Welcome to ISAserver.org

Discussion on article about Web Publishing Rules and Why we Like Them

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Publishing] >> Web Publishing >> Discussion on article about Web Publishing Rules and Why we Like Them

Page: [1]

Message

<< Older Topic Newer Topic >>

Discussion on article about Web Publishing Rules and Wh... - 13.Sep.2006 3:24:38 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

This thread is for discussing the article on Web Publishing Rules and why we like them at http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html

Thanks!
Tom

< Message edited by tshinder -- 13.Sep.2006 3:28:51 PM >

_____________________________

Thomas W Shinder, M.D.

Post #: 1

Featured Links*

RE: Discussion on article about Web Publishing Rules an... - 14.Sep.2006 2:53:43 PM

mjgraves@tisecurity.

Posts: 73
Joined: 19.Jun.2006
Status: offline

In my recent testing with ISA Server 2006 I have been able to use several of the features you mention. Different authentication methods and the link translation have given us some flexibility to securely provide new services to users in some new web applications we are deploying.

Also, I have performed some vulnerability scans against the external facing ISA server and am pleased with how stealthy it appears to the outside world.

(in reply to tshinder)

Post #: 2

RE: Discussion on article about Web Publishing Rules an... - 14.Sep.2006 3:10:43 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi MJ,

You bet! That's why I've always maintained that the ISA Firewall is right up there with Check Point (and makes the PIX look like a puny Sonicwall).

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)

Post #: 3

RE: Discussion on article about Web Publishing Rules an... - 11.Oct.2007 11:29:08 PM

RobertL

Posts: 5
Joined: 11.Oct.2007
Status: offline

Hello Tom,

Thank you for this very interesting article!

I was just reading this here: " ...You can create two Web Publishing Rules, one for incoming requests to www.msfirewall.org/scripts and one for www.msfirewall.org/deployment_kits. The request for www.msfirewall.org/scripts can be redirect to a Web server named WEBSERVER1 and the second can be redirected to WEBSERVER2. We can even redirect the request to alternate paths on each Web server. ..."

This is exactly what I was going to do - but it seems I can't get it running.

My ISA on a host sitting behind a Cisco hardware firewall.

This firewall forwards HTTP requests for site1.myCompany.com and site2.myCompany.com all to my ISA host.

I would like to setup a rule that forwards this requests to the �real� hosts.

How can I do this?

Regards,
Robert

(in reply to tshinder)

Post #: 4

RE: Discussion on article about Web Publishing Rules an... - 12.Oct.2007 8:13:17 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Robert,

What have you tried that hasn't worked for you so far?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RobertL)

Post #: 5

RE: Discussion on article about Web Publishing Rules an... - 14.Oct.2007 4:54:15 PM

RobertL

Posts: 5
Joined: 11.Oct.2007
Status: offline

Hello Tom,

I try to forward requests, based on the host headers, to different hosts. This should be possible with ISA, right?

I've created a new Firwall Policy "Web Site Publishing Rule". The properties are:

I guess the interesting properties are in "From", "To", "Listener" and Public name.

I can see in the Monitoring window that request are coming in - they are just NOT passed to the webserver it seems.

What I basically try to do is use ISA as a reverse proxy. And I've tried a million ways so far to configure ISA (including all the wizards *g*).

It *should* be so straight forward - but it seems I'm missing something.

Is it possible to run ISA and the webserver (IIS) on the same box. Requests coming in on port 80 and ISA forwards them to IIS (listening in port 80) ?

Any help is appreciated!

Regards,
Robert

(in reply to tshinder)

Post #: 6

RE: Discussion on article about Web Publishing Rules an... - 15.Oct.2007 9:48:12 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

There is also the keep the original host header checkbox, did you play with that too?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RobertL)

Post #: 7

RE: Discussion on article about Web Publishing Rules an... - 20.Nov.2007 4:40:00 PM

bhavin78

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline

If I create web publishing rule for a website which needs to be accessed from internet and internal network how's that going to work.
will the internal user access website directly from webserver or the request will go through ISA?
Is there a special configuration which needs to be configure so that internal users dont have to go through ISA?

(in reply to tshinder)

Post #: 8

RE: Discussion on article about Web Publishing Rules an... - 21.Nov.2007 9:29:42 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Yes, you can use a split DNS, and then configure the internal site for Direct Access.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)

Post #: 9

RE: Discussion on article about Web Publishing Rules an... - 21.Nov.2007 10:19:36 AM

bhavin78

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline

I dont have same name for my AD domain and external domain. I am hosting website for customer which is accessed by customer from internet and by internal users from our network.
A record for the customers website are hosted from their internet dns server.
can I go ahead and just create CNAME record on my internal dns server?

(in reply to tshinder)

Post #: 10

RE: Discussion on article about Web Publishing Rules an... - 22.Nov.2007 9:30:11 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

No, you'll need to create a split DNS and configure the internal site for Direct Access.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)

Post #: 11

RE: Discussion on article about Web Publishing Rules an... - 25.Nov.2007 10:29:52 PM

bhavin78

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline

you will be right on this one but I am confused.

If the name of the website is 123.com than you want me to configure a new Forward lookup zone on existing dns server named 123.com and create a host entry pointing to webserver, right?

(in reply to tshinder)

Post #: 12

RE: Discussion on article about Web Publishing Rules an... - 26.Nov.2007 11:56:03 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Yes, on the internal zone only. The external zone needs to point to the external IP address.

Also, you need to configure 123.com for Direct Access by configuring it in the Properties of the ISA Firewall Network that the clients are coming from. Do it for both the Web Proxy and Firewall clients.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)

Post #: 13

RE: Discussion on article about Web Publishing Rules an... - 26.Nov.2007 12:17:41 PM

bhavin78

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline

quote:

Also, you need to configure 123.com for Direct Access by configuring it in the Properties of the ISA Firewall Network that the clients are coming from. Do it for both the Web Proxy and Firewall clients

how and where?

(in reply to tshinder)

Post #: 14

RE: Discussion on article about Web Publishing Rules an... - 27.Nov.2007 9:55:03 AM