Microsoft Internet Security and Acceleration Server 2000 SharePoint Portal Server Deployment Kit

 

Chapter 8

Using Server Publishing Rules to Publish Services and SharePoint Web Sites

 

 

 

 

 

 

 

 

 

Martin Grasdal

Dr. Thomas W Shinder

December 2003

 

 

Table of Contents

 

Abstract 3

Web Publishing Compared to Server Publishing. 4

Overview of Server Publishing. 5

Step-by-Step How To: Creating a Protocol Definition and Server Publishing Rule To Publish a SharePoint Web Site  8

Test Lab Background Information. 8

Creating a Protocol Definition for Inbound HTTP Traffic. 9

Configuring Incoming Web Requests Listener to Remove Potential Port Contention. 14

Creating Server Publishing Rule for SharePoint Web Site. 16

Results of Server Publishing Rule for SharePoint Web Site. 21

Configuring Alternate Portal Access Settings. 23

Summary. 27

 

 

Abstract

Although not a recommended method to publish Web sites, server publishing can provide a flexible alternative to Web publishing rules. Server publishing makes it possible for Web site logs to contain the source IP address of the user connecting to the SharePoint Web site. Because Server Publishing rules bypass the Web Proxy service, it is possible to publish Web sites that use anonymous access at the same time as publishing Web sites where external users must authenticate at the ISA Server 2000 firewall. To resolve problems created by incorrect URLs that are indexed and returned by SharePoint Portal Server’s search service, it is possible to use alternate portal settings to display the correct URLs for external users who connect to the site using a server publishing rule. This chapter explains ISA Server 2000 Server Publishing and shows you how create Server Publishing rules to allow remote access to the SharePoint Web sites. You will also learn how to configure alternate portal access setting for the SharePoint Web site

 

 

This chapter compares the advantages and disadvantages of using server publishing rules to publish SharePoint Web sites, explains how server publishing works, and shows you how to configure server publishing for a SharePoint web site.  In general, the steps for creating a server publishing rule for a SharePoint Web site are as follows:

 

  1. Create a protocol definition for inbound HTTP traffic (this is not a necessary step if you are going to use server publishing for HTTPS traffic).
  2. Ensure Incoming Web Requests listener is not configured to listen on IP address that will be used to publish SharePoint Web site using a Web Publishing rule.
  3. Create a server publishing rule using protocol definition.
  4. Configure SharePoint Portal Web site to use alternate portal access settings for external clients.

Web Publishing Compared to Server Publishing

Web publishing rules are the recommended and optimal method for publishing Web sites.  Web publishing rules have a number of advantages over other methods of publishing internal services.  Web publishing rules provide the ability to:

 

·         Use a single IP address to publish multiple Web sites

·         Bridge HTTPS requests as HTTP requests.

·         Bridge HTTPS requests as HTTP requests.

·         Bridge HTTP or HTTPS requests as FTP requests.

·         Cache Web requests from external clients to increase the apparent speed of Web site and offload work from the internal Web site.

·         Force external clients to authenticate at the ISA Server 2000 firewall using integrated, basic, digest, and digital certificate methods of authentication before requests are forwarded to the internal network.

·         Delegate authentication credentials using basic authentication.

·         Perform link translation to enhance the security and functionality of published Web sites.

·         Use Web application layer filtering to inspect both HTTP and HTTPS traffic before allowing it into the internal network.

 

However, Web publishing rules, which depend on the Web proxy service, can be used only for incoming requests that use HTTP or HTTPS protocols.  FTP can be published using Web publishing rules, but publishing an FTP site using this method relies on protocol redirection that is configured on the Bridging tab of the Web publishing rule.  The incoming request to the ISA Server 2000 firewall is either HTTP or HTTPS, and the Web publishing rule is configured to redirect the request to an internal FTP server using the FTP protocol.

 

To publish protocols other than HTTP or HTTPS, it is necessary to use Server Publishing rules.  For example, if you have an Exchange Server behind the ISA Server 2000 firewall, and you wish to use this server to receive inbound mail from the Internet, you must configure a server publishing rule to accept inbound requests for TCP port 25 (the TCP port used for SMTP) and forward this traffic to the internal Exchange Server. 

 

It is also possible to publish Web sites using server publishing rules, rather than Web publishing rules.  Using server publishing rules to publish internal Web sites is usually not a desirable solution because it means giving up the advantages of Web publishing rules.  However, some administrators feel the need to make this trade off in certain circumstances. 

 

One common reason for using serving publishing to make internal Web sites available is the information that is captured in log files on the Web server.  When Web publishing rules are used, the internal IP address of the ISA Server 2000 firewall is passed to the Web server, not the external IP address of the original request.  This means the log files on the Web server show only the internal IP address of the ISA Server 2000 firewall. 

 

Although the ISA Server log files show the original IP addresses of the external clients and although there are a number of 3rd-party tools available to assist in the analysis of log file information, the accuracy and ease of use of log files on the Web server are often an overriding priority.

 

Another reason for choosing server publishing over Web publishing is the fact that there is no need to install a digital certificate on the ISA Server 2000 firewall to support SSL connections to the Web site.  If organizations are using a digital certificate from a 3rd-party Certification Authority, installing a digital certificate on both the ISA Server 2000 firewall and the Web server could mean extra cost.

 

In the case of SharePoint Portal Server, it may be desirable to use server publishing in combination with Web publishing.  For example, consider a scenario in which you have a single ISA Server 2000 firewall that is used to provide access to distinct Web sites that are used for employees, partners, and the general public respectively.  You want the general public to be able to connect as anonymous users to the published Web sites that are dedicated for public access, but you also want employees and partners to use basic authentication in combination with SSL to connect to other, non-public Web sites.  Furthermore, you want to leverage delegation of basic authentication credentials to provide additional security.  This means that you have to require authentication at the ISA Server 2000 firewall for the Incoming Web Requests listener.  This setting is a global one and affects all configured listeners.  By using server publishing to publish the public Web site, you can bypass the Web proxy service and, hence, allow anonymous users to connect to the public Web site without providing credentials. 

 

Whether the public Web site is another SharePoint Portal site that is dedicated for this purpose or not, you will need to keep in mind that there are a number of security issues associated with allowing anonymous access to it.  In addition, if you use server publishing for creating external access to a SharePoint Web site, you will have to take into account how search results are displayed on the published SharePoint server. 

 

By default, search results will be displayed using unqualified, internal names.  In order for SharePoint “crawled” search results to be displayed appropriately for external clients, you will have to make additional configuration changes on the SharePoint Web site.  Specifically, you will have to add an Alternate Portal Access Setting on the Central Administration pages of the SharePoint Web site.  (Instructions for configuring alternate portal access settings are at the end of this chapter.)

Overview of Server Publishing

Server publishing rules are required when you need to publish protocols other than HTTP and HTTPS.  If you have a mail, DNS, SQL, or other server that you need to publish, you use server publishing rules.  Server publishing rules can also be used as an alternative to Web publishing rules to publish internal Web sites.

 

Server publishing rules differ from Web publishing rules in that they do not use the Web Proxy service.  A server publishing rule for a particular protocol is in its simplest form a reverse NAT mapping.  With a server publishing rule, the ISA Server 2000 firewall maps a port number on an external interface to an internal IP address.  When the ISA Server 2000 firewall receives a request on the external IP address for a specific port, it passes the request to the internal server based on the port number.   So, if you have an internal DNS server that you wish to make available to resolve DNS queries, you create a server publishing rule that maps requests for UDP Port 53 on an external interface of the ISA Server 2000 firewall to the internal IP address of the DNS server.

 

As a necessary condition for creating a Server Publishing rule for a particular protocol or service, there must be a Protocol Definition for the protocol configured on the firewall. Any protocol definition where the primary connection is defined as inbound can be used for a server publishing rule.  ISA Server 2000 firewalls come pre-configured with a number of protocol definitions for commonly used protocols that can be used for server publishing rules. 

 

For example, there are protocol definitions for SMTP (TCP port 25), DNS (TCP and UDP port 53), and HTTPS (TCP port 443) servers.  You must create custom user-defined Protocol Definitions if you wish to use Server Publishing rules to publish other protocols not in this list, such as SQL (TCP port 1433) or HTTP (TCP port 80).

 

By creating or using a Protocol Definition, you can easily publish any protocol that does not require secondary connections on different ports.  It is more difficult to publish more complex protocols that require secondary connections. In these cases you must create an application filter to support publishing the server or install the Firewall client software on the server and place an appropriately configured wspcfg.ini file in the applications executable file’s directory. 

 

Depending on the complexity of the protocol, it is possible to configure the appropriate secondary connection information in the protocol definition.  However, in other cases, it is better (or necessary) to use a protocol-enabling filter to publish the protocol.  ISA Server 2000 ships with a number of protocol-enabling filters.  These include the FTP, RPC, and H.323 application filters. These filters make it possible to use Server Publishing rules to publish FTP sites, to allow Outlook clients to connect to internal Exchange Servers using secure RPC, and to use the Audio and Video communications across the firewall.

 

Server publishing rules can use client address sets to enhance security to limit the source IP addresses of hosts that are allowed to connect to the published service through the use of a client address set.  This is useful if you have to publish a protocol, but wish to allow only a specific set of external hosts access to the service. 

 

For example, if you have a Web server that must communicate with a SQL server that is behind an ISA Server 2000 firewall, you can publish the SQL server using a client address set that limits access to the Web server only and prevents any other host on the perimeter network from contacting the Web server.  Although source IP addresses can be spoofed, if the Web server is in a DMZ that uses a non-routable private IP address, there is a high degree of security in this configuration.

 

When the ISA Server 2000 firewall passes the request to an internal server using a Server Publishing rule, it does not replace the source IP address with the IP address of its internal interface. This configuration sometimes referred to as half NAT.  This has obvious advantages if you want to preserve the source IP address in Web log files.  However, this configuration also requires that the published servers have default gateways that can route to the Internet through the ISA Server 2000 firewall. 

 

In some situations, however, it may be desirable to replace the source IP address with that of the internal interface of the ISA Server 2000 firewall (full NAT). For example, what would happen if the default gateway on the published server causes packets to be forwarded to the Internet using a route that bypasses the internal interface of the ISA Server 2000 firewall? The firewall could not be able to return the responses to the requesting client because it does not know a route to Internet based host.  When full NAT is enabled on the ISA Server 2000 firewall, the published server replies directly to the firewall, rather than its default gateway (if these happen to be different.) This obviates the need to reconfigure your routing infrastructure to support the ISA Server 2000 firewall for Server Publishing Rules.

 

Server publishing rules have other limitations.  Unlike Web publishing rules, it is not possible to publish a service more than once on the same external interface.  For example, if you have two mail servers that you wish to publish, you must have two external IP addresses to publish these mail servers.  In fact, the ISA Server 2000 firewall will give you an error message if you try to configure a duplicate server publishing rule for the same service on the same external interface. 

 

This has consequences for circumstances in which you which to use a combination of Web publishing rules and server publishing rules to publish internal Web sites.  To do this, you need to use multiple IP addresses on the external interface of the ISA Server 2000 firewall and configure the Incoming Web Requests listener in a way that supports both Web Publishing and Server Publishing rules for internal Web sites.

 

You cannot use URLScan and other Web application filters on the ISA Server 2000 firewall to evaluate HTTP traffic before forwarding it to the internal Web site when you use Server Publishing rules instead of Web Publishing rules. Using these filters requires the Web Proxy service, which is bypassed by the Server Publishing rule.  Furthermore, no evaluation of the payload of SSL-encrypted HTTP traffic can be performed before the traffic is forwarded to the internal Web site.  This means extra measures may have to be taken to harden the internal Web servers against a wide range of exploits. 

 

ISA Server 2000 does provide smart application filters for a number of protocols, such as DNS, SMTP, and POP3.  These filters differ from one another in their functionality.  They all provide protection against buffer overflow attacks and other common vulnerabilities specific to them.  However, enabling these filters does not necessarily provide complete protection for each protocol.  For example, the DNS application filter protects the DNS server against some common DNS exploits, but it does not provide protection against cache pollution.  To protect an internal DNS server against this exploit, you must configure the internal DNS server appropriately.

Step-by-Step How To: Creating a Protocol Definition and Server Publishing Rule To Publish a SharePoint Web Site

The following steps show you how to configure a Server Publishing rule to publish a SharePoint Portal 2003 Web site using HTTP.  After configuring a Server Publishing rule, you will have to create alternate portal access settings on the SharePoint server to ensure the proper URLs are returned in search results for external clients.  You will need to create a Protocol Definition for inbound HTTP because ISA Server 2000 does not include this as one of its built-in Protocol Definitions.

Test Lab Background Information

The test lab used to demonstrate this feature in the following steps has a similar configuration to environment used to demonstrate SSL bridging.  For information on the details of that configuration, please see Chapter 6, Using SSL Bridging to Protect SharePoint Web Sites. 

 

In addition to this basic configuration, two IP addresses have been added to the external interface of ISA Server 2000 firewall. One of these IP addresses (192.168.100.24) will be used to publish the SharePoint Web site using Server Publishing rules. Link translation and delegation of basic authentication credentials will be enabled for the Web publishing rule used to publish the SharePoint Site.  Finally, a DNS resource record has been added to the external.net zone file to resolve the FQDN public.external.net to 192.168.100.24, which will be used in the demonstration.

 

The following demonstration creates a server publishing rule for the same SharePoint site that was created to demonstrate Web Publishing rules.  This configuration is used for demonstration purposes only and we do recommended in a production environment because of the reduced security provided by Server Publishing rules in contrast to Web Publishing rules.

Creating a Protocol Definition for Inbound HTTP Traffic

If you are going to use server publishing to publish an SSL-enabled web site, it is not necessary to perform the following steps.  These steps are necessary only when there is no Protocol Definition where the primary connection is defined as inbound for a the initial port used by the protocol. 

 

Perform the following steps to create a Protocol Definition for inbound HTTP traffic:

 

  1. Open the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Policy Elements node and right click on the Protocol Definitions node. Point to New and click Definition.

 

Figure 1 Creating a New Protocol Definition

 


  1. In the Welcome to the New Protocol Definition Wizard page that subsequently appears, enter a descriptive name in the Protocol definition name text box and click Next. 

 

Figure 2 The Welcome to the New Protocol Definition Wizard Page

 


  1. In the Primary Connection Information page, type 80 in the Port number text box, select TCP from the Protocol type drop-down list, select Inbound from the Protocol direction drop-down list, and click Next.

 

Figure 3 Primary Connection Information Page

 


  1. In the Secondary Connections page, select No to indicate that you do want wish to configure secondary connections, and press Next, as in the figure below.

 

Figure 4 Secondary Connections Page

 


  1. Click Finish on the Completing New Protocol Definition Wizard page.

 

Figure 5 Completing the New Protocol Definition Wizard

 

Once you have completed adding the new protocol definition, you should check to ensure that there will be no port contention for TCP Port 80 on the external interface that you will use for the server publishing rule.

Configuring Incoming Web Requests Listener to Remove Potential Port Contention

You can only publish a service once per external interface on the ISA Server 2000 firewall when using Server Publishing rules.  This means you must ensure the Incoming Web Requests listener is configured to avoid possible port contention with the Server Publishing rule. 

 

This step is not necessary if you are not using Web publishing rules and have not previously configured the Incoming Web Requests listener.

 

To verify the proper configuration of the Incoming Web Requests listener,

 

  1. Open the ISA Management console, right click on your server name and click Properties.

 

Figure 6 Context Menu for ISA Server Object

 


  1. In the server Properties dialog box, click on the Incoming Web Requests tab.

 

Figure 7  Incoming Web Requests Tab

 

To properly configure support the co-existence of Web publishing and server publishing rules for HTTP or HTTPS traffic, it is important to have a good understanding of the settings for incoming listeners.  The TCP port, SSL port (when SSL listeners has been enabled), and the Ask unauthenticated users for identification settings are global for all configured listeners.  This means if all the external IP addresses are listed the Identification frame, or if you have selected the radio button to Use the same listener configuration for all IP addresses, then you will not be able to use Server Publishing for inbound HTTP requests on TCP port 80.

 

In order to publish Web sites using both server publishing and Web publishing rules, you must have multiple IP addresses bound to the external interface of the ISA Server 2000 firewall, and you must select the option to Configure listeners individually per IP address. If you don’t have an available IP address to dedicate to a Server Publishing rule, your only other option is to use a non-standard port to publish the server. 

 

  1. Verify the incoming listener configuration; make the appropriate changes (for example, by removing a specific IP address from the listener configuration, and press OK.

Creating Server Publishing Rule for SharePoint Web Site

Once you have verified that there will be no port contention on TCP port 80 for the published server, you can create the server publishing rule.  The steps are as follows:

 

  1. Open the ISA Management console, expand the Servers and Arrays node and expand your server name. Expand the Publishing node and right click on Server Publishing Rules. Point to New and click Rule.

 

Figure 8 Creating a New Server Publishing Rule

 


  1. In the Welcome to the New Server Publishing Rule Wizard page, enter a descriptive name in the Server publishing rule text box, and click Next. 

 

Figure 9 Welcome to the New Server Publishing Rule Wizard

 


  1. In the Address Mapping page, enter the internal IP address of the Web site and the available external IP address on the ISA Server, and click Next. 

 

Figure 10 Address Mapping Page

 

If necessary, you can click Find or Browse to determine the IP address, as in the figure below.

 

Figure 11 Selecting External IP Address

 


  1. On the Protocol Settings page, select the protocol definition you created earlier for inbound HTTP traffic from the Apply the rule to this protocol drop-down box, and click Next. 

 

 

  1. In the Client Type page, select the option to Apply this rule to requests from:  Any request, and click Next.
  2. Click Finish on the Completing the New Server Publishing Rule Wizard page.

Results of Server Publishing Rule for SharePoint Web Site

At this point, the internal SharePoint Web site is available to external clients.  Note that it is possible to connect to the Web site using an IP address or a DNS host name.  So, for example, an external user can connect to the published site using http://<ip-address-of-site> or http://<dns-name>.  The figure below shows a connection to the published SharePoint site using the external IP address of the ISA Server 2000 firewall.

 

Figure 12  Connecting to SharePoint Site Using IP Address

 

It is possible to connect to the published SharePoint using any name, as long as the name resolves to the IP address of the published Web site, either through a DNS resource record or a hosts file entry. 

 

Figure 13 Connecting to SharePoint Site Using FQDN

 

Importantly, a Web publishing rule would not allow you to connect to a published Web site using any name; the name must match the name or names included in the Destination Set used in the Web Publishing rule.  This is one of the many reasons why Web publishing rules provide greater security for internal Web sites than do Server Publishing rules. 

 

Both of the above screen shots reveal a problem from the point of view of the external client.  The search results use URLs containing internal server names that can not be resolved by the external client.  Therefore, if the external client were to try to connect to these resources, the attempt would fail.  From an administrative point of view, the revealing of internal server names in the URLs displayed in the search results is a security weakness.  A great deal of information can be inferred from the internal server names that are used in many organizations, and it is a sound security practice not to let this information become easily accessible. 

 

Because we are using Server Publishing rules and not Web Publishing rules, it is not possible to use the link translation filter to resolve the problem with incorrect URLs being displayed in indexed content that is returned in search results.  However, it is possible to use a feature of SharePoint Server 2003 to mend these URLs for correct display to external clients.

Configuring Alternate Portal Access Settings

Alternate portal access settings provide a mechanism for ensuring that the appropriate URLs are displayed according to the method of accessing the site.  For example, intranet users will see URLs containing internal server names and extranet users will see the URLs containing external published names. Alternate portal access settings can be used with server publishing rules to ensure that the correct URLs are displayed for users who access the site using a server publishing rule. 

 

To configure alternate portal access settings for the published Web site:

 

  1. Open the SharePoint Portal Server Central Administration pages.  This can be accomplished by one of two ways.
    1. Click Start, point to Programs | SharePoint Portal Server, and then click on SharePoint Portal Server Central Administration.
    2. In the Site Settings page for the portal site, in the General Settings section, click on Go to SharePoint Portal server central administration.

 

Figure 14 SharePoint Central Administration Page

 

  1. In the SharePoint Central Administration for <server-name> page, click Configure alternate portal site URLs for intranet, extranet, and custom access.

 

Figure 15 Configure Alternate Portal Access Settings Page

 


  1. In the Configure Alternate Portal Access Settings page, click on Default Web Site in the Mapping Name column, and click Edit.

 

Figure 16 Entering Extranet URL for Alternate Access Setting

 

  1. In the edit page for the alternate access settings, enter a value for the Extranet URL and click OK. 

 

This completes the configuration for the alternate access settings.  Test the settings by connecting to the published site and performing a search (you may first have to re-index content). 

 

The figure below shows the results of the configuration change.

 

 

Although configuring alternate portal access resolves the issue with incorrect URLs being displayed to clients, it does not resolve the problem of search results revealing internal server names.  If an external user connects using a different name that resolves to the same IP address, the internal server names will be revealed in the search results.  It is, therefore, better to use a combination of Web publishing rules, alternate portal access settings, and link translation than it is to use server publishing. 


Summary

Although not a recommended method to publish Web sites, server publishing can provide a flexible alternative to Web publishing rules. Server publishing makes it possible for Web site logs to contain the source IP address. Because Server Publishing rules bypass the Web Proxy service, it is possible to publish Web sites that use anonymous access at the same time as publishing Web sites where external users must authenticate at the ISA Server 2000 firewall. To resolve problems created by incorrect URLs that are indexed and returned by the search service, it is possible to use alternate portal settings to display the correct URLs for external users who connect to the site using a server publishing rule.

 

This chapter explained server publishing and showed you how to server publishing rules as well as how to configure alternate portal access setting for the SharePoint Web site