I have been customizing the html login forms to create a different look and feel, but I now need to add a link to a "Forgot Password" page. It doesn't appear that you can add new forms within the ISA server, much less edit the server-side code.
If the ISA server is the only externally facing server, how/where can I add a new web form to accomplish this? Do I need another web server? Or do I have to add IIS to the ISA Server and set up a separate web application? Somebody mentioned IAG 2007, but I'm not sure how that would help.
I'm interested to see what others have done to accomplish this, as it seems like it would be a common request.
The ISA server is a firewall and not a webserver, hence why there is no way for you to inject custom HTML, ASP or whatever code into the system. The webforms are there for authentication only and all you can/should do is create custom authentication pages.
If you want to create custom webpages you need a webserver: IIS, Apache or whatever technology you want. If you stick with MS there are two options, both with pros and cons.
1) Installing IIS on the ISA server:
1.1) Pros:
- It's a cheap solution as you don't need to add an extra system in your network
- It works if you know about the socket pooling and the fact that IIS should bind on an internal IP and your listener on an external IP. More info: http://www.isaserver.org/tutorials/iis6socketpooling.html
1.2) Cons:
- ISA is a firewall and should be treated no differently than any other, even if it's a Windows server under the hood. Ever installed a webserver on your Check Point, NetScreen, PIX, ...?
- Not supported setup
- Less secure, as a compromise of your IIS will render your ISA system vulnerable
2) Installing IIS on a second server in your network:
2.1) Pros:
- The best and most secure setup you can get
- Separate roles are easier to manage as there is no potential conflict, issue, ...
- If your webserver starts getting heavy load it will NOT influence the ISA server performance.
2.2) Cons:
- You need an extra server, physical or virtual, on your internal network
- You need an extra Windows license
I have configurations running with both possible setups and both are working perfectly, but for the ISA/IIS combination I ALWAYS warn the client about the security risk and have them sign off on this setup to avoid conflicts if anything ever goes wrong. My suggestion is:
1) Check if there are any other servers on the internal network that have IIS running. You can perfectly add an extra website or virtual directory to an internal Exchange system or other webserver.
2) If no other system is available, check if you can get a budget for an extra server.
3) If there is no other option, go for ISA + IIS but warn the end user about the danger and make sure you have it in writing so they don't come yelling at you if something gets compromised.
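
For option 1, a way to verify the binding requirement mentioned in the answer (IIS on an internal IP only, the listener on the external IP). This is an added example, not part of the original answer: it parses saved `netstat -ano` output and flags wildcard listeners, which indicate socket pooling is still holding the port on every interface. The addresses, PIDs, sample output and function names are constructed for illustration.

```python
import re

# One LISTENING row of Windows `netstat -ano`: proto, local addr:port, foreign, state, PID
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
WILDCARDS = {"0.0.0.0", "[::]"}

def classify_listeners(netstat_text, internal_ip, external_ip, port=80):
    """Return (address, pid, verdict) for every TCP listener on `port`."""
    results = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(2)) != port:
            continue
        addr, pid = m.group(1), int(m.group(3))
        if addr in WILDCARDS:
            verdict = "wildcard"   # socket pooling: port held on all interfaces
        elif addr == internal_ip:
            verdict = "internal"   # where the answer says IIS should bind
        elif addr == external_ip:
            verdict = "external"   # where the answer says the listener should bind
        else:
            verdict = "other"
        results.append((addr, pid, verdict))
    return results

def pooling_disabled(netstat_text, internal_ip, external_ip, port=80):
    """True only if something listens on `port` and none of it is a wildcard bind."""
    rows = classify_listeners(netstat_text, internal_ip, external_ip, port)
    return bool(rows) and all(v != "wildcard" for _, _, v in rows)

# Constructed sample output (not captured from a real server).
BEFORE = """
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""
AFTER = """
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING       4
  TCP    203.0.113.5:80         0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, classify_listeners(text, "10.0.0.1", "203.0.113.5"),
              "ok" if pooling_disabled(text, "10.0.0.1", "203.0.113.5") else "wildcard bind")
```

The PID column is kept in the result so each listener can be matched to its owning process with `tasklist`.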