If you would like to read the other parts in this article series please go to:
- Creating and Configuring Non-SSL Web Publishing Rules (Part 1)
- Creating and Configuring Non-SSL Web Publishing Rules (Part 3)
In the first part of this series on how to publish non-SSL Web sites, we began by starting the Web Publishing Rule Wizard. We finished up with the first part of the series at a point where we begin to configure the Web listener for the rule. A Web listener is an ISA Firewall software configuration that is used to accept incoming connections to the ISA Firewall’s Web proxy filter. A Web listener is similar to a Web proxy listener, except that a Web listener is used for incoming connections that are evaluated by Web Publishing Rules and a Web proxy listener is used by Access Rules for outgoing connections.
A Web listener does much more than just accept the incoming connection. Once the incoming connection is accepted by the Web listener, the Web listener enforces authentication requirements on the connection. In addition to enforcing authentication, the Web listener controls how many connections are allowed on the listener, and what IP addresses the listener will accept connections on, and for what protocols (either HTTP, SSL, or both).
This week we’ll continue with our Web publishing story by drilling down on the Web listener.
The Select Web Listener Page and Creating an HTTP Web Listener
You assign a Web listener to the Web Publishing Rule on the Select Web Listener page. A Web listener is a Network Object you use in Web Publishing Rules. The Web listener “listens” on an interface or a specific IP address that you choose for incoming connections to the port you define.
For example, if you create a Web publishing rule that allows HTTP public access to the www.msfirewall.org site, you would create a Web listener that listens on the external interface of the ISA firewall using the IP address that external users resolve www.msfirewall.org to. Of course, if you have multiple IP addresses bound to the external interface of the ISA Firewall, there’s no reason why you can’t have the name resolve to all the IP addresses bound to the external interface, or even a subset of those addresses.
We assume in the above example that the external interface of the ISA firewall has a public address bound to it. The situation is slightly different if you have a NAT device (such as a PIX) in front of the ISA firewall. In that case, external clients would resolve the name www.msfirewall.org to the public address on the NAT device that is mapped to the IP address used on the Web listener on the ISA firewall.
You have two options on the Select Web Listener page if there are listeners already configured on the ISA firewall:
The Edit button allows you to configure existing Web listeners and the New button allows you to create a new Web listener. In this example there are no listeners yet created on the ISA firewall, so we’ll click the New button.
On the Welcome to the New Web Listener Wizard page, enter a name for the Web listener in the Web listener name text box. In this example, we’ll name the Web listener HTTP Listener (since we only have a single IP address bound to the external interface; if there were multiple addresses, we could add the number in the last octet to the listener definition to make it easier to identify). Click Next.
On the IP Addresses page you select the ISA Firewall Networks or IP addresses on those Networks that you want the listener to listen on. Recall that each interface on the ISA firewall represents an ISA Firewall Network and all IP addresses reachable from that interface are considered part of that ISA Firewall Network. The Web listener can listen on any Network defined on the ISA firewall.
For example, you might want to publish servers to clients on the VPN clients network. You can do that by selecting the VPN Clients network as one of the ISA Firewall Networks this listener uses to accept incoming connections.
In this example, we want to accept incoming connections from Internet users, so we’ll select the External network by putting a checkmark in its checkbox. At this point the Web listener will accept connection requests to all IP addresses bound to the external interface of the ISA firewall. I recommend that if you have multiple IP addresses bound to an interface that you configure the Web listener to use only one of those addresses. This provides you greater flexibility because you can create a separate listener for each IP address and customize the properties of each listener. If you allow the listener to listen on all IP addresses on the interface, then a single set of listener properties will be assigned to all Web Publishing Rules using that single Web listener. That is to say, if you configure the Web listener to listen on all addresses, you cannot create additional listeners for the same protocol.
Click the Addresses button on the IP Addresses page.
Figure 1: The IP Addresses page
On the Network Listener IP Selection page you have three options:
- All IP addresses on the ISA Server computer that are in the selected network
- The default IP address on the ISA Server computer in the selected network
- Specified IP addresses on the ISA Server computer in the selected network
The All IP addresses on the ISA Server computer that are in the selected network setting is the default and is the same as just checking the checkbox on the previous page without making any customizations. This option allows the listener to listen on all addresses bound to the interface representing the Network you selected. Avoid this option if you have more than one IP address bound to the external interface of the ISA Firewall.
The default IP address on the ISA Server computer in the selected network option allows the listener to accept connections to the primary IP address bound to the Network interface. The primary address is the first address on the list of addresses bound to the NIC. This is also the IP address that is used for connections leaving that interface.
The Specified IP addresses on the ISA Server computer in the selected network option allows you to select the specific IP addresses you want the listener to use. The available IP addresses for the Network appear in the Available IP addresses section. You select the IP address you want the Web listener to use and click the Add button; it then appears in the Selected IP Addresses section.
The example in figure 2 demonstrates the Network-centric nature of the ISA firewall. Before we selected an address, both 172.16.0.1 and 192.168.1.70 were in the Available IP Addresses list. These two addresses are actually bound to two different adapters. The 192.168.1.70 address is bound to the external interface (the one with the default gateway configured on it) and the 172.16.0.1 address is bound to a DMZ interface on the ISA firewall. The reason why both these addresses are included is that the default External Network includes all IP addresses that are not defined as part of a Network. Since we haven’t yet defined the DMZ Network, the address bound to the DMZ interface is part of the default External network, even though that address isn’t actually bound to the official “external” interface, that being defined as the interface with the default gateway configured on it.
We’ll select the IP address bound to the external interface of the ISA firewall and click OK. Then click Next on the IP Addresses page.
Figure 2: The External Network Listener IP Selection dialog box
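The following is an added example, not code from the article or from ISA Server, that models the Network-centric behaviour just described: an interface address belongs to whichever defined Network's address ranges contain it, and everything unclaimed falls into the default External Network. The Internal range and the 10.0.0.1 internal address are assumed values; the other two addresses are the article's.

```python
import ipaddress

# Added example, not ISA Server code: models how the ISA firewall decides which
# Network an interface address belongs to. Defined Networks are sets of address
# ranges; the default External Network is everything not claimed by a defined
# Network, so the address of a not-yet-defined DMZ interface shows up on an
# External Web listener.

# Addresses bound to the ISA firewall's NICs. 192.168.1.70 and 172.16.0.1 are
# the article's values; 10.0.0.1 is an assumed internal interface address.
BOUND_ADDRESSES = ["10.0.0.1", "192.168.1.70", "172.16.0.1"]

# Networks before the DMZ is defined (only Internal), and after (assumed ranges).
NETWORKS_BEFORE = {"Internal": ["10.0.0.0-10.255.255.255"]}
NETWORKS_AFTER = {"Internal": ["10.0.0.0-10.255.255.255"],
                  "DMZ": ["172.16.0.0-172.16.0.255"]}

def _in_range(ip, rng):
    """True if ip lies in an ISA style 'start-end' address range."""
    start, end = (ipaddress.ip_address(x.strip()) for x in rng.split("-"))
    return start <= ip <= end

def classify_address(addr, networks):
    """Name of the defined Network whose ranges contain addr, else 'External'."""
    ip = ipaddress.ip_address(addr)
    for name, ranges in networks.items():
        if any(_in_range(ip, r) for r in ranges):
            return name
    return "External"

def listener_available_addresses(network_name, networks, bound=BOUND_ADDRESSES):
    """Addresses the 'Specified IP addresses' dialog would offer for a Web
    listener on the named Network."""
    return [a for a in bound if classify_address(a, networks) == network_name]

if __name__ == "__main__":
    print("External, DMZ undefined:", listener_available_addresses("External", NETWORKS_BEFORE))
    print("External, DMZ defined:  ", listener_available_addresses("External", NETWORKS_AFTER))
```

Once the DMZ Network is defined, 172.16.0.1 disappears from the External listener's list and appears only on a listener for the DMZ Network.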
The Port Specification page allows you to define the TCP port on which the Web listener accepts incoming connections. The default port is TCP port 80. You can change this port to any port you like, as long as it does not collide with a socket already in use on the ISA firewall.
You also have the option to enable an SSL listening port on the Web listener. We recommend that you configure your HTTP and SSL listeners separately. This is a new feature in the 2004 and 2006 ISA firewall. In ISA Server 2000, you could not create separate HTTP and SSL listeners. I should say at this time that the 2006 ISA Firewall has a much more sophisticated interface for SSL support.
In this example we’ll use the default port and click Next. Note that you have the option to change the default port, so that if for some reason you want external users to use an alternate port (such as when they’ve been using a Webmail application that uses an alternate port) you can configure that port here.
Figure 3: The Port Specification page
A socket is a combination of a transport protocol (TCP or UDP), an IP address and a port number. Only one process can bind itself to a socket. If another process on the ISA firewall is using the same socket that you want to use for your Web listener, then you will need to disable the process using the socket, or choose another port number for the Web listener to use. This is a common problem for ISA firewall administrators who attempt to publish Web resources located on the ISA firewall itself. As I’ve mentioned on a million other occasions, you should never run services on the ISA firewall other than the ISA firewall services, services that the ISA firewall depends upon, and add-on services that enhance the ISA firewall’s stateful packet and application layer inspection features.
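As an added example (not code from the article or from ISA Server), the check below parses netstat -ano style output and reports which existing sockets would collide with the listener's TCP/address/port combination, including the common case of a local service bound to 0.0.0.0, which claims the port on every address. The netstat lines and PIDs are constructed for this example.

```python
import re
from collections import namedtuple

# Added example, not ISA Server code: a pre-flight check that the socket a Web
# listener needs (transport protocol + IP address + port) is not already bound
# by another process on the ISA firewall. The netstat -ano style output below
# is constructed for this example; the PIDs are invented.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.168.1.70:8080      0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.70:8080      10.0.0.5:50214         ESTABLISHED     1480
  UDP    192.168.1.70:80        *:*                                    3020
"""

Socket = namedtuple("Socket", "proto ip port state pid")
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Parse netstat -ano style lines into Socket records; the header is skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, state, pid = m.groups()
            sockets.append(Socket(proto, ip, int(port), state, int(pid)))
    return sockets

def listener_conflicts(sockets, ip, port, proto="TCP"):
    """Sockets that would collide with a listener on (proto, ip, port).

    A listening bind to the same address, or to the 0.0.0.0 wildcard, collides.
    A different address, the other transport protocol, or an established TCP
    connection that merely uses the same local port does not.
    """
    return [s for s in sockets
            if s.proto == proto
            and s.port == port
            and (s.proto == "UDP" or s.state == "LISTENING")
            and s.ip in ("0.0.0.0", ip)]

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in listener_conflicts(socks, "192.168.1.70", 80):
        print(f"TCP 192.168.1.70:80 is already taken by PID {s.pid} (bound to {s.ip})")
```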
Click Finish on the Completing the New Web Listener Wizard page. The details of the Web listener appear on the Listener properties page. We can now click the Edit button to customize several aspects of the Web listener.
Click the Edit button and then click the Preferences tab. Here you can configure the Authentication and Advanced properties for the listener.
Figure 4: The Preferences tab
Click on the Authentication button and you’ll see the authentication options available for the Web listener in the Authentication dialog box. The default authentication method is Integrated. Table 1 lists each of the authentication methods available for Web listeners, with a short description of the important characteristics of each method.
Table 1: Web listener authentication methods
Basic
- Supported by all Web clients and servers
- User names and passwords are encoded (Base64) but not encrypted. Easy to obtain with any network analyzer
- Use SSL to secure basic authentication
- Supports delegation of basic authentication (ISA 2006 can delegate as NTLM and Kerberos)
Digest
- Credentials sent as one-way hash
- Web browser must support HTTP 1.1
- Requires domain controller to store password using reversible encryption
- WDigest encryption also supported (Windows Server 2003 only)
- User name and domain name case sensitive
- When both ISA firewall and DC are Windows Server 2003, WDigest is used by default
- Windows NT 4.0 user accounts do not support Digest authentication
Integrated
- NTLM, Kerberos and Negotiate authentication mechanisms
- User name and password hashed before sending
- Logged on user credentials automatically sent to ISA firewall
- If logged on user not authenticated, log on dialog box appears (typical remote access scenario)
- Log on dialog box continues to appear until valid credentials are entered or CANCEL is selected
RADIUS
- RADIUS both authenticates and authorizes
- RADIUS users must enter credentials in DOMAIN\User format
- ISA firewall uses MD5 hash of the shared secret to authenticate with RADIUS server and to encrypt user name, password and characteristics of the connection
- Recommend use of IPSec to secure channel between ISA firewall and RADIUS server
- RADIUS servers configured on the ISA firewall are used for all rules and objects that use RADIUS authentication. You cannot configure separate RADIUS servers for VPN and Web listener authentication.
- Often degrades performance
SecurID
- Two factor authentication
- Physical token and PIN (personal ID number) required
- RSA ACE/Agent runs on ISA firewall
- RSA ACE/Agent passes credentials to RSA/ACE server
- Cookie placed on user’s browser after successful authentication; cookie is held in memory and not written to disk. Cookie removed from memory when browser closed
- Use SSL to secure connection between Web browser and ISA firewall when using SecurID authentication
- Refer to ISA Server 2004 Help for details of configuration
OWA Forms-based
- Used to publish Outlook Web Access (OWA)
- ISA firewall generates log on form
- Cookie sent to browser when authentication successful
- Credential information not cached on client browser
- Users must reauthenticate if the browser is closed or the user leaves the OWA Web site
- Can’t set session time out limits
- SSL connection between browser and ISA firewall recommended
- Can change password during session, but must reauthenticate after password change
SSL certificate
- Users authenticate by presenting User Certificates
- Most secure form of authentication
Figure 5: The Authentication dialog box
The authentication option you select applies only if you limit access to the Web Publishing rule to a user or group. If you allow All Users access to the Web Publishing Rule, then the authentication option is ignored. These authentication options apply only to authentication performed by the ISA firewall itself, not to authentication that may be required by the published Web site. However, authentication delegation settings on the ISA Firewall must match the supported authentication protocols on the Web site published by the ISA Firewall.
All authentication methods except for RADIUS authentication require that the ISA firewall be a member of a domain. This is not a significant issue unless you have a back to back firewall configuration where the front-end firewall is an ISA firewall (the back-end firewall can be any kind of firewall you like, including ISA firewalls). If the ISA firewall is on the front-end and you want to authenticate users at the front-end server, then I recommend that you use only RADIUS authentication. When the ISA firewall is on the back-end, I always recommend that you make the firewall a member of the Active Directory domain so that you can leverage the many security advantages inherent in domain membership.
If you are using ISA 2006, I recommend that you avoid RADIUS in almost all instances and use LDAP authentication when the ISA Firewall is not a domain member.
Put a checkmark in the Require all users to authenticate checkbox if you require authentication for all Web Publishing Rules that will use this listener.
You would click the RADIUS Servers button to select or add a RADIUS server for RADIUS authentication.
You would click the Select Domain button to set a default domain if you choose Basic authentication.
You would click the Configure button to the right of Configure OWA forms-based authentication to customize the cookie parameters for the OWA connection. We will discuss this issue in more detail later in this chapter.
Click OK to close the Authentication dialog box. Click the Advanced button in the HTTP Listener Properties dialog box. This brings up the Advanced Settings dialog box. In the Advanced Settings dialog box you set the Number of connections you want to support on the listener and the idle connection timeout for the listener. Click OK to close the Advanced Settings dialog box.
Figure 6: The Advanced Settings dialog box
Click OK to close the HTTP Listener Properties dialog box and click Next on the Select Web Listener page.
In this article on how to publish non-SSL Web sites I went over the configuration of a Web listener. Web listener configuration is a critical aspect of any Web Publishing Rule and you need to get it right for your Web Publishing Rules to work correctly. In the next article, we’ll finish up the series by finishing the Web Publishing Rule Wizard and examine the Properties of the Web Publishing Rule. See you then! – Tom.