MCSE Training Kit 10070100227 ISA Server2000 [Electronic resources] - text version

Thomas Lee

Lesson 1 Publishing Servers Securely


ISA Server uses server publishing to process incoming requests to internal servers. Requests are forwarded downstream to an internal server that is located behind the ISA Server computer.

Server publishing is configured through server publishing rules. You create a server publishing rule by using the New Server Publishing Rule wizard in the ISA Management console. You modify an existing server publishing rule from the properties dialog box of the rule created in the console.

After this lesson, you will be able to


Publish an internal network server behind ISA Server

Publish a server securely on the ISA Server computer

Publish a server securely on a perimeter network


Estimated lesson time: 35 minutes

Publishing Policy Rules

You can use ISA Server to configure a publishing policy, which consists of server publishing rules and Web publishing rules. Server publishing rules filter all incoming requests and then map these requests to the appropriate servers that are protected by the ISA Server services. Web publishing rules map incoming requests to the appropriate Web servers behind the ISA Server.

When you install ISA Server, you specify the installation mode: Firewall, Cache, or Integrated. The installation mode you choose affects which publishing policy rule types are available, as shown in Table 6.1.

Table 6.1 Publishing Rule Availability

Rule type                  Firewall   Cache   Integrated
Web publishing rules       No         Yes     Yes
Server publishing rules    Yes        No      Yes

Server Publishing Rules

Server publishing allows computers on your internal network to securely publish services to the Internet. Security is not compromised because all incoming requests and outgoing responses pass through ISA Server. When a server is published by an ISA Server computer, the Internet Protocol (IP) address that is published is the external IP address of the ISA Server computer. A remote user requesting published services, files or objects communicates directly with the ISA Server computer—whose name or IP address is specified by the requester. After this, the ISA Server computer makes the request on behalf of the user to the appropriate publishing server on your internal network. External users thus communicate with protected publishing servers indirectly through ISA Server.

Server publishing rules essentially filter all requests through the ISA Server computer and then map those requests to the appropriate servers behind the ISA Server computer. These rules grant access dynamically (only as needed) from Internet users to the appropriate publishing server.

The publishing server is a secure network address translation (SecureNAT) client: it does not need to have Firewall Client installed and enabled. Because the publishing server is treated as a SecureNAT client, no special configuration of the publishing server is required after the server publishing rule is created on the ISA Server computer. Note that the IP address assigned to the ISA Server's internal network interface card (NIC) must be configured as the default gateway on the publishing server.

How Server Publishing Works

ISA Server takes these steps to fulfill requests for internal servers:


A client computer on the Internet requests an object from an IP address known as that of the publishing server. This IP address, however, is actually associated with the ISA Server computer—it is the IP address of the external interface card belonging to the ISA Server computer.

The ISA Server computer processes the request, mapping the IP address to an internal IP address of an internal server. It then makes the request to the internal server on behalf of the external client.

The internal server returns the object to the ISA Server computer, which passes it on to the requesting client.


Follow these steps to create a server publishing rule:

1. In the console tree of ISA Management, expand the Publishing node, right-click the Server Publishing Rules folder, point to New, and then click Rule.
2. In the New Server Publishing Rule wizard, type the name of the server publishing rule, and then click Next.
3. On the Address Mapping screen (shown in Figure 6.1), type the IP address of the internal server that is being published. Also, type the external IP address of the ISA Server.

   Figure 6.1 Address mapping for server publishing

4. On the Protocol Settings screen (shown in Figure 6.2), select the server protocol to which the rule applies.

   Figure 6.2 Selecting a protocol for server publishing

5. On the Client Type screen, specify whether the rule applies to all clients or to a specific client address set.

For array members, if enterprise policy settings are configured so that publishing is not allowed, you will not be able to create a server publishing rule.

Server Publishing Rule Actions

A rule action refers to the action applied to a request by a given rule. You can configure the rule action of a new server publishing rule in the Address Mapping and Protocol Settings screens of the New Server Publishing Rule wizard. You can modify the rule action of an existing rule on the Action tab of the rule's properties, which you can access in ISA Management. In either case, when you configure the action of a server publishing rule, you specify the following:


IP address of the ISA Server. This is the address made available to external clients. When external clients communicate with the publishing server, they actually are communicating with this IP address.

IP address of the publishing server. All requests arriving to the IP address specified on the ISA Server are forwarded to this IP address.

Mapped server protocol. The data passed to the internal server depends on which protocol you specify here. You can select from all protocol definitions configured on the ISA Server with, at minimum, an Inbound direction. Protocol definitions are listed and configured in the Protocol Definitions folder of the Policy Elements node.


Sample Rule Action

Suppose you want to allow external clients access to an SMTP server, whose IP address is 111.111.111.111, and which listens on port 25. You create a server publishing rule with the following parameters:


Internal server IP address set to 111.111.111.111

External address on ISA Server set to an IP address on the external interface card belonging to the ISA Server computer

Mapped server protocol set to SMTP Server


Follow these steps to modify the action for an existing server publishing rule:

1. In the console tree of ISA Management, open the Publishing node and click the Server Publishing Rules folder.
2. On the View menu, click Advanced.
3. In the details pane, right-click the appropriate server publishing rule, and then click Properties.
4. On the Action tab, in the IP Address Of Internal Server text box, type the address of the internal server that you want to make available to external users.
5. In the External IP Address On ISA Server text box, type an IP address on one of the ISA Server computer's external interface cards that will be accessed by external clients.
6. In the Mapped Server Protocol drop-down list box, click a protocol definition that can be used by external clients to access the computer.

Client Address Sets

When you configure a server publishing rule to apply to a client address set, you limit the action of the server publishing rule to apply only to the set of requesting computers you specify. These sets are not defined in the server publishing rule itself but in the Policy Elements node in ISA Management.

Follow these steps to configure clients for an existing server publishing rule:

1. In the console tree of ISA Management, expand the Publishing node and click the Server Publishing Rules folder.
2. On the View menu, click Advanced.
3. In the details pane, right-click the applicable rule, and then click Properties.
4. To specify clients for the rule, on the Applies To tab, do one of the following:
   - Click the Any Request radio button.
   - Click the Client Address Sets Specified Below radio button.
5. If you clicked the Client Address Sets Specified Below radio button, do the following:
   - To add clients to the Applies To Requests Coming From area, click the accompanying Add button.
   - To add clients to the Exceptions area, click the accompanying Add button.

For server publishing rules, client address sets typically include addresses of computers on the Internet.
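The following is an added model of how a server publishing rule maps a request, covering the three steps in "How Server Publishing Works", the rule action fields, the SMTP sample rule and the Applies To / Exceptions semantics of client address sets. It is illustration code, not ISA Server's own implementation; the ISA external address 203.0.113.10 and the client address sets 198.51.100.0/24 and 198.51.100.7 are constructed samples.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class ProtocolDefinition:
    name: str
    port: int
    proto: str        # "TCP" or "UDP"
    direction: str    # "Inbound" or "Outbound"; only Inbound definitions can be mapped

@dataclass
class ServerPublishingRule:
    name: str
    external_ip: str                # address on the ISA Server's external NIC
    internal_ip: str                # the publishing server (a SecureNAT client)
    protocol: ProtocolDefinition    # mapped server protocol
    applies_to: list = field(default_factory=list)   # client address sets; empty = Any Request
    exceptions: list = field(default_factory=list)   # client address sets never served

    def __post_init__(self):
        # The wizard only offers definitions with an Inbound direction.
        if self.protocol.direction != "Inbound":
            raise ValueError(f"{self.protocol.name}: mapped protocol must be Inbound")

    def client_allowed(self, client_ip):
        addr = ip_address(client_ip)
        if any(addr in ip_network(net) for net in self.exceptions):
            return False   # an exception wins even if the address is also in applies_to
        return not self.applies_to or any(addr in ip_network(net) for net in self.applies_to)

def map_request(rules, client_ip, dst_ip, dst_port, proto="TCP"):
    """Return (internal_ip, port) the request is forwarded to, or None if no rule applies.
    The external client only ever talks to dst_ip, an ISA Server address; the rule
    supplies the internal address that ISA Server contacts on the client's behalf."""
    for rule in rules:
        if (dst_ip, dst_port, proto) == (rule.external_ip, rule.protocol.port, rule.protocol.proto) \
                and rule.client_allowed(client_ip):
            return rule.internal_ip, rule.protocol.port
    return None

SMTP_SERVER = ProtocolDefinition("SMTP Server", 25, "TCP", "Inbound")
FTP_SERVER = ProtocolDefinition("FTP Server", 21, "TCP", "Inbound")

# Constructed sample: the lesson's SMTP rule (111.111.111.111) and the practice's FTP rule
# (192.168.0.2), both on constructed ISA external address 203.0.113.10; the FTP rule is
# limited to one client address set minus one excepted host.
RULES = [
    ServerPublishingRule("SMTP", "203.0.113.10", "111.111.111.111", SMTP_SERVER),
    ServerPublishingRule("FTP Server", "203.0.113.10", "192.168.0.2", FTP_SERVER,
                         applies_to=["198.51.100.0/24"], exceptions=["198.51.100.7/32"]),
]
```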


Server Publishing Rules and IP Packet Filters

Server publishing rules and IP packet filters both open specific ports for communication between the local network and the Internet. In most situations, you use server publishing rules to make internal servers accessible to external clients.

However, in some cases, such as the following, you must use IP packet filters instead of publishing rules:


When you are publishing servers that are located on a perimeter network, to make the servers accessible to external clients

When you are publishing services that are located on the ISA Server computer itself


Publishing Servers on a Perimeter Network

You configure server publishing rules to allow external clients access to servers situated on the local network. For example, you might want to publish an internal FTP server. In this case, you would simply create a server publishing rule with the following configuration:


IP address of the internal server set to the IP address of the FTP server

External IP address on ISA Server set to an IP address on the external interface card belonging to the ISA Server computer

The FTP Server protocol selected

Client type set to Any User, Group, Or Client Computer to allow all external clients access to the FTP server


Suppose, however, that the server you want to publish is located on a perimeter network, rather than on the local network. In this case, you must use IP packet filters to open a port on the server. For example, suppose you want to publish an FTP server located on the perimeter network. Create an IP packet filter from the New IP Packet Filter wizard with the following configuration:

1. On the Servers screen, set the filter for all ISA Server computers in the array.
2. On the Filter Mode screen, select to create the filter to allow packet transmission.
3. On the Filter Type screen, select a custom filter.
4. On the Filter Settings screen, configure the following settings:
   - IP Protocol to TCP
   - Direction to Both
   - Local Port Fixed to 21
   - Remote Port to All Ports
5. On the Local Computer screen, select the option to specify a computer on the perimeter network and then type the IP address of the FTP server.
6. On the Remote Computers screen, select the option that specifies all remote computers.

Server on the Same Computer as ISA Server

Another case that requires an IP packet filter instead of a publishing rule to publish a server is when the publishing server is located on the same computer as ISA Server. If you want to allow communication through to the specific port used by the publishing server, you must create an IP packet filter and not server publishing rules. For example, ISA Server includes a preconfigured IP packet filter, named DNS Filter, which allows DNS queries on the ISA Server computer itself.
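The following is an added model of the custom IP packet filter built above for the perimeter FTP server, and of the same mechanism applied to a service on the ISA Server computer itself. It is illustration code, not ISA Server's own implementation; the addresses 203.0.113.20 (perimeter FTP server) and 203.0.113.1 (ISA Server external interface), the packet tuples, and the UDP port 53 filter are constructed samples, and the latter does not reproduce the settings of the preconfigured DNS Filter.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PacketFilter:
    """One custom IP packet filter as built by the New IP Packet Filter wizard."""
    name: str
    mode: str                       # Filter Mode: "Allow" or "Block"
    ip_protocol: str                # "TCP", "UDP" or "Any"
    direction: str                  # "Inbound", "Outbound" or "Both"
    local_port: Optional[int]       # fixed local port; None = All Ports
    remote_port: Optional[int]      # fixed remote port; None = All Ports
    local_computer: str             # ISA Server external IP or a perimeter host IP
    remote_computer: Optional[str]  # None = all remote computers

    def matches(self, pkt):
        # "Local" is the ISA/perimeter side of the packet, "remote" the Internet side.
        if pkt["direction"] == "Inbound":
            local_ip, local_port = pkt["dst"], pkt["dport"]
            remote_ip, remote_port = pkt["src"], pkt["sport"]
        else:
            local_ip, local_port = pkt["src"], pkt["sport"]
            remote_ip, remote_port = pkt["dst"], pkt["dport"]
        return (self.ip_protocol in ("Any", pkt["proto"])
                and self.direction in ("Both", pkt["direction"])
                and self.local_port in (None, local_port)
                and self.remote_port in (None, remote_port)
                and self.local_computer == local_ip
                and self.remote_computer in (None, remote_ip))

def evaluate(filters, pkt):
    """Block filters take precedence; a packet that no Allow filter matches is dropped."""
    if any(f.mode == "Block" and f.matches(pkt) for f in filters):
        return "Block"
    if any(f.mode == "Allow" and f.matches(pkt) for f in filters):
        return "Allow"
    return "Drop"

# Constructed sample addresses: 203.0.113.20 is the FTP server on the perimeter
# network, 203.0.113.1 the ISA Server computer's own external interface.
FILTERS = [
    # The lesson's filter: TCP, Both, Local Port Fixed 21, Remote Port All Ports.
    PacketFilter("FTP on perimeter", "Allow", "TCP", "Both", 21, None, "203.0.113.20", None),
    # A service on the ISA Server computer itself is filtered the same way, with the
    # local computer set to the ISA Server's own address (constructed; not the
    # preconfigured DNS Filter's actual settings).
    PacketFilter("DNS on ISA Server", "Allow", "UDP", "Both", 53, None, "203.0.113.1", None),
]
```

Because the filter fixes the local port at 21, it admits only the FTP control channel; FTP data connections use other ports and are not matched by it, so they need separate consideration.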

Practice: Publishing an Internal Server

Exercise 1: Creating a Publishing Rule on Server1

In this exercise, you create a publishing rule that allows all FTP requests to be forwarded through ISA Server to Server2. Complete this exercise on Server1.


1. Verify that Server1 is connected to the Internet through the dial-up connection. If it isn't connected, establish a connection to the Internet now.
2. Open the ISA Management console.
3. In the console tree, expand MyArray, and then navigate to the Publishing node.
4. Expand the Publishing node.
5. Right-click the Server Publishing Rules folder, point to New, and then click Rule.

   The New Server Publishing Rule wizard appears.

6. In the Server Publishing Rule Name text box, type FTP Server, and then click Next.

   The Address Mapping screen appears.

7. In the IP Address Of Internal Server text box, type 192.168.0.2.
8. Click the Browse button.

   A message box appears, displaying the external address of your ISA Server computer.

9. Verify that the external IP address is selected, and then click OK.

   The computer's external IP address appears in the External IP Address On ISA Server text box. Note that this rule is valid only for the current Internet session since your IP address might change every time you dial into your Internet Service Provider (ISP).

10. Enter the external IP address here:
11. Click Next.

   The Protocol Settings screen appears.

12. In the Apply The Rule To This Protocol drop-down list box, select FTP Server, and then click Next.

   The Client Type screen appears.

13. Leave the default set to Any Request, and then click Next.

   The Complete The New Server Publishing Rule Wizard screen appears.

14. Click Finish.
15. Restart the ISA Server services in ISA Management before proceeding to Exercise 2.

Exercise 2: Verifying the FTP Server Connection

In this exercise, you establish an FTP connection to the external IP address of your ISA Server computer. Though your published FTP server is configured on an internal server (Server2) and not on the ISA Server computer itself, the new server publishing rule created in Exercise 1 allows the FTP server to appear as if it is hosted on Server1.


1. Log on to Server1 as Administrator.
2. Point to Start and then Run.

   The Run dialog box appears.

3. In the Open box, type cmd and click OK to open a command prompt.

   A command prompt appears.

4. At the command prompt, type ftp <external IP address>, where <external IP address> is the external IP address of the ISA Server computer assigned to you by your ISP and upon which your publishing rule was based in Exercise 1. You recorded this number in step 10 of Exercise 1.
5. Press Enter.

   On the console screen, you will receive a message indicating that you are connected to the FTP Server and prompting you to enter your user name. This message shows that the new publishing rule has allowed you to connect from the Internet to the FTP service configured on Server2.

6. Type anonymous.

   You will receive a message indicating that anonymous access is allowed and prompting you for a password.

7. Enter an empty password by pressing the Enter key.

   The FTP prompt appears.

8. At the FTP prompt, type quit.

   You will return to the command prompt.

9. Close the command prompt window.

Lesson Summary

Through the use of server publishing rules, ISA Server processes incoming requests to internal servers, such as SMTP servers, FTP servers, and database servers. Server publishing allows virtually any computer on your internal network to publish to the Internet. Security is not compromised because all incoming requests and outgoing responses pass through ISA Server. Like site and content rules and protocol rules, server publishing rules open TCP ports for service requests dynamically, or only as needed.

When a server is published by ISA Server, the IP address of the published server that is visible to the outside world is actually the IP address or addresses of the ISA Server computer. Server publishing rules then map incoming requests from the ISA Server computer to the appropriate server on the local network. ISA Server makes the request to this local server on behalf of the external client, and then responds to the external client on behalf of the local server. To create a server publishing rule, you use the New Server Publishing Rule wizard. You modify an existing server publishing rule from the rule's Properties dialog box in ISA Management.

If you want to publish a server on a perimeter network, or if you want to publish a server on the ISA Server computer itself, you must configure IP packet filters in ISA Server instead of publishing rules.
