Microsoft KB Archive/323426


Article ID: 323426

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition



This article was previously published under Q323426

SUMMARY

You can configure Microsoft Internet Security and Acceleration (ISA) Server to publish a Web server that is on an internal network or to use packet filtering. When ISA Server uses packet filtering, Web requests can pass through to a Web server that is on a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet).

This step-by-step article describes how to use ISA Server to publish a Web server that is on an internal network.


Verify the DNS Entries

To publish your Web server behind the ISA Server firewall, a Domain Name System (DNS) server that is accessible over the Internet must hold an A resource record or a CNAME resource record for the Web server, and that record must resolve to the IP address of the ISA Server computer's external network interface.

NOTE: If you do not maintain your own external DNS server, contact your Internet service provider (ISP) for this configuration.

For additional information about how to configure a DNS server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

323417 How To Integrate Windows Server 2003 DNS with an Existing DNS Infrastructure in Windows Server 2003


323418 How To Integrate DNS with an Existing DNS Infrastructure If Active Directory Is Enabled in Windows Server 2003



Configure the Web Server Computer as a Network Address Translation (NAT) Client

Verify that the setting for the default gateway on the Web server is set to the IP address of the internal network interface of the ISA Server computer. To do this, follow these steps.

NOTE: If the Web server is not on the same subnet as the ISA Server computer, configure the default gateway to the IP address of a router that connects to the internal network interface of the ISA Server computer.

  1. Log on to the Web server as an administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Network Connections.
  4. Right-click the Local Area Connection icon, and then click Properties.
  5. Click Internet Protocol (TCP/IP) (but do not clear the check box), and then click Properties.
  6. Click the General tab, and then click Advanced.
  7. Under Default Gateways, click Add.
  8. In the Gateway box, type the IP address that is assigned to the internal interface of the ISA Server computer, and then click Add. For example, type 192.168.1.1.
  9. Click OK two times.
  10. Repeat steps 4 through 7 for each local area connection.


Configure the ISA Server Computer to Publish an Internal Web Server

If your Web server is on the internal network, configure the ISA Server computer for Web publishing. To do this, use the following methods in the order presented.

Create a Destination Set

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, click server name (where server name is the name of the ISA Server computer), click Policy Elements, and then click Destination Sets.
  4. On the View menu, click Taskpad.
  5. In the Configure Destination Sets dialog box, click Create a Destination Set.
  6. In the Name box, type the name that you want. For example, type example.com.
  7. In the Description (optional) box, type a description. For example, type Web and FTP sites.
  8. Click Add.
  9. In the Destination box, type the fully qualified domain name (FQDN) of the Web site. For example, type www.example.com. Click OK.
  10. If you want to publish an FTP site, click Add. Type the FQDN of the FTP server in the Destination box, and then click OK.


NOTE: The FTP server must also have an A resource record or a CNAME resource record on an externally accessible DNS server that directs Internet-based FTP requests to the external interface of the ISA Server computer.

  11. Click OK.


The destination set is displayed in the Available Destination Sets list.


Configure the Listener for Incoming Web Requests

Configure the ISA Server computer to "listen" for incoming Web requests:

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, right-click server name (where server name is the name of the ISA Server computer), and then click Properties.
  4. Click the Incoming Web Requests tab.
  5. Click Configure listeners individually per IP address, and then do one of the following:
    • If you want to enable Secure Sockets Layer (SSL) listeners, click to select the Enable SSL listeners check box.


NOTE: To enable SSL listeners, you have to first configure a server certificate.

    • If you want to limit the number of incoming Web requests, click Configure, click Maximum, type the number of incoming connections that you want to permit, and then click OK.
  6. Click Add.
  7. In the Server list, click the name of the ISA Server computer.
  8. In the IP Address list, click the IP address that is assigned to the external interface of the ISA Server computer.
  9. In the Display Name box, type a name for the listener. For example, type Incoming Web Requests.
  10. If you enabled SSL listeners, click to select the Use a server certificate to authenticate to Web clients check box, and then click Select to select the certificate that you want.
  11. Click OK two times.
  12. In the ISA Server Warning dialog box, click Save the changes and restart the service(s), and then click OK.
  13. Quit ISA Management.


Create a Web Publishing Rule

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, click server name (where server name is the name of the ISA Server computer), click Publishing, and then click Web Publishing Rules.
  4. On the View menu, click Taskpad.
  5. In the Publish Web Servers dialog box, click Create a Web Publishing Rule to start the New Web Publishing Rule Wizard.
  6. In the Web publishing rule name box, type the name that you want. For example, type Default anonymous access rule. Click Next.
  7. In the Apply this rule to list, click Specified destination set.
  8. In the Name list, click the destination set that you created in the "Create a Destination Set" section of this article. For example, click example.com. Click Next.
  9. Click Any request, and then click Next.
  10. Click Redirect the request to this internal Web server (name or IP address), and then do one of the following:
    • Type the IP address of the Web server. For example, type 192.168.1.2.


-or-

    • Type the name of the Web server. For example, type www.example.com.


NOTE: To resolve the host name of the Web server, you have to configure the internal interface of the ISA Server computer with the IP address of a DNS server that is on the internal network.

  11. If you are publishing more than one Web site on a single IP address by using host headers, click to select the Send the original host header to the publishing server instead of the actual one (specified above) check box.
  12. Click Next, and then click Finish.
  13. Quit ISA Management.


Configuration Requirements If You Install IIS on the ISA Server Computer

When you publish a Web server on the ISA Server computer itself, you have to make the following additional configurations:

  • Configure Microsoft Internet Information Services (IIS) to use the IP address that is assigned to the internal network interface of the ISA Server computer.


-and-

  • Configure IIS to use a port other than port 80. Port 80 is the default port for Hypertext Transfer Protocol (HTTP) requests.


-and-

  • Configure the ISA Server computer Web Publishing rule to redirect Web requests from the listening port (port 80) to the new IIS port configuration.


Configure the IIS IP Address and Port

  1. Log on to the ISA Server computer as an administrator.
  2. Start Internet Services Manager.
  3. In the console tree, click *computer name (where computer name is the name of the computer). For example, click *www.
  4. Right-click the Web site that you want, such as Default Web Site, and then click Properties.
  5. Under Web Site Identification, click Advanced.
  6. Under Multiple identities for this Web Site, click the identity that you want, and then click Edit.

    NOTE: If you use host headers to publish multiple Web sites with only a single IP address, there may be more than one entry.
  7. In the IP Address list, click the IP address that is assigned to the internal interface of the ISA Server computer. For example, click 192.168.1.1.
  8. In the TCP Port box, type an unused port number other than 80. For example, type 81.

    For additional information about port assignments, click the article number below to view the article in the Microsoft Knowledge Base:

    174904 Information About TCP/IP Port Assignments

    To determine the ports that are currently in use (or open), follow these steps:

    1. Click Start, and then click Run.
    2. In the Open box, type cmd, and then click OK.
    3. Type the following command, and then press ENTER:

      netstat -na |more

      In the Local Address column, the port numbers are displayed in the following format, where port is the number of the port that is in use:

      address:port

  9. Click OK three times.
  10. Right-click *server name, and then click Restart IIS.
  11. In the What do you want IIS to do? list, click Restart Internet Services on server name, and then click OK.
  12. After Internet Services restarts, quit the Internet Information Services snap-in.
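The port check in step 8, as an added example that is not part of the original article: this Python code parses `netstat -na` output, lists the TCP ports in the LISTENING state, reports the ports that are bound to every interface, and picks the first unused port starting at 81. The sample output is constructed; 192.168.1.1 is the internal interface address used in the article.

```python
import re

# Constructed sample of `netstat -na` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:81         0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:1042       192.168.1.2:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Proto, Local Address, Foreign Address and an optional State column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
WILDCARDS = {"0.0.0.0", "[::]"}  # "bound to every interface"


def parse_listeners(netstat_text):
    """Return (address, port) for every TCP socket in the LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        # Split on the last colon so bracketed IPv6 addresses also parse.
        address, _, port = m.group(2).rpartition(":")
        listeners.append((address, int(port)))
    return listeners


def port_in_use(listeners, port):
    """True if any listener, on any local address, already holds the port."""
    return any(p == port for _, p in listeners)


def next_free_port(listeners, start=81):
    """First port at or above start that has no listener; None if exhausted."""
    for port in range(start, 65536):
        if not port_in_use(listeners, port):
            return port
    return None


def wildcard_ports(listeners):
    """Ports bound to all interfaces, the external interface included."""
    return sorted({p for a, p in listeners if a in WILDCARDS})
```

With the sample above, port 80 is still bound to 0.0.0.0, which is the state that steps 7 and 8 change, and port 81 is already taken, so 82 is the first candidate.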


Edit the Web Publishing Rule

  1. Log on to the ISA Server computer as an administrator.
  2. Start ISA Management.
  3. In the console tree, click Servers and Arrays, click server name (where server name is the name of the ISA Server computer), click Publishing, and then click Web Publishing Rules.
  4. On the View menu, click Taskpad.
  5. In the Publish Web Servers dialog box, click the rule that you created in the "Create a Web Publishing Rule" section in this article. For example, click Default anonymous access rule.
  6. Click Configure a Web Publishing Rule.
  7. On the Action tab, in the Connect to this port when bridging request as HTTP box, type the port number that you typed in step 8 in the "Configure the IIS IP Address and Port" section in this article. For example, type 81.
  8. Click Apply, and then click OK.
  9. Quit ISA Management.


Troubleshooting

  • Clients cannot browse to the Web site by using the FQDN of the Web site (for example, www.example.com):
    • Make sure that an externally accessible DNS entry exists for the FQDN of the Web site, and that it resolves to the IP address that is assigned to the external interface of the ISA Server computer.
    • Make sure that the destination set includes the FQDN of the Web server that the external clients request.


NOTE: Configure the destination set from the point of view of a client that is trying to access the resource.

  • ISA Server does not redirect requests to the internal Web server:
    • If you want to redirect requests to the internal Web server based on host names, make sure that the internal network interface of the ISA Server computer has an entry for an internally accessible DNS server.
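The checks from the "Verify the DNS Entries" section and the first troubleshooting item, as an added example that is not part of the original article: this Python code follows A and CNAME records for a requested FQDN, compares the result with the external interface address, and confirms that the FQDN is in the destination set. The zone records, the 203.0.113.10 external address, and the exact-match destination set are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the article):
# 203.0.113.10 stands in for the ISA Server external interface.
EXTERNAL_IP = "203.0.113.10"
EXTERNAL_ZONE = {                      # records on the external DNS server
    "www.example.com": ("CNAME", "web.example.com"),
    "web.example.com": ("A", "203.0.113.10"),
    "ftp.example.com": ("A", "192.168.1.2"),          # internal address published
    "old.example.com": ("CNAME", "old.example.com"),  # CNAME loop
}
DESTINATION_SET = {"www.example.com"}  # FQDNs entered in the destination set
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(name, zone):
    """Follow CNAME records to an A record; None if missing or looping."""
    seen = set()
    name = name.rstrip(".").lower()
    while name in zone and name not in seen:
        seen.add(name)
        rtype, value = zone[name]
        if rtype == "A":
            return value
        name = value.rstrip(".").lower()
    return None


def check_published_name(fqdn, zone=EXTERNAL_ZONE,
                         external_ip=EXTERNAL_IP, dest_set=DESTINATION_SET):
    """Return the list of problems an external client would hit for fqdn."""
    problems = []
    address = resolve(fqdn, zone)
    if address is None:
        problems.append("no external A/CNAME record")
    elif address != external_ip:
        ip = ipaddress.ip_address(address)
        if any(ip in net for net in RFC1918):
            problems.append("external DNS publishes internal address " + address)
        else:
            problems.append("resolves to " + address + ", not the external interface")
    if fqdn.rstrip(".").lower() not in dest_set:
        problems.append("FQDN missing from destination set")
    return problems


if __name__ == "__main__":
    for host in ("www.example.com", "ftp.example.com", "old.example.com"):
        print(host, "->", check_published_name(host) or "ok")
```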


REFERENCES

For additional help and support with Internet Security and Acceleration (ISA) Server, visit the following Web sites:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Glossary

  • Internal network interface: The network adapter in the ISA Server computer that is connected to that portion of the network that is protected by (is located behind) the firewall. Computers in this segment of the network are considered protected by the ISA Server firewall.
  • External network interface: The network adapter in the ISA Server computer that is connected to the Internet or to the portion of the network that is considered unprotected. Computers on this segment of the network are not protected by the ISA Server firewall.
  • Perimeter network: A network that is between an external unprotected network and the internal protected network.



Additional query words: kbsecurity

Keywords: kbwebservices kbappservices kbhowtomaster KB323426