ISAserver.org Newsletter of August 14th 2001

http://www.isaserver.org

Isaserver.org Newsletter
August 14th, 2001

In this issue:

**Feature: Publishing Multiple Web Sites
**Tip of the Week
**Mailing List Post of the Week
**Web Board Post of the Week
**ISA Server link of the week
**Ask Dr. Tom
**ISA Server Hero of the Month -- Jim Harrison

===============================
Welcome to the second ISAserver.org newsletter! Each week we will bring you
interesting and helpful information on ISA Server. We want to know what
*you* are interested in hearing about. Please send your suggestions
for future newsletter content to: tshinder@isaserver.org
===============================

**Feature: Publishing Multiple Web Sites**
By Thomas W Shinder, M.D., MCSE, etc.

1. Overview
2. Setting up the Inbound Web Requests Listener
3. Configuring the Supporting Policy Elements
4. Creating the Web Publishing Rules
5. Using Server Publishing Rules for Web Publishing
6. Summary

-----------------------------------------
1. Overview
-----------------------------------------
You can make Web Sites on your internal network available by using ISA
Server Web and Server Publishing Rules. These rules allow you to
redirect requests arriving at the external interface of the ISA Server
to an internal Web Server. By using Publishing Rules, you never have to
expose your Internet accessible servers directly to Internet hosts; all
requests will be evaluated by the ISA Server before they ever touch your
servers.

One of the really cool things about ISA Server Web Publishing is that
you can configure a single IP address on the external interface and
publish multiple sites using that IP address. The ability to publish
multiple web sites with a single IP address is helpful for those of you
who have only a single IP address available to expose to the Internet,
or if you must use dynamically assigned IP addresses.

In this article, we'll cover the following issues regarding
Publishing multiple Web Sites using ISA Server:

--Setting up the Incoming Web Requests Listener
--Configuring the Supporting Policy Elements
--Creating the Web Publishing Rules
--Using Server Publishing Rules for Web Publishing

-----------------------------------------
2. Setting up the Inbound Web Requests Listener
-----------------------------------------
The first step in setting up your server to publish multiple web sites
is to configure the Inbound Web Requests Listener.

To configure the Inbound Web Requests Listener, right click your Server
or Array > click Properties > click on the Incoming Web Requests tab.

If you have a single IP address bound to the external interface of the
ISA Server, or if you are using a dynamically assigned IP address,
select the "Use the same listener configuration for all IP addresses"
option. If you have multiple IP addresses bound to the external
interface of the ISA Server, I recommend you select the "Configure
listeners individually per IP address" option.

You can change the port number incoming requests must be sent to.
However, I do not recommend that you change it from its default setting,
which is Port 80. If you do change it, external users will need to
include the port number when they request resources from your published
servers.

If you want to secure communications between the external Web client
(browser) and the ISA Server, you can enable the SSL listener on the
default port 443. Again, if you change the port number, users will have
to include the alternative port number in their requests.

You can enable the option to require authentication with the ISA Server
before users access the internal web site. However, if you are running a
public site, you will not want to enable this option. I recommend that
you do not enable this option at all, unless you never intend to publish
sites available to the general public. If you need users to authenticate
with a Web Site, configure the authentication options at the web site
and not at the Incoming Web Requests Listener.

-----------------------------------------
3. Configuring the Supporting Policy Elements
-----------------------------------------
All ISA Server rules require Policy Elements. The Policy Elements you
need to create depend on what type of Rule you want to make, and how you
want to configure a particular Rule.

To Publish Multiple Web Sites, you need to configure, at the very least,
a Destination Set for each of the Web Sites you want to publish.

For example, suppose you want to publish two Web Sites. One site will
respond to requests for www.hot-isaserverstuff.com and the other site
will respond to requests www.cold-isaserverstuff.com. You need to create
two Destination Sets; one for each of these Sites.

To create a Destination Set, expand the Policy Elements node in the left
pane of the ISA Server Management Console and right click on the
"Destination Sets" node. Click New and then click "Set".

Give the Destination Set a Name and a Description. I find it useful to
include in the Description the FQDN(s) that are included in the set,
because you'll see the description information displayed in several of
the wizards. To add a Destination to the Set, click the "Add" button.

To publish the root of the web site and all files and folders in the
site, enter the FQDN that external users will use to access the site in
the "Destination" text box. In the "Path" text box type "/*" (without
the quotation marks).

Do *not* use an IP address for your destinations. ISA Server admins
often try to use IP addresses in their Destination Sets when they have
multiple IP addresses bound to the external interface of the ISA Server.
They find out soon enough that when they try to use these Destination
Sets, they do not work. Only the Destination Set at the top of the list
works. There is an issue with ISA Server which prevents this from
working. However, you may be able to obtain a fix by calling Microsoft
PSS.

Since you have to use FQDNs in your Destination Sets, you will have to
create DNS entries for these FQDNs. Make sure that you register each of
these Destinations on a publicly available DNS server if you want
external users to access your public sites.

You can get creative with your Destination Sets by using Path
statements. For example, you might have two servers on your internal
network and you want one of the servers to respond to the URL
http://www.corp.com/hot-stuff and the other server to respond to the URL
http://www.corp.com/cold-stuff.

Just make two Destination Sets; one with the FQDN of www.corp.com and
the path /hot-stuff/* and the other with the FQDN www.corp.com and the
path /cold-stuff/*. You can then create two Web Publishing Rules; one
for each of these Destination Sets.

-----------------------------------------
4. Creating the Web Publishing Rules
-----------------------------------------
The next step is to configure the Web Publishing Rules. Expand the
"Publishing" node in the left pane of the ISA Management Console and
right click the "Web Publishing Rules" node. Click "New" and click
"Rule".

On the first page you name the rule. On the "Destination Sets" page,
select the option for "Specified Destination Set" and then select one of
the Destination Sets you created for your Web Sites. On the "Client
Type" page, select "Any Request" to allow everyone access to the site.

The "Rule Action" page is where the money is at. Select the "Redirect
the request to this internal Web Server (name or IP address)" option. If
you want to make your life as simple as possible, type in the IP address
of the internal server. However, if you do this, you might see the
dreaded 14120 error in your Event Logs.

You have the option of putting in the INTERNAL name of the server in
this box, but if you use a FQDN, make sure the ISA Server can resolve
the name. This means setting up DNS correctly on your internal network
and the DNS settings on the ISA Server itself. If you're not sure how to
do this, run over to the Learning Zone at www.isaserver.org and check
out Jim Harrison's excellent articles on network preparation and ISA
TCP/IP interface configuration.

If you are publishing OWA sites, or if you are using Host headers rather
than multiple IP addresses or ports on an internal Web Server to host
multiple sites, then you need to enable the checkbox that sends the
original Host Header.

Web Publishing is the only place where you can implement port
redirection. For example, if you want to publish multiple Web Sites on
an internal server, and each of those Web Sites listens on a different
port number, you can configure the Web Publishing Rule to redirect a
particular Destination Set to a particular port on the internal web
server. You configure your port redirection requirements on the "Rule
Action" page as well.

On the last page of the Wizard, check your configuration and click
"Finish".

Now, repeat the entire process with your second Destination Set, but on
the "Rule Action" page, send the requests to another Web Server or to a
different port on the same Web Server (or enable sending the original
host header if you are using Host Headers to manage multiple sites on
the internal Web Server).
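The two sections above describe the routing decision a Web Publishing Rule makes: a Destination Set (external FQDN plus path pattern) is matched against the Host header and path of the incoming request, and the matching rule says which internal server and port to redirect to, and whether the original Host header is forwarded. The following Python model of that decision is an added illustration, not ISA Server code and not from the newsletter; the class and function names (DestinationSet, WebPublishingRule, route_request), the sample internal addresses, the first-match-in-order evaluation and the Host-header behaviour when forwarding is off are all assumptions made for this example. It also enforces the "no IP addresses in Destination Sets" advice and shows the path-based split of www.corp.com between two internal servers:

```python
"""Model of how ISA Server 2000 Web Publishing picks an internal target.

Added illustration, not ISA Server code. The names (DestinationSet,
WebPublishingRule, route_request), the sample sites and internal addresses,
first-match-in-order evaluation and the Host-header handling when the
original header is not forwarded are assumptions made for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class DestinationSet:
    name: str
    fqdn: str         # the name external users type; an IP address is rejected
    path: str = "/*"  # "/*" publishes the root and everything below it

    def __post_init__(self):
        # The newsletter's warning: Destination Sets keyed by IP address do
        # not work reliably, and the FQDN also needs a public DNS record.
        try:
            ip_address(self.fqdn)
        except ValueError:
            return  # not an IP literal, so it is an acceptable FQDN
        raise ValueError(f"{self.name}: use an FQDN, not an IP address")

    def matches(self, host: str, path: str) -> bool:
        # Host header is case-insensitive and may carry ":port"; strip both.
        # fnmatchcase's "*" also spans "/", so "/hot-stuff/*" covers subfolders.
        host_only = host.split(":", 1)[0].lower()
        return host_only == self.fqdn.lower() and fnmatchcase(path, self.path)


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    destination: DestinationSet
    internal_server: str      # internal name or IP the request is sent to
    internal_port: int = 80   # port redirection: may differ per rule
    send_original_host_header: bool = False  # needed for host-header hosting / OWA


@dataclass(frozen=True)
class RouteDecision:
    rule: str
    target: str       # URL the Web Proxy service requests from the inside
    host_header: str  # Host header the internal server will see


def route_request(rules: List[WebPublishingRule], host: str,
                  path: str) -> Optional[RouteDecision]:
    """First rule whose Destination Set matches wins (model assumption).
    None means no rule applies, i.e. the ISA Server does not forward it."""
    for rule in rules:
        if rule.destination.matches(host, path):
            # Assumed: without the checkbox the internal server sees its own
            # address as the Host header rather than the external FQDN.
            header = host if rule.send_original_host_header else rule.internal_server
            return RouteDecision(
                rule=rule.name,
                target=f"http://{rule.internal_server}:{rule.internal_port}{path}",
                host_header=header,
            )
    return None


# Constructed sample: two whole sites on one external IP, plus the
# path-based split of www.corp.com between two internal servers.
RULES = [
    WebPublishingRule("hot", DestinationSet("hot", "www.hot-isaserverstuff.com"),
                      "10.0.0.10", send_original_host_header=True),
    WebPublishingRule("cold", DestinationSet("cold", "www.cold-isaserverstuff.com"),
                      "10.0.0.11", internal_port=8080),
    WebPublishingRule("corp-hot", DestinationSet("corp-hot", "www.corp.com", "/hot-stuff/*"),
                      "10.0.0.10"),
    WebPublishingRule("corp-cold", DestinationSet("corp-cold", "www.corp.com", "/cold-stuff/*"),
                      "10.0.0.11"),
]

if __name__ == "__main__":
    for host, path in [("www.hot-isaserverstuff.com", "/index.htm"),
                       ("www.corp.com", "/cold-stuff/report.htm"),
                       ("www.corp.com", "/")]:
        print(host, path, "->", route_request(RULES, host, path))
```

Two things the model makes visible that the wizard does not: a request for www.corp.com/ matches neither path-scoped Destination Set and is therefore not forwarded at all, and rule order matters, since a catch-all "/*" set placed before a "/hot-stuff/*" set would swallow its requests.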

-----------------------------------------
5. Using Server Publishing Rules for Web Publishing
-----------------------------------------
The Web Publishing Rules take advantage of the ability of the Web Proxy
service to examine application layer HTTP header information and make
decisions about routing packets based on that information. The Web Proxy
service is quite cool, and if you need to publish Web Sites, you should
make it a practice to use Web Publishing Rules to do it.

However, there is a major limitation to using the Web Proxy service to
publish Web Sites: the IP address of the internal interface of the ISA
server will show up in the log files on the internal web server. If you
need information about the source IP address for the requests to the
internal web server, you might be out of luck.

One option is to parse the Web Proxy service logs for the destination
URL for each of your sites and extract the information you need from
there. However, you might not want to do this because it is time
consuming or you have an application that works with the web server logs
already and you don't want to move away from that application.
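The parsing option mentioned above is straightforward to script. The Web Proxy service writes its log in W3C extended format: "#" directive lines, one of which ("#Fields:") names the columns, followed by one space-separated record per line with "-" for empty values. The Python below is an added example, not part of the newsletter and not ISA Server code; it reads the column names from the #Fields line instead of hard-coding them, groups the external client addresses by published site (the information the internal web server's own log loses behind the proxy), and lists requests the server rejected. SAMPLE_LOG is constructed for this example with a subset of typical columns (c-ip is the client address, cs-uri the requested URL); a real log's #Fields line may list more or differently ordered columns, which the parser handles unchanged.

```python
"""Pull per-site client information out of ISA Server Web Proxy logs.

Added example, not from the newsletter and not ISA Server code. SAMPLE_LOG
is constructed: the column names follow the W3C extended log convention,
but the exact field set of a real install is taken from its own #Fields line.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2001-08-14 09:00:00
#Fields: c-ip cs-username date time s-computername s-operation cs-uri sc-status
203.0.113.10 anonymous 2001-08-14 09:15:01 ISA1 GET http://www.hot-isaserverstuff.com/index.htm 200
203.0.113.10 anonymous 2001-08-14 09:15:03 ISA1 GET http://www.hot-isaserverstuff.com/logo.gif 200
198.51.100.7 anonymous 2001-08-14 09:16:20 ISA1 GET http://www.cold-isaserverstuff.com/ 200
198.51.100.7 anonymous 2001-08-14 09:16:25 ISA1 GET http://www.cold-isaserverstuff.com/admin/ 403
192.0.2.44 - 2001-08-14 09:17:00 ISA1 GET http://www.hot-isaserverstuff.com/index.htm 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in #Fields."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("log record appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch in record: {line!r}")
        yield dict(zip(fields, values))


def clients_by_site(text):
    """Published site FQDN -> sorted list of distinct external client IPs."""
    sites = defaultdict(set)
    for rec in parse_w3c(text):
        host = urlsplit(rec["cs-uri"]).hostname  # site is taken from the URL
        if host:
            sites[host].add(rec["c-ip"])
    return {host: sorted(ips) for host, ips in sites.items()}


def rejected_requests(text):
    """(client IP, URL) for every request answered with a 4xx/5xx status."""
    hits = []
    for rec in parse_w3c(text):
        status = rec["sc-status"]
        if status.isdigit() and int(status) >= 400:
            hits.append((rec["c-ip"], rec["cs-uri"]))
    return hits


if __name__ == "__main__":
    for site, ips in sorted(clients_by_site(SAMPLE_LOG).items()):
        print(site, ips)
    print(rejected_requests(SAMPLE_LOG))
```

Point the script at the Web Proxy service's daily log file instead of SAMPLE_LOG and the same two functions give you, per published FQDN, the client addresses that the internal server's log shows only as the ISA Server's internal interface.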

In this case, you will need to use Server Publishing Rules to publish
your Web Sites. When you publish a Web Site using Server Publishing
Rules, the source IP address remains intact.

However, if you want to publish multiple internal Web Sites, you will
need to bind multiple IP addresses on the external interface of the ISA
Server. After binding multiple IP addresses to the external interface,
you can publish one Web Site for each IP address on the external
interface.

There are some disadvantages to using Server Publishing to publish an
internal web site. These include:

*You must create an HTTP Server Protocol Definition
*You will not be able to take advantage of the Web Proxy Cache
*You will not be able to perform port redirection
*You cannot control access by using Destination Sets
*You cannot take advantage of SSL Bridging

On the other hand, it's a heck of a lot easier to publish an SSL Web
Site using Server Publishing Rules than it is using Web Publishing Rules.

To Publish a Web Site using Server Publishing Rules, expand the
"Publishing" node in the left pane of the ISA Server Management Console
and right click the "Server Publishing Rules" node. Click "New" and then
click "Rule".

On the first page, name the rule. On the "Address Mapping" page, type in
the IP address of the internal Web Server and the IP address that you
want to use on the external interface of the ISA Server. On the Protocol
Settings tab, select the name of the HTTP Server Protocol Definition
that you created. On the "Client Type" page select "Any Request" to
allow everyone access. Confirm your settings and click "Finish".

-----------------------------------------
6. Summary
-----------------------------------------
There are two ways you can publish multiple internal Web Sites using ISA
Server. The best way is to use Web Publishing Rules. When you use Web
Publishing Rules, you take advantage of the sophisticated features
provided by the Web Proxy service. On the other hand, if you require
that the source IP address remain intact so that it shows up in the
internal web server's logs, then you will need to use Server Publishing
Rules.

Whether you use Web Publishing or Server Publishing Rules, always make
sure to test the functionality of your publishing rules after you create
them. Always test your rules from a client on an external network.
Remember, the entire point of publishing is to make internal resources
available to external hosts; the point is *not* to use the ISA Server to
redirect requests for internal resources through the ISA Server for
internal network clients.

==================================
==================================
ADVERTISEMENT
Do you have "Configuring ISA Server 2000: Creating Firewalls With
Windows 2000" by Tom Shinder, Deb Shinder and Martin Grasdal? If not,
you have to grab this must have book on ISA Server!

This book is the *only* book mentioned in the references of the US
National Security Agency's (NSA) recommendations for securing networks
using Microsoft ISA Server 2000!

Tom supports the book on the www.isaserver.org message boards. What
other author gives you this kind of curb service on his book?

If you don't have the book yet, get it now from the link on the front
page of www.isaserver.org. You'll also help support the site that
supports you!

==================================
==================================
**TIP OF THE WEEK**

This week's ISA Server Tip is courtesy of Damir. He adds another arrow
in our quiver for solving the dreaded 14120 error problem. He posted
this tip at http://www.isaserver.org/ubb/Forum14/HTML/000036.html

"I have found a working solution for 14120 error in application log.

The error appears when a client from internal network tries to access
the ISA server computer via an external IP address. Because the external
IP address of ISA is not in the LAT, ISA tries to connect using IP
packet filter and fails, which causes the 14120 error.

First, remove host records in the internal DNS server that refer to the
external IP address of ISA Server. Leave only HOST records that refer
to the internal IP. Also, if ISA Server is acting as a DNS server, set it
to listen only on the internal IP address.

Second, go to the Properties page of "My Network Places", and then on
"Advanced" menu select "Advanced Settings". On the "Adapter and
Bindings" tab in Connections window, move the LAN connection to the top
and click OK.

This will force your internal clients on the LAN to communicate with ISA
Server only by internal IP address which is the right way.

Of course, it's important to have IP addresses for the LAN in the LAT of ISA.
I hope this will solve 14120 problems."

==================================
**MAILING LIST POST OF THE WEEK**

The Mailing List Post of the Week comes from Christian Sommer, who
always posts useful and hard to find tips and tricks when he finds time
to post:

"For file transfers with the MSN-Messenger, you need secondary
connections on Ports 6891-6900 TCP inbound and outbound. This is in
addition to the primary connection that uses TCP port 1863 outbound.

Also you must change the Firewall Client properties on the ISA:
"Application Settings" new entry.
APP: msmgs
Key: NameResolutionForLocalHost; Value: P"

==================================
**WEB BOARDS POST OF THE WEEK**

The Web Boards Post of the Week comes from James Taylor. James is a
regular contributor to the Web Boards and he has the unique skill of
being able to solve the toughest of problems. In this post he solves the
SecuRemote problem:

"I made my Securemote stuff work.

I logged a session using a sniffer, and noticed topology requests were
made outbound on TCP port 264 with a dynamically assigned source port.
Authentication to the Policy Server was made on UDP 500 with a
dynamically assigned source port, one packet out and one packet in.

I created 2 packet filters, one for TCP 264 outbound, and one for UDP 500
send-receive.

I created protocol definitions for the above two ports, and then created
a protocol rule that allowed TCP 264 and UDP 500.

I think the difference between my client and your client is that mine
encapsulates the packets with a UDP header to sneak it past NAT
(assuming that what I've been told is correct in that my IKE sessions
are using IPSec to transmit the data). It looks like your client, if it
is using TCP 50 and 51, doesn't, so your stuff won't work. You might
look into that. "

[this post was made in the VPN discussion group on the www.isaserver.org
web boards]

==================================
**ISA Server Link of the Week**

The ISA Server Link of the Week is Jaime Pirnie's excellent web page on
how to configure ISA Server to support gamers! Check it out:
http://www.pirnie.org/isaserver/app-ports.shtml

==================================
==================================
ADVERTISEMENT
LANguard Content Filtering & Anti-Virus for ISA Server

Provides content checking and anti-virus of HTTP and FTP downloads and browsing. LANguard will check inbound traffic for viruses, malicious scripts and objectionable material. It also permits quarantining of downloads for approval. In addition, LANguard content filtering allows you to set up rules that can stop unproductive use of the Internet at the workplace.
More info at http://www.gfi.com/isanl.shtml
==================================
==================================

**Ask Dr. Tom**

This question comes from Kenneth Watson:

"I'm in the process of studying for the ISA Server 2000 exam -- 70-227.
What do you recommend to prepare me for the exam?"

Answer:
First off, you know I'm going to tell you to get our book. We go into
all the details you need to understand what's going on with ISA Server,
and where the real-world pitfalls and "gotcha's" might pop up. Plus, if
you have any questions about what you read, you can post them to the Web
Boards and get an answer.

In addition to our book, you should read a study guide dedicated to the
test. While our book will get your ISA Server up and running and tell
you how things actually work, the test will require you to know how
things are supposed to work :-)

I've had the unique opportunity to read all of the ISA Server books that
have been published. To prepare for the exam, I would recommend the
Coriolis Exam Prep book and/or the MS Press Exam Study Guide. Both are
very good and have exercises that will help you if you don't have
extensive experience with ISA Server in a production environment.

If you have the money, or if your company is willing to pay for classes,
I highly recommend that you take the MOC class for ISA Server at a local
CTEC. The MOC for ISA Server is absolutely top notch and was developed
by one of the few real ISA Server prodigies, Joern Wettern. Even if you
can't afford the class, you might want to contact your CTEC and see if
you can purchase a copy of the MOC binder.

==================================
**ISA Server Hero of the Month -- Jim Harrison**

I will announce in each newsletter an "ISA Server Hero of the Month". Our
ISA Server Heroes are posters or authors who go above and beyond the call
of duty. They solve the impossible problems or answer a large number of
questions for other ISA Server warriors. ISA Server Heroes receive a hamper filled with lots of goodies, so get posting today for your free hamper!

This week's ISA Server Hero is Jim Harrison. Jim has been tireless in
his support of the Isaserver.org mailing list. Hardly a question goes by
without him coming up with something useful or informative. Jim has gone
above and beyond the call of duty and therefore is awarded the honor of
Isaserver.org's "ISA Server Hero of the Month" and we bestow upon him all
the rights and privileges thereof.

Congratulations, Jim! (now you can put this on your resume)

==================================

Copyright(c) isaserver.org August 2001
All Rights Reserved
Disclaimer:
We are not responsible for anything good or bad that might happen to
your systems based on the advice given herein. You must test and retest
the configuration options suggested in this newsletter and validate and
confirm for yourself that they work as you intend.