Publishing A Web Site Using ISA Server Part 2
In the first part of this two part series, we took a look at some of the things you need to do before publishing your server. If you missed the first part, go and read it now by clicking here.
In that article, we covered the importance of taking care of the = following issues:
After these elements are configured, you are ready to publish your = Web Server.
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
Publishing a Web Server Located on the ISA Server
Publishing a web site located on the ISA Server entails some special problems you must address before you begin publishing. By default, IIS wants to use Port 80 to listen for inbound web requests. However, since the ISA Server's Web Proxy service uses Port 80 to Listen for inbound web requests, you cannot have both the ISA Server and the IIS WWW Service both listening on the same port.
To solve this problem, you should configure IIS to listen on the internal interface of the ISA Server. This prevents a conflict with the Web Proxy service's Inbound Web Requests Listener. However, if you are publishing Autoconfiguration information on the internal interface of the ISA Server, it will use Port 80 by default. You could change the Port number that ISA Server uses to listen for Autoconfiguration requests and try to make it work that way. However, from our experience with ISA Server, it does not seem to want to work on the internal interface's Port 80. This may be a problem related to the configurations we have worked with, but we have never been able to publish a web site on Port 80 of the internal interface, in spite of the documentation saying this is possible.
So, the first thing you should do is change the IP address and Listening Port number that IIS uses to listen for inbound web requests.
Readying IIS For Publishing
Now that IIS is ready, we can get to the job of Publishing our web site.
Creating a Web Publishing Rule
To create a Web Publishing Rule, we can take advantage of the Web Publishing Wizard. Perform the Following steps to publish your web site.
Now, when we type in the URL www.isa.tzo.com we see the following:
Note that I've changed the default page on the ISA Server that I published. This helps me know what web site and server I am accessing. Changing the default page to give server identification information is a good idea if you're working with a number of publishing rules and servers and you need to get a grip on "which is which". After everything is configured and working correctly, you can change the default page on your IIS web sites to reflect the actual content you want to present to the public or your partners.
Note that you can see the connection request in the ISA Management console, as seen below.
In this example, the domain name for the published server is isa.tzo.com. TZO allows you to dynamically register your domain name if you happen to be stuck with a connection that uses a dynamically assigned IP address. Each time your IP address changes, the TZO client software registers your new IP address with the TZO dynamic DNS server. This is quite helpful for those of you with DHCP assigned IP addresses on your external interface. Another cool thing about TZO is that they assign a wildcard entry for your host name. That means you can use www, mail, ftp, or nntp or any other host name you want, and it will resolve to the external IP address of your ISA Server. Note that if you wish to use the TZO service, you will have to create a packet filter to support the service on the ISA Server.
For more information about TZO and their dynamic DNS service, check out:
Publishing an Internal Server
In the previous example we went over the procedure for publishing a web server located on the ISA Server itself. This time, we'll publish an internal web server; that is, a web server located on our private network. Publishing an internal server is not quite a difficult, because you can use the default Port number of the internal server, if you wish. You can publish multiple sites on the internal web server by placing them on different ports, and then using a different destination set and web publishing rule for each one. Another option supported by ISA Server is to publish multiple sites using different host headers.
Perform the following steps to publish an internal web server:
Confirm that your Web Publishing Rule is configured correctly by typing the URL in the destination set for your server in your browser. You'll see success as we see below!
Publishing a web site using ISA Server is a simple process can be done using the Web Publishing Wizard. While the actual publishing of the site is easy, there are a lot of places that you can mess up if you haven't done the footwork in advance to prepare the site for publishing.
One thing that catches a lot of people is DNS configuration. Remember the Firewall Clients will use the DNS entry on the external interface on the ISA Server, but SecureNAT Clients use the DNS configuration on the SecureNAT client itself. The vast majority of the servers you publish should be configured as SecureNAT clients, so be sure to configure them with a DNS server that can resolve Internet names.
Another thing that often catches people is how destination sets are used in publishing rules. The reason is that we spend most of our time creating destination sets to control outbound access. However, when we configure destination sets to support web publishing, we have to look at it from the other way around. We have to look at the destination from the viewpoint of the person on the Internet making the inbound request. You must use the FQDN that external users will use to access your published web site.
In a future article, I'll cover some issues related to processing path statements, and we'll go through examples of how you publish sites that include path statements. Until then, happy publishing!