7/29/2019 Publishing Web Servers Using ISA Server 2004 Enterprise Edition

Publishing Web Servers Using ISA Server 2004 Enterprise Edition

Microsoft Internet Security and Acceleration (ISA) Server 2004

Published: April 5, 2005

On This Page

Introduction
Scenarios
Solutions
Appendix A: Using the New Web Publishing Rule Wizard
Appendix B: Creating Rule Elements
More Information

Introduction

Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition uses Web publishing rules to handle issues associated with publishing Web content to the Internet, without compromising Internal network security. Web publishing rules determine how ISA Server intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server and how ISA Server responds on behalf of the Web server. Requests are forwarded downstream to an internal Web server, located behind the ISA Server array. If possible, the request is serviced from the ISA Server cache.

Web publishing rules map incoming requests to the appropriate Web servers behind the ISA Server array.

Web Publishing and Server Publishing

You can use publishing to make content available to groups of users or to all users, typically from an Internal network or perimeter network (also known as a DMZ, demilitarized zone, or screened subnet).

Choose Web publishing or server publishing based on what content you are publishing. Web publishing rules are configured to make HTTP and HTTPS content available on Web servers, such as servers running Internet Information Services (IIS). Server publishing rules are configured to make content available using other protocols. Server publishing publishes an entire server through a protocol, and enables you to restrict access to specific computers or networks. You cannot publish HTTP content using server publishing rules.

Web publishing provides you with detailed control over access to content. Web publishing rules are rich in features, including the following:

• Mapping requests to specific internal paths. You can limit the portions of your servers that can be accessed.
• Restricting access to specific users, computers, or networks. You can restrict access, to further improve security.
• Requiring user authentication. User authentication can be passed through to the Web server, eliminating the need to reauthenticate at the Web server.
• Providing link translation. You can handle links to internal servers.
• Providing SSL bridging. You can encrypt traffic between the ISA Server array and the Web server.

Web Listeners

All incoming Web requests must be received by a Web listener. A Web listener may be used in multiple Web publishing rules.

Page 1 of 16 Publishing Web Servers Using ISA Server 2004 Enterprise Edition
21. 1. 2007 http://www.microsoft.com/technet/isa/2004/plan/publishing_web_servers_ee.mspx?pf...

When you configure a Web listener, you are specifying:

• The network corresponding to the Internet Protocol (IP) addresses on the ISA Server array that will listen for incoming Web requests. The Web listener can listen on all the IP addresses associated with a network or on specific IP addresses.
• The port number that will listen for incoming Web requests on the selected network IP addresses.
• Client authentication methods (optional).

Selecting Web Listener Networks (IP Addresses)

The Web listener network, or networks, that you select depend on the networks from which clients will connect to the published Web server. For example, if the Web site you are publishing allows client requests from the Internet (External network), you should select the External network for the Web listener. By selecting the External network, you are selecting the IP addresses on the ISA Server computer that are associated with the External network adapter. If you do not limit the IP addresses, all the IP addresses associated with the selected network adapter will be included in the listener configuration. If you are using ISA Server integrated Network Load Balancing (NLB), read the important note that follows.

Specifying the Listener Port

By default, ISA Server listens on port 80 for HTTP requests. However, if connecting clients are expected to use a different port, you should change the port number accordingly. You can also enable the Web listener to listen for Secure Sockets Layer (SSL) requests. (The default is port 443.) If you choose SSL, an appropriate certificate must first be installed on each member of the ISA Server array. You must select a server certificate to be used by the Web listener, so that the ISA Server array member can authenticate itself to the client.

Defining Client Authentication Methods

After defining a Web listener, you can edit the Web listener properties to define authentication methods for Web requests. Note that you can configure Integrated Windows authentication on the ISA Server computer or on the Web server, but not both. If you choose to authenticate only on the Web server, ISA Server uses pass-through authentication (Kerberos cannot be used). For more information, see KB article 886996.

Important

You may want to publish your Web sites using Network Load Balancing (NLB) in your ISA Server array. For the most effective use of NLB, your Web listener should listen on the NLB virtual IP address. If you configure your Web listener to listen on all of the IP addresses for the network adapters, it will listen on the virtual IP address, which will distribute requests using NLB, and on the dedicated IP addresses of the network adapters, which will not make use of NLB. The procedure for configuring NLB is described in Publishing a Web Server Walk-through Procedure 3: Configure Network Load Balancing in this document. The procedure for selecting the virtual IP address in a Web listener is described in Appendix A: Using the New Web Publishing Rule Wizard in this document.

Original Host Headers

By default, ISA Server substitutes a host header that it uses to refer to the internal Web server, rather than sending the original host header that ISA Server received. If your Web site has specific features that require the original host header, select Forward the original host header instead of the actual one on the Define Website to Publish page of the New Web Publishing Rule Wizard.

Rule Elements

An ISA Server rule element is an object that you can use to refine ISA Server rules. For example, a subnet rule element represents a subnet within a network. You can create a rule that applies only to a subnet, or a rule that applies to a whole network exclusive of the subnet.

Another example of a rule element is a user set, representing a group of users. By creating a user set and making use of it in an ISA Server rule, you can create a rule that applies only to that set of users.

You can see the rule elements that are available to you by expanding the ISA Server array node, clicking Firewall Policy, and selecting the Toolbox tab in the task pane. There are five types of rule elements:

• Protocols. This rule element type contains protocols that you can use to limit the applicability of access rules. For example, you can allow or deny access on one or more protocols, rather than on all protocols.
• Users. In this rule element type, you can create a user set to which a rule will be explicitly applied, or which can be excluded from a rule.
• Content Types. This rule element type provides common content types to which you may want to apply a rule.
• Schedules. In this rule element type, you can designate hours of the week during which the rule applies.
• Network Objects. In this rule element type, you can create sets of computers to which a rule will apply, or which will be excluded from a rule.

You may want to use rule elements in your Web publishing rules, to make the rules more specific. Creation of rule elements is described in Appendix B: Creating Rule Elements in this document.

If the enterprise administrator has created rule elements on the enterprise level, these will also be available to you on the array level, so that you can use those rule elements in Web publishing.

Network Load Balancing

You can use the Network Load Balancing (NLB) functionality of ISA Server to configure and manage the NLB functionality of Microsoft Windows Server 2003 running on ISA Server arrays. Network Load Balancing allows all of the computers in a cluster to be addressed by the same set of cluster IP addresses, but also maintains their existing unique, dedicated IP addresses.

Network Load Balancing provides high availability and scalability of servers using a cluster of two or more host computers working together. Clients access the cluster using either an IP address or a set of addresses. The clients are unable to distinguish the cluster from a single server. Server applications do not identify that they are running in a cluster. However, an NLB cluster differs significantly from a single host running a single server application because it can provide uninterrupted service even if a cluster host fails. The cluster can also respond more quickly to client requests than a single host can.

You can configure NLB on the External network of an ISA Server Enterprise Edition array, so that client requests from the Internet are distributed among the array computers. The procedure for configuring NLB through ISA Server is described in Publishing a Web Server Walk-through Procedure 3: Configure Network Load Balancing in this document.

When you configure NLB through ISA Server, NLB is integrated with ISA Server functionality. This provides important functionality that is not available in Windows NLB alone:

• NLB configuration is performed through ISA Server Management.
• ISA Server provides NLB health monitoring, and discontinues NLB on a particular computer as necessitated by its status. This prevents the continued functioning of NLB when the state of the computer does not allow the passage of traffic. For example, if there is a failure of the network adapter on the computer, or if you stop the Microsoft Firewall service, ISA Server stops NLB-directed traffic from passing through that computer. When the issue is resolved, ISA Server will again allow NLB traffic to pass through that computer.
• ISA Server works with Windows NLB to automatically configure bidirectional affinity, and does so for multiple networks. This guarantees that traffic is handled in both directions by the same array server.

Note

When you configure NLB through ISA Server, it is automatically configured in unicast mode and with single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host.

When you use ISA Server integrated NLB, each computer running ISA Server services requires an additional network adapter, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication. You should then configure intra-array communication to use the IP address of the new adapter on each server.

Scenarios

This document describes several Internet Security and Acceleration (ISA) Server 2004 Web publishing scenarios:

• Publish a Web server that is located in your Internal network or perimeter network.
• Publish specific folders to differing public names.
• Publish two Web servers with different domain names.

Solutions

The solutions described in this document start with publishing an internal Web server or perimeter Web server, and progress to publishing specific folders, and publishing multiple Web servers behind an Internet Security and Acceleration (ISA) Server 2004 array.

Network Topology

The following sections describe the network topologies when:

• Publishing a Web server on an Internal network.
• Publishing a Web server on a perimeter network.

Internal Web Server

To publish a Web server on an Internal network, you need, at a minimum:

• A connection to the Internet.
• At least one computer to serve as the computer running ISA Server services (the ISA Server array), and a computer to serve as the Configuration Storage server. You can install the Configuration Storage server and ISA Server services on the same computer. We recommend that in a production environment, the Configuration Storage server be installed on a computer that will be behind the ISA Server array. The computer running ISA Server services must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network. If you are using ISA Server integrated NLB on the ISA Server array, you will also require a network adapter on each computer running ISA Server services, for intra-array communication.
• A computer that will be the Web server, located in the Internal network.
• To test the setup, a computer that is external to your network, with a connection to the Internet.

Perimeter Web Server

To publish a Web server on a perimeter network, you need, at a minimum:

• A connection to the Internet.
• At least one computer to serve as the computer running ISA Server services (the ISA Server array), and a computer to serve as the Configuration Storage server. You can install the Configuration Storage server and ISA Server services on the same computer. We recommend that in a production environment, the Configuration Storage server be installed on a computer that will be behind the ISA Server array. The computer running ISA Server services must have at least three network adapters. One adapter will be connected to the External network (representing the Internet), one adapter will be connected to the perimeter network, and one adapter will be connected to the Internal network. If you are using ISA Server integrated NLB on the ISA Server array, you will also require a network adapter on each computer running ISA Server services, for intra-array communication.
• A computer that will be the Web server, located in the perimeter network.
• If you want your perimeter Web server to retrieve data from a data server on the Internal network, you need a computer to serve as the data server.
• To test the setup, a computer that is external to your network, with a connection to the Internet.

Publishing a Web Server Walk-through

This walk-through guides you through the steps necessary to publish a Web server.

Publishing a Web Server Walk-through Procedure 1: Back Up Your Current Configuration

We recommend that you back up your array configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous, backup configuration. To back up the complete configuration of your ISA Server array to an .xml document, follow this procedure:

1. Open Microsoft ISA Server Management.
2. Expand Arrays, right-click the array through which you are going to publish the Web server, and then click Export (Back up) to start the Export Wizard.
3. On the Welcome page, click Next.
4. On the Export Preferences page, you can select the following options:
   • You can choose to export confidential information. If you do, it will be encrypted during export. If you want to export confidential information, select Export confidential information and provide a password.
   • You can choose to export user permission settings, by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users, for example, indicating who has administrative rights.
5. Click Next.
6. On the Export File Location page, provide the location and name of the file to which you want to save the configuration. Choose a meaningful name, and consider including the date in the name of the file, such as Cleveland Array ISA Backup 15 October 2004. Click Next.
7. On the Completing the Export Wizard page, click Finish.
8. When the export has completed, click OK.

Note

Because the .xml document is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure. The file describes your complete firewall policy, and if you exported confidential information, the password you provided is all that protects it, so store the copy where only ISA Server administrators can read it.

Publishing a Web Server Walk-through Procedure 2: Configure Intra-Array Communication

When you use ISA Server integrated NLB, you must configure the ISA Server array for intra-array communication.

Add a network adapter to each computer running ISA Server services, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication.

Configuring intra-array communication on each server

To configure intra-array communication to use the IP address of the new adapter on each server, follow these steps:

1. In ISA Server Management, expand the array, expand Configuration, and click Servers.
2. For each server in the array, right-click the server and select Properties (or select Configure Selected Server in the task pane on the Tasks tab).
3. On the Communication tab, under Use this IP address for communication between array members, select the IP address of the network adapter over which intra-array communication will take place.
4. Click OK.
5. After you configure all of the servers, click Apply in the details pane to apply your changes.

Creating an intra-array network

To create an ISA Server network that includes only the addresses of the new network adapters (an intra-array network), follow these steps:

1. In ISA Server Management, expand the array, expand Configuration, and click Networks.
2. In the details pane, select the Networks tab.
3. On the task pane, in the Tasks tab, click Create a New Network.
4. On the Welcome page, type a name for the network, and then click Next.
5. On the Network Type page, select Internal Network, and click Next.
6. On the Network Addresses page, click Add Adapter to open the Select Network Adapters dialog box. Select the network adapter that is used for intra-array communication. Click OK, and click Next.
7. On the Completing the New Network Wizard page, review the settings, and click Finish.
8. In the details pane, click Apply to apply your changes.

Publishing a Web Server Walk-through Procedure 3: Configure Network Load Balancing

Follow this procedure to configure Network Load Balancing (NLB) for an array. NLB will be automatically configured in unicast mode and single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host. This procedure takes place on a computer in an ISA Server array, logged on as an array or enterprise administrator.

To configure NLB on an ISA Server array, follow these steps:

1. On one of the ISA Server array members, expand Arrays, expand the array on which you are going to configure NLB, expand Configuration, and click Networks.
2. In the details pane, verify that the Networks tab is selected.
3. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration to start the Network Load Balancing Wizard. On the Welcome page, click Next.
4. On the Select Load Balanced Networks page, select the networks for which NLB will be enabled. We recommend enabling NLB on at least the External and Internal networks. Do not click Next yet.
5. Before you click Next, you have to set the virtual IP address for each network. To set the virtual IP address, select a network, and then click Set Virtual IP. In the Set Virtual IP Address dialog box, provide the IP address and subnet mask for the virtual IP address you will use. Note that this IP address must be a valid static IP address (one that cannot be assigned by your DHCP server), and must belong to the network you are configuring. Click Next.
6. On the summary page, click Finish. You will receive a notice that you must restart the Microsoft Firewall service.
7. In the details pane, click Apply. You will receive an ISA Server warning, prompting you to restart the Firewall service. Select Save the changes and restart the services, and then click OK.

Publishing a Web Server Walk-through Procedure 4: Create the Web Site

Create the Web site or sites on the internal or perimeter computer using Internet Information Services (IIS). For details, see the IIS documentation. Be aware of the location of the Web site. If the site is not the default Web site on your Web server, you must provide the correct path when creating a Web publishing rule.

Publishing a Web Server Walk-through Procedure 5: Design and Create Web Publishing Rules

You will use Web publishing rules to publish Web servers. The following are some examples of possible Web publishing scenarios, and the rules needed for the solution. For specifics on how to use the New Web Publishing Rule Wizard, see Appendix A: Using the New Web Publishing Rule Wizard in this document. You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.

Publishing a Web server on an Internal network or a perimeter network

To publish a Web server on the Internal network or a perimeter network, create a Web publishing rule using

Public Name tab
   Setting: This rule applies to
   Select: All requests
   Comment: If you are publishing more than one Web site on the same Web listener, you should specify Requests for the following websites (and specify the published site name) so that another rule can publish a server or directory using the same listener. When you specify Requests for the following websites, only requests for the name you provide will match the rule. This also may reduce the amount of traffic handled by the listener.

Paths tab
   Setting: External Path / Internal Path
   Select: External: /* and Internal: /*
   Comment: The path /* is generic, indicating that all folders are published under their own names on the Internet. An example of specific folder publication is provided later in this document.

Bridging tab
   Setting: Specify the type of server
   Select: Web server or FTP server
   Comment: For details, see SSL bridging in this document.

Users tab
   Setting: This rule applies to requests from the following user sets
   Select: All Users
   Comment: Selecting a specific user set instead limits access to that set of users.

Users tab
   Setting: Exceptions
   Select: None
   Comment: You may define user sets to which this rule will not apply.

Users tab
   Setting: Forward Basic authentication credentials (Basic delegation)
   Select: Whether to forward Basic authentication credentials
   Comment: For details, see Allowing delegation of Basic authentication in this document.

Schedule tab
   Setting: Schedule
   Select: Always
   Comment: You could limit the hours during which the Web site is available by creating a schedule and applying it to this rule. A schedule is a rule element, which is described in Rule Elements earlier in this document.

Link Translation tab
   Setting: Replace absolute links in Web pages
   Select: Whether to replace absolute links, and make dictionary entries if needed
   Comment: Link translation will only work if you specify Requests for the following websites (and specify the published site name) on the Public Name tab. For details, see Configuring link translation in this document.

Publishing Web server folders on the Internal or perimeter network to one domain name

You can publish specific folders on a Web server on the Internal network or on a perimeter network. In this scenario, both folders are published to the same domain. For example, you want to publish the \news folder to www.fabrikam.com/news, and the \updates folder to www.fabrikam.com/updates. To do this, follow these steps:

1. Create a Web publishing rule as described in the previous scenario, with the same properties. You do not have to specify any folders when creating the rule, because the New Web Publishing Rule Wizard does not provide the granularity you require for this scenario.
2. After you create the rule, in the Firewall Policy details pane, double-click the rule to display its properties, and select the Paths tab.
3. Select the default path that is displayed (the entry mapped to Internal Path /*) and click Remove.
4. Click Add to add new paths through the Path mapping dialog box.
5. Specify the folder that you want to publish on the Web site. This is the name of the folder on your Web server.
6. In External Path, either:
   • Select Same as published folder if you want the URL that users type to be the same folder name in their browsers. For example, if your internal folder name is /news and you select Same as published folder, users would type http://www.fabrikam.com/news to access that folder.
   • Select The following folder to specify a different name for the folder as accessed from the Internet. For example, you may have a folder on the Web server named news03032003 that you want to publish to www.fabrikam.com/news. In that case, select The following folder and provide the name news.
7. In the ISA Server details pane, click Apply to apply the changes.

Publishing two Web server folders to two domain names

You can publish specific folders on a Web server on the Internal network or on a perimeter network to two different domain names. For example, you want to publish the \news folder to www.fabrikam.com, and the \updates folder to www.adatum.com. To do this, you will create two Web publishing rules, one for each domain name. Follow these steps:

1. Create a Web publishing rule for the www.fabrikam.com site using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the next steps.
2. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the Internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is the default condition. For more information, see Original Host Headers in this document. In Path, you can specify the Web site folder that you want to publish, such as News. Click Next.

   Note

   To publish all of the subfolders under News to www.fabrikam.com, you would provide the folder as News/*.

3. On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.fabrikam.com.
4. Complete the wizard.
5. Create a second Web publishing rule, this time for the www.adatum.com site, using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the following steps.
6. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the Internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is the default condition. For more information, see Original Host Headers in this document. In Path, you can specify the Web site folder that you want to publish, such as Update (or Update/*, to include its subfolders). Click Next.
7. On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.adatum.com.
8. Complete the wizard.
9. In the ISA Server details pane, click Apply to apply the changes.
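The two scenarios above, the Public Name and Paths rows of the rule table, and the Original Host Headers section all describe one request-matching and rewriting mechanism. The Python model below is an added example written for this page; it is not ISA Server code and does not reproduce ISA's implementation. The server names webserver01 and intranet01, the public names, the paths and the sample requests are constructed, and the case-sensitive path comparison is an assumption the page does not settle. It applies the rules the text describes to sample requests: rules are evaluated in order and the first match wins, public names restrict which Host header a rule answers, each external path is mapped to its internal path, and the Host header sent to the Web server is the server name unless Forward the original host header is selected. The HARDENED_RULES set shows the same policy with the catch-all rule restricted to a public name, which is what the table's advice to specify Requests for the following websites amounts to: a Host header you never published no longer reaches any server.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PathMapping:
    """One row of a rule's Paths tab: external (client) path -> internal path.

    A path ending in /* covers the folder and everything below it; any other
    path names exactly one object. Paths are compared exactly (assumption:
    the page does not say how ISA handles case).
    """
    external: str
    internal: str


@dataclass
class WebPublishingRule:
    name: str
    listener_port: int                   # port of the Web listener the rule uses
    public_names: Optional[List[str]]    # None = "All requests"; list = "Requests for the following websites"
    server: str                          # "Computer name or IP address" on Define Website to Publish
    paths: List[PathMapping] = field(default_factory=list)
    forward_original_host: bool = False  # "Forward the original host header"


def match_path(external_pattern: str, path: str) -> Optional[str]:
    """Return the part of 'path' below the matched folder, or None if no match."""
    if external_pattern.endswith("/*"):
        folder = external_pattern[:-1]   # "/news/*" -> "/news/"
        return path[len(folder):] if path.startswith(folder) else None
    return "" if path == external_pattern else None


def map_path(mapping: PathMapping, path: str) -> Optional[str]:
    """Translate an external path to the internal path for one mapping."""
    rest = match_path(mapping.external, path)
    if rest is None:
        return None
    if mapping.internal.endswith("/*"):
        return mapping.internal[:-1] + rest
    return mapping.internal


def publish(rules: List[WebPublishingRule], host: str, port: int, path: str
            ) -> Optional[Tuple[str, str, str]]:
    """Evaluate rules in order; return (server, internal_path, host_header)
    for the first rule whose listener port, public name and path all match,
    or None when no rule applies (ISA then answers with an error page)."""
    for rule in rules:
        if rule.listener_port != port:
            continue
        if rule.public_names is not None and \
                host.lower() not in (n.lower() for n in rule.public_names):
            continue
        for mapping in rule.paths:
            internal = map_path(mapping, path)
            if internal is not None:
                host_header = host if rule.forward_original_host else rule.server
                return rule.server, internal, host_header
    return None


# Constructed rule set following the scenarios in the text: \news published
# as www.fabrikam.com/news from the folder news03032003, \updates published
# as www.adatum.com/updates, and, last, a rule left on "All requests" with
# the generic /* path, as the first walk-through creates.
RULES = [
    WebPublishingRule("Fabrikam news", 80, ["www.fabrikam.com"], "webserver01",
                      [PathMapping("/news/*", "/news03032003/*")]),
    WebPublishingRule("Adatum updates", 80, ["www.adatum.com"], "webserver01",
                      [PathMapping("/updates/*", "/updates/*")]),
    WebPublishingRule("Catch-all", 80, None, "intranet01",
                      [PathMapping("/*", "/*")], forward_original_host=True),
]

# Same policy with the catch-all restricted to a published name instead.
HARDENED_RULES = RULES[:2] + [
    WebPublishingRule("Intranet", 80, ["www.fabrikam.com"], "intranet01",
                      [PathMapping("/*", "/*")], forward_original_host=True),
]


if __name__ == "__main__":
    print(publish(RULES, "www.fabrikam.com", 80, "/news/index.htm"))
    print(publish(RULES, "203.0.113.10", 80, "/payroll/"))           # served by the catch-all
    print(publish(HARDENED_RULES, "203.0.113.10", 80, "/payroll/"))  # None
```

The second sample request uses a bare IP address as the Host header, which is what a scanner sends when it has found the listener's address but not a site name; with the catch-all rule it is forwarded to intranet01 with that Host header intact, with the hardened rules it is refused.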

Publishing a Web Server Walk-through Procedure 6: Set Web Publishing Options

Web publishing in ISA Server has many options that enable you to adjust your Web publishing rule to meet your needs. Several of those options are described in the sections that follow. Whenever you make changes to a Web publishing rule, you must click Apply in the ISA Server details pane to apply the changes.

Accessing Web publishing properties

The following steps describe how to access the Web publishing properties:

1. Open Microsoft ISA Server Management and click Firewall Policy.

2. Double-click the Web publishing rule to open its properties. Alternatively, select the rule, and in the task pane on the Tasks tab, click Edit Selected Rule.

SSL bridging

If you are publishing a server that requires Secure Sockets Layer (SSL) communication, you must have a digital certificate installed on each member of the ISA Server array. In addition, you may have a digital certificate installed on the Web server. To ensure that HTTPS requests are sent from the ISA Server array to the Web server using the appropriate protocol, you must configure SSL bridging accordingly.

SSL bridging is a property for each Web publishing rule. SSL bridging determines whether HTTPS requests received by the ISA Server array are passed to the Web server as HTTPS requests or as HTTP requests, as follows:

• If there is no digital certificate installed on the Web server, SSL and HTTP requests are passed to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP.

• If there is a digital certificate installed on the Web server, HTTPS requests are passed to the internal Web server as HTTPS requests, and HTTP requests are passed as HTTP requests. In this case, SSL-secured communication takes place both from the external client to the ISA Server array and from the ISA Server array to the Web server.

Important
We recommend that you install digital certificates on both the Web server and the ISA Server array, and pass HTTPS requests as HTTPS. This is a more secure configuration.

If your Web server has a digital certificate, and you want ISA Server to listen for HTTPS requests without purchasing an additional certificate, you must export the certificate from the Web server and import it to each member of the ISA Server array. For more information, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink?linkid=20794).

To modify the SSL bridging configuration, perform the following steps:

1. In the properties of the Web publishing rule, select the Bridging tab.

2. Ensure that Web server is selected.

3. Select Redirect requests to HTTP port or Redirect requests to SSL port:

• If you are using the ISA Server digital certificate to handle HTTPS requests (no digital certificate installed on the Web server), select Redirect requests to HTTP port, and then click OK.

• If you want to continue to use an existing digital certificate on the Web server as well as the certificate on the ISA Server array, select Redirect requests to SSL port, ensure that the default port number 443 is appropriate to your network, and then click OK.

4. Click OK to close the Web publishing rule properties dialog box.

Note
The option Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.

A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule To tab does not match the name on the digital (SSL) certificate. This will result in the Web client receiving a 500 Internal Server Error page.

This problem can be resolved using one of the following approaches:

• Obtain a new certificate that matches the name on the server.

• Change the server name on the Web publishing rule To tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server.

• Change the server name on the Web publishing rule To tab to match the name on the certificate. On each member of the ISA Server array, in the file %WINDIR%\system32\drivers\etc\hosts, add a mapping from the server name to the IP address of the internal Web server.

Creating additional path mappings

In the Web publishing solution, you created a single path mapping, from http://www.fabrikam.com/news to the \news folder on the Internal network or perimeter network Web server. You can add additional path mappings, such as http://www.fabrikam.com/archives to the \archives folder on the Web server. To add additional path mappings, follow this procedure:

1. In the properties of the Web publishing rule, select the Paths tab.

2. Select the default path displayed (to Internal Path /*) and click Remove.

3. Click Add to add new paths in the Path mapping dialog box.

4. Provide the name of the internal folder, for example, archives. If you leave the default External Path option, Same as published folder, the public name will be the same as the private name, archives. However, if you want your internal folder to be published to a different external name, you should select The following folder and provide the public name. With this selection, you can publish the \archives folder to http://www.fabrikam.com/Old. Click OK.

5. Click OK to close the Web publishing rule properties dialog box.

6. In the Firewall Policy details pane, click Apply to apply the changes.
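To make the rule evaluation concrete, the following is an added Python model, not ISA Server code, of how a Web publishing rule decides what to do with an incoming request: the public name test from the Public Name Details page (This domain name versus Any domain name), the folder and path mapping rules from the Paths tab (including the Update versus Update/* distinction and the \archives to /Old mapping used above), the SSL bridging choice, and the Host header sent to the internal server when Forward the original host header is left off. The class and function names, the rule names and the 10.0.0.7 address are constructed for this example.

```python
# Added example (not ISA Server code): a model of how a Web publishing rule
# accepts a request and builds the request sent to the internal Web server.
# Rule fields mirror the wizard pages and property tabs described above; the
# class and function names, rule names and the 10.0.0.7 address are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WebPublishingRule:
    name: str
    public_name: Optional[str]           # None models "Any domain name"
    server: str                          # Computer name or IP address on the To tab
    # Paths tab: external folder -> internal folder. A trailing "/*" includes subfolders.
    path_mappings: Dict[str, str] = field(default_factory=lambda: {"/*": "/*"})
    ssl_bridging: str = "http"           # "http" = Redirect requests to HTTP port, "https" = SSL port
    forward_original_host: bool = False  # "Forward the original host header" (default: off)


def map_path(path: str, mappings: Dict[str, str]) -> Optional[str]:
    """Translate the external path to the internal path, or return None when the
    request falls outside every published folder. Folder names compare
    case-insensitively; "News" and "News/*" both cover the folder's own files, and
    only the "/*" form also covers its subfolders (our reading of the Folder field)."""
    for external, internal in mappings.items():
        wildcard = external.endswith("/*")
        ext_folder = external[:-2] if wildcard else external
        int_folder = internal[:-2] if internal.endswith("/*") else internal
        if path.lower() == ext_folder.lower():
            rest = ""
        elif path.lower().startswith(ext_folder.lower() + "/"):
            rest = path[len(ext_folder):]
        else:
            continue
        if not wildcard and "/" in rest.lstrip("/"):
            continue  # a subfolder was requested but only the folder itself is published
        return int_folder + rest
    return None


def route(rules: List[WebPublishingRule], scheme: str, host: str, path: str) -> Optional[dict]:
    """Evaluate rules in order, as firewall policy does, and return the request the
    array would send to the internal server, or None when no rule publishes it."""
    host = host.lower()
    for rule in rules:
        if rule.public_name is not None and rule.public_name.lower() != host:
            continue  # "This domain name" rule for a different public name
        internal_path = map_path(path, rule.path_mappings)
        if internal_path is None:
            continue  # public name matched, but this folder is not published by the rule
        # SSL bridging: an HTTPS request continues as HTTPS only when the rule
        # redirects to the SSL port; HTTP requests always continue as HTTP.
        upstream_scheme = "https" if scheme == "https" and rule.ssl_bridging == "https" else "http"
        # Host header sent to the internal server: the rule's server name, unless
        # the original public host name is forwarded.
        host_header = host if rule.forward_original_host else rule.server
        return {
            "rule": rule.name,
            "url": f"{upstream_scheme}://{rule.server}{internal_path}",
            "host_header": host_header,
        }
    return None


# Constructed rules following the walk-through: two public names published from
# two internal servers; the archives folder is published under the external name /Old.
RULES = [
    WebPublishingRule(
        name="Publish Fabrikam",
        public_name="www.fabrikam.com",
        server="Internal_IIS",
        path_mappings={"/news/*": "/news/*", "/Old/*": "/archives/*"},
    ),
    WebPublishingRule(
        name="Publish Adatum",
        public_name="www.adatum.com",
        server="10.0.0.7",  # constructed address for the second Web server
        path_mappings={"/Update/*": "/Update/*"},
        ssl_bridging="https",
    ),
]

if __name__ == "__main__":
    for req in [("http", "www.fabrikam.com", "/news/today.htm"),
                ("https", "www.fabrikam.com", "/Old/2004/q1.htm"),
                ("https", "www.adatum.com", "/Update/kb.htm"),
                ("http", "www.contoso.com", "/news/today.htm"),
                ("http", "www.fabrikam.com", "/secret.htm")]:
        print(req, "->", route(RULES, *req))
```

The last two sample requests return None: a public name that no rule accepts, and a folder that the matching rule does not publish, are both dropped rather than forwarded, which is the behaviour you want to confirm after Step 2 above replaces the default /* mapping with explicit folders.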

Configuring link translation

Some published Web sites may include references to internal names of computers. Because only ISA Server, and not the whole network, is made available to external clients, these references could appear as broken links. ISA Server includes a link translation feature with several levels of functionality, so that you can provide the appropriate level of link connectivity:

• Header link translation. This is an inherent part of any Web publishing rule, in which a link returned in a header to the client is translated to an externally recognizable URL. When the user accesses the link, it is recognized by the Web publishing rule, and forwarded to the internal server. This form of link translation is always active in any Web publishing rule. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document.

• Translation of links in the body of a returned Web page. This functions in the same manner as the header link translation, but includes links returned in the body of Web pages, not just in the header. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document. To enable this functionality, perform the following steps:

1. In the properties of the Web publishing rule, select the Link Translation tab.

2. Select Replace absolute links in Web pages to enable link translation.

You can also configure the content types to which link translation will be applied. This configuration will apply to all of the Web publishing rules that use link translation. (It cannot be configured per rule.) To configure the content types, perform the following steps:

1. In the properties of the Web publishing rule, select the Link Translation tab.

2. Click Content Types, to open the Link Translation dialog box Content Types tab.

3. Select the content types to which link translation will apply, and then click OK.

• Translation of links to other internal Web pages. Link translation works only for links to the Web server specified in the Web publishing rule. If you want links to other internal or perimeter Web servers to also be translated (so that the links are recognized by their respective Web publishing rules), you must provide information about how to translate each link. This information is stored by ISA Server in a link dictionary.

For example, consider a scenario where two internal Web servers are published. The Web server computers, Internal_IIS_A and Internal_IIS_B, are accessible by their publicly resolvable names www.wingtiptoys.com and www.woodgrovebank.com. The Web servers include cross-references to the published sites. However, the references are to the internal Web site names and not the publicly resolvable site names. Specifically, Internal_IIS_A contains references to Internal_IIS_B.

External users who access Internal_IIS_A by typing www.wingtiptoys.com will not be able to follow the links to Internal_IIS_B. By enabling link translation and creating a dictionary with entries for each of the Web sites, these internal links can be resolved before the page requested by the client is returned.

Important
ISA Server cannot translate relative links. This will affect links that begin with /, such as /sports, in a situation where you are using path mappings and the external path is not the same as the internal path.

To make entries in the link translation dictionary, perform the following steps:

1. In the properties of the Web publishing rule, select the Link Translation tab.

2. Select Replace absolute links in Web pages to enable link translation.

3. Click Add to open the Add/Edit Dictionary Item dialog box.

4. In Replace this text, provide the internal link text, such as Internal_IIS_B. In With this text, provide the external link, such as www.woodgrovebank.com. Click OK.

5. Click OK to close the Web publishing rule properties dialog box.
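The following is an added Python illustration, not ISA Server code, of the three levels of link translation just described, run against a constructed response from Internal_IIS_A published as www.wingtiptoys.com: header translation of the Location header, which is always on; body translation gated by the enable switch and the configured content types; and a dictionary entry that maps Internal_IIS_B to www.woodgrovebank.com. It also shows the two cases the text says are not translated without a dictionary entry (a different server and a different port) and the relative link (/sports) that is never translated. The function names, the sample headers and the sample page are assumptions.

```python
# Added example (not ISA Server code): the three levels of link translation
# described above, applied to a constructed response from Internal_IIS_A.
# The function names and the sample response are assumptions.
import re
from typing import Dict, Optional, Tuple

# scheme, host and optional port of an absolute URL
ABS_URL = re.compile(r"(https?://)([A-Za-z0-9._-]+)(:\d+)?", re.IGNORECASE)


def translate_links(text: str, server: str, public_name: str, server_port: int,
                    dictionary: Dict[str, str]) -> str:
    """Rewrite absolute links to the published server (same name and port as the
    rule) to the public name, then apply the dictionary entries, which are the
    literal text replacements configured in Add/Edit Dictionary Item. Relative
    links such as /sports carry no host name and are left untouched."""
    def rewrite(match: "re.Match[str]") -> str:
        scheme, host, port = match.group(1), match.group(2), match.group(3)
        port_num = int(port[1:]) if port else (443 if scheme.lower() == "https://" else 80)
        if host.lower() == server.lower() and port_num == server_port:
            return f"{scheme}{public_name}"
        return match.group(0)  # another server or port: only a dictionary entry can map it
    text = ABS_URL.sub(rewrite, text)
    for internal, external in dictionary.items():
        text = text.replace(internal, external)
    return text


def translate_response(headers: Dict[str, str], body: str, *, server: str,
                       public_name: str, server_port: int = 80,
                       body_translation: bool = False,
                       content_types: Tuple[str, ...] = ("text/html",),
                       dictionary: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, str], str]:
    """Header link translation is always on; body translation only when enabled
    and only for the selected content types."""
    dictionary = dictionary or {}
    out: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            value = translate_links(value, server, public_name, server_port, dictionary)
        out[name] = value
    ctype = out.get("Content-Type", "").split(";")[0].strip().lower()
    if body_translation and ctype in content_types:
        body = translate_links(body, server, public_name, server_port, dictionary)
    return out, body


# Constructed response from Internal_IIS_A, published as www.wingtiptoys.com.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "Location": "http://Internal_IIS_A/news/"}
SAMPLE_BODY = ('<a href="http://Internal_IIS_A/news/today.htm">News</a>\n'
               '<a href="http://Internal_IIS_B/loans">Loans</a>\n'          # other server
               '<a href="http://Internal_IIS_A:8080/admin">Admin</a>\n'    # other port
               '<a href="/sports">Sports</a>')                             # relative link


def demo(body_translation: bool = True, with_dictionary: bool = True) -> Tuple[Dict[str, str], str]:
    dictionary = {"Internal_IIS_B": "www.woodgrovebank.com"} if with_dictionary else None
    return translate_response(SAMPLE_HEADERS, SAMPLE_BODY, server="Internal_IIS_A",
                              public_name="www.wingtiptoys.com",
                              body_translation=body_translation, dictionary=dictionary)


if __name__ == "__main__":
    hdrs, page = demo()
    print(hdrs["Location"])
    print(page)
```

Because dictionary entries are literal text replacements, keep them as specific as possible (a full host name rather than a fragment), otherwise unrelated text on the page that happens to contain the internal name is rewritten as well.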

Allowing delegation of Basic authentication

ISA Server can handle user authentication when the request arrives at the external listener, and then pass the authentication information to the Web server so that the user does not have to supply credentials again. To do so, perform the following procedure:

1. In the properties of the Web publishing rule, select the Users tab.

2. Select Forward Basic authentication credentials (Basic delegation).

3. Click OK to close the Web publishing rule properties dialog box.

Configuring HTTP policy

ISA Server is an application-layer firewall, and applies a Web filter to HTTP traffic. Because ISA Server can examine HTTP requests, applications that are tunneled through HTTP can be blocked, depending on how you configure the HTTP Web filter. This additional protection offers you the ability to reduce the vulnerability of published servers to malicious requests.

The HTTP Web filter also provides granular control over the HTTP requests allowed by your firewall policy. You can configure HTTP policy, which encompasses the following settings:

• Request header maximum length

• Request payload length

• Configure URL protection

• Block executables

• Allow or block methods

• Specify actions for specific file extensions

• Deny specific headers

• Modify Server and Via headers

• Block specific signatures

For more information, see HTTP Filtering in ISA Server 2004 (http://www.microsoft.com).

To configure HTTP policy, follow this procedure:

1. In the properties of the Web publishing rule, select the Traffic tab.

2. Click Filtering and select Configure HTTP to open the Configure HTTP policy for rule dialog box.

3. Select the appropriate tab and configure the policy settings.
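To show what the settings in that list do to real traffic, here is an added Python request and response checker, not ISA Server code, that models each of them: header and payload length limits, URL protection (rejecting double-encoded URLs), allowed methods, blocked extensions, denied headers, signature blocking, Server and Via header modification, and blocking of executable content in responses. The policy values, the sample requests and the function names are constructed for this illustration and are not the product's defaults.

```python
# Added example (not ISA Server code): a request/response checker modelled on the
# HTTP policy settings listed above. Policy values, sample requests and the
# function names are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class HttpPolicy:
    max_header_length: int = 32768            # Request header maximum length (bytes)
    max_payload_length: Optional[int] = None  # Request payload length; None = no limit
    verify_normalization: bool = True         # URL protection: reject double-encoded URLs
    block_high_bit: bool = True               # URL protection: reject non-ASCII characters
    block_executables: bool = True            # Block executables (Windows PE content in responses)
    allowed_methods: Set[str] = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    blocked_extensions: Set[str] = field(default_factory=lambda: {".exe", ".dll", ".bat", ".cmd"})
    denied_headers: Set[str] = field(default_factory=lambda: {"translate"})
    signatures: List[Tuple[str, str]] = field(default_factory=lambda: [("url", "..")])
    server_header: Optional[str] = ""         # Modify Server header: "" strips it, None sends the original
    via_header: Optional[str] = None          # Modify Via header: None keeps the proxy default


@dataclass
class Request:
    method: str
    url: str                     # path and query exactly as received
    headers: Dict[str, str]
    body: bytes = b""


def inspect_request(req: Request, policy: HttpPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason); the first failing check blocks the request."""
    raw_headers = "".join(f"{k}: {v}\r\n" for k, v in req.headers.items())
    if len(raw_headers.encode("latin-1", "replace")) > policy.max_header_length:
        return False, "request headers exceed maximum length"
    if policy.max_payload_length is not None and len(req.body) > policy.max_payload_length:
        return False, "request payload exceeds maximum length"
    if req.method.upper() not in policy.allowed_methods:
        return False, f"method {req.method} not allowed"
    if policy.block_high_bit and any(ord(c) > 127 for c in req.url):
        return False, "high-bit characters in URL"
    # URL protection: decode once; a URL that still contains % escapes was encoded
    # twice, so the Web server and the filter could see different paths. Reject it.
    decoded = unquote(urlsplit(req.url).path)
    if policy.verify_normalization and "%" in decoded:
        return False, "URL is not normalized (double encoding)"
    filename = decoded.rsplit("/", 1)[-1]
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext in policy.blocked_extensions:
        return False, f"extension {ext} blocked"
    present = {k.lower() for k in req.headers}
    for name in policy.denied_headers:
        if name.lower() in present:
            return False, f"header {name} denied"
    for location, text in policy.signatures:
        haystack = {"url": decoded, "headers": raw_headers}.get(location, req.body.decode("latin-1"))
        if text in haystack:
            return False, f"signature {text!r} matched in {location}"
    return True, "allowed"


def scrub_response(headers: Dict[str, str], body: bytes,
                   policy: HttpPolicy) -> Tuple[Optional[Dict[str, str]], str]:
    """Response side: block executable content and hide server details."""
    if policy.block_executables and body[:2] == b"MZ":
        return None, "blocked executable content"
    out = dict(headers)
    if policy.server_header is not None:
        if policy.server_header == "":
            out.pop("Server", None)               # strip the IIS version banner
        else:
            out["Server"] = policy.server_header  # replace it with a neutral value
    if policy.via_header is not None:
        out["Via"] = policy.via_header
    return out, "ok"


POLICY = HttpPolicy(max_payload_length=1024)

# Constructed sample requests; all but the first should be blocked.
SAMPLES = [
    Request("GET", "/news/today.htm", {"Host": "www.fabrikam.com"}),
    Request("TRACE", "/", {"Host": "www.fabrikam.com"}),
    Request("GET", "/downloads/setup.exe", {"Host": "www.fabrikam.com"}),
    Request("GET", "/news/%252e%252e/web.config", {"Host": "www.fabrikam.com"}),
    Request("POST", "/news/post.asp", {"Host": "www.fabrikam.com"}, b"x" * 2048),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.method, r.url, "->", inspect_request(r, POLICY))
    print(scrub_response({"Server": "Microsoft-IIS/6.0"}, b"<html>", POLICY))
```

The check order matters: cheap size limits run first, and the URL is decoded exactly once before extension and signature tests so that those tests see the same path the Web server will. Set `max_payload_length` to the largest upload the published application legitimately accepts; the limit is per rule, so a site that only serves pages can be far stricter than one that takes form posts.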

Publishing a Web Server Walk-through Procedure 7: Test the Web Publishing Configuration

On a computer in the External network (any computer outside of your corporate networks with a connection to the Internet), open Internet Explorer, and type the URL of the Web site, such as http://www.fabrikam.com/news. Verify that you reach the intended page on the published Web server.

Note
The URL of the Web site must resolve to the IP address used by the Web listener of the ISA Server array for the request to be received by the array.

Publishing a Web Server Walk-through Procedure 8: View Web Site Access Information in the ISA Server Log

ISA Server will log the requests that match the Web publishing rule. To view the information in the log, perform the following steps:

1. In the Microsoft ISA Server Management console tree, select Monitoring.

2. In the Monitoring details pane, select Logging.

3. Create a filter so that you receive only the log information regarding Web site access attempts. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. The filter has three default conditions, specifying that log information from both the firewall and the Web Proxy should be provided, that the log time is Live, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query.

4. From the list of entries, select Log Time. From the Condition drop-down menu, select Last 24 Hours, and then click Update.

5. From the list of entries, select Log Record Type. From the Value drop-down menu, select Web Proxy Filter, and then click Update.

6. You can add another expression by selecting an item from the Filter by drop-down menu, and then providing a Condition and Value. For example, to limit the log to display access to your published Web servers, in addition to the expression Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, which you modified in Step 5, you can add Filter by: Service, Condition: Equals, and Value: Reverse Proxy.

7. After you have created an expression, click Add To List to add it to the query list, and then click Start Query to start the query. The Start Query command is also available in the task pane on the Tasks tab.

Appendix A: Using the New Web Publishing Rule Wizard

This procedure describes the New Web Publishing Rule Wizard in general terms. Use the properties that you determined in the design phase when creating your rule. To use the New Web Publishing Rule Wizard, follow these steps:

1. Open Microsoft ISA Server Management, expand the ISA Server array node, and click Firewall Policy.

2. In the task pane, on the Tasks tab, click Publish a Web Server, to start the New Web Publishing Rule Wizard.

3. On the Welcome page, in the Web publishing rule name field, type a name for the rule, such as Publish internal Web server, and click Next.

4. On the Select Rule Action page, ensure that the default Allow is selected, which will allow requests to reach your Web server according to the conditions set by the rule. Click Next.

5. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the computer. In this example, the computer is called Internal_IIS. Verify that Forward the original host header is not selected. This is the default condition. (For more information, see Original Host Headers in this document.) In Path, you can specify the Web site folder that you want to publish, such as News. If you leave this field blank, you will be publishing the entire site. The use of the Path field is described later in this document. Click Next.

6. On the Public Name Details page, provide information regarding what requests will be received by the ISA Server array and forwarded to the Web server. In Accepts requests for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server array will be forwarded to your Web site. If you select This domain name and provide a specific domain name, such as www.fabrikam.com, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server array, only requests for http://www.fabrikam.com will be forwarded to the Web server. If you specify a folder in Path, such as News, that would also be required in the request: http://www.fabrikam.com/news. The required request format is shown in Site. Click Next.

Note
If you will be publishing under more than one domain name, such as www.fabrikam.com and www.adatum.com, you should specify the domain name in this step (do not select Any domain name), so that separate Web publishing rules for the two domains will route requests to the correct sites. Publication of multiple domain names is described in Publishing two Web server folders to two domain names in this document.

7. On the Select Web Listener page, specify the Web listener that will listen for Web page requests that should be redirected to your Web server, and then click Next. If you have not defined a Web listener, click New and follow these steps to create a new listener:

   1. On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for internal Web publishing, and then click Next.

   2. On the IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapters of ISA Server. Therefore, select External. Do not click Next.

   3. Before you click Next, on the IP Addresses page, click the Address button to open the External Network Listener IP Selection dialog box. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.

   4. Click OK to close the External Network Listener IP Selection dialog box, and on the IP Addresses page, click Next.

   5. On the Port Specification page, the TCP port is set to 80 (default setting). If you want to receive HTTPS requests, select Enable SSL, verify that the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. This requires that you have a digital certificate installed on each member of the ISA Server array. For more information about certificates, see Digital Certificates for ISA Server 2004 (http://www.microsoft.com). Click Next.

   6. On the Completing the New Web Listener Wizard page, review the settings, and click Finish. On the Select Web Listener page, click Next.

8. On the User Sets page, make sure the default, All Users, is displayed. This will allow any computer in the External network to access the published Web pages. Note that to restrict access to specific users, use the Remove button to remove All Users, and the Add button to access the Add Users dialog box. Click Next.

9. On the Completing the New Web Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and click Finish.

10. In the ISA Server details pane, click Apply to apply the changes you have made.

Appendix B: Creating Rule Elements

To create a rule element, follow this general procedure:

1. Open Microsoft ISA Server Management, expand Arrays, expand the ISA Server array node, and click Firewall Policy.

2. In the task pane, select the Toolbox tab.

3. Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element.

4. At the top of the list of elements, click New.

5. Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created.

6. Click Apply in the details pane to apply changes. If you prefer, you can click Apply after you have created your Web publishing rules (after you have made all of your changes, rather than after each change). It will take a few moments for the changes to be applied.

Note
You can also create enterprise level rule elements that can be used in the creation of enterprise policy. Follow the same procedure, but in the Enterprise node, under Enterprise Policies.

More Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance Page (http://www.microsoft.com).