implementing isa server publishing. introduction what are web publishing rules? isa server uses web...
TRANSCRIPT
Implementing ISA ServerPublishing
Introduction
• What Are Web Publishing Rules?
• ISA Server uses Web publishing rules to make Web sites on protected networks available to users on other networks, such as the Internet.
• A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers
• Web publishing rules provide:• Access to Web servers running HTTP
protocol• HTTP application-layer filtering• Path mapping• User authentication• Content caching• Support for publishing multiple Web sites
using a single IP address• Link translation
What Are Server Publishing Rules
• Web publishing and secure Web publishing rules can grant access only to Web servers using HTTP or HTTPS.
• To grant access to internal resources using any other protocol, you must configure server publishing rules
• Server publishing rules provide:– Access to multiple protocols– Application-layer filtering for specified protocols– Support for encryption– IP address logging for the client computer
Considerations for Configuring DNS for Web and Server
Publishing
Configuring Web Publishing Rules
• Components of a Web Publishing Rule Configuration:
• Web publishing rules map incoming HTTP or HTTPS requests to the appropriate Web servers located on a network protected by ISA Server.
• Web publishing rules determine what incoming requests for HTTP objects will be accepted by ISA Server and how ISA Server will respond to those requests.
How to Configure Web Listeners
• Web listeners are used by Web and secure Web publishing rules.
• A Web listener is an ISA Server configuration object that defines how the ISA Server computer listens for HTTP requests and SSL requests.
• The Web listener defines the network, IP address, and the port number on which ISA Server listens for client connections.
How to Configure Web Listeners
• If the ISA Server computer receives a HTTP or HTTPS on a network adapter and no Web listener is configured for the IP address associated with the network adapter, ISA Server will discard all the requests before applying Web server publishing rules.
How to Configure Web Listeners
• Network:This option specifies the network on which ISA Server will listen for incoming Web requests
• Port numbers:This option specifies the port number on which the Web listener will listen for incoming Web requests
• Client authentication methods:This option specifies the supported authentication methods if you are going to require authentication on the Web listener
• Client Connection Settings:This option specifies the number of concurrent client connections and connection timeout values for the Web listener.
How to Configure Web Listeners
If you have multiple network adapters or multiple IP addresses
• On the Port Specification page, select the protocol and port number used by the Web listener
• modify the Web listener settings by doubleclicking the Web Listener object in the Toolbox
• To configure the client connection options, click Advanced on the Preferences tab to get to the Advanced Settings dialog box
How Path Mapping Works
• Path mapping can be used in several different scenarios• For example:• An organization may have a Web
site:http://www.cohovineyard.com.• If the entire Web site is located on a single Web server
you can use path mapping to redirect client requests to different virtual directories on that server.
• The URL http://www.cohovineyard.com/catalog can be redirected to a virtual directory named CurrentCatalog on the Web server
• the URL http://www.cohovineyard.com/sales is redirected to the SalesData virtual directory
• You can also use path mapping to redirect client requests to multiple internal Web servers.
• For example:• when users request the URL
http://www.cohovineyard.com/sales,they can be directed to the Sales virtual directory on one Web server.
• When users request the URL http://www.cohovineyard.com/catalog, they are redirected to a Catalog virtual directory on another Web server
How to Configure Path Mapping
• ISA Server Management ->Firewall Policy->Web publishing rule->Tasks->Edit Selected Rule.
How to Configure Link Translation
• Path mapping allows you to redirect client requests from the ISA Server computer to different locations on one or more Web servers.
• By using path mapping you can mask a complex internal Web server configuration and present a simple Web site view to the Internet.
• Link translation can provide the same end result, but is used in different situations.
• Link translation is used when the Web pages published on ISA Server contain links to other Web servers on the protected network, and those Web servers are not accessible from the Internet
• Link translation is an ISA Server configuration object that enables ISA Server to replace internal server names on Web pages with server names that are accessible from the Internet
• Some published Web sites may include references to internal names of computers other than the server listed in the Web publishing rule
Link Translation Levels
• Header link translation• Translation of links in the body of a returned
Web page • EX:Web page on a server named Web1 is
accessed through the URL www.cohovineyard.com may include a reference to an image using http://Web1.cohovineyard.com/images/image1.jpg
• Translation of links to other internal Web pages
How to Configure Link Translation
• ISA Server Management->Firewall Policy->Web publishing rule->Link Translation
How to Configure Web Publishing Rules
• ISA Server Management->Tasks->Publish A Web Server
Configuring Secure Web Publishing Rules
• Secure Web publishing provides an additional layer of security when publishing an internal Web site by enabling the option to use SSL to encrypt all network traffic to and from the Web site.
• Secure Web publishing is critical when securing Web sites that contain confidential information, or when the Web site asks clients to submit confidential information such as credit-card numbers
Components of a Secure Web Publishing Rule Configuration
• What Is Secure Sockets Layer?
• Secure Sockets Layer (SSL) is used to validate the identities of two computers involved in a connection across a public network, and to ensure that the data sent between the two computers is encrypted.
• To do this, SSL uses digital certificates and public and private keys.
What Is Secure Sockets Layer
• SSL enables the following features:
• Server authentication
• Client authentication
• Encrypted SSL connections
SSL Configuration Options
• SSL tunneling:• the SSL connection is set up directly between
the client computer and the Web server• the ISA Server computer does not encrypt or
decrypt the network packets but merely forwards encrypted packets between the client and the Web server.
• ISA Server cannot inspect the content of the packets because the contents are encrypted as they pass through theISA Server computer.
• SSL bridging:• the ISA Server computer acts as the end point
for one or more SSL connections• The network packets can still be encrypted from
the Web client to the Web server.• however, in an SSL bridging scenario, the ISA
Server computer will decrypt network traffic from the client computer and then re-encrypt it before sending it to the Web server
Enabling SSL on ISA Server
• If you plan to use SSL in an SSL tunneling configuration, you must install a digital certificate only on the Web server. The Web server and the client will use this certificate and the associated keys to create the SSL connection.
• If you plan to use SSL in a SSL bridging configuration, you must install a digital certificate on the ISA Server computer, and possibly, on the Web server.To create an SSL connection with the client, the ISA Server computer must have a certificate installed.
• If you require client certificates, you also need install digital certificates on each client computer.
How to Install Digital Certificates on ISA Server
• How to Configure a New Secure Web Publishing Rule
Configuring Server Publishing Rules
• Web publishing rules are used on ISA Server to enable access to HTTP and HTTPS content on internal Web servers.
• Server publishing rules are used to enable access to internal applications that use other protocols.
• Server publishing is a secure and flexible way to publish the content or services provided by internal servers to the Internet
Components of a Server Publishing Rule Configuration
• Server publishing rules are used on ISA Server to map a port number on an external interface of the ISA Server computer to the IP address of an internal server providing a specific service.
• When ISA Server receives a request on the external IP address for a specific port, it passes the request to the internal server defined on the server publishing rule
• ISA Server performs the following steps:• 1.A client computer on the Internet needs to access an
application server on a network protected by the ISA Server computer. the client computer will perform a DNS lookup to locate the IP address for the server that is providing the service
• 2. ISA Server checks the destination port number and then uses the server publishing rule to map the request to an IP address of an internal server.
• 3. The internal server returns the object to the ISA Server computer, which passes it on to the requesting client
How to Configure a Server Publishing Rule