Module 7: Configuring Access to Internal Resources
Overview
Introduction to Publishing
Configuring Web Publishing
Configuring Server Publishing
Adding an H.323 Gatekeeper
Microsoft® Internet Security and Acceleration (ISA)
Server 2000 enables you to publish services to the
Internet without compromising the security of your
internal network. You can use ISA Server to publish
internal servers to make Web content and e-mail
services available to external clients. You publish
servers by configuring server publishing rules to
redirect requests from external clients to a server on
your internal network. By publishing servers and
routing requests from Internet clients to an ISA Server
computer, you provide an increased layer of security for
your internal servers. You can also use ISA Server to
route incoming multimedia conferencing sessions by
adding an H.323 Gatekeeper.
After completing this module, you will be able to:
Explain the concepts associated with server publishing.
Configure Web publishing.
Configure server publishing.
Add an H.323 Gatekeeper.
Introduction to Publishing
Publishing Overview
Publishing Servers on a Perimeter Network
Guidelines for Using Publishing and Routing
Publishing Rules Overview
Publishing servers enables you to provide access to
selected resources in a secure manner. To publish a
server, you must create a publishing policy. Publishing
policies define rules for controlling how ISA Server
processes incoming requests. You can create
publishing policies for Web servers, mail servers, and
other types of servers.
Publishing Overview
[Slide diagram: an ISA Server computer with its external adapter (131.107.3.1) facing the Internet and its internal adapter (192.168.9.1) facing the internal network, which contains the published Web server www.nwtraders.msft.]
Publishing a server makes the server on an internal
network available to users that gain access to the
network through the Internet. You use Web publishing to
publish a Web server and server publishing to publish
any other type of server that uses Transmission Control
Protocol/Internet Protocol (TCP/IP).
When you publish a Web server or other server, users
connect to the external network adapter of the ISA
Server computer. The ISA Server computer uses the
internal network adapter to forward the request to the
published server on the internal network. Depending on
how you configure the local address table (LAT) on the
ISA Server computer, an internal server can be on a
perimeter network or on a corporate network.
Publishing Web Servers
You can publish a Web server to allow external users on the
Internet to communicate with an internal Web server or a Web
server on the perimeter network through an ISA Server computer.
When an external user requests an object from the Web server, they
actually receive the object from the ISA Server computer. The ISA
Server computer ensures that external users do not reach the
internal network directly.
In addition, the Internet Protocol (IP) address of the Web server is
not exposed to external users. Instead, external users communicate
with the Web server by specifying an external IP address of the ISA
Server computer. The ISA Server computer then re-issues the
request through its internal network interface. When the ISA Server
computer receives a reply from the internal Web server, it then
changes the packet header and sends the reply to the external user
from the ISA Server computer's external network interface. Because
this process is similar to the process that ISA Server uses to
process requests from internal clients, Web publishing is
sometimes referred to as reverse proxy. Web server publishing
supports the Hypertext Transfer Protocol (HTTP), Hypertext
Transfer Protocol-Secure (HTTP-S), and File Transfer Protocol (FTP)
protocols.
Important:
For Web server publishing to work properly, external
clients must be able to resolve the name of a published
server to the external IP address on the ISA Server
computer. For example, if the external IP address of the
ISA Server computer is 131.107.3.1 and the Domain
Name System (DNS) name of the published server is
www.nwtraders.msft, the DNS on the Internet
must resolve the DNS name www.nwtraders.msft
to 131.107.3.1.
Because ISA Server uses the Microsoft Web Proxy
service when publishing a Web server, ISA Server can
cache Web objects for clients on the Internet. Caching
in this manner is called reverse caching. Reverse
caching improves the performance for external clients
because ISA Server can retrieve Web objects from its
cache instead of from the Web server on the internal
network or the perimeter network.
Note:
For more information about Web caching and
configuring caching, see Module 4, "Configuring
Caching," in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server
2000.
Publishing Other Servers
You can also publish a server that is not a Web server.
You can publish any type of server that uses TCP/IP.
For example, you can make an internal mail server
available to external clients by publishing it. Unlike Web
publishing, server publishing does not provide for
reverse caching.
In addition, by publishing a server, external users are
not able to see the structure of the internal network.
Because IP addresses on the internal network are not
visible to external users, publishing a server by using
ISA Server is also referred to as secure publishing.
Publishing Servers on a Back-to-Back Perimeter Network
[Slide diagram: a back-to-back perimeter network. An outer ISA Server computer sits between the Internet and the perimeter network, which contains the Web server; its LAT covers the perimeter network. An inner ISA Server computer sits between the perimeter network and the internal network, which contains the SQL Server; its LAT covers the internal network.]
If your network has a back-to-back perimeter network
configuration, you can use ISA Server to publish
servers that are on your perimeter network to the
Internet. You can also publish internal servers to the
perimeter network. Using a back-to-back perimeter
network configuration enables you to control the traffic
that enters the perimeter network separately from the
traffic that enters the internal network. By controlling
this traffic separately, you do not have any direct
connections from the Internet to your internal network.
To publish servers on a perimeter network:
On the ISA Server computer that is connected to the Internet, ensure
that the LAT contains the IP addresses of the computers on the
perimeter network and the IP address of the ISA Server computer that
is connected to the internal network.
Create publishing rules on the ISA Server computer that is connected
to the Internet to make selected servers on the perimeter network,
such as a mail server or a published Web server, available to external
clients.
Include the IP addresses of the computers on only the internal
network in the LAT of the ISA Server computer that is connected to
the internal network.
Create publishing rules on the ISA Server computer that is connected
to the internal network to make servers on the internal network
available to selected servers on the perimeter network. For example,
create a publishing rule to make a Microsoft SQL Server™ database
that contains inventory data available to a published Web server on
your perimeter network.
Note:
For more information about the LAT, see Module 2,
"Installing and Maintaining ISA Server," in Course
2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000. For more
information about perimeter networks, see Module 6,
"Configuring the Firewall," in Course 2159A, Deploying
and Managing Microsoft Internet Security and
Acceleration Server 2000.
Guidelines for Using Publishing and Routing
If your network                                        Then use
Does not have a perimeter network                      Server publishing
Has a back-to-back perimeter network configuration     Server publishing on both ISA Server computers
Has a three-homed perimeter network configuration      Routing and packet filtering between the Internet and the
                                                       perimeter network; server publishing between the internal
                                                       and perimeter networks
Publishing servers can achieve results similar to
configuring ISA Server to perform routing and packet
filtering. However, unlike routing, which routes Web
requests directly to a server, ISA Server intercepts all of
the requests of a published server.
You always use routing to send IP packets between two
IP addresses that ISA Server treats as internal or
between two IP addresses that ISA Server treats as
external. You use publishing to enable ISA Server to
send packets between an external network and an
internal network.
Use the following guidelines to determine when to use server
publishing and when to use routing and packet filtering.
If your network                                        Then use
Does not have a perimeter network                      Server publishing
Has a back-to-back perimeter network configuration     Server publishing on both ISA Server computers
Has a three-homed perimeter network configuration      Routing and packet filtering between the Internet and the
                                                       perimeter network and server publishing between the
                                                       internal network and the perimeter network
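The routing-versus-publishing rule above and the LAT checklist for the back-to-back design can be modelled in a few lines. The following Python script is an added example, not part of the course module or of ISA Server itself; every address, network and host in it is constructed for illustration, and the "outbound access policy" label for internal-to-external traffic is this example's own naming.

```python
"""Added example (not Microsoft course material): model ISA Server's
routing-versus-publishing decision and the LAT checklist for a
back-to-back perimeter network. All addresses below are constructed."""
import ipaddress


def build_lat(*networks):
    """A LAT is the set of address ranges an ISA Server computer treats as internal."""
    return [ipaddress.ip_network(net) for net in networks]


def is_internal(lat, address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in lat)


def traffic_mode(lat, src, dst):
    """Both endpoints on the same side of the LAT -> routing.
    External source to internal destination -> publishing rules.
    Internal source to external destination -> outbound access policy
    (this example's label for the access policies of Module 3)."""
    src_in, dst_in = is_internal(lat, src), is_internal(lat, dst)
    if src_in == dst_in:
        return "routing"
    return "publishing" if dst_in else "outbound access policy"


def check_back_to_back(outer_lat, inner_lat, perimeter_hosts, internal_hosts,
                       inner_isa_perimeter_address):
    """Apply the module's checklist to the two LATs; return a list of findings
    (an empty list means the LATs match the checklist)."""
    findings = []
    for host in perimeter_hosts:
        if not is_internal(outer_lat, host):
            findings.append(f"outer ISA LAT is missing perimeter host {host}")
        if is_internal(inner_lat, host):
            findings.append("inner ISA LAT must contain only the internal network, "
                            f"but contains perimeter host {host}")
    if not is_internal(outer_lat, inner_isa_perimeter_address):
        findings.append("outer ISA LAT is missing the inner ISA Server computer's "
                        f"address {inner_isa_perimeter_address}")
    for host in internal_hosts:
        if not is_internal(inner_lat, host):
            findings.append(f"inner ISA LAT is missing internal host {host}")
    return findings


# Constructed topology: Internet client -> outer ISA (LAT = perimeter) ->
# perimeter Web server -> inner ISA (LAT = internal) -> internal SQL Server.
OUTER_LAT = build_lat("192.168.9.0/24")
INNER_LAT = build_lat("10.0.0.0/8")
PERIMETER_HOSTS = ["192.168.9.10"]           # published Web server
INTERNAL_HOSTS = ["10.0.0.20"]               # SQL Server with inventory data
INNER_ISA_PERIMETER_ADDRESS = "192.168.9.2"  # inner ISA's adapter on the perimeter
# A misconfigured inner LAT that also claims the perimeter network.
BAD_INNER_LAT = build_lat("10.0.0.0/8", "192.168.9.0/24")


if __name__ == "__main__":
    print(traffic_mode(OUTER_LAT, "203.0.113.7", "192.168.9.10"))   # publishing
    print(traffic_mode(INNER_LAT, "192.168.9.10", "10.0.0.20"))     # publishing
    print(traffic_mode(INNER_LAT, "10.0.0.20", "10.0.0.21"))        # routing
    print(check_back_to_back(OUTER_LAT, INNER_LAT, PERIMETER_HOSTS,
                             INTERNAL_HOSTS, INNER_ISA_PERIMETER_ADDRESS))
    print(check_back_to_back(OUTER_LAT, BAD_INNER_LAT, PERIMETER_HOSTS,
                             INTERNAL_HOSTS, INNER_ISA_PERIMETER_ADDRESS))
```

The second check_back_to_back call shows why the inner LAT must list only the internal network: once it also claims the perimeter range, the inner ISA Server computer treats the perimeter Web server as internal and would route rather than publish between the two networks.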
Publishing Rules Overview
Web Publishing Rules
Server Publishing Rules
Publishing a server
Publishing a mail server
Rules Available for Each Mode
To publish servers, you must configure a publishing
policy. Publishing policies can consist of Web
publishing rules and server publishing rules.
Web Publishing Rules
Web publishing rules determine how ISA Server should
redirect incoming requests for an internal Web server
that use the HTTP, HTTP-S, or FTP protocols. When
using Web publishing rules, you can also specify which
port the ISA Server computer uses to connect to the
Web server. This port can be different from the port that
the client uses to connect to the ISA Server computer.
Server Publishing Rules
Server publishing rules determine how ISA Server
should process incoming requests for internal servers
that use protocols other than the HTTP, HTTP-S, or FTP,
such as protocols used by database servers or mail
servers.
Publishing a Server
When you publish a server, ISA Server forwards
requests to an internal server located behind the ISA
Server computer. As with Web publishing rules, server
publishing rules determine which requests the ISA
Server computer forwards and which requests it
discards. Unlike Web publishing rules, server
publishing rules do not allow you to change the port
that the ISA Server computer uses to connect to the
published server.
Publishing a Mail Server
ISA Server includes the Mail Server Security Wizard that you can
use to publish a mail server. When you complete the Mail Server
Security Wizard, ISA Server creates rules that allow incoming or
outgoing mail traffic that uses one or more of the most common
mail protocols. When using the Mail Server Security Wizard, it is not
necessary to know the details of each mail protocol. ISA Server
creates the required rules based on the service that you select in
the wizard.
Publishing a server also enables you to apply rules to enforce strict
policies on the incoming traffic. For example, you can specify a
publishing rule that allows traffic from only a mail server in the
perimeter network to be forwarded to your internal mail server.
Rules Available for Each Mode
The following table lists the publishing policy rules that are available
for each ISA Server installation mode.
Rule type                  Firewall    Cache    Integrated
Web publishing rules       No          Yes      Yes
Server publishing rules    Yes         No       Yes
Configuring Web Publishing
Publishing a Web Server
Configuring Listeners for Incoming Web Requests
Redirecting Requests to Other Ports
Establishing Secure Communication
Configuring SSL Bridging
Requiring a Secure Channel
In addition to enabling secure access to the Internet for
internal clients, ISA Server can provide secure access to
internal servers for external clients. To make internal
servers available to external clients, you create a
publishing policy to securely publish your internal
servers. The publishing policy consists of Web
publishing rules or server publishing rules that
determine how the internal servers are published. In
addition, you can require authentication for your
network and specify Secure Sockets Layer (SSL)
encryption when redirecting incoming requests to
ensure secure communication.
Publishing a Web Server
[Slide diagram: requests from the Internet for www.nwtraders.msft/europe and www.nwtraders.msft/africa reach the ISA Server computer, which redirects them to the internal servers europe.internal.nwtraders.msft (Europe) and africa.internal.nwtraders.msft (Africa) on the internal network.]
You can publish Web servers to make internal Web sites
accessible to users on the Internet. To publish a Web
server, you must first create a Web publishing rule. By
creating a Web publishing rule, you configure the ISA
Server computer to redirect incoming requests to a Web
server on the internal network.
Using Destination Sets
Unlike the destination sets that you configure for access policies,
destination sets for publishing rules specify computers in your
internal network that external clients connect to, such as the name
or the IP address of your ISA Server computer. You can create a
specified destination set to use in Web publishing rules for
redirecting requests for sections of a Web site to different internal
servers.
For example, you can create a destination set for
www.nwtraders.msft/europe. You would use this
destination set in a Web publishing rule to redirect requests for this
section of the Web site to an internal server named
europe.internal.nwtraders.msft. You can then create
another destination set for www.nwtraders.msft/africa.
You would use this destination set in a Web publishing rule to
redirect requests for this section of the Web site to an internal
server named africa.internal.nwtraders.msft.
When using a destination set that contains a path after
the computer name, the Web server must contain the
same path. For example, if a client requests
www.nwtraders.msft/africa/default.htm,
the internal server
africa.internal.nwtraders.msft must
contain the path and file /africa/default.htm.
Note:
For more information about how to configure destination
sets, see Module 3, "Enabling Secure Internet Access," in
Course 2159A, Deploying and Managing Microsoft
Internet Security and Acceleration Server 2000.
Creating a New Web Publishing Rule
To create a new Web publishing rule:
In ISA Management, in the console tree, expand your server or
array, expand Publishing, click Web Publishing Rules, and then in
the details pane, click Create a Web Publishing Rule.
In the New Web Publishing Rule Wizard, type a name for the rule,
and then click Next.
On the Destination Sets page, specify a destination set and the
associated information, and then click Next.
On the Client Type page, specify a client type, and then click Next.
Note:
Unlike the rules that you configure for access policies, client sets for
publishing rules typically specify locations outside the internal network,
such as the IP addresses for a business partner. For more information
about how to configure client sets, see Module 3, "Enabling Secure
Internet Access," in Course 2159A, Deploying and Managing Microsoft
Internet Security and Acceleration Server 2000.
On the Rule Action page, click Discard the request to
ignore requests that match the rule conditions or click
Redirect the request to this internal Web server, type the
name of the published Web server, and then click Next.
Note:
If your internal Web server hosts multiple Web sites, you may have
to configure how ISA Server handles host headers. For more
information about how to configure ISA Server for advanced Web
publishing scenarios, see the \support\docs\ copublish.htm file on
the ISA Server compact disc.
On the Completing the New Web Publishing Rule
Wizard page, review your choices, and then click Finish.
Changing the Rule Order
ISA Server processes Web publishing rules in the order
in which they are listed in the Web Publishing Rules
folder and processes the first rule that applies to a
request. After a match occurs, no further processing is
done for that request.
To change the rule order, click a rule, and then on the
toolbar, click the Move Up button or the Move Down
button.
ISA Server always contains the default rule, which
discards all incoming requests. Because ISA Server
always processes the default rule last, ISA Server
applies this rule to all incoming requests that are not
covered by another Web publishing rule. You cannot
modify, delete, or change the order of the default rule.
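The destination-set matching described under "Using Destination Sets" and the first-match ordering described here can be modelled together. The Python script below is an added example, not course material or ISA Server code: the nwtraders.msft names come from the module, while the rule names, the partner address range and the "partners" area are constructed for illustration.

```python
"""Added example (not Microsoft course material): model how ISA Server
evaluates an ordered list of Web publishing rules. Rule names, client
address ranges and the 'partners' area are constructed; the
nwtraders.msft names come from the module."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DestinationSet:
    """A host name plus an optional path, e.g. www.nwtraders.msft/europe."""
    host: str
    path: str = "/"

    def matches(self, host, request_path):
        if host.lower() != self.host.lower():
            return False
        prefix = self.path.rstrip("/")
        # "/europe" must match "/europe" and "/europe/..." but not "/europe-old".
        return request_path == self.path or request_path.startswith(prefix + "/")


@dataclass
class WebPublishingRule:
    name: str
    destinations: list
    action: str                     # "redirect" or "discard"
    internal_server: str = ""
    client_sets: list = field(default_factory=list)  # ip_network objects; empty = any request

    def applies_to(self, client_ip, host, path):
        if self.client_sets:
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in net for net in self.client_sets):
                return False
        return any(d.matches(host, path) for d in self.destinations)


def evaluate(rules, client_ip, host, path):
    """First matching rule wins and no later rule is consulted. The built-in
    default rule, which discards everything, always runs last."""
    for rule in rules:
        if rule.applies_to(client_ip, host, path):
            if rule.action == "discard":
                return ("discard", rule.name, None)
            # The path is passed through unchanged, so the internal server
            # must hold the same path (e.g. /africa/default.htm).
            return ("redirect", rule.name, rule.internal_server + path)
    return ("discard", "Default rule", None)


PARTNER_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed partner range

EUROPE = WebPublishingRule("Publish Europe site",
                           [DestinationSet("www.nwtraders.msft", "/europe")],
                           "redirect", "europe.internal.nwtraders.msft")
AFRICA = WebPublishingRule("Publish Africa site",
                           [DestinationSet("www.nwtraders.msft", "/africa")],
                           "redirect", "africa.internal.nwtraders.msft")
PARTNERS = WebPublishingRule("Publish partner area to partners only",
                             [DestinationSet("www.nwtraders.msft", "/partners")],
                             "redirect", "partners.internal.nwtraders.msft",
                             client_sets=PARTNER_CLIENTS)
BLOCK_PARTNERS = WebPublishingRule("Discard partner area",
                                   [DestinationSet("www.nwtraders.msft", "/partners")],
                                   "discard")

# Intended order: the partner-only redirect must come before the discard rule.
RULES = [EUROPE, AFRICA, PARTNERS, BLOCK_PARTNERS]
# Same rules with the last two swapped: the discard now shadows the redirect.
SHADOWED = [EUROPE, AFRICA, BLOCK_PARTNERS, PARTNERS]


if __name__ == "__main__":
    for path in ("/africa/default.htm", "/europe/news/index.htm", "/africa-old/x.htm"):
        print(path, evaluate(RULES, "203.0.113.7", "www.nwtraders.msft", path))
    print(evaluate(RULES, "198.51.100.9", "www.nwtraders.msft", "/partners/prices.htm"))
    print(evaluate(SHADOWED, "198.51.100.9", "www.nwtraders.msft", "/partners/prices.htm"))
```

Running the same partner request against RULES and SHADOWED is the point of the example: after a Move Up or Move Down, a discard rule placed above a more specific redirect silently wins, and a request that matches no rule at all falls through to the default rule.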
Configuring Listeners for Incoming Web Requests
[Screenshot: the LONDON Properties dialog box, Incoming Web Requests tab, with the options Use the same listener configuration for all internal IP addresses and Configure listeners individually per IP address, a listener list (server PHOENIX, <All internal>, Integrated authentication) with Add, Remove and Edit buttons, TCP port 80, SSL port 443, the Enable SSL listeners check box, and under Connections the Ask unauthenticated users for identification check box. In front of it, the Add/Edit Listeners dialog box for server LONDON, IP address 131.107.3.1, display name PartnerWeb, with the Use a server certificate to authenticate to web clients check box (Select button) and the authentication methods Basic with this domain, Digest with this domain, Integrated, and Client certificate (secure channel only).]
Before ISA Server responds to HTTP requests and SSL
connection requests on the external interface of an ISA
Server computer, you must configure at least one
listener that determines how ISA Server responds to
these requests. A listener is an ISA Server configuration
that defines how the ISA Server computer listens for
incoming or outgoing HTTP requests and SSL requests.
Unless you configure listeners for incoming requests,
ISA Server discards all of the incoming Web requests
before applying Web server publishing rules. You can
configure the same listener configuration for all IP
addresses, or you can configure separate listener
configurations for different IP addresses.
You can also require authentication for users that gain access to
the ISA Server computer by using a listener. The authentication that
you configure for the ISA Server computer is in addition to any
authentication that the published Web server requires. ISA Server
applies rules based on ISA Server authentication. These rules
determine whether and how a request is passed on to the Web
server. The authentication method that you configure for the Web
server determines whether a user is allowed to gain access to
content on the Web server.
Note:
The procedure for configuring authentication for incoming requests
is analogous to the procedure for configuring authentication for
outgoing requests. For more information about configuring
authentication, see Module 3, "Enabling Secure Internet Access," in
Course 2159A, Deploying and Managing Microsoft Internet Security
and Acceleration Server 2000.
To configure listeners:
In ISA Management, in the console tree, right-click your
server or array, and then click Properties.
In the Properties dialog box for your server or array, on the Incoming
Web Requests tab, perform the following actions.
To                                          Do this
Use the same configuration for all IP       Click Use the same listener configuration for all IP
addresses                                   addresses, and then click Edit.
Use individual listeners for each IP        Click Configure listeners individually per IP address,
address                                     and then click Add. In the Add/Edit Listeners dialog box,
                                            select an ISA Server computer, and then select the IP
                                            address of that computer.
In the Display Name box, type a display name for the listener.
Note:
Perform the following step only if you use user or group restrictions in your
Web publishing rules.
Under Authentication, select one or more of the check boxes for your
designated authentication methods, and then click OK.
In the TCP port box, type the port number on which ISA Server will listen for
Web requests. The default port is Transmission Control Protocol (TCP) port
80.
To require authentication for gaining access to ISA Server by using a listener,
select the Ask unauthenticated users for identification check box, and then
click OK.
Tip:
Requiring authentication is impractical when you publish a Web server to
make that Web server publicly available. Most often, a better option is to
configure the appropriate authentication on the Web server. Use
authentication only when publishing Web servers with limited availability,
such as a Web server that is available to only selected business partners.
Redirecting Requests to Other Ports
[Screenshot: the PartnerWeb Properties dialog box, Action tab (tabs: General, Destinations, Action, Bridging, Applies To). Options: Discard the request; Redirect the request to this internal Web server (name or IP address), set to London, with a Browse button; Send the original host header to the publishing server instead of the actual one (specified above); and, under Define ports this rule redirects to, Connect to this port when bridging request as HTTP (80), as SSL (443), and as FTP (21). Callout: type the IP address or DNS name of the published server.]
Web publishing rules specify which server should
return a requested object to a client. By default, ISA
Server redirects HTTP requests and SSL requests to the
default ports for these services on an internal server. If
an internal server uses a non-standard port for HTTP,
SSL, or FTP requests, you can redirect incoming Web
requests to a published server on your internal network.
Note:
Some Web servers use non-standard ports to allow a
single computer to run multiple Web sites.
To redirect incoming Web requests to a published
server:
In ISA Management, in the console tree, click Web
Publishing Rules.
In the details pane, click the applicable Web publishing
rule, and then click Configure a Web Publishing Rule.
In the Properties dialog box for the Web publishing rule,
on the Action tab, click Redirect the request to this
internal Web server (name or IP address), type the IP
address or the DNS name, perform the following actions,
and then click OK.
In the                                                      Type
Connect to this port when bridging requests as HTTP box     The port number to use for HTTP requests. The default HTTP port is 80.
Connect to this port when bridging requests as SSL box      The port number to use for SSL requests. The default SSL port is 443.
Connect to this port when bridging requests as FTP box      The port number to use for FTP requests. The default FTP port is 21.
Establishing Secure Communication
[Screenshot: the Add/Edit Listeners dialog box for server LONDON, IP address 131.107.3.1, display name Partner Web, with Use a server certificate to authenticate to web clients selected and the authentication methods Basic with this domain, Digest with this domain, Integrated, and Client certificate (secure channel only). In front of it, the Select Certificate dialog box ("Select a certificate from the list of certificates available on the specified server") listing two certificates issued to vancouver.nam… by Northwind Tra…, both expiring 10/12/2002, with the friendly names Partner Web… and Public Web Site.]
When you redirect incoming Web requests, you must
ensure that all network traffic is secured appropriately.
For example, when clients attempt to establish a secure
session with a published Web Server, you must
configure ISA Server to establish this secure connection
across the Internet on behalf of the Web server.
When ISA Server receives an SSL request from a client
for an object on a published server, ISA Server
establishes a separate SSL channel with the published
server. This type of redirection is called SSL bridging.
SSL bridging ensures that both parts of the connection,
the session between the client and the ISA Server
computer and the session between ISA Server and the
internal Web server, are encrypted.
SSL Overview
The SSL protocol enables secure data communication
over networks by using encryption and decryption.
Many Web sites use the SSL protocol to obtain
confidential data from users, such as credit card
information. Web pages that use an SSL connection
begin with https instead of http. By default, Web servers
receive SSL packets on TCP port 443.
SSL uses server certificates to encrypt traffic between
the client and the server. Clients can also use a server's
certificates to authenticate the identity of the server
before sending confidential information.
Note:
For more information about Public Key Infrastructure
(PKI), including how to use and install certificates in
Microsoft Windows® 2000, see Module 14, "Designing a
PKI for Business Partners," in Course 2150, Designing a
Secure Microsoft Windows 2000 Network, and Module 5,
"Configuring Network Security by Using Public Key
Infrastructure," in Course 2153, Implementing a
Microsoft Windows 2000 Network Infrastructure.
Publishing Secure Web Sites
When you publish a server that uses the SSL protocol to
encrypt client requests to the server, clients connect to
the ISA Server computer on port 443. To enable the ISA
Server computer to respond to this request, you must
configure the ISA Server computer to listen on port 443.
You must also configure the ISA Server computer to use
a server certificate to impersonate the published server.
To configure the ISA Server computer to listen for incoming SSL
requests:
In ISA Management, in the console tree, right-click your server or
array, and then click Properties.
In the Properties dialog box for the server or array, on the Incoming
Web Requests tab, ensure that the Enable SSL listeners check box
is selected and that the SSL port number matches the port number
that external clients use to connect to the ISA Server computer. By
default, this port is port 443.
Select the appropriate listener, and then click Edit.
In the Add/Edit Listeners dialog box, select the Use a server
certificate to authenticate to web clients check box, and then click
Select.
In the Select Certificate dialog box, select the certificate that was
issued for the published Web site, and then click OK three times.
Important:
Before you can select a certificate, the certificate must
have been issued for the Web site, and you must have
installed this certificate on the ISA Server computer by
using the Certificates Microsoft Management Console
(MMC) snap-in.
Configuring SSL Bridging
[Screenshot: the PartnerWeb Properties dialog box, Bridging tab. Redirect HTTP requests as: HTTP requests, SSL requests (establish a secure channel to the site), or FTP requests. Redirect SSL requests as: HTTP requests (terminate the secure channel at the proxy), SSL requests (establish a secure channel to the site), or FTP requests. Check boxes: Require secure channel (SSL) for published site, Require 128-bit encryption, and Use a certificate to authenticate to the SSL Web server (with a Select button). Callouts: select to redirect SSL requests as HTTP requests; select to authenticate the ISA Server by using a certificate.]
After the ISA Server computer has received a Web
request, it provides one endpoint of the SSL connection.
ISA Server then establishes a separate connection to
the published Web server. By default, ISA Server uses
SSL for this connection.
Note:
If you are not concerned about the security of the
communications channel between ISA Server and the
internal Web server, or if the internal Web server does
not support SSL, you can change the communication
protocol that ISA Server uses to connect to the Web
server.
To configure SSL bridging:
In ISA Management, in the console tree, expand your
server or array, and then click Web Publishing Rules.
In the details pane, click the applicable Web publishing
rule, and then click Configure a Web Publishing Rule.
On the Bridging tab, under Redirect SSL requests as,
select whether to redirect SSL requests as HTTP, SSL, or
FTP requests.
If you redirect by using SSL and the published Web server
is configured to require certificates for authenticating client
requests, select the Use a certificate to authenticate to the
SSL Web server check box, click Select, select the client
certificate, and then click OK.
Requiring a Secure Channel
[Screenshot: the PartnerWeb Properties dialog box, Bridging tab, as above, with callouts on Require secure channel (SSL) for published site (select to require a secure channel for Web requests) and on Require 128-bit encryption (select for a higher level of security).]
For increased security, you can configure ISA Server to
require a secure SSL channel for all Web requests for
the published Web server. When you select this option,
the Web publishing rule allows only connections that
clients make to the port that you configured for SSL
connections and denies connection requests that
clients make to the TCP port.
To require a secure channel:
In ISA Management, in the console tree, expand your server or
array, and then click Web Publishing Rules.
In the details pane, click the applicable Web publishing rule, and
then click Configure a Web Publishing Rule.
On the Bridging tab, select the Require secure channel (SSL) for
published site check box.
For high security sites or to ensure a higher level of encryption,
select the Require 128-bit encryption check box, and then click OK.
Important:
128-bit encryption requires you to install the Microsoft Windows
2000 High Encryption Pack on the ISA Server computer. You can
download the Windows 2000 High Encryption Pack at
http://windowsupdate.microsoft.com
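The listener, port-redirection, SSL bridging and secure-channel settings from the preceding sections interact on every request, and it helps to see the decision order in one place. The Python script below is an added example, not course material or ISA Server code: it models a listener and a rule's Action and Bridging tabs as plain data, the ports are the module's defaults (80, 443, 21), and the LONDON listener, the PartnerWeb rule values and the cipher strengths are constructed. The cipher-bit check is this example's own way of representing the Require 128-bit encryption option.

```python
"""Added example (not Microsoft course material): model an incoming Web
listener together with a Web publishing rule's Action and Bridging settings.
Listener, rule and server names are constructed; ports follow the module's
defaults (80, 443, 21)."""
from dataclasses import dataclass


@dataclass
class Listener:
    tcp_port: int = 80
    ssl_port: int = 443
    ssl_enabled: bool = False
    server_certificate: str = ""      # friendly name of the site certificate installed on ISA


@dataclass
class BridgingSettings:
    redirect_http_as: str = "HTTP"    # HTTP, SSL or FTP
    redirect_ssl_as: str = "SSL"      # SSL = separate secure channel to the site (default)
    require_secure_channel: bool = False
    require_128_bit: bool = False
    http_port: int = 80               # "Connect to this port when bridging request as ..."
    ssl_port: int = 443
    ftp_port: int = 21


def bridge(listener, rule, internal_server, client_port, cipher_bits=0):
    """Decide what ISA Server does with a request that arrived on client_port.
    Returns ("deny", reason) or ("connect", backend_protocol, server, port)."""
    if client_port == listener.tcp_port:
        incoming = "HTTP"
    elif listener.ssl_enabled and client_port == listener.ssl_port:
        incoming = "SSL"
    else:
        # No listener on this port: the request is discarded before any rule applies.
        return ("deny", f"no listener on port {client_port}")
    if incoming == "SSL" and not listener.server_certificate:
        return ("deny", "SSL listener has no server certificate to impersonate the site")
    if rule.require_secure_channel and incoming != "SSL":
        return ("deny", "rule requires a secure channel (SSL) for the published site")
    if incoming == "SSL" and rule.require_128_bit and cipher_bits < 128:
        return ("deny", f"rule requires 128-bit encryption, client offered {cipher_bits}")
    # Bridging: the incoming protocol selects which "Redirect ... as" setting
    # applies, and that choice selects the port ISA connects to on the site.
    backend = rule.redirect_http_as if incoming == "HTTP" else rule.redirect_ssl_as
    port = {"HTTP": rule.http_port, "SSL": rule.ssl_port, "FTP": rule.ftp_port}[backend]
    return ("connect", backend, internal_server, port)


# Constructed settings for a PartnerWeb rule published through LONDON.
PUBLIC_LISTENER = Listener()                                         # HTTP only
SECURE_LISTENER = Listener(ssl_enabled=True, server_certificate="Partner Web")
DEFAULT_RULE = BridgingSettings()
PARTNER_RULE = BridgingSettings(require_secure_channel=True, require_128_bit=True)
# Terminate SSL at the proxy and reach a site that listens on a non-standard port.
TERMINATE_AT_PROXY = BridgingSettings(redirect_ssl_as="HTTP", http_port=8080)


if __name__ == "__main__":
    print(bridge(PUBLIC_LISTENER, DEFAULT_RULE, "london", 80))
    print(bridge(PUBLIC_LISTENER, DEFAULT_RULE, "london", 443))
    print(bridge(SECURE_LISTENER, PARTNER_RULE, "london", 80))
    print(bridge(SECURE_LISTENER, PARTNER_RULE, "london", 443, cipher_bits=56))
    print(bridge(SECURE_LISTENER, PARTNER_RULE, "london", 443, cipher_bits=128))
    print(bridge(SECURE_LISTENER, TERMINATE_AT_PROXY, "london", 443, cipher_bits=128))
```

The order of the checks mirrors the module: no listener means the request never reaches a rule; an SSL listener is useless without the site certificate; Require secure channel rejects the TCP port outright; and only then does the Bridging tab decide which protocol and port are used for the second, separate connection to the published server.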
Configuring Server Publishing
Publishing a Server
Publishing a Mail Server
Configuring the Message Screener
When you publish a server, server publishing rules
direct incoming requests from external clients to
internal servers. ISA Server uses server publishing rules
to process incoming requests to internal servers, such
as Simple Mail Transfer Protocol (SMTP) servers, FTP
servers, or Structured Query Language (SQL) servers.
ISA Server forwards the requests to an internal server,
which is located behind the ISA Server computer.
ISA Server includes the Mail Server Security Wizard,
which you can use to host and secure a mail server
located behind an ISA Server computer. The wizard
configures ISA Server rules to securely publish internal
mail services to your external users. If you install and
enable the SMTP filter, you can apply content filtering
for all incoming mail.
Important:
To enable publishing of an internal server, you must
configure that server as a SecureNAT client. For
information about configuring SecureNAT clients, see
Module 2, "Installing and Maintaining ISA Server," in
Course 2159A, Deploying and Managing Microsoft
Internet Security and Acceleration Server 2000.
Publishing a Server
[Slide: pages of the New Server Publishing Rule Wizard: Start, Name the Rule, Specify Address Mapping, Select a Protocol Setting, Select a Client Type, Finish.]
You can configure server publishing rules for protocols
other than HTTP, HTTP-S, and FTP. Server publishing
rules grant Internet users the access that you specify to
the published server. You can configure a server
publishing rule to allow client connections by using any
protocol that you have configured in an incoming
protocol definition.
To create a new server publishing rule:
In ISA Management, in the console tree, expand your server or
array, double-click Publishing, and then click Server Publishing
Rules.
In the details pane, click Publish a Server.
In the New Server Publishing Rule Wizard, type a name for the rule,
and then click Next.
On the Address Mapping page, specify the IP address of the internal
server and the external server as follows, and then click Next:
• IP address of internal server. Type the address to which the ISA
Server computer forwards all incoming requests.
• External IP address on ISA Server. Type the external address of
the ISA Server computer that the external clients connect to when
they establish a session with the published server.
On the Protocol Settings page, select a protocol to which the rule
applies, and then click Next.
You can select from all of the protocol definitions that are configured
on the ISA Server computer with the direction configured as inbound.
Note:
For more information about configuring protocol definitions, see Module 3,
"Enabling Secure Internet Access," in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.
On the Client Type page, select a client type, and then click Next.
On the Complete the New Server Publishing Rule Wizard page,
review your choices, and then click Finish.
Publishing a Mail Server
Mail Server Security Wizard, Mail Services Selection page (slide):
"Select the mail services that you would like to publish to your external users."
The page has a Default Authentication column and an SSL Authentication column for each of the following services:
Incoming SMTP (with an Apply content filtering check box; select it to apply content filtering to incoming SMTP traffic)
Outgoing SMTP
Incoming Microsoft Exchange/Outlook
Incoming POP3
Incoming IMAP4
Incoming NNTP
The Mail Server Security Wizard allows you to choose
default authentication or SSL authentication for clients
to gain access to the mail services. You can also choose
to apply content filtering to incoming SMTP traffic.
To run the Mail Server Security Wizard:
In ISA Management, in the console tree, expand your
server or array, expand Publishing, and then in the
details pane, click Secure Mail Server.
Follow the on-screen instructions to complete the wizard.
Configuring Content Filtering
The Mail Server Security Wizard gives you an option to apply
content filtering of incoming SMTP traffic. If you choose this option,
ISA Server enables the SMTP application filter and processes
messages based on the SMTP commands that you configured in
the SMTP filter.
After you enable the SMTP filter, you can configure advanced
content filtering, such as filtering by attachment type. To enable
advanced content screening, you must install and configure the
Message Screener, an optional ISA Server component. You must
install this component on a computer that runs Internet Information
Services (IIS) with the optional SMTP Server component. The
configuration steps that are required depend on whether you run
the Message Screener on the ISA Server computer or on another
computer on your internal network. It is recommended that you run
the Message Screener on a separate computer unless there is only
light SMTP traffic.
Using Content Filtering
When you have configured all components, the
following process takes place:
ISA Server forwards all incoming SMTP messages to the
SMTP server. The SMTP Server can be running on the
ISA Server computer or on another computer on your
network.
The Message Screener retrieves the filter settings that
you configured for the SMTP filter from the ISA Server
computer.
The Message Screener processes messages according
to the settings that you configured and then forwards or
delivers all messages that it does not drop or hold
because of a rule. For example, the SMTP server may
forward all messages to a Microsoft Exchange Server
computer that acts as the main mail server for your
organization. Users can then retrieve messages from
that server.
Note:
For more information about how to configure content
filtering after you have enabled the Message Screener,
see Module 6, "Configuring the Firewall," in Course
2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.
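The following is an added example, not code from the course or from ISA Server: it models the decision the text describes, screening each incoming SMTP message by attachment type and by keyword and then dropping, holding, or forwarding it. The policy, the sample messages, and the function names are assumptions chosen to illustrate the process; the real Message Screener reads its rules from the SMTP filter configuration on the ISA Server computer.

```python
"""Constructed model of the Message Screener's drop/hold/forward loop.

Added example, not ISA Server code. The policy, sample messages and
function names are assumptions made for illustration.
"""
from email import message_from_string
from email.message import Message
from typing import Dict, List

# Assumed policy, in the spirit of the SMTP filter's attachment and
# keyword settings: executable attachments are dropped outright,
# messages matching a sensitive phrase are held for an administrator.
POLICY: Dict = {
    "blocked_extensions": {".exe", ".vbs", ".scr"},
    "hold_keywords": {"confidential", "wire transfer"},
}


def attachment_names(msg: Message) -> List[str]:
    """Return the file names of all attachments, walking nested MIME parts."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def screen(raw: str, policy: Dict = POLICY) -> str:
    """Decide 'drop', 'hold' or 'forward' for one raw RFC 822 message.

    Drop is checked first so a blocked executable is never retained
    merely because the message also matched a hold keyword.
    """
    msg = message_from_string(raw)
    for name in attachment_names(msg):
        # Compare only the final suffix, case-insensitively ("Invoice.EXE").
        suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if suffix in policy["blocked_extensions"]:
            return "drop"
    subject = (msg.get("Subject") or "").lower()
    body = ""
    for part in msg.walk():
        # Only inline text/plain parts count as body text for keyword matching.
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("utf-8", errors="replace").lower()
    if any(k in subject or k in body for k in policy["hold_keywords"]):
        return "hold"
    return "forward"


# Constructed sample messages (not captured traffic).
CLEAN = "From: a@nwtraders.msft\nTo: b@nwtraders.msft\nSubject: lunch\n\nNoon?\n"
EXE = (
    "From: x@example.test\nTo: b@nwtraders.msft\nSubject: invoice\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=B\n\n"
    "--B\nContent-Type: text/plain\n\nsee attached\n"
    "--B\nContent-Type: application/octet-stream; name=\"Invoice.EXE\"\n"
    "Content-Disposition: attachment; filename=\"Invoice.EXE\"\n\nMZ...\n--B--\n"
)
HOLD = ("From: c@example.test\nTo: b@nwtraders.msft\n"
        "Subject: Wire Transfer request\n\nplease approve today\n")


def run_screener(messages: List[str]) -> List[str]:
    """Return the action chosen for each message, in order."""
    return [screen(m) for m in messages]


if __name__ == "__main__":
    for m, action in zip([CLEAN, EXE, HOLD], run_screener([CLEAN, EXE, HOLD])):
        print(message_from_string(m)["Subject"], "->", action)
```

The order of the checks is the point worth carrying into any real rule set: a message that matches a drop rule should never be retained by a later hold rule, and keyword matching should be done on decoded body text, not on the raw MIME stream, or encoded parts slip past it.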
Configuring the Message Screener
Running the Message Screener on the ISA Server
Computer
Running the Message Screener on a Separate Computer
You can run the Message Screener on an ISA Server
computer or on another computer.
Running the Message Screener on the ISA Server
Computer
To run the Message Screener on the ISA Server computer:
On the ISA Server computer, install or configure IIS, including the
SMTP Service component.
In IIS, configure the Default SMTP Virtual Server to listen only on the
internal IP address of the ISA Server computer.
In IIS, configure the Default SMTP Virtual Server to accept incoming
mail from all domains and to forward all mail to your internal mail
server, such as an Exchange Server computer.
Note:
For maximum security, it is recommended that you use Microsoft
Exchange 2000 Server as the mail server for your organization.
Install the Message Screener on the ISA Server
computer by running the ISA Server Setup program.
Create a server publishing rule, or use the Mail Server
Security Wizard (Secure Mail Server), to publish the SMTP
server, specifying the internal IP address of the ISA Server
computer as the address of the published server.
Enable the SMTP filter.
Tip:
For information about configuring the SMTP filter, see
the Advanced Filter Configuration instructions in the
\support\docs\smtpfilter.htm file on the ISA Server
compact disc.
Running the Message Screener on a Separate
Computer
To run the Message Screener on a computer separate
from the ISA Server computer:
On the designated computer, install IIS, including the
SMTP Service component. The Message Screener
requires IIS and the SMTP Service on the computer on
which it is running.
In IIS, configure the Default SMTP Virtual Server to accept
incoming mail from all domains and to forward all mail to
your internal mail server that is running Exchange Server.
Note:
For maximum security, it is recommended that you use
Exchange 2000 Server as the mail server for your
organization.
Install the Message Screener on the SMTP server. To install the Message
Screener, perform a custom installation of ISA Server. Do not install any
other ISA Server components on the computer running the SMTP server
unless they are required for other purposes.
On the SMTP server, run the SMTPCred.exe utility that is included in the
\isa\i386 directory on the ISA Server compact disc, and then enter the
following information:
The name of the ISA Server computer.
The interval at which the Message Screener will retrieve configuration
information from the ISA Server computer.
The credentials of a user account that is valid on the ISA Server computer.
This account must be a valid user account, but it does not require any
special privileges, so use a dedicated account that holds no other rights.
Note:
You must run SMTPCred.exe only if ISA Server is running as a stand-alone
server or if the Message Screener does not belong to the same Active
Directory™ directory service forest as the ISA Server computer.
Create a server publishing rule, or use the Mail Server
Security Wizard (Secure Mail Server), to publish the SMTP server.
Configure Distributed Component Object Model (DCOM)
permissions on the ISA Server computer to allow the
Message Screener to gain access to the ISA Server
computer.
Note:
For details about how to configure DCOM for ISA Server,
see the Advanced Filter Configuration instructions in
the \support\docs\smtpfilter.htm file on the ISA Server
compact disc.
Adding an H.323 Gatekeeper
H.323 Overview
How the H.323 Gatekeeper Works
Adding and Configuring an H.323 Gatekeeper
The Microsoft H.323 Gatekeeper service of ISA Server allows you to
configure incoming connections and routing for the applications
that use the H.323 protocol. Applications that use the H.323
protocol provide multimedia communications services to registered
clients. These services include data conferencing and Internet
telephony. Microsoft NetMeeting® is one example of an application
that uses the H.323 protocol.
Note:
The H.323 protocol is a standard approved by the International
Telecommunication Union (ITU) that defines how packet-based,
multimedia data is transmitted across networks. For more
information about the H.323 protocol, see the International
Telecommunication Union Web site at http://www.itu.int/ For more
information about NetMeeting, see the Microsoft Web site at
http://www.microsoft.com/windows/netmeeting/
H.323 Overview
(Slide diagram: two clients communicating across the Internet through an H.323 gateway, with the list of what the H.323 standard defines, repeated below.)
The H.323 protocol is an ITU standard that specifies
how terminals, equipment, and services for multimedia
communicate over networks that do not provide a
guaranteed quality of service, such as the Internet.
H.323 terminals and equipment can carry real-time
video, voice streams, data streams, or any combination
of these elements. Devices that use the H.323 protocol
for audio and video enable you to connect to and
communicate with other people over the Internet, just as
people that use different types of telephones can
communicate over the public switched telephone
network (PSTN).
The H.323 standard defines:
How connections are established.
How two devices initiate communication with each
other, or capability negotiation.
How data is transmitted over a network.
How audio and video compressor/decompressor
(codec) components encode and decode input/output.
Note:
Codec components can be implemented in software, in
hardware, or in a combination of both.
How the H.323 Gatekeeper Works
(Slide diagram.) DNS holds two SRV records: _Q931._tcp.contoso.msft, pointing to the contoso.msft gatekeeper at 24.0.0.10, and _Q931._tcp.nwtraders.msft, pointing to the ISA Server H.323 gateway at 136.0.0.1. The origination endpoint, john@nwtraders.msft (10.0.0.9), sits behind the ISA H.323 gateway; the destination endpoint, susan@contoso.msft (192.168.0.10), sits behind the contoso.msft gatekeeper. The steps numbered 1 through 5 on the diagram are described below.
Every H.323 transaction has two endpoints, an
origination endpoint and a destination endpoint. An
endpoint can be an H.323 client, such as a client
computer running NetMeeting, or a proxy server, such
as an ISA Server computer. The gatekeepers control
access to the network, allowing or denying calls and
controlling the bandwidth of the call. Gatekeepers also
help with address resolution, which is the process of
converting e-mail addresses into appropriate network
addresses.
For example, a client computer running NetMeeting uses the H.323
Gatekeeper service on the ISA Server computer to find and connect with a
user in another organization as follows:
A user, john@nwtraders.msft, opens NetMeeting and places a call to
another user, susan@contoso.msft.
NetMeeting queries DNS on the Internet to find a gatekeeper for
contoso.msft.
DNS finds the appropriate service location (SRV) resource record and then
returns the IP address of the gatekeeper at contoso.msft to John's
computer.
NetMeeting on John's computer calls the gatekeeper for contoso.msft.
If susan@contoso.msft is a valid user and is registered on the contoso.msft
gatekeeper, the gatekeeper routes the incoming connection to Susan.
Note:
In the example, the gatekeeper at contoso.msft must perform IP
address translation because 192.168.0.10 is on a private network. The
gatekeeper acts as a proxy for susan@contoso.msft and transparently
handles all address translations that are required to maintain the
connection.
Adding and Configuring an H.323 Gatekeeper
(Slide: the ISA Management console tree, with the H323 Gatekeepers node listed after Monitoring, Access Policy, Publishing, Bandwidth Rules, Policy Elements, Cache Configuration, Monitoring Configuration, Extensions (Application Filters, Web Filters), Network Configuration and Client Configuration. One gatekeeper, LONDON, is listed with status Normal. The Action menu offers Add gatekeeper, and the Add Gatekeeper dialog box asks you to select a computer running H.323 Gatekeeper, with the options This computer and Another computer.)
You can add an H.323 Gatekeeper when you want to
enable incoming connections for applications that use
the H.323 protocol or if you want to configure detailed
routing rules for H.323-based applications. You can use
an H.323 Gatekeeper to establish incoming connections
with both SecureNAT clients and Firewall clients. You do
not have to create a gatekeeper to enable outgoing
connections that use the H.323 protocol.
If you choose Full Installation while installing ISA
Server, the H.323 Gatekeeper Service is automatically
installed. You can also add the H.323 Gatekeeper
Service by performing a custom installation.
Adding an H.323 Gatekeeper
To add an H.323 Gatekeeper after installing ISA Server:
In ISA Management, in the console tree, right-click H323 Gatekeepers,
and then click Add gatekeeper.
In the Add Gatekeeper dialog box, choose one of the following options,
and then click OK.
To                                                  Do this
Specify that the H.323 Gatekeeper                   Click This computer.
should run on the local computer
Specify that the H.323 Gatekeeper                   Click Another computer, and then
should run on a remote computer                     type the DNS name of the remote computer.
Configuring the H.323 Application Filter
After you create the H.323 Gatekeeper, you also must
configure the H.323 filter to allow incoming calls.
Note:
For more information about how to configure the H.323
filter, see Module 6, "Configuring the Firewall Service,"
in Course 2159A, Deploying and Managing Microsoft
Internet Security and Acceleration Server 2000.
Creating a DNS SRV Record
To allow clients on the Internet to locate the H.323
Gatekeeper for a forward lookup zone, such as contoso.msft,
add a record to the DNS zone with the following
properties:
Record Type: SRV
Service: Q931
Protocol: TCP
Port Number: 1720
Host name: Fully qualified domain name (FQDN) of the
H.323 Gatekeeper computer
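The following is an added example, not code from the course or from ISA Server or NetMeeting: it shows what steps 2 and 3 of the call flow above amount to on the resolver side, given the SRV record just described. The zone fragment is constructed; the gatekeeper host names (gatekeeper.contoso.msft, gatekeeper2.contoso.msft), the backup record with a higher priority value, and the deliberately misnamed record are assumptions added to show the priority and weight selection that RFC 2782 defines for SRV records and the common mistake of omitting the dot between the service and protocol labels.

```python
"""Resolver-side view of the gatekeeper SRV lookup (added example).

Not ISA Server or NetMeeting code. The zone fragment, host names and the
backup/misnamed records are assumptions made for illustration.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone-file lines for contoso.msft. The SRV owner name is
# _<service>._<protocol>.<zone>, so the Q931-over-TCP record for the
# gatekeeper lives at _Q931._tcp.contoso.msft and advertises port 1720.
ZONE = """
$ORIGIN contoso.msft.
_Q931._tcp    IN SRV 0  100 1720 gatekeeper.contoso.msft.
_Q931._tcp    IN SRV 10 0   1720 gatekeeper2.contoso.msft.
_Q931_tcp     IN SRV 0  100 1720 old-gatekeeper.contoso.msft.
www           IN A   24.0.0.20
"""
# The third record is the classic mistake: "_Q931_tcp" is one label, so a
# client querying _Q931._tcp.contoso.msft never sees it.


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Pull SRV records out of a zone fragment, expanding $ORIGIN."""
    origin = ""
    records: List[SrvRecord] = []
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        if len(fields) >= 7 and fields[1] == "IN" and fields[2] == "SRV":
            owner = fields[0] if fields[0].endswith(".") else f"{fields[0]}.{origin}"
            records.append(SrvRecord(
                name=owner.rstrip(".").lower(),
                priority=int(fields[3]), weight=int(fields[4]),
                port=int(fields[5]), target=fields[6].rstrip(".").lower(),
            ))
    return records


def query_name(service: str, proto: str, domain: str) -> str:
    """Build the SRV owner name a client queries: _service._proto.domain."""
    return f"_{service}._{proto}.{domain}".lower()


def select_target(records: List[SrvRecord], qname: str,
                  rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """RFC 2782 selection: lowest priority value wins; within that
    priority, targets are chosen in proportion to weight, and weight-0
    targets only when nothing else is left."""
    if rng is None:
        rng = random.Random(0)  # seeded so the example is repeatable
    matching = [r for r in records if r.name == qname.lower()]
    if not matching:
        return None
    lowest = min(r.priority for r in matching)
    candidates = [r for r in matching if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    running = 0
    for r in sorted(candidates, key=lambda rec: rec.weight):
        running += r.weight
        if pick < running:
            return r
    return candidates[-1]


def locate_gatekeeper(zone_text: str, domain: str) -> Optional[SrvRecord]:
    """Steps 2 and 3 of the call flow: resolve _Q931._tcp.<domain>."""
    return select_target(parse_srv(zone_text), query_name("Q931", "tcp", domain))


if __name__ == "__main__":
    gk = locate_gatekeeper(ZONE, "contoso.msft")
    print(gk)  # the priority-0 record: gatekeeper.contoso.msft, port 1720
```

After adding the record, verify it from outside your network with a query for the exact owner name the clients will use (for example nslookup -type=SRV _Q931._tcp.contoso.msft); a record that exists under a slightly different name resolves nothing and every inbound call silently fails.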
Configuring Call Routing
After you have added an H.323 Gatekeeper, you can
configure call routing rules to determine how to route
the calls that the gatekeeper receives.
Note:
For more information about call routing, see "Call
routing rules" in ISA Server Help.
Configuring Applications to Use a Gatekeeper
After you have installed an H.323 Gatekeeper, you must
configure H.323 applications to register the users with a
gatekeeper so that the gatekeeper can correctly route
incoming calls. The settings that you must configure
depend on the H.323 application.
Note:
For more information about configuring NetMeeting, see
NetMeeting Help and see the NetMeeting Resource Kit
at http://www.microsoft.com/windows/
NetMeeting/Corp/reskit/default.asp
Lab A: Configuring Access to Internal Resources
Review
Introduction to Publishing
Configuring Web Publishing
Configuring Server Publishing
Adding an H.323 Gatekeeper