Sponsored by: GFI Software Ltd. & WebTrends
ISAserver.org Newsletter
November 7th, 2001
In this issue:
*Feature: Publish an FTP Site Using Web Publishing
*ISAServer.org Learning Zone Articles of Interest
*Q Articles of the Month
*Mailing List Post of the Month
*Web Board Post of the Month
*ISA Server Link of the Month
*Ask Dr. Tom
*ISA Server Gurus of the Month -- Shobha Sharma and Jay Schwartzkopf
Welcome to the ISAserver.org newsletter!
Each month we will bring you interesting and helpful information
on ISA Server. We want to know what *you* are interested
in hearing about. Please send your suggestions for future newsletter
content to: tshinder@isaserver.org
1. Feature: Publish an FTP Server Using Web Publishing
By Thomas W Shinder, M.D., MCSE, etc.
1. Overview
2. Configure the Incoming Web Requests Listener
3. Creating the Destination Set
4. Creating the Web Publishing Rule
5. Summary
1. Overview
If you've been using ISA Server for a while, you probably have
published a Web site or two. When publishing Web Sites, you actually
have two options:
- Use Web Publishing Rules
- Use Server Publishing Rules
You would typically use Web Publishing Rules to publish Web sites
because Web Publishing Rules have several advantages over Server
Publishing rules. These advantages include:
- Reverse Caching of published web sites
- Authentication at the Incoming Web Requests Listener
- Ability to publish multiple Web sites with a single public IP
address
- Port redirection for HTTP requests
- Protocol Redirection
The only advantage that Server Publishing Rules have over Web Publishing
Rules is that when you publish a Web site using Server Publishing
Rules, the actual source IP address appears in the Web server's
log files. If you use Web Publishing, the internal IP address of
the ISA Server will appear in all requests logged at the Web server.
You will have to parse the Web Proxy log on the ISA Server to get
information about client IP addresses.
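Because the Web server's own log only ever shows the ISA Server's internal address, the real client addresses have to be pulled out of the Web Proxy log. The following is an added example (not part of the newsletter and not ISA Server code) of a small W3C extended log reader that does that. The log lines and the field list in the `#Fields:` directive are constructed for the example; the parser takes its column names from that directive, so on a real log it uses whatever fields your ISA Server writes rather than an assumed set.

```python
"""Recover client IPs for a published site from a W3C extended log (added example)."""
from collections import Counter

# Constructed sample log.  The #Fields line and every data row are made up for
# this example; the parser reads the column names from #Fields, so a real
# ISA Web Proxy log with a different field set is handled the same way.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2001-11-07 10:00:00
#Fields: c-ip cs-username date time r-host r-ip r-port cs-method cs-uri sc-status
203.0.113.10 anonymous 2001-11-07 10:00:01 ftp.external.com 192.168.1.20 21 GET http://ftp.external.com/pub/readme.txt 200
203.0.113.10 anonymous 2001-11-07 10:00:03 ftp.external.com 192.168.1.20 21 GET http://ftp.external.com/pub/tools.zip 200
198.51.100.7 DOMAIN\\jsmith 2001-11-07 10:00:05 ftp.external.com 192.168.1.20 21 GET http://ftp.external.com/private/plan.doc 401
198.51.100.7 DOMAIN\\jsmith 2001-11-07 10:00:06 ftp.external.com 192.168.1.20 21 GET http://ftp.external.com/private/plan.doc 200
192.0.2.44 anonymous 2001-11-07 10:00:09 www.external.com 192.168.1.10 80 GET http://www.external.com/index.htm 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    Lines starting with '#' are directives; '#Fields:' names the columns of
    the data rows that follow it.  A row whose token count does not match
    the field list is treated as corrupt and reported rather than guessed at.
    """
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("line %d: data row before #Fields directive" % lineno)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("line %d: expected %d fields, got %d" % (lineno, len(fields), len(values)))
        records.append(dict(zip(fields, values)))
    return records


def clients_for_published_host(records, published_host):
    """Count requests per real client IP (c-ip) for one published destination (r-host)."""
    counts = Counter()
    for rec in records:
        if rec["r-host"].lower() == published_host.lower():
            counts[rec["c-ip"]] += 1
    return dict(counts)


def authenticated_users(records):
    """Usernames that authenticated at the listener (everything but 'anonymous')."""
    return {rec["cs-username"] for rec in records if rec["cs-username"].lower() != "anonymous"}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(clients_for_published_host(recs, "ftp.external.com"))
    print(authenticated_users(recs))
```

The client address lives in the Web Proxy log's `c-ip` column (assumed name here) while the published server only sees the ISA Server; pairing this with the Web server log by timestamp is the practical way to attribute a request to an external client.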
The Web Publishing feature I would like to cover in this edition
of the ISAserver.org newsletter is the Web Publishing Rule's ability
to perform protocol redirection. A Web Publishing Rule can be used
to publish an internal FTP site. There are several advantages to
publishing an FTP site using a Web Publishing Rule:
- The content is reverse cached on the ISA Server
- You can use any port number you like on the FTP server
- Users are more accustomed to using browsers than FTP clients
- You can use all authentication methods available on the listener
The last feature is perhaps the most valuable. One of the problems
with the IIS FTP service is that you can only use Basic authentication
to authenticate against the IIS FTP site. Because of this authentication
issue, most IIS FTP sites are best configured for anonymous access
only, in order to prevent usernames and passwords from being captured.
Web Publishing your FTP server gets around this limitation because
you can authenticate at the Listener, rather than with the site.
The Incoming Web Requests listener can require Basic, Integrated,
Digest or Certificate authentication. In addition, you can secure
the link between the client and the listener using SSL. Thus, not
only are you able to protect user credentials, you are also able
to protect the confidentiality of the data between the client and
server.
Most of the steps required to Web Publish an FTP site are the same
as publishing a Web site.
2. Configure the Incoming Web Requests Listener

The Incoming Web Requests listener is the IP address or interface
on which you want the Web Publishing Rule to accept requests. You
can configure a single listener to listen on all IP addresses on
the external interface of the ISA Server, or you can configure individual
listeners on different IP addresses. The advantages of configuring
individual listeners include:
- Different authentication methods can be applied to each listener
- Different certificates can be bound to each listener
The second feature is especially important because if you need
to publish multiple web servers or FTP servers on the internal network
using different certificates, then you'll need to configure a separate
listener for each certificate. Only one certificate can be bound
to each listener.
To configure the Incoming Web Requests listener, perform the following
steps:
1. In the ISA Management console, right click on your server or
array name and click Properties
2. Click on the Incoming Web Requests tab. The default setting
is to have the same listener configuration for all IP addresses.
If you want to configure separate listeners, click the Add button.
If you are using the same configuration for all IP addresses, or
if you clicked Add, click the Edit button.
3. Here you can configure the authentication methods you want to
use. Keep in mind that if you want to use Integrated authentication,
the clients must be using IE. And if you want to use Digest authentication,
then the clients must be using IE 5 or above, and the domain must
be a Windows 2000 domain.
3. Create the Destination Set

One of the big differences between Web Publishing and Server Publishing
Rules is that Web Publishing Rules require a Destination Set. The
Web Proxy service will read the destination in the HTTP header and
attempt to match it with a Destination contained in a Destination
Set in your Web Publishing Rules. At this time, I highly recommend
that you use only FQDNs in your Destination Sets and *not* use IP
addresses. If you must use IP addresses, I suggest you call PSS
and obtain a hotfix that might help with publishing sites using
just IP addresses.
To create the Destination Set, perform the following steps:
1. In the ISA Management console, expand your server or array name,
and then expand the Policy Elements node. Right click on the Destination
Sets node, point to New, and then click Set.
2. In the New Destination Set dialog box, give the set a name like
"FTP Server for Blobal.com". In the Description you should include
the FQDN(s) that you will use in the set. This will make your life
easier in the future, trust me. Click the Add button.
3. In the Add/Edit Destination dialog box, select the Destination
option, and then type in the FQDN that *external* users will use
to access your published site. It is important that you use the
FQDN that *external* users will use. For example, if the FTP site
is on a machine that goes by the name of ftp.internal.com on your
internal network, you do *not* use ftp.internal.com. You must use
the name that resolves to the IP address of your Incoming Web Requests
listener. So, if users will type http://ftp.external.com into
their Web browsers to access the site, that is what you should type
in the Destination text box.
4. Click OK and then click OK again.
4. Create the Web Publishing Rule
Now that you have a Destination Set, you can create the Web Publishing
Rule:
1. In the ISA Management console, expand your server or array name
and then expand the Publishing node in the left pane. Right click
on the Web Publishing Rules node and then point to New and then
click Rule.
2. On the first page of the Wizard, type in the name for the rule
and click Next.
3. On the Destination Sets page, select Specified Destination Set
and then select the name of the Destination Set you just created.
Notice that the FQDNs show up in the Description area. Click Next.
4. On the Client Type page, select the appropriate client type
depending on the type of access control you require, then click
Next.
5. On the Rule Action page, select the Redirect the request to
this internal Web server (name or IP address) option. Type in the
name or IP address of the internal server and choose the port number
to which the FTP request is redirected. The default is 21, but you
can change it to any port you have configured the FTP server to
listen on. Click Next.
6. On the last page of the Wizard review your settings and click
Finish.
At this point you have published the Web site on that internal
server. In order to publish the FTP site, you need to configure
the rule to redirect HTTP requests as FTP requests.
1. Double click on the rule you just created.
2. In the Properties dialog box, click on the Bridging tab.
3. In the Redirect HTTP requests as frame, select the FTP requests
option. Click Apply and then click OK.
After a few moments (maybe longer if the server is busy), the rule
will take effect. You do not need to restart the server.
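To make the effect of each setting in the procedure above checkable offline, here is an added example (not from the newsletter and not ISA Server code) that models the evaluation order the article describes: the listener that received the request, the authentication the listener demands, the Destination Set match against the browser's Host header, and finally the redirect target built from the rule's internal server, port and Bridging setting. The listener IP, FQDNs, port 2121 and the refusal strings are constructed for the example; the 401/404 codes and the "downloads only" check are modelling choices that follow the article's text, not a claim about ISA Server's exact responses.

```python
"""Model of how a Web Publishing Rule selects and redirects a request (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Listener:
    ip: str                     # external IP the Incoming Web Requests listener is bound to
    auth_methods: frozenset     # accepted: "basic", "integrated", "digest", "certificate"
    ssl: bool = False           # listener requires SSL, protecting credentials on the wire


@dataclass
class DestinationSet:
    name: str
    destinations: tuple         # FQDNs that *external* users type into the browser


@dataclass
class WebPublishingRule:
    name: str
    destination_set: DestinationSet
    internal_server: str        # name or IP of the internal server
    port: int = 80              # port the internal server listens on
    redirect_as: str = "http"   # Bridging tab setting: "http" or "ftp"


@dataclass
class Request:
    listener_ip: str            # IP address the request arrived on
    host: str                   # Host header sent by the browser
    path: str
    method: str = "GET"
    auth_method: Optional[str] = None   # how the client authenticated, if at all
    ssl: bool = False


def validate_destination_set(ds):
    """Raise if a Destination Set holds an IP literal; the article says FQDNs only."""
    for dest in ds.destinations:
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            continue                # not an IP address, so it is an FQDN: fine
        raise ValueError("%s: %r is an IP address; use the external FQDN" % (ds.name, dest))


def evaluate(listeners, rules, req):
    """Return the URL ISA would fetch on the client's behalf, or a refusal string."""
    listener = next((l for l in listeners if l.ip == req.listener_ip), None)
    if listener is None:
        return "refused: no listener on %s" % req.listener_ip
    if listener.ssl and not req.ssl:
        return "refused: listener requires SSL"
    if listener.auth_methods and req.auth_method not in listener.auth_methods:
        return "401: listener accepts %s" % ", ".join(sorted(listener.auth_methods))
    for rule in rules:
        validate_destination_set(rule.destination_set)
        if req.host.lower() in (d.lower() for d in rule.destination_set.destinations):
            if rule.redirect_as == "ftp" and req.method != "GET":
                # models the article's caveat: no uploads through an FTP-redirected rule
                return "refused: only downloads are possible via FTP redirection"
            return "%s://%s:%d%s" % (rule.redirect_as, rule.internal_server, rule.port, req.path)
    return "404: no Destination Set matches Host %r" % req.host


# Constructed configuration mirroring the article's walk-through (all values made up).
LISTENERS = [Listener(ip="203.0.113.5", auth_methods=frozenset({"integrated", "digest"}), ssl=True)]
FTP_SET = DestinationSet("FTP Server for external.com", ("ftp.external.com",))
RULES = [WebPublishingRule("Publish FTP", FTP_SET, internal_server="ftp.internal.com",
                           port=2121, redirect_as="ftp")]


def demo():
    """Run representative requests through the model and return their outcomes."""
    good = Request("203.0.113.5", "ftp.external.com", "/pub/readme.txt",
                   auth_method="integrated", ssl=True)
    wrong_name = Request("203.0.113.5", "ftp.internal.com", "/pub/readme.txt",
                         auth_method="integrated", ssl=True)       # internal name in Host: no match
    no_auth = Request("203.0.113.5", "ftp.external.com", "/pub/readme.txt", ssl=True)
    upload = Request("203.0.113.5", "ftp.external.com", "/pub/new.txt", method="PUT",
                     auth_method="integrated", ssl=True)
    return {
        "good": evaluate(LISTENERS, RULES, good),
        "wrong_name": evaluate(LISTENERS, RULES, wrong_name),
        "no_auth": evaluate(LISTENERS, RULES, no_auth),
        "upload": evaluate(LISTENERS, RULES, upload),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-10s %s" % (label, result))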
5. Summary 
Setting up a Web Publishing Rule to publish FTP sites is easy.
The entire procedure is almost exactly the same as publishing a
Web site, except for the the extra step required to redirect HTTP
requests as FTP requests. With the Web Publishing rule, you have
all the advantages conferred by the Web Proxy service. The only
disadvantage is that you cannot upload to an FTP site using this
method.
| ADVERTISEMENT |
|
FIREWALL SECURITY: FREE TRIAL from WebTrends
WebTrends'Firewall Suite captures every action across your
firewall. This award-winning software identifies and reports
on critical security events, provides immediate alerts and
more than 200 reports for IT managers and security professionals.
Firewall Suite supports more than 35 leading firewall and
proxy servers, including Cisco and Check Point.. Download
it now:
http://www.isaserver.org/pages/WebTrends.htm
|
2 .ISAServer.org Learning Zone articles of
Interest  |
We have a great group of articles in the Learning Zone that will
help you get a handle on your most difficult configuration issues.
Check out some of these:
Configuring SSL Bridging
http://www.isaserver.org/pages/tutorials/SSL%20Bridging.htm
Publishing a Host Using PCAnywhere Behind ISA
http://www.isaserver.org/pages/tutorials/hostpcanywhere.htm
Configuring Network Load Balancing
http://www.isaserver.org/pages/tutorials/network_load_balancing.htm
Configuring ISA Server Interface Settings
http://www.isaserver.org/pages/tutorials/setting_up_machine_before_isa_installtion.htm
Publishing Terminal Services Using the TSAC Client
http://www.isaserver.org/shinder/tutorials/tsac.htm
3 . Q Articles of the Month  |
Just copy and paste the line under the title into your browser
and Go!
ISA Control Service Mspadmin.exe Fails When You Start the MMC
mskb Q306884
Error Message: The Format of the Specified Computer Name Is
Invalid
mskb Q291356
How Internet Security and Acceleration Server Handles the Caching
of
Responses to Requests Received By Web Publishing
mskb Q271272
The ISA Server Response to Client Options Requests Is Limited
to a
Predefined Set
mskb Q304340
| ADVERTISEMENT |
|
LANguard Content Filtering & Anti-Virus for ISA Server
2000
LANguard for ISA Server provides content checking and anti-virus
of HTTP and FTP downloads and browsing. LANguard will check
inbound traffic for viruses, malicious scripts and objectionable
material. It also permits quarantining of downloads for approval.
In addition, LANguard content filtering allows you to set
up rules that can stop unproductive use of the Internet at
the workplace.
Download your Evaluation version today!
http://www.gfi.com/adentry.asp?adv=40&loc=16
|
4. Mailing List Post of the Month  |
A common problem posters complain of are reports that fail to run.
This is often do to corrupted log files. Todd Mathews lends this
piece of very helpful advice:
"What I ended up doing was I changed the format to the W3Cextended
format (That was the format on one server that was doing the reports).
Then I deleted all of the old logfiles that were named like WEBD20011002.log.
A few of them I couldn't do anything with because it kept saying
they were in-use. I rebooted and deleted the rest of the old logs.
The new log(s) will be in the format WEBEXTD20011002.log and I ran
a report. Don't know what or which thing might have done it but
it seems to be working now."
5. Web Boards Post of the Month**  |
BKing answers the mystery of getting certificates installed
on ISA Server in this ace posting:
"I posted a question a few days ago about enabling SSL for web
publishing. I was unable to get the ISA server to recognize that
there was a certificate to use at the operating system level. After
much work, I finally figured it out. Here is how I did it. On the
ISA server go to start, run, and type in MMC. From the MMC window
choose Add/Remove snapin from the menu bar. Click on the add button,
select certificates, click on the add button, select computer account,
click on the next button, select local computer, then click finish,
close and OK to work your way back. Expand the certificates tree,
right click on personal, and from the menu choose all tasks, import.
This will start a wizard to walk you thru installing the certificate.
What you have just done is install the certificate for the computer
account.
Next, reinstall it so that the web proxy service can see it. To
do this, start MMC back up, choose add/remove snapin from the menu,
click on the add button, select certificates, click add, this time
select service account, click on next, choose local computer, select
Microsoft web proxy, then finish, close, OK to work you way back
out. Expand the
certificates tree, right click on w3proxy\personal, click on all
tasks, import and follow the wizard. Close MMC
At this point, in my experience, the certificates have been "registered"
with the OS. Now the ISA server will recognize them. At this point,
you need to enable the ISA server to listen for inbound SSL traffic
and to publish your web site and accept SSL traffic. Both of these
steps are pretty well documented already at this site and at Microsoft's
support
site."
6. ISA Server Link of the Week  |
Microsoft is finally coming out with some good stuff on ISA Server
on their Web Site. Here's a very cool article on Exchange Server
Publishing:
http://www.microsoft.com/isaserver/techinfo/development/ISAandExchange.asp
7. Ask Dr. Tom  |
This question comes from Victor Chu:
"I have been facing a strange problem since I installed ISA server
last year. When our users connect to our Ms Exchange2000(internal
network) using Ms Outlook Express(thru Internet) to send mail to
recipients with external e-mail address (Yahoo!, Hotmail, etc.),
the sending of those message were unsuccessful and Outlook Express
returned an error like this: "The message cannot be send because
one of the following recipients' address has been rejected: somebody@hotmail.com",
although the Outlook Express users were successfully authenticated
by the Exchange server. This problem does not occur when the users
are inside our internal corporate network or when they send mail
to our domain's users (e.g. someone@internal.com). For you info,
the Outlook Express users configured their outgoing mail server
as an SMTP server that requires authentication. I really appreciate
it if you could offer some advice or clue for me to solve this problem.
Please don't hesitate to contact me if you need further info."
Answer:
It sounds like the Exchange Server does not want to relay mail from
the external network clients. I would check the Relay configuration
on the Exchange server and see if there is something that is preventing
these external network clients from Relaying through the server.
The error message indicates that the server doesn't find a user
by that name in the Exchange user list and isn't able to forward
the request.
8. ISA Server Guru's of the Month -- Shobha
Sharma and Jay Schwartzkopf  |
This month we have two ISA Server gurus we would like to honor.
First, Shobha Sharma is presented with this honor because of her
contributions on the ISAserver.org mail list and her excellent article
"Configuring Network Load Balancing" which is published in the Learning
Zone.
Our second ISA Server Guru is Jay Schwartzkopf for an excellent
piece on creating a VPN from a DMZ to the internal network. This
article was a true work of art and earns Jay a hallowed place in
the ISA Server Guru Hall of Fame!
Copyright(c) isaserver.org November
2001 - All Rights Reserved
Disclaimer: We are not responsible for anything good or bad
that might happen to your systems based on the advise given
herein. You must test and retest the configuration options suggested
in this newsletter and validate and confirm for yourself that
they work as you intend. |
|