Publishing Multiple Web Sites.







You can make Web Sites on your internal network available by using ISA Server Web and Server Publishing Rules. These rules allow you to redirect requests arriving at the external interface of the ISA Server to an internal Web Server. You never have to expose your Internet accessible servers directly to Internet hosts; all requests are evaluated by the ISA Server before they ever touch your Internet Web servers.

One of the really cool things about ISA Server Web Publishing is that you can configure a single IP address on the external interface and publish multiple sites using that IP address. The ability to publish multiple web sites with a single IP address is helpful for those who have only a single public IP address to expose to the Internet. It is also helpful if you use a dynamically assigned IP address.


In this article, we’ll cover the following issues regarding Publishing multiple Web Sites using ISA Server:




  • Setting up the Incoming Web Requests Listener
  • Configuring the Supporting Policy Elements
  • Creating the Web Publishing Rules
  • Using Server Publishing Rules for Web Publishing

Setting up the Inbound Web Requests Listener
The first step in setting up your server to publish multiple web sites is to configure the Inbound Web Requests Listener.


To configure the Inbound Web Requests Listener:



  1. Right click your Server or Array and click the Properties command.
  2. Click on the Incoming Web Requests tab.



If you have a single IP address bound to the external interface of the ISA Server, or if you use a dynamically assigned IP address, select the Use the same listener configuration for all IP addresses option. If you have multiple IP addresses bound to the external interface of the ISA Server, I recommend you select the Configure listeners individually per IP address option.


You can change the TCP port number incoming HTTP requests are received on. However, I do not recommend that you change it from its default setting of port 80. If you do change it, external users will need to include the port number in the URL when they request resources from your published servers.


If you want to secure communications between the external Web client (browser) and the ISA Server, you can Enable SSL listeners. The default port is 443. As with the HTTP port number setting, if you change the SSL port number, users will have to include the alternative port number in their HTTPS requests.


You can enable the Ask unauthenticated users for identification option if you want users to authenticate before they access the internal web site. Unless you never intend to publish sites available to the general public, you probably should not enable this option. If you need users to authenticate with a Web Site, configure the authentication options at the Web site, not at the Incoming Web Requests listener.


Configuring the Supporting Policy Elements
All ISA Server rules require Policy Elements. The Policy Elements you need to create depend on what type of Rule you want to make, and how you want to configure a particular Rule.


To publish multiple web sites, you need to configure, at the very least, a Destination Set for each of the Web Sites you want to publish.


For example, suppose you want to publish two Web Sites. One site will respond to requests for www.hot-isaserverstuff.com and the other site will respond to requests for www.cold-isaserverstuff.com. You need to create two Destination Sets, one for each of these Sites.


To create a Destination Set:



  1. Expand the Policy Elements node in the left pane of the ISA Server Management console.
  2. Right click on the Destination Sets node. Click New and then click Set.

Give the Destination Set a Name and a Description. I find it useful to include in the Description the FQDN(s) that are included in the set, because you’ll see the description information displayed in several of the wizards. To add a Destination to the Set, click the Add button.



To publish the root of the web site and all files and folders in the site, enter the FQDN that external users will use to access the site in the Destination text box.



Do not use an IP address for your destinations. ISA Server admins often try to use IP addresses in their Destination Sets when they have multiple IP addresses bound to the external interface of the ISA Server and do not have DNS names for those addresses. They find out soon enough that when they try to use these Destination Sets, they do not work. Only the IP address based Destination Set at the top of the list works. There is an issue with ISA Server which prevents this from working. However, you may be able to obtain a fix by calling Microsoft PSS.

Since you have to use FQDNs in your Destination Sets, you will have to create DNS entries for these FQDNs. Make sure you register each of these Destinations on a publicly available DNS server if you want external users to access your public sites.

You can get creative with your Destination Sets by using Path statements. For example, you might have two servers on your internal network and you want one of the servers to respond to the URL http://www.corp.com/hot-stuff and the other server to respond to the URL http://www.corp.com/cold-stuff.

Just make two Destination Sets; one with the FQDN of www.corp.com and the path /hot-stuff/* and the other with the FQDN www.corp.com and the path /cold-stuff/*. You can then create two Web Publishing Rules; one for each of these Destination Sets.






Creating the Web Publishing Rules
The next step is to configure the Web Publishing Rules.



  1. Expand the Publishing node in the left pane of the ISA Management console and right click the Web Publishing Rules node. Click New and click Rule.
  2. On the first page you name the rule.




  3. On the Destination Sets page, select the option for Specified Destination Set and then select one of the Destination Sets you created for your Web Sites.




  4. On the Client Type page, select Any Request to allow everyone access to the site.




  5. The Rule Action page is where the money is at. Select the Redirect the request to this internal Web Server (name or IP address) option. If you want to make your life as simple as possible, type in the IP address of the internal server. However, if you do this, you might see the dreaded 14120 error in your Event Logs.



    You have the option of putting in the INTERNAL name of the server in this box, but if you use a FQDN, make sure the ISA Server can resolve the name to an internal IP address. This means setting up DNS correctly on your internal network and the DNS settings on the ISA Server itself. If you’re not sure how to do this, run over to the Learning Zone at www.isaserver.org and check out Jim Harrison’s excellent articles on network preparation and ISA TCP/IP interface configuration.

    If you are publishing OWA sites, or if you are using Host headers rather than multiple IP addresses or ports on an internal Web Server to host multiple sites, then you need to enable the checkbox that sends the original Host Header. Web Publishing is the only place where you can implement port redirection. For example, if you want to publish multiple Web Sites on an internal server, and each of those Web Sites listens on a different port number, you can configure the Web Publishing Rule to redirect a particular Destination Set to a particular port on the internal web server. You configure your port redirection requirements on the Rule Action page as well.


  6. On the last page of the Wizard, check your configuration and click Finish.

Now, repeat the entire process with your second Destination Set, but on the Rule Action page, send the requests to another Web Server or to a different port on the same Web Server (or enable sending the original host header if you are using Host Headers to manage multiple sites on the internal Web Server).
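The matching that the Destination Sets and the Rule Action page set up can be sketched as a simplified model. This is an added example, not ISA Server code and not part of the original article; the rule names, internal addresses, and the first-match and drop-if-unmatched behaviour are assumptions of the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class PublishingRule:
    name: str                  # hypothetical rule name
    fqdn: str                  # Destination Set FQDN
    path: str                  # Destination Set path pattern, "*" = whole site
    internal_host: str         # constructed internal address
    internal_port: int = 80    # port redirection target
    send_original_host: bool = False


# Constructed rules mirroring the article's www.corp.com and hot-site examples.
RULES = [
    PublishingRule("Hot stuff", "www.corp.com", "/hot-stuff/*", "10.0.0.10"),
    PublishingRule("Cold stuff", "www.corp.com", "/cold-stuff/*", "10.0.0.11", 8080),
    PublishingRule("Hot site", "www.hot-isaserverstuff.com", "*", "10.0.0.12",
                   send_original_host=True),
]


def route(host_header: str, path: str, rules=RULES) -> Optional[dict]:
    """Return the internal request the first matching rule produces, or None."""
    host = host_header.split(":")[0].rstrip(".").lower()
    for rule in rules:
        if host != rule.fqdn.lower():
            continue  # FQDN in the Destination Set must equal the Host header
        if rule.path != "*" and not fnmatchcase(path.lower(), rule.path.lower()):
            continue  # path pattern such as /hot-stuff/* did not match
        return {
            "rule": rule.name,
            "connect_to": (rule.internal_host, rule.internal_port),
            # Without the original-host option the internal name is sent instead.
            "host_header": host_header if rule.send_original_host
            else rule.internal_host,
        }
    return None  # no Destination Set matched: the request is not forwarded
```

A request whose Host header is a bare IP address matches none of these FQDN-based sets and is not forwarded, which is worth confirming from an external client after the rules are created.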


Using Server Publishing Rules for Web Publishing

Web Publishing Rules take advantage of the ability of the Web Proxy service to examine application layer HTTP header information and make decisions about routing packets based on that information. The Web Proxy service is quite cool, and if you need to publish Web Sites, you should make it a practice to use Web Publishing Rules to do it.

However, there is one major limitation to using the Web Proxy service to publish Web Sites: the IP address of the internal interface of the ISA server will show up in the log files on the internal web server. If you need information about the source IP address to show up in your Web server logs, you are out of luck with Web Publishing Rules.

One option is to parse the Web Proxy service logs for the destination URL for each of your sites and extract the information you need from there. However, you might not want to do this because it is time consuming or you have an application that works with the web server logs already and you don’t want to move away from that application.

In this case, you will need to use Server Publishing Rules to publish your Web Sites. When you publish a Web Site using Server Publishing Rules, the source IP address remains intact.

However, if you want to publish multiple internal Web Sites, you will need to bind multiple IP addresses on the external interface of the ISA Server. After binding multiple IP addresses to the external interface, you can publish one Web Site for each IP address on the external interface.
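For the log-parsing option mentioned above, the original client addresses can be recovered per published site from the Web Proxy log. The following is an added example, not from the original article: it assumes the log is written in W3C extended format, tab-delimited, with a `#Fields:` directive that names `c-ip` and `cs-uri`, and the sample lines are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample; the second #Fields line imitates a header that is
# re-written with a different column order part-way through the file.
SAMPLE_LOG = (
    "#Fields: c-ip\tdate\ttime\tcs-uri\tsc-status\n"
    "198.51.100.7\t2002-03-01\t10:00:01\thttp://www.hot-isaserverstuff.com/default.htm\t200\n"
    "198.51.100.7\t2002-03-01\t10:00:02\thttp://www.hot-isaserverstuff.com/images/logo.gif\t200\n"
    "203.0.113.20\t2002-03-01\t10:05:40\thttp://www.cold-isaserverstuff.com/\t200\n"
    "203.0.113.20\t2002-03-01\t10:06:00\thttp://www.example.org/\t403\n"
    "#Fields: date\ttime\tc-ip\tsc-status\tcs-uri\n"
    "2002-03-02\t09:15:00\t192.0.2.99\t200\thttp://www.hot-isaserverstuff.com/\n"
)


def clients_per_site(lines, sites):
    """Count requests per external client IP for each published FQDN."""
    wanted = {s.lower() for s in sites}
    fields = []
    hits = defaultdict(Counter)
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # column order may change
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split("\t")))
        client, uri = row.get("c-ip", "-"), row.get("cs-uri", "-")
        try:
            host = (urlsplit(uri).hostname or "").lower()
        except ValueError:
            continue  # malformed URL supplied by the client; skip the entry
        if client != "-" and host in wanted:
            hits[host][client] += 1
    return {site: dict(counts) for site, counts in hits.items()}


if __name__ == "__main__":
    published = ["www.hot-isaserverstuff.com", "www.cold-isaserverstuff.com"]
    for site, clients in clients_per_site(SAMPLE_LOG.splitlines(), published).items():
        print(site, clients)
```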

There are some disadvantages to using Server Publishing to publish an internal web site. These include:



  • You must create an HTTP Server Protocol Definition
  • You will not be able to take advantage of the Web Proxy Cache
  • You will not be able to perform port redirection
  • You cannot control access by using Destination Sets
  • You cannot take advantage of SSL Bridging

On the other hand, it’s a heck of a lot easier to publish an SSL Web Site using Server Publishing Rules than it is using Web Publishing Rules.


To publish a Web Site using Server Publishing Rules, expand the Publishing node in the left pane of the ISA Server Management console and right click the Server Publishing Rules node. Click New and then click Rule.


On the first page, name the rule.



On the Address Mapping page, type in the IP address of the internal Web Server and the IP address that you want to use on the external interface of the ISA Server.



On the Protocol Settings tab, select the name of the HTTP Server Protocol Definition that you created. On the Client Type page select Any Request to allow everyone access. Confirm your settings and click Finish.


Summary
There are two ways you can publish multiple internal Web Sites using ISA Server. The best way is to use Web Publishing Rules. When you use Web Publishing Rules, you take advantage of the sophisticated features provided by the Web Proxy service. On the other hand, if you require that the source IP address remain intact so that it shows up in the internal web server’s logs, then you will need to use Server Publishing Rules.


Whether you use Web Publishing or Server Publishing Rules, always make sure to test the functionality of your publishing rules after you create them. Always test your rules from a client on an external network. Remember, the entire point of publishing is to make internal resources available to external hosts; the point is not to use the ISA Server to redirect requests for internal resources through the ISA Server for internal network clients.
