350 likes | 368 Views
Implementing ISA Server Publishing with Web and Server Publishing Rules to grant access to HTTP and HTTPS resources, configuring DNS, setting up Web Listeners, and managing path mapping and link translation for enhanced network security and functionality.
E N D
Introduction • What Are Web Publishing Rules? • ISA Server uses Web publishing rules to make Web sites on protected networks availableto users on other networks, such as the Internet. • A Web publishing rule is a firewallrule that specifies how ISA Server will route incoming requests to internal Webservers
Web publishing rules provide: • Access to Web servers running HTTP protocol • HTTP application-layer filtering • Path mapping • User authentication • Content caching • Support for publishing multiple Web sites using a single IP address • Link translation
What Are Server Publishing Rules • Web publishing and secure Web publishing rules can grant access only to Web serversusing HTTP or HTTPS. • To grant access to internal resources using any other protocol,you must configure server publishing rules • Server publishing rules provide: • Access to multiple protocols • Application-layer filtering for specified protocols • Support for encryption • IP address logging for the client computer
Considerations for Configuring DNS for Web and Server Publishing
Configuring Web Publishing Rules • Components of a Web Publishing Rule Configuration: • Web publishing rules map incoming HTTP or HTTPS requests to the appropriate Webservers located on a network protected by ISA Server. • Web publishing rules determinewhat incoming requests for HTTP objects will be accepted by ISA Server and howISA Server will respond to those requests.
How to Configure Web Listeners • Web listeners are used by Web and secure Web publishing rules. • A Web listener is anISA Server configuration object that defines how the ISA Server computer listens forHTTP requests and SSL requests. • The Web listener defines the network, IP address, andthe port number on which ISA Server listens for client connections.
How to Configure Web Listeners • If the ISA Server computerreceives a HTTP or HTTPS on a network adapter and no Web listener is configuredfor the IP address associated with the network adapter, ISA Server will discard allthe requests before applying Web server publishing rules.
How to Configure Web Listeners • Network:This option specifies the network on which ISA Server will listen forincoming Web requests • Port numbers:This option specifies the port number on which the Web listenerwill listen for incoming Web requests • Client authentication methods:This option specifies the supported authenticationmethods if you are going to require authentication on the Web listener • Client Connection Settings:This option specifies the number of concurrentclient connections and connection timeout values for the Web listener.
If you have multiple network adapters or multiple IP addresses
On the Port Specification page, select the protocol and port number used by theWeb listener
modify the Web listener settings by doubleclickingthe Web Listener object in the Toolbox
To configure the client connection options, click Advanced on the Preferences tab toget to the Advanced Settings dialog box
How Path Mapping Works • Path mapping can be used in several different scenarios • For example: • An organizationmay have a Web site:http://www.cohovineyard.com. • If the entire Web site is located on a single Web serveryoucan use path mapping to redirect client requests to different virtual directories on thatserver. • The URL http://www.cohovineyard.com/catalog can be redirected to a virtualdirectory named CurrentCatalog on the Web server • the URL http://www.cohovineyard.com/sales is redirected to the SalesData virtual directory
You can also use path mapping to redirect client requests to multiple internal Webservers. • For example: • when users request the URL http://www.cohovineyard.com/sales,they can be directed to the Sales virtual directory on one Web server. • When users request the URL http://www.cohovineyard.com/catalog, they are redirected to a Catalog virtual directory on another Web server
How to Configure Path Mapping • ISA Server Management ->Firewall Policy->Web publishing rule->Tasks->Edit Selected Rule.
How to Configure Link Translation • Path mapping allows you to redirect client requests from the ISA Server computer todifferent locations on one or more Web servers. • By using path mapping you can maska complex internal Web server configuration and present a simple Web site view to theInternet. • Link translation can provide the same end result, but is used in different situations. • Link translation is used when the Web pages published on ISA Server contain links to other Web servers on the protected network, and those Web servers are not accessible from the Internet
Link translation is an ISA Server configuration object that enables ISA Server to replaceinternal server names on Web pages with server names that are accessible from theInternet • Some published Web sites may include references to internal names of computersother than the server listed in the Web publishing rule
Link Translation Levels • Header link translation • Translation of links in the body of a returned Web page • EX:Web page on a server named Web1 is accessed through the URL www.cohovineyard.commay include a referenceto an image using http://Web1.cohovineyard.com/images/image1.jpg • Translation of links to other internal Web pages
How to Configure Link Translation • ISA Server Management->Firewall Policy->Web publishing rule->Link Translation
How to Configure Web Publishing Rules • ISA Server Management->Tasks->Publish A Web Server
Configuring Secure Web Publishing Rules • Secure Web publishing provides an additional layer of security when publishing aninternal Web site by enabling the option to use SSL to encrypt all network traffic to andfrom the Web site. • Secure Web publishing is critical when securing Web sites that containconfidential information, or when the Web site asks clients to submit confidentialinformation such as credit-card numbers
Components of a Secure Web Publishing Rule Configuration • What Is Secure Sockets Layer? • Secure Sockets Layer (SSL) is used to validate the identities of two computers involvedin a connection across a public network, and to ensure that the data sent between thetwo computers is encrypted. • To do this, SSL uses digital certificates and public and privatekeys.
What Is Secure Sockets Layer • SSL enables the following features: • Server authentication • Client authentication • Encrypted SSL connections
SSL Configuration Options • SSL tunneling: • the SSL connection is set up directly betweenthe client computer and the Web server • the ISA Server computerdoes not encrypt or decrypt the network packets but merely forwards encryptedpackets between the client and the Web server. • ISA Server cannot inspect the contentof the packets because the contents are encrypted as they pass through theISA Server computer.
SSL bridging: • the ISA Server computer acts as the end pointfor one or more SSL connections • The network packets can still be encrypted fromthe Web client to the Web server. • however, in an SSL bridging scenario, theISA Server computer will decrypt network traffic from the client computer andthen re-encrypt it before sending it to the Web server
Enabling SSL on ISA Server • If you plan to use SSL in an SSL tunneling configuration, you must install a digitalcertificate only on the Web server. The Web server and the client will use this certificateand the associated keys to create the SSL connection. • If you plan to use SSL in a SSL bridging configuration, you must install a digitalcertificate on the ISA Server computer, and possibly, on the Web server.To createan SSL connection with the client, the ISA Server computer must have a certificateinstalled. • If you require client certificates, you also need install digital certificates on eachclient computer.
How to Install Digital Certificates on ISA Server • How to Configure a New Secure Web Publishing Rule
Configuring Server Publishing Rules • Web publishing rules are used on ISA Server to enable access to HTTP and HTTPS contenton internal Web servers. • Server publishing rules are used to enable access to internalapplications that use other protocols. • Server publishing is a secure and flexible wayto publish the content or services provided by internal servers to the Internet
Components of a Server Publishing Rule Configuration • Server publishing rules are used on ISA Server to map a port number on an externalinterface of the ISA Server computer to the IP address of an internal server providinga specific service. • When ISA Server receives a request on the external IP address for aspecific port, it passes the request to the internal server defined on the serverpublishing rule
ISA Server performs the following steps: • 1.A client computer on the Internet needs to access an application server on a networkprotected by the ISA Server computer. the client computer will perform a DNS lookup to locate the IP address for the server that is providing the service • 2. ISA Server checks the destination port number and then uses the server publishing rule to map the request to an IP address of an internal server. • 3. The internal server returns the object to the ISA Server computer, which passes it on to the requesting client