Module 7: Configuring Access to Internal Resources

Page 1: Module 7: Configuring Access to Internal Resources

Module 7: Configuring Access to Internal Resources

Page 2: Module 7: Configuring Access to Internal Resources

Overview

Introduction to Publishing

Configuring Web Publishing

Configuring Server Publishing

Adding an H.323 Gatekeeper

Page 3: Module 7: Configuring Access to Internal Resources

Introduction to Publishing

Publishing Overview

Publishing Servers on a Perimeter Network

Guidelines for Using Publishing and Routing

Publishing Rules Overview

Page 4: Module 7: Configuring Access to Internal Resources

Publishing Overview

[Diagram labels: Internet; www.nwtraders.msft; External Adapter; Internal Adapter; Web Server; Internal Network; addresses 131.107.3.1 and 192.168.9.1]

Page 5: Module 7: Configuring Access to Internal Resources

Publishing Servers on a Back-to-Back Perimeter Network

[Diagram labels: Internet; ISA Server (two computers); Perimeter Network; Internal Network; Web Server; SQL Server; LAT: Internal Network; LAT: Perimeter Network]

Page 6: Module 7: Configuring Access to Internal Resources

Guidelines for Using Publishing and Routing

If your network | Then use
Does not have a perimeter network | Server publishing
Has a back-to-back perimeter network configuration | Server publishing on both ISA Server computers
Has a three-homed perimeter network configuration | Routing and packet filtering between the Internet and perimeter network; server publishing between the internal and perimeter networks

Page 7: Module 7: Configuring Access to Internal Resources

Publishing Rules Overview

Web Publishing Rules

Server Publishing Rules

Publishing a server

Publishing a mail server

Rules Available for Each Mode

Page 8: Module 7: Configuring Access to Internal Resources

Configuring Web Publishing

Publishing a Web Server

Configuring Listeners for Incoming Web Requests

Redirecting Requests to Other Ports

Establishing Secure Communication

Configuring SSL Bridging

Requiring a Secure Channel

Page 9: Module 7: Configuring Access to Internal Resources

Publishing a Web Server

[Diagram labels: Internet; ISA Server; Internal Network; public paths www.nwtraders.msft/africa and www.nwtraders.msft/europe; internal servers africa.internal.nwtraders.msft (Africa) and europe.internal.nwtraders.msft (Europe)]

Page 10: Module 7: Configuring Access to Internal Resources

Configuring Listeners for Incoming Web Requests

[Screenshot text: LONDON Properties dialog]

Tabs: General, Outgoing Web Requests, Incoming Web Requests, Security, Performance, Auto Discovery

Identification:
Use the same listener configuration for all internal IP addresses.
Configure listeners individually per IP address

Listener list columns: Server, IP Address, Display N…, Authentic…, Server C…
Listener entry: PHOENIX, <All internal, Integrated
Buttons: Add…, Remove, Edit…

Enable SSL listeners
TCP port: 80
SSL port: 443

Connections
Connection settings: Configure…
Ask unauthenticated users for identification

Buttons: OK, Cancel, Apply

[Screenshot text: Add/Edit Listeners dialog]

Server: LONDON
IP Address: 131.107.3.1
Display Name: PartnerWeb
Use a server certificate to authenticate to web clients (Select…)

Authentication:
Basic with this domain: (Select domain…)
Digest with this domain: (Select domain…)
Integrated
Client certificate (secure channel only)

Buttons: OK, Cancel

Page 11: Module 7: Configuring Access to Internal Resources

Redirecting Requests to Other Ports

[Screenshot text: PartnerWeb Properties dialog]

Tabs: General, Destinations, Action, Bridging, Applies To

Use this page to specify whether the request should be discarded or redirected, and configure the hosted site to which this rule redirects.

Discard the request.
Redirect the request to this internal Web server (name or IP address): London (Browse…)
Send the original host header to the publishing server instead of the actual one (specified above).

Connect to this port when bridging request as HTTP: 80
Connect to this port when bridging request as SSL: 443
Connect to this port when bridging request as FTP: 21

Buttons: OK, Cancel, Apply

Callouts:
Type the IP address or DNS name of the published server.
Define ports this rule redirects to

Page 12: Module 7: Configuring Access to Internal Resources

Establishing Secure Communication

[Screenshot text: Select Certificate dialog]

Select a certificate from the list of certificates available on the specified server:

Certificates:
Issued To | Issued By | Expiration Date | Friendly Name
vancouver.nam… | Northwind Tra… | 10/12/2002 | Partner Web…
vancouver.nam… | Northwind Tra… | 10/12/2002 | Public Web Site

Buttons: OK, Cancel

[Screenshot text: Add/Edit Listeners dialog]

Server: LONDON
IP Address: 131.107.3.1
Display Name: Partner Web
Use a server certificate to authenticate to web clients (Select…)

Authentication:
Basic with this domain: (Select domain…)
Digest with this domain: (Select domain…)
Integrated
Client certificate (secure channel only)

Buttons: OK, Cancel

Page 13: Module 7: Configuring Access to Internal Resources

Configuring SSL Bridging

[Screenshot text: PartnerWeb Properties dialog]

Tabs: General, Destinations, Action, Bridging, Applies To

Redirect HTTP requests as:
HTTP requests
SSL requests (establish a secure channel to the site)
FTP requests

Redirect SSL requests as:
HTTP requests (terminate the secure channel at the proxy)
SSL requests (establish a secure channel to the site)
FTP requests

Require secure channel (SSL) for published site
Require 128-bit encryption
Use a certificate to authenticate to the SSL Web server (Select…)

Buttons: OK, Cancel, Apply

Callouts:
Select to authenticate the ISA Server by using a certificate.
Select to redirect SSL requests as HTTP requests.

Page 14: Module 7: Configuring Access to Internal Resources

Requiring a Secure Channel

[Screenshot text: PartnerWeb Properties dialog]

Tabs: General, Destinations, Action, Bridging, Applies To

Redirect HTTP requests as:
HTTP requests
SSL requests (establish a secure channel to the site)
FTP requests

Redirect SSL requests as:
HTTP requests (terminate the secure channel at the proxy)
SSL requests (establish a secure channel to the site)
FTP requests

Require secure channel (SSL) for published site
Require 128-bit encryption
Use a certificate to authenticate to the SSL Web server (Select…)

Buttons: OK, Cancel

Callouts:
Select for a higher level of security.
Select to require a secure channel for Web requests.

Page 15: Module 7: Configuring Access to Internal Resources

Configuring Server Publishing

Publishing a Server

Publishing a Mail Server

Configuring the Message Screener

Page 16: Module 7: Configuring Access to Internal Resources

Publishing a Server

[Flowchart of the wizard steps]

Start
Name the Rule
Specify Address Mapping
Select a Protocol Setting
Select a Client Type
Finish

Page 17: Module 7: Configuring Access to Internal Resources

Publishing a Mail Server

[Screenshot text: Mail Server Security Wizard]

Mail Services Selection
Select the mail services that you would like to publish to your external users

Publish these mail services (columns: Default Authentication, SSL Authentication):
Incoming SMTP
Apply content filtering
Outgoing SMTP
Incoming Microsoft Exchange/Outlook
Incoming POP3
Incoming IMAP4
Incoming NNTP

Buttons: < Back, Next >, Cancel

Callout: Select to apply content filtering to incoming SMTP traffic.

Page 18: Module 7: Configuring Access to Internal Resources

Configuring the Message Screener

Running the Message Screener on the ISA Server Computer

Running the Message Screener on a Separate Computer

Page 19: Module 7: Configuring Access to Internal Resources

Adding an H.323 Gatekeeper

H.323 Overview

How the H.323 Gatekeeper Works

Adding and Configuring an H.323 Gatekeeper

Page 20: Module 7: Configuring Access to Internal Resources

H.323 Overview

[Diagram labels: Internet; H.323 Gateway (two); Client (two)]

The H.323 standard defines:

How connections are established

How two devices initiate communications with each other

How data is transmitted over a network

How audio and video codec components encode and decode input/output

Page 21: Module 7: Configuring Access to Internal Resources

How the H.323 Gatekeeper Works

[Diagram labels: DNS; Origination Endpoint; Destination Endpoint; Internet; DNS entries SRV_Q931_tcp.contoso.msft (24.0.0.10) and SRV_Q931_tcp.nwtraders.msft (136.0.0.1); Gatekeeper 24.0.0.10; ISA H.323 Gateway 136.0.0.1; 192.168.0.10; endpoint e-mail addresses shown as [email protected]]

[Numbered steps 1 to 4 are marked on the diagram; the surviving captions are "NetMeeting queries DNS to find Gatekeeper" and "Returns IP address to John's computer"]

Page 22: Module 7: Configuring Access to Internal Resources

Adding and Configuring an H.323 Gatekeeper

[Screenshot text: ISA Management console]

Menus: Action, View

Console tree: celeration Server; Monitoring; Server; Access Policy; Publishing; Bandwidth Rules; Policy Elements; Cache Configuration; Monitoring Configuration; Extensions; Application Filters; Web Filters; Network Configuration; Client Configuration; H323 Gatekeepers

Details pane columns: Gatekeeper, Status, Description
Entry: LONDON, Normal

Shortcut menu: Add gatekeeper…, View, Help

[Screenshot text: Add Gatekeeper dialog]

Select a computer running H.323 Gatekeeper that you want to add

Gatekeeper computer:
This computer
Another computer

Buttons: OK, Cancel

Page 23: Module 7: Configuring Access to Internal Resources

Lab A: Configuring Access to Internal Resources

Page 24: Module 7: Configuring Access to Internal Resources

Review

Introduction to Publishing

Configuring Web Publishing

Configuring Server Publishing

Adding an H.323 Gatekeeper