Configuring ISA Server for Web Publishing

With ISA Server, you can use the methods below to secure access to an internal Web server:

  • Configure protocol rules and packet filters to allow Web protocols to pass through the firewall to the Web server.

  • Configure Web publishing rules on the firewall

There are a number of tasks that you need to perform to allow access to the internal Web server through Web publishing rules:

  • Configure Web site domain resolution: register the public Web server's name in DNS so that it resolves to the address of the ISA server that is used for Web hosting.

  • Configure destination sets that specify the ISA servers which are used for Web publishing: the destination sets that you create should contain the external IP address of the ISA servers that will forward requests to your Web server.

  • On the external interface of the firewall, you have to configure a listener.

  • You have to configure the necessary client access types.

  • Configure the Web publishing rule.

Destination sets, client address sets and rule actions are used to define the conditions and actions of a Web publishing rule:

  • The destination sets specify the IP addresses (and, optionally, the paths) at which a request must be received for it to meet the conditions defined in the rule.

  • The client address sets contain the clients' IP addresses that are allowed to request Web objects.

  • Rule actions define the actions that occur when a request meets these conditions. A few rule actions are listed here:

    • The request is discarded.

    • The request is redirected to an internal server.

    • The requested object is retrieved from the server cache.

Listeners enable the ISA server to associate ports on its external interface with an internal Web server. A listener tells ISA Server to monitor the specified IP address for incoming connections.

The Web publishing rule defines the following important elements:

  • The action that should occur when a request is received, and the clients for whom access is allowed.

  • The destination that the request should be forwarded to.

You can configure an authentication method to secure access to your Web servers. The authentication methods that you can configure are:

  • Server authentication by using server certificates

  • Basic authentication (client authentication)

  • Digest authentication (client authentication)

  • Windows Integrated authentication (client authentication)

When you configure server authentication, clients can securely access the internal Web server by requesting server authentication through Secure Sockets Layer (SSL) certificates. Here, the ISA server identifies itself to clients as the internal Web server. Before you can enable server authentication, you have to install the necessary server certificate on the server.
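To make the rule elements above concrete, here is an added Python model (not ISA Server code and not from the page) of how a listener, destination sets, client address sets and rule actions combine to decide what happens to one request. The class and function names, the first-match rule ordering, and the sample addresses are constructed assumptions for the illustration; the default rule that discards unmatched requests is the behaviour the page describes.

```python
"""Added example (not ISA Server code): a model of Web publishing rule evaluation.
Class/function names, first-match ordering and the sample addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass
class DestinationSet:
    """Where a request must be addressed for the rule to apply: a DNS name
    ("Destination" option) and/or an external IP range ("IP Addresses" option)
    on the ISA server, optionally narrowed to a path prefix ("Path" box)."""
    name: str
    host: Optional[str] = None
    ip_range: Optional[Tuple[str, str]] = None
    path: str = "/"

    def matches(self, dest_ip: str, host_header: str, path: str) -> bool:
        if self.host is not None and host_header.lower() != self.host.lower():
            return False
        if self.ip_range is not None:
            lo, hi = (ip_address(a) for a in self.ip_range)
            if not lo <= ip_address(dest_ip) <= hi:
                return False
        return path.startswith(self.path)


@dataclass
class ClientAddressSet:
    """Client IP ranges that are allowed to request Web objects."""
    name: str
    ranges: List[Tuple[str, str]]

    def contains(self, client_ip: str) -> bool:
        ip = ip_address(client_ip)
        return any(ip_address(lo) <= ip <= ip_address(hi) for lo, hi in self.ranges)


@dataclass
class WebPublishingRule:
    name: str
    action: str                                    # "discard" | "redirect" | "cache"
    destinations: Optional[DestinationSet] = None  # None = "All Destinations"
    clients: Optional[ClientAddressSet] = None     # None = "Any request"
    internal_server: Optional[str] = None          # used when action == "redirect"
    internal_port: int = 80

    def applies(self, client_ip: str, dest_ip: str, host_header: str, path: str) -> bool:
        if self.destinations and not self.destinations.matches(dest_ip, host_header, path):
            return False
        if self.clients and not self.clients.contains(client_ip):
            return False
        return True


# ISA Server ships with a default rule that drops every request no other rule matched.
DEFAULT_RULE = WebPublishingRule("Default rule", "discard")


def evaluate(rules: List[WebPublishingRule], listener_ips: set,
             client_ip: str, dest_ip: str, host_header: str, path: str):
    """Return (rule name, action, redirect target). A request that arrives on an
    address no listener monitors never reaches the rule base at all."""
    if dest_ip not in listener_ips:
        return ("no listener", "discard", None)
    for rule in list(rules) + [DEFAULT_RULE]:       # assumed first-match ordering
        if rule.applies(client_ip, dest_ip, host_header, path):
            target = None
            if rule.action == "redirect":
                target = f"{rule.internal_server}:{rule.internal_port}"
            return (rule.name, rule.action, target)
    raise AssertionError("unreachable: the default rule matches every request")


# Constructed sample configuration (documentation addresses, not a real deployment).
LISTENERS = {"203.0.113.10"}                       # external interface of the ISA server
PARTNERS = ClientAddressSet("Partners", [("198.51.100.0", "198.51.100.255")])
EXTRANET = DestinationSet("Extranet", host="www.example.com", path="/partners")
PUBLIC = DestinationSet("Public web", host="www.example.com",
                        ip_range=("203.0.113.10", "203.0.113.10"))
RULES = [
    # Specific rules first: the catch-all redirect at the end would otherwise
    # publish /partners to every client.
    WebPublishingRule("Partner extranet", "redirect", EXTRANET, PARTNERS, "web1.corp.local"),
    WebPublishingRule("Block extranet", "discard", EXTRANET),
    WebPublishingRule("Publish www", "redirect", PUBLIC, None, "web1.corp.local"),
]

if __name__ == "__main__":
    for client, path in [("192.0.2.7", "/index.html"), ("192.0.2.7", "/partners/report"),
                         ("198.51.100.5", "/partners/report")]:
        print(client, path, evaluate(RULES, LISTENERS, client, "203.0.113.10",
                                     "www.example.com", path))
```

The ordering of the sample rules is the point worth checking in a real rule base: a broad redirect rule placed ahead of a narrower discard rule publishes the restricted path to every client, because the first matching rule decides.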

How to create a destination set for internal servers to publish

  1. Open the ISA Management console.

  2. If you want the destination set to be available to all arrays in the enterprise, access the Destination Sets folder by expanding the Enterprise node and then the Policy Elements node.

  3. If you want the destination set to be available to a specific server or array, access the Destination Sets folder located under that server node.

  4. Select the Create Destination Set link.

  5. The New Destination Set dialog box opens.

  6. In the Name box, enter the name of the new destination address set.

  7. In the Description box, enter a description for the destination address set.

  8. Click the Add button.

  9. The Add/Edit Destination dialog box opens.

  10. If you want to specify the computer or domain by DNS name, click the Destination option and enter the host name.

  11. If you want to define an IP address range, click the IP Addresses option and specify the start IP address and end IP address.

  12. If you want to specify a specific directory path or file name, enter this in the Path box.

  13. Click OK.

How to configure a listener to monitor for incoming requests

  1. Open the ISA Management console.

  2. Right-click the ISA server in the console tree, and then select Properties from the shortcut menu.

  3. The Server Properties dialog box opens.

  4. Click the Incoming Web Requests tab.

    • If you want to use the same listener for all IP addresses on the ISA server, select the Use The Same Listener Configuration For All IP Addresses option. Select the server and then click the Edit button to access the Add/Edit Listeners dialog box.

    • If you want to configure a listener for each IP address, select the Configure Listener Individually Per IP Address option. If you have selected the Configure Listener Individually Per IP Address option, click the Add button to configure the IP address for the connection. The Add/Edit Listeners dialog box opens.

  5. In the Server box, select the server.

  6. In the IP Address box, enter the IP address of the external interface.

  7. In the Display Name box, enter a display name for the IP address.

  8. Specify whether or not a server certificate should be used to authenticate the server to Web clients.

  9. Change the authentication method if desired.

  10. Click OK in the Add/Edit Listeners dialog box.

  11. On the Incoming Web Requests tab, if you want ISA Server to listen for Secure Sockets Layer (SSL) requests, check the Enable SSL Listeners checkbox.

  12. If you want to enable Cache Array Routing Protocol (CARP) for reverse caching, select the Resolve Requests Within Array Before Routing checkbox.

  13. Click OK.

  14. Specify whether your configuration settings should be saved immediately and the Web Proxy and Scheduled Download services should be restarted. To do this, click the Save The Changes And Restart The Service(s) option and click OK. You can alternatively select the Save The Changes But Don't Restart The Services option. If you select this option, you have to restart the services at a later stage for the settings to take effect.

How to configure a Web publishing rule

  1. Open the ISA Management console.

  2. Locate the Publishing object beneath the server or array and then select the Web Publishing Rules folder.

  3. You will see the default Web publishing rule that drops all requests.

  4. Right-click Web Publishing Rules and then select New Rule from the shortcut menu.

  5. The New Web Publishing Rule Wizard launches.

  6. Enter a name for the new Web publishing rule. Click Next.

  7. You can leave the default setting of All Destinations selected, or you can specify a preconfigured destination set. Click Next.

  8. On the Client Type page, choose a client type:

    • Any request

    • Specific computers

    • Specific users and groups

     Click Next.

  9. On the Rule Action page, select the Redirect The Request To This Internal Web Server option.

  10. Enter the fully qualified domain name of the Web server.

  11. Change the port addresses if necessary, and click Next.

  12. Click Finish.

How to configure server certificates

  1. Open the ISA Management console.

  2. Right-click the ISA server or array in the console tree, and then select Properties from the shortcut menu.

  3. The Server Properties dialog box opens.

  4. Click the Incoming Web Requests tab.

  5. Choose the listener that needs a certificate.

  6. Click the Edit button.

  7. The Add/Edit Listeners dialog box opens.

  8. Select the Use a Server Certificate to Authenticate to Web Clients checkbox.

  9. Click the Select button.

  10. Select the server certificate that you want to use for server authentication.

  11. Click OK.

  12. Click OK in the Add/Edit Listeners dialog box.

How to enable CARP (Cache Array Routing Protocol) for reverse caching

  1. Open the ISA Management console.

  2. Right-click the ISA Server array in the console tree, and then select Properties from the shortcut menu.

  3. The Properties dialog box opens.

  4. Click the Incoming Web Requests tab.

  5. To enable Cache Array Routing Protocol (CARP) for reverse caching, select the Resolve Requests Within Array Before Routing checkbox.

  6. Click OK.

How to configure redirecting for incoming Web requests

  1. Open the ISA Management console.

  2. Navigate to the Routing folder.

  3. Right-click the Routing folder and select New Rule from the shortcut menu.

  4. The New Routing Rule Wizard launches.

  5. In the Name box enter the name of the routing rule.

  6. In the Description box, enter a description for the routing rule. Click Next.

  7. When the Destination Sets page opens, specify the destination set and then click Next.

  8. On the Request Action page, specify the internal server, and HTTP and SSL port to direct the request. Click Next.

  9. On the Cache Retrieval Configuration page, you have to define how this routing rule searches for and retrieves objects from the cache. Click Next.

  10. On the Cache Content Configuration page, specify whether objects should be stored in the cache. Click Next.

  11. Click Finish.

  12. Open the Properties page of the new rule.

  13. Click the Bridging tab.

  14. The default settings are Redirect HTTP requests as HTTP Requests, and Redirect SSL requests as SSL Requests.

  15. You can choose to Redirect HTTP requests as:

    • HTTP Requests

    • SSL Requests

  16. You can choose to Redirect SSL requests as:

    • HTTP Requests

    • SSL Requests

  17. Select the Require secure channel (SSL) checkbox. You can also enable the Requires 128-bit encryption checkbox.

  18. Select the Use a certificate to authenticate to the SSL Web Server checkbox and specify the certificate to use.

  19. Click OK.
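The Bridging tab settings decide on which of the two legs (client to ISA server, ISA server to Web server) traffic is encrypted. The following added Python model (not ISA Server code and not from the page) works through those choices for one request; the function names, the way the 128-bit check is modelled as a negotiated key length, and the sample requests are constructed assumptions.

```python
"""Added example (not ISA Server code): a model of the Bridging tab of a routing
rule. Function names and sample requests are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Bridging:
    http_as: str = "HTTP"       # "Redirect HTTP requests as": HTTP | SSL
    ssl_as: str = "SSL"         # "Redirect SSL requests as":  HTTP | SSL
    require_ssl: bool = False   # "Require secure channel (SSL)"
    require_128: bool = False   # "Require 128-bit encryption"


def bridge(cfg: Bridging, incoming: str, cipher_bits: int = 0) -> Tuple[str, str]:
    """Decide what the firewall does with one incoming request.

    incoming is the scheme the client used to reach the listener ("HTTP" or
    "SSL"); cipher_bits is the negotiated key length, 0 for plain HTTP
    (a constructed stand-in for the real 128-bit check).
    Returns ("forward", outbound scheme) or ("reject", reason).
    """
    if incoming not in ("HTTP", "SSL"):
        raise ValueError("incoming must be HTTP or SSL")
    if cfg.require_ssl and incoming != "SSL":
        return ("reject", "secure channel (SSL) required")
    if cfg.require_ssl and cfg.require_128 and cipher_bits < 128:
        return ("reject", "128-bit encryption required")
    return ("forward", cfg.http_as if incoming == "HTTP" else cfg.ssl_as)


def legs(cfg: Bridging, incoming: str, cipher_bits: int = 0) -> Dict[str, object]:
    """Show which of the two legs carries ciphertext, so it is obvious when the
    ISA server terminates SSL and talks to the Web server in clear text."""
    decision, detail = bridge(cfg, incoming, cipher_bits)
    if decision == "reject":
        return {"accepted": False, "reason": detail}
    return {"accepted": True,
            "client_to_isa_encrypted": incoming == "SSL",
            "isa_to_server_encrypted": detail == "SSL"}


if __name__ == "__main__":
    # Constructed: a rule that terminates SSL at the firewall and forwards in clear text.
    terminate = Bridging(ssl_as="HTTP", require_ssl=True, require_128=True)
    print(legs(terminate, "SSL", 128))   # accepted, encrypted only on the client leg
    print(legs(terminate, "SSL", 40))    # rejected: 128-bit required
    print(legs(terminate, "HTTP"))       # rejected: SSL required
```

Redirecting SSL requests as HTTP requests is convenient when the internal Web server has no certificate, but it means the internal leg is plaintext; Redirect SSL requests as SSL Requests together with Use a certificate to authenticate to the SSL Web Server keeps both legs encrypted.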

Configuring ISA Server as a Mail Server Proxy

You can configure ISA Server as a mail server proxy for the following mail clients:

  • Post Office Protocol 3 (POP3)

  • Internet Message Access Protocol 4 (IMAP4)

  • Messaging Application Programming Interface (MAPI)

  • Network News Transfer Protocol (NNTP)

  • Secure NNTP

To provide mail services to external clients, you have to configure a publishing rule that gives external users access to the internal mail servers. You have to define a DNS entry for the mail server that points to the ISA Server so that clients can resolve the mail server name to the ISA Server computer. The Mail Server Security Wizard is used to publish mail servers. You can use the Mail Server Security Wizard to create server publishing rules and protocol rules.

You can configure an SMTP filter to filter incoming mail. If you have configured an SMTP filter, you can select it when using the Mail Server Security Wizard. The SMTP filter then examines SMTP traffic on port 25 to determine whether the request should be forwarded or dropped, or whether an alert should be generated. When the ISA Server Message Screener component is installed, you can configure the SMTP filter to examine messages.

Messages can be filtered by:

  • Size

  • Name

  • Content type

You install the ISA Server Message Screener component on the ISA Server computer by first installing the SMTP service on the computer.

To install the ISA Server Message Screener component, use the process outlined below:

  • Install the SMTP service on the ISA Server computer. To do this:

    1. Click Start, Control Panel, and click Add/Remove Programs.

    2. Click Add/Remove Windows Components when the Add Or Remove Programs dialog box opens.

    3. Click Application Server in the Windows Components dialog box, and then click the Details button.

    4. The Application Server dialog box appears next.

    5. Click the SMTP Service checkbox.

    6. Click OK.

  • Install the ISA Server Message Screener component by using ISA Server Setup.

  • You next have to publish the internal SMTP mail server to the ISA server.

  • Lastly, you have to configure the SMTP service and the SMTP filter.

How to publish mail servers

  1. Open the ISA Management console.

  2. Navigate to the Publishing object.

  3. Select the Secure Mail Server link.

  4. The Mail Server Security Wizard launches.

  5. Click Next on the initial screen of the Mail Server Security Wizard.

  6. On the Mail Services Selection page, select the protocols that you want to publish.

  7. Specify whether to use default authentication or SSL authentication. Click Next.

  8. When the External IP address page opens, enter the external IP address of the ISA server and then click Next.

  9. On the Internal Mail Server page, enter the IP address of the internal mail server, or alternatively, select the On The Local Host option. The latter option should be selected if the ISA server is also a mail server. Click Next.

  10. Click Finish.

How to configure the SMTP service and SMTP filter

  1. Open the ISA Management console.

  2. Initiate the Mail Server Security Wizard.

  3. Select the Incoming SMTP mail option and Outgoing SMTP mail option on the Mail Services Selection page.

  4. Select the Apply Content Filtering option as well.

  5. Close the Mail Server Security Wizard.

  6. Open the IIS Manager console on the ISA server.

  7. In the console tree, right-click the Default SMTP Virtual Server node, and click Properties from the shortcut menu.

  8. The Default SMTP Virtual Server Properties dialog box opens.

  9. Click the Access tab.

  10. In the Relay Restrictions area of the Access tab, click the Relay button.

  11. The Relay Restrictions dialog box opens.

  12. Select the All Except the List Below option. Click OK.

  13. Click the Delivery tab.

  14. Click the Advanced button to configure advanced delivery settings on the Advanced Delivery dialog box.

  15. In the Smart Host box, type the name of the mail server. The Smart Host box is used to route outgoing messages through a specific SMTP host. You can define the smart host by its IP address or fully qualified domain name.

  16. Click OK in the Advanced Delivery dialog box.

  17. Click OK in the Default SMTP Virtual Server Properties dialog box.

  18. To install the ISA Server Message Screener component, run the SMTPCred.exe utility on the ISA Server Setup CD-ROM and provide:

    • The name of the ISA server.

    • The interval for information retrieval.

    • User credentials for ISA Server.

  19. You also have to configure Distributed Component Object Model (DCOM) on the ISA server computer. DCOM enables the Message Screener component to access the ISA server.

  20. You can next configure the SMTP filter to reject specific users and domains.

  21. You can also configure the SMTP filter to check for attachments. The SMTP filter can be configured to check content and size, and to forward or delete attachments.
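The checks the SMTP filter performs (rejecting specific users and domains, and screening attachments by name, size and content type) are easy to lose track of when they are spread over several dialog boxes. The following added Python example (not the ISA Server Message Screener, and not from the page) implements the same kind of policy against a constructed message so the decision logic can be read in one place; the policy values, function names and sample messages are constructed, and only the forward and drop outcomes are modelled.

```python
"""Added example (not the ISA Server Message Screener): a minimal SMTP content
filter showing the checks the text lists. Policy values and the sample messages
are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed policy; the real SMTP filter is configured in ISA Management.
FILTER_POLICY: Dict[str, object] = {
    "blocked_senders": {"spammer@bad.example"},             # specific users to reject
    "blocked_domains": {"bad.example"},                     # whole domains to reject
    "max_message_bytes": 2 * 1024 * 1024,                   # size limit
    "blocked_attachment_names": (".exe", ".scr", ".vbs"),   # attachment name check
    "blocked_content_types": {"application/x-msdownload"},  # content type check
}


def screen(raw: bytes, pol: Dict[str, object] = FILTER_POLICY) -> Tuple[str, List[str]]:
    """Decide for one message whether it is forwarded or dropped.

    Returns ("forward", []) or ("drop", reasons). Every check runs, so the
    reasons list tells the operator everything that was wrong with the message.
    """
    reasons: List[str] = []
    if len(raw) > pol["max_message_bytes"]:
        reasons.append("message exceeds size limit")
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if addr in pol["blocked_senders"]:
        reasons.append(f"sender rejected: {addr}")
    elif domain in pol["blocked_domains"]:
        reasons.append(f"sender domain rejected: {domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(pol["blocked_attachment_names"]):
            reasons.append(f"attachment name rejected: {name}")
        if ctype in pol["blocked_content_types"]:
            reasons.append(f"attachment content type rejected: {ctype}")
    return ("drop" if reasons else "forward", reasons)


def build_sample(sender: str, filename: str, content_type: str) -> bytes:
    """Construct a sample message with one attachment (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@corp.example"
    m["Subject"] = "constructed sample"
    m.set_content("Hello")
    maintype, subtype = content_type.split("/", 1)
    m.add_attachment(b"\x00\x01\x02", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(screen(build_sample("alice@corp.example", "report.pdf", "application/pdf")))
    print(screen(build_sample("Mallory <spammer@bad.example>", "setup.exe",
                              "application/x-msdownload")))
```

Both the name check and the content type check are kept because a blocked extension can be renamed while the declared content type stays the same, and vice versa; checking only one of them leaves a gap.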

Configuring ISA Server for Server Publishing

ISA Server can also be configured to redirect requests for specific services to internal servers. This is done by configuring publishing rules to redirect the requests.

When running the New Server Publishing Rule Wizard, the protocols that you can select to be published are:

  • Exchange RPC Server

  • Any RPC Server

  • FTP Server

  • RTSP Server

  • PNM – Real Networks Server

  • MMS – Windows Media Server

  • DNS Query Server

  • DNS Zone Transfer

  • HTTPS Server

  • IMAP4 Server

  • IMAPS Server

  • Microsoft SQL Server

  • NNTP Server

  • NNTPS Server

  • POP3 Server

  • POP3S Server

  • SMTP Server

  • SMTPS Server

  • Telnet Server

While you can use packet filters, the use of publishing rules is considered the more secure option, because the application filters that publishing rules work with are more specific than packet filters. Packet filters are typically used if you want to publish services that reside on the ISA server itself, or if you want to publish servers that reside on the perimeter network.

When you create the packet filter, there are a number of predefined filter types that you can select:

  • DNS lookup

  • ICMP all outbound

  • ICMP ping response

  • ICMP ping query

  • ICMP source quench

  • ICMP timeout

  • ICMP unreachable

  • PPTP call

  • PPTP receive

  • SMTP

  • POP3

  • Identd

  • HTTP server (port 80)

  • HTTPS server (port 443)

  • NetBIOS (WINS client only)

  • NetBIOS (all)
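The difference between a server publishing rule and a packet filter is the crux of the previous paragraph, so here it is worked through as an added Python model (not ISA Server code and not from the page). A publishing rule maps one external address and port to a specific internal server for an allowed client set, while a packet filter only allows a protocol and port to reach a perimeter host or the ISA server itself. The class and function names, the ordering of publishing rules before packet filters, the standard port numbers attached to the predefined filter names, and the sample packets are constructed assumptions.

```python
"""Added example (not ISA Server code): models a server publishing rule next to
an IP packet filter. Names, ordering, port numbers and sample packets are
constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A few of the page's predefined filter types as (protocol, port); the ports
# are the standard ones for each service.
PREDEFINED: Dict[str, Tuple[str, int]] = {
    "SMTP": ("tcp", 25),
    "POP3": ("tcp", 110),
    "Identd": ("tcp", 113),
    "HTTP server (port 80)": ("tcp", 80),
    "HTTPS server (port 443)": ("tcp", 443),
}


@dataclass
class PacketFilter:
    """Allow filter: traffic may pass to local_host on protocol/port from the
    remote networks listed (empty list = any remote computer)."""
    name: str
    protocol: str
    port: int
    local_host: str
    remote: List[str]

    def allows(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if (proto, dst, dport) != (self.protocol, self.local_host, self.port):
            return False
        return not self.remote or any(ip_address(src) in ip_network(n) for n in self.remote)


def predefined_filter(kind: str, local_host: str, remote: Optional[List[str]] = None) -> PacketFilter:
    """Build a filter from one of the predefined filter types."""
    proto, port = PREDEFINED[kind]
    return PacketFilter(kind, proto, port, local_host, remote or [])


@dataclass
class ServerPublishingRule:
    """Map external_ip:port on the ISA server to internal_ip:port for clients in
    client_sets (empty list = "All requests")."""
    name: str
    protocol: str
    port: int
    external_ip: str
    internal_ip: str
    client_sets: List[str]

    def target(self, proto: str, src: str, dst: str, dport: int) -> Optional[str]:
        if (proto, dst, dport) != (self.protocol, self.external_ip, self.port):
            return None
        if self.client_sets and not any(ip_address(src) in ip_network(n) for n in self.client_sets):
            return None
        return f"{self.internal_ip}:{self.port}"


def process_packet(filters: List[PacketFilter], rules: List[ServerPublishingRule],
                   proto: str, src: str, dst: str, dport: int):
    """Return ("publish", target), ("filter", filter name) or ("drop", None).
    Anything not explicitly published or allowed is dropped."""
    for rule in rules:
        tgt = rule.target(proto, src, dst, dport)
        if tgt:
            return ("publish", tgt)
    for f in filters:
        if f.allows(proto, src, dst, dport):
            return ("filter", f.name)
    return ("drop", None)


# Constructed sample: ISA external address, one perimeter host, two internal servers.
ISA_EXT, DMZ_WEB = "203.0.113.10", "203.0.113.20"
RULES = [
    ServerPublishingRule("Publish SMTP", "tcp", 25, ISA_EXT, "10.0.0.25", []),
    ServerPublishingRule("SQL for partners", "tcp", 1433, ISA_EXT, "10.0.0.30", ["198.51.100.0/24"]),
]
FILTERS = [
    predefined_filter("HTTP server (port 80)", DMZ_WEB),
    predefined_filter("HTTPS server (port 443)", DMZ_WEB, ["198.51.100.0/24"]),
]

if __name__ == "__main__":
    for src, dst, port in [("192.0.2.7", ISA_EXT, 25), ("192.0.2.7", ISA_EXT, 1433),
                           ("198.51.100.5", ISA_EXT, 1433), ("192.0.2.7", DMZ_WEB, 80),
                           ("192.0.2.7", DMZ_WEB, 443)]:
        print(src, "->", dst, port, process_packet(FILTERS, RULES, "tcp", src, dst, port))
```

The model makes the security argument visible: the packet filter knows nothing about the service behind port 80 on the perimeter host, whereas the publishing rule ties a single external port to a single internal server and, optionally, to a client address set.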

How to configure server publishing rules

  1. Open the ISA Management console.

  2. Expand the Publishing node, and select Server Publishing Rules.

  3. Expand Server Publishing Rules and then select New Rule.

  4. The New Server Publishing Rule Wizard launches.

  5. Provide a name for the new server publishing rule and then click Next.

  6. On the Address Mapping page:

    • Provide the IP address of the internal server.

    • Provide the IP address of the ISA server.

     Click Next.

  7. On the Protocol Settings page, select the protocol that you want to publish:

    • Exchange RPC Server

    • Any RPC Server

    • FTP Server

    • RTSP Server

    • PNM – Real Networks Server

    • MMS – Windows Media Server

    • DNS Query Server

    • DNS Zone Transfer

    • HTTPS Server

    • IMAP4 Server

    • IMAPS Server

    • Microsoft SQL Server

    • NNTP Server

    • NNTPS Server

    • POP3 Server

    • POP3S Server

    • SMTP Server

    • SMTPS Server

    • Telnet Server

     Click Next.

  8. On the Client Type page, select between the following options:

    • All requests

    • Client address sets

     Click Next.

  9. Specify the client address sets to use, or define new ones, and then click Next.

  10. Click Finish.

How to publish servers residing on the perimeter network

  1. Open the ISA Management console.

  2. Expand the Access Policy folder in the console tree.

  3. Right-click the Packet Filters and select New Filter from the shortcut menu.

  4. The New IP Packet Filter Wizard launches.

  5. Provide a name for the new IP packet filter and click Next.

  6. On the Filter Mode page, select the Allow Packet Transmission option and then click Next.

  7. On the Filter Type page, you can either select the Custom option, or you can select a predefined filter type. The available predefined filter types are:

    • DNS lookup

    • ICMP all outbound

    • ICMP ping response

    • ICMP ping query

    • ICMP source quench

    • ICMP timeout

    • ICMP unreachable

    • PPTP call

    • PPTP receive

    • SMTP

    • POP3

    • Identd

    • HTTP server (port 80)

    • HTTPS server (port 443)

    • NetBIOS (WINS client only)

    • NetBIOS (all)

     Click Next.

  8. On the Local Computer page, enter the IP address of the perimeter network computer and then click Next.

  9. On the Remote Computer page, enter the IP addresses of all other computers that the rule should be applied to. Click Next.

  10. Click Finish.