CHAPTER 6

                                   SECURE SERVER PUBLISHING

 

 

 

If your network contains servers that publish to the Internet, such as Web servers,

FTP servers, or database servers, you need to allow external clients access to those

servers without compromising the security of your network.

 

 

Lesson 1:  Publishing Servers Securely

 

ISA Server uses server publishing to process incoming requests to internal servers.  Requests

are forwarded downstream to an internal server that is located behind the ISA Server

computer.

 

 

Publishing Policy Rules

 

You can use ISA Server to configure a publishing policy, which consists of server publishing

rules and Web publishing rules.  Server publishing rules filter all incoming requests and then

map these requests to the appropriate servers that are protected by the ISA Server services.

 

 

Server Publishing Rules

 

When a server is published by an ISA Server computer, the Internet Protocol (IP) address

that is published is the external IP address of the ISA Server computer.

 

Server publishing rules essentially filter all requests through the ISA Server computer and then

map those requests to the appropriate servers behind the ISA Server computer.

 

Note that the IP address assigned to the ISA Server’s NIC must be configured as the default

gateway on the publishing server.

 

NOTE:  For array members, it enterprise policy settings are configured so that publishing is not

allowed, you will not be able to create a server publishing rule.

 

 

Server Publishing Rule Actions

 

A rule action refers to the action applied to a request by a given rule.  You can configure the

rule action of a new server publishing rule in the Address Mapping and Protocol Settings

screens of the New Server Publishing Rule Wizard.  In either case, when you configure the

action of a server publishing rule, you specify the following:

 

 

 

=====================================================================

 

winisa6.html                                                     PAGE 2                                                   2002/05/26

 

 

 

 

IP address of the ISA Server.  This is the address made available to external clients.

 

IP address of the publishing server.  All requests arriving to the IP address specified on the

ISA Server are forwarded to this IP address.

 

Mapped Server protocol.  The data passed to the internal server depends on which

protocol you specify here.  You can select from all protocol definitions configured on

the ISA Server with, a minimum, an Inbound direction.  Protocol definitions are listed

and configured in the Protocol Definitions folder of the Policy Elements node.

 

 

EG.  SMTP server whose IP address is 111.111.111.111 and uses Port 25.  You create a

server publishing rule with the following parameters:

 

Internal server IP address set to 111.111.111.111

External address on the ISA Server set to an IP address on the external interface card

belonging to the ISA Server computer.

 

 

Mapped server protocol set to SMTP Server.

 

 

Server Publishing Rules and IP Packet Filters

 

Server publishing rules and IP packet filters both open specific ports for communication between

the local network and the Internet.  In most situations, you use server publishing rules to make

internal servers accessible to external clients.

 

However, in some cases, such as the following, you must use IP packet filters instead of

publishing rules:

 

When you are publishing servers that are located on a perimeter network, to make the servers

accessible to external clients

 

When you are publishing services that are located on the ISA Server computer itself.

 

Lesson Summary:

 

•   Through the use of server publishing rules, ISA Server processes incoming requests

to internal servers, such as SMTP servers, FTP server, and database servers.

•   Like site and content rules and protocol rules, server publishing rules open TCP

ports for service requests dynamically, or only as needed.

 

 

 

=====================================================================

 

winisa6.html                                                     PAGE 3                                                   2002/05/26

 

 

 

 

•   When a server is published by ISA Server, the IP address of the published server

that is visible to the outside world is actually the IP address or addresses of the ISA

Server computer.

•   If you want to publish a server on a perimeter network, or if you want to publish a

server on the ISA Server computer itself, you must configure IP packet filters in ISA

•   Server instead of the publishing rules.

 

 

 

Lesson 2:  Publishing Web Servers Securely

 

By publishing a Web server behind ISA Server, the ISA Server receives requests on behalf of

the internal Web server.  When a client on the Internet requests an object from a publishing

Web server, the requests is actually sent to an external address on the ISA Server computer.

 

To create a new publishing rule, use the New Web Publishing Rule Wizard.  This wizard is

started from the Web Publishing Rules folder located below the Publishing node.

 

 

Web Publishing Rules

 

ISA Server uses Web publishing rules to alleviate concerns about publishing Web content to

the Internet and, as a result, compromising internal network security.

 

IMPORTANT:  To enhance security, do not enable directory browsing on the publishing Web

server.  Likewise, do not configure the Web server for digest or basic authentication.  These

authentication methods can expose the Web server’s internal name or IP address to the

external user.

 

 

Destination Sets and Client Sets

 

When configuring Web publishing rules, such as by using the New Web Publishing Rule wizard,

you are given the option to specify a destination set for the Web publishing rule.  For Web

publishing rules, destination sets usually include a domain name whose IP address maps to

your ISA Server computer.

 

NOTE:  For array members, if enterprise policy settings are configured so that publishing is

not allowed, you will not be able to create a Web publishing rule.

 

 

 

=====================================================================

 

winisa6.html                                                     PAGE 4                                                   2002/05/26

 

 

 

 

Web Publishing Rule Actions

 

Web publishing rule actions are configured on the Rule Action screen of the New Web

Publishing rule wizard.  Rule actions for Web publishing rules either discard HTTP requests

targeted for specific destination sets or redirect those requests to an alternate site, usually to a

Web server on your corporate network.

 

 

SSL and HTTP Bridging

 

By accessing the Bridging tab of a Web publishing rule’s properties, you can configure how

incoming HTTP requests should be redirected, whether as HTTP requests, as SSL or as

FTP requests.

 

You can also bridge SSL communications.  This is, if the initial communication uses SSL, after

ISA Server passes to the request to the internal Web server, the communication can be

redirected using HTTP, SSL, or FTP.

 

When you configure HTTP or SSL requests to be passes on as an FTP requests to the Web

server, ISA Server redirects the requests to the internal Web server using FTP.  If you

configure bridging in this way, you can specify which port should be used when bridging

FTP requests.

 

 

Rule Order

 

For each incoming Web request, Web publishing rules are processed in order.  When a

rule matches a request, the request is routed and cached accordingly.  If no rule matches

the request, ISA Server processes the default rule, which discards the request.  If you have

created two or more Web publishing rules in addition to the default rule, you may change

the order of those rules at any time.

 

 

Sample Web Publishing Rule

 

Suppose you want to publish two internal Web servers in the domain example.Microsoft.com,

one called Dev and the other called Mktg.  Though the IP address of the example.Microsoft.com

domain corresponds to the external interface of the ISA Server computer, you would like the

internal server Mkt to respond when a client requests example.Microsoft.com/Marketing, and

the internal server Dev to respond when a client requests example.Microsoft.com/Development.

 

To achieve this goal, you first create two destination sets.  The first destination set, called

Marketing, should include the computer example.Microsoft.com and the path/Marketing/*. 

The second destination set, called Development, should include the computer example.Microsoft.com

and the path/Development/*.

 

 

=====================================================================

 

winisa6.html                                                     PAGE 5                                                   2002/05/26

 

 

 

 

******  Do the practice exercises on page 250 -  page 254 at home *****

 

 

Lesson Summary:

 

•   Through Web publishing rules, ISA Server responds to client requests on behalf of

publishing

•   Web servers.  When an Internet client makes a Web request to an external IP

address on the

•   ISA Server computer, the requests is forwarded to the Web publishing server

specified in the Web publishing rule matching the request.

•   For Web publishing rules, destination sets usually include a domain name (whose

IP address maps to your ISA Server computer) and a path.  Client address sets

usually include IP addresses of clients located on the Internet.

•  To publish a Web server hosted on the ISA Server computer, configure the

Web server so that it listens on a port other than 80.  Then, modify the ISA Server

Web publishing rule so that ISA Server forwards the requests to the appropriate port

on the Web server.

 

 

Lesson 3:  Publishing Mail Server

 

•   Mail servers may provide various services through several different protocols, and

as a result, publishing a mail server behind a firewall normally requires you to allow each

protocol access through the firewall.

 

 

Mail Server Security Wizard

 

ISA Server includes the Mail Server Security wizard, which you can use to host a mail server

securely behind ISA Server.  The wizard configures ISA Server rules to securely publish internal

mail services to your external users.

 

 

Content filtering

 

If the SMTP filter is installed and enabled, you can apply content filtering for all incoming mail by

selecting the Apply Content Filtering check box in the wizard.  The content will be filtered in

accordance with the SMTP filter configuration.

 

NOTE:  If the SMTP filter is already enabled, you cannot use the Mail Server Security Wizard

to disable it.

 

 

=====================================================================

 

winisa6.html                                                     PAGE 6                                                   2002/05/26

 

 

 

Configuring Exchange Server on the Local Network

 

By using ISA Server Mail Server Security Wizard, you can configure an internal Microsoft

Exchange Server so that it is available to external clients through one or more of the following protocols:

 

 

• Messaging Application Programming Interface (MAPI)
• Post Office Protocol 3 (POP3)
• Internet Messaging Access Protocol 4 (IMAP4)
• Network News Transfer Protocol (NNTP)
• Secure NNTP

 

The wizard creates one or more server publishing rules corresponding to each mail server that ISA

Server protects.  The server publishing rules created by the wizard have the following parameters:

 

 

• The mail server’s internal address
• The external address exposed by the ISA Server
• The protocol for the selected mail service

 

The new rules created by the wizard are all named with the prefix “Mail Wizard Rule”.

 

 

Exchange Server on the ISA Server Computer

 

You can use the Mail Server Security Wizard to publish an Exchange server on the ISA

Server computer.  In this scenario, the Mail Server Security Wizard creates an IP packet filter. 

IP packet filters are created for each mail service that you select.  For example, suppose

you run the Mail Server Security wizard and configure ISA Server to allow outgoing SMTP

mail and POP3 client requests.  In this scenario, Microsoft Outlook clients will still not be

able to access the Exchange server from outside the local network.  To allow qualified

clients inside and outside the network to use the SMTP server, you would need to create

the following four IP packet filters:

 

•   An IP packet allowing Inbound TCP connections on local port 25 from any

remote port (to allow incoming SMTP packets)

•   An IP packet filter allowing Outbound TCP connections on all local ports

from remote port 25 (to allow outgoing SMTP packets)

•   An IP packet filter allowing Inbound (TCP connections on local port 110

from any remote port (to allow incoming POP3 packets)

•   An IP packet filter allowing Outbound TCP connections on all local ports

from remote port 110 (to allow outgoing POP3 packets)

 

 

 

 

=====================================================================

 

winisa6.html                                                     PAGE 7                                                   2002/05/26

 

 

 

Lesson Summary:

 

•   The Mail Server Security wizard simplifies the process of publishing mail

servers on your network.  When you publish a mail server by using the

•   Mail Server Security wizard, you create server publishing rules specifying

the published IP address of the mail server and the internal IP address of the

 mail server computer.

•   The Mail Server Security wizard also creates a protocol rule allowing outgoing

mail traffic.

•   To run the Mail Server Security wizard, right-click the Server Publishing Rules

folder in the console tree of ISA Management and select Secure mail Server.