ISA Server allows you to make internal resources, such as web servers, email servers and FTP servers, available to Internet users. This process of making internal services available to users on an external network is called “Publishing”. When you publish a service on your internal, private network, you allow selective access to external users. The actual procedure for publishing a service is very easy, as it is wizard driven. However, before you publish, you have to make sure a couple of infrastructure issues and ISA Server components are taken care of, or the publishing will not succeed. In this article we’ll look at the preparations you need to make before publishing a web site. Prior to publishing your site, you need to deal with the following issues: DNS entries, destination sets, ISA client configuration of the published server, and the ISA Server inbound web request listener.

Let’s look at each of these issues and how to handle them before beginning the actual publishing of our web site.
Configuring ISA Server 2000: Building Firewalls for Windows 2000
By Deb and Tom Shinder
DNS Entries

Users on the Internet will access your published web site via a Fully Qualified Domain Name (FQDN), such as www.isaserver.org. That FQDN must be translated to an IP address before the user can connect to your site. This is the job of a DNS server. Before you publish your site, you must have a DNS entry for your site on a publicly available DNS server. Most people will have DNS entries handled by their ISP. You do have the option of hosting your own public DNS servers. If you are managing your own public DNS servers (and you must have two, although some people cheat and report two IP addresses on the same server), you need to include a Host (A) entry for the internal web server you wish to publish. For example, if you are managing your own DNS, and have a zone for “domain.com”, you must create a Host (A) record for “www” if you wish people to access your internal web server as www.domain.com. Your site may also be accessible via multiple names, such as ftp.domain.com, www.domain.com, and mail.domain.com. You can enter multiple Host (A) entries, one for each host name, or you can make a single Host (A) entry and use CNAME (alias) records for the other names. The CNAME approach is a bit easier to manage if you change your IP address from time to time, because only the single Host (A) record has to be updated. Alternatively, you could forget about DNS entries and make everyone connect to your web site via an IP address. While this is doable, most people can hardly remember their own phone number, much less a 12 digit IP address.

Destination Sets

Once you’ve got the DNS issues handled, you’re ready to create a destination set for your site. A destination set is used by ISA Server to identify which site is requested by the external user. Remember, when working with destination sets and publishing, you are looking at it from the vantage point of the external user, not the internal user. The destination for the external user is going to be the FQDN of your site. Let’s say we want to create a destination set for our site.
The internal server we want to publish will answer to the names mail.domain.com and www.domain.com. We can create a single destination set that contains all three of these destinations. Then we can use this destination set in our publishing rule.
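The path an external request takes, from the CNAME lookup described under DNS Entries to the Host header match a destination set performs, as an added example in Python. This is not code from the article or from ISA Server: the zone records, addresses and destination sets are constructed sample data, and the matching rules (exact name, a leading "*." wildcard, an IP address, an optional path prefix) are a simplified model of ISA Server 2000 destination sets, not its implementation.

```python
"""Path of an external request to a published site: public DNS turns the FQDN
into the ISA Server's external address, then ISA matches the Host header of
the arriving request against its destination sets.

Added example, not code from the article or from ISA Server. Zone records,
addresses and destination sets are constructed; the matching rules are a
simplified model of ISA Server 2000 destination sets."""

from __future__ import annotations
from dataclasses import dataclass

# Constructed public zone for domain.com: one Host (A) record pointing at the
# ISA Server's external address (203.0.113.10, a documentation-range address)
# and CNAME (alias) records for the other public names of the same server.
PUBLIC_ZONE = {
    "www.domain.com": ("A", "203.0.113.10"),
    "mail.domain.com": ("CNAME", "www.domain.com"),
    "ftp.domain.com": ("CNAME", "www.domain.com"),
}


def resolve(name: str, zone: dict, max_hops: int = 8) -> str | None:
    """Follow CNAME aliases until a Host (A) record is reached.
    Returns None for an unknown name or an alias chain that never reaches
    an A record (a looping chain is cut off at max_hops)."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        record = zone.get(name)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value.rstrip(".").lower()  # CNAME: continue with the alias target
    return None


def renumber(zone: dict, old_ip: str, new_ip: str) -> tuple[dict, int]:
    """The CNAME approach from the article: only Host (A) records carry the
    address, so a renumbering touches those alone and the aliases follow.
    Returns the updated zone and the number of records that changed."""
    updated, changed = dict(zone), 0
    for name, (rtype, value) in zone.items():
        if rtype == "A" and value == old_ip:
            updated[name] = ("A", new_ip)
            changed += 1
    return updated, changed


@dataclass(frozen=True)
class DestinationSet:
    name: str
    destinations: tuple[str, ...]  # FQDN, "*.domain.com" wildcard, or IP address
    path: str = "/"                # path prefix; "/" matches every path

    def matches(self, host: str, request_path: str) -> bool:
        host = host.split(":")[0].lower()  # drop an explicit port from the Host header
        if not request_path.startswith(self.path):
            return False
        for dest in self.destinations:
            dest = dest.lower()
            if dest.startswith("*."):
                if host.endswith(dest[1:]):  # "*.domain.com": any host below domain.com
                    return True
            elif host == dest:
                return True
        return False


# Constructed sets, most specific first: the first matching set wins.
DESTINATION_SETS = [
    DestinationSet("Webmail", ("mail.domain.com",), path="/exchange"),
    DestinationSet("Published Web Site", ("www.domain.com", "mail.domain.com", "ftp.domain.com")),
]


def parse_request(raw: bytes) -> tuple[str, str]:
    """Return (Host header, request path) from the head of an HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        field, _, value = line.partition(":")
        if field.strip().lower() == "host":
            host = value.strip()
    return host, path


def select_destination_set(raw: bytes, sets: list[DestinationSet]) -> str | None:
    """Name of the first destination set the request's Host header and path fall into."""
    host, path = parse_request(raw)
    for ds in sets:
        if ds.matches(host, path):
            return ds.name
    return None


if __name__ == "__main__":
    # Constructed request as the ISA external interface would receive it.
    request = b"GET /index.html HTTP/1.1\r\nHost: www.domain.com\r\n\r\n"
    print(resolve("ftp.domain.com", PUBLIC_ZONE), select_destination_set(request, DESTINATION_SETS))
    # A user who typed the bare IP sends "Host: 203.0.113.10", which a name-only
    # destination set does not contain, so the request matches nothing.
    print(select_destination_set(b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n", DESTINATION_SETS))
```

The last call shows the caveat behind the article's "connect via an IP address" remark: a user who types the bare address sends that address in the Host header, so a destination set that only lists FQDNs will not match, and the set has to include the address as well.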
After creating the destination set, it will appear in the right pane of the ISA Management console. When the ISA Server receives a request for one of these destinations, it examines the headers in the request and checks whether the destination named in the Host header belongs to a destination set used by a publishing rule.

ISA Client Configuration

The server you want to publish should be configured as a SecureNAT client. This is a departure from how it was done in Proxy Server 2.0, where the only way you could publish a server was by making the server a Winsock Proxy client and then hammering away at a wspcfg.ini file. ISA Server allows you to escape that pain by configuring published servers as SecureNAT clients. SecureNAT client configuration is easy. The only thing you need to do is set the default gateway on the server to an address that routes Internet bound requests to the internal interface of the ISA Server. If the published server is on the same logical network ID as the internal interface of the ISA Server, you can set the default gateway to be the IP address of the internal interface of the ISA Server. If the server to be published is on a logical network ID removed from the internal network interface of the ISA Server, then you must configure the default gateway on the server to be a router interface that will route packets destined for the Internet to the internal interface of the ISA Server. If you are working with a routed network, you must make sure that the routing table on the ISA Server is properly configured before even setting up ISA Server. Remember that the ISA Server needs to know the path to all subnets on the internal network, and all the subnets need to know the path to the internal interface of the ISA Server. In order for the ISA Server to know the paths to the internal network IDs, you must configure the routing table on the ISA Server with the appropriate gateway address(es) for each of the internal network IDs.
You must configure the routing table, because you cannot configure a default gateway on the internal interface. Windows 2000 supports a single network adapter with a default gateway, and that adapter must be the external interface of the ISA Server. Some services may not work correctly using SecureNAT. You’ll see this if you plan on publishing certain Internet enabled multiplayer games. In this case, you’ll need to configure the server as a Firewall Client and then configure a wspcfg.ini file on that server. If that sounds too painful, you can place the game server on a DMZ segment and create packet filters to allow the required ports (typically ‘all open’ when dealing with a non-secure game server).

ISA Server Inbound Request Listener

The ISA Server listens for incoming web requests on what is called the inbound request listener. By default, the inbound web request listener uses port 80 on the external interface of the ISA Server. You can change this if you like, but then everyone that needs to connect to your web site will have to include the port number in their request. If you want to make your site easy to access, don’t change the default port number setting. Note that the requests accepted by the inbound request listener are intercepted by the Web Proxy Service. You will have to add the inbound listener for the IP address(es) that you want the ISA Server to listen on.
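A pre-publishing check of the SecureNAT and listener requirements described above (one default gateway on the external interface, a route on the ISA Server for every internal network ID, the published server's default gateway leading back to the ISA internal interface, and the inbound web request listener bound to the external address), as an added example in Python. This is not code from the article or from ISA Server; the addresses, interfaces and routing entries are constructed sample data, and the `route -p add` syntax it prints for a missing route is the Windows 2000 command, with the gateway left as a placeholder.

```python
"""Pre-publishing check for a SecureNAT published server behind ISA Server.

Added example, not code from the article or from ISA Server. The topology
below is constructed: ISA internal NIC 192.168.1.1/24, external NIC
203.0.113.10 (documentation range), a second internal subnet 192.168.2.0/24
reached through router 192.168.1.254 on the ISA segment."""

from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: str    # CIDR; "0.0.0.0/0" is the default route
    gateway: str
    interface: str  # which ISA interface the route leaves by: "internal" or "external"


@dataclass(frozen=True)
class PublishedServer:
    ip: str
    subnet: str           # network ID the server sits on, in CIDR form
    default_gateway: str


ISA_INTERNAL_IP = "192.168.1.1"
ISA_EXTERNAL_IP = "203.0.113.10"
INTERNAL_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24"]

# Routing table as it stands before the administrator adds the remote subnet.
ROUTES_MISSING_SUBNET = [
    Route("192.168.1.0/24", ISA_INTERNAL_IP, "internal"),  # directly connected
    Route("203.0.113.0/24", ISA_EXTERNAL_IP, "external"),  # directly connected
    Route("0.0.0.0/0", "203.0.113.1", "external"),         # the single default gateway
]
# Same table after: route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.254
ROUTES_COMPLETE = ROUTES_MISSING_SUBNET + [Route("192.168.2.0/24", "192.168.1.254", "internal")]

# Constructed web server on the remote subnet; its gateway is the local router.
WEB_SERVER = PublishedServer("192.168.2.10", "192.168.2.0/24", "192.168.2.1")


def lookup(dest: str, routes: list[Route]) -> Route | None:
    """Longest-prefix match, as the IP stack does when choosing a route."""
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.network)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def route_add_command(network: str) -> str:
    """Windows 2000 syntax for a persistent route; the gateway is a placeholder."""
    net = ipaddress.ip_network(network)
    return f"route -p add {net.network_address} mask {net.netmask} <internal-router-ip>"


def preflight(routes: list[Route], server: PublishedServer,
              listener_ips: list[str], listener_port: int = 80) -> list[str]:
    """Return the list of problems found; an empty list means ready to publish."""
    problems = []
    defaults = [r for r in routes if r.network == "0.0.0.0/0"]
    if len(defaults) != 1:
        problems.append(f"ISA Server must have exactly one default gateway, found {len(defaults)}")
    elif defaults[0].interface != "external":
        problems.append("the default gateway must be on the external interface")
    for network in INTERNAL_NETWORKS:
        probe = str(next(ipaddress.ip_network(network).hosts()))  # any host in that network ID
        r = lookup(probe, routes)
        if r is None or r.interface != "internal":
            problems.append(f"no internal route for {network}; {route_add_command(network)}")
    # SecureNAT client: Internet-bound packets must reach the ISA internal interface.
    server_net = ipaddress.ip_network(server.subnet)
    same_segment = ipaddress.ip_address(ISA_INTERNAL_IP) in server_net
    if same_segment and server.default_gateway != ISA_INTERNAL_IP:
        problems.append(f"{server.ip} is on the ISA internal segment; its default gateway must be {ISA_INTERNAL_IP}")
    if not same_segment and ipaddress.ip_address(server.default_gateway) not in server_net:
        problems.append(f"default gateway {server.default_gateway} of {server.ip} is not a router on {server.subnet}")
    if ISA_EXTERNAL_IP not in listener_ips:
        problems.append(f"inbound web request listener is not configured for external address {ISA_EXTERNAL_IP}")
    if listener_port != 80:
        problems.append(f"listener on port {listener_port}: external users must add :{listener_port} to the URL")
    return problems


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_MISSING_SUBNET), ("after", ROUTES_COMPLETE)):
        print(label, preflight(routes, WEB_SERVER, [ISA_EXTERNAL_IP]) or "ready to publish")
```

Run it and the "before" table reports the missing 192.168.2.0/24 route together with the command that adds it; once that route is present the check comes back clean.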
Conclusion

You can publish services located on your internal network using the publishing wizards included with ISA Server. This includes a special publishing wizard that is dedicated to publishing web sites on the internal network. The wizard makes it easy to publish these internal web sites. However, there is some footwork you need to take care of before actually publishing the site. In this article we covered some of the key preparatory elements that need to be completed before publishing your web site. In the second part of this two part series on web publishing, we’ll go over the actual steps you perform when publishing a web site, and examine some of the standard and non-standard procedures you can carry out to publish your site. See you then!