Académique Documents
Professionnel Documents
Culture Documents
Page 1 of 16
TechNet Home > Products & Technologies > Servers > ISA Server TechCenter Home > ISA Server 2004 > Technical Library
On This Page Introduction Scenarios Solutions Appendix A: Using the New Web Publishing Rule Wizard Appendix B: Creating Rule Elements More Information
Introduction
Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition uses Web publishing rules to handle issues associated with publishing Web content to the Internet, without compromising Internal network security. Web publishing rules determine how ISA Server intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server and how ISA Server responds on behalf of the Web server. Requests are forwarded downstream to an internal Web server, located behind the ISA Server array. If possible, the request is serviced from the ISA Server cache. Web publishing rules map incoming requests to the appropriate Web servers behind the ISA Server array.
Mapping requests to specific internal paths. You can limit the portions of your servers that can be accessed. Restricting access to specific users, computers, or networks. You can restrict access, to further improve security. Requiring user authentication. User authentication can be passed through to the Web server, eliminating the need to reauthenticate at the Web server. Providing link translation. You can handle links to internal servers. Providing SSL bridging. You can encrypt traffic between the ISA Server array and the Web server.
Web Listeners
All incoming Web requests must be received by a Web listener. A Web listener may be used in multiple Web publishing rules.
Page 2 of 16
The network corresponding to the Internet Protocol (IP) addresses on the ISA Server array that will listen for incoming Web requests. The Web listener can listen on all the IP addresses associated with a network or on specific IP addresses. The port number that will listen for incoming Web requests on the selected network IP addresses. Client authentication methods (optional).
Rule Elements
An ISA Server rule element is an object that you can use to refine ISA Server rules. For example, a subnet rule element represents a subnet within a network. You can create a rule that applies only to a subnet, or a rule that applies to a whole network exclusive of the subnet. Another example of a rule element is a user set, representing a group of users. By creating a user set and making use of it in an ISA Server rule, you can create a rule that applies only to that set of users. You can see the rule elements that are available to you by expanding the ISA Server array node, clicking Firewall Policy, and selecting the Toolbox tab in the task pane. There are five types of rule elements:
Protocols. This rule element type contains protocols that you can use to limit the applicability of access rules. For example, you can allow or deny access on one or more protocols, rather than on all protocols. Users. In this rule element type, you can create a user set to which a rule will be explicitly applied, or
Page 3 of 16
which can be excluded from a rule. Content Types. This rule element type provides common content types to which you may want to apply a rule. Schedules. In this rule element type, you can designate hours of the week during which the rule applies. Network Objects. In this rule element type, you can create sets of computers to which a rule will apply, or which will be excluded from a rule.
You may want to use rule elements in your Web publishing rules, to make the rules more specific. Creation of rule elements is described in Appendix B: Creating Rule Elements in this document. If the enterprise administrator has created rule elements on the enterprise level, these will also be available to you on the array level, so that you can use those rule elements in Web publishing.
NLB configuration is performed through ISA Server Management. ISA Server provides NLB health monitoring, and discontinues NLB on a particular computer as necessitated by its status. This prevents the continued functioning of NLB when the state of the computer does not allow the passage of traffic. For example, if there is a failure of the network adapter on the computer, or if you stop the Microsoft Firewall service, ISA Server stops NLB-directed traffic from passing though that computer. When the issue is resolved, ISA Server will again allow NLB traffic to pass through that computer. ISA Server works with Windows NLB to automatically configure bidirectional affinity, and does so for multiple networks. This guarantees that traffic is handled in both directions by the same array server. Note When you configure NLB through ISA Server, it is automatically configured in unicast mode and with single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host.
When you use ISA Server integrated NLB, each computer running ISA Server services requires an additional network adapter, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication. You should then configure intra-array communication to use the IP address of the new adapter on each server.
Top of page
Scenarios
This document describes several Internet Security and Acceleration (ISA) Server 2004 Web publishing
Page 4 of 16
scenarios:
Publish a Web server that is located in your Internal network or perimeter network. Publish specific folders to differing public names. Publish two Web servers with different domain names.
Top of page
Solutions
The solutions described in this document start with publishing an internal Web server or perimeter Web server, and progress to publishing specific folders, and publishing multiple Web servers behind an Internet Security and Acceleration (ISA) Server 2004 array.
Network Topology
The following sections describe the network topologies when:
Publishing a Web server on an Internal network. Publishing a Web server on a perimeter network.
A connection to the Internet. At least one computer to serve as the computer running ISA Server services (the ISA Server array), and a computer to serve as the Configuration Storage server. You can install the Configuration Storage server and ISA Server services on the same computer. We recommend that in a production environment, the Configuration Storage server be installed on a computer that will be behind the ISA Server array. The computer running ISA Server services must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network. If you are using ISA Server integrated NLB on the ISA Server array, you will also require a network adapter on each computer running ISA Server services, for intra-array communication. A computer that will be the Web server, located in the Internal network. To test the setup, a computer that is external to your network, with a connection to the Internet.
A connection to the Internet. At least one computer to serve as the computer running ISA Server services (the ISA Server array), and a computer to serve as the Configuration Storage server. You can install the Configuration Storage server and ISA Server services on the same computer. We recommend that in a production environment, the Configuration Storage server be installed on a computer that will be behind the ISA Server array. The computer running ISA Server services must have at least three network adapters. One adapter will be connected to the External network (representing the Internet), one adapter will be connected to the perimeter network, and one adapter will be connected to the Internal network. If you are using ISA Server integrated NLB on the ISA Server array, you will also require a network adapter on each computer running ISA Server services, for intra-array communication. A computer that will be the Web server, located in the perimeter network. If you want your perimeter Web server to retrieve data from a data server on the Internal network, you need a computer to serve as the data server. To test the setup, a computer that is external to your network, with a connection to the Internet.
Page 5 of 16
3. 4.
5. 6.
You can choose to export confidential information. If you do, it will be encrypted during export. If you want to export confidential information, select Export confidential information and provide a password. You can choose to export user permission settings, by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users, for example, indicating who has administrative rights.
Click Next. On the Export File Location page, provide the location and name of the file to which you want to save the configuration. Choose a meaningful name, and consider including the date in the name of the file, such as Cleveland Array ISA Backup 15 October 2004. Click Next. On the Completing the Export Wizard page, click Finish. When the export has completed, click OK. Note Because the .xml document is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.
7. 8.
3.
4. 5.
Creating an intra-array network To create an ISA Server network that includes only the addresses of the new network adapters (an intra-
Page 6 of 16
array network), follow these steps: 1. 2. 3. 4. 5. 6. In ISA Server Management, expand the array, expand Configuration, and click Networks. In the details pane, select the Networks tab. On the task pane, in the Tasks tab, click Create a New Network. On the Welcome page, type a name for the network, and then click Next. On the Network Type page, select Internal Network, and click Next. On the Network Addresses page, click Add Adapter to open the Select Network Adapters dialog box. Select the network adapter that is used for intra-array communication. Click OK, and click Next. On the Completing the New Network Wizard page, review the settings, and click Finish. In the details pane, click Apply to apply your changes.
7. 8.
2. 3.
4.
5.
6.
7.
Publishing a Web Server Walk-through Procedure 5: Design and Create Web Publishing Rules
You will use Web publishing rules to publish Web servers. The following are some examples of possible Web publishing scenarios, and the rules needed for the solution. For specifics on how to use the New Web Publishing Rule Wizard, see Appendix A: Using the New Web Publishing Rule Wizard in this document. You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box. Publishing a Web server on an Internal network or a perimeter network To publish a Web server on the Internal network or a perimeter network, create a Web publishing rule using
Page 7 of 16
the procedure in Appendix A: Using the New Web Publishing Rule Wizard in this document. Remember to click Apply in the ISA Server details pane after creating the rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box. The following table describes the tabs in the rule properties dialog box. Tab General Property Name Setting Provide a name. Comments Make the name as descriptive as possible, to differentiate this rule from other rules. Optional. None. None.
Action
Log requests matching this rule This rule applies to traffic from these sources Exceptions
Select if you want requests to be logged. Specify the networks to which you are publishing the Web site. None.
None.
From
None.
From
You can specify a network object to which this rule will not apply. A network object is a rule element, which is described in Rule Elements in this document. None.
To
Server
Specify the server you are publishing. Select whether to send the original host header. If the Web server requires the original IP address of the external client, select Requests appear to come from the original client.
To
Forward the original host header instead of the actual one Proxy requests to published server
For more information, see Original Host Headers in this document. If you select Requests appear to come from the original client, make sure that the Web servers response to the original client is routed through the ISA Server array. Also provides access to the HTTP configuration properties, through the Filtering button. For more information, see Configuring HTTP policy in this document. The network containing the listener must be included in the sources listed on the From tab.
To
Traffic
Listener
Page 8 of 16
Public Name
If you are publishing more than one Web site on the same Web listener, you should specify Requests for the following websites (and specify the published site name) so that another rule can publish a server or directory using the same listener. When you specify Requests for the following websites, only requests for the name you provide will match the rule. This also may reduce the amount of traffic handled by the listener. The path /* is generic, indicating that all folders are published under their own names on the Internet. An example of specific folder publication is provided later in this document. For details, see SSL bridging in this document. Limits access to a specific set of users.
Paths
Bridging
Specify the type of server This rule applies to requests from the following user sets Exceptions
Users
Users
None.
You may define user sets to which this rule will not apply. For details, see Allowing delegation of Basic authentication in this document. You could limit the hours during which the Web site is available by creating a schedule and applying it to this rule. A schedule is a rule element, which is described in Rule Elements earlier in this document. Link translation will only work if you specify Requests for the following websites (and specify the published site name) on the Public Name tab. For details, see Configuring link translation in this document.
Users
Schedule
Link Translation
Select whether to replace absolute links, and make dictionary entries if needed.
Page 9 of 16
Publishing Web server folders on the Internal or perimeter network to one domain name You can publish specific folders on a Web server on the Internal network or on a perimeter network. In this scenario, both folders are published to the same domain. For example, you want to publish the \news folder to www.fabrikam.com/news, and the \updates folder to www.fabrikam.com/updates. To do this, follow these steps: 1. Create a Web publishing rule as described in the previous scenario, with the same properties. You do not have to specify any folders when creating the rule, because the New Web Publishing Rule Wizard does not provide the granularity you require for this scenario. After you create the rule, in the Firewall Policy details pane, double-click the rule to display its properties, and select the Paths tab. Select the default path displayed (<same as internal> to Internal Path /*) and click Remove. Click Add to add new paths through the Path mapping dialog box. Specify the folder that you want to publish on the Web site. This is the name of the folder on your Web server. In External Path, either:
2.
3. 4. 5.
6.
Select Same as published folder if you want the URL that users type to be the same folder name in their browsers. For example, if your internal folder name is /news and you select Same as published folder, users would type http://www.fabrikam.com/news to access that folder. Select The following folder to specify a different name for the folder as accessed from the Internet. For example, you may have a folder on the Web server named news03032003 that you want to publish to www.fabrikam.com/news. In that case, select The following folder and provide the name news.
7.
In the ISA Server details pane, click Apply to apply the changes.
Publishing two Web server folders to two domain names You can publish specific folders on a Web server on the Internal network or on a perimeter network to two different domain names. For example, you want to publish the \news folder to www.fabrikam.com, and the \updates folder to www.adatum.com. To do this, you will create two Web publishing rules, one for each domain name. To do this, follow these steps: 1. Create a Web publishing rule for the www.fabrikam.com site using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in this document, with the changes described in the next steps On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the Internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is the default condition. For more information, see Original Host Headers in this document. In Path, you can specify the Web site folder that you want to publish, such as News. Click Next. Note To publish all of the subfolders under News to www.fabrikam.com, you would provide the folder as News/* 3. On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.fabrikam.com. Complete the wizard. Create a second Web publishing rule, this time for the www.adatum.com site, using the New Web Publishing Rule Wizard, as described in Appendix A: Using the New Web Publishing Rule Wizard in
2.
4. 5.
Page 10 of 16
this document, with the changes described in the following steps. 6. On the Define Website to Publish page, in Computer name or IP address, specify the Web server computer that hosts the Web site that you want to publish. This can be the computer name or the IP address of the Internal network or perimeter network Web server. Verify that Forward the original host header is not selected. This is the default condition. For more information, see Original Host Headers in this document. In Folder, you can specify the Web site folder that you want to publish, such as Update (or Update/*, to include its subfolders). Click Next. On the Public Name Details page, verify that This domain name is selected, and provide the domain name, such as www.adatum.com. Complete the wizard. In the ISA Server details pane, click Apply to apply the changes.
7.
8. 9.
SSL bridging If you are publishing a server that requires Secure Sockets Layer (SSL) communication, you must have a digital certificate installed on each member of the ISA Server array. In addition, you may have a digital certificate installed on the Web server. To ensure that HTTPS requests are sent from the ISA Server array to the Web server using the appropriate protocol, you must configure SSL bridging accordingly. SSL bridging is a property for each Web publishing rule. SSL bridging determines whether HTTPS requests received by the ISA Server array are passed to the Web server as HTTPS requests or as HTTP requests, as follows:
If there is no digital certificate installed on the Web server, SSL and HTTP requests are passed to the Web server as HTTP requests. The SSL-secured communication is handled by ISA Server, and continues internally as HTTP. If there is a digital certificate installed on the Web server, HTTPS requests are passed to the internal Web server as HTTPS requests, and HTTP requests are passed as HTTP requests. In this case, SSL-secured communication takes place from both the external client to the ISA Server array and from the ISA Server array to the Web server. Important We recommend that you install digital certificates on both the Web server and the ISA Server array, and pass HTTPS requests as HTTPS. This is a more secure configuration.
If your Web server has a digital certificate, and you want ISA Server to listen for HTTPS requests without purchasing an additional certificate, you must export the certificate from the Web server and import it to each member of the ISA Server array. For more information, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink?linkid=20794). To modify the SSL bridging configuration, perform the following steps: 1. 2. 3. In the properties of the Web publishing rule, select the Bridging tab. Ensure that Web server is selected. Select Redirect requests to HTTP port or Redirect requests to SSL port:
If you are using the ISA Server digital certificate to handle HTTPS requests (no digital certificate installed on the Web server), select Redirect requests to HTTP port, and then click OK.
Page 11 of 16
4.
If you want to continue to use an existing digital certificate on the Web server as well as the certificate on the ISA Server array, select Redirect requests to SSL port, ensure that the default port number 443 is appropriate to your network, and then click OK.
Click OK to close the Web publishing rule properties dialog box. Note The option Use a certificate to authenticate to the SSL Web server enables you to specify the client certificate that ISA Server will use to authenticate itself to the Web server.
A common issue in Web publishing using SSL bridging is that the server name or IP address provided on the Web publishing rule To tab does not match the name on the digital (SSL) certificate. This will result in the Web client receiving a 500 Internal Server Error page. This problem can be resolved using one of the following approaches:
Obtain a new certificate that matches the name on the server. Change the server name on the Web publishing rule To tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server. Change the server name on the Web publishing rule To tab to match the name on the certificate. On each member of the ISA Server array, in the file %WINDIR%\system32\drivers\etc\hosts, add a mapping from the server name to the IP address of the internal Web server.
Creating additional path mappings In the Web publishing solution, you created a single path mapping, from http://www.fabrikam.com/news to the \news folder on the Internal network or perimeter network Web server. You can add additional path mappings, such as http://www.fabrikam.com/archives to the \archives folder on the Web server. To add additional path mappings, follow this procedure: 1. 2. 3. 4. In the properties of the Web publishing rule, select the Paths tab. Select the default path displayed (<same as internal> to Internal Path /*) and click Remove. Click Add to add new paths in the Path mapping dialog box. Provide the name of the internal folder, for example, archives. If you leave the default External Path option, Same as published folder, the public name will be the same as the private name, archives. However, if you want your internal folder to be published to a different external name, you should select The following folder and provide the public name. With this selection, you can publish the \archives folder to http://www.fabrikam.com/Old. Click OK. Click OK to close the Web publishing rule properties dialog box. In the Firewall Policy details pane, click Apply to apply the changes.
5. 6.
Configuring link translation Some published Web sites may include references to internal names of computers. Because only ISA Server and not the whole network is made available to external clients, these references could appear as broken links. ISA Server includes a link translation feature with several levels of functionality, so that you can provide the appropriate level of link connectivity:
Header link translation. This is an inherent part of any Web publishing rule, in which a link returned in a header to the client is translated to an externally recognizable URL. When the user accesses the link, it is recognized by the Web publishing rule, and forwarded to the internal server. This form of link translation is always active in any Web publishing rule. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document. Translation of links in the body of a returned Web page. This functions in the same manner as the header link translation, but includes links returned in the body of Web pages, not just in the header. Note that this translation works only within the definition of the Web publishing rule. If a link refers to another internal server or a different port number than those specified in the rule, the link will not be translated unless a dictionary entry is made, as described later in this document. To enable this functionality,
Page 12 of 16
perform the following steps: 1. 2. In the properties of the Web publishing rule, select the Link Translation tab. Select Replace absolute links in Web pages to enable link translation.
You can also configure the content types to which link translation will be applied. This configuration will apply to all of the Web publishing rules that use link translation. (It cannot be configured per rule.) To configure the content types, perform the following steps: 1. 2. 3. In the properties of the Web publishing rule, select the Link Translation tab. Click Content Types, to open the Link Translation dialog box Content Types tab. Select the content types to which link translation will apply, and then click OK.
Translation of links to other internal Web pages. Link translation works only for links to the Web server specified in the Web publishing rule. If you want links to other internal or perimeter Web servers to also be translated (so that the links are recognized by their respective Web publishing rules), you must provide information about how to translate each link. This information is stored by ISA Server in a link dictionary.
For example, consider a scenario where two internal Web servers are published. The Web server computers, Internal_IIS_A and Internal_IIS_B, are accessible by their publicly resolvable names www.wingtiptoys.com and www.woodgrovebank.com. The Web servers include cross-references to the published sites. However, the references are to the internal Web site names and not the publicly resolvable site names. Specifically, Internal_IIS_A contains references to Internal_IIS_B. External users who access Internal_IIS_A by typing www.wingtiptoys.com will not be able to follow the links to Internal_IIS_B. By enabling link translation and creating a dictionary with entries for each of the Web sites, these internal links can be resolved before the page requested by the client is returned. Important ISA Server cannot translate relative links. This will affect links that begin with /, such as /sports, in a situation where you are using path mappings and the external path is not the same as the internal path. To make entries in the link translation dictionary, perform the following steps: 1. 2. 3. 4. In the properties of the Web publishing rule, select the Link Translation tab. Select Replace absolute links in Web pages to enable link translation. Click Add to open the Add/Edit Dictionary Item dialog box. In Replace this text, provide the internal link text, such as Internal_IIS_B. In With this text, provide the external link, such as www.woodgrovebank.com. Click OK. Click OK to close the Web publishing rule properties dialog box.
5.
Allowing delegation of Basic authentication ISA Server can handle user authentication when the request arrives at the external listener, and then pass the authentication information to the Web server so that the user does not have to supply credentials again. To do so, perform the following procedure: 1. 2. 3. In the properties of the Web publishing rule, select the Users tab. Select Forward Basic authentication credentials (Basic delegation). Click OK to close the Web publishing rule properties dialog box.
Configuring HTTP policy ISA Server is an application-layer firewall, and applies a Web filter to HTTP traffic. Because ISA Server can examine HTTP requests, applications that are tunneled through HTTP can be blocked, depending on how you configure the HTTP Web filter. This additional protection offers you the ability to reduce the vulnerability of published servers to malicious requests. The HTTP Web filter also provides granular control over the HTTP requests allowed by your firewall policy.
Page 13 of 16
You can configure HTTP policy, which encompasses the following settings:
Request header maximum length Request payload length Configure URL protection Block executables Allow or block methods Specify actions for specific file extensions Deny specific headers Modify Server and Via headers Block specific signatures
For more information, see HTTP Filtering in ISA Server 2004 (http://www.microsoft.com). To configure HTTP policy, follow this procedure: 1. 2. 3. In the properties of the Web publishing rule, select the Traffic tab. Click Filtering and select Configure HTTP to open the Configure HTTP policy for rule dialog box. Select the appropriate tab and configure the policy settings.
Publishing a Web Server Walk-through Procedure 7: Test the Web Publishing Configuration
On a computer in the External network (any computer outside of your corporate networks with a connection to the Internet), open Internet Explorer, and type the URL of the Web site, such as http://www.fabrikam.com/news. Verify that you reach the intended page on the published Web server. Note The URL of the Web site must resolve to the IP address used by the Web listener of the ISA Server array for the request to be received by the array.
Publishing a Web Server Walk-through Procedure 8: View Web Site Access Information in the ISA Server Log
ISA Server will log the requests that match the Web publishing rule. To view the information in the log, perform the following steps : 1. 2. 3. In the Microsoft ISA Server Management console tree, select Monitoring. In the Monitoring details pane, select Logging. Create a filter so that you receive only the log information regarding Web site access attempts. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. The filter has three default conditions, specifying that log information from both the firewall and the Web Proxy should be provided, that the log time is Live, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query. From the list of entries, select Log Time. From the Condition drop-down menu, select Last 24 Hours, and then click Update. From the list of entries, select Log Record Type. From the Value drop-down menu, select Web Proxy Filter, and then click Update. You can add another expression by selecting an item from the Filter by drop-down menu, and then providing a Condition and Value. For example, to limit the log to display access to your published Web servers, in addition to the expression Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, which you modified in Step 5, you can add Filter by: Service, Condition: Equals, and Value: Reverse Proxy.
4.
5.
6.
Page 14 of 16
7.
After you have created an expression, click Add To List to add it to the query list, and then click Start Query to start the query. The Start Query command is also available in the task pane on the Tasks tab.
Top of page
2.
3.
4.
5.
6.
2.
3.
Page 15 of 16
all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.
4.
Click OK to close the External Network Listener IP Selection dialog box, and on the IP Addresses page, click Next. On the Port Specification page, the TCP port is set to 80 (default setting). If you want to receive HTTPS requests, select Enable SSL, verify that the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. This requires that you have a digital certificate installed on each member of the ISA Server array. For more information about certificates, see Digital Certificates for ISA Server 2004 (http://www.microsoft.com). Click Next. On the Completing the New Web Listener Wizard page, review the settings, and click Finish. On the Select Web Listener page, click Next.
5.
6.
8.
On the User Sets page, make sure the default, All Users, is displayed. This will allow any computer in the External network to access the published Web pages. Note that to restrict access to specific users, use the Remove button to remove All Users, and the Add button to access the Add Users dialog box. Click Next. On the Completing the New Web Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and click Finish. In the ISA Server details pane, click Apply to apply the changes you have made.
9.
10.
Top of page
Page 16 of 16
1.
Open Microsoft ISA Server Management, expand Arrays, expand the ISA Server array node, and click Firewall Policy. In the task pane, select the Toolbox tab. Select the rule element type by clicking the appropriate header (Protocols, Users, Content Types, Schedules, or Network Objects) for that element. At the top of the list of elements, click New. Provide the information required. When you have completed the information and clicked OK in the dialog box, your new rule element will be created. Click Apply in the details pane to apply changes. If you prefer, you can click Apply after you have created your Web publishing rules (after you have made all of your changes, rather than after each change). It will take a few moments for the changes to be applied. Note You can also create enterprise level rule elements that can be used in the creation of enterprise policy. Follow the same procedure, but in the Enterprise node, under Enterprise Policies.
2. 3.
4. 5.
6.
Top of page
More Information
Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance Page (http://www.microsoft.com). Do you have comments about this document? Send feedback.
Top of page
Manage Your Profile 2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement