Microsoft KB Archive/313072

From BetaArchive Wiki

Article ID: 313072

Article Last Modified on 10/30/2006



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Small Business Server 2000 Standard Edition
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition



This article was previously published under Q313072

SUMMARY

You can configure Microsoft Internet Security and Acceleration (ISA) Server to publish a Web server that is on an internal network or to use packet filtering. By configuring ISA Server to use packet filtering, Web requests can pass through to a Web server that is on a perimeter network, which is also known as a demilitarized zone (DMZ).

This step-by-step article describes how to use ISA Server to publish a Web server that is on an internal network.

Verify the DNS entries

To publish your Web server behind the ISA Server firewall, you must configure a DNS server that you can access from the Internet with the A resource record, or with the CNAME resource record of the Web server that resolves to the IP address of the ISA Server computer's external network interface.

Note If you do not maintain your own external DNS server, contact your Internet service provider (ISP) for this configuration. For more information about how to configure a DNS server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

172953 How to install and configure Microsoft DNS Server


308201 How to create a new zone on a DNS server in Windows 2000
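The check described above, written as an added Python script that is not part of the Knowledge Base article: it follows a CNAME chain to its A record and confirms that the name ends at the ISA Server external address. The record table, the external address 203.0.113.10 and the host names are constructed for illustration; check_live() repeats the test against the resolver the host actually uses.

```python
"""Check that a published FQDN resolves to the ISA Server external address.

Added example, not part of the Knowledge Base article. The record table below
is constructed for illustration; the hypothetical address 203.0.113.10 stands
in for the ISA Server external interface.
"""
import socket

# Constructed zone data: name -> ("A", ip) or ("CNAME", target).
SAMPLE_RECORDS = {
    "www.example.com.": ("CNAME", "isa.example.com."),
    "ftp.example.com.": ("CNAME", "isa.example.com."),
    "isa.example.com.": ("A", "203.0.113.10"),
    "intranet.example.com.": ("A", "192.168.1.2"),   # private address leaked into the public zone
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}

def _fqdn(name):
    return name if name.endswith(".") else name + "."

def resolve_records(name, records, max_hops=8):
    """Follow CNAME records until an A record is found.

    Returns (ip, chain) where chain lists every name visited, or (None, chain)
    if a name is missing, the chain loops, or it exceeds max_hops.
    """
    chain = []
    current = _fqdn(name)
    for _ in range(max_hops):
        chain.append(current)
        entry = records.get(current)
        if entry is None:
            return None, chain
        rtype, value = entry
        if rtype == "A":
            return value, chain
        current = _fqdn(value)
        if current in chain:            # CNAME loop
            return None, chain
    return None, chain

def is_private(ip):
    """RFC 1918 test: an internal address in the public zone is unreachable from the Internet."""
    octets = [int(o) for o in ip.split(".")]
    return (octets[0] == 10
            or (octets[0] == 172 and 16 <= octets[1] <= 31)
            or (octets[0] == 192 and octets[1] == 168))

def check_published_name(name, external_ip, records=SAMPLE_RECORDS):
    """Return (ok, reason). ok is True only if name ends at external_ip."""
    ip, chain = resolve_records(name, records)
    if ip is None:
        return False, "no A record reached via " + " -> ".join(chain)
    if is_private(ip):
        return False, f"{name} resolves to private address {ip}; external clients cannot reach it"
    if ip != external_ip:
        return False, f"{name} resolves to {ip}, expected ISA external interface {external_ip}"
    return True, f"{name} -> {ip} via " + " -> ".join(chain)

def check_live(name, external_ip):
    """Same check against the resolver this host uses (needs network access)."""
    try:
        ip = socket.gethostbyname(name)     # follows CNAMEs for us
    except socket.gaierror as exc:
        return False, f"lookup failed: {exc}"
    return ip == external_ip, f"{name} -> {ip}"

if __name__ == "__main__":
    for host in ("www.example.com", "ftp.example.com", "intranet.example.com",
                 "loop-a.example.com", "missing.example.com"):
        print(host, check_published_name(host, "203.0.113.10"))
```

Run check_live() from a machine outside the firewall as well as from inside: split-brain DNS setups often have the name correct internally while the public zone still points at an old or private address.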


Configure the Web server computer as a Network Address Translation (NAT) client

Verify that the default gateway on the Web server is set to the IP address of the internal network interface of the ISA Server computer:

Note If the Web server is not on the same subnet as the ISA Server computer, configure the default gateway to the IP address of a router that connects to the internal network interface of the ISA Server computer.

  1. Log on to the Web server as an administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Network and Dial-up Connections.
  4. Right-click the Local Area Connection icon, and then click Properties.
  5. Click Internet Protocol (TCP/IP) (but do not clear the check box), and then click Properties.
  6. In the Default gateway box, type the IP address that is assigned to the internal interface of the ISA Server computer. For example, 192.168.1.1.


Note Assign an IP address and a subnet mask that is on the internal network to the Web server.

Warning Do not perform step 6 on more than one network adapter. If you do so, you will create multiple default gateways.

  7. Click OK, and then click OK.
  8. Repeat steps 4 through 7 for each local area connection.

Configure the ISA Server computer to publish an internal Web server

If your Web server is on the internal network, configure the ISA Server computer for Web publishing:

Determine if Internet Information Services (IIS) is already running on server 1

Click Start, point to Programs, point to Administrative Tools, and click Internet Services Manager. If this option does not exist, IIS is probably not installed. If IIS is installed, see the "Configuration Requirements If IIS Is Installed on this Computer" section of this article.

Create a Destination Set

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, click server name where server name is the name of the ISA Server computer, click Policy Elements, and then click Destination Sets.
  4. On the View menu, click Taskpad.
  5. In the Configure Destination Set pane, click Create a Destination Set.
  6. In the Name box, type the name that you want. For example, example.com.
  7. In the Description (optional) box, type a description. For example, Web and FTP sites.
  8. Click Add.
  9. In the Destination box, type the fully qualified domain name (FQDN) of the Web site. For example, www.example.com. Click OK.
  10. If you want to publish an FTP site, click Add. Type the FQDN of the FTP server in the Destination box, and then click OK.


Note The FTP server must also have an A resource record or a CNAME resource record on an externally accessible DNS server that directs Internet-based FTP requests to the external interface of the ISA Server computer.

  11. Click OK.


The destination set is displayed in the Available Destination Sets list.

Configure the listener for incoming Web requests

Configure the ISA Server computer to "listen" for incoming Web requests:

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, right-click server name where server name is the name of the ISA Server computer, and then click Properties.
  4. Click the Incoming Web Requests tab.
  5. Click Configure listeners individually per IP address, and then:
    • If you want to enable Secure Sockets Layer (SSL) listeners, click to select the Enable SSL listeners check box.

      Note To enable SSL listeners, you have to first configure a server certificate.

    • If you want to limit the number of incoming Web requests, click Configure, click Maximum, type the number of incoming connections that you want to allow, and then click OK.
  6. Click Add.
  7. In the Server list, click the name of the ISA Server computer.
  8. In the IP Address list, click the IP address that is assigned to the external interface of the ISA Server computer.
  9. In the Display Name box, type a name for the listener. For example, Incoming Web Requests.
  10. If you enabled SSL listeners, click to select the Use a server certificate to authenticate to Web clients check box, and then click Select to select the certificate that you want.
  11. Click OK, and then click OK.
  12. In the ISA Server Warning dialog box, click Save the changes and restart the service(s), and then click OK.
  13. Quit ISA Management.

Create a Web publishing rule

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, click server name where server name is the name of the ISA Server computer, click Publishing, and then click Web Publishing Rules.
  4. On the View menu, click Taskpad.
  5. In the Publish Web Servers dialog box, click Create a Web Publishing Rule to start the New Web Publishing Rule Wizard.
  6. In the Web publishing rule name box, type the name that you want. For example, Default anonymous access rule. Click Next.
  7. In the Apply this rule to list, click Specified destination set.
  8. In the Name list, click the destination set that you created in the "Create a Destination Set" section of this article. For example, example.com. Click Next.
  9. Click Any request, and then click Next.
  10. Click Redirect the request to this internal Web server (name or IP address), and then do one of the following actions:
    • Type the IP address of the Web server. For example, 192.168.1.2.
    • Type the name of the Web server. For example, www.example.com.

      Note To resolve the host name of the Web server, you have to configure the internal interface of the ISA Server computer with the IP address of a DNS server that is on the internal network.

  11. If you are publishing more than one Web site on a single IP address by using host headers, click to select the Send the original host header to the publishing server instead of the actual one (specified above) check box.
  12. Click Next, and then click Finish.
  13. Quit ISA Management.

Configuration requirements if IIS is installed on this computer

When you publish a Web server on the ISA Server computer itself, you have to make the following additional configurations:

  • Configure Internet Information Services (IIS) to use the IP address that is assigned to the internal network interface of the ISA Server computer.
  • To make sure that IIS is listening only on the address that you specified, follow these steps to disable socket pooling:
    1. Open a command prompt, and then make sure you are in the X:\Inetpub\Adminscripts folder, where X is the IIS installation drive.
    2. Run the following command:

      cscript adsutil.vbs set w3svc/disablesocketpooling true

      The command replies with:

      disablesocketpooling : (BOOLEAN) True
    3. Stop and then restart the IISAdmin Service.
    4. Restart the WWW Service.

    For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    238131 How to disable socket pooling

  • Configure IIS to use a port other than port 80. Port 80 is the default port for Hypertext Transfer Protocol (HTTP) requests.
  • Configure the ISA Server computer Web Publishing rule to redirect Web requests from the listening port (port 80) to the new IIS port configuration.

Configure the IIS IP address and port

  1. Log on to the ISA Server computer as an administrator.
  2. Start Internet Services Manager.
  3. In the console tree, click computer name, where computer name is the name of the computer. For example, www.
  4. Right-click the Web site that you want, such as Default Web Site, and then click Properties.
  5. Under Web Site Identification, click Advanced.
  6. Under Multiple identities for this Web Site, click the identity that you want, and then click Edit.

    Note If you use host headers to publish multiple Web sites with only a single IP address, there may be more than one entry.
  7. In the IP Address list, click the IP address that is assigned to the internal interface of the ISA Server computer. For example, 192.168.1.1.
  8. In the TCP Port box, type an unused port number other than 80. For example, 81. For more information about port assignments, click the following article number to view the article in the Microsoft Knowledge Base:

    174904 Information about TCP/IP port assignments

    To determine the ports that are currently in use (open):

    1. Click Start, and then click Run.
    2. In the Open box, type cmd, and then click OK.
    3. Type the following command, and then press ENTER:

      netstat -na |more

      In the Local Address column, the port numbers are displayed in the following format, where port is the number of the port that is in use:

      address:port

  9. Click OK, click OK, and then click OK.
  10. Right-click server name, and then click Restart IIS.
  11. In the What do you want IIS to do? list, click Restart Internet Services on server name, and then click OK.
  12. After the Internet Services restarts, quit the Internet Information Services snap-in.
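Two checks from this article benefit from a small parser over the netstat output: the "Configuration requirements if IIS is installed on this computer" section needs to confirm that socket pooling is off (IIS no longer bound to 0.0.0.0, so it cannot answer on the external interface), and step 8 above needs an unused port. The following Python script is an added example, not from the Knowledge Base article; SAMPLE_NETSTAT is constructed to resemble Windows 2000 "netstat -na" output, and run_netstat() feeds the real command's output to the same parser.

```python
"""Parse 'netstat -na' output: ports in use, a free port, and wildcard listeners.

Added example, not from the Knowledge Base article. SAMPLE_NETSTAT is
constructed to look like Windows 2000 output; on the ISA Server computer call
run_netstat() to parse the real thing.
"""
import re
import subprocess

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:80         192.168.1.2:1045       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# proto, local address:port, foreign address:port, optional state (UDP has none)
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state) tuples."""
    entries = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue                          # headers and blank lines
        proto, local, _foreign, state = m.groups()
        ip, _, port = local.rpartition(":")   # the article's address:port format
        if not port.isdigit():
            continue
        entries.append((proto, ip, int(port), state or ""))
    return entries

def ports_in_use(entries, proto="TCP"):
    """Every local port seen for the protocol, in any state."""
    return {port for p, _ip, port, _state in entries if p == proto}

def first_free_port(entries, start=81, proto="TCP"):
    """Lowest port >= start that netstat does not show in use (the article suggests 81)."""
    used = ports_in_use(entries, proto)
    port = start
    while port in used:
        port += 1
    return port

def wildcard_listeners(entries, port, proto="TCP"):
    """Listeners bound to 0.0.0.0 on the port, i.e. on every interface, external included.

    For IIS on the ISA Server computer this is the signature of socket pooling
    still being enabled."""
    return [e for e in entries
            if e[0] == proto and e[2] == port and e[1] == "0.0.0.0" and e[3] == "LISTENING"]

def listeners_on(entries, ip, port, proto="TCP"):
    """Listeners bound to one specific address, e.g. IIS on 192.168.1.1:81."""
    return [e for e in entries
            if e[0] == proto and e[1] == ip and e[2] == port and e[3] == "LISTENING"]

def run_netstat():
    """Run the real command (Windows) and parse its output."""
    out = subprocess.run(["netstat", "-na"], capture_output=True,
                         text=True, check=True).stdout
    return parse_netstat(out)

if __name__ == "__main__":
    entries = parse_netstat(SAMPLE_NETSTAT)
    print("TCP ports in use:", sorted(ports_in_use(entries)))
    print("first free TCP port from 81:", first_free_port(entries))
    if wildcard_listeners(entries, 80):
        print("port 80 is bound on 0.0.0.0: socket pooling is still on,"
              " IIS answers on every interface")
```

After the adsutil.vbs change and the service restarts, rerun the parser: port 80 should appear only on the external address (the ISA listener), and IIS should show up on the internal address and its new port only.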

Edit the Web publishing rule

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, click server name where server name is the name of the ISA Server computer, click Publishing, and then click Web Publishing Rules.
  4. On the View menu, click Taskpad.
  5. In the Publish Web Servers dialog box, click the rule that you created in the "Create a Web Publishing Rule" section in this article. For example, Default anonymous access rule.
  6. Click Configure a Web Publishing Rule.
  7. On the Action tab, in the Connect to this port when bridging request as HTTP box, type the port number that you typed in step 8 in the "Configure IIS IP Address and Port" section in this article. For example, 81.
  8. Click Apply, and then click OK.
  9. Quit ISA Management.
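To make the effect of the "Create a Web publishing rule" and "Edit the Web publishing rule" sections concrete, here is an added Python model of the decision ISA Server makes for each incoming request. It is not ISA Server code and not from the Knowledge Base article; it uses the article's example values (the example.com destination set, internal server 192.168.1.2, bridging port 81 for IIS on the ISA computer) and shows why the destination set works as an allow-list: a request whose Host header matches no rule, including a request for the bare external address, is refused rather than forwarded.

```python
"""Model of how an ISA Server Web publishing rule steers an incoming request.

Added example, not ISA Server code and not from the Knowledge Base article.
It reproduces the decisions made by the destination set, the rule's internal
server, the "Connect to this port when bridging request as HTTP" setting and
the "Send the original host header" check box, using the article's values.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DestinationSet:
    name: str
    destinations: frozenset          # FQDNs, or *.domain wildcards, in lower case

    def matches(self, host: str) -> bool:
        host = host.lower()
        for d in self.destinations:
            if d.startswith("*.") and host.endswith(d[1:]):
                return True
            if host == d:
                return True
        return False

@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    destination_set: DestinationSet
    internal_server: str             # "Redirect the request to this internal Web server"
    bridge_port: int = 80            # "Connect to this port when bridging request as HTTP"
    send_original_host: bool = False # "Send the original host header to the publishing server"

@dataclass(frozen=True)
class Forward:
    rule: str
    server: str
    port: int
    host_header: str                 # Host header the internal server will see

def host_from_header(header: str) -> str:
    """Strip an explicit :port from the Host header before matching."""
    return header.rsplit(":", 1)[0].lower() if ":" in header else header.lower()

def route_request(host_header: str, rules) -> Optional[Forward]:
    """First matching rule wins; None means no rule applies and the request is refused."""
    host = host_from_header(host_header)
    for rule in rules:
        if rule.destination_set.matches(host):
            out_host = host if rule.send_original_host else rule.internal_server
            return Forward(rule.name, rule.internal_server, rule.bridge_port, out_host)
    return None

# The article's destination set: Web and FTP names, no paths.
EXAMPLE_COM = DestinationSet("example.com", frozenset({"www.example.com", "ftp.example.com"}))

# Web server on the internal network (section "Create a Web publishing rule").
RULES = [WebPublishingRule("Default anonymous access rule", EXAMPLE_COM, "192.168.1.2")]

# IIS on the ISA Server computer itself, moved to port 81 (section "Edit the Web publishing rule").
IIS_ON_ISA_RULES = [WebPublishingRule("Default anonymous access rule", EXAMPLE_COM,
                                      "192.168.1.1", bridge_port=81)]

# Several sites on one internal address, distinguished by host header.
HOST_HEADER_RULES = [WebPublishingRule("Default anonymous access rule", EXAMPLE_COM,
                                       "192.168.1.2", send_original_host=True)]

if __name__ == "__main__":
    # 203.0.113.10 is a hypothetical external address used only for illustration.
    for host in ("www.example.com", "www.example.com:80", "203.0.113.10", "other.example.org"):
        print(f"{host:22} ->", route_request(host, RULES))
    print("IIS on ISA:", route_request("www.example.com", IIS_ON_ISA_RULES))
    print("host header:", route_request("www.example.com", HOST_HEADER_RULES))
```

The last two rule sets show the two settings this article changes: the bridging port decides which TCP port the internal server is contacted on, and the host header option decides whether the internal server sees the client's original name or the address typed into the rule, which is what lets IIS pick the right site when several share one IP address.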

Troubleshooting

  • Clients cannot browse to the Web site by using the FQDN of the Web site. For example, www.example.com.
    • Ensure that an externally accessible DNS entry exists for the FQDN of the Web site, and that it resolves to the IP address that is assigned to the external interface of the ISA Server computer.
    • Ensure that the destination set includes the FQDN of the Web server that the external clients request.

      Note Configure the destination set from the point of view of a client that is attempting to access the resource.

  • ISA Server does not redirect requests to the internal Web server.
    • If you want to redirect requests to the internal Web server based on host names, ensure that the internal network interface of the ISA Server computer has an entry for an internally accessible DNS server.

REFERENCES

For more help and support with Microsoft Internet Security and Acceleration (ISA) Server, see the following Web sites:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For more information about how to configure Windows 2000 as a Web server, click the following article number to view the article in the Microsoft Knowledge Base:

308192 How to configure Windows 2000 as a Web server


For more information about how to change the IP address of a network adapter, click the following article number to view the article in the Microsoft Knowledge Base:

308199 How to change the IP address of a network adapter in Windows 2000


Glossary

  • Internal network interface: The network adapter in the ISA Server computer that is connected to that portion of the network that is protected by (behind) the firewall. Computers in this segment of the network are considered protected by the ISA Server firewall.
  • External network interface: The network adapter in the ISA Server computer that is connected to the Internet or to the portion of the network that is considered unprotected. Computers on this segment of the network are not protected by the ISA Server firewall.
  • Perimeter network or de-militarized zone (DMZ): A network that is between an external unprotected network and the internal protected network.


Keywords: kbhowtomaster KB313072