Step 4 of the publishing rule section specifies port 80, but would there be any reason why I wouldn't be able to use a different port? It will still be non-SSL web sites.
I'm planning to use a single external IP to reference different web sites hosted on the same internal IIS server, but each web site is running on a different port. Would there be any issues with doing it this way? i.e., the internal server will only have a single IP also; only the port numbers will be different.
Just to answer my own question:
This article is brilliant. I now have 4 different web URLs all directing to different web sites on my internal IIS server.
The port trick is simple. I have all my sites running on the same server and use different ports for each site. After creating the rule, I just need to go into the properties for the rule and under the "Bridging" tab, just set the "redirect requests to HTTP port" to the required internal port on the IIS server.
This article came out at the perfect time for me. One week before I actually needed to do exactly the same thing.
I tried the exact steps listed in the tutorial, but it didn't work out. The client computer is successfully able to resolve the external IP address of the ISA server, but the ISA server is not redirecting the requests to the internal servers. Note that the ISA server can access these sites locally. What happens is that the web browser treats the ISA server as a web server and tries to access a locally hosted website; I installed IIS on the ISA server and tried to open www.msfirewall.org, and I got the website hosted on the ISA server.
Please provide any comments on the subject, note that I am using ISA 2004 Enterprise edition with no service packs on a Windows 2003 platform.
Do you think this technique would work with Sharepoint? The client I am working with has 7 Sharepoint root level sites that each have their own IP addresses. Right now, they are just internal sites, but they want to deploy them to an extranet. Do you know if it would be feasible to publish all of the Sharepoint sites using a single IP address? Also, when do you anticipate the SSL version of this article to come out?
Thanks,
Deb
Hi Deb, In order to publish seven SSL sites, you would need to do one of two things:
1. Use a single IP address on the external interface of the ISA firewall, and then bind a wildcard certificate with the common/subject name something like *.domain.com. This means all sites would need to be part of the same second-level domain and accessible to external clients using names such as sps1.domain.com, sps2.domain.com, mysps.domain.com, yoursps.domain.com. The certificate would be bound to a single Web listener and then you would create seven Web Publishing rules to publish the sites.
2. A better alternative and more flexible one would be to bind at least seven IP addresses to the external interface of the ISA firewall and then create seven Web listeners, each one with a certificate with the common/subject name you want users to access the site by from external locations. In this case, you are not limited to using the same second-level domain for all the SPS sites.
I've got the SSL title on my list, but it might be some time until I get to it. However, you can use the principles discussed in any of my OWA publishing articles to get an idea of how things work, and our book has a lot of information on Web publishing scenarios, although none are SPS specific. I've published many an SPS site and it works quite nicely in most cases.
I too am very interested in your article about publishing multiple SSL sites on one IP address. I currently publish multiple sites using SSL but it is not pretty. As the domains are different, i.e. domain1.com and domain2.com, your wildcard cert solution just won't do. One of the requirements that we have to meet is to make it seamless, meaning that you don't get the security warning...
I have accomplished this by using different ports, i.e. 443 for domain1.com and 445 for domain2.com. Then the listener listens on those ports with the specified certificate. It works but is not pretty!!
I would love to hear your suggestions for this situation. I am hoping there is some sort of host header/listener config that I am simply missing... so if domain1.com comes in on 443 use this cert and if domain2.com comes in on 443 use the other cert...
Thanks for all the great articles... it makes it a lot easier for those of us that wear many different hats in the organizations we reside in!!
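The constraint behind option 1 in the reply above, and behind the later poster's point that a wildcard certificate "just won't do" for domain1.com and domain2.com, is how a wildcard name is matched. The following is an added example, not code from the thread or from ISA Server: it applies the usual HTTPS matching rule (the "*" stands for exactly one DNS label in the leftmost position) to a constructed list of public names and reports which ones a single wildcard listener could serve and which would each need their own IP address and certificate.

```python
# Added example (not from the thread): checks which public site names a single
# wildcard certificate can cover. The rule modelled here is the standard HTTPS
# one: "*" stands for exactly one DNS label in the leftmost position, so
# "*.domain.com" covers sps1.domain.com but neither domain.com itself,
# a.b.domain.com, nor anything under another second-level domain.
from typing import Dict, List


def hostname_matches_cert(hostname: str, cert_name: str) -> bool:
    """True if `hostname` is covered by the certificate name (exact or wildcard)."""
    host = hostname.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name                     # plain certificate: exact match only
    suffix = name[1:]                           # "*.domain.com" -> ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]             # the part the "*" has to stand for
    return leftmost != "" and "." not in leftmost


def plan_listeners(cert_name: str, public_names: List[str]) -> Dict[str, List[str]]:
    """Split public names into those one wildcard listener serves and those
    that need their own IP address and certificate (option 2 in the reply)."""
    covered = [h for h in public_names if hostname_matches_cert(h, cert_name)]
    own = [h for h in public_names if h not in covered]
    return {"one_listener": covered, "own_listener_each": own}


# Constructed sample names (not from any real deployment): seven SharePoint-style
# names under one second-level domain plus the two unrelated domains mentioned
# by the next poster.
SAMPLE_NAMES = [
    "sps1.domain.com", "sps2.domain.com", "mysps.domain.com", "yoursps.domain.com",
    "portal.domain.com", "hr.domain.com", "sales.domain.com",
    "www.domain1.com", "www.domain2.com",
]

if __name__ == "__main__":
    for group, sites in plan_listeners("*.domain.com", SAMPLE_NAMES).items():
        print(f"{group}: {sites}")
```

Running it shows the seven *.domain.com names grouped under one listener and the two other domains left over; those are the sites that, without a shared second-level domain, fall back to option 2 (a separate IP and certificate per site).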
I've got a new series planned for 2006 which I'm calling the "ISA Firewall Quick Tip Series" that will be docs that are between 500-1500 words, in contrast to the other articles on this site which are typically 2500+ words. The Quick Tip docs won't go into the same deep detail as the other docs, but will provide useful information for people who already have a good understanding of the ISA firewall and networking, and just need a quick leg up. I've got one planned for the single IP address/SSL scenario which will be out soon.
Thomas....I found your article of great value....but did not understand why you did what you did. I run 4 web servers. Web0 just handles FTP published sites. Web1 handles just static type FrontPage web sites. Web2 hosts dynamic web sites with ASP and SQL requirements (a more robust machine). Last but not least is Web3 which is used for Sharepoint (Team) Services. What I did was the same as what you started with. I created a listener for each of my web servers (using 4 IP addresses). But when I created the publishing rule, I only have one per web server.
In the process you describe in your article, you are really not publishing a web server, but rather a single web site. If you are hosting 100 or more domains/web sites, your method would require 100 publishing rules, one for each web site/domain. I suspect that this would slow things down a bit. Each time the ISA server would have to go out and get the Intranet IP address for the domain from the Internal DNS server. This step is unnecessary!
If you simply put in the internal IP address of the web server in your publishing rule, all requests that match the public names in the listener will be routed to the proper web server, and the IIS web server, using host header differentiation, will respond with whichever web site matches the requested (forwarded from ISA) header.
My way would be faster to respond and allows you to publish unlimited domains on a single IP address from a Single Web Server hosting many web sites/domains. If I am missing something, please let me know where my thought process has gone astray!
Regards
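Both the "port trick" described earlier in the thread (one IIS server, one site per port, set via the rule's Bridging tab) and the host-header approach in the post above come down to the same thing: a listener on one public IP reads the Host header of each request and decides where to send it. The following is an added example, not code from the thread or from ISA Server itself, that models that decision. The rule names, internal IP addresses and ports are constructed for illustration; a request whose Host matches no rule's public name is refused rather than forwarded.

```python
# Added example (not from the thread or from ISA Server itself): a minimal model
# of a Web listener on a single public IP that chooses the internal server by
# the Host header, i.e. by the publishing rule's public name. Internal host,
# the "redirect requests to HTTP port" bridging setting and whether the
# original Host header is passed through are all per-rule settings here.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PublishingRule:
    public_name: str               # name external clients use for the site
    internal_host: str             # internal IP (or a name resolved via a HOSTS file)
    internal_port: int = 80        # Bridging tab: "redirect requests to HTTP port"
    keep_host_header: bool = True  # pass Host through so IIS host headers pick the site


class WebListener:
    """One listener, one public IP, many rules keyed by public name."""

    def __init__(self) -> None:
        self._rules: Dict[str, PublishingRule] = {}

    def add_rule(self, rule: PublishingRule) -> None:
        self._rules[rule.public_name.lower()] = rule

    @staticmethod
    def parse(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
        """Split a raw HTTP/1.x request into request line, header pairs and body."""
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        return lines[0], headers, body

    def route(self, raw: bytes) -> Optional[Tuple[str, int, bytes]]:
        """Return (internal_host, internal_port, request to forward), or None when
        no rule's public name matches the Host header (the request is refused)."""
        request_line, headers, body = self.parse(raw)
        lookup = {name.lower(): value for name, value in headers}
        host = lookup.get("host", "").split(":")[0].lower()   # drop any :port suffix
        rule = self._rules.get(host)
        if rule is None:
            return None
        if rule.keep_host_header:
            new_host = lookup["host"]
        else:
            new_host = f"{rule.internal_host}:{rule.internal_port}"
        out = [request_line]
        for name, value in headers:                            # rewrite only Host
            out.append(f"{name}: {new_host}" if name.lower() == "host" else f"{name}: {value}")
        rebuilt = ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body
        return rule.internal_host, rule.internal_port, rebuilt


if __name__ == "__main__":
    # Constructed rules: two sites on one IIS box told apart by port (the port
    # trick), one site on a second server that should see the internal name.
    listener = WebListener()
    listener.add_rule(PublishingRule("www.site1.example", "10.0.0.11"))
    listener.add_rule(PublishingRule("www.site2.example", "10.0.0.11", 8081))
    listener.add_rule(PublishingRule("www.site3.example", "10.0.0.12", keep_host_header=False))
    for req in (b"GET /default.aspx HTTP/1.1\r\nHost: www.site2.example\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: unknown.example\r\n\r\n"):
        print(listener.route(req))
```

The selection happens on the plain-text request, which is also why the last two posts in the thread run into trouble with SSL: on one IP and port 443 the listener has to present a certificate before it can read the Host header, so it cannot pick a certificate per site the way it picks a backend here.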
Hi Michael,
I have no problem with your approach, I just avoid using Host Headers on the Web server and use different IP addresses for each site. Also, for the internal names, you can use a HOSTS file for each FQDN, so no DNS lookups are required.
However, that said, your methods would work nicely for the scenario you point out, where there are hundreds of sites. Just gave me an idea for another article :)
BTW -- in the past, using Host Headers to differentiate each site on the server didn't work with SSL. Is this still a problem?
Yes Tom....SSL still has the same restrictions, as SSL does not use host header differentiation. It still uses IP only and requires a different IP address for each port 443 web site. So I am looking forward to your wisdom on publishing SSL web sites, especially from a hosting environment. I am sure there are some things I may have overlooked!