
Contents
Overview 1
Introduction to Publishing 2
Configuring Web Publishing 10
Configuring Server Publishing 20
Adding an H.323 Gatekeeper 27
Lab A: Configuring Access to Internal Resources 32
Review 45

Module 7: Configuring Access to Internal Resources
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual

Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure
access to selected internal resources.
After completing this module, students will be able to:
• Explain the concepts associated with server publishing.
• Configure Web publishing.
• Configure server publishing.
• Add an H.323 Gatekeeper.

Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
Lab: 60 Minutes
Module Strategy
Use the following strategy to present this module:
Introduction to Publishing
Explain that for Web server publishing to work properly, external clients
must be able to resolve the name of a published server to the Internet
Protocol (IP) address of an external network adapter on the Microsoft
Internet Security and Acceleration (ISA) Server 2000 computer. Explain
that a back-to-back perimeter network configuration allows you to control
the traffic that enters the perimeter network separately from the traffic that
enters the internal network. Use the slide graphic to describe the steps that
you use to publish servers on a perimeter network. Explain that Web
publishing rules allow you to specify which port the ISA Server computer
uses to connect to the Web server.
Configuring Web Publishing
Explain that unlike the destination sets that you configure for access
policies, destination sets for publishing rules specify computers in your
internal network to which external clients connect, such as the name or the
IP address of your ISA Server computer. Explain the use of listeners and the
procedure that you use to configure listeners for incoming requests. Mention
that the authentication that you configure for the ISA Server computer is in
addition to any authentication that the published Web server requires.
Describe the use of Secure Sockets Layer (SSL) bridging and the associated
procedures.
Configuring Server Publishing

Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Perform a full installation of ISA Server manually.

Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the ISA Server administration tools manually.

Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all ISA
Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.




Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the Internet
by using any protocol. To prepare student computers to meet this requirement,
perform one of the following actions:
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.

Lab Results
Performing the lab in this module introduces the following configuration
changes:
• ISA Server is configured with a listener for outgoing Web requests.
• Web publishing rules for internal Web servers are created.
• The ISA Server computer is published as a Network News Transfer Protocol (NNTP) server.
• The ISA Server client computer is published as an SMTP and Internet Message Access Protocol (IMAP) server.
Overview

Add an H.323 Gatekeeper.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about configuring access to internal resources for remote clients.
Introduction to Publishing

• Publishing Overview
• Publishing Servers on a Perimeter Network
• Guidelines for Using Publishing and Routing
• Publishing Rules Overview

[Slide graphic: Publishing Overview; labels: Web Server, Internal Network]
Publishing a server makes the server on an internal network available to users
that gain access to the network through the Internet. You use Web publishing to
publish a Web server and server publishing to publish any other type of server
that uses Transmission Control Protocol/Internet Protocol (TCP/IP).
When you publish a Web server or other server, users connect to the external
network adapter of the ISA Server computer. The ISA Server computer uses the
internal network adapter to forward the request to the published server on the
internal network. Depending on how you configure the local address table
(LAT) on the ISA Server computer, an internal server can be on a perimeter
network or on a corporate network.
Publishing Web Servers
You can publish a Web server to allow external users on the Internet to
communicate with an internal Web server or a Web server on the perimeter
network through an ISA Server computer. When an external user requests an
object from the Web server, they actually receive the object from the ISA
Server computer. The ISA Server computer ensures that external users do not
reach the internal network directly.
In addition, the Internet Protocol (IP) address of the Web server is not exposed
to external users. Instead, external users communicate with the Web server by
specifying an external IP address of the ISA Server computer. The ISA Server
computer then re-issues the request through its internal network interface. When

resolve the DNS name www.nwtraders.msft to 131.107.3.1.

Because ISA Server uses the Microsoft Web Proxy service when publishing a
Web server, ISA Server can cache Web objects for clients on the Internet.
Caching in this manner is called reverse caching. Reverse caching improves the
performance for external clients because ISA Server can retrieve Web objects
from its cache instead of from the Web server on the internal network or the
perimeter network.

For more information about Web caching and configuring caching, see
Module 4, “Configuring Caching,” in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.

Publishing Other Servers
You can also publish a server that is not a Web server. You can publish any
type of server that uses TCP/IP.
For example, you can make an internal mail server available to external clients
by publishing it. Unlike Web publishing, server publishing does not provide for
reverse caching.
In addition, by publishing a server, external users are not able to see the
structure of the internal network. Because IP addresses on the internal network
are not visible to external users, publishing a server by using ISA Server is also
referred to as secure publishing.
Key Point
For Web server publishing to work properly, external clients must be able to resolve the name of a published server to the IP address of an external network adapter on the ISA Server computer.

If your network has a back-to-back perimeter network configuration, you can
use ISA Server to publish servers that are on your perimeter network to the
Internet. You can also publish internal servers to the perimeter network. Using a
back-to-back perimeter network configuration enables you to control the traffic
that enters the perimeter network separately from the traffic that enters the
internal network. By controlling this traffic separately, you do not have any
direct connections from the Internet to your internal network.
To publish servers on a perimeter network:
• On the ISA Server computer that is connected to the Internet, ensure that the
LAT contains the IP addresses of the computers on the perimeter network
and the IP address of the ISA Server computer that is connected to the
internal network.
• Create publishing rules on the ISA Server computer that is connected to the
Internet to make selected servers on the perimeter network, such as a mail
server or a published Web server, available to external clients.
• Include the IP addresses of the computers on only the internal network in
the LAT of the ISA Server computer that is connected to the internal
network.
• Create publishing rules on the ISA Server computer that is connected to the
internal network to make servers on the internal network available to
selected servers on the perimeter network. For example, create a publishing
rule to make a Microsoft SQL Server


For more information about the LAT, see Module 2, “Installing and
Maintaining ISA Server,” in Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000. For more
information about perimeter networks, see Module 6, “Configuring the
Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.

Guidelines for Using Publishing and Routing

perform routing and packet filtering. However, unlike routing, which routes
Web requests directly to a server, ISA Server intercepts all of the requests of a
published server.
You always use routing to send IP packets between two IP addresses that ISA
Server treats as internal or between two IP addresses that ISA Server treats as
external. You use publishing to enable ISA Server to send packets between an
external network and an internal network.
Use the following guidelines to determine when to use server publishing and
when to use routing and packet filtering.
If your network                                      Then use
Does not have a perimeter network                    Server publishing
Has a back-to-back perimeter network configuration   Server publishing on both ISA Server computers
Has a three-homed perimeter network configuration    Routing and packet filtering between the Internet and the perimeter network, and server publishing between the internal network and the perimeter network
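The perimeter-network steps above and the routing-versus-publishing rule (routing between two addresses on the same side of the LAT, publishing across the boundary) can be checked with a small model. The following Python is an added example, not course material or any ISA Server API: the address ranges, host addresses and function names are constructed assumptions, chosen to mirror the two ISA Server computers of a back-to-back configuration.

```python
"""Added example, not part of the course module: a model of how the LAT on
each ISA Server computer in a back-to-back perimeter configuration separates
"routing" (both endpoints on the same side of the LAT) from "publishing"
(the flow crosses from external to internal and needs a publishing rule).
The address ranges and host addresses are constructed sample values; the
function names are assumptions, not ISA Server APIs."""
import ipaddress
from typing import Iterable, List, Tuple

Network = ipaddress.IPv4Network


def build_lat(ranges: Iterable[str]) -> List[Network]:
    """A LAT is simply the set of address ranges ISA Server treats as internal."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_internal(lat: List[Network], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lat)


def classify(lat: List[Network], src: str, dst: str) -> str:
    """internal<->internal or external<->external: routing.
    One side internal, the other external: ISA Server forwards the packets
    only if a publishing rule allows it."""
    if is_internal(lat, src) == is_internal(lat, dst):
        return "routing"
    return "publishing"


def direct_paths(lat: List[Network], outside: Iterable[str],
                 inside: Iterable[str]) -> List[Tuple[str, str]]:
    """Misconfiguration check: host pairs that would be routed straight
    through (both inside the LAT) although one host is meant to be outside."""
    return [(o, i) for o in outside for i in inside
            if classify(lat, o, i) == "routing"]


# Constructed sample addressing for the two ISA Server computers.
PERIMETER_NET = "192.168.100.0/24"       # perimeter segment
INTERNAL_NET = "10.0.0.0/8"              # corporate network
ISA_B_PERIMETER_IP = "192.168.100.1"     # internal ISA computer's perimeter adapter
INTERNET_CLIENT = "203.0.113.7"
PERIMETER_MAIL = "192.168.100.25"
INTERNAL_SQL = "10.1.2.3"

# Step 1: the Internet-facing ISA's LAT holds the perimeter addresses plus the
# internal ISA computer's perimeter-side address.
LAT_ISA_A = build_lat([PERIMETER_NET, ISA_B_PERIMETER_IP + "/32"])
# Step 3: the internal ISA's LAT holds only the internal network.
LAT_ISA_B = build_lat([INTERNAL_NET])
# A wrong LAT on the internal ISA that also lists the perimeter: perimeter
# hosts would then be routed into the internal network without a rule.
LAT_ISA_B_WRONG = build_lat([INTERNAL_NET, PERIMETER_NET])

if __name__ == "__main__":
    print(classify(LAT_ISA_A, INTERNET_CLIENT, PERIMETER_MAIL))   # publishing
    print(classify(LAT_ISA_B, PERIMETER_MAIL, INTERNAL_SQL))      # publishing
    print(direct_paths(LAT_ISA_B_WRONG, [PERIMETER_MAIL], [INTERNAL_SQL]))
```

With the correct LATs, `direct_paths` returns nothing for the internal ISA computer; with the perimeter range wrongly added to its LAT it reports the perimeter-to-internal pair that would bypass publishing, which is exactly the direct connection the back-to-back design is meant to prevent.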

Topic Objective: To describe guidelines for using publishing and routing.
Lead-in: Publishing servers can achieve results similar to enabling routing and packet filtering.
requests for an internal Web server that use the HTTP, HTTP-S, or FTP
protocols. When using Web publishing rules, you can also specify which port
the ISA Server computer uses to connect to the Web server. This port can be
different from the port that the client uses to connect to the ISA Server
computer.
Server Publishing Rules
Server publishing rules determine how ISA Server should process incoming
requests for internal servers that use protocols other than the HTTP, HTTP-S, or
FTP, such as protocols used by database servers or mail servers.
Publishing a Server
When you publish a server, ISA Server forwards requests to an internal server
located behind the ISA Server computer. As with Web publishing rules, server
publishing rules determine which requests the ISA Server computer forwards
and which requests it discards. Unlike Web publishing rules, server publishing
rules do not allow you to change the port that the ISA Server computer uses to
connect to the published server.
Topic Objective: To identify the topics related to publishing rules.
Lead-in: To publish servers, you must configure a publishing policy.
Key Point: When using Web publishing rules, you can specify which port the ISA Server computer uses to connect to the Web server.
Configuring Web Publishing

• Publishing a Web Server
• Configuring Listeners for Incoming Web Requests
• Redirecting Requests to Other Ports
• Establishing Secure Communication
• Configuring SSL Bridging
• Requiring a Secure Channel
In addition to enabling secure access to the Internet for internal clients, ISA
Server can provide secure access to internal servers for external clients. To
make internal servers available to external clients, you create a publishing
policy to securely publish your internal servers. The publishing policy consists
of Web publishing rules or server publishing rules that determine how the
internal servers are published. In addition, you can require authentication for

You can publish Web servers to make internal Web sites accessible to users on
the Internet. To publish a Web server, you must first create a Web publishing
rule. By creating a Web publishing rule, you configure the ISA Server computer
to redirect incoming requests to a Web server on the internal network.
Using Destination Sets
Unlike the destination sets that you configure for access policies, destination
sets for publishing rules specify computers in your internal network that
external clients connect to, such as the name or the IP address of your ISA
Server computer. You can create a specified destination set to use in Web
publishing rules for redirecting requests for sections of a Web site to different
internal servers.
For example, you can create a destination set for www.nwtraders.msft/europe.
You would use this destination set in a Web publishing rule to redirect requests
for this section of the Web site to an internal server named
europe.internal.nwtraders.msft. You can then create another destination set for
www.nwtraders.msft/africa. You would use this destination set in a Web
publishing rule to redirect requests for this section of the Web site to an internal
server named africa.internal.nwtraders.msft.
When using a destination set that contains a path after the computer name, the
Web server must contain the same path. For example, if a client requests
www.nwtraders.msft/africa/default.htm, the internal server
africa.internal.nwtraders.msft must contain the path and file /africa/default.htm.

For more information about how to configure destination sets, see
Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.

• In the New Web Publishing Rule Wizard, type a name for the rule, and then
click Next.
• On the Destination Sets page, specify a destination set and the associated
information, and then click Next.
• On the Client Type page, specify a client type, and then click Next.

Unlike the rules that you configure for access policies, client sets for
publishing rules typically specify locations outside the internal network,
such as the IP addresses for a business partner. For more information about
how to configure client sets, see Module 3, “Enabling Secure Internet
Access,” in Course 2159A, Deploying and Managing Microsoft Internet
Security and Acceleration Server 2000.

• On the Rule Action page, click Discard the request to ignore requests that
match the rule conditions or click Redirect the request to this internal
Web server, type the name of the published Web server, and then click
Next.

If your internal Web server hosts multiple Web sites, you may have
to configure how ISA Server handles host headers. For more information
about how to configure ISA Server for advanced Web publishing scenarios,
see the \support\docs\copublish.htm file on the ISA Server compact disc.

• On the Completing the New Web Publishing Rule Wizard page, review
your choices, and then click Finish.

Changing the Rule Order
ISA Server processes Web publishing rules in the order in which they are listed
in the Web Publishing Rules folder and processes the first rule that applies to a
request. After a match occurs, no further processing is done for that request.

[Screenshot: Incoming Web Requests tab and Add/Edit Listeners dialog. Identification options: Use the same listener configuration for all internal IP addresses / Configure listeners individually per IP address; existing listener PHOENIX, All internal, Integrated. Add/Edit Listeners: Server LONDON, IP Address 131.107.3.1, Display Name PartnerWeb, Use a server certificate to authenticate to web clients; Authentication: Basic with this domain, Digest with this domain, Integrated, Client certificate (secure channel only). Connection settings: Ask unauthenticated users for identification.]

Topic Objective: To describe the use of listeners for incoming Web requests.
Lead-in: Before ISA Server responds to HTTP requests and SSL connection requests on the external interface of an ISA Server computer, you must configure at least one listener that determines how the ISA Server computer responds to these requests.
Delivery Tip: Explain the use of listeners.
Key Points: Unless you configure listeners for incoming requests, ISA Server discards all of the incoming Web requests before applying Web server publishing rules. The authentication that you configure for the ISA Server computer is in addition to any authentication that the published Web server requires.
• Under Authentication, select one or more of the check boxes for your designated authentication methods, and then click OK.
• In the TCP port box, type the port number on which ISA Server will listen for Web requests. The default port is Transmission Control Protocol (TCP) port 80.
• To require authentication for gaining access to ISA Server by using a listener, select the Ask unauthenticated users for identification check box, and then click OK.

Note
Requiring authentication is impractical when you publish a Web server to make that Web server publicly available. Most often, a better option is to configure the appropriate authentication on the Web server. Use authentication only when publishing Web servers with limited availability, such as a Web server that is available to only selected business partners.
Redirecting Requests to Other Ports

[Screenshot: PartnerWeb Properties dialog, Action tab (tabs: General, Destinations, Action, Applies To, Bridging). “Use this page to specify whether the request should be discarded or redirected, and configure the hosted site to which this rule redirects.” Option shown: Discard the request.]

run multiple Web sites.

To redirect incoming Web requests to a published server:
• In ISA Management, in the console tree, click Web Publishing Rules.
• In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
• In the Properties dialog box for the Web publishing rule, on the Action tab, click Redirect the request to this internal Web server (name or IP address), type the IP address or the DNS name, perform the following actions, and then click OK.

  In the                                                    Type
  Connect to this port when bridging requests as HTTP box   The port number to use for HTTP requests. The default HTTP port is 80.
  Connect to this port when bridging requests as SSL box    The port number to use for SSL requests. The default SSL port is 443.
  Connect to this port when bridging requests as FTP box    The port number to use for FTP requests. The default FTP port is 21.
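The pieces described in this section (destination sets that map a host and path to an internal server, rule order with first match winning, the requirement that a listener exist before any rule is applied, discard versus redirect, and the per-protocol bridging port) fit together as one evaluation sequence. The following Python is an added example that models that sequence; it is not course material and not ISA Server code. The host names and the address 131.107.3.1 are the module's own sample values; the rule names, the data layout and the `evaluate` function are assumptions.

```python
"""Added example, not part of the course module: a minimal model of how an
incoming Web request is handled as the module describes it. A listener must
exist for the external IP and port the request arrives on (otherwise the
request is discarded before any rule is evaluated), Web publishing rules are
checked in listed order and the first match ends processing, a match either
discards the request or redirects it to the internal server with the same
path, and the port used towards the internal server depends on the bridging
protocol (HTTP, SSL or FTP). Rule names and data layout are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    ssl: bool = False  # an SSL listener is required for https requests


@dataclass(frozen=True)
class DestinationSet:
    host: str
    path_prefix: str = "/"  # "/" publishes the whole site

    def matches(self, host: str, path: str) -> bool:
        if host.lower() != self.host.lower():
            return False
        prefix = self.path_prefix.rstrip("/")
        # "/europe" matches "/europe" and "/europe/...", but not "/europeana"
        return prefix == "" or path == prefix or path.startswith(prefix + "/")


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    destination: DestinationSet
    internal_server: Optional[str] = None  # None means "Discard the request"
    bridge_ports: Dict[str, int] = field(default_factory=dict)  # scheme -> port


@dataclass(frozen=True)
class Decision:
    action: str                  # "discard" or "redirect"
    rule: Optional[str] = None   # None: discarded before any rule was applied
    target: Optional[str] = None # URL the ISA Server computer requests internally


def evaluate(url: str, external_ip: str, listeners: List[Listener],
             rules: List[WebPublishingRule]) -> Decision:
    """external_ip is the address the client's DNS lookup of the published
    name returned, i.e. the ISA external adapter the request arrives on."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    needs_ssl = scheme == "https"

    # Step 1: without a matching listener the request is dropped before
    # any Web publishing rule is applied.
    if not any(l.ip == external_ip and l.port == port and l.ssl == needs_ssl
               for l in listeners):
        return Decision("discard")

    # Step 2: rules in listed order; the first match ends processing.
    for rule in rules:
        if not rule.destination.matches(host, path):
            continue
        if rule.internal_server is None:
            return Decision("discard", rule.name)
        bridge_port = rule.bridge_ports.get(scheme, DEFAULT_PORTS[scheme])
        # The internal server must serve the same path the client asked for.
        target = f"{scheme}://{rule.internal_server}:{bridge_port}{path}"
        return Decision("redirect", rule.name, target)

    # No rule matched: nothing is forwarded.
    return Decision("discard")


# Constructed sample configuration mirroring the module's example.
LISTENERS = [Listener("131.107.3.1", 80), Listener("131.107.3.1", 443, ssl=True)]
RULES = [
    WebPublishingRule("Europe", DestinationSet("www.nwtraders.msft", "/europe"),
                      "europe.internal.nwtraders.msft", {"https": 8443}),
    WebPublishingRule("Africa", DestinationSet("www.nwtraders.msft", "/africa"),
                      "africa.internal.nwtraders.msft"),
    WebPublishingRule("Discard everything else", DestinationSet("www.nwtraders.msft")),
]


def demo(url: str) -> Decision:
    return evaluate(url, "131.107.3.1", LISTENERS, RULES)


if __name__ == "__main__":
    for u in ("http://www.nwtraders.msft/africa/default.htm",
              "https://www.nwtraders.msft/europe/",
              "http://www.nwtraders.msft/sales/",
              "http://www.nwtraders.msft:8080/africa/"):
        print(u, "->", demo(u))
```

Two details are worth noting when reading the output: a request on a port with no listener (8080 here) is discarded with no rule name, because it never reached the rule list, and the catch-all discard rule is placed last on purpose; moved to the top it would win for every request, which is the rule-order behaviour described under Changing the Rule Order.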

Topic Objective: To describe the procedure that you use to redirect requests to other ports.

Establishing Secure Communication
When you redirect incoming Web requests, you must ensure that all network
traffic is secured appropriately. For example, when clients attempt to establish a
secure session with a published Web Server, you must configure ISA Server to
establish this secure connection across the Internet on behalf of the Web server.
When ISA Server receives an SSL request from a client for an object on a
published server, ISA Server establishes a separate SSL channel with the
published server. This type of redirection is called SSL bridging. SSL bridging
ensures that both parts of the connection, the session between the client and the
ISA Server computer and the session between ISA Server and the internal Web
server, are encrypted.
SSL Overview
The SSL protocol enables secure data communication over networks by using

Key Point: SSL bridging ensures that both parts of the connection, the session between the client and the ISA Server computer and the session between ISA Server and the internal Web server, are encrypted.
Publishing Secure Web Sites
When you publish a server that uses the SSL protocol to encrypt client requests
to the server, clients connect to the ISA Server computer on port 443. To enable
the ISA Server computer to respond to this request, you must configure the ISA
Server computer to listen on port 443. You must also configure the ISA Server
computer to use a server certificate to impersonate the published server.
To configure the ISA Server computer to listen for incoming SSL requests:
• In ISA Management, in the console tree, right-click your server or array,
and then click Properties.
• In the Properties dialog box for the server or array, on the Incoming Web
Requests tab, ensure that the Enable SSL listeners check box is selected
and that the SSL port number matches the port number that external clients
use to connect to the ISA Server computer. By default, this port is port 443.
• Select the appropriate listener, and then click Edit.
• In the Add/Edit Listeners dialog box, select the Use a server certificate to
authenticate to web clients check box, and then click Select.
• In the Select Certificate dialog box, select the certificate that was issued for
the published Web site, and then click OK three times.

