Publishing Multiple Web Roots with a Path Statement, Part 1

 

Publishing Multiple Web Roots with a Path Statement, Part 1


By Thomas W Shinder M.D.


I don’t think a day passes without someone posting on the newsgroups, web boards, mailing list, or mailing to me personally, a question about how to publish the root of multiple Web sites based on a path statement. This subject comes up because this was a feature available in Proxy 2.0, but has since disappeared with ISA Server. I meant to cover this issue in detail in our ISA Server and Beyond book, but we ran out of time and pages. This series of articles on how to publish a Web root based on a path statement should be printed and kept near your copy of ISA Server and Beyond as an official supplement.


Get the Book!


What do I mean by publishing a Web root via a path statement? Suppose you have the domain name mydomain.com. You want to publish three difference sites on the internal network. However, you want to use the same FQDN for all three sites and redirect the request to the root of each Web site based on the path listed after the FQDN.


For example, suppose you have:



  • www.mydomain.com/north
  • www.mydomain.com/south
  • www.mydomain.com/west

When users access www.mydomain.com/north, you want the request to be redirected by the ISA Server’s Web Proxy service to the root of a Web site on the internal network at http://192.168.1.1. When users request www.mydomain.com/south, you want the request to be redirected by the ISA Server’s Web Proxy service to the root of a Web site on the internal network at http://192.168.1.2. And when users request www.mydomain.com/west, you want the request to be redirected by the ISA Server’s Web Proxy service to the root of a Web site on the internal network at http://192.168.1.1.


I’ve read a great number of comments from ISAServer.org members that you could easily do this sort of thing with Proxy Server 2.0. Unfortunately, things aren’t quite as straightforward with ISA Server. The problem is that the ISA Server forwards the request to the same path included in the original request.


For example, when the user sends a request for www.mydomain.com/north, the ISA Server will forward the request to http://192.168.1.1/north. There’s no “built-in” way for the ISA Server Web Publishing Rules to redirect the request www.mydomain.com/north to http://192.168.1.1/


There are several ways you can get around this problem. In this article we’ll examine how you can use Web Publishing Rules and a different IP address for each Web site on the internal network. In future articles we’ll take a look at how you can user Server Publishing Rules and Host Headers at the Web site to deal with this problem.


===========================


The Web Publishing Scenario


===========================


In the scenario I’ll cover in this article, we want to publish three Web sites that are located on a single Web server on the internal network. This internal network Web server is running IIS 5.0, and I’ve created three Web sites that listen on different IP addresses. We want to publish the root of each of these sites based on the path contained in the external user’s request.


The URLs are:



  • http://www.internal.net/web10
  • http://www.internal.net/web11
  • http://www.internal.net/web12

When the Web Proxy service detects www.internal.net/web10 in the incoming request, we want it to forward the request to a site called Web10 at 10.0.0.10


When the Web Proxy service detects www.internal.net/web11 in the incoming request, we want it to forward the request to a site called Web10 at 10.0.0.11


When the Web Proxy service detects www.internal.net/web12 in the incoming request, we want it to forward the request to a site called Web10 at 10.0.0.12


The basic setup, along with other elements of our multiple site publishing solution, are shown in the figure below.



You need to perform the following procedures to get the root of all three sites published using a path statement:



  • Install ISA Server
  • Configure the Incoming Web Requests listener
  • Create the “primary” and “redirect” Destination Sets
  • Create the “primary” and “redirect” Web Publishing Rules
  • Create the Web sites on the Web Server
  • Create the DNS entries

  • Installing the ISA Server is covered in detail in the Configuring ISA Server 2000: Building Firewalls with Windows 2000, so we won’t go over installing ISA Server in this article. You can install ISA Server in Web caching, Firewall or Integrated modes, because all three of these modes allow you to create Web Publishing Rules. In part 1 of this article I’ll go over configuring the Incoming Web Requests listener, creating the Destination Sets and creating the Web Publishing Rules. I’ll cover creating and configuring the Web sites and the DNS entries in part 2.


    Get the New Book!


    ===========================


    Configuring the Incoming Web Requests Listener


    ===========================


    The Web Proxy service uses the Incoming Web Request listener to accept HTTP requests. These requests are then forwarded to the Web Proxy service, after which the Web Proxy services exposes them to Web Publishing Rules to determine how the incoming requests should be forwarded. There are no Incoming Web Requests listeners configured by default, so the first thing you need to do to make sure your Web Publishing Rules work is to create the listener.



    1. Open the ISA Management console, right click your server name and then click the Properties command.
    2. In the server Properties dialog box, click on the Incoming Web Requests tab.
    3. On the Incoming Web Request tab, you’ll see something like what appears in the figure below. Notice that there are no listeners configured. Make sure you select the Configure listeners individually per IP address option, and then click the Add button.



    1. In the Add/Edit Listeners dialog box, select your Server name, then select the IP Address on the external interface of the ISA Server that resolves to the FQDN you plan to use. For example, if www.mydomain.com resolves to 192.168.10.1 (the private network ID is being used for an example only; you will be using public addresses for your listeners), then you should select 192.168.10.1 in the IP Address list. The IP address used by the Incoming Web Requests listener must match the IP address used by your FQDN. You should also include a Display Name to help you identify the listener. In this example I’m using L1 to indicate that this is listener is using the IP address that has the value 1 in the Z octet of the IP address. Click OK.



    1. You’ll see the new listener in the Incoming Web Requests tab. Make sure TCP port 80 is being used and that YOU DISABLE THE IIS 5.0 WWW SERVICE ON THE ISA SERVER to prevent socket contention. Do not force authentication on the Incoming Web Requests listener. Leave the Ask unauthenticated users for identification checkbox UNCHECKED. Click Apply, then select the Save the change and restart the services option and click OK. Click OK in the server Properties dialog box.


    The Incoming Web Requests listener is now configured to listen on the IP address you selected on the external interface of the ISA Server. It is imperative that you disable the IIS 5.0 WWW service on the ISA Server. The only exception to this rule is if you are already an ISA Server expert and you know the complications introduced by running the Web server on the ISA Server itself, and you know how to deal with these issues based on your reading of Configuring ISA Server 2000: Building Firewalls with Windows 2000 and ISA Server and Beyond.


    Get the New Book!


    ===========================


    Create the Destination Sets


    ===========================


    In order to publish the root of all three sites using the same FQDN and a different path, you need to create six Destination Sets. Each Destination Set contains a single entry. These entries are:


    Primary Connections:


    www.internal.net/web10


    www.internal.net/web11


    www.internal.net/web12


     


    Redirects:


    www10.internal.net


    www.11.internal.net


    www.12.internal.net


    Why do you need to create six Destination Sets? Three of the Destination Sets are used for the “primary” connection and three of the Destination Sets are used for the redirected connection. The users will enter the URL into their browsers that creates the primary connection. After the user creates the primary connection (with the path), the Web server will return to the client a URL that the client should go to obtain the content.


    For example, when the user types www.internal.net/web10 into the browser, the request arrives at the Incoming Web Request listener and is passed by the Web Proxy service to the Web Publishing Rules. The Web Publishing Rule says to redirect the request to http://10.0.0.10/web10 on the internal network (actually, the rule says to pass the request to http://10.0.0.10, but the ISA Server always preserves the path when it performs the redirect).


    The Web server then sends to the client a redirect to http://www10.internal.net. The browser then automatically issues a request for www10.internal.net which arrives at the Incoming Web Requests listener and is passed by the Web Proxy service to the Web Publishing Rules. The Web Publishing Rule that uses the www10.internal.net in its Destination Set forwards the request to http://10.0.0.10



    Let’s go through the procedure on how to create the Destination Sets for the primary and redirect for the first Web site, Web10.



    1. Open the ISA Management console and expand your server name and then expand the Policy Elements node.
    2. Right click on the Destination Sets node, point to New and click on Set.
    3. Type in a name for the Destination Set in the New Destination Set dialog box. We’ll call this one Web10 – Primary to indicate that this Destination Set is to be used for the primary connection to Web10. Type in a Description too, so that you know exactly the purpose of the Destination Set. Click on the Add button.



    1. In the Add/Edit Destination dialog box, select the Destination option button and type in the FQDN users will use to access the site. In this example we’ll use the FQDN www.internal.net. Type in the path you want to use for the redirect to the root. Note the asterisk (*) at the end of the path, /web10*. This allows the rule that uses this Destination Set to accept requests that have /web10 and anything else after web10 in the URL. Click OK.



    1. Click OK in the New Destination Set dialog box.

    Now create the Destination Set for the redirect:



    1. Right click on the Destination Sets node, point to New and click on Set.
    2. Type in a name for the Destination Set in the New Destination Set dialog box. This is the Destination Set used for the redirect to Web10, so we’ll call it www10 – Redirect. Type in a Description too, so that you know exactly the purpose of the Destination Set. Click on the Add button.



    1. In the Add/Edit Destination dialog box, type in the FQDN you will use for the redirect. This is the FQDN that the Web site will return to the Web client after the primary connection is completed. It can be any FQDN you want, as long as you have an Incoming Web Request listener configured to listen on the IP address the FQDN resolves to. I find it easiest to just change the host name and leave the domain name the same. You don’t need to include a path statement, since you want to redirect to the root of the Web. The client will also have access the rest of the site too, since you don’t have a path statement limiting access to a particular directory on the site. Click OK.



    1. Click OK in the New Destination Set dialog box.

    Now that the Destination Sets are configured, we can use them in the Web Publishing Rules. We only went through the procedure for the first two Destination Sets required to publish the root of the first of our three sites. You need to repeat the procedure two more times to create the Destination Sets for the primary and redirect for the other two sites.


    ===========================


    Create the Web Publishing Rules


    ===========================


    Now you need to create six Web Publishing Rules – one Web Publishing Rule for each of the Destination Sets you created. There are actually three pairs of Web Publishing Rules. Each pair contains a rule that allows the primary and the redirect connection. Let’s go through the procedure for creating the Rule for the primary connection for the first Web site Web10.



    1. Open the ISA Management console, expand your server name and then expand the Publishing node.
    2. Right click on the Web Publishing Rules node, point to New and click Rule.
    3. On the Welcome to the New Web Publishing Rule Wizard page, type in the name of the rule. In this example, we’ll call it Web10 – Primary and click Next.



    1. On the Destination Sets page, select the Specified destination set option in the Apply this rule to drop down list box. In the Name drop down list box, select the name of the Destination Set you created for the Primary connection for your first Web site. In this example, the Destination Set Web10 – Primary is the set we want to use for the primary connection to Web10. Click Next.



    1. On the Client Type page, select the client type appropriate for your environment. In this example we’ll select Any request and click Next.
    2. On the Rule Action page, type in the name or IP address of the server on the internal network that you want to redirect the primary connection request to. Make sure you select the Redirect the request to this internal Web server (name or IP address) option and then type the name or IP address in the text box below that. Be careful about including a name; the ISA Server must be able to resolve that name you put in the text box to the IP address used by the site on the internal network. If it resolves to the IP address used by the Incoming Web Requests listener, you’ll end up with the Web Proxy loop. In this example, Web10 is listening on 10.0.0.10, so we’ll enter that into the text box. Click Next.



    1. Review your settings and click Finish on the Completing the New Web Publishing Rule Wizard page.

    The next step is to create the Web Publishing Rule for the redirect. Then create the Web Publishing Rules for the primary and redirect connections for the other two Web sites.


    Get the Book!


    ===========================


    Summary


    ===========================


    In this article we went over the initial procedures required to publish multiple Web sites using the same FQDN but redirected based on the path statement. We went over the concept of the primary and redirect connections, and then created the Incoming Web Requests listener, the Destination Sets, and the Web Publishing Rules. In part two of this article I’ll show you how to create and configure the Web sites and the Host (A) records required to make things work.


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=001383 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Scroll to Top