
ISAserver.org Newsletter of November 7th 2001


Sponsored by: GFI Software Ltd. & WebTrends

In this issue:

*Feature: Publish an FTP Site Using Web Publishing
*ISAServer.org Learning Zone Articles of Interest
*Q Articles of the Month
*Mailing List Post of the Month
*Web Board Post of the Month
*ISA Server Link of the Month
*Ask Dr. Tom
*ISA Server Gurus of the Month -- Shobha Sharma and Jay Schwartzkopf

Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. Feature: Publish an FTP Server Using Web Publishing

By Thomas W Shinder, M.D., MCSE, etc.

1. Overview
2. Configure the Incoming Web Requests Listener
3. Creating the Destination Set
4. Creating the Web Publishing Rule
5. Summary

1. Overview

If you've been using ISA Server for a while, you probably have published a Web site or two. When publishing Web Sites, you actually have two options:

  • Use Web Publishing Rules
  • Use Server Publishing Rules

You would typically use Web Publishing Rules to publish Web sites because Web Publishing Rules have several advantages over Server Publishing rules. These advantages include:

  • Reverse Caching of published web sites
  • Authentication at the Incoming Web Requests Listener
  • Ability to publish multiple Web sites with a single public IP address
  • Port redirection for HTTP requests
  • Protocol Redirection

The only advantage that Server Publishing Rules have over Web Publishing Rules is that when you publish a Web site using Server Publishing Rules, the actual source IP address appears in the Web server's log files. If you use Web Publishing, the internal IP address of the ISA Server will appear in all requests logged at the Web server. You will have to parse the Web Proxy log on the ISA Server to get information about client IP addresses.
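
An added example, not part of the original newsletter: one way to recover client IP addresses for a published site from the Web Proxy log. It assumes the log is written in tab-separated W3C extended format with a #Fields header and that the field names c-ip, r-host and sc-status apply (check the #Fields line of your own log); the sample records and www.external.com are constructed.

```python
"""Summarise client IPs per published site from a W3C extended proxy log."""

FIELDS = ["c-ip", "cs-username", "date", "time", "r-host", "cs-uri", "sc-status"]
# Constructed sample records (documentation addresses), not real log data.
ROWS = [
    ("203.0.113.10", "anonymous", "2001-11-07", "10:01:02",
     "ftp.external.com", "http://ftp.external.com/pub/", "200"),
    ("203.0.113.10", "anonymous", "2001-11-07", "10:01:09",
     "ftp.external.com", "http://ftp.external.com/pub/readme.txt", "200"),
    ("198.51.100.7", "-", "2001-11-07", "10:02:30",
     "ftp.external.com", "http://ftp.external.com/private/", "401"),
    ("198.51.100.7", "anonymous", "2001-11-07", "10:03:00",
     "www.external.com", "http://www.external.com/", "200"),
    ("192.0.2.55", "anonymous", "2001-11-07", "10:04:12",
     "FTP.EXTERNAL.COM", "http://FTP.EXTERNAL.COM/pub/", "200"),
]
SAMPLE_LOG = (["#Version: 1.0", "#Fields: " + "\t".join(FIELDS)]
              + ["\t".join(r) for r in ROWS]
              + ["203.0.113.99\ttruncated-record"])


def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # blank, truncated, or seen before any #Fields header
        yield dict(zip(fields, values))


def clients_for_site(lines, fqdn, host_field="r-host"):
    """Map client IP -> request and 401/403 counts for one published FQDN."""
    wanted = fqdn.lower().rstrip(".")
    summary = {}
    for rec in parse_w3c(lines):
        if rec.get(host_field, "").lower().rstrip(".") != wanted:
            continue
        entry = summary.setdefault(rec.get("c-ip", "-"), {"requests": 0, "denied": 0})
        entry["requests"] += 1
        entry["denied"] += int(rec.get("sc-status") in ("401", "403"))
    return summary


if __name__ == "__main__":
    for ip, counts in clients_for_site(SAMPLE_LOG, "ftp.external.com").items():
        print(ip, counts)
```

Pass a different host_field if your log records the requested destination under another field name.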

The Web Publishing feature I would like to cover in this edition of the ISAserver.org newsletter is the ability of Web Publishing Rules to perform protocol redirection. A Web Publishing Rule can be used to publish an internal FTP site. There are several advantages to publishing an FTP site using a Web Publishing Rule:

  • The content is reverse cached on the ISA Server
  • You can use any port number you like on the FTP server
  • Users are more accustomed to using browsers than FTP clients
  • You can use all authentication methods available on the listener

The last feature is perhaps the most valuable. One of the problems with the IIS FTP service is that you can only use basic authentication to authenticate against the IIS FTP site. Because of this authentication issue, most IIS FTP sites are best configured for anonymous access only in order to prevent capturing of usernames and passwords.

Web Publishing your FTP server gets around this limitation because you can authenticate at the Listener, rather than with the site. The Incoming Web Requests listener can require Basic, Integrated, Digest or Certificate authentication. In addition, you can secure the link between the client and the listener using SSL. Thus, not only are you able to protect user credentials, you are also able to protect the confidentiality of the data between the client and server.

Most of the steps required to Web Publish an FTP site are the same as publishing a Web site.

2. Configure the Incoming Web Requests Listener

The Incoming Web Requests listener is the IP address or interface on which you want the Web Publishing Rule to accept requests. You can configure a single listener to listen on all IP addresses on the external interface of the ISA Server, or you can configure individual listeners on different IP addresses. The advantages of configuring individual listeners include:

  • Different authentication methods can be applied to each listener
  • Different certificates can be bound to each listener

The second feature is especially important because if you need to publish multiple web servers or FTP servers on the internal network using different certificates, then you'll need to configure a separate listener for each certificate. Only one certificate can be bound to each listener.

To configure the Incoming Web Requests listener, perform the following steps:

1. In the ISA Management console, right click on your server or array name and click Properties

2. Click on the Incoming Web Requests tab. The default setting is to have the same listener configuration for all IP addresses. If you want to configure separate listeners, click the Add button. If you are using the same configuration for all IP addresses, or if you clicked Add, click the Edit button.

3. Here you can configure the authentication methods you want to use. Keep in mind that if you want to use Integrated authentication, the clients must be using IE. If you want to use Digest authentication, the clients must be using IE 5 or above, and the domain must be a Win2k domain.

3. Create the Destination Set

One of the big differences between Web Publishing and Server Publishing Rules is that Web Publishing Rules require a Destination Set. The Web Proxy service will read the destination in the HTTP header and attempt to match it with a destination contained in a Destination Set in your Web Publishing Rules. At this time, I highly recommend that you use only FQDNs in your Destination Sets and *not* use IP addresses. If you must use IP addresses, I suggest you call PSS and obtain a hotfix that might help with publishing sites using just IP addresses.

To create the Destination Set, perform the following steps:

1. In the ISA Management console, expand your server or array name, and then expand the Policy Elements node. Right click on the Destination Sets node, point to New, and then click Set.

2. In the New Destination Set dialog box, give the set a name like "FTP Server for Blobal.com". In the Description you should include the FQDN(s) that you will use in the set. This will make your life easier in the future, trust me. Click the Add button.

3. In the Add/Edit Destination dialog box, select the Destination option, and then type in the FQDN that *external* users will use to access your published site. It is important that you use the FQDN that *external* users will use. For example, if the FTP site is on a machine that goes by the name of ftp.internal.com on your internal network, you do *not* use ftp.internal.com. You must use the name that resolves to the IP address of your Incoming Web Requests listener. So, if users will type http://ftp.external.com into their Web browsers to access the site, that is what you should type in the Destination text box.

4. Click OK and then click OK again.

4. Create the Web Publishing Rule

Now that you have a Destination Set, you can create the Web Publishing Rule:

1. In the ISA Management console, expand your server or array name and then expand the Publishing node in the left pane. Right click on the Web Publishing Rules node and then point to New and then click Rule.

2. On the first page of the Wizard, type in the name for the rule and click Next.

3. On the Destination Sets page, select Specified Destination Set and then select the name of the Destination Set you just created. Notice that the FQDNs show up in the Description area. Click Next.

4. On the Client Type page, select the appropriate client type depending on the type of access control you require, then click Next.

5. On the Rule Action Page, select the Redirect the request to this internal Web server (name or IP address) option. Type in the name or IP address of the internal server and choose a port number to redirect the FTP request. The default is 21, but you can change it to any port you have configured the FTP server to listen on. Click Next.

6. On the last page of the Wizard review your settings and click Finish.

At this point you have published the Web site on that internal server. In order to publish the FTP site, you need to configure the rule to redirect HTTP requests as FTP requests.

1. Double click on the rule you just created.

2. In the Properties dialog box, click on the Bridging tab.

3. In the Redirect HTTP requests as frame, select the FTP requests option. Click Apply and then click OK.

After a few moments (maybe longer if the server is busy), the rule will take effect. You do not need to restart the server.

5. Summary

Setting up a Web Publishing Rule to publish FTP sites is easy. The entire procedure is almost exactly the same as publishing a Web site, except for the extra step required to redirect HTTP requests as FTP requests. With the Web Publishing Rule, you have all the advantages conferred by the Web Proxy service. The only disadvantage is that you cannot upload to an FTP site using this method.
 


2. ISAServer.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Check out some of these:

Configuring SSL Bridging
http://www.isaserver.org/pages/tutorials/SSL%20Bridging.htm

Publishing a Host Using PCAnywhere Behind ISA
http://www.isaserver.org/pages/tutorials/hostpcanywhere.htm

Configuring Network Load Balancing
http://www.isaserver.org/pages/tutorials/network_load_balancing.htm

Configuring ISA Server Interface Settings
http://www.isaserver.org/pages/tutorials/setting_up_machine_before_isa_installtion.htm

Publishing Terminal Services Using the TSAC Client
http://www.isaserver.org/shinder/tutorials/tsac.htm

 

3. Q Articles of the Month

Just copy and paste the line under the title into your browser and Go!

ISA Control Service Mspadmin.exe Fails When You Start the MMC
mskb Q306884

Error Message: The Format of the Specified Computer Name Is Invalid
mskb Q291356

How Internet Security and Acceleration Server Handles the Caching of Responses to Requests Received By Web Publishing
mskb Q271272

The ISA Server Response to Client Options Requests Is Limited to a Predefined Set
mskb Q304340