the incoming Web listener. In ISA Management, right-click the name of the ISA Server computer or array, and then click Properties. On the Incoming Web Requests tab, in TCP Port, specify the port you want the Web listener to use for incoming HTTP requests. |
Q. I have a Web publishing rule that allows incoming requests to an internal Web server. How can I ensure that the actual IP address of the incoming request is logged and not the private IP address of the ISA Server computer?
A. | To get the original requesting IP address, use server publishing rules instead of Web publishing rules. Using server publishing, you can log the requesting host’s original IP address. In Web publishing, the source IP address in the host header is changed to the IP address of the ISA Server internal interface, when a request is forwarded to the published server by the Web Proxy service. Thus, you cannot log the requesting host’s IP address. |
Q. Why can’t I do an FTP upload from an internal client computer?
A. | For internal clients that need to do an FTP upload to external sites, the client computer must be configured as a SecureNAT client or Firewall client; because Web Proxy clients cannot do FTP uploads. For these clients, you should enable the FTP Access Filter, and create an allow protocol rule for the predefined FTP protocols you want to allow. Note that you configure a SecureNAT client by setting the client computer’s default gateway to the internal IP address of the ISA Server computer. |
Q. When must I use packet filters rather than policy rules?
A. |
There are certain configurations that require the use of packet filters. You must use packet filters if:
|
Q. In what order does ISA Server prioritize incoming request rules?
A. |
When ISA Server processes a request from an external client, it checks IP packet filters, publishing rules, and routing rules to determine if the request is allowed and which internal server should service the request. For an incoming Web request, rules are processed in the following order:
|
Q. How can I set up a terminal server connection through ISA Server to an internal computer?
A. | For instructions, see Microsoft Knowledge Base article 294720. |
Q. What is the difference between SSL tunneling and SSL bridging?
A. |
Secure Sockets Layer (SSL) bridging refers to the ability of ISA Server to encrypt or decrypt client HTTPS requests and pass these requests on to a destination Web server. SSL tunneling allows ISA Server clients to establish a tunnel through the ISA Server computer directly to the Web server with the requested HTTPS object. No SSL processing occurs on the ISA Server computer.
|
Q. When is SSL tunneling used?
A. | SSL tunneling is used when an internal client browser requests an object using HTTPS on port 8080 through the ISA Server computer. The client makes the request, and ISA Server forwards the request to the destination Web server on SSL port 443. ISA Server returns a connection established message to the client, and from that point the client communicates directly with the Web server. |
Q. When is SSL bridging used?
A. |
By default, when an internal client uses HTTPS to request an object from a server on the Internet, ISA Server uses SSL tunneling to establish the connection. However, for clients that support secure communication directly with the ISA Server computer, you can configure routing rules to enable SSL bridging instead, as follows:
Using SSL bridging instead of SSL tunneling for outgoing client requests increases security. The ISA Server computer intercepts the client request and the client does not establish a direct connection with the external Web server. SSL bridging can also be configured for incoming Web requests. When an external client uses HTTPS to request an object from a Web server located on your internal network, the client connects by default to port 443 on the ISA Server computer. The ISA Server computer must be configured to listen for SSL requests on port 443, and have a server certificate to authenticate itself to the external client. ISA Server then decrypts the client request, terminating the SSL connection. A Web publishing rule can be configured to forward this request to the publishing Web server as HTTP, SSL (HTTPS), or FTP. If the Web publishing rule is configured to forward the request as HTTPS, the ISA Server becomes the SSL client and sends a request to port 443 on the publishing server. The publishing server needs a server certificate to authenticate itself to the ISA Server, and optionally, the ISA Server computer might require a client certificate to authenticate itself to the publishing server.
|
Q. What is the difference between Web publishing and server publishing?
A. |
Web publishing entails a more complicated configuration, but includes enhanced security features that server publishing does not provide. The following applies to Web publishing:
The following applies to server publishing:
|
Q. Can I publish a server that does not have a predefined protocol?
A. |
ISA Server provides a number of preconfigured protocol definitions that you can use when creating server publishing rules. Application filters might also include protocol definitions, which cannot be modified. In addition, you can create your own protocol definitions. To do this, you need to specify the following information:
|
Q. How can I configure server publishing if my published server’s default gateway is not the ISA Server computer?
A. | A server published using server publishing is actually a SecureNAT client. So, the ISA Server computer should be configured as the default gateway on the published server. If this is not the case, see Microsoft Knowledge Base article 311777 for a workaround.. |
Q. I am Web publishing a site with SSL, and the SSL connection terminates at the ISA Server external interface. Instead of returning an error to a client who accidentally types “HTTP”, I want to redirect them to HTTPS. How can I do this?
A. |
Download isa_redirects.zip at ISATools, and use the examples and script contained in the zip file. There are two scripts in the zip file:
Read the ISA_Redirect text file included in the zip for instructions on how to use the scripts. Note that once this is configured, it will be the response for all SSL-restricted sites. For related Microsoft Knowledge Base articles, see KB article 821724, and KB 279681.
|
Top of page