Web publishing rules

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Internet Security and Acceleration (ISA) Server uses Web publishing rules to relieve the concerns associated with publishing Web content to the Internet without compromising internal network security. Web publishing rules determine how ISA Server should intercept incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server and how ISA Server should respond on behalf of the Web server. Requests are forwarded downstream to an internal Web server, located behind the ISA Server computer. If possible, the request is serviced from the ISA Server cache.

Web publishing rules essentially map incoming requests to the appropriate Web servers behind the ISA Server computer.

Important

  • It is recommended that you do not enable directory browsing on the Web server that is published by ISA Server. Also, the Web server cannot require digest or basic authentication. If it does, the internal name or IP address of the Web server may be exposed on the Internet.

For more information, see How caching works, Controlling incoming requests, and Create a Web publishing rule.

Destination sets and client sets

For Web publishing rules, destination sets usually include the external name of your ISA Server computer and path. Client address sets probably include Internet Protocol (IP) addresses of clients located on the Internet, including those not necessarily in your corporate network. For more information, see Configure a destination set for a Web publishing rule and Configure users for a Web publishing rule.

Action

Web publishing rules specify which server (if any) should return the requested object. The request can be discarded or redirected to an alternate site, usually to a Web server on your corporate network. For more information, see Configure an action for a Web publishing rule.

When you configure the rule to redirect to a hosted site, ISA Server retrieves the object from the path, specified in the request, on the host computer. For example, suppose you specify that ISA Server redirect requests for example.microsoft.com/development to a host computer called Dev. When a client requests an object from example.microsoft.com/development, then ISA Server retrieves the object from the development folder on Dev.

Web publishing rules determine the requested destination by reading the host header.

Bridging

With bridging, you can configure how traffic should be passed to the Web server. For example, suppose a client uses Secure Sockets Layer (SSL) to communicate with the ISA Server computer and a Web publishing rule maps the request to an internal Web server. The initial communication uses SSL. However, by default, all further communication uses a protocol that is not secure, such as Hypertext Transfer Protocol (HTTP).

When you create a Web publishing rule, you can configure how SSL requests should be redirected—as HTTP requests or as SSL requests. If requests are redirected as SSL requests, then ISA Server re-encrypts the packets before passing them on to the Web server. In other words, a new secure channel is established for the communication with the SSL Web server. This redirection is also referred to as SSL bridging. For more information, see SSL bridging.

You can also secure HTTP communication. That is, even if the initial communication uses HTTP, after ISA Server passes the request to the internal Web server, the communication can be redirected using SSL. If the request is redirected as an SSL request, then the packets are encrypted.

You can also set whether HTTP or SSL requests should be passed on as an FTP request to the Web server. In other words, if the external client requests an object using HTTP or SSL, ISA Server can then redirect the request to the internal Web server using FTP. If you configure bridging in this way, you can specify which port should be used when bridging FTP requests.

The upstream Web server may require a client certificate. In this case, configure ISA Server to authenticate with a specific client-side certificate.

If you configure the Web publishing rule to require a secure channel, then all client requests for the specified destinations must be on the port specified for SSL connections.

For more information, see Configure an action for a Web publishing rule, Use client-side certificate to authenticate to Web server, Enable SSL listeners, Configure how to redirect HTTP requests for Web publishing rules, and Configure how to redirect SSL requests for Web publishing rules.

Rule order

Web publishing rules are processed in order, for each incoming Web request. When the rule matches a request, the request is routed and cached accordingly. If no rule matches the request, ISA Server processes the default rule and discards the request.

For more information, see Change the order of a Web publishing rule and Controlling incoming requests.

Default Web publishing rule

When you install ISA Server, it configures a default Web publishing rule. The default rule is configured so that all requests are discarded.

The default Web publishing rule is last in the order. You cannot modify or delete the default Web publishing rule.

Example

Suppose you want to publish two internal servers, on the example.microsoft.com domain, one called Dev and one called Mktg. The Mktg computer should return objects when a client requests //example.microsoft.com/Marketing, and Dev should return objects when a client requests //example.microsoft.com/Development.

First, create two destination sets. The first destination set, called Marketing, should include the computer \\example.microsoft.com and the path \Marketing\*. The second destination set, called Development, should include the computer \\example.microsoft.com and the path \Development\*.

Next, create two Web publishing rules which redirect requests to the appropriate internal Web servers. Configure the first Web publishing rule with the following parameters:

  • Set Destination Set to the Marketing destination set.

  • Set Applies to to Any user, group, or client computer.

  • Set Action to Redirect to a hosted site and specify Mktg as the specified host.

Configure the second Web publishing rule with the following parameters:

  • Set Destination Set to the Development destination set.

  • Set Applies to to Any user, group, or client computer.

  • Set Action to Redirect to a hosted site and specify Dev as the specified host.

When a client requests an object on //example.microsoft.com/Development, ISA Server retrieves the request from /Dev/Development.

For more detailed scenarios that illustrate the use of Web publishing rules, see Web publishing scenarios.