Module 7: Configuring Access to Internal Resources
Overview
Introduction to Publishing
Configuring Web Publishing
Configuring Server Publishing
Adding an H.323 Gatekeeper
Microsoft® Internet Security and Acceleration (ISA) Server 2000 enables you to publish services to the Internet without compromising the security of your internal network. You can use ISA Server to publish internal servers to make Web content and services available to external clients. You publish servers by configuring server publishing rules to redirect requests from external clients to a server on your internal network. By publishing servers and routing requests from Internet clients to an ISA Server computer, you provide an increased layer of security for your internal servers. You can also use ISA Server to route incoming multimedia conferencing sessions by adding an H.323 Gatekeeper.
After completing this module, you will be able to:
Explain the concepts associated with server publishing.
Configure Web publishing.
Configure server publishing.
Add an H.323 Gatekeeper.
Introduction to Publishing
Topics: Publishing Overview; Publishing Servers on a Perimeter Network; Guidelines for Using Publishing and Routing; Publishing Rules Overview.
Publishing servers enables you to provide access to selected resources in a secure manner. To publish a server, you must create a publishing policy. Publishing policies define rules for controlling how ISA Server processes incoming requests. You can create publishing policies for Web servers, mail servers, and other types of servers.
Publishing Overview
[Figure: external clients on the Internet connect to the external adapter of the ISA Server computer; the internal adapter forwards requests to the Web server on the internal network.]
Publishing a server makes the server on an internal network available to users that gain access to the network through the Internet. You use Web publishing to publish a Web server and server publishing to publish any other type of server that uses Transmission Control Protocol/Internet Protocol (TCP/IP). When you publish a Web server or other server, users connect to the external network adapter of the ISA Server computer. The ISA Server computer uses the internal network adapter to forward the request to the published server on the internal network. Depending on how you configure the local address table (LAT) on the ISA Server computer, an internal server can be on a perimeter network or on a corporate network.
Publishing Web Servers You can publish a Web server to allow external users on the Internet to communicate with an internal Web server or a Web server on the perimeter network through an ISA Server computer. When an external user requests an object from the Web server, they actually receive the object from the ISA Server computer. The ISA Server computer ensures that external users do not reach the internal network directly. In addition, the Internet Protocol (IP) address of the Web server is not exposed to external users. Instead, external users communicate with the Web server by specifying an external IP address of the ISA Server computer. The ISA Server computer then re-issues the request through its internal network interface. When the ISA Server computer receives a reply from the internal Web server, it then changes the packet header and sends the reply to the external user from the ISA Server computer's external network interface. Because this process is similar to the process that ISA Server uses to process requests from internal clients, Web publishing is sometimes referred to as reverse proxy. Web server publishing supports the Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol-Secure (HTTP-S), and File Transfer Protocol (FTP) protocols.
Important: For Web server publishing to work properly, external clients must be able to resolve the name of a published server to the external IP address on the ISA Server computer. For example, if the external IP address of the ISA Server computer is and the Domain Name System (DNS) name of the published server is the DNS on the Internet must resolve the DNS name to
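The name-resolution requirement above is easy to verify before a deployment goes live. The following script is an added example, not code from Course 2159A or from ISA Server: it resolves each published name, compares the answer with the external address you expect on the ISA Server computer, and flags a name that resolves to an address inside the LAT (which would hand external clients the published server's own internal address instead of the ISA Server address). The LAT range, the host names, the addresses and the fake_resolve lookup table are constructed for the example; a real run would call it with the default socket resolver.

```python
"""Check that published DNS names resolve to the ISA Server external address.

Added example, not part of Course 2159A or of ISA Server. The resolver is
injectable so the check can be exercised offline against a constructed table.
"""
import ipaddress
import socket

# Constructed LAT for the example: the internal address range of the ISA Server computer.
LAT = [ipaddress.ip_network("10.0.0.0/8")]


def check_published_name(name, expected_external_ip, lat=LAT, resolve=socket.gethostbyname):
    """Return a (status, detail) pair for one published name.

    status is one of: "ok", "wrong-address", "resolves-to-internal-address",
    "unresolvable". detail is the address DNS returned or the resolver error.
    """
    try:
        actual = resolve(name)
    except OSError as exc:          # socket.gaierror is a subclass of OSError
        return ("unresolvable", str(exc))
    addr = ipaddress.ip_address(actual)
    if any(addr in net for net in lat):
        # External clients were given a LAT address: they cannot reach it and
        # the internal addressing has been exposed.
        return ("resolves-to-internal-address", actual)
    if actual != expected_external_ip:
        return ("wrong-address", actual)
    return ("ok", actual)


def check_all(expected, lat=LAT, resolve=socket.gethostbyname):
    """expected maps each published name to the ISA Server external address it should resolve to."""
    return {name: check_published_name(name, ip, lat, resolve) for name, ip in expected.items()}


# Constructed stand-in for public DNS so the example runs without network access.
FAKE_DNS = {
    "www.nwtraders.msft": "192.0.2.10",      # correct: the ISA Server external address
    "partner.nwtraders.msft": "10.1.1.5",    # misconfigured: a LAT address leaked into public DNS
}


def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror("constructed: name not found")
    return FAKE_DNS[name]


if __name__ == "__main__":
    expected = {
        "www.nwtraders.msft": "192.0.2.10",
        "partner.nwtraders.msft": "192.0.2.10",
        "mail.nwtraders.msft": "192.0.2.10",
    }
    for name, result in check_all(expected, resolve=fake_resolve).items():
        print(f"{name}: {result[0]} ({result[1]})")
```

Run it with the default resolver (omit the resolve argument) from a host outside the network, because a host inside may be served by a split internal DNS and give a misleading answer.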
Because ISA Server uses the Microsoft Web Proxy service when publishing a Web server, ISA Server can cache Web objects for clients on the Internet. Caching in this manner is called reverse caching. Reverse caching improves the performance for external clients because ISA Server can retrieve Web objects from its cache instead of from the Web server on the internal network or the perimeter network. Note: For more information about Web caching and configuring caching, see Module 4, "Configuring Caching," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Publishing Other Servers You can also publish a server that is not a Web server. You can publish any type of server that uses TCP/IP. For example, you can make an internal mail server available to external clients by publishing it. Unlike Web publishing, server publishing does not provide for reverse caching. In addition, by publishing a server, external users are not able to see the structure of the internal network. Because IP addresses on the internal network are not visible to external users, publishing a server by using ISA Server is also referred to as secure publishing.
Publishing Servers on a Back-to-Back Perimeter Network
[Figure: the Internet connects to an ISA Server computer whose LAT covers the perimeter network (Web server); a second ISA Server computer, whose LAT covers the internal network (SQL Server), separates the perimeter network from the internal network.]
If your network has a back-to-back perimeter network configuration, you can use ISA Server to publish servers that are on your perimeter network to the Internet. You can also publish internal servers to the perimeter network. Using a back-to-back perimeter network configuration enables you to control the traffic that enters the perimeter network separately from the traffic that enters the internal network. By controlling this traffic separately, you do not have any direct connections from the Internet to your internal network.
To publish servers on a perimeter network:
1. On the ISA Server computer that is connected to the Internet, ensure that the LAT contains the IP addresses of the computers on the perimeter network and the IP address of the ISA Server computer that is connected to the internal network.
2. Create publishing rules on the ISA Server computer that is connected to the Internet to make selected servers on the perimeter network, such as a mail server or a published Web server, available to external clients.
3. Include the IP addresses of the computers on only the internal network in the LAT of the ISA Server computer that is connected to the internal network.
4. Create publishing rules on the ISA Server computer that is connected to the internal network to make servers on the internal network available to selected servers on the perimeter network. For example, create a publishing rule to make a Microsoft SQL Server™ database that contains inventory data available to a published Web server on your perimeter network.
Note: For more information about the LAT, see Module 2, "Installing and Maintaining ISA Server," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000. For more information about perimeter networks, see Module 6, "Configuring the Firewall," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Guidelines for Using Publishing and Routing
Publishing servers can achieve results similar to configuring ISA Server to perform routing and packet filtering. However, unlike routing, which routes Web requests directly to a server, ISA Server intercepts all of the requests of a published server. You always use routing to send IP packets between two IP addresses that ISA Server treats as internal or between two IP addresses that ISA Server treats as external. You use publishing to enable ISA Server to send packets between an external network and an internal network.
Use the following guidelines to determine when to use server publishing and when to use routing and packet filtering.
If your network does not have a perimeter network, use server publishing.
If your network has a back-to-back perimeter network configuration, use server publishing on both ISA Server computers.
If your network has a three-homed perimeter network configuration, use routing and packet filtering between the Internet and the perimeter network, and server publishing between the internal network and the perimeter network.
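Because the LAT decides whether ISA Server treats an address as internal or external, and therefore whether traffic between two addresses is routed or needs a publishing rule, the LATs of the two ISA Server computers in a back-to-back design are worth checking against the procedure above. The following script is an added example, not code from Course 2159A or from ISA Server: it encodes the three LAT requirements given for the back-to-back configuration (the outer LAT contains the perimeter network and the inner ISA Server address; the inner LAT contains only internal addresses) and the routing-versus-publishing guideline (same side of the LAT is routed, across it needs a publishing rule). All address ranges are constructed for the example.

```python
"""LAT consistency check for a back-to-back perimeter network.

Added example, not part of Course 2159A or of ISA Server. LAT entries and
network lists are given as CIDR strings or single addresses.
"""
import ipaddress


def parse_lat(entries):
    """Turn LAT entries ("10.0.0.0/8", "172.16.1.2", ...) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_lat(lat_entries, address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in parse_lat(lat_entries))


def traffic_mode(lat_entries, src, dst):
    """Guideline from the text: both addresses on the same side of the LAT are routed;
    one internal and one external address requires a publishing rule."""
    return "route" if in_lat(lat_entries, src) == in_lat(lat_entries, dst) else "publish"


def validate_back_to_back(outer_lat, inner_lat, perimeter_nets, inner_isa_external_ip, internal_nets):
    """Return a list of findings; an empty list means the LATs match the design."""
    outer, inner = parse_lat(outer_lat), parse_lat(inner_lat)
    perimeter, internal = parse_lat(perimeter_nets), parse_lat(internal_nets)
    findings = []
    # Outer ISA Server (connected to the Internet): perimeter hosts and the inner ISA Server are internal.
    for net in perimeter:
        if not any(net.subnet_of(o) for o in outer):
            findings.append(f"outer LAT is missing perimeter network {net}")
    if not in_lat(outer_lat, inner_isa_external_ip):
        findings.append(f"outer LAT is missing the inner ISA Server address {inner_isa_external_ip}")
    # Inner ISA Server (connected to the internal network): only internal addresses are internal.
    for net in internal:
        if not any(net.subnet_of(i) for i in inner):
            findings.append(f"inner LAT is missing internal network {net}")
    for net in perimeter:
        if any(net.overlaps(i) for i in inner):
            # A perimeter host listed here would be treated as internal by the inner
            # ISA Server and reached by routing instead of through a publishing rule.
            findings.append(f"inner LAT must not contain perimeter network {net}")
    return findings


# Constructed layout for the example.
PERIMETER_NETS = ["172.16.1.0/24"]
INTERNAL_NETS = ["10.0.0.0/8"]
INNER_ISA_EXTERNAL_IP = "172.16.1.2"
GOOD_OUTER_LAT = ["172.16.1.0/24"]
GOOD_INNER_LAT = ["10.0.0.0/8"]
BAD_INNER_LAT = ["10.0.0.0/8", "172.16.1.0/24"]   # perimeter addresses wrongly included

if __name__ == "__main__":
    print(validate_back_to_back(GOOD_OUTER_LAT, GOOD_INNER_LAT, PERIMETER_NETS,
                                INNER_ISA_EXTERNAL_IP, INTERNAL_NETS))
    print(validate_back_to_back(GOOD_OUTER_LAT, BAD_INNER_LAT, PERIMETER_NETS,
                                INNER_ISA_EXTERNAL_IP, INTERNAL_NETS))
    # Internet client -> perimeter Web server crosses the outer LAT: publishing rule on the outer ISA Server.
    print(traffic_mode(GOOD_OUTER_LAT, "203.0.113.5", "172.16.1.10"))
    # Perimeter Web server -> internal SQL Server crosses the inner LAT: publishing rule on the inner ISA Server.
    print(traffic_mode(GOOD_INNER_LAT, "172.16.1.10", "10.0.0.20"))
```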
Publishing Rules Overview
Topics: Web Publishing Rules; Server Publishing Rules (publishing a server, publishing a mail server); Rules Available for Each Mode.
To publish servers, you must configure a publishing policy. Publishing policies can consist of Web publishing rules and server publishing rules.
Web Publishing Rules Web publishing rules determine how ISA Server should redirect incoming requests for an internal Web server that use the HTTP, HTTP-S, or FTP protocols. When using Web publishing rules, you can also specify which port the ISA Server computer uses to connect to the Web server. This port can be different from the port that the client uses to connect to the ISA Server computer.
Server Publishing Rules Server publishing rules determine how ISA Server should process incoming requests for internal servers that use protocols other than the HTTP, HTTP-S, or FTP, such as protocols used by database servers or mail servers.
Publishing a Server When you publish a server, ISA Server forwards requests to an internal server located behind the ISA Server computer. As with Web publishing rules, server publishing rules determine which requests the ISA Server computer forwards and which requests it discards. Unlike Web publishing rules, server publishing rules do not allow you to change the port that the ISA Server computer uses to connect to the published server.
Publishing a Mail Server ISA Server includes the Mail Server Security Wizard that you can use to publish a mail server. When you complete the Mail Server Security Wizard, ISA Server creates rules that allow incoming or outgoing mail traffic that uses one or more of the most common mail protocols. When using the Mail Server Security Wizard, it is not necessary to know the details of each mail protocol. ISA Server creates the required rules based on the service that you select in the wizard. Publishing a server also enables you to apply rules to enforce strict policies on the incoming traffic. For example, you can specify a publishing rule that allows traffic from only a mail server in the perimeter network to be forwarded to your internal mail server.
Rules Available for Each Mode
The following table lists the publishing policy rules that are available for each ISA Server installation mode.
Rule type                 Firewall   Cache   Integrated
Web publishing rules      No         Yes     Yes
Server publishing rules   Yes        No      Yes
Configuring Web Publishing
Topics: Publishing a Web Server; Configuring Listeners for Incoming Web Requests; Redirecting Requests to Other Ports; Establishing Secure Communication; Configuring SSL Bridging; Requiring a Secure Channel.
In addition to enabling secure access to the Internet for internal clients, ISA Server can provide secure access to internal servers for external clients. To make internal servers available to external clients, you create a publishing policy to securely publish your internal servers. The publishing policy consists of Web publishing rules or server publishing rules that determine how the internal servers are published. In addition, you can require authentication for your network and specify Secure Sockets Layer (SSL) encryption when redirecting incoming requests to ensure secure communication.
Publishing a Web Server
[Figure: requests from the Internet reach the ISA Server computer, which redirects them to the internal Web servers europe.internal.nwtraders.msft (Europe) and africa.internal.nwtraders.msft (Africa) on the internal network.]
You can publish Web servers to make internal Web sites accessible to users on the Internet. To publish a Web server, you must first create a Web publishing rule. By creating a Web publishing rule, you configure the ISA Server computer to redirect incoming requests to a Web server on the internal network.
Using Destination Sets Unlike the destination sets that you configure for access policies, destination sets for publishing rules specify computers in your internal network that external clients connect to, such as the name or the IP address of your ISA Server computer. You can create a specified destination set to use in Web publishing rules for redirecting requests for sections of a Web site to different internal servers. For example, you can create a destination set for You would use this destination set in a Web publishing rule to redirect requests for this section of the Web site to an internal server named europe.internal.nwtraders.msft. You can then create another destination set for You would use this destination set in a Web publishing rule to redirect requests for this section of the Web site to an internal server named africa.internal.nwtraders.msft.
When using a destination set that contains a path after the computer name, the Web server must contain the same path. For example, if a client requests the internal server africa.internal.nwtraders.msft must contain the path and file /africa/default.htm. Note: For more information about how to configure destination sets, see Module 3, "Enabling Secure Internet Access," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Creating a New Web Publishing Rule
To create a new Web publishing rule:
1. In ISA Management, in the console tree, expand your server or array, expand Publishing, click Web Publishing Rules, and then in the details pane, click Create a Web Publishing Rule.
2. In the New Web Publishing Rule Wizard, type a name for the rule, and then click Next.
3. On the Destination Sets page, specify a destination set and the associated information, and then click Next.
4. On the Client Type page, specify a client type, and then click Next.
Note: Unlike the rules that you configure for access policies, client sets for publishing rules typically specify locations outside the internal network, such as the IP addresses for a business partner. For more information about how to configure client sets, see Module 3, "Enabling Secure Internet Access," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
5. On the Rule Action page, click Discard the request to ignore requests that match the rule conditions, or click Redirect the request to this internal Web server, type the name of the published Web server, and then click Next.
Note: If your internal Web server hosts multiple Web sites, you may have to configure how ISA Server handles host headers. For more information about how to configure ISA Server for advanced Web publishing scenarios, see the \support\docs\ copublish.htm file on the ISA Server compact disc.
6. On the Completing the New Web Publishing Rule Wizard page, review your choices, and then click Finish.
Changing the Rule Order ISA Server processes Web publishing rules in the order in which they are listed in the Web Publishing Rules folder and processes the first rule that applies to a request. After a match occurs, no further processing is done for that request. To change the rule order, click a rule, and then on the toolbar, click the Move Up button or the Move Down button. ISA Server always contains the default rule, which discards all incoming requests. Because ISA Server always processes the default rule last, ISA Server applies this rule to all incoming requests that are not covered by another Web publishing rule. You cannot modify, delete, or change the order of the default rule.
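The interaction between destination sets with paths, rule order, and the default rule is simple to model. The following Python script is an added example, not code from Course 2159A or from ISA Server: it evaluates a request against an ordered list of Web publishing rules exactly as the text describes (first match wins, the default rule discards whatever is left, and the client's path is kept when the request is re-issued to the internal server). The external host name www.nwtraders.msft, the paths, the rule names and the internal server www.internal.nwtraders.msft are constructed for the example; europe.internal.nwtraders.msft and africa.internal.nwtraders.msft are the internal servers named in the text.

```python
"""Model of ISA Server 2000 Web publishing rule evaluation.

Added example, not part of Course 2159A or of ISA Server. Rules are checked
in list order; the first matching rule decides; a fixed default rule at the
end discards every request that no other rule covered.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class DestinationSet:
    """An external host name plus an optional path prefix ("/" matches the whole site)."""
    host: str
    path_prefix: str = "/"

    def matches(self, host: str, path: str) -> bool:
        return host.lower() == self.host.lower() and path.startswith(self.path_prefix)


@dataclass
class WebPublishingRule:
    name: str
    destinations: list          # list of DestinationSet
    action: str                 # "redirect" or "discard"
    internal_server: str = ""   # used only when action == "redirect"

    def applies_to(self, host: str, path: str) -> bool:
        return any(d.matches(host, path) for d in self.destinations)


DEFAULT_RULE_NAME = "Default rule"   # built in, always processed last, cannot be edited


def evaluate(rules, request_url):
    """Return ("discard", rule name) or ("redirect", URL that ISA Server re-issues internally)."""
    parts = urlsplit(request_url)
    host, path = parts.hostname or "", parts.path or "/"
    for rule in rules:                       # list order is processing order
        if rule.applies_to(host, path):
            if rule.action == "discard":
                return ("discard", rule.name)
            # The client's path is kept, which is why the internal server must host the same path.
            return ("redirect", f"http://{rule.internal_server}{path}")
    return ("discard", DEFAULT_RULE_NAME)    # nothing matched


def move_to_top(rules, name):
    """Like clicking Move Up until the named rule is first; returns a new ordered list."""
    chosen = [r for r in rules if r.name == name]
    return chosen + [r for r in rules if r.name != name]


# Constructed rule set: two path-specific rules, a discard rule, then a catch-all for the site.
RULES = [
    WebPublishingRule("Europe site", [DestinationSet("www.nwtraders.msft", "/europe/")],
                      "redirect", "europe.internal.nwtraders.msft"),
    WebPublishingRule("Africa site", [DestinationSet("www.nwtraders.msft", "/africa/")],
                      "redirect", "africa.internal.nwtraders.msft"),
    WebPublishingRule("Retired path", [DestinationSet("www.nwtraders.msft", "/old/")],
                      "discard"),
    WebPublishingRule("Whole site", [DestinationSet("www.nwtraders.msft", "/")],
                      "redirect", "www.internal.nwtraders.msft"),
]

if __name__ == "__main__":
    for url in ("http://www.nwtraders.msft/europe/default.htm",
                "http://www.nwtraders.msft/old/index.htm",
                "http://www.nwtraders.msft/products/list.htm",
                "http://other.example.test/"):
        print(url, "->", evaluate(RULES, url))
    # Moving the catch-all rule to the top hides the more specific rules beneath it.
    print(evaluate(move_to_top(RULES, "Whole site"), "http://www.nwtraders.msft/europe/default.htm"))
```

The last line illustrates why rule order matters: once the whole-site rule is first, the Europe and Africa rules are never reached, and a request for /europe/ goes to the wrong server even though its rule is still enabled.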
Configuring Listeners for Incoming Web Requests
[Screenshot: the Incoming Web Requests tab of the server Properties dialog box (Use the same listener configuration for all internal IP addresses; Configure listeners individually per IP address; Enable SSL listeners; TCP port 80; SSL port 443; Ask unauthenticated users for identification) and the Add/Edit Listeners dialog box (Server, IP Address, Display Name; Use a server certificate to authenticate to web clients; Authentication: Basic with this domain, Digest with this domain, Integrated, Client certificate (secure channel only)).]
Before ISA Server responds to HTTP requests and SSL connection requests on the external interface of an ISA Server computer, you must configure at least one listener that determines how ISA Server responds to these requests. A listener is an ISA Server configuration that defines how the ISA Server computer listens for incoming or outgoing HTTP requests and SSL requests. Unless you configure listeners for incoming requests, ISA Server discards all of the incoming Web requests before applying Web server publishing rules. You can configure the same listener configuration for all IP addresses, or you can configure separate listener configurations for different IP addresses.
You can also require authentication for users that gain access to the ISA Server computer by using a listener. The authentication that you configure for the ISA Server computer is in addition to any authentication that the published Web server requires. ISA Server applies rules based on ISA Server authentication. These rules determine whether and how a request is passed on to the Web server. The authentication method that you configure for the Web server determines whether a user is allowed to gain access to content on the Web server. Note: The procedure for configuring authentication for incoming requests is analogous to the procedure for configuring authentication for outgoing requests. For more information about configuring authentication, see Module 3, "Enabling Secure Internet Access," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
To configure listeners:
1. In ISA Management, in the console tree, right-click your server or array, and then click Properties.
2. In the Properties dialog box for your server or array, on the Incoming Web Requests tab, do one of the following:
   To use the same configuration for all IP addresses, click Use the same listener configuration for all IP addresses, and then click Edit.
   To use individual listeners for each IP address, click Configure listeners individually per IP address, and then click Add.
3. In the Add/Edit Listeners dialog box, select an ISA Server computer, and then select the IP address of that computer.
4. In the Display Name box, type a display name for the listener.
Note: Perform the following step only if you use user or group restrictions in your Web publishing rules.
5. Under Authentication, select one or more of the check boxes for your designated authentication methods, and then click OK.
6. In the TCP port box, type the port number on which ISA Server will listen for Web requests. The default port is Transmission Control Protocol (TCP) port 80.
7. To require authentication for gaining access to ISA Server by using a listener, select the Ask unauthenticated users for identification check box, and then click OK.
Tip: Requiring authentication is impractical when you publish a Web server to make that Web server publicly available. Most often, a better option is to configure the appropriate authentication on the Web server. Use authentication only when publishing Web servers with limited availability, such as a Web server that is available to only selected business partners.
Redirecting Requests to Other Ports
[Screenshot: the Action tab of the Web publishing rule Properties dialog box: Discard the request; Redirect the request to this internal Web server (name or IP address); Send the original host header to the publishing server instead of the actual one (specified above); Connect to this port when bridging request as HTTP, as SSL (443), and as FTP (21).]
Web publishing rules specify which server should return a requested object to a client. By default, ISA Server redirects HTTP requests and SSL requests to the default ports for these services on an internal server. If an internal server uses a non-standard port for HTTP, SSL, or FTP requests, you can configure the Web publishing rule to redirect incoming Web requests to that port on the published server on your internal network. Note: Some Web servers use non-standard ports to allow a single computer to run multiple Web sites.
To redirect incoming Web requests to a published server:
1. In ISA Management, in the console tree, click Web Publishing Rules.
2. In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
3. In the Properties dialog box for the Web publishing rule, on the Action tab, click Redirect the request to this internal Web server (name or IP address), type the IP address or the DNS name, perform the following actions, and then click OK.
   In the Connect to this port when bridging requests as HTTP box, type the port number to use for HTTP requests. The default HTTP port is 80.
   In the Connect to this port when bridging requests as SSL box, type the port number to use for SSL requests. The default SSL port is 443.
   In the Connect to this port when bridging requests as FTP box, type the port number to use for FTP requests. The default FTP port is 21.
Establishing Secure Communication
[Screenshot: the Select Certificate dialog box, opened from the Add/Edit Listeners dialog box with Use a server certificate to authenticate to web clients selected, listing the certificates available on the specified server (Issued To, Issued By, Expiration Date, Friendly Name), for example a "Partner Web" certificate and a "Public Web Site" certificate issued by Northwind Traders.]
When you redirect incoming Web requests, you must ensure that all network traffic is secured appropriately. For example, when clients attempt to establish a secure session with a published Web Server, you must configure ISA Server to establish this secure connection across the Internet on behalf of the Web server. When ISA Server receives an SSL request from a client for an object on a published server, ISA Server establishes a separate SSL channel with the published server. This type of redirection is called SSL bridging. SSL bridging ensures that both parts of the connection, the session between the client and the ISA Server computer and the session between ISA Server and the internal Web server, are encrypted.
SSL Overview The SSL protocol enables secure data communication over networks by using encryption and decryption. Many Web sites use the SSL protocol to obtain confidential data from users, such as credit card information. Web pages that use an SSL connection begin with https instead of http. By default, Web servers receive SSL packets on TCP port 443.
SSL uses server certificates to encrypt traffic between the client and the server. Clients can also use a server's certificates to authenticate the identity of the server before sending confidential information. Note: For more information about Public Key Infrastructure (PKI), including how to use and install certificates in Microsoft Windows® 2000, see Module 14, "Designing a PKI for Business Partners," in Course 2150, Designing a Secure Microsoft Windows 2000 Network, and Module 5, "Configuring Network Security by Using Public Key Infrastructure," in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
Publishing Secure Web Sites When you publish a server that uses the SSL protocol to encrypt client requests to the server, clients connect to the ISA Server computer on port 443. To enable the ISA Server computer to respond to this request, you must configure the ISA Server computer to listen on port 443. You must also configure the ISA Server computer to use a server certificate to impersonate the published server.
To configure the ISA Server computer to listen for incoming SSL requests:
1. In ISA Management, in the console tree, right-click your server or array, and then click Properties.
2. In the Properties dialog box for the server or array, on the Incoming Web Requests tab, ensure that the Enable SSL listeners check box is selected and that the SSL port number matches the port number that external clients use to connect to the ISA Server computer. By default, this port is port 443.
3. Select the appropriate listener, and then click Edit.
4. In the Add/Edit Listeners dialog box, select the Use a server certificate to authenticate to web clients check box, and then click Select.
5. In the Select Certificate dialog box, select the certificate that was issued for the published Web site, and then click OK three times.
Important: Before you can select a certificate, the certificate must have been issued for the Web site, and you must have installed this certificate on the ISA Server computer by using the Certificates Microsoft Management Console (MMC) snap-in.
Configuring SSL Bridging
[Screenshot: the Bridging tab of the Web publishing rule Properties dialog box: Redirect HTTP requests as HTTP requests, SSL requests (establish a secure channel to the site), or FTP requests; Redirect SSL requests as HTTP requests (terminate the secure channel at the proxy), SSL requests (establish a secure channel to the site), or FTP requests; Require secure channel (SSL) for published site; Require 128-bit encryption; Use a certificate to authenticate to the SSL Web server.]
After the ISA Server computer has received a Web request, it provides one endpoint of the SSL connection. ISA Server then establishes a separate connection to the published Web server. By default, ISA Server uses SSL for this connection. Note: If you are not concerned about the security of the communications channel between ISA Server and the internal Web server, or if the internal Web server does not support SSL, you can change the communication protocol that ISA Server uses to connect to the Web server.
To configure SSL bridging:
1. In ISA Management, in the console tree, expand your server or array, and then click Web Publishing Rules.
2. In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
3. On the Bridging tab, under Redirect SSL requests as, select whether to redirect SSL requests as HTTP, SSL, or FTP requests.
4. If you redirect by using SSL and the published Web server is configured to require certificates for authenticating client requests, select the Use a certificate to authenticate to the SSL Web server check box, click Select, select the client certificate, and then click OK.
Requiring a Secure Channel
[Screenshot: the Bridging tab of the Web publishing rule Properties dialog box with Require secure channel (SSL) for published site selected, and Require 128-bit encryption available for a higher level of security.]
For increased security, you can configure ISA Server to require a secure SSL channel for all Web requests for the published Web server. When you select this option, the Web publishing rule allows only connections that clients make to the port that you configured for SSL connections and denies connection requests that clients make to the TCP port.
To require a secure channel:
1. In ISA Management, in the console tree, expand your server or array, and then click Web Publishing Rules.
2. In the details pane, click the applicable Web publishing rule, and then click Configure a Web Publishing Rule.
3. On the Bridging tab, select the Require secure channel (SSL) for published site check box.
4. For high security sites or to ensure a higher level of encryption, select the Require 128-bit encryption check box, and then click OK.
Important: 128-bit encryption requires you to install the Microsoft Windows 2000 High Encryption Pack on the ISA Server computer. You can download the Windows 2000 High Encryption Pack at
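The listener settings, the Bridging tab and the two "Require" check boxes together decide which of the two legs of a bridged connection are encrypted and which requests are refused. The following Python script is an added example, not code from Course 2159A or from ISA Server: it models the behaviour the preceding sections describe (SSL accepted only on the SSL listener port and only with a server certificate; the second leg to the published server as HTTP, SSL or FTP; Require secure channel refusing requests on the TCP port; Require 128-bit encryption refusing weaker client sessions). The port numbers are the defaults named in the text; the class and field names are constructed.

```python
"""Model of SSL bridging and the "require secure channel" option in an ISA
Server 2000 Web publishing rule.

Added example, not part of Course 2159A or of ISA Server. It returns, for a
client request, whether the request is accepted and how each leg is carried.
"""
from dataclasses import dataclass


@dataclass
class Listener:
    tcp_port: int = 80
    ssl_port: int = 443
    ssl_enabled: bool = True
    has_server_certificate: bool = True   # needed to impersonate the published site


@dataclass
class Bridging:
    redirect_http_as: str = "http"   # "http", "ssl" or "ftp"
    redirect_ssl_as: str = "ssl"     # "http" terminates the secure channel at the proxy
    http_port: int = 80
    ssl_port: int = 443
    ftp_port: int = 21
    require_secure_channel: bool = False
    require_128_bit: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str = ""
    backend_protocol: str = ""
    backend_port: int = 0
    client_leg_encrypted: bool = False   # client <-> ISA Server computer
    server_leg_encrypted: bool = False   # ISA Server computer <-> published server


def bridge(listener, cfg, scheme, port, cipher_bits=0):
    """Decide what ISA Server does with a client request of the given scheme and port."""
    if scheme == "https":
        if not listener.ssl_enabled or port != listener.ssl_port:
            return Decision(False, "no SSL listener on that port")
        if not listener.has_server_certificate:
            return Decision(False, "listener has no server certificate")
        if cfg.require_128_bit and cipher_bits < 128:
            return Decision(False, "128-bit encryption required")
        backend = cfg.redirect_ssl_as
    elif scheme == "http":
        if port != listener.tcp_port:
            return Decision(False, "no listener on that TCP port")
        if cfg.require_secure_channel:
            # Only connections to the SSL port are allowed for this site.
            return Decision(False, "secure channel (SSL) required for published site")
        backend = cfg.redirect_http_as
    else:
        return Decision(False, "unsupported scheme")

    ports = {"http": cfg.http_port, "ssl": cfg.ssl_port, "ftp": cfg.ftp_port}
    return Decision(True, "bridged", backend, ports[backend],
                    client_leg_encrypted=(scheme == "https"),
                    server_leg_encrypted=(backend == "ssl"))


if __name__ == "__main__":
    listener = Listener()
    print(bridge(listener, Bridging(), "https", 443, cipher_bits=128))                 # SSL on both legs
    print(bridge(listener, Bridging(redirect_ssl_as="http"), "https", 443, 128))       # terminated at the proxy
    print(bridge(listener, Bridging(require_secure_channel=True), "http", 80))         # refused
    print(bridge(listener, Bridging(require_128_bit=True), "https", 443, 40))          # refused
```

Note that "terminate the secure channel at the proxy" leaves the server leg in clear text, which is the trade-off the preceding note about an internal Web server without SSL support refers to.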
Configuring Server Publishing
Topics: Publishing a Server; Publishing a Mail Server; Configuring the Message Screener.
When you publish a server, server publishing rules direct incoming requests from external clients to internal servers. ISA Server uses server publishing rules to process incoming requests to internal servers, such as Simple Mail Transfer Protocol (SMTP) servers, FTP servers, or Structured Query Language (SQL) servers. ISA Server forwards the requests to an internal server, which is located behind the ISA Server computer.
ISA Server includes the Mail Server Security Wizard, which you can use to host and secure a mail server located behind an ISA Server computer. The wizard configures ISA Server rules to securely publish internal mail services to your external users. If you install and enable the SMTP filter, you can apply content filtering for all incoming mail. Important: To enable publishing of an internal server, you must configure that server as a SecureNAT client. For information about configuring SecureNAT clients, see Module 2, "Installing and Maintaining ISA Server," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Publishing a Server
[Figure: pages of the New Server Publishing Rule Wizard, from Start to Finish: Name the Rule, Specify Address Mapping, Select a Protocol Setting, Select a Client Type.]
You can configure server publishing rules for protocols other than HTTP, HTTP-S, and FTP. Server publishing rules grant Internet users access, as specified in the rule, to the published server. You can configure a server publishing rule to allow client connections by using any protocol that you have configured in an incoming protocol definition.
To create a new server publishing rule:
1. In ISA Management, in the console tree, expand your server or array, double-click Publishing, and then click Server Publishing Rules.
2. In the details pane, click Publish a Server.
3. In the New Server Publishing Rule Wizard, type a name for the rule, and then click Next.
4. On the Address Mapping page, specify the IP address of the internal server and the external server as follows, and then click Next:
   IP address of internal server. Type the address to which the ISA Server computer forwards all incoming requests.
   External IP address on ISA Server. Type the external address of the ISA Server computer that the external clients connect to when they establish a session with the published server.
5. On the Protocol Settings page, select a protocol to which the rule applies, and then click Next. You can select from all of the protocol definitions that are configured on the ISA Server computer with the direction configured as inbound.
Note: For more information about configuring protocol definitions, see Module 3, "Enabling Secure Internet Access," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
6. On the Client Type page, select a client type, and then click Next.
7. On the Complete the New Server Publishing Rule Wizard page, review your choices, and then click Finish.
Publishing a Mail Server (slide: Mail Server Security Wizard, Mail Services Selection page. Select the mail services that you would like to publish to your external users. Publish these mail services, each with Default Authentication or SSL Authentication: Incoming SMTP (with the Apply content filtering option), Outgoing SMTP, Incoming Microsoft Exchange/Outlook, Incoming POP3, Incoming IMAP4, Incoming NNTP. Callout: Select to apply content filtering to incoming SMTP traffic.)
The Mail Server Security Wizard allows you to choose default authentication or SSL authentication for clients to gain access to the mail services. You can also choose to apply content filtering to incoming SMTP traffic. To run the Mail Server Security Wizard: In ISA Management, in the console tree, expand your server or array, expand Publishing, and then in the details pane, click Secure Mail Server. Follow the on-screen instructions to complete the wizard.
Configuring Content Filtering The Mail Server Security Wizard gives you an option to apply content filtering of incoming SMTP traffic. If you choose this option, ISA Server enables the SMTP application filter and processes messages based on the SMTP commands that you configured in the SMTP filter. After you enable the SMTP filter, you can configure advanced content filtering, such as filtering by attachment type. To enable advanced content screening, you must install and configure the Message Screener, an optional ISA Server component. You must install this component on a computer that runs Internet Information Services (IIS) with the optional SMTP Server component. The configuration steps that are required depend on whether you run the Message Screener on the ISA Server computer or on another computer on your internal network. It is recommended that you run the Message Screener on a separate computer unless there is only light SMTP traffic.
Using Content Filtering
When you have configured all components, the following process takes place:
1. ISA Server forwards all incoming SMTP messages to the SMTP server. The SMTP server can be running on the ISA Server computer or on another computer on your network.
2. The Message Screener retrieves the filter settings that you configured for the SMTP filter from the ISA Server computer.
3. The Message Screener processes messages according to the settings that you configured and then forwards or delivers all messages that it does not drop or hold because of a rule. For example, the SMTP server may forward all messages to a Microsoft Exchange Server computer that acts as the main mail server for your organization. Users can then retrieve messages from that server.
Note: For more information about how to configure content filtering after you have enabled the Message Screener, see Module 6, "Configuring the Firewall," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
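The following example shows the kind of decision the Message Screener makes in step 3 above: parse an incoming message, apply attachment-type and keyword rules, and return forward, hold or drop. It is an added illustration written with the standard Python email library, not the ISA Server Message Screener or SMTP filter; the rule tables, screen_message and build_message are hypothetical, and the messages it screens are constructed here, not captured mail.

```python
"""Model of the content filtering the Message Screener applies to incoming SMTP mail.

Added illustration only; it is not the ISA Server Message Screener or SMTP
filter. It parses a constructed MIME message, applies attachment-type and
subject-keyword rules, and returns one of the three outcomes the text
describes: forward, hold or drop. Rule tables and functions are hypothetical.
"""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional, Tuple

# Hypothetical screening policy. The most severe verdict wins: drop > hold > forward.
ATTACHMENT_RULES = {".exe": "drop", ".vbs": "drop", ".zip": "hold"}
SUBJECT_KEYWORD_RULES = {"confidential": "hold"}
SEVERITY = {"forward": 0, "hold": 1, "drop": 2}


def attachment_names(msg: Message) -> List[str]:
    """Collect the file names of every MIME part that carries an attachment."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename.lower())
    return names


def screen_message(raw: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a raw RFC 822 message."""
    msg = message_from_string(raw)
    verdict, reason = "forward", "no rule matched"

    def escalate(new_verdict: str, why: str) -> None:
        # Only move to a more severe verdict; never downgrade a drop to a hold.
        nonlocal verdict, reason
        if SEVERITY[new_verdict] > SEVERITY[verdict]:
            verdict, reason = new_verdict, why

    for name in attachment_names(msg):
        for ext, action in ATTACHMENT_RULES.items():
            if name.endswith(ext):
                escalate(action, f"attachment {name} matches {ext}")
    subject = (msg.get("Subject") or "").lower()
    for word, action in SUBJECT_KEYWORD_RULES.items():
        if word in subject:
            escalate(action, f"subject contains '{word}'")
    return verdict, reason


def build_message(subject: str, attachment_name: Optional[str] = None) -> str:
    """Construct a sample message (constructed test data, not captured mail)."""
    msg = MIMEMultipart()
    msg["From"] = "sender@nwtraders.msft"
    msg["To"] = "susan@contoso.msft"
    msg["Subject"] = subject
    msg.attach(MIMEText("Please see the attached file."))
    if attachment_name:
        part = MIMEApplication(b"\x00\x01\x02", Name=attachment_name)
        part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    samples = [("Weekly report", None), ("Weekly report", "report.zip"),
               ("Invoice", "invoice.exe"), ("Confidential plan", "plan.doc")]
    for subj, att in samples:
        print(subj, att, "->", screen_message(build_message(subj, att)))
```

Matching on the declared file name is the cheapest check and the one the text names (filtering by attachment type); it does not inspect the attachment's contents, so a hold verdict that routes the message to an administrator for review is the sensible action for the ambiguous cases.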
Configuring the Message Screener Running the Message Screener on the ISA Server Computer Running the Message Screener on a Separate Computer
You can run the Message Screener on an ISA Server computer or on another computer.
Running the Message Screener on the ISA Server Computer
To run the Message Screener on the ISA Server computer:
1. On the ISA Server computer, install or configure IIS, including the SMTP Service component.
2. In IIS, configure the Default SMTP Virtual Server to use only the internal IP address of the ISA Server computer.
3. In IIS, configure the Default SMTP Virtual Server to accept incoming mail from all domains and to forward all mail to your internal mail server, such as an Exchange Server computer.
Note: For maximum security, it is recommended that you use Microsoft Exchange 2000 Server as the mail server for your organization.
4. Install the Message Screener on the ISA Server computer by running the ISA Server Setup program.
5. Create a server publishing rule or use the Secure Mail Server Security Wizard to publish the SMTP server by specifying the internal IP address of the ISA Server computer.
6. Enable the SMTP filter.
Tip: For information about configuring the SMTP filter, see the Advanced Filter Configuration instructions in the \support\docs\smtpfilter.htm file on the ISA Server compact disc.
Running the Message Screener on a Separate Computer
To run the Message Screener on a computer separate from the ISA Server computer:
1. On the designated computer, install IIS, including the SMTP Service component. The Message Screener requires IIS and the SMTP Service on the computer on which it is running.
2. In IIS, configure the Default SMTP Virtual Server to accept incoming mail from all domains and to forward all mail to your internal mail server that is running Exchange Server.
Note: For maximum security, it is recommended that you use Exchange 2000 Server as the mail server for your organization.
3. Install the Message Screener on the SMTP server. To install the Message Screener, perform a custom installation of ISA Server. Do not install any other ISA Server components on the computer running the SMTP server unless they are required for other purposes.
4. On the SMTP server, run the SMTPCred.exe utility that is included in the \isa\i386 directory on the ISA Server compact disc, and then enter the following information:
   The name of the ISA Server computer.
   The interval at which the Message Screener will retrieve configuration information from the ISA Server computer.
   The credentials of a user account that is valid on the ISA Server computer. This account must be a valid user account, but it does not require any special privileges.
Note: You must run SMTPCred.exe only if ISA Server is running as a stand-alone server or if the Message Screener does not belong to the same Active Directory™ directory service forest as the ISA Server computer.
5. Create a server publishing rule or use the Secure Mail Server Security Wizard to publish the SMTP server.
6. Configure Distributed Component Object Model (DCOM) on the ISA Server computer to allow the Message Screener to gain access to the ISA Server computer.
Note: For details about how to configure DCOM for ISA Server, see the Advanced Filter Configuration instructions in the \support\docs\smtpfilter.htm file on the ISA Server compact disc.
Adding an H.323 Gatekeeper H.323 Overview How the H.323 Gatekeeper Works Adding and Configuring an H.323 Gatekeeper
The Microsoft H.323 Gatekeeper service of ISA Server allows you to configure incoming connections and routing for the applications that use the H.323 protocol. Applications that use the H.323 protocol provide multimedia communications services to registered clients. These services include data conferencing and Internet telephony. Microsoft NetMeeting® is one example of an application that uses the H.323 protocol. Note: The H.323 protocol is a standard approved by the International Telecommunication Union (ITU) that defines how packet-based, multimedia data is transmitted across networks. For more information about the H.323 protocol, see the International Telecommunication Union Web site at For more information about NetMeeting, see the Microsoft Web site at
H.323 Overview (slide: Client, H.323 Gateway, Internet. The H.323 standard defines how connections are established, how two devices initiate communications with each other, how data is transmitted over a network, and how audio and video codec components encode and decode input/output.)
The H.323 protocol is an ITU standard that specifies how terminals, equipment, and services for multimedia communicate over networks that do not provide a guaranteed quality of service, such as the Internet. H.323 terminals and equipment can carry real-time video, voice streams, data streams, or any combination of these elements. Devices that use the H.323 protocol for audio and video enable you to connect to and communicate with other people over the Internet, just as people that use different types of telephones can communicate over the public switched telephone network (PSTN).
The H.323 standard defines: How connections are established. How two devices initiate communication with each other, or capability negotiation. How data is transmitted over a network. How audio and video compressor/decompressor (codec) components encode and decode input/output. Note: Codec components can be implemented in software, in hardware, or in a combination of both.
How the H.323 Gatekeeper Works (slide: an origination endpoint and a destination endpoint, each behind an ISA H.323 Gateway running a Gatekeeper, connected across the Internet; DNS holds the SRV records _Q931_tcp.contoso.msft and _Q931_tcp.nwtraders.msft; NetMeeting queries DNS to find the Gatekeeper, and DNS returns the IP address to John's computer.)
Every H.323 transaction has two endpoints, an origination endpoint and a destination endpoint. An endpoint can be an H.323 client, such as a client computer running NetMeeting, or a proxy server, such as an ISA Server computer. The gatekeepers control access to the network, allowing or denying calls and controlling the bandwidth of the call. Gatekeepers also help with address resolution, which is the process of converting addresses into appropriate network addresses.
For example, a client computer running NetMeeting uses the H.323 Gatekeeper service on the ISA Server computer to find and connect with a user in another organization as follows:
1. A user, John, opens NetMeeting and places a call to another user, Susan, at contoso.msft.
2. NetMeeting queries DNS on the Internet to find a gatekeeper for contoso.msft.
3. DNS finds the appropriate service location (SRV) resource record and then returns the IP address of the gatekeeper at contoso.msft to John's computer.
4. NetMeeting on John's computer calls the gatekeeper for contoso.msft.
5. If Susan is a valid user and is registered on the contoso.msft gatekeeper, the gatekeeper routes the incoming connection to Susan.
Note: In the example, the gatekeeper at contoso.msft has the ability to perform IP address translation because Susan's computer is on a private network. The gatekeeper acts as a proxy for Susan and transparently handles all address translations that are required to maintain the connection.
Adding and Configuring an H.323 Gatekeeper (slide: ISA Management console tree with the nodes Monitoring, Access Policy, Publishing, Bandwidth Rules, Policy Elements, Cache Configuration, Monitoring Configuration, Extensions (Application Filters, Web Filters), Network Configuration, Client Configuration and H323 Gatekeepers; the H323 Gatekeepers node lists the gatekeeper LONDON with status Normal and offers the Add gatekeeper… command. Add Gatekeeper dialog box: Select a computer running H.323 Gatekeeper that you want to add. Gatekeeper computer: This computer, Another computer. OK, Cancel.)
You can add an H.323 Gatekeeper when you want to enable incoming connections for applications that use the H.323 protocol or if you want to configure detailed routing rules for H.323-based applications. You can use an H.323 Gatekeeper to establish incoming connections with both SecureNAT clients and Firewall clients. You do not have to create a gatekeeper to enable outgoing connections that use the H.323 protocol. If you choose Full Installation while installing ISA Server, the H.323 Gatekeeper Service is automatically installed. You can also add the H.323 Gatekeeper Service by performing a custom installation.
Adding an H.323 Gatekeeper
To add an H.323 Gatekeeper after installing ISA Server:
1. In ISA Management, in the console tree, right-click H323 Gatekeepers, and then click Add gatekeeper.
2. In the Add Gatekeeper dialog box, choose one of the following options, and then click OK.
   To specify that the H.323 Gatekeeper should run on the local computer, click This computer.
   To specify that the H.323 Gatekeeper should run on a remote computer, click Another computer, and then type the DNS name of the remote computer.
Configuring the H.323 Application Filter After you create the H.323 Gatekeeper, you also must configure the H.323 filter to allow incoming calls. Note: For more information about how to configure the H.323 filter, see Module 6, "Configuring the Firewall Service," in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Creating a DNS SRV Record
To allow clients on the Internet to locate the H.323 Gatekeeper for a lookup zone, such as contoso.msft, add a record to the DNS zone with the following properties:
Record Type: SRV
Service: Q931
Protocol: TCP
Port Number: 1720
Host name: Fully qualified domain name (FQDN) of the H.323 Gatekeeper computer
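The following example ties the SRV record above to the call sequence described under "How the H.323 Gatekeeper Works": the caller's client asks DNS for the gatekeeper that serves the callee's zone, DNS answers from the Q931/TCP SRV record with the gatekeeper host and port 1720, and the gatekeeper routes the call only to a user registered with it. It is an added illustration, not code from the course, ISA Server or NetMeeting, and it runs against a constructed in-memory zone rather than real DNS. Standard SRV owner names follow _Service._Proto.Name (RFC 2782), so the record is looked up as _q931._tcp.contoso.msft. Callee addresses are assumed to take the form user@zone; the ZONE and REGISTRATIONS tables and the functions srv_name, select_record, find_gatekeeper and route_call are hypothetical.

```python
"""Gatekeeper discovery through a DNS SRV record, then call routing by the gatekeeper.

Added illustration, not code from the course, ISA Server or NetMeeting. It
replays the described sequence against a constructed in-memory zone. SRV
owner names follow RFC 2782 (_Service._Proto.Name); callee addresses are
assumed to be user@zone. All tables and functions are hypothetical.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str   # FQDN of the computer running the H.323 Gatekeeper


# Constructed zone data (documentation address ranges, not real hosts).
ZONE: Dict[str, list] = {
    "_q931._tcp.contoso.msft": [
        SrvRecord(0, 100, 1720, "london.contoso.msft"),   # preferred gatekeeper
        SrvRecord(10, 0, 1720, "backup.contoso.msft"),    # used only if priority 0 fails
    ],
    "london.contoso.msft": ["192.0.2.10"],   # ISA Server external adapter
    "backup.contoso.msft": ["192.0.2.11"],
}

# Users registered with each gatekeeper, with their private addresses.
REGISTRATIONS: Dict[str, Dict[str, str]] = {
    "london.contoso.msft": {"susan": "10.0.0.12"},
}


def srv_name(service: str, proto: str, zone: str) -> str:
    """Owner name of the SRV record: _Service._Proto.Zone, compared case-insensitively."""
    return f"_{service}._{proto}.{zone}".lower()


def select_record(records: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 selection: lowest priority first, weighted choice within that priority."""
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng.randint(0, total - 1)
    for r in candidates:
        if pick < r.weight:
            return r
        pick -= r.weight
    return candidates[-1]


def find_gatekeeper(zone: str, rng: Optional[random.Random] = None) -> Optional[Tuple[str, int, str]]:
    """Steps 2 and 3: query DNS for the zone's gatekeeper; return (host, port, ip) or None."""
    records = ZONE.get(srv_name("Q931", "TCP", zone))
    if not records:
        return None
    rec = select_record(records, rng or random.Random())
    addresses = ZONE.get(rec.target)
    if not addresses:
        return None
    return rec.target, rec.port, addresses[0]


def route_call(callee: str) -> Optional[Dict[str, object]]:
    """Steps 4 and 5: call the gatekeeper; it routes only to a registered user."""
    user, _, zone = callee.lower().partition("@")
    found = find_gatekeeper(zone)
    if found is None:
        return None                       # no gatekeeper published for that zone
    host, port, ip = found
    private_ip = REGISTRATIONS.get(host, {}).get(user)
    if private_ip is None:
        return None                       # gatekeeper refuses: callee not registered
    # The caller only ever learns the gatekeeper's address; the callee's
    # private address stays behind the gatekeeper, which proxies the call.
    return {"gatekeeper": host, "gatekeeper_ip": ip, "q931_port": port,
            "callee_private_ip": private_ip}


if __name__ == "__main__":
    print(route_call("susan@contoso.msft"))
    print(route_call("bob@contoso.msft"))      # None: not registered
    print(route_call("susan@nwtraders.msft"))  # None: no SRV record for that zone
```

Two things to check when a lookup like this fails in practice: that the SRV record is published under the zone the callers actually query, and that the host name in the record resolves to the gatekeeper's external address, since the caller never connects to the callee's private address directly.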
Configuring Call Routing After you have added an H.323 Gatekeeper, you can configure call routing rules to determine how to route the calls that the gatekeeper receives. Note: For more information about call routing, see "Call routing rules" in ISA Server Help.
Configuring Applications to Use a Gatekeeper After you have installed an H.323 Gatekeeper, you must configure H.323 applications to register the users with a gatekeeper so that the gatekeeper can correctly route incoming calls. The settings that you must configure depend on the H.323 application. Note: For more information about configuring NetMeeting, see NetMeeting Help and see the NetMeeting Resource Kit at NetMeeting/Corp/reskit/default.asp
Lab A: Configuring Access to Internal Resources
Review Introduction to Publishing Configuring Web Publishing Configuring Server Publishing Adding an H.323 Gatekeeper