Contents
Overview 1
Introduction to Publishing 2
Configuring Web Publishing 10
Configuring Server Publishing 20
Adding an H.323 Gatekeeper 27
Lab A: Configuring Access to Internal Resources 32
Review 45

Module 7:
Configuring Access to
Internal Resources



Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual


property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels,
Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)

Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart



Module 7: Configuring Access to Internal Resources iii


Instructor Notes
This module provides students with the knowledge and skills to configure
access to selected internal resources.
After completing this module, students will be able to:
Explain the concepts associated with server publishing.
Configure Web publishing.
Configure server publishing.
Add an H.323 Gatekeeper.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials

To teach this module, you need the Microsoft® PowerPoint® file 2159A_07.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the lab.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and provide
the answers.
Read “Checklist: Publishing,” “How To Configure Publishing,” “Controlling
Incoming Requests,” “Configuring Publishing,” “Using H.323 Gatekeeper,”
“Web publishing scenarios,” “Exchange Server publishing Scenarios,” and
“H.323 Gatekeeper deployment scenarios” in ISA Server Help.
Read Module 2, “Installing and Maintaining ISA Server,” Module 3, “Enabling
Secure Internet Access,” Module 4, “Configuring Caching,” and Module 6,
“Configuring the Firewall,” in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.
Read Module 14, “Designing a PKI for Business Partners,” in Course 2150,
Designing a Secure Microsoft Windows 2000 Network.
Read Module 5, “Configuring Network Security by Using Public Key
Infrastructure,” in Course 2153, Implementing a Microsoft Windows 2000
Network Infrastructure.
Read the \support\docs\smtpfilter.htm file and the \readme.htm file on the
ISA Server compact disc.

Presentation:
60 Minutes


Lab:
60 Minutes


Module Strategy
Use the following strategy to present this module:
Introduction to Publishing
Explain that for Web server publishing to work properly, external clients
must be able to resolve the name of a published server to the Internet
Protocol (IP) address of an external network adapter on the Microsoft
Internet Security and Acceleration (ISA) Server 2000 computer. Explain
that a back-to-back perimeter network configuration allows you to control
the traffic that enters the perimeter network separately from the traffic that
enters the internal network. Use the slide graphic to describe the steps that
you use to publish servers on a perimeter network. Explain that Web
publishing rules allow you to specify which port the ISA Server computer
uses to connect to the Web server.
Configuring Web Publishing
Explain that unlike the destination sets that you configure for access
policies, destination sets for publishing rules specify computers in your
internal network to which external clients connect, such as the name or the
IP address of your ISA Server computer. Explain the use of listeners and the
procedure that you use to configure listeners for incoming requests. Mention
that the authentication that you configure for the ISA Server computer is in
addition to any authentication that the published Web server requires.
Describe the use of Secure Sockets Layer (SSL) bridging and the associated
procedures.
Configuring Server Publishing

Explain that you can configure server publishing rules to allow client
connections by using any protocol that you have configured as an incoming
protocol definition. Run the Mail Server Security Wizard to demonstrate the
procedure that you use to publish a mail server. Explain the content filtering
option. Describe the flow of a message during the content filtering process.
Mention that more information about configuring the Simple Mail Transfer
Protocol (SMTP) filter is available in the \support\docs\smtpfilter.htm file
on the ISA Server compact disc.
Adding an H.323 Gatekeeper
Use the animated slide to explain how the H.323 Gatekeeper service works.
Explain that you can use an H.323 Gatekeeper to establish incoming
connections with both SecureNAT clients and Firewall clients, but you do
not have to create a gatekeeper to enable outgoing connections.



Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Lab Setup
The following list describes the setup requirements for the lab in this module.

Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Perform a full installation of ISA Server manually.

Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Install the ISA Server administration tools manually.

Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all ISA
Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Install the Firewall Client manually.




Setup Requirement 4
The lab in this module requires that all of the ISA Server client computers be
configured to use the ISA Server computer’s IP address on the private network
as their default gateway. To prepare student computers to meet this
requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Configure the default gateway manually.

Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Configure Internet Explorer manually.

Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol
(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Configure IIS manually.


Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the Internet
by using any protocol. To prepare student computers to meet this requirement,
perform one of the following actions:
Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration Server
2000.
Create the rule manually.



Lab Results
Performing the lab in this module introduces the following configuration
changes:
ISA Server is configured with a listener for outgoing Web requests.
Web publishing rules for internal Web servers are created.
The ISA Server computer is published as a Network News Transfer Protocol
(NNTP) server.
The ISA Server client computer is published as an SMTP and Internet Message
Access Protocol (IMAP) server.





Overview


Introduction to Publishing

Configuring Web Publishing

Configuring Server Publishing

Adding an H.323 Gatekeeper

***************************** ILLEGAL FOR NON-TRAINER USE ******************************
Microsoft® Internet Security and Acceleration (ISA) Server 2000 enables you to
publish services to the Internet without compromising the security of your
internal network. You can use ISA Server to publish internal servers to make
Web content and e-mail services available to external clients. You publish
servers by configuring server publishing rules to redirect requests from external
clients to a server on your internal network. By publishing servers and routing
requests from Internet clients to an ISA Server computer, you provide an
increased layer of security for your internal servers. You can also use ISA
Server to route incoming multimedia conferencing sessions by adding an H.323
Gatekeeper.
After completing this module, you will be able to:
Explain the concepts associated with server publishing.
Configure Web publishing.
Configure server publishing.

Add an H.323 Gatekeeper.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about configuring access to internal
resources for remote clients.






Introduction to Publishing

Publishing Overview

Publishing Servers on a Perimeter Network

Guidelines for Using Publishing and Routing

Publishing Rules Overview

Publishing servers enables you to provide access to selected resources in a
secure manner. To publish a server, you must create a publishing policy.
Publishing policies define rules for controlling how ISA Server processes
incoming requests. You can create publishing policies for Web servers, mail
servers, and other types of servers.

Topic Objective: To identify the topics related to publishing servers.
Lead-in: Publishing servers enables you to provide access to selected resources
in a secure manner.


Publishing Overview
[Slide graphic: Internet; ISA Server computer with external adapter 131.107.3.1
and internal adapter 192.168.9.1; published Web server www.nwtraders.msft on the
internal network]

Publishing a server makes the server on an internal network available to users
that gain access to the network through the Internet. You use Web publishing to
publish a Web server and server publishing to publish any other type of server
that uses Transmission Control Protocol/Internet Protocol (TCP/IP).
When you publish a Web server or other server, users connect to the external
network adapter of the ISA Server computer. The ISA Server computer uses the
internal network adapter to forward the request to the published server on the
internal network. Depending on how you configure the local address table
(LAT) on the ISA Server computer, an internal server can be on a perimeter
network or on a corporate network.
Publishing Web Servers
You can publish a Web server to allow external users on the Internet to
communicate with an internal Web server or a Web server on the perimeter
network through an ISA Server computer. When an external user requests an
object from the Web server, they actually receive the object from the ISA
Server computer. The ISA Server computer ensures that external users do not
reach the internal network directly.
In addition, the Internet Protocol (IP) address of the Web server is not exposed
to external users. Instead, external users communicate with the Web server by
specifying an external IP address of the ISA Server computer. The ISA Server
computer then re-issues the request through its internal network interface. When
the ISA Server computer receives a reply from the internal Web server, it then
changes the packet header and sends the reply to the external user from the ISA
Server computer’s external network interface. Because this process is similar to
the process that ISA Server uses to process requests from internal clients, Web
publishing is sometimes referred to as reverse proxy. Web server publishing
supports the Hypertext Transfer Protocol (HTTP), Hypertext Transfer
Protocol-Secure (HTTP-S), and File Transfer Protocol (FTP) protocols.
Topic Objective: To describe the use of published servers on an internal network.
Lead-in: Publishing a server makes the server on an internal network available
to users that gain access to the network through the Internet.
Delivery Tip: Explain the use of reverse proxy.



Important: For Web server publishing to work properly, external clients must
be able to resolve the name of a published server to the external IP address on
the ISA Server computer. For example, if the external IP address of the ISA
Server computer is 131.107.3.1 and the Domain Name System (DNS) name of
the published server is www.nwtraders.msft, the DNS on the Internet must
resolve the DNS name www.nwtraders.msft to 131.107.3.1.

Because ISA Server uses the Microsoft Web Proxy service when publishing a
Web server, ISA Server can cache Web objects for clients on the Internet.
Caching in this manner is called reverse caching. Reverse caching improves the
performance for external clients because ISA Server can retrieve Web objects
from its cache instead of from the Web server on the internal network or the
perimeter network.

Note: For more information about Web caching and configuring caching, see
Module 4, “Configuring Caching,” in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Publishing Other Servers
You can also publish a server that is not a Web server. You can publish any
type of server that uses TCP/IP.
For example, you can make an internal mail server available to external clients
by publishing it. Unlike Web publishing, server publishing does not provide for
reverse caching.
In addition, by publishing a server, external users are not able to see the
structure of the internal network. Because IP addresses on the internal network
are not visible to external users, publishing a server by using ISA Server is also
referred to as secure publishing.
Key Point: For Web server publishing to work properly, external clients must be
able to resolve the name of a published server to the IP address of an external
network adapter on the ISA Server computer.
Delivery Tip: Explain the use of reverse caching.


Publishing Servers on a Back-to-Back Perimeter Network
[Slide graphic: Internet; ISA Server (LAT = perimeter network); Perimeter
Network with Web Server; ISA Server (LAT = internal network); Internal Network
with SQL Server]

If your network has a back-to-back perimeter network configuration, you can
use ISA Server to publish servers that are on your perimeter network to the
Internet. You can also publish internal servers to the perimeter network. Using a
back-to-back perimeter network configuration enables you to control the traffic
that enters the perimeter network separately from the traffic that enters the
internal network. By controlling this traffic separately, you do not have any
direct connections from the Internet to your internal network.
To publish servers on a perimeter network:
• On the ISA Server computer that is connected to the Internet, ensure that the
LAT contains the IP addresses of the computers on the perimeter network
and the IP address of the ISA Server computer that is connected to the
internal network.
• Create publishing rules on the ISA Server computer that is connected to the
Internet to make selected servers on the perimeter network, such as a mail
server or a published Web server, available to external clients.
• Include the IP addresses of the computers on only the internal network in
the LAT of the ISA Server computer that is connected to the internal
network.
• Create publishing rules on the ISA Server computer that is connected to the
internal network to make servers on the internal network available to
selected servers on the perimeter network. For example, create a publishing
rule to make a Microsoft SQL Server database that contains inventory data
available to a published Web server on your perimeter network.

Topic Objective: To describe the procedure that you use to publish servers on a
back-to-back perimeter network.
Lead-in: If your network has a back-to-back perimeter network configuration,
you can use ISA Server to publish servers on your perimeter network.
Key Point: A back-to-back perimeter network configuration enables you to
control the traffic that enters the perimeter network separately from the
traffic that enters the internal network.
Delivery Tip: Use the slide graphic to describe the steps that you use to
publish servers on a perimeter network.




Note: For more information about the LAT, see Module 2, “Installing and
Maintaining ISA Server,” in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000. For more
information about perimeter networks, see Module 6, “Configuring the
Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.



Guidelines for Using Publishing and Routing
Publishing servers can achieve results similar to configuring ISA Server to
perform routing and packet filtering. However, unlike routing, which forwards
requests directly to a server, ISA Server intercepts all of the requests for a
published server and applies the publishing rule to each one before it forwards
anything to the server.
You always use routing to send IP packets between two IP addresses that ISA
Server treats as internal or between two IP addresses that ISA Server treats as
external. You use publishing to enable ISA Server to send packets between an
external network and an internal network.
Use the following guidelines to determine when to use server publishing and
when to use routing and packet filtering.
If your network                                      Then use
Does not have a perimeter network                    Server publishing
Has a back-to-back perimeter network configuration   Server publishing on both ISA Server computers
Has a three-homed perimeter network configuration    Routing and packet filtering between the Internet
                                                     and the perimeter network, and server publishing
                                                     between the internal network and the perimeter
                                                     network
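The LAT-driven distinction above, as an added example that is not part of the courseware and not ISA Server's own code: a small Python model that classifies a flow as routed or published from the point of view of one ISA Server computer's LAT, then applies it to the back-to-back layout described earlier. The addresses 131.107.3.1 and the 192.168.9.x perimeter range follow the module's slide; the subnet 10.0.0.0/8 for the internal network, the client address 198.51.100.7, the host addresses and the function names are constructed assumptions of this example.

```python
# Added example, not ISA Server code: how the local address table (LAT) of one
# ISA Server computer decides whether a flow is routed or must be published.
# The module's rule: route between two addresses that are both internal or
# both external; publish when an external client reaches an internal server.
from ipaddress import ip_address, ip_network


def is_internal(lat, address):
    """True if the address falls inside any LAT range (ISA Server treats it as internal)."""
    ip = ip_address(address)
    return any(ip in ip_network(entry) for entry in lat)


def traffic_handling(lat, src, dst):
    """Classify a src->dst flow from the point of view of the ISA Server that owns `lat`.

    'route'   both endpoints on the same side of the LAT boundary
    'publish' external client reaching an internal server: needs a publishing rule
    'access'  internal client reaching an external server: an outgoing request,
              governed by access policy (Module 3) rather than by publishing
    """
    src_in, dst_in = is_internal(lat, src), is_internal(lat, dst)
    if src_in == dst_in:
        return "route"
    return "publish" if dst_in else "access"


# Constructed back-to-back layout (assumed addresses, built around the module's slide):
#   Internet -- outer ISA (external 131.107.3.1) -- perimeter 192.168.9.0/24
#            -- inner ISA -- internal network 10.0.0.0/8
OUTER_ISA_LAT = ["192.168.9.0/24"]   # perimeter hosts and the inner ISA's perimeter-side address
INNER_ISA_LAT = ["10.0.0.0/8"]       # internal network only, as the module requires

INTERNET_CLIENT = "198.51.100.7"     # constructed external address
PERIMETER_WEB = "192.168.9.10"       # published Web server on the perimeter network (assumed)
INTERNAL_SQL = "10.0.1.20"           # SQL Server with inventory data on the internal network (assumed)


def back_to_back_decisions():
    """Which ISA Server needs which kind of rule in the two-firewall design."""
    return {
        # Internet user to the perimeter Web server: publishing rule on the outer ISA.
        "outer: internet -> perimeter web":
            traffic_handling(OUTER_ISA_LAT, INTERNET_CLIENT, PERIMETER_WEB),
        # Perimeter Web server to SQL: the inner ISA sees the perimeter as
        # external, so SQL must be published on the inner ISA.
        "inner: perimeter web -> internal sql":
            traffic_handling(INNER_ISA_LAT, PERIMETER_WEB, INTERNAL_SQL),
        # If the inner LAT wrongly included the perimeter subnet, the inner ISA
        # would simply route perimeter traffic inward with no publishing rule
        # to constrain it: the reason the inner LAT lists only internal addresses.
        "inner (perimeter wrongly in LAT): perimeter web -> internal sql":
            traffic_handling(INNER_ISA_LAT + ["192.168.9.0/24"], PERIMETER_WEB, INTERNAL_SQL),
        # Internal client browsing the Internet: access policy, not publishing.
        "inner: internal client -> internet":
            traffic_handling(INNER_ISA_LAT, INTERNAL_SQL, INTERNET_CLIENT),
    }


if __name__ == "__main__":
    for flow, handling in back_to_back_decisions().items():
        print(f"{flow}: {handling}")
```

The misconfigured case is the one to check on a real deployment: if a perimeter address appears in the inner ISA Server's LAT, traffic from that address is routed inward without ever touching a publishing rule.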

Topic Objective: To describe guidelines for using publishing and routing.
Lead-in: Publishing servers can achieve results similar to enabling routing and
packet filtering.
Key Point: Publishing a server enables you to apply rules to enforce strict
policies on the incoming traffic.


Publishing Rules Overview

Web Publishing Rules

Server Publishing Rules

Publishing a server

Publishing a mail server

Rules Available for Each Mode

To publish servers, you must configure a publishing policy. Publishing policies
can consist of Web publishing rules and server publishing rules.
Web Publishing Rules
Web publishing rules determine how ISA Server should redirect incoming
requests for an internal Web server that use the HTTP, HTTP-S, or FTP
protocols. When using Web publishing rules, you can also specify which port
the ISA Server computer uses to connect to the Web server. This port can be
different from the port that the client uses to connect to the ISA Server
computer.
Server Publishing Rules
Server publishing rules determine how ISA Server should process incoming
requests for internal servers that use protocols other than HTTP, HTTP-S, or
FTP, such as the protocols used by database servers or mail servers.
Publishing a Server
When you publish a server, ISA Server forwards requests to an internal server
located behind the ISA Server computer. As with Web publishing rules, server
publishing rules determine which requests the ISA Server computer forwards
and which requests it discards. Unlike Web publishing rules, server publishing
rules do not allow you to change the port that the ISA Server computer uses to
connect to the published server.
Topic Objective: To identify the topics related to publishing rules.
Lead-in: To publish servers, you must configure a publishing policy.
Key Point: When using Web publishing rules, you can specify which port the ISA
Server computer uses to connect to the Web server.
Key Point: Server publishing rules do not allow you to change the port that the
ISA Server computer uses to connect to the published server.


Publishing a Mail Server
ISA Server includes the Mail Server Security Wizard that you can use to
publish a mail server. When you complete the Mail Server Security Wizard,
ISA Server creates rules that allow incoming or outgoing mail traffic that uses
one or more of the most common mail protocols. When using the Mail Server
Security Wizard, it is not necessary to know the details of each mail protocol.
ISA Server creates the required rules based on the service that you select in the
wizard.
Publishing a server also enables you to apply rules to enforce strict policies on
the incoming traffic. For example, you can specify a publishing rule that allows
traffic from only a mail server in the perimeter network to be forwarded to your
internal mail server.
Rules Available for Each Mode
The following table lists the publishing policy rules that are available for each
ISA Server installation mode.
Rule type                 Firewall   Cache   Integrated
Web publishing rules      No         Yes     Yes
Server publishing rules   Yes        No      Yes








Configuring Web Publishing

Publishing a Web Server

Configuring Listeners for Incoming Web Requests

Redirecting Requests to Other Ports

Establishing Secure Communication

Configuring SSL Bridging

Requiring a Secure Channel

In addition to enabling secure access to the Internet for internal clients, ISA
Server can provide secure access to internal servers for external clients. To
make internal servers available to external clients, you create a publishing
policy to securely publish your internal servers. The publishing policy consists
of Web publishing rules or server publishing rules that determine how the
internal servers are published. In addition, you can require external clients to
authenticate to the ISA Server computer, and you can specify Secure Sockets
Layer (SSL) encryption when redirecting incoming requests to ensure secure
communication.
Topic Objective: To identify the topics related to configuring Web publishing.
Lead-in: ISA Server can make internal servers accessible to external clients.


Publishing a Web Server
[Slide graphic: Internet; ISA Server; Internal Network with Web servers
europe.internal.nwtraders.msft, published as www.nwtraders.msft/europe, and
africa.internal.nwtraders.msft, published as www.nwtraders.msft/africa]

You can publish Web servers to make internal Web sites accessible to users on
the Internet. To publish a Web server, you must first create a Web publishing
rule. By creating a Web publishing rule, you configure the ISA Server computer
to redirect incoming requests to a Web server on the internal network.
Using Destination Sets
Unlike the destination sets that you configure for access policies, which
describe destinations on the Internet, destination sets for publishing rules
specify the destinations that external clients connect to in order to reach your
network, such as the name or the external IP address of your ISA Server
computer. You can create a specified destination set to use in Web publishing
rules for redirecting requests for sections of a Web site to different internal
servers.
For example, you can create a destination set for www.nwtraders.msft/europe.
You would use this destination set in a Web publishing rule to redirect requests
for this section of the Web site to an internal server named
europe.internal.nwtraders.msft. You can then create another destination set for
www.nwtraders.msft/africa. You would use this destination set in a Web
publishing rule to redirect requests for this section of the Web site to an internal
server named africa.internal.nwtraders.msft.
When using a destination set that contains a path after the computer name, the
Web server must contain the same path. For example, if a client requests
www.nwtraders.msft/africa/default.htm, the internal server
africa.internal.nwtraders.msft must contain the path and file /africa/default.htm.

Note: For more information about how to configure destination sets, see
Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.


Topic Objective: To describe the key steps that you perform to create Web
publishing rules.
Lead-in: You can publish Web servers to make internal Web sites accessible to
users on the Internet.
Key Point: Unlike the destination sets that you configure for access policies,
destination sets for publishing rules specify the destinations that external
clients connect to in order to reach your network, such as the name or the
external IP address of your ISA Server computer.


Creating a New Web Publishing Rule
To create a new Web publishing rule:
• In ISA Management, in the console tree, expand your server or array,
expand Publishing, click Web Publishing Rules, and then in the details
pane, click Create a Web Publishing Rule.

• In the New Web Publishing Rule Wizard, type a name for the rule, and then
click Next.
• On the Destination Sets page, specify a destination set and the associated
information, and then click Next.
• On the Client Type page, specify a client type, and then click Next.

  Note: Unlike the rules that you configure for access policies, client sets for
  publishing rules typically specify locations outside the internal network,
  such as the IP addresses for a business partner. For more information about
  how to configure client sets, see Module 3, “Enabling Secure Internet
  Access,” in Course 2159A, Deploying and Managing Microsoft Internet
  Security and Acceleration Server 2000.

• On the Rule Action page, click Discard the request to ignore requests that
match the rule conditions or click Redirect the request to this internal
Web server, type the name of the published Web server, and then click
Next.

  Note: If your internal Web server hosts multiple Web sites, you may have
  to configure how ISA Server handles host headers. For more information
  about how to configure ISA Server for advanced Web publishing scenarios,
  see the \support\docs\copublish.htm file on the ISA Server compact disc.

• On the Completing the New Web Publishing Rule Wizard page, review
your choices, and then click Finish.

Changing the Rule Order
ISA Server processes Web publishing rules in the order in which they are listed
in the Web Publishing Rules folder and processes the first rule that applies to a
request. After a match occurs, no further processing is done for that request.

To change the rule order, click a rule, and then on the toolbar, click the Move
Up button or the Move Down button.
Note: ISA Server always contains the default rule, which discards all incoming
requests. Because ISA Server always processes the default rule last, ISA Server
applies this rule to all incoming requests that are not covered by another Web
publishing rule. You cannot modify, delete, or change the order of the default
rule.

Delivery Tip: Explain that the procedure for redirecting Web requests will be
presented later in this module.


Configuring Listeners for Incoming Web Requests

[Slide: the Incoming Web Requests tab of the LONDON Properties dialog box
(Use the same listener configuration for all internal IP addresses /
Configure listeners individually per IP address; a listener on PHOENIX for all
internal addresses with Integrated authentication; Enable SSL listeners;
TCP port 80; SSL port 443; Ask unauthenticated users for identification), and
the Add/Edit Listeners dialog box for a listener named PartnerWeb on server
LONDON, IP address 131.107.3.1, showing the option Use a server certificate
to authenticate to web clients and the authentication methods Basic with this
domain, Digest with this domain, Integrated, and Client certificate (secure
channel only).]
Before ISA Server responds to HTTP requests and SSL connection requests on
the external interface of an ISA Server computer, you must configure at least
one listener that determines how ISA Server responds to these requests. A
listener is an ISA Server configuration that defines how the ISA Server
computer listens for incoming or outgoing HTTP requests and SSL requests.
Unless you configure listeners for incoming requests, ISA Server discards all of
the incoming Web requests before applying Web server publishing rules. You
can configure the same listener configuration for all IP addresses, or you can
configure separate listener configurations for different IP addresses.
You can also require authentication for users that gain access to the ISA Server
computer by using a listener. The authentication that you configure for the ISA
Server computer is in addition to any authentication that the published Web
server requires. ISA Server applies rules based on ISA Server authentication.
These rules determine whether and how a request is passed on to the Web
server. The authentication method that you configure for the Web server
determines whether a user is allowed to gain access to content on the Web
server.

Note: The procedure for configuring authentication for incoming requests is
analogous to the procedure for configuring authentication for outgoing requests.
For more information about configuring authentication, see Module 3,
“Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.


Topic Objective: To describe the use of listeners for incoming Web requests.
Lead-in: Before ISA Server responds to HTTP requests and SSL connection
requests on the external interface of an ISA Server computer, you must
configure at least one listener that determines how the ISA Server computer
responds to these requests.
Delivery Tip: Explain the use of listeners.
Key Points: Unless you configure listeners for incoming requests, ISA Server
discards all of the incoming Web requests before applying Web server
publishing rules. The authentication that you configure for the ISA Server
computer is in addition to any authentication that the published Web server
requires.


To configure listeners:
• In ISA Management, in the console tree, right-click your server or array,
and then click Properties.
• In the Properties dialog box for your server or array, on the Incoming Web
Requests tab, perform the following actions.

To                                     Do this
Use the same configuration for         Click Use the same listener configuration for
all IP addresses                       all IP addresses, and then click Edit.
Use individual listeners for           Click Configure listeners individually per IP
each IP address                        address, and then click Add. In the Add/Edit
                                       Listeners dialog box, select an ISA Server
                                       computer, and then select the IP address of
                                       that computer.

• In the Display Name box, type a display name for the listener.

Note: Perform the following step only if you use user or group restrictions
in your Web publishing rules.


• Under Authentication, select one or more of the check boxes for your
designated authentication methods, and then click OK.
• In the TCP port box, type the port number on which ISA Server will listen
for Web requests. The default port is Transmission Control Protocol (TCP)
port 80.
• To require authentication for gaining access to ISA Server by using a
listener, select the Ask unauthenticated users for identification check
box, and then click OK.


Tip: Requiring authentication is impractical when you publish a Web server to
make that Web server publicly available. Most often, a better option is to
configure the appropriate authentication on the Web server. Use authentication
only when publishing Web servers with limited availability, such as a Web
server that is available to only selected business partners.


Redirecting Requests to Other Ports

[Slide: the Action tab of the PartnerWeb Properties dialog box, with Redirect
the request to this internal Web server (name or IP address) set to London,
the option Send the original host header to the publishing server instead of
the actual one (specified above), and the bridging ports Connect to this port
when bridging request as HTTP: 80, as SSL: 443, as FTP: 21. Callouts: "Type
the IP address or DNS name of the published server" and "Define ports this
rule redirects to".]
Web publishing rules specify which server should return a requested object to a
client. By default, ISA Server redirects HTTP requests and SSL requests to the
default ports for these services on an internal server. If an internal server uses a
non-standard port for HTTP, SSL, or FTP requests, you can redirect incoming
Web requests to that port on the published server on your internal network.

Note: Some Web servers use non-standard ports to allow a single computer to
run multiple Web sites.

To redirect incoming Web requests to a published server:
• In ISA Management, in the console tree, click Web Publishing Rules.
• In the details pane, click the applicable Web publishing rule, and then click
Configure a Web Publishing Rule.
• In the Properties dialog box for the Web publishing rule, on the Action tab,
click Redirect the request to this internal Web server (name or IP
address), type the IP address or the DNS name, perform the following
actions, and then click OK.
In the                                          Type
Connect to this port when bridging requests     The port number to use for HTTP
as HTTP box                                     requests. The default HTTP port is 80.
Connect to this port when bridging requests     The port number to use for SSL
as SSL box                                      requests. The default SSL port is 443.
Connect to this port when bridging requests     The port number to use for FTP
as FTP box                                      requests. The default FTP port is 21.
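The rule-order behaviour described under Changing the Rule Order (ISA Server applies the first rule that matches and the undeletable default rule discards whatever no other rule covered) and the bridging settings in the table above are easiest to reason about in a small model. The following Python code is an added example written for this page; it is not ISA Server code and not part of the course. The names Rule, Request, Decision, evaluate() and shadowed_rules(), the sites partner.example and www.example, the client set 203.0.113.0/24 and the internal server names are constructed for the illustration, and destination and client sets are simplified to host names and CIDR blocks. Besides deciding a request, it flags rules that an earlier, broader rule makes unreachable, which is the practical risk of the Move Up and Move Down ordering: a broad discard above a specific redirect silently blocks the published site, and a broad redirect above a partner-only rule makes the partner server reachable by every client.

```python
"""First-match evaluation of Web publishing rules, with bridging to internal ports.

Constructed illustration (not ISA Server code): models the behaviour the text
describes, rules tried in listed order, first match wins, a built-in default rule
that discards everything and always runs last, and per-rule HTTP/SSL/FTP bridge
ports plus the option to pass the original host header through.
Rule, Request, Decision, evaluate() and shadowed_rules() are assumed names.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_BRIDGE_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass
class Rule:
    name: str
    destinations: tuple                  # public names the rule applies to; "*" = any
    clients: tuple = ("0.0.0.0/0",)      # client address set as CIDR strings; default = any
    action: str = "discard"              # "discard" or "redirect"
    server: Optional[str] = None         # published internal server (redirect only)
    bridge_ports: dict = field(default_factory=lambda: dict(DEFAULT_BRIDGE_PORTS))
    send_original_host_header: bool = False


# The default rule cannot be edited, deleted or reordered; evaluate() appends it.
DEFAULT_RULE = Rule("Default rule", ("*",))


@dataclass
class Request:
    host: str       # host header as received by the listener
    client_ip: str
    scheme: str     # "http", "https" or "ftp": how ISA Server will bridge it


@dataclass
class Decision:
    rule: str
    action: str
    server: Optional[str] = None
    port: Optional[int] = None
    host_header: Optional[str] = None


def _names(rule):
    return {d.lower() for d in rule.destinations}


def _covers(outer, inner):
    """True when every address in CIDR block `inner` is inside `outer`."""
    o, i = ip_network(outer), ip_network(inner)
    return o.version == i.version and i.subnet_of(o)


def _matches(rule, req):
    dest_ok = "*" in rule.destinations or req.host.lower() in _names(rule)
    client = ip_address(req.client_ip)
    client_ok = any(client in ip_network(c) for c in rule.clients)
    return dest_ok and client_ok


def evaluate(rules, req):
    """Apply the first matching rule; the default rule guarantees a decision."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if not _matches(rule, req):
            continue
        if rule.action == "discard":
            return Decision(rule.name, "discard")
        host_header = req.host if rule.send_original_host_header else rule.server
        return Decision(rule.name, "redirect", rule.server,
                        rule.bridge_ports[req.scheme], host_header)


def shadowed_rules(rules):
    """(later, earlier) pairs where the earlier rule covers every request the
    later one could match, so the later rule never takes effect."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            dests = "*" in earlier.destinations or _names(later) <= _names(earlier)
            clients = all(any(_covers(e, c) for e in earlier.clients)
                          for c in later.clients)
            if dests and clients:
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample configuration: a partner-only site and a public site.
PARTNER_SITE = Rule("Partner site", ("partner.example",), clients=("203.0.113.0/24",),
                    action="redirect", server="london.internal",
                    send_original_host_header=True)
PUBLIC_SITE = Rule("Public site", ("www.example",), action="redirect",
                   server="phoenix.internal",
                   bridge_ports={"http": 8080, "https": 8443, "ftp": 21})
RULES = [PARTNER_SITE, PUBLIC_SITE]

if __name__ == "__main__":
    print(evaluate(RULES, Request("www.example", "198.51.100.7", "https")))
    print(evaluate(RULES, Request("partner.example", "198.51.100.7", "http")))
    print(shadowed_rules([Rule("Deny everything", ("*",))] + RULES))
```

Running the block shows the public site bridged as SSL to phoenix.internal on its non-standard port 8443, the partner site request from an address outside the partner client set falling through to the default rule, and both real rules reported as shadowed once a catch-all discard is moved above them.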

Topic Objective: To describe the procedure that you use to redirect requests to
other ports.
Lead-in: Web publishing rules specify which server should return a requested
object to a client.
Key Point: You can redirect incoming Web requests from the ISA Server
computer to a published server on your internal network.


Establishing Secure Communication

[Slide: the Add/Edit Listeners dialog box for the listener Partner Web on
server LONDON, IP address 131.107.3.1, with Use a server certificate to
authenticate to web clients selected, and the Select Certificate dialog box
listing the certificates available on the specified server (columns Issued To,
Issued By, Expiration Date, Friendly Name; two certificates expiring
10/12/2002, with the friendly names Partner Web… and Public Web Site).]
When you redirect incoming Web requests, you must ensure that all network
traffic is secured appropriately. For example, when clients attempt to establish a
secure session with a published Web server, you must configure ISA Server to
establish this secure connection across the Internet on behalf of the Web server.
When ISA Server receives an SSL request from a client for an object on a
published server, ISA Server establishes a separate SSL channel with the
published server. This type of redirection is called SSL bridging. SSL bridging
ensures that both parts of the connection, the session between the client and the
ISA Server computer and the session between ISA Server and the internal Web
server, are encrypted.
SSL Overview
The SSL protocol enables secure data communication over networks by using
encryption and decryption. Many Web sites use the SSL protocol to obtain
confidential data from users, such as credit card information. Web pages that
use an SSL connection begin with https instead of http. By default, Web servers
receive SSL packets on TCP port 443.
SSL uses server certificates to encrypt traffic between the client and the server.
Clients can also use a server’s certificates to authenticate the identity of the
server before sending confidential information.

Note: For more information about Public Key Infrastructure (PKI), including
how to use and install certificates in Microsoft Windows® 2000, see Module 14,
“Designing a PKI for Business Partners,” in Course 2150, Designing a Secure
Microsoft Windows 2000 Network, and Module 5, “Configuring Network
Security by Using Public Key Infrastructure,” in Course 2153, Implementing a
Microsoft Windows 2000 Network Infrastructure.

Topic Objective: To describe the procedure that you use to publish secure Web
sites.
Lead-in: When you redirect incoming Web requests, you can also set the
protocol that the ISA Server computer uses to send requests to the published
Web server.
Key Point: SSL bridging ensures that both parts of the connection, the session
between the client and the ISA Server computer and the session between ISA
Server and the internal Web server, are encrypted.


Publishing Secure Web Sites
When you publish a server that uses the SSL protocol to encrypt client requests
to the server, clients connect to the ISA Server computer on port 443. To enable
the ISA Server computer to respond to this request, you must configure the ISA
Server computer to listen on port 443. You must also configure the ISA Server
computer to use a server certificate to impersonate the published server.
To configure the ISA Server computer to listen for incoming SSL requests:
• In ISA Management, in the console tree, right-click your server or array,
and then click Properties.
• In the Properties dialog box for the server or array, on the Incoming Web
Requests tab, ensure that the Enable SSL listeners check box is selected
and that the SSL port number matches the port number that external clients
use to connect to the ISA Server computer. By default, this port is port 443.
• Select the appropriate listener, and then click Edit.
• In the Add/Edit Listeners dialog box, select the Use a server certificate to
authenticate to web clients check box, and then click Select.
• In the Select Certificate dialog box, select the certificate that was issued for
the published Web site, and then click OK three times.



Important: Before you can select a certificate, the certificate must have been
issued for the Web site, and you must have installed this certificate on the ISA
Server computer by using the Certificates Microsoft Management Console
(MMC) snap-in.
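A practical way to check the condition the Important note states, before selecting a certificate for an SSL listener, is to verify that the certificate's names cover the public name that clients use and that its validity period has not lapsed. The Python code below is an added example, not part of the course or of ISA Server; it works on the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, and the function names, sample certificates, host names and dates in it are constructed. A certificate issued for a different name is exactly the case that produces certificate warnings at the client, which in turn trains users to click through them.

```python
"""Checking that a server certificate fits an SSL listener.

Constructed illustration (not course or ISA Server code): verifies the two
things the text requires of a certificate selected for a listener, that it was
issued for the public name of the published site and that it is within its
validity period. Certificates are given in the dictionary layout returned by
ssl.SSLSocket.getpeercert(); the sample certificates, names and dates below
are made up for this example.
"""
import ssl
import time


def dns_names(cert):
    """Names the certificate was issued for: subjectAltName DNS entries,
    falling back to the subject commonName when there are none."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for (key, value) in rdn if key == "commonName")
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leading "*" standing for one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        label, _, rest = hostname.partition(".")
        return bool(label) and rest == pattern[2:]
    return False


def check_listener_certificate(cert, public_name, now=None):
    """Return the list of reasons the certificate is unsuitable (empty = usable)."""
    now = time.time() if now is None else now
    problems = []
    names = dns_names(cert)
    if not any(name_matches(n, public_name) for n in names):
        problems.append("not issued for %s (names: %s)"
                        % (public_name, ", ".join(names) or "none"))
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form
    # that getpeercert() uses for notBefore/notAfter.
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid until %s" % cert["notBefore"])
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired on %s" % cert["notAfter"])
    return problems


# Constructed sample certificates in getpeercert() layout.
PARTNER_CERT = {
    "subject": ((("commonName", "partner.northwind.example"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "partner.northwind.example"),),
    "notBefore": "Oct 12 00:00:00 2001 GMT",
    "notAfter": "Oct 12 23:59:59 2002 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.northwind.example"),),),
    "subjectAltName": (("DNS", "*.northwind.example"),),
    "notBefore": "Oct 12 00:00:00 2001 GMT",
    "notAfter": "Oct 12 23:59:59 2002 GMT",
}
# Fixed "now" values so the checks are reproducible.
MID_2002 = ssl.cert_time_to_seconds("Jun 01 00:00:00 2002 GMT")
MID_2003 = ssl.cert_time_to_seconds("Jun 01 00:00:00 2003 GMT")

if __name__ == "__main__":
    for name in ("partner.northwind.example", "www.northwind.example"):
        print(name, check_listener_certificate(PARTNER_CERT, name, now=MID_2002))
    print("after expiry",
          check_listener_certificate(PARTNER_CERT, "partner.northwind.example", now=MID_2003))
```

Pass `now=None` to check against the current clock; the fixed MID_2002 and MID_2003 values exist only so the sample runs the same way every time. The wildcard rule deliberately covers one label only, so a certificate for *.northwind.example does not satisfy a listener published as northwind.example.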