Allowing External Connections to the ISA Server Outgoing Web Requests Listener
By Thomas W Shinder M.D.
Someone asked on the ISAServer.org message boards whether it was possible to allow external network clients access to the Web Proxy service on the ISA Server. He didn’t want to allow access to the Web Proxy service via a Web Publishing Rule. Instead, he wanted external network clients to access the Internet by using the ISA Server as their Web Proxy in the same way that internal Web Proxy clients do.
My typical response to this kind of request is to have the external network clients connect to the ISA Server and the internal network via a VPN connection. The Web browser on the VPN client is then configured to use the internal interface of the ISA Server as its Web Proxy after the VPN client connects. This solution works well, but it does expose your internal network to anyone given VPN access. What if you just wanted to allow users to use your Web Proxy without allowing them access to your internal network resources?
The first question that comes to mind is why would you want to allow external users access to the Web Proxy service? One reason would be to allow people to use your ISA Server as an anonymous proxy. I guess if you were trying to help a friend who’s an Internet criminal carry out one of his "jobs", this is a good configuration as it will allow for anonymous Web Proxy connections (anonymous especially because of the fact that the thug’s activities can’t be traced through the Web Proxy log, although your IP address would show in the victim’s logs and you’d be the one who’s nailed by the authorities). Another reason for doing this is to allow legitimate users to leverage your Web cache and also allow you to monitor their Web browsing while using company computers while they’re off site.
No matter what your motivation might be, you can allow external network users access to your Outgoing Web Requests listener. The only thing you need to do is create a Server Publishing Rule to publish your Outgoing Web Requests listener. You need to address the following issues when you publish the Outgoing Web Requests listener:
Let’s go through the steps together.
Configure the Outgoing Web Requests Listener
All outgoing requests passing through the Web Proxy service have to go through the Outgoing Web Requests listener. You need to make sure the Outgoing Web Requests listener is configured correctly before publishing it to external network users:
- Open the ISA Management console, right click on your server name and then click on Properties.
- On the server Properties dialog box, click on the Outgoing Web Requests tab. Notice the default setting is to Use the same listener configuration for all internal IP addresses. This isn’t the best setting, as it gives you the least amount of flexibility in terms of how you configure your Outgoing Web Requests listeners. You may want to configure your listeners differently depending on what clients access them.
- On the Outgoing Web Requests tab, click on the Configure listeners individually per IP address option. Notice that after you select this option there are no listeners. You’re going to need to add your own listeners after selecting this option.
- Click on the Add button. In the Add/Edit Listeners dialog box, select your Server name, and then select your IP Address on the internal interface you want to use for the listener. Type in a Display Name so that you can identify this listener among other Outgoing Web Requests listeners you may have configured. Configure your desired authentication options. The default settings enable Integrated authentication. Integrated authentication is no good for your external network clients since they won’t be logged into your domain. Digest authentication can be used, but it requires an Active Directory domain and IE 5.0 or above. User passwords also have to be saved with reversible encryption enabled, which can be a horrendous hassle if you have thousands of users who need to change their passwords to enable the reversible encryption. Basic authentication is the most flexible option, but then your credentials are passed in clear text. This can be a real problem, since anyone who can listen on the wire will be able to capture user names and passwords. You won’t be able to use client certificate authentication to authenticate with the listener, as it doesn’t work with browser clients; that option is used when configuring upstream Web Proxy servers. Your most secure option (in terms of protecting user credentials) is probably to allow anonymous connections. Click OK after making your selections.
- If you want to allow anonymous connections to the Outgoing Web Requests listener, make sure that the Ask unauthenticated users for identification option is not enabled. You have to be careful about this option, because it is a global one. If you require authentication for your external network users, you will also have to force authentication for your internal network users. You don’t have to enable SSL listeners because that only applies when the ISA Server is an upstream server in a Web Proxy chain. Click Apply and select the Save the changes and restart the service(s) option. Then click OK and click OK again.
Disable the IIS W3SVC on the ISA Server
Do you have to disable the WWW service on the ISA Server? No, but I guarantee that your ISA Server admin life will be easier and you’ll have a more secure configuration. Perform the following steps to disable the IIS Web Publishing Service:
- Click Start and then point to Programs. Point to Administrative Tools and click on Services.
- Scroll down to the World Wide Web Publishing Service and double click on it. Click the Stop button. After the service stops, click the down arrow in the Startup type drop down list box and select Manual. Click Apply and then click OK.
- Now the WWW service will no longer start automatically after rebooting the server.
Create the Outgoing Web Requests Listener Protocol Definition
The Outgoing Web Requests listener listens on TCP port 8080 by default. There’s no reason to change this, so we’ll create a Protocol Definition for TCP port 8080 inbound. Perform the following steps to create the Protocol Definition:
- In the ISA Management console, expand your server name and then expand the Policy Elements node. Right click on Protocol Definitions, point to New and click on Definition.
- In the Welcome to the New Protocol Definition Wizard page, type in a name for the rule. Let’s call it Incoming Web Requests and click Next.
- On the Primary Connection Information dialog box, enter 8080 in the Port number text box. The Protocol type is TCP. The Direction is set for Inbound. Click Next.
- On the Secondary Connections page, select the No option. You don’t need secondary connections when configuring the Outgoing Web Requests Protocol Definition. Click Next.
- Review your settings and click Finish on the Completing the New Protocol Definition Wizard page.
The new Protocol Definition should now appear in the right pane of the console.
Create the Server Publishing Rule
You can create the Incoming Web Requests Server Publishing Rule now that you have the Protocol Definition in place. Perform the following steps to create the Server Publishing Rule:
- In the ISA Management console, expand your server name and then expand the Publishing node. Right click on the Server Publishing Rules node, point to New and click Rule.
- Type the name of the rule on the Welcome to the New Server Publishing Rule Wizard page. Let’s call it Incoming Web Requests listener and click Next.
- On the Address Mapping page, type in the IP address of the internal network server and the IP address on the external interface of the ISA Server you want to use to listen for the incoming requests. Click Next.
- On the Protocol Settings page, select the Incoming Web Requests Protocol Definition you created earlier from the Apply the rule to this protocol drop down list box. Click Next.
- On the Client Type page, select the Any request option and click Next.
- Review your settings on the Complete the New Server Publishing Rule Wizard and click Finish.
Configuring the Web Browser
It goes without saying that you’re using Internet Explorer! Well, you actually don’t have to use Internet Explorer, but you’ll have to figure out how to configure the browser and deal with authentication issues on your own. Just remember that if you’re not using Internet Explorer, the only authentication option available to you is Basic authentication.
Perform the following steps to configure the browser:
- Open Internet Explorer, click the Tools menu and then click Internet Options.
- Click the Connections tab. You configure the proxy connection based on how you connect to the ISA Server. If you use a dial-up connection, then you need to select the dial-up connection in the Dial up settings frame and click the Settings button. (The same thing applies if you use a VPN connection, except that when you use a VPN connection, you can use the internal IP address of the ISA Server for the Proxy server address.) If you connect to the Internet using a LAN interface (cable, DSL, etc.), then you would click the LAN Settings button. In this example we’ll assume that we’re connecting from a hotel room that has a high speed LAN connection. Click on the LAN Settings button.
- In the Local Area Network (LAN) Settings dialog box, select the Use a proxy server checkbox and enter the IP address on the external interface of the ISA Server that you’re using to publish the Incoming Web Requests listener. Remember to enter port 8080. Click OK and click OK again.
- If you didn’t force authentication, you’ll be able to connect to Web sites immediately without needing to log on. If you forced authentication at the listener, you’ll need to enter your credentials as seen in the figure below. In this example I’ve configured the listener to support Basic credentials only and configured a default domain. I don’t need to enter the domain name in the Enter Network Password dialog box because I configured a default domain in the Basic authentication configuration setup in the Incoming Web Requests listener.
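To confirm from an external host which of those two behaviours your published listener actually has, and whether it offers Basic (clear-text) credentials, you can send it one request without credentials and classify the reply. This is an added example, not part of the original article; the function names, the sample replies and the placeholder address are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample replies (not captured from a real ISA Server).
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM\r\n"
              b'Proxy-Authenticate: Basic realm="proxy.example.test"\r\n\r\n')
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

def classify_proxy_response(raw):
    """Classify a proxy's reply to a request sent without credentials."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"status": None, "verdict": "not-http", "schemes": [], "cleartext": False}
    status = int(parts[1])
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0])   # scheme token, e.g. Basic, NTLM
    if status == 407:
        verdict = "auth-required"
    elif 200 <= status < 400:
        verdict = "anonymous-allowed"          # request was proxied without credentials
    else:
        verdict = "denied-or-error"
    # Basic is only base64-encoded, so offering it on port 8080 exposes passwords.
    cleartext = any(s.lower() == "basic" for s in schemes)
    return {"status": status, "verdict": verdict, "schemes": schemes, "cleartext": cleartext}

def probe_listener(host, port=8080, url="http://example.com/", timeout=5.0):
    """Send one unauthenticated proxy request to your own published listener."""
    req = f"GET {url} HTTP/1.0\r\nHost: {urlsplit(url).netloc}\r\n\r\n".encode("ascii")
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_proxy_response(raw)

if __name__ == "__main__":
    for name, sample in (("407 sample", SAMPLE_407), ("200 sample", SAMPLE_200)):
        print(name, classify_proxy_response(sample))
    # probe_listener("203.0.113.10")  # placeholder: external IP of your ISA Server
```

A verdict of anonymous-allowed means anyone who can reach the external address on port 8080 can browse through the server; cleartext set to True means the listener will accept passwords that can be read off the wire.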
That’s all there is to it! Note that when you publish the Incoming Web Requests listener, your Web Proxy logs won’t be of any value in determining who made the connection. All connection requests from external network clients will appear to come from the local host. You can see this in the Web Proxy log file entries in the figure below.
You can allow your external network users to access the Web Proxy service on the ISA Server and use your ISA Server as a Web Proxy. You can allow anonymous requests and anonymous proxying, or you can require authentication. You’ll be able to track what sites users visit when you enforce authentication. Users that do not authenticate will be able to use the Web Proxy service completely anonymously. The users remain completely anonymous because they do not authenticate, and the Web Proxy log does not log the user’s IP address; the only address logged by the Web Proxy service is the localhost address.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=6;t=001247 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom.