Microsoft KB Archive/838242

= How to publish a Web server on a perimeter network by using ISA Server 2006 or ISA Server 2004 =

Article ID: 838242

Article Last Modified on 12/4/2007

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition

For a Microsoft Internet Security and Acceleration Server 2000 version of this article, see 313562.

IN THIS TASK

 * INTRODUCTION
 * Configure the perimeter network addressing
 * Verify the DNS entries
 * Configure the perimeter network
 * Publish the Web server computer
 * Configure the default gateway on the Web server
 * Troubleshooting
 * REFERENCES



INTRODUCTION
This step-by-step article describes how to use Microsoft Internet Security and Acceleration (ISA) Server 2006 or ISA Server 2004 to publish a Web server that is on a perimeter network.

Configure the perimeter network addressing
To publish a Web server on a perimeter network, you must assign a range of public Internet Protocol (IP) addresses to computers that are on the perimeter network. To assign the IP addresses, use one of the following methods.

Method 1
Use a separate, publicly accessible IP address range for computers that are on the perimeter network.

Method 2
Subnet your public IP address range. Divide the IP addresses between the computers that are on the external network and the computers that are on the perimeter network.

Note You must also reconfigure upstream routers to recognize each subnet as a separate network.

For additional information about how to subnet an IP address range, click the following article number to view the article in the Microsoft Knowledge Base:

269098 How to configure Windows 2000 subnets

Method 3
You can assign a range of private IP addresses to the computers that are connected to the perimeter network.

For example, consider the network configuration where:
 * Your ISP assigns you an IP address for the external interface of the ISA Server computer.
 * You assign the IP address range 192.168.0.0/24 to the internal network.
 * You assign the IP address range 192.168.1.0/24 to the perimeter network.

In this example, you can define the following network relationships:
 * A routing relationship between the internal network and the perimeter network.
 * A network address translation (NAT) relationship between the internal network and the external network.
 * A network address translation relationship between the perimeter network and the external network.

For additional information about network relationships, see the "Multi-networking overview" topic in ISA Server 2004 Help.

Verify the DNS entries
To configure ISA Server behind a NAT router and to use a range of private addresses in the perimeter network, you must configure a publicly-accessible DNS server with the A resource record or with the CNAME resource record of the Web server that resolves to the IP address of the external network interface of the NAT router. In this scenario, you also have to map this IP address to the external network interface of the ISA Server computer.

Note If you do not maintain your own publicly-accessible DNS server, contact your Internet service provider (ISP) for this configuration. For additional information about how to configure a DNS server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

172953 How to install and configure Microsoft DNS Server

308201 How to create a new zone on a DNS server

Configure the perimeter network
Configure the perimeter network on the ISA Server computer. To do this, follow these steps:
 * 1) Start the ISA Server Management tool.
 * 2) Expand the node that is named for your ISA Server computer.
 * 3) Expand Configuration, and then click Networks.
 * 4) Click the Tasks tab, and then click Create a New Network.
 * 5) In the Network name box, type a descriptive name for the perimeter network, and then click Next.
 * 6) Click Perimeter Network, and then click Next.
 * 7) Click Add Adapter, click to select the check box of the network adapter that is connected to the perimeter network, and then click OK.
 * 8) Click Next, and then click Finish.
 * 9) Click Apply to update the firewall policy, and then click OK.

Publish the Web server computer
To publish the Web server computer, follow these steps.

Note These steps describe how to publish a Web site that allows for anonymous access. To publish a Web site that requires authentication, or to publish a Web site that requires a Secure Sockets Layer (SSL) connection, modify these steps as appropriate for your requirements.

ISA Server 2006
 * 1) Start the ISA Server Management tool.
 * 2) Expand the node that is named for the ISA Server computer.
 * 3) Click Firewall Policy, click the Tasks tab, and then click Publish Web Sites.
 * 4) In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
 * 5) Leave the Allow option selected, and then click Next.
 * 6) Leave the Publish a single Web site or load balancer option selected, and then click Next.
 * 7) Click Use non-secured connections to connect the published Web server or server farm, and then click Next.
      Note For more information about the connection security methods that are available in ISA Server 2006, click the server connection security link.
 * 8) In the Internal site name box, type the internally-accessible name of the Web server, click to select the Use a computer name or IP address to connect to the published server check box, type the internally-accessible and fully qualified domain name, or type the IP address of the Web server computer, in the Computer name or IP address box, and then click Next.
 * 9) In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
 * 10) If you only want to publish a particular folder in the Web site, type that folder name in the Path (optional) box. The full path of the published Web site appears in the Web site box.
 * 11) Click Next.
 * 12) In the Accept requests for list, click This domain name (type below), type the publicly-accessible fully qualified domain name of the Web site in the Public name box, and then click Next.
 * 13) In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
    * a) Click New, type a descriptive name for the new Web listener, and then click Next.
    * b) Click Do not require SSL secured connections with clients, and then click Next.
    * c) In the Listen for requests from these networks list, click to select the External check box, and then click Next.
    * d) In the Select how clients will provide credentials to ISA Server list, click No Authentication, and then click Next.
         Note For more information about the authentication methods that are available in ISA Server 2006, click the authentication settings link.
    * e) On the Single Sign On Settings page, click Next, and then click Finish.
 * 14) Click Next.
 * 15) In the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, and client cannot authenticate directly, and then click Next.
      Note For more information about the authentication delegation methods that are available in ISA Server 2006, click the authentication delegation link.
 * 16) Leave the default user setting of All Users in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
 * 17) Click Apply to update the firewall policy, and then click OK.

ISA Server 2004
 * 1) Start the ISA Server Management tool.
 * 2) Expand the node that is named for your ISA Server computer.
 * 3) Click Firewall Policy, click the Tasks tab, and then click Publish a Web Server.
 * 4) In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
 * 5) Leave the Allow option selected, and then click Next.
 * 6) In the Computer name or IP address box, type the IP address of the Web server computer, and then click Next.
 * 7) In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
 * 8) In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
    * a) Click New, type a descriptive name for the new Web listener, and then click Next.
    * b) In the Listen for requests from these networks list, click to select the External check box, and then click Next.
    * c) Leave the Enable HTTP check box selected, click Next, and then click Finish.
 * 9) Click Next, leave the default user set of All Users in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
 * 10) Click Apply to update the firewall policy, and then click OK.

Configure the default gateway on the Web server
On the Web server computer, set the default gateway to the IP address of the ISA Server computer's network adapter that connects to the perimeter network. To do this, follow these steps:
 * 1) On the Web server computer, click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Network and Dial-up Connections, right-click the network connection, and then click Properties.
 * 3) In the list of components, double-click Internet Protocol (TCP/IP).
 * 4) In the Default gateway box, type the IP address of the ISA Server computer's perimeter network interface.
 * 5) Click OK two times.

Troubleshooting
Verify that the internal network does not contain the IP addresses of computers that are on the perimeter network. To view the internal network:
 * 1) Start the ISA Server Management tool.
 * 2) Expand the node that is named for your ISA Server computer.
 * 3) Expand Configuration, and then click Networks.
 * 4) Click the Networks tab, right-click Internal, and then click Properties.
 * 5) Click the Addresses tab, and then verify the address range that appears.
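The same check can be scripted once the ranges from the Addresses tab are written down. The following is an added example, not part of the original article or any ISA Server tooling: it compares internal address ranges in start-end form against the perimeter subnet and the Web server address. The addresses follow the Method 3 example, and the Web server address and the misconfigured range are constructed for illustration.

```python
import ipaddress

def parse_range(text):
    """Parse a 'start-end' IPv4 range, the form shown on the Addresses tab."""
    start_s, sep, end_s = text.partition("-")
    if not sep:
        raise ValueError(f"expected start-end, got {text!r}")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if start > end:
        raise ValueError(f"range start is above range end: {text!r}")
    return start, end

def find_overlaps(internal_ranges, perimeter_cidr):
    """Return (internal_range, overlapping_span) pairs; an empty list is clean."""
    perimeter = ipaddress.ip_network(perimeter_cidr, strict=True)
    p_first, p_last = perimeter.network_address, perimeter.broadcast_address
    overlaps = []
    for text in internal_ranges:
        first, last = parse_range(text)
        lo, hi = max(first, p_first), min(last, p_last)
        if lo <= hi:  # the two spans share at least one address
            overlaps.append((text, f"{lo}-{hi}"))
    return overlaps

def hosts_in_internal(internal_ranges, hosts):
    """Return the perimeter hosts that the Internal network definition claims."""
    spans = [parse_range(t) for t in internal_ranges]
    claimed = []
    for host in hosts:
        addr = ipaddress.IPv4Address(host)
        if any(first <= addr <= last for first, last in spans):
            claimed.append(host)
    return claimed

# Constructed sample data, based on the Method 3 addressing in this article.
PERIMETER = "192.168.1.0/24"
WEB_SERVER = "192.168.1.10"                    # hypothetical Web server address
GOOD_INTERNAL = ["192.168.0.0-192.168.0.255"]
BAD_INTERNAL = ["192.168.0.0-192.168.1.127"]   # spills into the perimeter

if __name__ == "__main__":
    for label, ranges in (("good", GOOD_INTERNAL), ("bad", BAD_INTERNAL)):
        print(label, find_overlaps(ranges, PERIMETER),
              hosts_in_internal(ranges, [WEB_SERVER]))
```

An empty result from both functions means the Internal network definition does not claim any perimeter address.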

<div class="references_section">