ISAserver.org Newsletter of August 14th 2001

http://www.isaserver.org

In this issue:

**Feature: Publishing Multiple Web Sites
**Tip of the Week
**Mailing List Post of the Week
**Web Board Post of the Week
**ISA Server link of the week
**Ask Dr. Tom
**ISA Server Hero of the Month -- Jim Harrison

===============================
Welcome to the second ISAserver.org newsletter! Each week we will bring you
interesting and helpful information on ISA Server. We want to know what
*you* are interested in hearing about. Please send your suggestions
for future newsletter content to: tshinder@isaserver.org
===============================

**Feature: Publishing Multiple Web Sites**
By Thomas W Shinder, M.D., MCSE, etc.

1. Overview
2. Setting up the Inbound Web Requests Listener
3. Configuring the Supporting Policy Elements
4. Creating the Web Publishing Rules
5. Using Server Publishing Rules for Web Publishing
6. Summary

-----------------------------------------
1. Overview
-----------------------------------------
You can make Web Sites on your internal network available by using ISA
Server Web and Server Publishing Rules. These rules allow you to
redirect requests arriving at the external interface of the ISA Server
to an internal Web Server. By using Publishing Rules, you never have to
expose your Internet accessible servers directly to Internet
hosts; all requests will be evaluated by the ISA Server before they ever
touch your servers.

One of the really cool things about ISA Server Web Publishing is that
you can configure a single IP address on the external interface and
publish multiple sites using that IP address. The ability to publish
multiple web sites with a single IP address is helpful for those of you
who have only a single IP address available to expose to the Internet,
or if you must use dynamically assigned IP addresses.

In this article, we'll cover the following issues regarding
Publishing multiple Web Sites using ISA Server:

--Setting up the Incoming Web Requests Listener
--Configuring the Supporting Policy Elements
--Creating the Web Publishing Rules
--Using Server Publishing Rules for Web Publishing

-----------------------------------------
2. Setting up the Inbound Web Requests Listener
-----------------------------------------
The first step in setting up your server to publish multiple web sites
is to configure the Inbound Web Requests Listener.

To configure the Inbound Web Requests Listener, right click your Server
or Array > click Properties > click on the Incoming Web Requests tab.

If you have a single IP address bound to the external interface of the
ISA Server, or if you are using a dynamically assigned IP address,
select the "Use the same listener configuration for all IP addresses"
option. If you have multiple IP addresses bound to the external
interface of the ISA Server, I recommend you select the "Configure
listeners individually per IP address" option.

You can change the port number incoming requests must be sent to.
However, I do not recommend that you change it from its default setting,
which is Port 80. If you do change it, external users will need to
include the port number when they request resources from your published
servers.

If you want to secure communications between the external Web client
(browser) and the ISA Server, you can enable the SSL listener on the
default port 443. Again, if you change the port number, users will have
to include the alternative port number in their requests.

You can enable the option to require authentication with the ISA Server
before users access the internal web site. However, if you are running a
public site, you will not want to enable this option. I recommend that
you do not enable this option at all, unless you never intend to publish
sites available to the general public. If you need users to authenticate
with a Web Site, configure the authentication options at the web site
and not at the Incoming Web Requests Listener.

-----------------------------------------
3. Configuring the Supporting Policy Elements
-----------------------------------------
All ISA Server rules require Policy Elements. The Policy Elements you
need to create depend on what type of Rule you want to make, and how you
want to configure a particular Rule.

To Publish Multiple Web Sites, you need to configure, at the very least,
a Destination Set for each of the Web Sites you want to publish.

For example, suppose you want to publish two Web Sites. One site will
respond to requests for www.hot-isaserverstuff.com and the other site
will respond to requests for www.cold-isaserverstuff.com. You need to
create two Destination Sets, one for each of these Sites.

To create a Destination Set, expand the Policy Elements node in the left
pane of the ISA Server Management Console and right click on the
"Destination Sets" node. Click New and then click "Set".

Give the Destination Set a Name and a Description. I find it useful to
include in the Description the FQDN(s) that are included in the set,
because you'll see the description information displayed in several of
the wizards. To add a Destination to the Set, click the "Add" button.

To publish the root of the web site and all files and folders in the
site, enter the FQDN that external users will use to access the site in
the "Destination" text box. In the "Path" text box type "/*" (without
the quotation marks).

Do *not* use an IP address for your destinations. ISA Server admins
often try to use IP addresses in their Destination Sets when they have
multiple IP addresses bound to the external interface of the ISA Server.
They find out soon enough that when they try to use these Destination
Sets, they do not work. Only the Destination Set at the top of the list
works. There is an issue with ISA Server which prevents this from
working. However, you may be able to obtain a fix by calling Microsoft
PSS.

Since you have to use FQDNs in your Destination Sets, you will have to
create DNS entries for these FQDNs. Make sure that you register each of
these Destinations on a publicly available DNS server if you want
external users to access your public sites.

You can get creative with your Destination Sets by using Path
statements. For example, you might have two servers on your internal
network and you want one of the servers to respond to the URL
http://www.corp.com/hot-stuff and the other server to respond to the URL
http://www.corp.com/cold-stuff.

Just make two Destination Sets; one with the FQDN of www.corp.com and
the path /hot-stuff/* and the other with the FQDN www.corp.com and the
path /cold-stuff/*. You can then create two Web Publishing Rules; one
for each of these Destination Sets.

-----------------------------------------
4. Creating the Web Publishing Rules
-----------------------------------------
The next step is to configure the Web Publishing Rules. Expand the
"Publishing" node in the left pane of the ISA Management Console and
right click the "Web Publishing Rules" node. Click "New" and click
"Rule".

On the first page you name the rule. On the "Destination Sets" page,
select the option for "Specified Destination Set" and then select one of
the Destination Sets you created for your Web Sites. On the "Client
Type" page, select "Any Request" to allow everyone access to the site.

The "Rule Action" page is where the money is at. Select the "Redirect
the request to this internal Web Server (name or IP address)" option. If
you want to make your life as simple as possible, type in the IP address
of the internal server. However, if you do this, you might see the
dreaded 14120 error in your Event Logs.

You have the option of putting in the INTERNAL name of the server in
this box, but if you use a FQDN, make sure the ISA Server can resolve
the name. This means setting up DNS correctly on your internal network
and the DNS settings on the ISA Server itself. If you're not sure how to
do this, run over to the Learning Zone at www.isaserver.org and check
out Jim Harrison's excellent articles on network preparation and ISA
TCP/IP interface configuration.

If you are publishing OWA sites, or if you are using Host headers rather
than multiple IP addresses or ports on an internal Web Server to host
multiple sites, then you need to enable the checkbox that sends the
original Host Header.

Web Publishing is the only place where you can implement port
redirection. For example, if you want to publish multiple Web Sites on
an internal server, and each of those Web Sites listens on a different
port number, you can configure the Web Publishing Rule to redirect a
particular Destination Set to a particular port on the internal web
server. You configure your port redirection requirements on the "Rule
Action" page as well.

On the last page of the Wizard, check your configuration and click
"Finish".

Now, repeat the entire process with your second Destination Set, but on
the "Rule Action" page, send the requests to another Web Server or to a
different port on the same Web Server (or enable sending the original
host header if you are using Host Headers to manage multiple sites on
the internal Web Server).
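
The following is an added example, not part of the original article and
not ISA Server code: a small Python model of how a Destination Set (FQDN
plus path) selects the internal server, port and Host header. The
internal addresses, first-match ordering, case-insensitive matching and
the Host header sent when the checkbox is off are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WebPublishingRule:
    fqdn: str                 # Destination Set "Destination" (an FQDN, not an IP)
    path: str                 # Destination Set "Path", e.g. "/hot-stuff/*"
    internal_server: str      # redirect target on the "Rule Action" page
    internal_port: int = 80   # port redirection on the "Rule Action" page
    send_original_host: bool = False  # "send the original Host Header" checkbox

# Constructed rules using the article's names; internal addresses are made up.
RULES = [
    WebPublishingRule("www.corp.com", "/hot-stuff/*", "10.0.0.11"),
    WebPublishingRule("www.corp.com", "/cold-stuff/*", "10.0.0.12", 8080),
    WebPublishingRule("www.hot-isaserverstuff.com", "/*", "10.0.0.13",
                      send_original_host=True),
]

def path_matches(pattern, path):
    """A trailing "*" means "this prefix and everything below it"."""
    if pattern.endswith("*"):
        return path.lower().startswith(pattern[:-1].lower())
    return path.lower() == pattern.lower()

def route(host_header, path, rules=RULES):
    """Return (server, port, Host header sent inward), or None if no rule matches."""
    # Normalise the client's Host header: drop any port and trailing dot.
    host = host_header.partition(":")[0].rstrip(".").lower()
    for rule in rules:  # assumption: rules are evaluated top to bottom
        if host == rule.fqdn.lower() and path_matches(rule.path, path):
            # Assumption: without the checkbox, the internal server sees the
            # name or IP typed into the rule instead of the public FQDN.
            inward_host = host if rule.send_original_host else rule.internal_server
            return rule.internal_server, rule.internal_port, inward_host
    return None  # nothing published for this host/path, so nothing is forwarded

if __name__ == "__main__":
    for h, p in [("www.corp.com", "/hot-stuff/index.htm"),
                 ("www.corp.com:80", "/cold-stuff/a.gif"),
                 ("www.hot-isaserverstuff.com", "/"),
                 ("203.0.113.10", "/")]:
        print(h, p, "->", route(h, p))
```

In this model a request that names the external IP address instead of a
published FQDN matches no Destination Set and is not forwarded.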

-----------------------------------------
5. Using Server Publishing Rules for Web Publishing
-----------------------------------------
The Web Publishing Rules take advantage of the ability of the Web Proxy
service to examine application layer HTTP header information and make
decisions about routing packets based on that information. The Web Proxy
service is quite cool, and if you need to publish Web Sites, you should
make it a practice to use Web Publishing Rules to do it.

However, there is a major limitation to using the Web Proxy service to
publish Web Sites: the IP address of the internal interface of the ISA
server will show up in the log files on the internal web server. If you
need information about the source IP address for the requests to the
internal web server, you might be out of luck.

One option is to parse the Web Proxy service logs for the destination
URL for each of your sites and extract the information you need from
there. However, you might not want to do this because it is time
consuming or you have an application that works with the web server logs
already and you don't want to move away from that application.

In this case, you will need to use Server Publishing Rules to publish
your Web Sites. When you publish a Web Site using Server Publishing
Rules, the source IP address remains intact.

However, if you want to publish multiple internal Web Sites, you will
need to bind multiple IP addresses on the external interface of the ISA
Server. After binding multiple IP addresses to the external interface,
you can publish one Web Site for each IP address on the external
interface.
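
For the log-parsing option mentioned above, here is an added example (not
from the original article) that recovers the client IP addresses per
published site from a Web Proxy log in W3C extended format. It assumes
the log declares its columns in a "#Fields:" directive and includes
c-ip and cs-uri columns; the sample lines are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, tab-separated W3C extended format; not real log data.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tdate\ttime\tcs-uri\tsc-status",
    "198.51.100.7\t2001-08-14\t09:15:02\thttp://www.hot-isaserverstuff.com/\t200",
    "198.51.100.7\t2001-08-14\t09:15:03\thttp://www.hot-isaserverstuff.com/hot.htm\t200",
    "203.0.113.25\t2001-08-14\t09:16:40\thttp://WWW.cold-isaserverstuff.com/\t200",
    "192.0.2.44\t2001-08-14\t09:17:11\thttp://www.hot-isaserverstuff.com/\t404",
    "203.0.113.25\t2001-08-14",  # truncated line, must be skipped
    "192.0.2.80\t2001-08-14\t09:18:00\thttp://www.unrelated.example/\t403",
])

def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # Column order comes from the log itself, not from this script.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or damaged lines
                yield dict(zip(fields, values))

def clients_by_site(lines, sites):
    """Map each published FQDN to {client IP: request count}."""
    wanted = {s.lower() for s in sites}
    hits = defaultdict(Counter)
    for rec in parse_w3c(lines):
        # cs-uri is assumed to hold the full requested URL; "-" means no value.
        host = (urlsplit(rec.get("cs-uri", "")).hostname or "").lower()
        client = rec.get("c-ip", "-")
        if host in wanted and client != "-":
            hits[host][client] += 1
    return {host: dict(counts) for host, counts in hits.items()}

if __name__ == "__main__":
    published = ["www.hot-isaserverstuff.com", "www.cold-isaserverstuff.com"]
    for site, clients in clients_by_site(SAMPLE_LOG.splitlines(), published).items():
        print(site, clients)
```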

There are some disadvantages to using Server Publishing to publish an
internal web site. These include:

*You must create an HTTP Server Protocol Definition
*You will not be able to take advantage of the Web Proxy Cache
*You will not be able to perform port redirection
*You cannot control access by using Destination Sets
*You cannot take advantage of SSL Bridging

On the other hand, it's a heck of a lot easier to publish an SSL Web Site
using Server Publishing Rules than it is using Web Publishing Rules.

To Publish a Web Site using Server Publishing Rules, expand the
"Publishing" node in the left pane of the ISA Server Management Console
and right click the "Server Publishing Rules" node. Click "New" and then
click "Rule".

On the first page, name the rule. On the "Address Mapping" page, type in
the IP address of the internal Web Server and the IP address that you
want to use on the external interface of the ISA Server. On the Protocol
Settings tab, select the name of the HTTP Server Protocol Definition