HOWTO: Configuring Microsoft ISA Server with Zetalink
ID: ZTN2021
This Zetalink technical note applies to:
- Zetalink version 1.0
- Microsoft Internet Security and Acceleration server 2000
Summary
This document details methods for providing access to Zetalink when protected by a corporate firewall (specifically Microsoft Internet Security and Acceleration (ISA) server) and should be read in conjunction with the Zetalink Implementation Guide.
ISA Server allows you to make internal resources, such as web servers, email servers and FTP servers, available to Internet users. This process of making internal services available to users on an external network is called "Publishing". When you publish a service on your internal, private network, you are allowing selective access to external users.
More information
The Zetalink External Website components can communicate with the Zetalink Server components using either SOAP or DCOM. SOAP is used when these two components are separated by an ISA server, and DCOM when both are protected on the same internal network by ISA. In both cases, configuration changes are required on the ISA server to allow WAP access to Zetalink; they are detailed below:
Zetalink External Website behind an ISA server
Configure the ISA server Inbound Request Listener
By default, ISA server drops all requests received on port 80. You therefore need to configure the ISA server to accept incoming Web requests on the external interface:
- Open the ISA Management snap-in and expand Servers and Arrays.
- Right click the name of the ISA server and select 'Properties'.
- Select the 'Incoming Web Requests' tab and select 'Add'.
- Select the ISA server name and the IP address of the external interface.
- Leave the other default settings.
- Select OK to close the 'Add/Edit Listeners' dialog.
- Confirm the 'TCP port' is set to 80 and click OK to close.
Create the Zetalink Destination Set
You now need to configure a destination set that will point inbound clients to the appropriate folder that is used by the Zetalink Website.
- Navigate to Policy Elements/Destination Sets, then right click and select 'New' then 'Set'.
- Enter a descriptive name for the destination set, and then click 'Add'.
- Enter the name of the 'Destination'. This needs to be the name of the published Website (e.g. www.domain.com) that resolves to the external IP address on the ISA server.
- Enter the 'Path' to the Zetalink virtual directory as:
/Zetalink/*
- Click OK and OK again to close the 'Destination Set' dialog.
Create the Web Publishing rule
You now need to publish the IIS server hosting the Zetalink External Website using the destination set created above.
- Select Publishing/Web Publishing Rules, right click and select 'New' then 'Rule' to launch the Web Publishing Rule Wizard.
- Give the rule a descriptive name.
- Select 'Apply this rule to:' "Specified destination set" and for 'Name:' select the destination set created above. Click 'Next'.
- Select the appropriate 'Client Type'.
- On the 'Rule Action' window select 'Redirect the request to this internal Web server (name or IP address):'. This can be the IP address or NetBIOS name of the IIS server hosting the Zetalink External Website.
- Check "Send the original host header to the publishing server instead of the actual one (specified above)" and click 'Next'. With this option set, the host header passed to the IIS server contains the name from the original request rather than the name or IP address of the IIS server. In this way, multiple web sites that are configured by using host headers on the IIS server will work correctly.
- Click 'Finish' to complete the wizard.
- Use the Services snap-in to restart the 'Microsoft Firewall' and 'Microsoft Web Proxy' services.
At this point you should be able to enter the URL 'http://www.domain.com/Zetalink/test.htm' (where www.domain.com is the name that resolves to the external IP address on the ISA server) and confirm the Zetalink test page is displayed in your browser.
Zetalink External Website separated from the Zetalink server by an ISA server
When the IIS server is protected within a perimeter network, follow the instructions in the "Zetalink External Website behind an ISA server" section to configure the outer firewall, and these instructions to configure the inner firewall. For simplicity's sake, this section will assume the IIS server is unprotected by an outer firewall and not configured in a perimeter network.
Configure the ISA server Inbound Request Listener
By default, ISA server drops all requests received on port 80. You therefore need to configure the ISA server to accept incoming Web requests on the external interface:
- Open the ISA Management snap-in and expand Servers and Arrays.
- Right click the name of the ISA server and select 'Properties'.
- Select the 'Incoming Web Requests' tab and select 'Add'.
- Select the ISA server name and the IP address of the external interface.
- Leave the other default settings.
- Select OK to close the 'Add/Edit Listeners' dialog.
- Confirm the 'TCP port' is set to 80 and click OK to close.
Create the Zetalink Destination Set
You now need to configure a destination set that will point the Zetalink External Website to the appropriate folder that is used by the Zetalink server for SOAP.
- Navigate to Policy Elements/Destination Sets, then right click and select 'New' then 'Set'.
- Enter a descriptive name for the destination set, and then click 'Add'.
- Enter the name of the 'Destination'. This needs to be the IP address of the interface connected to the perimeter network or the published name that resolves to the externally accessible IP address on the ISA server.
- Enter the 'Path' to the Zetalink SOAP directory as:
/ZetalinkSOAP/*
- Click OK and OK again to close the 'Destination Set' dialog.
Create the Web Publishing rule
You now need to publish the IIS server hosting the Zetalink SOAP virtual directory using the destination set created above. The Zetalink server uses this directory to communicate with the Zetalink External Website.
- Select Publishing/Web Publishing Rules, right click and select 'New' then 'Rule' to launch the Web Publishing Rule Wizard.
- Give the rule a descriptive name.
- Select 'Apply this rule to:' "Specified destination set" and for 'Name:' select the destination set created above. Click 'Next'.
- Select the appropriate 'Client Type'.
- On the 'Rule Action' window select 'Redirect the request to this internal Web server (name or IP address):'. This can be the IP address or NetBIOS name of the IIS server hosting the Zetalink SOAP virtual directory.
- Check "Send the original host header to the publishing server instead of the actual one (specified above)" and click 'Next'.
- Click 'Finish' to complete the wizard.
- Use the Services snap-in to restart the 'Microsoft Firewall' and 'Microsoft Web Proxy' services.
At this point you should be able to test the SOAP connection from the IIS server hosting the Zetalink External Website. Use a browser and enter the URL: http://www.domain.com/ZetalinkSOAP/EqSOAPPull.wsdl (where www.domain.com is the published name that resolves to the externally accessible IP address on the ISA server, or the IP address of the interface connected to the perimeter network) and confirm the Zetalink SOAP page is displayed in your browser.
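The browser tests above confirm that the published path is reachable; they do not confirm that nothing else is. The following script is an added example, not part of the original note or of Zetalink: it requests the note's test URL and also a set of paths that lie outside the destination set, and reports any that answer. The function names and the choice of negative paths are assumptions made for illustration.

```python
import urllib.error
import urllib.request


def http_status(url, timeout=5):
    """Return the HTTP status for a GET, or None if no response was received."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # the firewall or server answered with 4xx/5xx
    except (urllib.error.URLError, OSError):
        return None              # refused, dropped, or timed out


def check_rule(base_url, published, unpublished, fetch=http_status):
    """Check one publishing rule and return a list of findings (empty = OK).

    published   -- path the destination set is meant to expose
    unpublished -- paths that should NOT be reachable through this rule
    fetch       -- status lookup; replaceable so the logic can be tested offline
    """
    findings = []
    status = fetch(base_url + published)
    if status != 200:
        findings.append(f"{published}: expected 200, got {status}")
    for path in unpublished:
        status = fetch(base_url + path)
        if status is not None and 200 <= status < 400:
            findings.append(
                f"{path}: reachable ({status}) but outside the destination set")
    return findings


if __name__ == "__main__":
    # www.domain.com is the note's placeholder for the published name.
    base = "http://www.domain.com"
    # With only the /Zetalink/* destination set published, the site root and
    # the SOAP directory should not answer unless another rule publishes them.
    problems = check_rule(base, "/Zetalink/test.htm",
                          ["/", "/ZetalinkSOAP/EqSOAPPull.wsdl"])
    print("\n".join(problems) or "rule exposes only the expected path")
```

For the inner firewall, swap the arguments so that /ZetalinkSOAP/EqSOAPPull.wsdl is the published path and /Zetalink/test.htm is among the negatives, and run it from the IIS server hosting the Zetalink External Website.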
References
ZTN2019-HOWTO Enabling HTTPS support on an ISA server
ZTN2020-HOWTO Enabling HTTPS support on an IIS web server
ZTN2022-HOWTO Configuring Zetalink to only allow HTTPS access
Last updated: 23 November 2001 (GC/DH)