Isa Server Deploys Guide


  • 8/14/2019 Isa Server Deploys Guide

    1/41

    Microsoft Internet Security and Acceleration Server 2000

    SharePoint Portal Server Deployment Kit

    Chapter 3. Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publishing

    Martin Grasdal, Dr. Thomas W Shinder, December 2003

    Table of Contents

    Abstract
    Overview
    Step-by-Step Background Information
    Step-by-Step How To: Creating New Virtual Web Site To Host the Extranet SharePoint Site

    Page 1 of 41 Quick Start: Configuring SharePoint Extranet Virtual Web Site and ISA Server Web Publ...

    7/26/2009 http://www.isaserver.org/img/upl/spskit/3quickstart/3quickstart.htm


    Step-by-Step How To: Extending SharePoint Portal Site into the Extranet Virtual Web Site
    What is an Application Pool?
    Creating Application Pool for Use by Extranet Web Site
    Extending SharePoint Site to Extranet Virtual Web Site
    Configuring the Virtual Web Site To Support Basic Authentication
    Testing Extranet SharePoint Site from Internal Client
    Step-by-Step How To: Configuring ISA Server 2000 To Protect and To Publish SharePoint Extranet Web Site
    Configuring IP Packet Filter Settings
    Creating a Destination Set
    Creating a Web Publishing Rule
    Configuring the Incoming Web Requests Listener
    Troubleshooting Tips for Web Publishing Rules
    Configuring Outbound Access for Internal ISA Clients
    Summary


    Abstract

    ISA Server 2000 Web Publishing Rules can provide highly secure and available access to a SharePoint Portal Server 2003 extranet site. The security of Web Publishing Rules can be further enhanced by leveraging the in-built security features of IIS 6.0 on Windows 2003 and SharePoint Portal Server 2003. This document shows you how to create a secure solution for a SharePoint extranet Web site by extending the SharePoint Portal Server 2003 site into a new virtual Web site that uses an application pool to isolate worker processes in IIS 6.0, configuring the Web site to use a different authentication method, and configuring ISA Server to publish the Web site using a Web Publishing Rule.


    This chapter provides an overview of the need for a separate site for extranet access and a summary of the relevant features of ISA Server 2000 that make the extranet site available to external clients. It then provides an explanation of how to set up the SharePoint Portal site in a separate virtual Web site and how to configure the ISA Server 2000 firewall to protect and publish the extranet SharePoint site.

    Enabling a SharePoint extranet site for access from the Internet requires the following steps:

    Creating a new virtual Web site to host the extranet SharePoint Web site.
      o Adding an IP address to the Windows 2003 server to assign to the new Web site.
      o Adding a new Web site using Internet Information Services (IIS) Manager.

    Extending the SharePoint Portal Web site into the extranet Web site.
      o Creating a new application pool in IIS 6.0 for use by the extranet SharePoint site (optional).
      o Creating a new SharePoint portal site in the extranet virtual Web site, or mapping an existing SharePoint portal site to the extranet virtual Web site.
      o Configuring authentication methods on the extranet virtual Web site.
      o Testing the extranet site from the internal network.

    Configuring ISA Server 2000 to protect and to publish the extranet SharePoint site.
      o Enabling Packet Filtering and IP Routing on the ISA Server 2000 firewall.
      o Configuring the Incoming Web Requests Listener.
      o Adding a Destination Set.
      o Testing the Web Publishing rule on ISA Server from an external client.
      o Creating a Protocol Rule to enable outbound access for internal clients (optional).

    Overview

    An extranet is a collection of internal resources that is made available to Internet clients. Access to the extranet usually occurs through a firewall, such as ISA Server 2000, to provide security for extranet resources. A SharePoint Portal Server 2003 site is a sophisticated Web-based application with an intuitive and easy-to-use Web browser interface that provides complete access to SharePoint's powerful capabilities. Many organizations will find it desirable to make some or all of SharePoint's resources available on an extranet for external employees, customers, or business partners.

    In almost all cases where SharePoint is deployed as an extranet resource, its configuration will differ from the configuration of the SharePoint site(s) located on the intranet. For example, it may be desirable to support Anonymous or Basic authentication to allow customers and business partners to connect at will. Or, it may be desirable to implement Secure Sockets Layer (SSL) on the SharePoint site to provide a higher degree of protection for user credentials and data. Or, it may be desirable for the extranet SharePoint site to connect to different content databases than the intranet site.

    All of these scenarios and others require that the extranet site use a different virtual Web site from the intranet site. For example, if a user authenticates to a SharePoint site using Basic Authentication, and the SharePoint Web site is configured to use both Basic and Windows Integrated Authentication, the user will not be able to view search results when he or she invokes a search query on the SharePoint site. However, if the SharePoint Web site is configured to use Basic Authentication only, the user will be able to view the results of a search. Because it is undesirable to disable Windows Integrated Authentication on the intranet SharePoint site, it is necessary to create a new SharePoint Web site that supports Basic Authentication only.

    Access to the SharePoint extranet must occur through a firewall to assure a high level of protection. Furthermore, the firewall must be capable of providing a high degree of functionality for external clients who use the extranet SharePoint site, while at the same time providing a high degree of protection.

    ISA Server 2000 is a highly secure and extensible firewall solution, which makes it the ideal firewall for controlling access to the extranet. Its advanced features, such as Web publishing and Server publishing rules, Application Layer filtering, Link Translation, Basic Delegation of Authentication Credentials, SSL bridging, detailed logging, and others, help to ensure a high degree of both protection and functionality.

    In particular, the use of Web publishing rules to make an extranet SharePoint site available to external clients confers a number of unique advantages over using ISA Server 2000 Server Publishing rules or using other firewall products to provide access to the extranet. Advantages of using ISA Server 2000 Web Publishing rules include:


    Use a single external IP address to publish multiple Web sites.

    Use multiple incoming listener configurations with multiple IP addresses to support use of different digital certificates and authentication methods.

    Authenticate with the ISA Server 2000 firewall using basic, integrated, digest, or certificate authentication.

    Use port redirection to redirect HTTP requests to an alternate port used by the Web server on the internal network.

    Inspect the URL in the HTTP header and determine the destination for the request on the intranet or perimeter network (DMZ).

    Extend ISA Server 2000 firewall security by installing URLScan 2.5 to perform deep inspection of HTTP header information and accept or deny connections based on a configurable set of rules.

    Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTP requests to the internal Web server. This allows HTTP traffic to be inspected before it is allowed into the internal network and saves CPU cycles on the Web server because it does not have the overhead of encrypting traffic.

    Terminate SSL requests (HTTPS) at the ISA Server 2000 firewall and redirect them as HTTPS requests to the internal Web server. This allows HTTPS traffic to be inspected before it is allowed into the internal network and enhances end-to-end security for data sent between clients and the Web server.


    Step-by-Step Background Information

    The test lab used to demonstrate these step-by-step instructions has the following configuration:

    Internal Network. The internal network uses the 172.16.1.0/24 network ID. The default gateway for the network is 172.16.1.1, which is the internal IP address of the ISA Server.

    External Network. The external network uses the 192.168.100.0/24 network ID.

    Internal DNS and Active Directory Namespace. Internal.net is used as the Active Directory and DNS namespace for the internal network.

    Active Directory. A Windows 2003 Active Directory domain controller named Ad1.internal.net is used to provide directory and DNS services. DNS is set up with root hints and forwarding to support resolution to the external network and the Internet. The IP address of the domain controller is 172.16.1.10.

    External DNS Namespace. External.net is used as the DNS namespace for external clients connecting to resources published through the ISA Server 2000 firewall. The DNS zone files for external.net are located on the external network. The zone has been pre-configured with a single host record pointing to the external IP address of the ISA Server 2000 firewall to resolve the Fully Qualified Domain Name (FQDN) extranet.external.net for access to the extranet SPS Web site.

    SharePoint Portal Server 2003 Configuration. SharePoint Portal Server 2003 is set up on a Windows 2003 computer named Sps.internal.net. The SharePoint server uses a co-located SQL Server 2000 Standard Edition for the configuration and content databases. The SPS server has a primary static IP address of 172.16.1.11 that uses 172.16.1.1 as the default gateway.

    SharePoint Server Virtual Web Site Configuration. IIS 6.0 was installed on the Windows 2003 server as per the SharePoint Portal Server 2003 prerequisites found in the SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide. The intranet SPS virtual Web site is located at 172.16.1.11 and is configured to use Windows Integrated Authentication only. Specifically, IIS 6.0 has been configured as follows:
      o Application Server with the following components:
        Microsoft ASP.NET
        Enable COM+ Components
        Microsoft Internet Information Services with the following components:
          Common Files
          Internet Information Services Manager
          World Wide Web Service with the following components:
            o Active Server Pages
            o World Wide Web Service

    ISA Server 2000 Configuration. ISA Server 2000 with Service Pack 1 and HotFix isahf255.exe is installed on a Windows 2003 server. Other than the configuration of the Local Address Table (LAT), ISA Server is configured using the defaults from the installation setup program. For specific instructions for installing an ISA Server on Windows 2003, please see Tom Shinder's article, Installing ISA Server 2000 on Windows Server 2003, on the ISAServer.org Web site. The ISAServer.org Web site contains much useful information on installing and configuring ISA Server, such as Will Schmied's article, Installing ISA Server 2000, and Jim Harrison's article, Configuring ISA Server Interface Settings. Another good source of information and instruction is the Microsoft TechNet ISA Server Web site.
      o External NIC configuration:
        IP address: 192.168.100.22/24
        Default Gateway: 192.168.100.254/24
        File and Print Sharing: disabled
        Client for Microsoft Networks: disabled
        NetBIOS: disabled
        Registration of external IP address in Dynamic DNS zone: disabled
        DNS server: None
        Binding order: lowest
      o Internal NIC configuration:
        IP address: 172.16.1.1/24
        Default Gateway: None
        File and Print Sharing: enabled
        NetBIOS: enabled
        Registration of IP address in Dynamic DNS zone: enabled
        DNS server: 172.16.1.10
        Binding order: highest
      o ISA configuration details:
        Installation type: Standalone
        Installation mode: Integrated (firewall and proxy services)
        Local Address Table (LAT): 172.16.1.0 - 172.16.1.255
        Site and Content Rule: Default
        Client Configuration: All clients configured as S-NAT clients (no Web proxy client configuration or Firewall client).


    Step-by-Step How To: Creating New Virtual Web Site To Host the Extranet SharePoint Site

    This section provides basic instructions for setting up a new virtual Web site on IIS 6.0. This new Web site will subsequently be used to demonstrate how to map an existing SharePoint site from the virtual Web site where a SharePoint portal site resides. Note that the extranet SharePoint site will be hosted on the same server as the intranet SharePoint site.

    This may not be a desirable configuration in a production environment, and you may wish to host the extranet site on a different server. Also, this step-by-step walkthrough assumes that a pre-existing SharePoint site exists that can be used for the extranet. For specific instructions on setting up SharePoint Portal Server, please see the SharePoint Portal Server 2003 help files and the SharePoint Portal Server 2003 Customer Evaluation Guide.

    Creating New Virtual Web Site

    An IIS server can host multiple virtual Web sites that use a single, shared IP address or that use individual IP addresses that are not shared with other Web sites. To use a single, shared IP address for multiple Web sites requires that the Web sites are configured with host header names that uniquely identify the Web sites. Using non-shared IP addresses for virtual Web sites does not require host header names, but it does require that multiple IP addresses (one for each virtual Web site) are bound to the network adapter.

    These step-by-step instructions demonstrate how to create a virtual Web site and assign it to an IP address not currently in use by a Web site.

    To add a new IP address to the Windows 2003 server,

    1. Click Start | Settings | Control Panel.
    2. Double click on the Network Connections folder in Control Panel.
    3. Right click on the appropriate network adapter, and click on Properties from the context menu. The network adapter's Properties dialog box appears.
    4. In the Properties dialog box, highlight Internet Protocol (TCP/IP), and click the Properties button. The Internet Protocol (TCP/IP) Properties dialog box appears.
    5. Click the Advanced button. The Advanced TCP/IP Properties dialog box appears.
    6. In the IP Addresses frame, click the Add button.
    7. In the TCP/IP Address dialog box, enter an IP address and subnet mask in the appropriate fields, and click Add.
    8. Click OK twice, and then click Close to finish adding the IP address.

    Once you have added a new IP address to the Windows 2003 server, you can create a new virtual Web site and assign it to the newly added address. To create the new virtual Web site,

    1. Click Start | Administrative Tools, and double click on the Internet Information Services (IIS) Manager. The IIS MMC console opens.


    2. In the Internet Information Services (IIS) Manager console, right click on the Web Sites node in the left-hand pane, and select New | Web Site from the context menu, as in Figure 1 below.

    Figure 1 IIS Manager Console

    3. On the Welcome to the Web Site Wizard page, click Next. The IP Address and Port Settings page appears.


    4. In the IP Address and Port Settings page, enter an unassigned IP address for the new Web site, as in Figure 2 below, and press Next.

    To use a shared IP address for the new Web site, you could either enter a host header name, which is the FQDN that external clients would use to connect to the site, or assign the Web site an unused TCP port. Web publishing rules in ISA Server 2000 allow you to redirect an HTTP request to a TCP port other than port 80 on an internal Web server, so it is possible to use a different TCP port for the internal Web site without inconveniencing external clients.

    Figure 2 IP Address and Port Settings of New Web Site


    5. In the Web Site Home Directory page, enter the path to a folder in the file system that will contain the files for the home directory.

    If you have not previously created the folder, you can create it at this time by pressing the Browse button, which will present you with an interface to browse to folders in the file system and create a new folder. Create a folder for the extranet Web site here.

    You do not wish to allow anonymous access to the Web site. Clear the check box for Allow anonymous access to this Web site, as in Figure 3 below, and click Next.

    Figure 3 Web Site Home Directory Path


    6. In the Web Site Access Permissions page, leave the default permissions as is, and click Next to finish the creation of the new virtual directory. When you extend the SharePoint Web site into the new virtual directory, it will modify permissions on the virtual directory appropriately.

    Figure 4 Web Site Access Permissions Page

    This completes the creation of the virtual Web site that we will use to extend the SharePoint portal site. After we have extended the SharePoint portal site into this virtual Web site, we will revisit the Web site property pages to configure Basic Authentication and verify Web site permissions.


    Step-by-Step How To: Extending SharePoint Portal Site into the Extranet Virtual Web Site

    This section describes how to extend a pre-existing SharePoint site into the new virtual Web site created in the steps above. One of the decisions you must make before extending the SharePoint site into the new virtual server is whether the SharePoint site will use the same application pool as the intranet site, or whether it will use a different application pool. The application pool can be created prior to extending the SharePoint site, or it can be created during the process of creating the SharePoint site.

    What is an Application Pool?

    An application pool is a feature of IIS 6.0 that allows one or more Web applications to be isolated from others running in different application pools. Because these applications have their own worker process, failure of an application in one application pool will not affect other applications running in another pool. Furthermore, each application pool can use a different identity setting to enhance security.

    An application pool identity is the security context used by the worker process. Prior to IIS 6.0, worker processes ran in the security context of the LocalSystem account, which has almost unrestricted access to the operating system. This creates a number of security implications. With application pool identity settings, it is possible to use accounts for the security context of the worker process that have relatively low levels of access to the operating system.

    For example, one account that can be used for an application pool is the NT Authority\NetworkService account. This account has limited access to the local computer and network resources. Some of the rights this account has include Log on as a service, Replace a process-level token, Access this computer from the network, Allow log on locally, and Impersonate a user account after authentication.

    You can also create a user account to use for the application pool identity. However, whatever account you use for the SharePoint application pool identity, this account must have a SQL login, and it must have the db_owner role in the SharePoint databases used by the site. These databases are the _SITE database, the _SERV database, the _PROF database, and the SharePoint configuration database (by default SPS01_Config_db).

    Note:

    If you have installed SharePoint Portal Server with the WMSDE version of SQL Server, you will need to install the SQL Server tools to add logins and make changes to the database roles. This requires that you purchase a license for SQL Server 2000 Standard or Enterprise Edition.

    Although using different application pools and identities for SharePoint sites complicates administration, their use enhances security and reliability. For example, if the application pool identity is compromised, only the SharePoint site using that application pool is affected, not all of them. Furthermore, the failure of an application in a dedicated application pool affects only the SharePoint site(s) that use the application pool, not all of them.

    For more information on the topic of application pools, identities, and SharePoint sites, please see the Microsoft whitepaper, Creating Additional Portal Site Application Pools for SharePoint Portal Server 2003.

    Creating Application Pool for Use by Extranet Web Site

    Although it is possible to create a dedicated application pool during the process to extend the portal site, you can create the application pool beforehand using the Internet Information Services (IIS) Manager. The NT Authority\NetworkService account has very limited rights and consequently makes a good candidate for use as the application pool identity. To create an application pool,

    1. Open the Internet Information Services (IIS) Manager MMC console, right click on the Application Pools node, point to New in the context menu, and click on Application Pool, as in Figure 5 below.

    Figure 5 Creating New Application Pool


    2. In the Add New Application Pool dialog box, type in a descriptive name for the new pool in the Application pool ID field.


    3. In the Application pool settings frame, select the Use existing pool as template radio button; select the application pool used by the SharePoint intranet site from the Application pool name drop down box, and click OK. The properties page for the application pool will appear.

    Figure 6 Selecting SharePoint Application Pool as Template


    4. In the Properties dialog box, click the Identity tab to verify that the appropriate account is being used. You can use the account used by the default SharePoint application pool, or you can enter another account in this page for use by the application pool. If you want to use the NT Authority\NetworkService account, select the Predefined radio button, and then select Network Service from the drop-down list. Click OK to finish the creation and configuration of the application pool.

    Note: Make sure the account you use for the application pool has sufficient rights and privileges. For example, the account must have the db_owner role for the SharePoint configuration and content databases.

    Figure 7 Configuring Identity for Application Pool


    Extending SharePoint Site to Extranet Virtual Web Site

    In this demonstration, we will extend the SharePoint site into a new virtual Web site. The extranet SharePoint site will use the application pool we created in the above steps.

    The process for extending the SharePoint site is as follows:

    1. On the task bar, click Start, point to Programs | SharePoint Portal Server, and then click on SharePoint Central Administration. (As an alternative, you can access the administrative pages from the SharePoint site by clicking on Go to SharePoint Portal Server central administration site from the General Settings section.) The administration site appears, as in Figure 8 below.

    Figure 8 SharePoint Central Administration Site


    2. Click on Extend an existing virtual server from the Virtual Server List page. The Virtual Server List appears showing the name of the virtual server created in the steps above, as in Figure 9 below.

    Figure 9 Virtual Server List


    3. Click on the in the Virtual Server List. The Extend Virtual Server page appears, as in Figure 10 below.

    Figure 10 Choosing a Provisioning Option

    On the Extend Virtual Server page, you are presented with the option either to Extend and create a content database or to Extend and map to another virtual server. Because we are going to make the intranet SharePoint site available to Internet users, we are going to choose the option to Extend and map to another virtual server.


    4. Click Extend and map to another virtual server. The Extend and Map to Another Virtual Server configuration page appears, as in Figure 11 below.

    Figure 11 Extending and Mapping to Another Virtual Server

    5. In the Extend and Map to Another Virtual Server page, verify the Server Mapping setting. This should be the virtual server hosting the intranet SharePoint site. Then configure the Application Pool settings as appropriate.

    a. If you wish to use an existing application pool, click the radio button for Use an existing application pool, and select the application pool from the drop-down list.

    b. If you wish to create a new application pool for the SharePoint site, select the radio button Create a new application pool, and enter a name for the pool.

    c. In the Select a security account for this application pool section, you can choose to use one of the 3 pre-defined application pool accounts (NT Authority\NetworkService, NT Authority\LocalSystem, or NT Authority\LocalService) or a configurable account.

    6. Click OK at the bottom of the Extend and Map to Another Virtual Server page to complete the configuration.

    Configuring the Virtual Web Site To Support Basic Authentication

    Once these steps have been completed, it is necessary to configure the authentication method for the virtual Web site to support basic authentication only and to test the Web site from an internal client.

    To configure the Web site to support basic authentication only,

    1. Open the Internet Information Services (IIS) Manager MMC console, expand the Web Sites node, right click on the newly created Web site node, and click Properties from the context menu. The Properties page appears.

    2. In the Properties page of the virtual Web site, click on the Directory Security tab, and then click on the Edit button in the Authentication and access control frame, as in the figure below.


    Figure 12 Directory Security Tab of Web Site Properties Page


    3. In the Authentication Methods dialog box that subsequently appears, you should see that Integrated Windows Authentication is selected. Clear the box beside Integrated Windows Authentication, and click the box beside Basic authentication (password is sent in clear text) to enable basic authentication. A warning will appear informing you of the consequences of basic authentication, as in the figure below.

    Note: Make sure that you select only one authentication method. Otherwise, you may see some peculiar behavior of the Web site. For example, the search function may not work properly for external clients who connect using basic authentication through the ISA Server 2000 firewall, if both integrated and basic authentication methods are selected for the Web site.

    Figure 13 Basic Authentication Warning Message

4. In the IIS Manager warning message, click Yes.

5. In the Default domain text box, enter the name of the Windows domain, or click the Select button and select the domain name. Configuring a domain name here makes it unnecessary for external clients to enter the domain name along with their account name (e.g. Internal\UserName).

As the warning in step 3 points out, basic authentication carries the user name and password in every request with nothing more than Base64 encoding. A site that accepts basic authentication from external clients should therefore be published over HTTPS; the Incoming Web Requests listener on the ISA Server 2000 firewall can be configured with a digital certificate for this purpose.

    6. Click OK twice to commit changes to authentication method.

Testing Extranet SharePoint Site from Internal Client

Once you have finished configuring the authentication method for the extranet SharePoint site, you should test the Web site from an internal client. To do this,

1. Open Internet Explorer, enter http:// in the address box, and press Enter. You should be prompted for your account credentials. (If you are not prompted for credentials, this means the Web site is still using integrated authentication.) Enter a user name (without the domain prefix, to test the default domain setting in IIS) and password, as in figure 14, and press OK.


    Figure 14 Testing Extranet Web Site


Step-by-Step How To: Configuring ISA Server 2000 To Protect and To Publish SharePoint Extranet Web Site

A default installation of ISA Server 2000 prevents both inbound and outbound access. To make internal resources available to external clients, it is necessary to configure either Web or Server Publishing Rules on the ISA Server 2000 firewall. Web Publishing Rules can be used to publish internal Web sites. Web Publishing Rules can also be used to publish internal FTP sites by redirecting HTTP requests as FTP to an internal FTP server.

Server Publishing Rules can be used to publish all other services, including Web and FTP services, provided a protocol definition is configured on the ISA Server. (Some protocols, such as FTP or H.323, also require an application filter in addition to a protocol definition to handle the opening of secondary ports to enable communication across the ISA Server 2000 firewall.)

This section explains how to publish a SharePoint site using a Web Publishing Rule on ISA Server 2000. These instructions assume a default installation of ISA Server 2000 in integrated mode (Firewall and Web Proxy services). For information on the configuration of the ISA Server used in this demonstration, please go to the beginning of this document.

    There are 3 ISA Server elements that have to be configured to publish a Web site using a Web publishing rule:

1. Destination Set. Destination Sets are used to control both inbound and outbound access. They are used by a number of ISA Server 2000 Policies, such as Site and Content Rules and Bandwidth Rules. A Destination Set is a collection of one or more Fully Qualified Domain Names (FQDNs) or IP addresses. A Destination Set can also comprise a set of one or more path statements that can be used to direct requests to specific subdirectories under the root directory of the Web server.

2. Web Publishing Rule. A Web Publishing Rule is an ISA Server 2000 Policy Element that uses a Destination Set to determine where on the internal network to send HTTP or HTTPS requests from external clients. Web Publishing Rules are flexible and can be used to redirect HTTP requests to other ports and to FTP servers. Furthermore, they can be configured to redirect HTTPS requests as HTTP requests to internal Web servers.

3. Incoming Web Requests Listener. Web Publishing Rules depend upon the Incoming Web Requests Listener. The listener passes requests through the ISA Server 2000 firewall's Web Proxy Service for processing before they are sent to the internal network. This means the request can be cached and the content of the HTTP request can be inspected by a Web application filter.

The Incoming Web Requests Listener listens on the default ports for HTTP (80) and HTTPS (443) connections, but it can also be configured to listen on other ports. Furthermore, the listener can be configured to use a digital certificate for HTTPS connections and can be configured to support a variety of authentication methods, such as integrated, basic, digest, and client digital certificate authentication.

The Incoming Web Requests Listener can be configured to use the same listener configuration for all IP addresses bound to the external interface of the ISA Server 2000 firewall, or different listener configurations can be applied to individual IP addresses. This is useful if, for example, it is necessary to use two or more different digital certificates for HTTPS requests.

Assuming a default configuration of ISA Server 2000, it is also necessary to verify and configure appropriate IP Packet Filter settings, in addition to configuring these 3 elements. Primarily, these settings are used to control what packets are accepted on the external interface (for both inbound and outbound access). However, the IP Packet Filter settings are also used to enable PPTP access, logging levels, and intrusion detection settings.

The steps for publishing a SharePoint or other Web site using Web Publishing Rules on an ISA Server are as follows:

    Configuring IP Packet Filter Settings

    Creating a Destination Set

    Creating a Web Publishing Rule

    Configuring the Incoming Web Requests Listener


The following instructions are based on the Advanced View, rather than the Taskpad View, of the ISA Management MMC console. The Advanced View is enabled through the View drop-down menu of the ISA Management MMC console.


Configuring IP Packet Filter Settings

The following steps show you how to configure appropriate settings for IP Packet Filtering:

1. Open the ISA Management MMC console, expand the Access Policy node in the left-hand pane, and right-click on IP Packet Filters to display the context menu, as in the figure below.

    Figure 15 IP Packet Filters Access Policy


2. Click Properties in the IP Packet Filters context menu. The IP Packet Filters Properties page appears, as in the figure below.

    Figure 16 IP Packet Filters Properties Pages

On the General tab, you want to ensure that packet filtering is enabled. For greater security, you can also enable intrusion detection here and then subsequently configure settings for specific kinds of attacks, such as LAND and Ping of Death, on the Intrusion Detection tab. If you want to allow PPTP access through the ISA Server 2000 firewall, you need to enable IP routing in addition to enabling PPTP through the PPTP tab.

IP routing is required in two situations:

It is necessary to enable IP routing when protocols other than TCP or UDP are involved, for example, ICMP (used for ping, etc.) and GRE (used for PPTP). So, if you want to be able to ping an external host from behind the ISA Server 2000 firewall, you need to enable IP routing.

It is also necessary to enable IP routing when ISA Server 2000 is configured as a tri-homed perimeter network (that is, the ISA Server has three network adapters, one of which is connected to a perimeter network using a public IP address).

Enabling IP routing can also result in performance improvements for SecureNAT clients on the internal network. Enable it only together with packet filtering, however: with IP routing on and packet filtering off, ISA Server 2000 routes packets between its interfaces without filtering them.

3. Verify that, at a minimum, packet filtering is enabled on the General tab, and enable intrusion detection and IP routing as appropriate.

    4. Select the Packet Filters tab, as in the figure below.

    Figure 17 Packet Filters Tab


On the Packet Filters tab, you are presented with the options to enable filtering of IP fragments, to enable filtering of IP options, and to log packets from Allow filters. The options to enable filtering of IP fragments and IP options provide greater security against certain attacks that exploit the mechanisms of fragmented IP datagrams and the options field of an IP datagram. Be aware that if you enable filtering of IP fragments, some multimedia applications and applications that require certificate exchange (such as L2TP/IPSec) that rely on fragmented IP datagrams may not work properly or at all.

    5. On the Packet Filters tab enable the filtering and logging options as appropriate.


6. If you have enabled intrusion detection, click on the Intrusion Detection tab and enable the intrusion detection settings as appropriate.

    Figure 18 Intrusion Detection Tab

7. Click OK when you have finished configuring the IP Packet Filter settings.


Creating a Destination Set

After configuring appropriate Packet Filter settings, the next step for configuring Web publishing is to create a Destination Set that will be used by the Web Publishing Rule. To create a Destination Set,

1. Open the ISA Management MMC console, expand the Policy Elements node, right-click on Destination Sets, and point to New | Set in the context menu, as in figure 19.

    Figure 19 Creating a New Destination Set


2. In the New Destination Set dialog box, enter a descriptive name for the destination set in the Name text box, as in figure 20.

    Figure 20 New Destination Set


3. After entering a name and a description (optional), click on the Add button. The Add/Edit Destination dialog box appears, as seen in figure 21.

    Figure 21 Add/Edit Destination

    4. Ensure that the Destination radio button is selected and enter the Fully Qualified Domain Name (FQDN)that external clients use to connect to the SharePoint site in the Name text box.

Note: It is extremely important that you use the external FQDN of the SharePoint site here. Destination Sets and Web Publishing Rules are sometimes a little confusing. It may help to keep in mind that the Web Publishing Rule will match the FQDN carried in the Host header of an incoming HTTP request against an entry in a Destination Set to determine where to redirect the traffic on the internal network. A request that arrives with the firewall's IP address, or some other name, in its Host header will not match a set that contains only the FQDN.

    5. Click OK to finish the creation of the Destination Set.


Creating a Web Publishing Rule

After creating the Destination Set, the next step is to create a Web Publishing Rule to redirect requests from external clients to the extranet SharePoint site on the internal network.

1. In the ISA Management MMC console, expand the Publishing node, right-click on the Web Publishing Rules object, and select New | Rule from the context menu, as in the figure below.

Figure 22

2. In the Welcome to the New Web Publishing Rule Wizard page that subsequently appears, enter a descriptive name for the Web Publishing Rule, and click Next.


3. In the Destination Sets page, select Specified destination set from the Apply this rule to drop-down list. Then, in the Name drop-down list, select the Destination Set created in the previous steps. Figure 23 shows the appropriate settings.

Figure 23 Selecting a Destination Set

4. Click Next to proceed to the Client Type page of the wizard.

5. On the Client Type page, select the Any request radio button, and click Next to proceed to the Rule Action page of the wizard.

    Figure 24 Rule Action Page


6. In the Rule Action page, select the radio button to Redirect the request to this internal Web server (name or IP address), and enter the IP address of the SharePoint extranet Web site. Then, click the check box to Send the original host header to the publishing server instead of the actual one (specified above). This setting preserves the FQDN carried in the Host header of the request from the external client; without it, the firewall replaces the Host header with the name or IP address entered above.

It is possible to use an unqualified or fully qualified domain name for the SharePoint site, instead of the IP address. However, this name must be resolvable to an internal IP address by the ISA Server 2000 firewall, either through a Hosts file entry on the ISA Server or a DNS server.

7. Click Next, and then click Finish on the Completing the New Web Publishing Rule Wizard page that subsequently appears.
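How the three elements described earlier fit together (the Host header of the external request, the Destination Set it is matched against, and the Web Publishing Rule that decides where to forward it), including the effect of the Send the original host header option chosen in step 6, can be seen in the small Python model below. It is an added example, not code from the original guide or from ISA Server 2000; the FQDN sharepoint.example.com, the internal address 10.0.0.5, the listener address 203.0.113.10 and the sample requests are all constructed for illustration. Path matching follows the convention ISA Server 2000 uses for path statements in a Destination Set (a trailing /* covers a directory and everything beneath it; a plain path names a single file).

```python
"""Model of how an ISA Server 2000 Web Publishing Rule resolves an inbound request.

Added illustration only: it reproduces the matching the guide describes
(Host header -> Destination Set -> redirect to the internal server), not ISA code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DestinationSet:
    """One or more FQDN/IP entries, each with an optional path statement."""
    name: str
    entries: List[Tuple[str, Optional[str]]]

    def matches(self, host: str, path: str) -> bool:
        host = host.lower().split(":")[0]          # drop a :port suffix if the client sent one
        for dest, dpath in self.entries:
            if host != dest.lower():
                continue
            if dpath is None:                      # no path statement: the whole site
                return True
            if dpath.endswith("/*"):               # directory and everything below it
                prefix = dpath[:-1]
                if path == prefix.rstrip("/") or path.startswith(prefix):
                    return True
            elif path == dpath:                    # a single file
                return True
        return False


@dataclass
class WebPublishingRule:
    name: str
    destination_set: DestinationSet
    internal_server: str                          # name or IP the firewall itself can resolve
    send_original_host_header: bool = False
    internal_port: int = 80


@dataclass
class ForwardedRequest:
    server: str
    port: int
    host_header: str
    path: str


def parse_request(raw: str):
    """Minimal HTTP request parser: (method, path, headers with lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def publish(rules: List[WebPublishingRule], raw_request: str) -> Optional[ForwardedRequest]:
    """Where the firewall would forward the request, or None when no rule matches (discard)."""
    _method, path, headers = parse_request(raw_request)
    host = headers.get("host")
    if host is None:
        return None                                # nothing to match a named destination against
    for rule in rules:
        if rule.destination_set.matches(host, path):
            # Without the option, the Host header is rewritten to the server named in the rule.
            forwarded_host = host if rule.send_original_host_header else rule.internal_server
            return ForwardedRequest(rule.internal_server, rule.internal_port, forwarded_host, path)
    return None


# Constructed sample configuration (names and addresses are illustrative, not from the guide).
EXTRANET_SET = DestinationSet("SharePoint Extranet", [("sharepoint.example.com", None)])
RULE_KEEP_HOST = WebPublishingRule("Publish SharePoint", EXTRANET_SET, "10.0.0.5",
                                   send_original_host_header=True)
RULE_REWRITE_HOST = WebPublishingRule("Publish SharePoint", EXTRANET_SET, "10.0.0.5")

REQUEST_BY_NAME = "GET /default.aspx HTTP/1.1\r\nHost: sharepoint.example.com\r\n\r\n"
REQUEST_BY_IP = "GET /default.aspx HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"   # listener IP, not the FQDN


if __name__ == "__main__":
    print(publish([RULE_KEEP_HOST], REQUEST_BY_NAME))     # forwarded, Host preserved
    print(publish([RULE_REWRITE_HOST], REQUEST_BY_NAME))  # forwarded, Host becomes 10.0.0.5
    print(publish([RULE_KEEP_HOST], REQUEST_BY_IP))       # None: the FQDN is not in the set
```

The third call is the failure the Troubleshooting Tips section describes: a client that reaches the listener by IP address, or by a name the Destination Set does not contain, gets no matching rule and the request is discarded. The second call shows why the host header option matters for a virtual Web site that is identified by its host header: the internal server would see Host: 10.0.0.5 instead of the name it is configured for.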


Configuring the Incoming Web Requests Listener

By default, the ISA Server 2000 firewall will not allow external clients to connect to the published Web site unless the Incoming Web Requests Listener is configured to listen for requests on its external interface(s). To configure a listener for the published SharePoint extranet Web site,

1. Open the ISA Management MMC console, right-click on the server node object (it will be labeled with the name of your ISA Server), and select Properties from the context menu. The Properties dialog box appears.

2. In the Properties dialog box, select the Incoming Web Requests tab, as shown in figure 25.

    Figure 25 Incoming Web Listener Property Page

It is possible to use the same listener configuration for all IP addresses bound to the external interface or to use different listener configurations for each of the bound IP addresses. In this demonstration, we are going to configure the listener settings for a specific IP address.


3. In the Identification frame of the Incoming Web Requests page, select the radio button to Configure listeners individually per IP address, and then click the Add button. The Add/Edit Listeners page appears, as in the figure below.

On this page, it is also possible to configure the listener to force external clients to authenticate with the ISA Server 2000 firewall before it will forward requests to the internal network. This is accomplished by selecting the box to Ask unauthenticated users for identification in the Connections frame. When this check box is cleared, the ISA Server 2000 firewall will forward anonymous connections to the Web server, which can then subsequently authenticate external connections according to its own settings. In this example, we will let the SharePoint extranet site be solely responsible for authenticating users and will leave this check box cleared.

    Figure 26 Add/Edit Listeners Page

4. On the Add/Edit Listeners page, select the ISA Server from the Server drop-down list, and then select the desired external IP address from the IP Address drop-down list. The IP address you select here must be the IP address to which the Internet FQDN of the published SharePoint site resolves.

    Because the listener is not configured to force authentication for external connections, the settings in theAuthentication frame have no effect. You can, for the time being, safely leave these alone.

5. Click OK when finished configuring the listener settings. You will be asked whether or not you wish the ISA Web Proxy service to be restarted, as in figure 27.

    Figure 27 Web Proxy Service Restart Prompt


To facilitate immediate testing of the Web Publishing Rule, you should select the option to Save the changes, but don't restart the service(s), and then manually restart the Web Proxy service. The reason for this is that it will take a few minutes for the ISA Server 2000 firewall to restart the service. If you attempt to test the Web publishing rule too soon, you will receive an HTTP error response, which may subsequently be cached, further complicating your testing of the Web publishing rule.

    6. Choose the appropriate restart option and click OK.

If you choose the option to manually restart the Web Proxy service, expand the Monitoring node in the ISA Management MMC console, open the Servers folder, right-click on the Web Proxy service in the contents pane, and click on Stop in the context menu. After the service has stopped, click on Start in the context menu.

7. The final step is to test the Web publishing rule from an external client. Before doing so, make sure that the Web Proxy service has restarted. Then, from an external client, open Internet Explorer, type in the external FQDN that you used in the destination set (make sure that this name resolves to the IP address used by the Incoming Web Requests listener), and press Enter. If you have configured the SharePoint extranet site to support basic authentication, you will be prompted to enter authentication credentials.
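Both tests in this chapter, the one from an internal client after the IIS authentication change and the one from an external client through the ISA Server 2000 firewall, come down to the same observation: the first response must be a 401 that offers Basic and nothing else. The Python probe below is an added example, not code from the original guide or from IIS or ISA Server. It classifies the WWW-Authenticate challenge, builds the Authorization header a browser sends after the credential prompt (the default-domain test, with no DOMAIN\ prefix), and can be pointed at a live host with probe(). The three sample responses are constructed to resemble IIS 6.0 replies rather than captured, and the host name sharepoint.example.com is an assumption.

```python
"""Check which authentication methods a published site actually offers.

Added illustration only. The sample responses below are constructed to look
like IIS 6.0 replies; they are not captured from a real server.
"""
import base64
import http.client
from typing import List, Tuple


def parse_challenge(raw_response: str) -> Tuple[int, List[str]]:
    """Return (status code, schemes named in WWW-Authenticate headers) of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])   # 'Basic realm="x"' -> 'Basic'
    return status, schemes


def assess(status: int, schemes: List[str]) -> str:
    """Map a challenge to the situations the guide describes."""
    offered = {s.lower() for s in schemes}
    if status != 401:
        return "no-challenge"          # anonymous access, or the client is already authenticated
    if offered == {"basic"}:
        return "basic-only"            # the intended configuration
    if "basic" in offered:
        return "mixed"                 # Basic plus Integrated: the behaviour the Note warns about
    if offered & {"negotiate", "ntlm"}:
        return "integrated-only"       # the Integrated Windows Authentication box was never cleared
    return "other"


def basic_authorization(user: str, password: str) -> str:
    """Header value a browser sends after the prompt: Base64 only, which is why HTTPS is needed."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def probe(host: str, path: str = "/", port: int = 80, timeout: float = 10.0) -> str:
    """Live check against a real listener (needs network access; not used by the offline samples)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        schemes = [v.split(" ", 1)[0] for v in resp.msg.get_all("WWW-Authenticate", [])]
        return assess(resp.status, schemes)
    finally:
        conn.close()


# Constructed sample responses (not captured traffic).
RESPONSE_BASIC_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
                       "Server: Microsoft-IIS/6.0\r\n"
                       'WWW-Authenticate: Basic realm="sharepoint.example.com"\r\n'
                       "Content-Length: 0\r\n\r\n")
RESPONSE_MIXED = ("HTTP/1.1 401 Unauthorized\r\n"
                  "Server: Microsoft-IIS/6.0\r\n"
                  "WWW-Authenticate: Negotiate\r\n"
                  "WWW-Authenticate: NTLM\r\n"
                  'WWW-Authenticate: Basic realm="sharepoint.example.com"\r\n'
                  "Content-Length: 0\r\n\r\n")
RESPONSE_INTEGRATED = ("HTTP/1.1 401 Unauthorized\r\n"
                       "WWW-Authenticate: Negotiate\r\n"
                       "WWW-Authenticate: NTLM\r\n"
                       "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("basic", RESPONSE_BASIC_ONLY), ("mixed", RESPONSE_MIXED),
                       ("integrated", RESPONSE_INTEGRATED)]:
        print(label, "->", assess(*parse_challenge(raw)))
    # Default-domain test from the guide: the user name is sent without the DOMAIN\ prefix.
    print(basic_authorization("UserName", "P@ssw0rd"))
```

From the internal client, point probe() at the name of the virtual Web site; from outside, at the external FQDN used in the Destination Set, so the request passes the listener and the Web Publishing Rule. A result of "mixed" means the Integrated Windows Authentication box was left selected alongside Basic; "no-challenge" through the firewall usually means the request never reached the site (compare the Troubleshooting Tips below) or the listener is answering for something else.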

Troubleshooting Tips for Web Publishing Rules

If you receive an error when you try to access the SharePoint site using the Web publishing rule, double-check the destination set to make sure that it uses the FQDN that external clients will use. Make sure that this name is resolvable to the external IP address of the ISA Server 2000 firewall. Make sure that the action of the Web publishing rule forwards the request to the appropriate IP address of the internal Web site (if using a name for this setting, make sure the ISA Server 2000 firewall can resolve the name to the internal IP address).

    You should double check the incoming listener settings. For example, if you have configured the listener to Ask


To configure a simple Protocol Rule to enable outbound access (the rule created here allows all IP traffic from any internal client, which is convenient for the demonstration; in production it should be narrowed to the protocols and clients that actually need outbound access),

1. Open the ISA Management MMC console, expand the Access Policy node, right-click on the Protocol Rules object, and select New | Rule from the context menu.

    Figure 28 Creating a Protocol Rule

2. In the Welcome to the New Protocol Rule Wizard page that subsequently appears, enter a descriptive name, such as All Outbound Access, in the Protocol rule name text box, and click Next.

3. In the subsequent Rule Action page, select the Allow radio button for the Response to client requests to use protocol setting, and click Next.

4. In the Protocols page, select All IP traffic in the Apply this rule to drop-down list, and click Next.

5. On the Schedule page, select Always from the Use this schedule drop-down list, and click Next.

6. In the Client Type page, select the radio button for Any request for the Apply the rule for requests from setting, and click Next.


    7. On the Completing the New Protocol Rule Wizard page, click Finish.

    Figure 29 Completing the New Protocol Rule Wizard

Summary

Web Publishing Rules in ISA Server 2000 can provide highly secure and available access to a SharePoint extranet site. The security of Web Publishing Rules can be further enhanced by leveraging the built-in security features of IIS 6.0 on Windows Server 2003 and SharePoint Portal Server 2003. This document showed you how to create a secure solution for a SharePoint extranet Web site by extending the SharePoint site into a new virtual Web site that uses an application pool to isolate the worker processes in IIS 6.0, configuring the Web site to use a different authentication method, and configuring ISA Server to publish the Web site using a Web Publishing Rule.
