MCSE ISA Server 2000 document - P8 (doc)


Chapter 6 ISA SERVER HOSTING ROLES

INTRODUCTION

I can remember when Web servers were not placed behind the corporate firewall. The rationale was that to do so would compromise the security of the internal network. Companies risked site attacks and possible downtime rather than create potential chinks in their firewall armor. The Internet was a simpler beast then, and few were fielding Business to Business (B2B) or Business to Consumer (B2C) sites. Things have changed. Now, no Web master worth her salt would dream of leaving her baby bare and exposed. The challenge then becomes, how do I protect the Web site, or other exposed servers, allow access to it, and yet not allow hackers entrance into my internal network? There are four potential answers:

• First, a Web server sits on the internal network behind the firewall. The firewall is configured to "host" the Web site, or act as the decontamination chamber, so to speak, for all communications between the Web server and the rest of the world.
• Second, a separate arrangement, where the Web server sits behind a firewall but is not connected to anyone's private network. The hosting methodology explained in this chapter will be as useful in this scenario as it is in the first.
• Third, while the Web server sits on the internal network behind the firewall, instead of hosting, appropriate ports are opened on the firewall to allow traffic to flow to the Web site.
• Finally, a separate perimeter or demilitarized zone (DMZ) is created to act as the network for all Internet accessible hosts. A three-pronged approach (the firewall has three NIC cards) or a separate, internal firewall is used to protect the internal network. This approach, and the one mentioned previously, are covered in more detail in Chapter 10, "Firewall Configuration."

09 mcse CH06 6/5/01 12:02 PM Page 183
Part II CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES

The best approach, in many cases, is to host the server using ISA hosting services. To learn how to do so, see the following sections of this chapter:

• Configuring ISA Server for Web Publishing
• Configuring ISA Server for Server Proxy
• Configuring ISA Server for Server Publishing

CONFIGURING ISA SERVER FOR WEB PUBLISHING

Configure ISA Server for Web publishing.

Most security experts would agree: To protect a public Web server, place it behind the firewall, and allow access in the most secure manner to prevent unauthorized and malicious access. ISA Server offers two ways to do this: either configure packet filters and protocol rules, which allow access to the Web server by permitting Web protocols through the firewall and directing them to the Web server, or configure Web publishing rules on the firewall. To configure packet filters and protocol rules to allow access to an internal Web server, see Chapter 10. However, to follow a more secure process, configure Web publishing rules. To allow access to the internal server via Web publishing, perform the actions listed in Table 6.1.

TABLE 6.1 CONFIGURE WEB PUBLISHING

Action: Configure Web site domain resolution.
Instructions: Assure that the public Web server address is registered in DNS with the address of the ISA server that will perform the Web hosting.
Mandatory? Yes

Action: Configure destination sets to identify the ISA Servers that will be configured for publishing.
Instructions: The destination set includes the external IP address or names of ISA Servers that will route the request to the internal Web server. Figure 6.1 illustrates this configuration. You can choose to use more general terms instead of explicitly identifying the firewall.
Mandatory? No

Action: Configure a listener on the external interface of the firewall.
Instructions: See Step by Step 6.1.
Mandatory? Yes

Action: Configure client access types to restrict access.
Instructions: Client types include ranges of IP addresses and specific user accounts.
Mandatory? No

Action: Create a Web publishing rule.
Instructions: Follow Step by Step 6.2.
Mandatory? Yes

FIGURE 6.1 Identifying the destination set. (Labels in the figure: ISA, Web Server, Internet, DNS; "Where is www.peachweaver.com?"; "Peachweaver.com is at 208.43.67.12"; addresses 206.66.66.71, 208.43.67.12, 192.168.2.10; Destination set = 208.43.67.12.)

Configuring Destination Sets

When the Web publishing rule is created, you use the defined destination sets, client address sets, and rule actions to set its parameters, conditions, and actions. Destination sets indicate that a request for Web services received at these IP addresses meets that condition in the rule. Client address sets are composed of the addresses of clients who may be allowed to make requests for Web objects. Rule actions define what happens if these conditions are met. Possibilities include:

• The request is discarded (configure to explicitly prevent all access to internal Web servers, or more likely to explicitly deny access to people(s) identified in client address sets).
• The request is redirected to an internal server.
• The requested object is retrieved from the server cache.

EXAM TIP The Destination Is Not the Web Server! When configuring destination sets for Web publishing rules, it is important to understand that you are identifying the destination of the request from the perspective of the client. In this case, the client is on the public network; therefore, the destination is the external address of the ISA server(s), which will reroute the request. A common mistake is to configure destination sets with the internal Web server addresses. This will not work.

Configuring Listeners

Listeners are the specifications that allow ISA Server to link ports on a particular external interface with the internal Web server. The "listener" identifies which network interface (IP address) is the active location identified as the source for Web access to the external world.

STEP BY STEP 6.1 Configuring a Listener for the Web Site

1. Open the Property page for the ISA Server by right-clicking on the Server in the Management console and selecting Properties.
2. Select the Incoming Web Requests tab (see Figure 6.2).
3. If desired, click the radio button Configure Listeners Individually per IP Address.
4. Click Add.
5. Choose the server from the Server drop-down box.
6. Choose the external IP address to listen on from the IP Address drop-down box.
7. Enter a friendly name for a display name.
8. Configure to use server certificates (optional).
9. Configure Authentication (optional).
10. Click OK.
11. Review your choices and click OK.
12. Select whether to save changes and restart the service, or save changes but not start the service (see Figure 6.3). Changes will not take place until the service is restarted.
13. Click OK.

FIGURE 6.2 Identifying the Web listener.

Creating Web Publishing Rules

After the elements (listeners, destinations, and Web servers) are present, a Web publishing rule can be created to specify what action will be taken if a request is made. The rule identifies the clients that can access the site and the destination for the request (the IP address of the external interface where the "listener" sits).

STEP BY STEP 6.2 Configuring Web Publishing Rules

1. Navigate in the ISA Management console to Servers and Arrays\name\Publishing\Web Publishing Rules.
2. Note that the default Web publishing rule discards all requests.
3. Right-click on the Web Publishing Rules folder and select New Rule.
FIGURE 6.3 Saving changes.

4. Enter a name for the rule and click Next.
5. Select a preconfigured destination set or leave the default All Destinations in place. Click Next.
6. Specify the client type. Client type can be used to selectively allow Web site access by business partners, telecommuters, or traveling employees. The choices are
   • Any request
   • Specific computers (client address sets)
   • Specific users and groups
7. Click Next.
8. Indicate the rule action (see Figure 6.4).
9. Click Next.
10. Review configuration and click Finish.

FIGURE 6.4 Selecting a rule action.

Enabling CARP

Cache Array Routing Protocol (CARP) can be enabled for outgoing and incoming Web requests. Outgoing Web requests are cached by CARP by default. You can, however, configure CARP to cache incoming Web requests. This process allows more efficient handling of frequent requests and removes the strain from busy Web servers. You saw this feature for a single server when configuring the cache retrieval configuration step of the routing rule for the Web publishing steps in Step by Step 6.2. In arrays, you want CARP configured to act the same way. To enable incoming CARP, open the Property pages for the array and on the Incoming Web Requests page, check the box labeled Resolve Requests Within Array Before Routing. Members of the array can be configured to have different loads so that requests can be spread more heavily on servers with more disk resources, for example. For more information on configuring CARP see Chapter 11, "Manage ISA Server in the Enterprise."
Configuring Server Certificates and Authentication Methods

To secure access to internal Web servers, authentication methods can be configured. Authentication methods include:

• Requiring server authentication via server certificates
• Basic authentication
• Digest authentication
• Windows Integrated Authentication

The last three types of authentication are client authentication and were defined in Chapter 5, "Outbound Internet Access." Authentication of outbound access can restrict, control, and make auditable employee access to the Internet. Authentication of inbound access establishes credentials for users who want to access internal resources. These users might be employees who are traveling or who work from home, business partners who require access to internal servers, and customers who must establish identity before accessing specific data on internal Web sites. Server authentication, on the other hand, can be used by the ISA Server to identify itself as the internal Web server. Clients seeking secure access to internal Web sites will request server authentication via Secure Sockets Layer (SSL) certificates. To prove its identity, the ISA Server must be able to fulfill this request. To configure the ISA Server to use certificates for Web requests, follow Step by Step 6.3.

STEP BY STEP 6.3 Configuring Server Certificates

1. In the ISA Server Management console, right-click the array or server and click Properties.
2. Select the Incoming Web Requests tab.
3. Select the listener that requires a certificate.
4. Click Edit to display the listener properties.

NOTE Certificates: Certificates are encrypted digital identification. They provide the capability to perform secure communications between two computers. SSL certificates are used primarily by Web servers to prove their identity to clients.
Because the ISA Server often sits between the Web server and the client, it must be able to perform server authentication using SSL and participate in a secured (encrypted) communication with the requesting client.

5. In the Add/Edit Listeners dialog box, check Use a Server Certificate to Authenticate to Web Clients.
6. Click Select.
7. Select the server certificate to use. (Server certificates must be previously installed on the server in the server certificate store. For instructions on how to do so, please ask the party from whom the certificate is received. In many cases, it may be a simple button click after the certificate is received. In others, it requires using the Certificates snap-in.)
8. Click OK twice.
9. Select Save the Changes and Restart the Service(s). Click OK.

Redirecting HTTP and SSL Requests

When the ISA Server serves as the endpoint for the external client connection, you might need to configure SSL so the server can authenticate to the client. You must also configure what will happen to the client communication once it is received. This is done by configuring a Routing Rule. Routing rules determine where incoming and outgoing requests are redirected. Step by Step 6.4 explains how to configure a rule to redirect HTTP and/or SSL requests.

STEP BY STEP 6.4 Redirecting Incoming Web Requests

1. Navigate to Internet Security and Acceleration Server\Servers and Arrays\name\Network Configuration\Routing.
2. Create a new rule or modify an existing rule.
3. If creating a new rule, use the New Routing Rule Wizard\Request Action page to indicate the internal server and the HTTP and SSL ports to direct the request to (see Figure 6.5). Edited rules display these choices on the Action page.
4. If creating a new rule, use the New Routing Rule Wizard\Cache Retrieval Configuration page to select the conditions under which requests will be routed to the Web server (see Figure 6.6). Edited rules display these choices on the Cache tab.
5. If creating a new rule, use the New Routing Rule Wizard\Cache Content Configuration page to indicate the conditions under which caching will occur. Edited rules display these choices on the Cache tab.
6. Click Finish.
7. Double-click the rule to open its property pages.
8. Select the Bridging tab (see Figure 6.7).
9. By default, both Redirect HTTP Requests as HTTP Requests and Redirect SSL Requests as SSL Requests are selected. Additional choices can be made. Table 6.2 explains the ramifications.
10. Click OK to close the Properties page.

FIGURE 6.5 Redirecting HTTP and SSL requests.

FIGURE 6.6 Select when to request object from Web server.

TABLE 6.2 SSL BRIDGING CHOICES

Redirect HTTP requests as:
  HTTP requests: No mystery here.
  SSL requests: Use this choice to secure HTTP communications between the ISA Server and the internal Web server (see Figure 6.8).

Redirect SSL requests as:
  HTTP requests: The SSL secure channel ends at the ISA Server. Communications between the ISA Server and the Web server would be unencrypted (see Figure 6.9).
  SSL requests: While the SSL channel terminates at the ISA Server (the client conversation is secured between itself and the ISA Server), this option requires a new SSL channel be established between the ISA Server and the Web server (see Figure 6.10).

Require secure channel (SSL): No conversation will take place if SSL cannot be established.

Requires 128-bit encryption: The ISA Server must have the high encryption pack for Windows 2000 installed in order to use this feature.

Use a certificate to authenticate to the SSL Web Server: If an SSL channel is required between the ISA Server and the Web server, check this box and identify the certificate to be used.

FIGURE 6.7 Specifying bridging requirements.

FIGURE 6.8 Redirect HTTP as SSL (Internet to ISA: HTTP; ISA to Web Server: SSL).

FIGURE 6.9 Redirect SSL as HTTP (Internet to ISA: SSL; ISA to Web Server: HTTP).

FIGURE 6.10 Redirect SSL as SSL (Internet to ISA: SSL; ISA to Web Server: SSL).

CONFIGURING ISA SERVER FOR SERVER PROXY

Configure ISA Server for server proxy.

ISA Server can act as a mail server proxy if configured ...

Further excerpts from later pages of the chapter, truncated in the source:

... Exchange RPC Server
• Any RPC Server
• FTP Server
• RTFP Server
• PMN – Real Networks Server
• MMS – Windows Media Server
• DNS Query Server
• DNS Zone Transfer
• HTTPS Server
• IMAP4 Server
• IMAPS Server
• Microsoft SQL Server
• NNTP Server
• NNTPS Server
• POP3 Server
• POP3S Server
• SMTP Server
• SMTPS Server
• Telnet Server

FIGURE 6.16 Identifying the server address mapping.

5. On the New Server Publishing ...

... mail server name to the ISA Server computer, a DNS entry for the mail server should be made that points to the ISA Server. MAPI clients, HTTP clients, POP3, and IMAP4 clients can then resolve the address of the ISA Server.

The Mail Server Security Wizard

The Mail Server Security Wizard enables you to easily configure the ISA Server to proxy requests for e-mail server access. As a result, it creates server ...
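Pulling together the Web publishing rule of Table 6.1 and Step by Step 6.2 (destination set, client address set, default discard rule) with the bridging choices of Table 6.2, the following is an added example, not code from the book or from ISA Server: a small Python model of how one incoming request is handled, plus a review function that flags the destination-set mistake from the exam tip and the legs that end up unencrypted. The addresses follow Figure 6.1 and are constructed; Listener, WebPublishingRule, Bridging, evaluate and review are names of this model, not ISA Server objects.

```python
"""Model of the Web publishing path in this chapter: a listener on the ISA external
interface, a Web publishing rule (destination set, client address set, default discard)
and the routing rule's SSL bridging choices. Added example with constructed addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed lab values following Figure 6.1: the public name resolves to the ISA.
ISA_EXTERNAL = "208.43.67.12"
WEB_INTERNAL = "192.168.2.10"
PUBLIC_DNS = {"www.peachweaver.com": ISA_EXTERNAL}

@dataclass
class Listener:
    external_ip: str              # external interface address the listener binds
    has_server_certificate: bool  # Step by Step 6.3; required to answer SSL requests

@dataclass
class WebPublishingRule:
    name: str
    destination_set: Set[str]     # ISA external addresses or names, as the client sees them
    client_networks: List[str]    # client address sets (CIDRs); empty means "any request"
    action: str                   # "redirect" or "discard"
    redirect_to: Optional[str] = None

@dataclass
class Bridging:                   # Bridging tab of the routing rule (Table 6.2)
    ssl_as: str = "SSL"           # forward incoming SSL requests as "SSL" or "HTTP"
    http_as: str = "HTTP"         # forward incoming HTTP requests as "HTTP" or "SSL"
    require_ssl: bool = False     # "Require secure channel (SSL)"

def matches_client(rule: WebPublishingRule, client_ip: str) -> bool:
    if not rule.client_networks:
        return True
    return any(ip_address(client_ip) in ip_network(n) for n in rule.client_networks)

def evaluate(listener: Listener, rules: List[WebPublishingRule], bridging: Bridging,
             client_ip: str, dest: str, scheme: str) -> Tuple[str, Optional[str]]:
    """One request's fate: ('redirect', internal leg 'SSL'/'HTTP') or ('discard', None)."""
    if scheme == "SSL" and not listener.has_server_certificate:
        return ("discard", None)  # ISA cannot prove its identity, so the handshake fails
    if scheme == "HTTP" and bridging.require_ssl:
        return ("discard", None)  # no conversation will take place without SSL
    for rule in rules:            # the first matching rule decides
        if dest in rule.destination_set and matches_client(rule, client_ip):
            if rule.action != "redirect":
                return ("discard", None)
            return ("redirect", bridging.ssl_as if scheme == "SSL" else bridging.http_as)
    return ("discard", None)      # built-in default Web publishing rule discards everything

def review(rule: WebPublishingRule, listener: Listener, bridging: Bridging) -> List[str]:
    """Findings to clear before enabling the rule (the exam tip above and Table 6.2)."""
    findings = []
    for dest in rule.destination_set:
        resolved = PUBLIC_DNS.get(dest, dest)
        if resolved == WEB_INTERNAL:
            findings.append(f"{rule.name}: destination set names the internal Web server {dest}")
        elif resolved != listener.external_ip:
            findings.append(f"{rule.name}: destination {dest} is not the listener address")
    if bridging.ssl_as == "HTTP":
        findings.append("SSL bridged as HTTP: the ISA-to-Web-server leg is unencrypted")
    if not bridging.require_ssl:
        findings.append("plain HTTP accepted: the client-to-ISA leg may be unencrypted")
    return findings
```

A rule whose destination set names only 192.168.2.10 produces a finding no matter how the bridging is set, which is the failure the exam tip describes.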
... 7. Configure the SMTP filter to check for attachments (see Figure 6.15) and keywords; size, name, or type of content to hold, delete, or forward to the administrator.

CONFIGURING ISA SERVER FOR SERVER PUBLISHING

Configure ISA Server for server publishing.

Besides publishing internal mail servers and Web servers, ISA Server can ...

... authentication is required (see Figure 6.11). Click Next.
3. On the Mail Server Security Wizard\ISA Server's External IP Address page, enter the ISA Server's IP address and click Next.
4. On the Mail Server Security Wizard\Internal Mail Server page, enter the IP address of the mail server or select On the Local Host if the mail server is located on the ISA Server. Click Next.
5. Review the configuration, and then click Finish. ...

... the IP address of the external address of the ISA Server. See the section, "Configuring ISA Server for Server Proxy."
5. A, C. Reverse caching is not available in firewall mode, so D is wrong. E-mail is never cached on the ISA Server, so B is wrong. See the section, "Configuring ISA Server for Server Proxy."
6. A, B, C. The SMTP service will be running on the mail server. See the section, "Content Filtering." ...

... server.
4. Install the ISA Server Message Screener.
5. If the ISA Server computer is a standalone installation on a standalone Windows 2000 Server, or the Message Screener is installed on a computer that is not a member of the same AD forest as the ISA computer, you must:
   • Run the SMTPCred.exe utility from the ISA Server installation CD-ROM\i386 folder and enter the name of the ISA Server, the time for ...

EXAM TIP What's Special About Mail Servers That Reside on the ISA Server? If the mail server resides on the ISA Server computer, packet filters, not protocol rules, are configured. It is easiest to complete this configuration by using the Mail Server Security Wizard. DNS and ...

STEP BY STEP 6.6 Configuring the SMTP Service and Filter

1. Run the ISA Mail Server Security Wizard and specify the use of Incoming SMTP mail and Outgoing SMTP mail.
2. When running the ISA Mail Server Security Wizard, select Apply Content Filtering.
3. On the ISA Server, use the IIS console, ...

... ISA Server computer. You can do so by using Control Panel\Add/Remove Programs. The SMTP service running on the ISA Server acts as a virtual server. It can be used to filter content received on port 25 on the external interface of the ISA Server, and then relay the mail to the internally published SMTP mail server. To set up the message screener requires four steps:
• Installing the SMTP service on the ISA ...

Posted on: 24/12/2013, 19:15
