Implementing ISA Server Publishing

Introduction
• What Are Web Publishing Rules?
• ISA Server uses Web publishing rules to
make Web sites on protected networks
available to users on other networks, such
as the Internet.
• A Web publishing rule is a firewall rule that
specifies how ISA Server will route
incoming requests to internal Web servers
• Web publishing rules provide:
• Access to Web servers running HTTP
protocol
• HTTP application-layer filtering
• Path mapping
• User authentication
• Content caching
• Support for publishing multiple Web sites
using a single IP address
• Link translation
What Are Server Publishing Rules
• Web publishing and secure Web publishing rules
can grant access only to Web servers using
HTTP or HTTPS.
• To grant access to internal resources using any
other protocol, you must configure server
publishing rules
• Server publishing rules provide:
– Access to multiple protocols
– Application-layer filtering for specified protocols
– Support for encryption
– IP address logging for the client computer
Considerations for Configuring
DNS for Web and Server
Publishing
Configuring Web Publishing Rules
• Components of a Web Publishing Rule
Configuration:
• Web publishing rules map incoming HTTP or
HTTPS requests to the appropriate Web servers
located on a network protected by ISA Server.
• Web publishing rules determine what incoming
requests for HTTP objects will be accepted by
ISA Server and how ISA Server will respond to
those requests.
How to Configure Web Listeners
• Web listeners are used by Web and
secure Web publishing rules.
• A Web listener is an ISA Server
configuration object that defines how the
ISA Server computer listens for HTTP
requests and SSL requests.
• The Web listener defines the network, IP
address, and the port number on which
ISA Server listens for client connections.
• If the ISA Server computer receives an
HTTP or HTTPS request on a network adapter and
no Web listener is configured for the IP
address associated with that network
adapter, ISA Server will discard all the
requests before applying Web server
publishing rules.
• Network: This option specifies the network on which ISA
Server will listen for incoming Web requests.
• Port numbers: This option specifies the port number on
which the Web listener will listen for incoming Web
requests.
• Client authentication methods: This option specifies
the supported authentication methods if you are going to
require authentication on the Web listener.
• Client Connection Settings: This option specifies the
number of concurrent client connections and connection
timeout values for the Web listener.
If you have multiple network adapters or multiple IP addresses
• On the Port Specification page, select the protocol and
port number used by the Web listener
• Modify the Web listener settings by double-clicking the
Web Listener object in the Toolbox
• To configure the client connection options, click Advanced on the
Preferences tab to get to the Advanced Settings dialog box
How Path Mapping Works
• Path mapping can be used in several different scenarios.
• For example:
• An organization may have a Web
site: http://www.cohovineyard.com.
• If the entire Web site is located on a single Web server,
you can use path mapping to redirect client requests to
different virtual directories on that server.
• The URL http://www.cohovineyard.com/catalog can be
redirected to a virtual directory named CurrentCatalog on
the Web server.
• The URL http://www.cohovineyard.com/sales is
redirected to the SalesData virtual directory.
• You can also use path mapping to redirect client
requests to multiple internal Web servers.
• For example:
• When users request the URL
http://www.cohovineyard.com/sales, they can be
directed to the Sales virtual directory on one
Web server.
• When users request the URL
http://www.cohovineyard.com/catalog, they are
redirected to a Catalog virtual directory on
another Web server.
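The second scenario above, modelled as an added example (this is not ISA Server code and not part of the original slides). The internal server names web1.internal and web2.internal are hypothetical; the model also shows two checks a reviewer of such a rule would want: matching on whole path segments and resolving ".." before the mapping decision.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Public host -> list of (external path, internal server, internal directory).
# web1.internal and web2.internal are hypothetical internal server names.
PATH_MAP = {
    "www.cohovineyard.com": [
        ("/sales", "web1.internal", "/Sales"),
        ("/catalog", "web2.internal", "/Catalog"),
    ],
}


def map_request(url):
    """Return (internal_server, internal_path) for a published URL, else None."""
    parts = urlsplit(url)
    rules = PATH_MAP.get((parts.hostname or "").lower())
    if rules is None:
        return None  # host is not published at all
    # Decode %xx once and collapse "." / ".." before matching, so the decision
    # is made on the path the Web server would resolve, not the raw string.
    path = posixpath.normpath(unquote(parts.path) or "/")
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    # Longest external path first, so a more specific mapping wins.
    for external, server, internal in sorted(rules, key=lambda r: -len(r[0])):
        # Match whole path segments only: /salesdata must not match /sales.
        if path == external or path.startswith(external + "/"):
            return server, internal + path[len(external):]
    return None  # no mapping: the request is not forwarded


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        "http://www.cohovineyard.com/sales/q3.html",
        "http://www.cohovineyard.com/catalog",
        "http://www.cohovineyard.com/salesdata",
        "http://www.cohovineyard.com/catalog/%2e%2e/admin",
    ):
        print(sample, "->", map_request(sample))
```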
How to Configure Path Mapping
• ISA Server Management -> Firewall Policy -> Web
publishing rule -> Tasks -> Edit Selected Rule.
How to Configure Link Translation
• Path mapping allows you to redirect client requests from
the ISA Server computer to different locations on one or
more Web servers.
• By using path mapping you can mask a complex internal
Web server configuration and present a simple Web site
view to the Internet.
• Link translation can provide the same end result, but is
used in different situations.
• Link translation is used when the Web pages published
on ISA Server contain links to other Web servers on the
protected network, and those Web servers are not
accessible from the Internet
• Link translation is an ISA Server
configuration object that enables ISA
Server to replace internal server names on
Web pages with server names that are
accessible from the Internet
• Some published Web sites may include
references to internal names of computers
other than the server listed in the Web
publishing rule
Link Translation Levels
• Header link translation
• Translation of links in the body of a returned
Web page
• Example: a Web page on a server named Web1 that is
accessed through the URL
www.cohovineyard.com may include a reference
to an image using
http://Web1.cohovineyard.com/images/image1.jpg
• Translation of links to other internal Web
pages
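The header and body translation levels listed above, modelled as an added example (not ISA Server code and not part of the original slides). The Web1 mapping is the page's own example; the web2 / sales pair and the sample response are constructed. The model also reports single-label host names left in links, since those are internal names that Internet clients cannot resolve and that still reach the client.

```python
import re

# Internal name -> name reachable from the Internet. The Web1 pair is the
# page's example; the web2 / sales pair is a constructed assumption.
LINK_MAP = {
    "web1.cohovineyard.com": "www.cohovineyard.com",
    "web2.cohovineyard.com": "sales.cohovineyard.com",
}
ABSOLUTE_LINK = re.compile(r"(https?://)([A-Za-z0-9.-]+)", re.IGNORECASE)
LINK_HEADERS = ("Location", "Content-Location")

# Constructed sample response from the published server Web1.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Location": "http://Web1.cohovineyard.com/login",
}
SAMPLE_BODY = (
    '<img src="http://Web1.cohovineyard.com/images/image1.jpg">'
    '<a href="http://web3/reports">Reports</a>'
)


def translate_text(text, unresolved):
    """Rewrite mapped hosts in absolute links; collect single-label hosts."""
    def swap(match):
        host = match.group(2).lower()
        if host in LINK_MAP:
            return match.group(1) + LINK_MAP[host]
        if "." not in host:
            # e.g. http://web3/ : a name Internet clients cannot resolve
            unresolved.add(host)
        return match.group(0)
    return ABSOLUTE_LINK.sub(swap, text)


def translate_response(headers, body):
    """Return (headers, body, unresolved_hosts) after link translation."""
    unresolved = set()
    new_headers = {
        name: translate_text(value, unresolved) if name in LINK_HEADERS else value
        for name, value in headers.items()
    }
    new_body = translate_text(body, unresolved)
    return new_headers, new_body, sorted(unresolved)


if __name__ == "__main__":
    print(translate_response(SAMPLE_HEADERS, SAMPLE_BODY))
```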
How to Configure Link Translation
• ISA Server Management -> Firewall Policy -> Web
publishing rule -> Link Translation
How to Configure Web Publishing
Rules
• ISA Server Management -> Tasks -> Publish
A Web Server
Configuring Secure Web Publishing
Rules
• Secure Web publishing provides an additional
layer of security when publishing an internal
Web site by enabling the option to use SSL to
encrypt all network traffic to and from the Web
site.
• Secure Web publishing is critical when securing
Web sites that contain confidential information,
or when the Web site asks clients to submit
confidential information such as credit-card
numbers
Components of a Secure Web
Publishing Rule Configuration
• What Is Secure Sockets Layer?
• Secure Sockets Layer (SSL) is used to
validate the identities of two computers
involved in a connection across a public
network, and to ensure that the data sent
between the two computers is encrypted.
• To do this, SSL uses digital certificates and
public and private keys.
What Is Secure Sockets Layer
• SSL enables the following features:
• Server authentication
• Client authentication
• Encrypted SSL connections
SSL Configuration Options
• SSL tunneling:
• The SSL connection is set up directly between
the client computer and the Web server.
• The ISA Server computer does not encrypt or
decrypt the network packets but merely forwards
encrypted packets between the client and the
Web server.
• ISA Server cannot inspect the content of the
packets because the contents are encrypted as
they pass through the ISA Server computer.
• SSL bridging:
• The ISA Server computer acts as the end point
for one or more SSL connections.
• The network packets can still be encrypted from
the Web client to the Web server.
• However, in an SSL bridging scenario, the ISA
Server computer will decrypt network traffic from
the client computer and then re-encrypt it before
sending it to the Web server.
Enabling SSL on ISA Server
• If you plan to use SSL in an SSL tunneling configuration,
you must install a digital certificate only on the Web
server. The Web server and the client will use this
certificate and the associated keys to create the SSL
connection.
• If you plan to use SSL in an SSL bridging configuration,
you must install a digital certificate on the ISA Server
computer, and possibly, on the Web server. To create an
SSL connection with the client, the ISA Server computer
must have a certificate installed.
• If you require client certificates, you also need to install
digital certificates on each client computer.
How to Install Digital Certificates on
ISA Server
• How to Configure a New Secure Web
Publishing Rule
Configuring Server Publishing
Rules
• Web publishing rules are used on ISA
Server to enable access to HTTP and
HTTPS content on internal Web servers.
• Server publishing rules are used to enable
access to internal applications that use
other protocols.
• Server publishing is a secure and flexible
way to publish the content or services
provided by internal servers to the Internet
Components of a Server Publishing
Rule Configuration
• Server publishing rules are used on ISA
Server to map a port number on an
external interface of the ISA Server
computer to the IP address of an internal
server providing a specific service.
• When ISA Server receives a request on
the external IP address for a specific port,
it passes the request to the internal server
defined on the server publishing rule
• ISA Server performs the following steps:
1. A client computer on the Internet needs to access an
application server on a network protected by the ISA
Server computer. The client computer will perform a
DNS lookup to locate the IP address for the server that
is providing the service.
2. ISA Server checks the destination port number and
then uses the server publishing rule to map the
request to an IP address of an internal server.
3. The internal server returns the object to the ISA
Server computer, which passes it on to the requesting
client
How to Configure a Server
Publishing Rule