SUMMARY
You can configure Microsoft Internet Security and Acceleration (ISA) Server to publish a Web server that is on an internal network or to use packet filtering. By configuring ISA Server to use packet filtering, Web requests can pass through to a Web server that is on a perimeter network, which is also known as a demilitarized zone (DMZ).
This step-by-step article describes how to use a tri-homed ISA Server to publish a Web server that is on a perimeter network. A "tri-homed" computer refers to a computer that contains three network adapters.
back to the top
Configure the Perimeter Network Addressing
To publish a Web server on a perimeter network, you need to assign a range of public IP addresses to computers that are on the perimeter network. To assign the IP addresses, use one of the following methods:
Method 1:
Use a separate, publicly accessible IP address range
for computers that are on the perimeter network.
Method 2:
Subnet your public IP address range. Divide the IP addresses between the computers that are on the external network and the computers that are on the perimeter network.
NOTE: You also have to reconfigure upstream routers to recognize each subnet as a separate network.
For additional information about how to subnet an IP address range, click the article number below
to view the article in the Microsoft Knowledge Base:
269098 How to Configure Windows 2000 Subnets
Method 3:
If you configure ISA Server behind a Network Address Translation (NAT) router, you can assign a range of private IP addresses to the computers that are on the perimeter network. These addresses are considered as external or public IP addresses by ISA Server.
For example, consider the following sample illustration of a network configuration where:
- The IP addresses are assigned to the network interfaces of the ISA Server computer.
- The subnet mask that is assigned to the public network interface and to the perimeter network interface is 255.255.255.128.
- The Internet service provider (ISP) router is configured with two subnets:
- 172.16.16.0 netmask 255.255.255.128 (local)
- 172.16.16.128 netmask 255.255.255.128 (routed to 172.16.16.4)
Sample Illustration:
ISP Router --- 172.16.16.4 - ISA Server - 192.168.0.1 --- LAT
|
172.16.16.130
|
|
Perimeter Network
back to the top
Verify the DNS Entries
To install ISA Server behind a NAT router and to use a range of private addresses in the perimeter network, you must configure a DNS server that you can access from the Internet with the A resource record or with the CNAME resource record of the Web server that resolves to the IP address of the external network interface of the NAT router. In this scenario, you also have to map this IP address to the external network interface of the ISA Server computer.
NOTE: If you do not maintain your own external DNS server, contact your Internet service provider (ISP) for this configuration. For additional information about how to configure a DNS server, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
172953 How to Install and Configure Microsoft DNS Server
308201 HOW TO: Create a New Zone on a DNS Server
back to the top
Configure the ISA Server Packet Filtering
To configure packet filtering on the ISA Server computer, follow these steps:
- Log on to the ISA Server computer as an administrator.
- Start ISA Management.
- In the console tree, click Server and Arrays, click server name where server name is the name of the ISA Server computer, click Access Policy, right-click IP Packet Filters, and then click Properties.
- Click to select the Enable packet filtering check box.
- Click to select the Enable IP Routing check box.
Caution: If you enable IP routing you must also enable packet filtering. If you enable IP routing and you do not enable packet filtering, all packets are automatically forwarded to the destination without filtering. This sequence of events bypasses the firewall protection in ISA Server. - If you want to enable ISA Server intrusion detection filters, click to select the Enable Intrusion detection check box.
- On the Packet Filters tab:
- Click to select the Enable filtering of IP fragments check box to configure ISA Server to reject (drop) fragmented IP packets. The filtering of IP fragments may prevent certain exploits that rely on the re-assembly of fragmented IP packets; however, the performance some streaming media connections may be degraded as well.
- Click to select the Enable filtering IP options check box to protect against exploits such as the source route option, which specifies an alternate route for returned packets.
- Click to select the Log packets from 'Allow' filters check box to log the successful transmission packets. You can use this option to troubleshoot packet filtering options.
NOTE: This option uses a lot of the processor resources and the disk resources.
- On the Intrusion Detection tab, click to select the check boxes for the attacks that you want ISA Server to detect and respond to.
- Click Apply, and then click OK.
back to the top
Configure the Packet Filters for the External Web Server
To configure packet filters for a Web server that is on the perimeter network:
- Log on to the ISA Server computer as an administrator.
- Start ISA Management.
- In the console tree, click Server and Arrays, click server name where server name is the name of the ISA Server computer, click Access Policy, and then click IP Packet Filters.
- Click Create a Packet Filter.
- In the IP packet filter name box, type the name that you want. For example, Web protocol filter. Click Next.
- Verify that the Allow packet transmission check box is selected, and then click Next.
- Click Predefined, click HTTP server (port80) in the Predefined list, and then click Next.
- Click This computer (on the perimeter network), type the IP address of the Web server that is on the perimeter network, and then click Next.
- Click All remote computers, and then click Next.
- Verify that the configuration is correct, and then click Finish.
back to the top
Configure the Routing on the Web Server
On the Web server, set the default gateway to the IP address of the ISA Server computer's network adapter that connects to the perimeter network:
- Log on to the Web server as an administrator.
- Click Start, point to Settings, and then click Control Panel.
- Double-click Network and Dial-up Connections.
- Right-click the Local Area Connection icon, and then click Properties.
NOTE: If you have more than one local area connection, right-click the connection that you use to connect to the ISA Server computer. - In the list of components, click Internet Protocol (TCP/IP), and then click Properties.
- In the Default gateway box, type the IP address of the network interface of the ISA Server computer to which this adapter connects.
- Click OK, click OK, and then close the Network and Dial-up Connections window.
back to the top
Troubleshooting
- Verify that the Local Address Table (LAT) does not contain the IP addresses of computers that are on the perimeter network.
To view the LAT:- Log on to the ISA Server computer as an administrator.
- Start ISA Management.
- In the console tree, click Server and Arrays, click server name where server name is the name of the ISA Server computer, click Network Configuration, and then click Local Address Table (LAT).
- In the details pane, note the IP addresses that are listed. These addresses are considered as part of the internal network by ISA Server.
- To change these settings, double-click the IP address range. Configure the IP address range to contain only the IP addresses that you want in the internal network, and then click OK.
- You cannot use Internet Protocol security (IPSec) or Kerberos authentication.
If you implement private network addressing in the perimeter network, you cannot use IPSec or Kerberos authentication.
back to the top
REFERENCES
For additional help and support with Microsoft Internet Security and Acceleration (ISA) Server, see the following Web sites:
For additional information about how to configure Windows 2000 as a Web server, click the article number below
to view the article in the Microsoft Knowledge Base:
308192 HOW TO: Configure Windows 2000 as a Web Server
For additional information about how to change the IP address of a network adapter, click the article number below
to view the article in the Microsoft Knowledge Base:
308199 HOW TO: Change the IP Address of a Network Adapter
back to the top
Glossary
- Internal network interface: The network adapter in the ISA Server computer that is connected to that portion of the network that is protected by (behind) the firewall. Computers in this segment of the network are considered protected by the ISA Server firewall.
- External network interface: The network adapter in the ISA Server computer that is connected to the Internet or to the portion of the network that is considered unprotected. Computers on this segment of the network are not protected by the ISA Server firewall.
- Perimeter network or de-militarized zone (DMZ): A network that is between an external unprotected network and the internal protected network.
back to the top