MCP 70-350: Introduction to ISA Server 2004

How ISA Server Enables Internal Resource Publishing:

Most organizations want Internet users to be able to access some resources located on their internal or protected networks. At a minimum, most organizations need to provide access to a public Web site. Organizations that are using the Internet to complete business transactions may need to make confidential information available or collect confidential information via a secure Web site. In addition, organizations may need to enable access to non-Web-based resources, such as DNS servers, media servers, or database servers.

Making internal resources accessible via the Internet increases security risks for an organization. To reduce these risks, the firewall at the perimeter of a network must be able to block all malicious traffic from entering the organization’s network, and ensure that Internet users can access only the required servers. The firewall may also need to redirect traffic to more than one internal server, and provide access to multiple Web sites or internal servers while shielding the internal network configuration from the Internet.

You can use ISA Server 2004 to provide secure access to internal resources for Internet users by using ISA Server to publish the internal resources. To configure ISA Server publishing, you configure a publishing rule that specifies how ISA Server will respond to requests from the Internet. ISA Server provides three different types of publishing rules: Web publishing rules, secure Web publishing rules, and server publishing rules.

Web Publishing Rules
ISA Server 2004 uses Web publishing to enable secure access to internal Web servers for Internet clients. When you create a Web publishing rule, you are configuring ISA Server to listen for HTTP requests from the Internet. When the request for a Web page arrives, ISA Server evaluates the request. If the request matches the properties of a Web publishing rule, ISA Server forwards the request to an internal Web server. The internal Web server sends the requested Web page to ISA Server, which then forwards the Web page to the Internet client. If caching is enabled on ISA Server, subsequent requests for the Web page can be provided from the ISA Server cache.

Secure Web Publishing Rules
Some organizations need additional security for their Web sites. The sites may contain confidential organizational data that can be accessed only by specified users, or they may collect confidential data from Internet users, including personal and credit card information. The data may need to be encrypted while it is crossing the Internet. You can help to protect such Web servers from Internet attacks by using ISA Server as a firewall, and by using Web publishing rules to enable access to the site. To encrypt traffic between the internal network and the Internet client, you need to configure a secure Web publishing rule.

A secure Web publishing rule is a regular Web publishing rule that uses Secure Sockets Layer (SSL) on port 443 to encrypt all traffic passed from the internal network to the Internet client. ISA Server provides multiple options for using SSL. For example, you can configure ISA Server to encrypt all traffic between ISA Server and the Internet client, but not to encrypt the traffic on the internal network. Alternatively, you can encrypt only traffic on the internal network. You can also configure ISA Server to encrypt traffic both on the internal network and to and from the Internet. You can configure ISA Server to apply application filtering on the encrypted packets as well. With this configuration, the ISA Server computer will decrypt the packet, filter it, and then encrypt the packet again.

Server Publishing Rules
Web publishing and secure Web publishing can grant access only to Web servers using HTTP or Hypertext Transfer Protocol Secure (HTTPS). To grant access to internal resources using any other protocol, you must configure server publishing rules. When you create a server publishing rule, you are configuring ISA Server to listen for client requests using a particular port number. When ISA Server receives a request on the external interface for that port, it checks the server publishing rule to determine which internal server is providing the service. ISA Server then passes the request to the internal server configured in that server publishing rule. The internal server responds to the client request, forwarding the response through ISA Server.
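
The three rule types described above, sketched as a small Python model of how a request arriving at the external interface is matched and handled. This is an added illustration, not ISA Server code or its management API; the Rule class, the handle function, the first-match ordering, and all host names and addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Conceptual model only: hypothetical names, not ISA Server objects or its API.
@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                      # "web", "secure_web" or "server"
    port: int                      # port listened on at the external interface
    internal_server: str           # constructed internal address
    public_name: str = ""          # requested host name (Web rules only)
    ssl_external: bool = False     # SSL between Internet client and ISA
    ssl_internal: bool = False     # SSL between ISA and the internal server
    app_filter: bool = False       # inspect the request at the firewall

def matches(rule: Rule, port: int, host: Optional[str]) -> bool:
    if rule.port != port:
        return False
    if rule.kind == "server":      # server publishing keys on the port alone
        return True
    return host is not None and host.lower() == rule.public_name.lower()

def handle(rules: List[Rule], port: int, host: Optional[str] = None) -> Optional[dict]:
    """Return how the first matching rule treats the request, or None (dropped)."""
    for rule in rules:             # assumption: ordered list, first match wins
        if not matches(rule, port, host):
            continue
        steps = []
        if rule.ssl_external:
            steps.append("decrypt")    # SSL from the client ends at the firewall
        if rule.app_filter:
            steps.append("filter")     # filtering needs the decrypted request
        if rule.ssl_internal:
            steps.append("encrypt")    # new SSL session to the internal server
        steps.append("forward")
        return {"rule": rule.name, "to": rule.internal_server, "steps": steps,
                "clear_on_internet": not rule.ssl_external}
    return None                    # nothing published for that port or name

# Constructed sample policy; names and addresses are made up.
POLICY = [
    Rule("Public site", "web", 80, "10.0.0.10", "www.example.com"),
    Rule("Shop", "secure_web", 443, "10.0.0.20", "shop.example.com",
         ssl_external=True, ssl_internal=True, app_filter=True),
    Rule("Webmail", "secure_web", 443, "10.0.0.30", "mail.example.com",
         ssl_external=True),
    Rule("DNS", "server", 53, "10.0.0.53"),
]

if __name__ == "__main__":
    for port, host in [(80, "www.example.com"), (443, "shop.example.com"),
                       (53, None), (443, "intranet.example.com"), (3389, None)]:
        print(port, host, "->", handle(POLICY, port, host))
```

The "Shop" rule shows the decrypt, filter, encrypt sequence the secure Web publishing section describes, while requests for an unpublished name or port match no rule and are not forwarded.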
