Sponsored by: GFI Software Ltd. & WebTrends
ISAserver.org Newsletter
November 7th, 2001
In this issue:
*Feature: Publish an FTP Site Using Web Publishing
*ISAServer.org Learning Zone Articles of Interest
*Q Articles of the Month
*Mailing List Post of the Month
*Web Board Post of the Month
*ISA Server Link of the Month
*Ask Dr. Tom
*ISA Server Gurus of the Month -- Shobha Sharma and Jay Schwartzkopf
Welcome to the ISAserver.org newsletter!
Each month we will bring you interesting and helpful information
on ISA Server. We want to know what *you* are interested
in hearing about. Please send your suggestions for future newsletter
content to: tshinder@isaserver.org
1. Feature: Publish an FTP Server Using Web Publishing
By Thomas W Shinder, M.D., MCSE, etc.
1. Overview
2. Configure the Incoming Web Requests Listener
3. Creating the Destination Set
4. Creating the Web Publishing Rule
5. Summary
1. Overview
If you've been using ISA Server for a while, you probably have
published a Web site or two. When publishing Web Sites, you actually
have two options:
- Use Web Publishing Rules
- Use Server Publishing Rules
You would typically use Web Publishing Rules to publish Web sites
because Web Publishing Rules have several advantages over Server
Publishing rules. These advantages include:
- Reverse Caching of published web sites
- Authentication at the Incoming Web Requests Listener
- Ability to publish multiple Web sites with a single public IP
address
- Port redirection for HTTP requests
- Protocol Redirection
The only advantage that Server Publishing Rules have over Web Publishing
Rules is that when you publish a Web site using Server Publishing
Rules, the actual source IP address appears in the Web server's
log files. If you use Web Publishing, the internal IP address of
the ISA Server will appear in all requests logged at the Web server.
You will have to parse
the Web Proxy log on the ISA Server to get information about client
IP addresses.
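One way to recover those client addresses from the Web Proxy log, as an added example (not part of the original newsletter and not Microsoft's code). It assumes the log is saved in W3C extended format, tab-separated, with a #Fields line, and that the client address and requested host fields are named c-ip and r-host; check the #Fields line of your own log for the actual names. The sample entries are constructed.

```python
from collections import Counter

# Constructed sample log (tab-separated); addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date\ttime\tc-ip\tr-host\tcs-uri\tsc-status",
    "2001-11-07\t10:01:12\t203.0.113.10\tftp.external.com\thttp://ftp.external.com/pub/\t200",
    "2001-11-07\t10:01:15\t203.0.113.10\tftp.external.com\thttp://ftp.external.com/pub/readme.txt\t200",
    "2001-11-07\t10:02:40\t198.51.100.7\twww.external.com\thttp://www.external.com/\t200",
    "2001-11-07\t10:03:02\t198.51.100.7\tftp.external.com\thttp://ftp.external.com/pub/\t401",
    "2001-11-07\t10:05:00\t203.0.113.99",            # truncated line
    "#Fields: c-ip\tr-host\tsc-status",              # field set changed mid-file
    "192.0.2.44\tFTP.external.com\t200",
    "-\tftp.external.com\t200",                      # client address not logged
])


def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split("\t")
        # Skip data that precedes any #Fields line or does not fit it.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def clients_for_host(text, host, client_field="c-ip", host_field="r-host"):
    """Count requests per client address for one published FQDN."""
    counts = Counter()
    for entry in parse_w3c(text):
        client = entry.get(client_field, "-")
        if entry.get(host_field, "").lower() == host.lower() and client != "-":
            counts[client] += 1
    return counts


if __name__ == "__main__":
    for ip, hits in clients_for_host(SAMPLE_LOG, "ftp.external.com").most_common():
        print(ip, hits)
```

Pass different `client_field` and `host_field` names if your log's #Fields line uses other columns for the client address and the published name.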
The Web Publishing feature I would like to cover in this edition
of the ISAserver.org newsletter is Web Publishing's ability to perform
protocol redirection. A Web Publishing Rule can be used to publish
an internal FTP site. There are several advantages to publishing
an FTP site using a Web Publishing Rule:
- The content is reverse cached on the ISA Server
- You can use any port number you like on the FTP server
- Users are more accustomed to using browsers than FTP clients
- You can use all authentication methods available on the listener
The last feature is perhaps the most valuable. One of the problems
with the IIS FTP service is that you can only use basic authentication
to authenticate against the IIS FTP site. Because of this authentication
issue, most IIS FTP sites are best configured for anonymous access
only in order to prevent capturing of usernames and passwords.
Web Publishing your FTP server gets around this limitation because
you can authenticate at the Listener, rather than with the site.
The Incoming Web Requests listener can require Basic, Integrated,
Digest or Certificate authentication. In addition, you can secure
the link between the client and the listener using SSL. Thus, not
only are you able to protect user credentials, you are also able
to protect the confidentiality of the data between the client and
server.
Most of the steps required to Web Publish an FTP site are the same
as publishing a Web site.
2. Configure the Incoming Web Requests Listener

The Incoming Web Requests listener is the IP address or interface
on which you want the Web Publishing Rule to accept requests. You
can configure a single listener to listen on all IP addresses on
the external interface of the ISA Server, or you can configure individual
listeners on different IP addresses. The advantages of configuring
individual listeners include:
- Different authentication methods can be applied to each listener
- Different certificates can be bound to each listener
The second feature is especially important because if you need
to publish multiple web servers or FTP servers on the internal network
using different certificates, then you'll need to configure a separate
listener for each certificate. Only one certificate can be bound
to each listener.
To configure the Incoming Web Requests listener, perform the following
steps:
1. In the ISA Management console, right click on your server or
array name and click Properties
2. Click on the Incoming Web Requests tab. The default setting
is to have the same listener configuration for all IP addresses.
If you want to configure separate listeners, click the Add button.
If you are using the same listener configuration for all IP addresses,
or if you clicked Add, click the Edit button.
3. Here you can configure the authentication methods you want to
use. Keep in mind that if you want to use Integrated authentication,
the clients must be using IE. And if you want to use Digest authentication,
then the clients must be using IE 5 or above, and the domain must
be a Win2k domain.
3. Create the Destination Set

One of the big differences between Web Publishing and Server Publishing
Rules is that Web Publishing Rules require a Destination Set. The
Web Proxy service will read the destination in the HTTP header and
attempt to match it with a destination contained in a Destination
Set in your Web Publishing Rules. At this time, I highly recommend
that you use only FQDNs in your Destination Sets and *not* use IP
addresses. If you must use IP addresses, I suggest you call PSS
and obtain a hotfix that might help with publishing sites using
just IP addresses.
To create the Destination Set, perform the following steps:
1. In the ISA Management console, expand your server or array name,
and then expand the Policy Elements node. Right click on the Destination
Sets node and then point to New and then click Set.
2. In the New Destination Set dialog box, give the set a name like
"FTP Server for Blobal.com". In the Description you should include
the FQDN(s) that you will use in the set. This will make your life
easier in the future, trust me. Click the Add button.
3. In the Add/Edit Destination dialog box, select the Destination
option, and then type in the FQDN that *external* users will use
to access your published site. It is important that you use the
FQDN that *external* users will use. For example, if the FTP site
is on a machine that goes by the name of ftp.internal.com on your
internal network you do *not* use ftp.internal.com. You must use the
name that resolves to the IP address of your Incoming Web Requests
listener. So, if users will type in http://ftp.external.com into
their Web browsers to access the site, that is what you should type
in the Destination text box.
4. Click OK and then click OK again.
4. Create the Web Publishing Rule
Now that you have a Destination Set, you can create the Web Publishing
Rule:
1. In the ISA Management console, expand your server or array name
and then expand the Publishing node in the left pane. Right click
on the Web Publishing Rules node and then point to New and then
click Rule.
2. On the first page of the Wizard, type in the name for the rule
and click Next.
3. On the Destination Sets page, select Specified Destination Set
and then select the name of the Destination Set you just created.
Notice that the FQDNs show up in the Description area. Click Next.
4. On the Client Type page, select the appropriate client type
depending on the type of access control you require, then click
Next.
5. On the Rule Action Page, select the Redirect the request to
this internal Web server (name or IP address) option. Type in the
name or IP address of the internal server and choose a port number
to redirect the FTP request. The default is 21, but you can change
it to any port you have configured the FTP server to listen on.
Click Next.
6. On the last page of the Wizard review your settings and click
Finish.
At this point you have published the Web site on that internal
server. In order to publish the FTP site, you need to configure
the rule to redirect HTTP requests as FTP requests.
1. Double click on the rule you just created.
2. In the Properties dialog box, click on the Bridging tab.
3. In the Redirect HTTP requests as frame, select the FTP requests
option. Click Apply and then click OK.
After a few moments (maybe longer if the server is busy), the rule
will take effect. You do not need to restart the server.
5. Summary 
Setting up a Web Publishing Rule to publish FTP sites is easy.
The entire procedure is almost exactly the same as publishing a
Web site, except for the extra step required to redirect HTTP
requests as FTP requests. With the Web Publishing rule, you have
all the advantages conferred by the Web Proxy service. The only
disadvantage is that you cannot upload to an FTP site using this
method.
2. ISAServer.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will
help you get a handle on your most difficult configuration issues.
Check out some of these:
Configuring SSL Bridging
http://www.isaserver.org/pages/tutorials/SSL%20Bridging.htm
Publishing a Host Using PCAnywhere Behind ISA
http://www.isaserver.org/pages/tutorials/hostpcanywhere.htm
Configuring Network Load Balancing
http://www.isaserver.org/pages/tutorials/network_load_balancing.htm
Configuring ISA Server Interface Settings
http://www.isaserver.org/pages/tutorials/setting_up_machine_before_isa_installtion.htm
Publishing Terminal Services Using the TSAC Client
http://www.isaserver.org/shinder/tutorials/tsac.htm
3. Q Articles of the Month
Just copy and paste the line under the title into your browser
and Go!
ISA Control Service Mspadmin.exe Fails When You Start the MMC
mskb Q306884
Error Message: The Format of the Specified Computer Name Is Invalid
mskb Q291356
How Internet Security and Acceleration Server Handles the Caching of Responses to Requests Received By Web Publishing
mskb Q271272
The ISA Server Response to Client Options Requests Is Limited to a Predefined Set
mskb Q304340