How to publish a Web server on a perimeter network by using ISA Server 2006 or ISA Server 2004 (838242)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition

INTRODUCTION

This step-by-step article describes how to use Microsoft Internet Security and Acceleration (ISA) Server 2006 or ISA Server 2004 to publish a Web server that is on a perimeter network.


Configure the perimeter network addressing

To publish a Web server on a perimeter network, you must assign a range of public Internet Protocol (IP) addresses to computers that are on the perimeter network. To assign the IP addresses, use one of the following methods.

Method 1

Use a separate, publicly accessible IP address range for computers that are on the perimeter network.

Method 2

Subnet your public IP address range. Divide the IP addresses between the computers that are on the external network and the computers that are on the perimeter network.

Note You must also reconfigure upstream routers to recognize each subnet as a separate network.

For additional information about how to subnet an IP address range, click the following article number to view the article in the Microsoft Knowledge Base:

269098 How to configure Windows 2000 subnets

Method 3

You can assign a range of private IP addresses to the computers that are connected to the perimeter network.

For example, consider the network configuration where:
  • Your ISP assigns you an IP address for the external interface of the ISA Server computer.
  • You assign the IP address range 192.168.0.x/24 to the internal network.
  • You assign the IP address range 192.168.1.x/24 to the perimeter network.
In this example, you can define the following network relationships:
  • A routing relationship between the internal network and the perimeter network.
  • A network address translation (NAT) relationship between the internal network and the external network.
  • A network address translation relationship between the perimeter network and the external network.
For additional information about network relationships, see the "Multi-networking overview" topic in ISA Server 2004 Help.


Verify the DNS entries

To configure ISA Server behind a NAT router and to use a range of private addresses in the perimeter network, you must configure a publicly accessible DNS server with the A resource record or the CNAME resource record of the Web server, so that the name resolves to the IP address of the external network interface of the NAT router. In this scenario, you also have to map this IP address to the external network interface of the ISA Server computer.

Note If you do not maintain your own publicly-accessible DNS server, contact your Internet service provider (ISP) for this configuration. For additional information about how to configure a DNS server, click the following article numbers to view the articles in the Microsoft Knowledge Base:

172953 How to install and configure Microsoft DNS Server

308201 How to create a new zone on a DNS server


Configure the perimeter network

Configure the perimeter network on the ISA Server computer. To do this, follow these steps:
  1. Start the ISA Server Management tool.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer.
  3. Expand Configuration, and then click Networks.
  4. Click the Tasks tab, and then click Create a New Network.
  5. In the Network name box, type a descriptive name for the perimeter network, and then click Next.
  6. Click Perimeter Network, and then click Next.
  7. Click Add Adapter, click to select the check box of the network adapter that is connected to the perimeter network, and then click OK.
  8. Click Next, and then click Finish.
  9. Click Apply to update the firewall policy, and then click OK.

Publish the Web server computer

To publish the Web server computer, follow these steps.

Note These steps describe how to publish a Web site that allows for anonymous access. To publish a Web site that requires authentication, or to publish a Web site that requires a Secure Sockets Layer (SSL) connection, modify these steps as appropriate for your requirements.

ISA Server 2006

  1. Start the ISA Server Management tool.
  2. Expand ServerName, where ServerName is the name of the ISA Server computer.
  3. Click Firewall Policy, click the Tasks tab, and then click Publish Web Sites.
  4. In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
  5. Leave the Allow option selected, and then click Next.
  6. Leave the Publish a single Web site or load balancer option selected, and then click Next.
  7. Click Use non-secured connections to connect the published Web server or server farm, and then click Next.

    Note For more information about the connection security methods that are available in ISA Server 2006, click the server connection security link.
  8. In the Internal site name box, type the internally-accessible name of the Web server. Click to select the Use a computer name or IP address to connect to the published server check box. In the Computer name or IP address box, type the internally-accessible fully qualified domain name or the IP address of the Web server computer, and then click Next.
  9. In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
  10. If you want to publish only a particular folder in the Web site, type that folder name in the Path (optional) box. The full path of the published Web site appears in the Web site box.
  11. Click Next.
  12. In the Accept requests for list, click This domain name (type below), type the publicly-accessible fully qualified domain name of the Web site in the Public name box, and then click Next.
  13. In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
    1. Click New, type a descriptive name for the new Web listener, and then click Next.
    2. Click Do not require SSL secured connections with clients, and then click Next.
    3. In the Listen for requests from these networks list, click to select the External check box, and then click Next.
    4. In the Select how clients will provide credentials to ISA Server list, click No Authentication, and then click Next.

      Note For more information about the authentication methods that are available in ISA Server 2006, click the authentication settings link.
    5. On the Single Sign On Settings page, click Next, and then click Finish.
  14. Click Next.
  15. In the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, and client cannot authenticate directly, and then click Next.

    Note For more information about the authentication delegation methods that are available in ISA Server 2006, click the authentication delegation link.
  16. Leave the default user setting of All Users in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
  17. Click Apply to update the firewall policy, and then click OK.

ISA Server 2004

  1. Start the ISA Server Management tool.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer.
  3. Click Firewall Policy, click the Tasks tab, and then click Publish a Web Server.
  4. In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
  5. Leave the Allow option selected, and then click Next.
  6. In the Computer name or IP address box, type the IP address of the Web server computer, and then click Next.
  7. In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
  8. In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
    1. Click New, type a descriptive name for the new Web listener, and then click Next.
    2. In the Listen for requests from these networks list, click to select the External check box, and then click Next.
    3. Leave the Enable HTTP check box selected, click Next, and then click Finish.
  9. Click Next, leave the default user set of All Users in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
  10. Click Apply to update the firewall policy, and then click OK.

Configure the default gateway on the Web server

On the Web server computer, set the default gateway to the IP address of the ISA Server computer's network adapter that connects to the perimeter network. To do this, follow these steps:
  1. On the Web server computer, click Start, point to Settings, and then click Control Panel.
  2. Double-click Network and Dial-up Connections, right-click the network connection, and then click Properties.
  3. In the list of components, double-click Internet Protocol (TCP/IP).
  4. In the Default gateway box, type the IP address of the ISA Server computer's perimeter network interface.
  5. Click OK two times.

Troubleshooting

Verify that the internal network does not contain the IP addresses of computers that are on the perimeter network. To view the internal network:
  1. Start the ISA Server Management tool.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer.
  3. Expand Configuration, and then click Networks.
  4. Click the Networks tab, right-click Internal, and then click Properties.
  5. Click the Addresses tab, and then verify the address range that appears.
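The check in step 5 can be made mechanical once the ranges are copied out of the Addresses tab by hand. The following Python sketch is an added example, not part of the original article or of ISA Server; the function names and all sample ranges are assumptions constructed from the Method 3 addressing example (192.168.0.x/24 internal, 192.168.1.x/24 perimeter).

```python
import ipaddress


def parse_range(text):
    """Parse 'start - end' or CIDR notation into (first, last) addresses."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.IPv4Network(text, strict=False)
        first, last = net[0], net[-1]
    if first > last:
        raise ValueError(f"range start is above range end: {text!r}")
    return first, last


def find_overlaps(internal_ranges, perimeter_ranges):
    """Return (internal, perimeter, first, last) for every shared address span."""
    hits = []
    for i_text in internal_ranges:
        i_lo, i_hi = parse_range(i_text)
        for p_text in perimeter_ranges:
            p_lo, p_hi = parse_range(p_text)
            lo, hi = max(i_lo, p_lo), min(i_hi, p_hi)
            if lo <= hi:  # the two ranges share at least one address
                hits.append((i_text, p_text, str(lo), str(hi)))
    return hits


# Constructed sample data, based on the Method 3 addressing example.
PERIMETER = ["192.168.1.0/24"]
INTERNAL_OK = ["192.168.0.0 - 192.168.0.255"]
# Constructed misconfiguration: the Internal range runs on into the perimeter subnet.
INTERNAL_BAD = ["192.168.0.0 - 192.168.1.127", "10.0.0.0 - 10.0.0.255"]

if __name__ == "__main__":
    for label, internal in (("ok", INTERNAL_OK), ("bad", INTERNAL_BAD)):
        overlaps = find_overlaps(internal, PERIMETER)
        if not overlaps:
            print(f"[{label}] Internal and perimeter ranges are disjoint")
        for i_text, p_text, lo, hi in overlaps:
            print(f"[{label}] Internal '{i_text}' overlaps perimeter '{p_text}': {lo} - {hi}")
```

Any overlap reported means that part of the perimeter network is being treated as Internal, so the Internal address range should be narrowed until the two are disjoint.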

REFERENCES

For additional help and support with Microsoft Internet Security and Acceleration (ISA) Server, visit the following Web sites:

For additional information about Web publishing rules, search for "Web publishing rules" in ISA Server Help. For additional information about ISA Server HTTP inspection options, search for "HTTP filter" in ISA Server Help.

For additional information about how to configure Windows 2000 as a Web server, click the following article number to view the article in the Microsoft Knowledge Base:

308192 How to configure Windows 2000 as a Web server

For additional information about how to change the IP address of a network adapter, click the following article number to view the article in the Microsoft Knowledge Base:

308199 How to change the IP address of a network adapter in Windows 2000




Modification Type: Minor
Last Reviewed: 9/20/2006
Keywords: kbISA2006Swept kbHOWTOmaster kbDeployment kbFirewall kbhowto kbinfo KB838242 kbAudITPRO