Lesson 2 Publishing Web Servers Securely
When you publish a Web server behind ISA Server, ISA Server receives requests on behalf of the internal Web server. When a client on the Internet requests an object from a published Web server, the request is actually sent to an external address on the ISA Server computer. Web publishing rules configured on the ISA Server computer then forward the request to the internal Web server. The published Web server itself requires no special configuration.
To create a new publishing rule, use the New Web Publishing Rule wizard. This wizard is started from the Web Publishing Rules folder located below the Publishing node. You modify an existing Web publishing rule from the rule's Properties dialog box in ISA Management.
After this lesson, you will be able to
Publish an internal network Web server behind ISA Server
Publish a Web server securely on the ISA Server computer
Estimated lesson time: 45 minutes
Web Publishing Rules
ISA Server uses Web publishing rules to let you publish Web content to the Internet without exposing the internal network. Web publishing rules determine how ISA Server should intercept incoming Hypertext Transfer Protocol (HTTP) requests destined for an internal Web server and how ISA Server should respond on behalf of that Web server. When a rule determines that a request should be forwarded rather than dropped, the request is sent on to an internal Web server located behind the ISA Server computer. If possible, the request is served from the ISA Server cache instead.
To enhance security, do not enable directory browsing on the published Web server. Likewise, do not configure the Web server for Digest or Basic authentication: the challenge these methods send back to the client can expose the Web server's internal name or IP address to the external user.
Destination Sets and Client Sets
When configuring Web publishing rules, such as by using the New Web Publishing Rule wizard (shown in Figure 6.3), you are given the option to specify a destination set for the Web publishing rule. For Web publishing rules, destination sets usually include a domain name whose IP address maps to your ISA Server computer. A path may also be included in a destination set if you want your publishing rule to apply directory-specific or file-specific actions to Web requests. (For example, you may want to direct a Web request for http://www.microsoft.com/example to one particular server and a Web request for http://www.microsoft.com/marketing to another internal server.) Client address sets usually include addresses of clients located on the Internet, as opposed to clients located on your internal corporate network. Client address sets ease administration by allowing you to group clients that are granted or denied access to a Web publishing server.
Destination sets and client address sets are created and administered from folders below the Policy Elements node.

Figure 6.3 Publishing the hosted destination set
Follow these steps to create a Web publishing rule:
In the console tree of ISA Management, right-click Web Publishing Rules, point to New, and then click Rule.
In the New Web Publishing Rule wizard, type the name of the rule, and then click Next.
On the Destination Sets screen, select the destination set that contains the public name or external IP address that Internet clients use to reach the server you are publishing (that name or address resolves to the ISA Server computer, not to the internal server), then click Next.
On the Client Type screen, select whether the rule applies to all users or to specific client address sets or users, then click Next.
On the Rule Action screen, specify how client requests should be directed.
For array members, if enterprise policy settings are configured so that publishing is not allowed, you will not be able to create a Web publishing rule.
Web Publishing Rule Actions
As shown in Figure 6.4, Web publishing rule actions are configured on the Rule Action screen of the New Web Publishing Rule wizard. Rule actions for Web publishing rules either discard HTTP requests targeted for specific destination sets or redirect those requests to an alternate site, usually to a Web server on your corporate network.

Figure 6.4 Redirecting Web requests to an internal server
Follow these steps to configure an action for an existing Web publishing rule:
In the console tree of ISA Management, click Web Publishing Rules.
On the View menu, click Advanced.
In the details pane, right-click the applicable Web publishing rule, and then click Properties.
On the Action tab, do one of the following:
To refuse requests, click the Discard The Request radio button.
To forward requests to the server or servers used for Internet publishing, click the Redirect The Request To This Internal Web Server (Name Or IP Address) radio button.
If you clicked the Redirect The Request To This Internal Web Server (Name Or IP Address) radio button, do the following:
Type the IP address or domain name of the internal Web server to which requests should be redirected.
In Connect To This Port When Bridging Request As HTTP, type the port to use for HTTP requests. By default, the HTTP port is configured to 80.
In Connect To This Port When Bridging Request As SSL, type the port to use for HTTPS (HTTP over Secure Sockets Layer) requests. By default, the SSL port is configured to 443.
In Connect To This Port When Bridging Request As FTP, type the port to use for File Transfer Protocol (FTP) requests. By default, the FTP port is configured to 21.
SSL and HTTP Bridging
By accessing the Bridging tab of a Web publishing rule's properties, as shown in Figure 6.5, you can configure how incoming HTTP requests should be redirected to the internal server: as HTTP requests, as Secure Sockets Layer (SSL) requests, or as FTP requests. If the request is redirected as an SSL request, ISA Server encrypts it on the internal leg; if it is redirected as HTTP, the request crosses the internal network in cleartext.
You can also bridge SSL communication. That is, if the initial communication from the client uses SSL, ISA Server terminates that SSL session (so the incoming Web request listener must hold a server certificate for the published name) and can then pass the request to the internal Web server as HTTP, SSL, or FTP. If requests are redirected as SSL requests, ISA Server re-encrypts the packets before passing them on to the Web server. That is, a new secure channel is established for the communication with the SSL Web server, separate from the one the client negotiated with ISA Server.
When you configure HTTP or SSL requests to be passed on as an FTP request to the Web server, ISA Server redirects the requests to the internal Web server using FTP. If you configure bridging in this way, you can specify which port should be used when bridging FTP requests.
Finally, if the internal Web server requires a client certificate, you can configure ISA Server to authenticate with a specific client-side certificate.

Figure 6.5 Configuring bridging properties for a Web publishing rule
Rule Order
For each incoming Web request, Web publishing rules are processed in order. When a rule matches a request, the request is routed and cached accordingly. If no rule matches the request, ISA Server processes the default rule, which discards the request. If you have created two or more Web publishing rules in addition to the default rule, you may change the order of those rules at any time.
Default Web Publishing Rule
When you install ISA Server, it configures a default Web publishing rule. The default rule is configured so that all requests are discarded. The default Web publishing rule is last in the order. You cannot modify or delete the default Web publishing rule.
Follow these steps to change the order of a Web publishing rule:
In the console tree of ISA Management, click Web Publishing Rules.
On the View menu, click Advanced.
In the details pane, right-click the rule whose order you want to change, and then click Move Up or Move Down.
Repeat as necessary to arrange the rules in the desired order.
You cannot change the position of the default rule.
Sample Web Publishing Rule
Suppose you want to publish two internal Web servers in the domain example.microsoft.com, one called Dev and the other called Mktg. Though the IP address of the example.microsoft.com domain corresponds to the external interface of the ISA Server computer, you would like the internal server Mktg to respond when a client requests example.microsoft.com/Marketing, and the internal server Dev to respond when a client requests example.microsoft.com/Development.
To achieve this goal, you first create two destination sets. The first destination set, called Marketing, should include the computer example.microsoft.com and the path /Marketing/*. The second destination set, called Development, should include the computer example.microsoft.com and the path /Development/*.
Next, create two Web publishing rules that redirect requests to the appropriate internal Web servers. Configure the first Web publishing rule with the following parameters:
Destination Set configured to the Marketing destination set
Applies To set to Any User, Group, Or Client Computer
For the rule action, Redirect To A Hosted Site and Mktg specified as the host
When a client requests an object under example.microsoft.com/Marketing, ISA Server retrieves that object from the same path on the internal server, Mktg/Marketing.
Configure the second Web publishing rule with the following parameters:
Destination Set configured to the Development destination set
Applies To set to Any User, Group, Or Client Computer
For the rule action, Redirect To A Hosted Site and Dev specified as the host
When a client requests an object under example.microsoft.com/Development, ISA Server retrieves that object from the same path on the internal server, Dev/Development.
Publishing a Web Server on the Local Network
Follow these steps to publish an internal Web server behind the ISA Server firewall:
Verify that the DNS server maps the fully qualified domain name to the external IP address of the ISA Server computer. Internet clients use the domain name to request content.
Configure the ISA Server incoming Web request properties. The IP address should include the IP address of the external interface.
Create a destination set called Marketing, which should include the computer example.microsoft.com and the path /Marketing/*.
Create a destination set called Development, which should include the computer example.microsoft.com and the path /Development/*.
Configure a Web publishing rule with the following parameters:
Destination Set configured to the Marketing destination set
Applies To set to Any User, Group, Or Client Computer
For rule action, Redirect To A Hosted Site selected, and Mktg specified as the host
Configure the second Web publishing rule with the following parameters:
Destination Set configured to the Development destination set
Applies To set to Any User, Group, Or Client Computer
For rule action, Redirect To A Hosted Site selected, and Dev specified as the host
Publishing a Web Server Hosted on the ISA Server Computer
By default, both a Web server such as IIS and the ISA Server incoming Web request listener use port 80. Hosting a Web server on the ISA Server computer therefore leads to a conflict if the default HTTP port settings are not changed. To avoid such a conflict, configure the Web server so that it listens on a port other than 80. Then, modify the ISA Server Web publishing rule so that ISA Server forwards the requests to that port on the Web server.
For example, you can configure the Web server to listen on port 9999. Then, create a Web publishing rule with the following parameters:
Destination Set configured to a destination set that includes the IP address of the ISA Server computer
For rule action, Route Requests To An Alternate Site selected
Site configured to the host name of the Web server
Port set to 9999
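The rule evaluation described in the sample above (two destination sets with path filters, first-match processing, the non-removable default rule that discards everything) and in the local-host case just described (redirecting to an alternate port) can be modeled in a few dozen lines. The following Python is an added example, not ISA Server code or anything from the lesson: the class names, the public address 203.0.113.10, the client address 198.51.100.7 and the "Internet clients" address set are assumptions chosen for illustration; the destination sets, the hosts Mktg and Dev, the internal address 192.168.0.1 and port 9999 follow the text. It also shows what the lesson states about rule order: a broad rule placed first shadows the more specific rules behind it.

```python
"""Model of ISA Server 2000 Web publishing rule evaluation.

Added example, not ISA Server code. Models destination sets (published host
plus path globs), client address sets, an ordered rule list with the
non-removable "discard everything" default rule at the end, and redirect
actions with per-protocol bridging ports. Names marked ASSUMED are not from
the lesson text.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass
class DestinationSet:
    """Hosts as Internet clients name them (they resolve to ISA's external address)."""
    name: str
    hosts: List[str]
    paths: List[str] = field(default_factory=lambda: ["/*"])

    def matches(self, host: str, path: str) -> bool:
        host_ok = host.lower() in (h.lower() for h in self.hosts)
        return host_ok and any(fnmatchcase(path, p) for p in self.paths)


@dataclass
class ClientAddressSet:
    name: str
    networks: List[str]

    def contains(self, addr: str) -> bool:
        return any(ip_address(addr) in ip_network(n) for n in self.networks)


@dataclass
class Rule:
    name: str
    destination: Optional[DestinationSet]   # None: any destination
    clients: Optional[ClientAddressSet]     # None: any user, group or client computer
    redirect_to: Optional[str]              # None: discard the request
    bridge_as: str = "http"                 # how ISA talks to the inside: http, ssl or ftp
    ports: Dict[str, int] = field(
        default_factory=lambda: {"http": 80, "ssl": 443, "ftp": 21})


# Installed with ISA Server: last in order, cannot be modified or deleted.
DEFAULT_RULE = Rule("Default rule", None, None, None)


def evaluate(rules: List[Rule], url: str, client_ip: str) -> Optional[str]:
    """Walk the rules in order and return the internal URL ISA Server would
    fetch for this request, or None if the first matching rule (or the
    default rule) discards it. The requested path and query are preserved."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule.destination is not None and not rule.destination.matches(host, path):
            continue
        if rule.clients is not None and not rule.clients.contains(client_ip):
            continue
        if rule.redirect_to is None:
            return None                      # discard action
        scheme = {"http": "http", "ssl": "https", "ftp": "ftp"}[rule.bridge_as]
        port = rule.ports[rule.bridge_as]
        netloc = rule.redirect_to if port == DEFAULT_PORTS[scheme] else f"{rule.redirect_to}:{port}"
        return urlunsplit((scheme, netloc, path, parts.query, ""))
    return None                              # not reached: DEFAULT_RULE always matches


# Policy elements from the lesson's sample plus the local-host case.
MARKETING = DestinationSet("Marketing", ["example.microsoft.com"], ["/Marketing/*"])
DEVELOPMENT = DestinationSet("Development", ["example.microsoft.com"], ["/Development/*"])
EXTERNAL_INTERFACE = DestinationSet("External Interface", ["203.0.113.10"])  # ASSUMED public IP
INTERNET = ClientAddressSet("Internet clients", ["0.0.0.0/0"])               # ASSUMED set

RULES = [
    Rule("Marketing", MARKETING, INTERNET, "Mktg"),
    Rule("Development", DEVELOPMENT, INTERNET, "Dev"),
    # Web server hosted on the ISA computer itself, moved to port 9999.
    Rule("Local Web Server", EXTERNAL_INTERFACE, None, "192.168.0.1",
         ports={"http": 9999, "ssl": 443, "ftp": 21}),
]


def marketing_over_ssl_bridged() -> List[Rule]:
    """Same Marketing rule, but bridged as SSL so ISA re-encrypts toward Mktg."""
    return [Rule("Marketing (SSL bridge)", MARKETING, INTERNET, "Mktg", bridge_as="ssl")]


if __name__ == "__main__":
    client = "198.51.100.7"  # ASSUMED Internet client
    for u in ("http://example.microsoft.com/Marketing/index.htm",
              "http://example.microsoft.com/Development/build.zip",
              "http://example.microsoft.com/Sales/",          # no rule: default discards
              "http://203.0.113.10/"):
        print(u, "->", evaluate(RULES, u, client))
    # Rule order matters: a broad discard rule placed first shadows the others.
    shadow = [Rule("Discard example.microsoft.com",
                   DestinationSet("All", ["example.microsoft.com"]), None, None)]
    print("shadowed ->", evaluate(shadow + RULES,
                                  "http://example.microsoft.com/Marketing/", client))
```

Note that a destination set path of /Marketing/* matches /Marketing/index.htm but not a bare /Marketing, which is one reason to test published paths with and without the trailing slash after creating a rule.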
Using Packet Filters to Publish a Web Server on the ISA Server Computer
Another way to publish a Web server located on the ISA Server computer is by configuring packet filters. In this way, ISA Server allows the Web server to listen on port 80 for the incoming Web requests.
There is no conflict for outgoing Web requests, as ISA Server listens on port 8080 and the Web server listens for requests from internal clients on port 80. However, be sure that the automatic discovery feature of ISA Server is not configured to listen on port 80 when you publish a Web server on the ISA Server computer; this will conflict with Web requests from internal clients. Also, since port 80 is used by Internet Information Services (IIS), do not create Web publishing rules when using the method described here to publish the Web server located on the ISA Server computer.
Follow these steps to publish a Web server on the ISA Server computer by using an IP packet filter:
Enable packet filtering if it is not already enabled.
Create an IP packet filter with the following parameters specified in the New IP Packet Filter wizard:
On the Servers screen, select Only This Server and select the local computer.
On the Filter Mode screen, select Allow Packet Transmission.
On the Filter Type screen, select Custom.
For the IP Protocol setting, select TCP.
For the Direction setting, select Inbound.
For the Local Port setting, select Fixed port, and then type 80.
For the Remote Port setting, select Any Port.
On the Local Computer screen, select This ISA Server's External IP Address.
On the Remote Computers screen, select All Remote Computers.
Disable automatic discovery if it is enabled, or reconfigure automatic discovery to listen on a port other than 80. This setting can be configured on the Auto Discovery tab of the array's properties.
Practice: Publishing a Web Server on the ISA Server Computer
Exercise 1: Configuring the Incoming Web Request Listener
In this exercise, you configure the ISA Server incoming Web request listener to accept requests on port 80 for all of its IP addresses.
Log on to Server1 as Administrator.
Establish a dial-up connection with your ISP by double-clicking the Internet Connection you have assigned to the ISA Server computer. Complete this step from the Network And Dial-up Connections window.
Open ISA Management.
Right-click the MyArray node, and then click Properties.
The MyArray Properties dialog box appears.
Click the Incoming Web Requests tab.
In the Identification area, select the Use The Same Listener Configuration For All IP Addresses radio button.
Verify that the TCP Port text box is set to 80, and then click OK.
An ISA Server Warning message box appears.
Verify that the Save The Changes But Don't Restart The Service(s) radio button is selected, and then click OK.
Exercise 2: Creating a Destination Set for the Web Server
In the following exercise, you create a destination set corresponding to the external IP address assigned to Server1. Complete this exercise on Server1.
In ISA Management, expand the Policy Elements node.
Right-click the Destination Sets folder, point to New and then click Set.
The New Destination Set dialog box appears.
In the Name text box, type External Interface.
Click Add.
The Add/Edit Destination dialog box appears.
Click the IP Addresses radio button.
In the From text box, type the IP address currently assigned by your ISP to the external interface on Server1. If you don't know the current IP address, open a command prompt and type ipconfig to determine the address of the external interface. Note that this destination set is valid only for the current dial-up session.
Click OK.
The destination IP address appears in the Include These Destinations box of the New Destination Set dialog box.
Click OK.
Exercise 3: Preparing the Web Site
In this exercise, you create a Web site on the ISA Server computer and configure the Web server to listen for Web requests on port 9999.
Exercise 4: Creating a Web Publishing Rule
In this exercise, you create a Web publishing rule that directs Web requests destined for the external interface of the ISA Server computer to the Web server hosted on the same computer, which listens on port 9999.
While you are still logged on to Server1 as Administrator, open ISA Management.
In the console tree, expand the Publishing node.
Right-click the Web Publishing Rules folder, point to New, and then click Rule.
The New Web Publishing Rule wizard appears.
In the Web Publishing Rule Name text box, type Local Web Server, and then click Next.
The Destination Sets screen appears.
In the Apply This Rule To drop-down list box, select Specified Destination Set.
The Name drop-down list box appears.
In the Name drop-down list box, select External Interface, and then click Next.
The Client Type screen appears.
Click Next.
The Rule Action screen appears.
Select the Redirect The Request To This Internal Web Server (Name Or IP Address) radio button.
In the text box associated with this option, type 192.168.0.1.
In the Connect To This Port When Bridging Request As HTTP text box, select and replace the default of 80 by typing 9999.
Click Next.
The Completing The New Web Publishing Rule Wizard screen appears.
Click Finish.
Stop and restart the Web Proxy and Firewall services in ISA Management before proceeding to the next exercise.
Exercise 5: Testing the Configuration
In this exercise, you test the Web publishing configuration from Server2 by connecting to the external IP address of Server1 in a Web browser.
Log on to Server2 as Administrator.
Open Internet Explorer.
In the Address text box, type the external IP address assigned by your ISP to Server1, and press Enter.
You see the sample Web page and a welcome message. Because the request was addressed to an external IP address on the ISA Server computer and was answered by the Web server listening on port 9999 on that computer, you know that the Web publishing rule is forwarding requests as intended and that the Default Web Site is reachable from outside only through ISA Server.
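Seeing the welcome page confirms that the rule forwards requests, but not that nothing internal escapes in the reply, which is the concern raised earlier in this lesson about directory browsing and Basic or Digest authentication. The following Python script is an added example, not part of ISA Server or of this exercise: fetch() sends one plain HTTP request to a published address (the address 203.0.113.10 in the comment is an assumption; substitute Server1's external address), and find_leaks() inspects the reply for an internal host name or a private address anywhere in it, a Location redirect to a host other than the published name, and a Basic or Digest challenge. The two sample replies in the script are constructed for the test, not captured from a server.

```python
"""Post-publication check of a Web server behind ISA Server.

Added example, not part of ISA Server or the lesson. fetch() sends one plain
HTTP/1.0 request to the published address; find_leaks() inspects the reply for
the leakage the lesson warns about: an internal host name or a private
(RFC 1918, loopback, link-local) address in any header or the body, a Location
redirect to a host other than the published name, and a Basic or Digest
challenge, whose realm is where the internal name usually escapes.
The sample replies below are constructed, not captured.
"""
import re
import socket
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def fetch(host: str, port: int = 80, path: str = "/",
          host_header: Optional[str] = None, timeout: float = 10) -> bytes:
    """Minimal HTTP/1.0 GET; returns the raw reply (status line, headers, body)."""
    request = (f"GET {path} HTTP/1.0\r\nHost: {host_header or host}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]], bytes]:
    """Split a raw reply into status code, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def _is_private(quad: str) -> bool:
    try:
        addr = ip_address(quad)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def find_leaks(raw: bytes, internal_names: List[str], published_host: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing internal leaked."""
    _, headers, _ = parse_response(raw)
    text = raw.decode("latin-1")
    findings = []
    for name in internal_names:
        if name.lower() in text.lower():
            findings.append(f"internal name {name!r} appears in the reply")
    for quad in sorted(set(DOTTED_QUAD.findall(text))):
        if _is_private(quad):
            findings.append(f"private address {quad} appears in the reply")
    for loc in headers.get("location", []):
        target = re.match(r"[a-z]+://([^/:]+)", loc, re.I)
        if target and target.group(1).lower() != published_host.lower():
            findings.append(f"redirect points at {target.group(1)} rather than {published_host}")
    for challenge in headers.get("www-authenticate", []):
        scheme = challenge.split()[0]
        if scheme.lower() in ("basic", "digest"):
            findings.append(f"{scheme} challenge sent to the Internet: {challenge}")
    return findings


# Constructed replies (not captured from a real server).
GOOD_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
              b"Content-Type: text/html\r\n\r\n<html><body>Welcome</body></html>")
BAD_REPLY = (b"HTTP/1.1 302 Object Moved\r\n"
             b"Location: http://server1.corp.local/Marketing/\r\n"
             b'WWW-Authenticate: Basic realm="192.168.0.1"\r\n'
             b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    # Live use from Server2: reply = fetch("203.0.113.10")  # ASSUMED; use Server1's external IP
    for label, reply in (("good", GOOD_REPLY), ("bad", BAD_REPLY)):
        status = parse_response(reply)[0]
        print(label, status, find_leaks(reply, ["server1", "mktg"], "www.example.com"))
```

Run it from Server2 against the external address with the internal names of your own servers in the list; any finding means the back end, not ISA Server, is answering with information an Internet client should never see, and the Web server configuration (directory browsing, authentication method, redirect targets) needs attention before the site goes live.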
Lesson Summary
Through Web publishing rules, ISA Server responds to client requests on behalf of publishing Web servers. When an Internet client makes a Web request to an external IP address on the ISA Server computer, the request is forwarded to the Web publishing server specified in the Web publishing rule matching the request. Web publishing rules thus determine how ISA Server should intercept incoming Web requests.
For Web publishing rules, destination sets usually include a domain name (whose IP address maps to your ISA Server computer) and a path. Client address sets usually include IP addresses of clients located on the Internet. Rule actions for Web publishing rules either discard HTTP requests targeted for specific destination sets or redirect those requests to an alternate site, usually to a Web server on your corporate network. When you create a Web publishing rule, you can also configure how incoming HTTP and SSL requests should be redirected—whether as HTTP, SSL, or FTP requests. This process is known as bridging.
To publish a Web server hosted on the ISA Server computer, configure the Web server so that it listens on a port other than 80. Then, modify the ISA Server Web publishing rule so that ISA Server forwards the requests to the appropriate port on the Web server.