Contents
Overview 1
Configuring Server Publishing 20
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure access to selected internal resources.
After completing this module, students will be able to:
• Explain the concepts associated with server publishing.
• Configure Web publishing.
• Configure server publishing.
• Add an H.323 Gatekeeper.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the Microsoft® PowerPoint® file 2159A_07.ppt.
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Checklist: Publishing,” “How To Configure Publishing,” “Controlling Incoming Requests,” “Configuring Publishing,” “Using H.323 Gatekeeper,” “Web publishing scenarios,” “Exchange Server publishing Scenarios,” and “H.323 Gatekeeper deployment scenarios” in ISA Server Help.
• Read Module 2, “Installing and Maintaining ISA Server,” Module 3, “Enabling Secure Internet Access,” Module 4, “Configuring Caching,” and Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Read Module 14, “Designing a PKI for Business Partners,” in Course 2150, Designing a Secure Microsoft Windows 2000 Network.
• Read Module 5, “Configuring Network Security by Using Public Key Infrastructure,” in Course 2153, Implementing a Microsoft Windows 2000
Module Strategy
Use the following strategy to present this module:
• Introduction to Publishing. Explain that for Web server publishing to work properly, external clients must be able to resolve the name of a published server to the Internet Protocol (IP) address of an external network adapter on the Microsoft Internet Security and Acceleration (ISA) Server 2000 computer. Explain that a back-to-back perimeter network configuration allows you to control the traffic that enters the perimeter network separately from the traffic that enters the internal network. Use the slide graphic to describe the steps that you use to publish servers on a perimeter network. Explain that Web publishing rules allow you to specify which port the ISA Server computer uses to connect to the Web server.
• Configuring Web Publishing. Explain that unlike the destination sets that you configure for access policies, destination sets for publishing rules specify computers in your internal network to which external clients connect, such as the name or the IP address of your ISA Server computer. Explain the use of listeners and the procedure that you use to configure listeners for incoming requests. Mention that the authentication that you configure for the ISA Server computer is in addition to any authentication that the published Web server requires. Describe the use of Secure Sockets Layer (SSL) bridging and the associated procedures.
• Configuring Server Publishing. Explain that you can configure server publishing rules to allow client connections by using any protocol that you have configured as an incoming protocol definition. Run the Mail Server Security Wizard to demonstrate the procedure that you use to publish a mail server. Explain the content filtering option. Describe the flow of a message during the content filtering process. Mention that more information about configuring the Simple Mail Transfer Protocol (SMTP) filter is available in the \support\docs\smtpfilter.htm file on the ISA Server compact disc.
• Adding an H.323 Gatekeeper. Use the animated slide to explain how the H.323 Gatekeeper service works. Explain that you can use an H.323 Gatekeeper to establish incoming connections with both SecureNAT clients and Firewall clients, but you do not have to create a gatekeeper to enable outgoing connections.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.
To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.
Lab Results
Performing the lab in this module introduces the following configuration changes:
• ISA Server is configured with a listener for outgoing Web requests.
• Web publishing rules for internal Web servers are created.
• The ISA Server computer is published as a Network News Transfer Protocol (NNTP) server.
• The ISA Server client computer is published as an SMTP and Internet Message Access Protocol (IMAP) server.
Overview
Microsoft® Internet Security and Acceleration (ISA) Server 2000 enables you to publish services to the Internet without compromising the security of your internal network. You can use ISA Server to publish internal servers to make Web content and e-mail services available to external clients. You publish servers by configuring server publishing rules to redirect requests from external clients to a server on your internal network. By publishing servers and routing requests from Internet clients to an ISA Server computer, you provide an increased layer of security for your internal servers. You can also use ISA Server to route incoming multimedia conferencing sessions by adding an H.323 Gatekeeper.
After completing this module, you will be able to:
• Explain the concepts associated with server publishing.
• Configure Web publishing.
• Configure server publishing.
Lead-in: In this module, you will learn about configuring access to internal resources for remote clients.
Introduction to Publishing
Publishing servers enables you to provide access to selected resources in a secure manner. To publish a server, you must create a publishing policy. Publishing policies define rules for controlling how ISA Server processes incoming requests. You can create publishing policies for Web servers, mail servers, and other types of servers.
Topic Objective: To identify the topics related to publishing servers.
Lead-in: Publishing servers enables you to provide access to selected resources in a secure manner.
Publishing Overview
[Slide graphic: ISA Server between the internal network and the Internet; addresses shown on the slide: 192.168.9.1 and 131.107.3.1]
Publishing a server makes the server on an internal network available to users that gain access to the network through the Internet. You use Web publishing to publish a Web server and server publishing to publish any other type of server that uses Transmission Control Protocol/Internet Protocol (TCP/IP).
When you publish a Web server or other server, users connect to the external network adapter of the ISA Server computer. The ISA Server computer uses the internal network adapter to forward the request to the published server on the internal network. Depending on how you configure the local address table (LAT) on the ISA Server computer, an internal server can be on a perimeter network or on a corporate network.
Publishing Web Servers
You can publish a Web server to allow external users on the Internet to communicate with an internal Web server or a Web server on the perimeter network through an ISA Server computer. When an external user requests an object from the Web server, the user actually receives the object from the ISA Server computer. The ISA Server computer ensures that external users do not reach the internal network directly.
In addition, the Internet Protocol (IP) address of the Web server is not exposed to external users. Instead, external users communicate with the Web server by specifying an external IP address of the ISA Server computer. The ISA Server computer then re-issues the request through its internal network interface. When the ISA Server computer receives a reply from the internal Web server, it changes the packet header and sends the reply to the external user from the ISA Server computer’s external network interface. Because this process is similar to the process that ISA Server uses to process requests from internal clients, Web publishing is sometimes referred to as reverse proxy. Web server publishing supports the Hypertext Transfer Protocol (HTTP), Hypertext Transfer Secure (HTTP-S), and File Transfer Protocol (FTP) protocols.
Lead-in: Publishing a server makes the server on an internal network available to users that gain access to the network through the Internet.
Delivery Tip: Explain the use of reverse proxy.
For Web server publishing to work properly, external clients must be able to resolve the name of a published server to the external IP address on the ISA Server computer. For example, if the external IP address of the ISA Server computer is 131.107.3.1 and the Domain Name System (DNS) name of the published server is www.nwtraders.msft, the DNS on the Internet must resolve the DNS name www.nwtraders.msft to 131.107.3.1.
Because ISA Server uses the Microsoft Web Proxy service when publishing a Web server, ISA Server can cache Web objects for clients on the Internet. Caching in this manner is called reverse caching. Reverse caching improves the performance for external clients because ISA Server can retrieve Web objects from its cache instead of from the Web server on the internal network or the perimeter network.
For more information about Web caching and configuring caching, see Module 4, “Configuring Caching,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Publishing Other Servers
You can also publish a server that is not a Web server. You can publish any type of server that uses TCP/IP. For example, you can make an internal mail server available to external clients by publishing it. Unlike Web publishing, server publishing does not provide for reverse caching.
In addition, by publishing a server, external users are not able to see the structure of the internal network. Because IP addresses on the internal network are not visible to external users, publishing a server by using ISA Server is also referred to as secure publishing.
Key Point: For Web server publishing to work properly, external clients must be able to resolve the name of a published server to the IP address of an external network adapter on the ISA Server computer.
Publishing Servers on a Back-to-Back Perimeter Network
[Slide graphic: Internet, ISA Server, Perimeter Network (Web Server), ISA Server, Internal Network (SQL Server); the LAT of the Internet-facing ISA Server computer is labeled LAT Perimeter Network and the LAT of the other ISA Server computer is labeled LAT Internal Network]
If your network has a back-to-back perimeter network configuration, you can use ISA Server to publish servers that are on your perimeter network to the Internet. You can also publish internal servers to the perimeter network. Using a back-to-back perimeter network configuration enables you to control the traffic that enters the perimeter network separately from the traffic that enters the internal network. By controlling this traffic separately, you do not have any direct connections from the Internet to your internal network.
To publish servers on a perimeter network:
• On the ISA Server computer that is connected to the Internet, ensure that the LAT contains the IP addresses of the computers on the perimeter network and the IP address of the ISA Server computer that is connected to the internal network.
• Create publishing rules on the ISA Server computer that is connected to the Internet to make selected servers on the perimeter network, such as a mail server or a published Web server, available to external clients.
• In the LAT of the ISA Server computer that is connected to the internal network, include only the IP addresses of the computers on the internal network.
• Create publishing rules on the ISA Server computer that is connected to the internal network to make servers on the internal network available to selected servers on the perimeter network. For example, create a publishing rule to make a Microsoft SQL Server™ database that contains inventory data available to a published Web server on your perimeter network.
Topic Objective: To describe the procedure that you use to publish servers on a back-to-back perimeter network.
Lead-in: If your network has a back-to-back perimeter network configuration, you can use ISA Server to publish servers on your perimeter network.
Key Point: A back-to-back perimeter network configuration enables you to control the traffic that enters the perimeter network separately from the traffic that enters the internal network.
Delivery Tip: Use the slide graphic to describe the steps that you use to publish servers on a perimeter network.
Note: For more information about the LAT, see Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000. For more information about perimeter networks, see Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Guidelines for Using Publishing and Routing
Publishing servers can achieve results similar to configuring ISA Server to perform routing and packet filtering. However, unlike routing, which routes Web requests directly to a server, ISA Server intercepts all of the requests of a published server.
You always use routing to send IP packets between two IP addresses that ISA Server treats as internal or between two IP addresses that ISA Server treats as external. You use publishing to enable ISA Server to send packets between an external network and an internal network.
Use the following guidelines to determine when to use server publishing and when to use routing and packet filtering.
If your network | Use
Does not have a perimeter network | Server publishing
Has a back-to-back perimeter network configuration | Server publishing on both ISA Server computers
Has a three-homed perimeter network configuration | Routing and packet filtering between the Internet and the perimeter network, and server publishing between the internal network and the perimeter network
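The LAT steps for a back-to-back perimeter network and the routing-versus-publishing rule above both reduce to one question: is each address inside or outside the LAT of the ISA Server computer that sees the packet? The following is an added example, not ISA Server code or course material: it models each ISA Server computer by its LAT, derives from the LAT alone whether a flow is routed, published, or handled as an outgoing request, and checks the two LATs against the steps above. The IsaServer class, check_back_to_back, the network ranges (192.168.9.0/24 for the perimeter network, 10.0.0.0/8 for the internal network) and all host addresses are constructed for the example.

```python
import ipaddress

# Added example (not course or product code). Names, ranges and hosts below are constructed.


class IsaServer:
    """An ISA Server computer identified by its name and its LAT (a list of networks)."""

    def __init__(self, name, lat):
        self.name = name
        self.lat = [ipaddress.ip_network(n, strict=False) for n in lat]

    def is_internal(self, ip):
        """ISA Server treats an address as internal exactly when the LAT contains it."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.lat)

    def path_for(self, src, dst):
        """How this computer must carry traffic from src to dst.

        'routing'    both addresses on the same side of the LAT (internal-internal or external-external)
        'publishing' external source to internal destination, which needs a publishing rule
        'outgoing'   internal client to external host, which is access policy rather than publishing
        """
        src_int, dst_int = self.is_internal(src), self.is_internal(dst)
        if src_int == dst_int:
            return "routing"
        return "publishing" if dst_int else "outgoing"


def check_back_to_back(outer, inner, inner_perimeter_ip, perimeter_hosts, internal_hosts):
    """Return findings where the two LATs depart from the perimeter-network steps."""
    findings = []
    # Internet-facing ISA Server: LAT holds the perimeter hosts and the inner ISA Server's address.
    for host in perimeter_hosts:
        if not outer.is_internal(host):
            findings.append(f"{outer.name}: perimeter host {host} is missing from the LAT")
    if not outer.is_internal(inner_perimeter_ip):
        findings.append(f"{outer.name}: inner ISA Server address {inner_perimeter_ip} is missing from the LAT")
    # Internal ISA Server: LAT holds only the internal network, never perimeter addresses.
    for host in internal_hosts:
        if not inner.is_internal(host):
            findings.append(f"{inner.name}: internal host {host} is missing from the LAT")
    for host in perimeter_hosts:
        if inner.is_internal(host):
            findings.append(f"{inner.name}: perimeter host {host} must not be in the LAT")
    return findings


# Constructed topology: perimeter network 192.168.9.0/24, internal network 10.0.0.0/8.
PERIMETER_WEB = "192.168.9.10"           # published Web server on the perimeter network
INNER_ISA_PERIMETER_IP = "192.168.9.2"   # perimeter-side adapter of the internal ISA Server
INTERNAL_SQL = "10.0.0.5"                # SQL Server with inventory data on the internal network
INTERNET_CLIENT = "198.51.100.7"         # documentation-range address standing in for an Internet client

OUTER = IsaServer("ISA-Internet", ["192.168.9.0/24"])
INNER = IsaServer("ISA-Internal", ["10.0.0.0/8"])
INNER_BAD = IsaServer("ISA-Internal-misconfigured", ["10.0.0.0/8", "192.168.9.0/24"])


def demo():
    """Decisions for the flows on the slide, plus a LAT check of a good and a bad configuration."""
    hosts = (INNER_ISA_PERIMETER_IP, [PERIMETER_WEB], [INTERNAL_SQL])
    return {
        "internet_to_web": OUTER.path_for(INTERNET_CLIENT, PERIMETER_WEB),
        "web_to_sql": INNER.path_for(PERIMETER_WEB, INTERNAL_SQL),
        "perimeter_to_perimeter": OUTER.path_for(PERIMETER_WEB, INNER_ISA_PERIMETER_IP),
        "sql_to_web": INNER.path_for(INTERNAL_SQL, PERIMETER_WEB),
        "good_config": check_back_to_back(OUTER, INNER, *hosts),
        "bad_config": check_back_to_back(OUTER, INNER_BAD, *hosts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The misconfigured inner LAT illustrates why the third step matters: once the perimeter network is in the internal ISA Server's LAT, a perimeter Web server reaching the SQL Server is treated as internal-to-internal traffic and routed, so no publishing rule is ever applied to it.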
Topic Objective: To describe guidelines for using publishing and routing.
Lead-in: Publishing servers can achieve results similar to enabling routing and packet filtering.
Key Point: Publishing a server enables you to apply rules to enforce strict policies on the incoming traffic.
Publishing Rules Overview
To publish servers, you must configure a publishing policy. Publishing policies can consist of Web publishing rules and server publishing rules.
Web Publishing Rules
Web publishing rules determine how ISA Server should redirect incoming requests for an internal Web server that use the HTTP, HTTP-S, or FTP protocols. When using Web publishing rules, you can also specify which port the ISA Server computer uses to connect to the Web server. This port can be different from the port that the client uses to connect to the ISA Server computer.
Server Publishing Rules
Server publishing rules determine how ISA Server should process incoming requests for internal servers that use protocols other than HTTP, HTTP-S, or FTP, such as protocols used by database servers or mail servers.
Publishing a Server
When you publish a server, ISA Server forwards requests to an internal server located behind the ISA Server computer. As with Web publishing rules, server publishing rules determine which requests the ISA Server computer forwards and which requests it discards. Unlike Web publishing rules, server publishing rules do not allow you to change the port that the ISA Server computer uses to connect to the published server.
Topic Objective: To identify the topics related to publishing rules.
Lead-in: To publish servers, you must configure a publishing policy.
Key Point: When using Web publishing rules, you can specify which port the ISA Server computer uses to connect to the Web server.
Key Point: Server publishing rules do not allow you to change the port that the ISA Server computer uses to connect to the published server.
Publishing a Mail Server
ISA Server includes the Mail Server Security Wizard that you can use to publish a mail server. When you complete the Mail Server Security Wizard, ISA Server creates rules that allow incoming or outgoing mail traffic that uses one or more of the most common mail protocols. When using the Mail Server Security Wizard, it is not necessary to know the details of each mail protocol. ISA Server creates the required rules based on the service that you select in the wizard.
Publishing a server also enables you to apply rules to enforce strict policies on the incoming traffic. For example, you can specify a publishing rule that allows traffic from only a mail server in the perimeter network to be forwarded to your internal mail server.
Rules Available for Each Mode
The following table lists the publishing policy rules that are available for each ISA Server installation mode.
Configuring Web Publishing
In addition to enabling secure access to the Internet for internal clients, ISA Server can provide secure access to internal servers for external clients. To make internal servers available to external clients, you create a publishing policy to securely publish your internal servers. The publishing policy consists of Web publishing rules or server publishing rules that determine how the internal servers are published. In addition, you can require authentication for your network and specify Secure Sockets Layer (SSL) encryption when redirecting incoming requests to ensure secure communication.
Lead-in: ISA Server can make internal servers accessible to external clients.
Publishing a Web Server
You can publish Web servers to make internal Web sites accessible to users on the Internet. To publish a Web server, you must first create a Web publishing rule. By creating a Web publishing rule, you configure the ISA Server computer to redirect incoming requests to a Web server on the internal network.
Using Destination Sets
Unlike the destination sets that you configure for access policies, destination sets for publishing rules specify computers in your internal network that external clients connect to, such as the name or the IP address of your ISA Server computer. You can create a specified destination set to use in Web publishing rules for redirecting requests for sections of a Web site to different internal servers.
For example, you can create a destination set for www.nwtraders.msft/europe. You would use this destination set in a Web publishing rule to redirect requests for this section of the Web site to an internal server named europe.internal.nwtraders.msft. You can then create another destination set for www.nwtraders.msft/africa. You would use this destination set in a Web publishing rule to redirect requests for this section of the Web site to an internal server named africa.internal.nwtraders.msft.
When using a destination set that contains a path after the computer name, the Web server must contain the same path. For example, if a client requests www.nwtraders.msft/africa/default.htm, the internal server africa.internal.nwtraders.msft must contain the path and file /africa/default.htm.
Note: For more information about how to configure destination sets, see Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Topic Objective: To describe the key steps that you perform to create Web publishing rules.
Lead-in: You can publish Web servers to make internal Web sites accessible to users on the Internet.
Key Point: Unlike the destination sets that you configure for access policies, destination sets for publishing rules specify computers in your internal network that external clients connect to, such as the name or the IP address of your ISA Server computer.
Creating a New Web Publishing Rule
To create a new Web publishing rule:
• In ISA Management, in the console tree, expand your server or array, expand Publishing, click Web Publishing Rules, and then in the details pane, click Create a Web Publishing Rule.
• In the New Web Publishing Rule Wizard, type a name for the rule, and then click Next.
• On the Destination Sets page, specify a destination set and the associated information, and then click Next.
• On the Client Type page, specify a client type, and then click Next.
Note: Unlike the rules that you configure for access policies, client sets for publishing rules typically specify locations outside the internal network, such as the IP addresses for a business partner. For more information about how to configure client sets, see Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• On the Rule Action page, click Discard the request to ignore requests that match the rule conditions, or click Redirect the request to this internal Web server, type the name of the published Web server, and then click Next.
Note: If your internal Web server hosts multiple Web sites, you may have to configure how ISA Server handles host headers. For more information about how to configure ISA Server for advanced Web publishing scenarios, see the \support\docs\copublish.htm file on the ISA Server compact disc.
• On the Completing the New Web Publishing Rule Wizard page, review your choices, and then click Finish.
Changing the Rule Order
ISA Server processes Web publishing rules in the order in which they are listed in the Web Publishing Rules folder and processes the first rule that applies to a request. After a match occurs, no further processing is done for that request.
To change the rule order, click a rule, and then on the toolbar, click the Move Up button or the Move Down button.
ISA Server always contains the default rule, which discards all incoming requests. Because ISA Server always processes the default rule last, ISA Server applies this rule to all incoming requests that are not covered by another Web publishing rule. You cannot modify, delete, or change the order of the default rule.
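The behaviour described in this and the preceding topic (destination sets with a path after the computer name, client sets, discard or redirect actions, a per-rule port for the connection to the published server, first-match processing, and the unmodifiable default rule that discards everything else) can be shown end to end in a small rule evaluator. The following is an added example written for this page, not ISA Server code or course material. The DestinationSet and Rule classes, evaluate(), the prefix-matching semantics for the path, and the sample rule set are constructed; www.nwtraders.msft, europe.internal.nwtraders.msft and africa.internal.nwtraders.msft come from the course text, while partners.nwtraders.msft, partner.internal.nwtraders.msft, port 8080 and the client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Added example (not course or product code): a model of Web publishing rule evaluation.


@dataclass(frozen=True)
class DestinationSet:
    host: Optional[str]   # name or IP the external client connects to; None matches any destination
    path: str = ""        # optional path after the computer name, e.g. "/africa"

    def matches(self, host: str, path: str) -> bool:
        if self.host is not None and host.lower() != self.host.lower():
            return False
        if not self.path:
            return True
        prefix = self.path.rstrip("/")
        # Constructed semantics: the requested path must start with the destination set's path segment.
        return path == prefix or path.startswith(prefix + "/")


@dataclass(frozen=True)
class Rule:
    name: str
    destination: DestinationSet
    action: str                        # "discard" or "redirect"
    server: str = ""                   # published Web server (name or IP) when redirecting
    clients: Optional[tuple] = None    # client set as networks; None means any request
    ports: tuple = (("http", 80), ("https", 443), ("ftp", 21))  # port ISA uses towards the server

    def applies_to(self, client_ip: str) -> bool:
        if self.clients is None:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(net) for net in self.clients)

    def port_for(self, scheme: str) -> int:
        return dict(self.ports)[scheme]


# The default rule is always processed last and cannot be modified, deleted, or reordered.
DEFAULT_RULE = Rule("Default rule", DestinationSet(None), "discard")


def evaluate(rules: List[Rule], client_ip: str, url: str) -> dict:
    """First matching rule wins; the default rule discards whatever no other rule covered."""
    parts = urlsplit(url)
    scheme, host, path = parts.scheme.lower(), parts.hostname or "", parts.path or "/"
    for rule in list(rules) + [DEFAULT_RULE]:
        if not (rule.destination.matches(host, path) and rule.applies_to(client_ip)):
            continue
        if rule.action == "discard":
            return {"rule": rule.name, "action": "discard"}
        # ISA re-issues the request to the published server with the same path,
        # which is why the server must contain that path.
        return {"rule": rule.name, "action": "redirect", "server": rule.server,
                "port": rule.port_for(scheme), "path": path}
    raise AssertionError("unreachable: the default rule matches every request")


# Constructed rule set, in the order it would appear in the Web Publishing Rules folder.
RULES = [
    Rule("Block Africa private", DestinationSet("www.nwtraders.msft", "/africa/private"), "discard"),
    Rule("Europe", DestinationSet("www.nwtraders.msft", "/europe"), "redirect",
         server="europe.internal.nwtraders.msft"),
    Rule("Africa", DestinationSet("www.nwtraders.msft", "/africa"), "redirect",
         server="africa.internal.nwtraders.msft"),
    # One business partner's network only, and the internal server listens on 8080.
    Rule("Partners", DestinationSet("partners.nwtraders.msft"), "redirect",
         server="partner.internal.nwtraders.msft", clients=("203.0.113.0/24",),
         ports=(("http", 8080), ("https", 443), ("ftp", 21))),
]


def demo():
    anon, partner = "198.51.100.7", "203.0.113.9"   # constructed external client addresses
    private = "http://www.nwtraders.msft/africa/private/x.htm"
    return {
        "africa_page": evaluate(RULES, anon, "http://www.nwtraders.msft/africa/default.htm"),
        "africa_private": evaluate(RULES, anon, private),
        "reordered_private": evaluate(RULES[1:] + RULES[:1], anon, private),  # discard rule moved down
        "unpublished_path": evaluate(RULES, anon, "http://www.nwtraders.msft/asia/"),
        "partner_ok": evaluate(RULES, partner, "http://partners.nwtraders.msft/"),
        "partner_denied": evaluate(RULES, anon, "http://partners.nwtraders.msft/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reordered_private case is the rule-order point made above: with the discard rule moved below the Africa rule, the request for /africa/private is redirected instead of discarded, because the first rule that matches ends processing.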
Delivery Tip: Explain that the procedure for redirecting Web requests will be presented later in this module.
Configuring Listeners for Incoming Web Requests
[Screenshot: server Properties dialog box, Incoming Web Requests tab, with the options Use the same listener configuration for all internal IP addresses and Configure listeners individually per IP address, a listener list (Server, IP Address, Display Name, Authentication, Server Certificate) showing PHOENIX, <All internal>, Integrated, an SSL port of 443, and the Add/Edit Listeners dialog box with Use a server certificate to authenticate to web clients and the authentication methods Basic with this domain, Digest with this domain, Integrated, and Client certificate (secure channel only)]
Before ISA Server responds to HTTP requests and SSL connection requests on the external interface of an ISA Server computer, you must configure at least one listener that determines how ISA Server responds to these requests. A listener is an ISA Server configuration that defines how the ISA Server computer listens for incoming or outgoing HTTP requests and SSL requests.
Unless you configure listeners for incoming requests, ISA Server discards all of the incoming Web requests before applying Web server publishing rules. You can configure the same listener configuration for all IP addresses, or you can configure separate listener configurations for different IP addresses.
You can also require authentication for users that gain access to the ISA Server computer by using a listener. The authentication that you configure for the ISA Server computer is in addition to any authentication that the published Web server requires. ISA Server applies rules based on ISA Server authentication. These rules determine whether and how a request is passed on to the Web server. The authentication method that you configure for the Web server determines whether a user is allowed to gain access to content on the Web server.
Note: The procedure for configuring authentication for incoming requests is analogous to the procedure for configuring authentication for outgoing requests. For more information about configuring authentication, see Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Topic Objective: To describe the use of listeners for incoming Web requests.
Lead-in: Before ISA Server responds to HTTP requests and SSL connection requests on the external interface of an ISA Server computer, you must configure at least one listener that determines how the ISA Server computer responds to these requests.
Delivery Tip: Explain the use of listeners.
Key Points: Unless you configure listeners for incoming requests, ISA Server discards all of the incoming Web requests before applying Web server publishing rules. The authentication that you configure for the ISA Server computer is in addition to any authentication that the published Web server requires.
To configure listeners:
• In ISA Management, in the console tree, right-click your server or array, and then click Properties.
• In the Properties dialog box for your server or array, on the Incoming Web Requests tab, perform one of the following actions:
  To use the same configuration for all IP addresses: click Use the same listener configuration for all IP addresses, and then click Edit.
  To use individual listeners for each IP address: click Configure listeners individually per IP address, and then click Add. In the Add/Edit Listeners dialog box, select an ISA Server computer, and then select the IP address of that computer.
• In the Display Name box, type a display name for the listener.
Note: Perform the following step only if you use user or group restrictions in your Web publishing rules.
• Under Authentication, select one or more of the check boxes for your designated authentication methods, and then click OK.
• In the TCP port box, type the port number on which ISA Server will listen for Web requests. The default port is Transmission Control Protocol (TCP) port 80.
• To require authentication for gaining access to ISA Server by using a listener, select the Ask unauthenticated users for identification check box, and then click OK.
Tip: Requiring authentication is impractical when you publish a Web server to make that Web server publicly available. Most often, a better option is to configure the appropriate authentication on the Web server. Use authentication only when publishing Web servers with limited availability, such as a Web server that is available to only selected business partners.
Redirecting Requests to Other Ports
[Slide: Web publishing rule Properties dialog box (Destinations, Action, Applies To tabs), Action tab: Discard the request; type the IP address or DNS name of the published server; define the ports this rule redirects to]
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Web publishing rules specify which server should return a requested object to a client. By default, ISA Server redirects HTTP requests and SSL requests to the default ports for these services on an internal server. If an internal server uses a non-standard port for HTTP, SSL, or FTP requests, you can redirect incoming Web requests to a published server on your internal network.
Note: Some Web servers use non-standard ports to allow a single computer to run multiple Web sites.
To redirect incoming Web requests to a published server:
• In ISA Management, in the console tree, click Web Publishing Rules.
• In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
• In the Properties dialog box for the Web publishing rule, on the Action tab, click Redirect the request to this internal Web server (name or IP address), type the IP address or the DNS name, perform the following actions, and then click OK.
Topic Objective: To describe the procedure that you use to redirect requests to other ports.
Lead-in: Web publishing rules specify which server should return a requested object to a client.
Key Point: You can redirect incoming Web requests from the ISA Server computer to a published server on your internal network.
Establishing Secure Communication
[Slide: Add/Edit Listeners dialog box: Use a server certificate to authenticate to web clients (Select…); Authentication: Basic with this domain (Select domain…), Digest with this domain (Select domain…), Integrated, Client certificate (secure channel only)]
When you redirect incoming Web requests, you must ensure that all network traffic is secured appropriately. For example, when clients attempt to establish a secure session with a published Web server, you must configure ISA Server to establish this secure connection across the Internet on behalf of the Web server.
When ISA Server receives an SSL request from a client for an object on a published server, ISA Server establishes a separate SSL channel with the published server. This type of redirection is called SSL bridging. SSL bridging ensures that both parts of the connection, the session between the client and the ISA Server computer and the session between ISA Server and the internal Web server, are encrypted.
SSL Overview
The SSL protocol enables secure data communication over networks by using encryption and decryption. Many Web sites use the SSL protocol to obtain confidential data from users, such as credit card information. Web pages that use an SSL connection begin with https instead of http. By default, Web servers receive SSL packets on TCP port 443.
SSL uses server certificates to encrypt traffic between the client and the server. Clients can also use a server's certificate to authenticate the identity of the server before sending confidential information.
Note: For more information about Public Key Infrastructure (PKI), including how to use and install certificates in Microsoft Windows® 2000, see Module 14, "Designing a PKI for Business Partners," in Course 2150, Designing a Secure Microsoft Windows 2000 Network, and Module 5, "Configuring Network Security by Using Public Key Infrastructure," in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
Topic Objective: To describe the procedure that you use to publish secure Web sites.
Lead-in: When you redirect incoming Web requests, you can also set the protocol that the ISA Server computer uses to send requests to the published Web server.
Key Point: SSL bridging ensures that both parts of the connection, the session between the client and the ISA Server computer and the session between ISA Server and the internal Web server, are encrypted.
Publishing Secure Web Sites
When you publish a server that uses the SSL protocol to encrypt client requests to the server, clients connect to the ISA Server computer on port 443. To enable the ISA Server computer to respond to this request, you must configure the ISA Server computer to listen on port 443. You must also configure the ISA Server computer to use a server certificate to impersonate the published server.
To configure the ISA Server computer to listen for incoming SSL requests:
• In ISA Management, in the console tree, right-click your server or array, and then click Properties.
• In the Properties dialog box for the server or array, on the Incoming Web Requests tab, ensure that the Enable SSL listeners check box is selected and that the SSL port number matches the port number that external clients use to connect to the ISA Server computer. By default, this port is port 443.
• Select the appropriate listener, and then click Edit.
• In the Add/Edit Listeners dialog box, select the Use a server certificate to authenticate to web clients check box, and then click Select.
• In the Select Certificate dialog box, select the certificate that was issued for the published Web site, and then click OK three times.
Important: Before you can select a certificate, the certificate must have been issued for the Web site, and you must have installed this certificate on the ISA Server computer by using the Certificates Microsoft Management Console (MMC) snap-in.
[Slide: Web publishing rule Properties dialog box (General, Destinations, Action, Bridging, Applies To tabs), Bridging tab: Redirect SSL requests as: HTTP requests (terminate the secure channel at the proxy), SSL requests (establish a secure channel to the site), FTP requests; Require secure channel (SSL) for published site; Require 128-bit encryption; Use a certificate to authenticate to the SSL Web server (Select…). Callouts: Select to authenticate the ISA Server by using a certificate; Select to redirect SSL requests as HTTP requests]
After the ISA Server computer has received a Web request, it provides one endpoint of the SSL connection. ISA Server then establishes a separate connection to the published Web server. By default, ISA Server uses SSL for this connection.
Note: If you are not concerned about the security of the communications channel between ISA Server and the internal Web server, or if the internal Web server does not support SSL, you can change the communication protocol that ISA Server uses to connect to the Web server.
To configure SSL bridging:
• In ISA Management, in the console tree, expand your server or array, and then click Web Publishing Rules.
• In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
• On the Bridging tab, under Redirect SSL requests as, select whether to redirect SSL requests as HTTP, SSL, or FTP requests.
• If you redirect by using SSL and the published Web server is configured to require certificates for authenticating client requests, select the Use a certificate to authenticate to the SSL Web server check box, click Select, select the client certificate, and then click OK.
Topic Objective: To describe the procedure that you use to configure SSL bridging.
Lead-in: After the ISA Server computer has received a Web request, it provides one endpoint of the SSL connection.
Requiring a Secure Channel
[Slide: PartnerWeb Properties dialog box (General, Destinations, Action, Bridging, Applies To tabs), Bridging tab: Redirect HTTP requests as: HTTP requests, SSL requests (establish a secure channel to the site), FTP requests; Redirect SSL requests as: HTTP requests (terminate the secure channel at the proxy), SSL requests (establish a secure channel to the site), FTP requests; Require secure channel (SSL) for published site; Require 128-bit encryption; Use a certificate to authenticate to the SSL Web server (Select…); OK, Cancel. Callouts: Select to require a secure channel for Web requests; Select for a higher level of security]
For increased security, you can configure ISA Server to require a secure SSL channel for all Web requests for the published Web server. When you select this option, the Web publishing rule allows only connections that clients make to the port that you configured for SSL connections and denies connection requests that clients make to the TCP port.
To require a secure channel:
• In ISA Management, in the console tree, expand your server or array, and then click Web Publishing Rules.
• In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
• On the Bridging tab, select the Require secure channel (SSL) for published site check box.
• For high security sites or to ensure a higher level of encryption, select the Require 128-bit encryption check box, and then click OK.
Important: 128-bit encryption requires you to install the Microsoft Windows 2000 High Encryption Pack on the ISA Server computer. You can download the Windows 2000 High Encryption Pack at http://windowsupdate.microsoft.com.
Topic Objective: To describe the procedure that you use to configure a secure channel.
Lead-in: You can configure ISA Server to require a secure SSL channel for all Web requests for the published Web server.
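The following model is an added example for this module; it is not ISA Server code and does not read ISA Server's configuration. It reproduces, in one place, the decision points described in the listener, SSL bridging and secure-channel topics above: a request is discarded unless a listener exists for the destination IP address and port, listener authentication is checked before any rule, and the rule's Bridging settings (redirect HTTP or SSL requests as HTTP, SSL or FTP; require a secure channel; require 128-bit encryption) decide whether and how the request reaches the internal Web server. All class and function names, IP addresses and host names are hypothetical, and the sample configuration at the bottom is constructed for the example.

```python
"""Model of the ISA Server Web publishing decisions described in this module.

Added illustration, not ISA Server code. Every name here is hypothetical;
the rules it encodes are the ones the module text describes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Listener:
    """One entry on the Incoming Web Requests tab, keyed by IP address."""
    tcp_port: int = 80                 # "TCP port" box, default 80
    ssl_port: Optional[int] = 443      # None models "Enable SSL listeners" cleared
    ask_unauthenticated: bool = False  # "Ask unauthenticated users for identification"


@dataclass
class PublishingRule:
    """Action and Bridging tab settings of one Web publishing rule."""
    internal_server: str               # "Redirect the request to this internal Web server"
    redirect_http_as: str = "HTTP"     # Bridging tab: HTTP | SSL | FTP
    redirect_ssl_as: str = "SSL"       # default: re-establish SSL to the site
    require_secure_channel: bool = False
    require_128bit: bool = False
    # Ports on the internal server; override to redirect to a non-standard port.
    ports: Dict[str, int] = field(default_factory=lambda: {"HTTP": 80, "SSL": 443, "FTP": 21})


@dataclass
class Request:
    """What the ISA Server computer sees when an external client connects."""
    dest_ip: str
    dest_port: int
    tls: bool                          # client opened an SSL session
    cipher_bits: int = 0               # negotiated key length (0 for plain HTTP)
    authenticated: bool = False        # client supplied credentials ISA accepted


def publish(listeners: Dict[str, Listener], rule: PublishingRule, req: Request) -> Tuple[str, str]:
    """Return (decision, detail): 'discard', 'deny', or 'redirect' with the target URL."""
    listener = listeners.get(req.dest_ip)
    if listener is None:
        # Without a listener the request is dropped before any rule is evaluated.
        return ("discard", "no listener configured for %s" % req.dest_ip)

    # The listener accepts only its own TCP port and, if enabled, its SSL port.
    expected = listener.ssl_port if req.tls else listener.tcp_port
    if expected is None or req.dest_port != expected:
        return ("discard", "listener %s does not accept port %d" % (req.dest_ip, req.dest_port))

    # Listener authentication is in addition to anything the Web server requires.
    if listener.ask_unauthenticated and not req.authenticated:
        return ("deny", "identification required by listener")

    # "Require secure channel (SSL) for published site" rejects plain-TCP connections.
    if rule.require_secure_channel and not req.tls:
        return ("deny", "secure channel (SSL) required for published site")
    if rule.require_128bit and req.tls and req.cipher_bits < 128:
        return ("deny", "128-bit encryption required")

    # Second leg: SSL bridging keeps it encrypted; HTTP terminates SSL at the proxy.
    mode = rule.redirect_ssl_as if req.tls else rule.redirect_http_as
    if mode not in rule.ports:
        raise ValueError("unknown bridging mode %r" % mode)
    scheme = {"HTTP": "http", "SSL": "https", "FTP": "ftp"}[mode]
    return ("redirect", "%s://%s:%d" % (scheme, rule.internal_server, rule.ports[mode]))


if __name__ == "__main__":
    # Constructed sample configuration with hypothetical addresses and names.
    listeners = {"203.0.113.10": Listener()}
    rule = PublishingRule(internal_server="partnerweb.internal",
                          require_secure_channel=True, require_128bit=True)
    for req in (Request("203.0.113.10", 80, tls=False),
                Request("203.0.113.10", 443, tls=True, cipher_bits=56),
                Request("203.0.113.10", 443, tls=True, cipher_bits=128)):
        print(req.dest_port, req.cipher_bits, "->", publish(listeners, rule, req))
```

Running the script with the constructed configuration shows the three outcomes the module describes for a rule that requires a secure channel and 128-bit encryption: the port 80 request is denied, the weak SSL session is denied, and only the 128-bit SSL session is bridged to https on the internal server. Setting redirect_ssl_as to "HTTP" reproduces the "terminate the secure channel at the proxy" option, which leaves the second leg unencrypted.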