|You can make Web Sites on your internal network available by using ISA Server Web and Server Publishing Rules. These rules allow you to redirect requests arriving at the external interface of the ISA Server to an internal Web Server. You never have to directly expose your Internet accessible servers directly to Internet hosts; all requests will be evaluated by the ISA Server before they ever touch your Internet Web servers.|
One of the really cool things about ISA Server Web Publishing is that you can configure a single IP address on the external interface and publish multiple sites using that IP address. The ability to publish multiple web sites with a single IP address is helpful for those who have only a single public IP address to expose to the Internet. It is also helpful if you use dynamically assigned IP address.
In this article, we’ll cover the following issues regarding Publishing multiple Web Sites using ISA Server:
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
Setting up the Inbound Web Requests Listener
To configure the Inbound Web Requests Listener:
If you have a single IP address bound to the external interface of the ISA Server, or if you use a dynamically assigned IP address, select the Use the same listener configuration for all IP addresses option. If you have multiple IP addresses bound to the external interface of the ISA Server, I recommend you select the Configure listeners individually per IP address option.
You can change the TCP port number incoming HTTP requests are received on. However, I do not recommend that you change it from its default setting of port 80. If you do change it, external users will need to include the port number in the URL when they request resources from your published servers.
If you want to secure communications between the external Web client (browser) and the ISA Server, you can Enable SSL listeners. The default port is 443. Like with the HTTP port number setting, if you change the SLL port number, users will have to include the alternative port number in their HTTPS requests.
You can enable the Ask unauthenticated users for identification option if you want users to authenticate before they access the internal web site. Unless you never intend to publish sites available to the general public you probably should not enable this option. Configure the authentication options at the Web site, not at the Incoming Web Requests listener if you need users to authenticate with a Web Site.
Configuring the Supporting Policy Elements
To publish multiple web sites, you need to configure, at the very least, a Destination Set for each of the Web Sites you want to publish.
For example, suppose you want to publish two Web Sites. One site will respond to requests for www.hot-isaserverstuff.com and the other site will respond to requests www.cold-isaserverstuff.com. You need to create two Destination Sets; one for each of these Sites.
To create a Destination Set:
Give the Destination Set a Name and a Description. I find it useful to include in the Description the FQDN(s) that are included in the set, because you’ll see the description information displayed in several of the wizards. To add a Destination to the Set, click the Add button.
To publish the root of the web site and all files and folders in the site, enter the FQDN that external users will use to access the site in the Destination text box.
Do not use an IP address for your destinations. ISA Server admins often try to use IP addresses in their Destination Sets when they have multiple IP addresses bound to the external interface of the ISA Server and do not have DNS names for those addresses. They find out soon enough that when they try to use these Destination Sets, they do not work. Only the IP address based Destination Set at the top of the list works. There is an issue with ISA Server which prevents this from working. However, you may be able to obtain a fix by calling Microsoft PSS.
Creating the Web Publishing Rules
Now, repeat the entire process with your second Destination Set, but on the Rule Action page, send the requests to another Web Server or to a different port on the same Web Server. (or, enable sending the original host header if you are using Host Headers to manage multiple sites on the internal Web Server).
Using Server Publishing Rules for Web Publishing
On the other hand, it’s a heck of a lot easier to publish an SSL Web Site using Server Publishing Rules than it is using Web Publishing Rules.
To Publish a Web Site using Server Publishing Rules, expand the Publishing node in the left pane of the ISA Server Management console and right click the Server Publishing Rules node. Click New and then click Rule
On the first page, name the rule.
On the Address Mapping page, type in the IP address of the internal Web Server and the IP address that you want to use on the external interface of the ISA Server.
On the Protocol Settings tab, select the name of the HTTP Server Protocol Definition that you created. On the Client Type page select Any Request to allow everyone access. Confirm your settings and click Finish.
Whether you use Web Publishing or Server Publishing Rules, always make sure to test the functionality of your publishing rules after you create them. Always test your rules from a client on an external network. Remember, the entire point of publishing is to make internal resources available to external hosts; the point is not to use the ISA Server to redirect requests for internal resources through the ISA Server for internal network clients.