Configure the perimeter network addressing
To publish a Web server on a perimeter network, you must assign a range of public Internet Protocol (IP) addresses to computers that are on the perimeter network. To assign the IP addresses, use one of the following methods.Method 1
Use a separate, publicly accessible IP address range for computers that are on the perimeter network.Method 2
Subnet your public IP address range. Divide the IP addresses between the computers that are on the external network and the computers that are on the perimeter network.Note You must also reconfigure upstream routers to recognize each subnet as a separate network.
For additional information about how to subnet an IP address range, click the following article number to view the article in the Microsoft Knowledge Base:
269098
How to configure Windows 2000 subnets
Method 3
You can assign a range of private IP addresses to the computers that are connected to the perimeter network.For example, consider the network configuration where:
- Your ISP assigns you an IP address for the external interface of the ISA Server computer.
- You assign the IP address range 192.168.0.x/24 to the internal network.
- You assign the IP address range 192.168.1.x/24 to the perimeter network.
- A routing relationship between the internal network and the perimeter network.
- A network address translation (NAT) relationship between the internal network and the external network.
- A network address translation relationship between the perimeter network and the external network.
Verify the DNS entries
To configure ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition behind a NAT router and to use a range of private addresses in the perimeter network, you must configure a publicly-accessible DNS server with the A resource record or with the CNAME resource record of the Web server that resolves to the IP address of the external network interface of the NAT router. In this scenario, you also have to map this IP address to the external network interface of the ISA Server computer.Note If you do not maintain your own publicly-accessible DNS server, contact your Internet service provider (ISP) for this configuration. For additional information about how to configure a DNS server, click the following article numbers to view the articles in the Microsoft Knowledge Base:
172953
How to install and configure Microsoft DNS Server
308201 How to create a new zone on a DNS server
Configure the perimeter network for ISA Server
Configure the perimeter network on the ISA Server computer. To do this, follow these steps:- Start the ISA Server Management tool.
- Expand ServerName where ServerName is the name of your ISA Server computer.
- Expand Configuration, and then click Networks.
- Click the Tasks tab, and then click Create a New Network.
- In the Network name box, type a descriptive name for the perimeter network, and then click Next.
- Click Perimeter Network, and then click Next.
- Click Add Adapter, click to select the check box of the network adapter that is connected to the perimeter network, and then click OK.
- Click Next, and then click Finish.
- Click Apply to update the firewall policy, and then click OK.
Configure the perimeter network for Microsoft Forefront Threat Management Gateway, Medium Business Edition
Configure the perimeter network on the computer that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition. To do this, follow these steps:- Start the Forefront Threat Management Gateway Management Management console.
- Expand Forefront Threat Management Gateway Servername, where Servername is the name of the computer that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition.
- Click Networking, and then on the Tasks tab, click Create a New Network.
- In the Network Name box, type a descriptive name for the perimeter network (for example, Perimeter), and then click Next.
- In the Network Type section, click Perimeter Network, and then click Next.
- On the Network Addresses page, click Add Adapter, select the adapter that you configured earlier for this network, and then click OK.
- Click Next, and then click Finish.
Publish the Web server computer
To publish the Web server computer, follow these steps.Note These steps describe how to publish a Web site that allows for anonymous access. To publish a Web site that requires authentication, or to publish a Web site that requires a Secure Sockets Layer (SSL) connection, modify these steps as appropriate for your requirements.
Microsoft Forefront Threat Management Gateway, Medium Business Edition
- Start the Forefront Threat Management Gateway Management console.
- Expand ServerName, where ServerName is the name of the computer that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition.
- Click Firewall Policy, click Tasks tab, and then click Publish Web Sites.
- In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
- Make sure that the Allow option is selected, and then click Next.
- Make sure that the Publish a single Web site or load balancer option is selected, and then click Next.
- Click Use non-secured connections to connect the published Web server or server farm, and then click Next.
- In the Internal site name box, type the internally-accessible name of the Web server, click to select the Use a computer name or IP address to connect to the published server check box, type the internally-accessible fully qualified domain name, or in the Computer name or IP address box, type the IP address of the Web server, and then click Next.
- In the Path (optional) box, type the name of the particular folder that you want to publish in the Web site. In the Web site box, the full path of the published site is displayed. Click Next.
- In the Public name box, type the publicly-accessible domain name of the Web server, and then click Next.
- In the Accept requests for list, click This domain name (type below).
- In the Public name box, type the publicly-accessible fully qualified domain name of the Web site, and then click Next.
- In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
- Click New, type a descriptive name for the new Web listener, and then click Next.
- Click Do not require SSL secured connections with clients, and then click Next.
- In the Listen for requests from these networks list, click to select External, and then click Next.
- In the Select how clients will provide credentials for Forefront TMG list, click No Authentication, and then click Next.
- On the Single Sign On Settings page, click Next, and then click Finish.
- Click Next.
- In the Select the method used by Forefront TMG to authenticate to the published Web server list, click No delegation, and client may authenticate directly, and then click Next.
- In the This rule applies to requests from the following user sets box, remove All Authenticated Users, select All Users, click Next, and then click Finish.
- Click Apply to update the firewall policy, and then click OK.
ISA Server 2006
- Start the ISA Server Management tool.
- Expand ServerName, where ServerName is the name of the ISA Server computer.
- Click Firewall Policy, click the Tasks tab, and then click Publish Web Sites.
- In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
- Leave the Allow option selected, and then click Next.
- Leave the Publish a single Web site or load balancer option selected, and then click Next.
- Click Use non-secured connections to connect the published Web server or server farm, and then click Next.
Note For more information about the connection security methods that are available in ISA Server 2006, click the server connection security link. - In the Internal site name box, type the internally-accessible name of the Web server, click to select the Use a computer name or IP address to connect to the published server check box, type the internally-accessible and fully qualified domain name, or type the IP address of the Web server computer, in the Computer name or IP address box, and then click Next.
- In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
- If you only want to publish a particular folder in the Web site, type that folder name in the Path (optional) box. The full path of the published Web site appears in the Web site box.
- Click Next.
- In the Accept requests for list, click This domain name (type below), type the publicly-accessible fully qualified domain name of the Web site in the Public name box, and then click Next.
- In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
- Click New, type a descriptive name for the new Web listener, and then click Next.
- Click Do not require SSL secured connections with clients, and then click Next.
- In the Listen for requests from these networks list, click to select the External check box, and then click Next.
- In the Select how clients will provide credentials to ISA Server list, click No Authentication, and then click Next.
Note For more information about the authentication methods that are available in ISA Server 2006, click the authentication settings link. - On the Single Sign On Settings page, click Next, and then click Finish.
- Click Next.
- In the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, and client cannot authenticate directly, and then click Next.
Note For more information about the authentication delegation methods that are available in ISA Server 2006, click the authentication delegation link. - Leave the default user setting of All Users in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
- Click Apply to update the firewall policy, and then click OK.
ISA Server 2004
- Start the ISA Server Management tool.
- Expand ServerName where ServerName is the name of your ISA Server computer.
- Click Firewall Policy, click the Tasks tab, and then click Publish a Web Server.
- In the Web publishing rule name box, type a descriptive name for the Web publishing rule, and then click Next.
- Leave the Allow option selected, and then click Next.
- In the Computer name or IP address box, type the IP address of the Web server computer, and then click Next.
- In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
- In the Web listener list, click the Web listener that you want to use for this Web publishing rule. If you want to create a new Web listener, follow these steps:
- Click New, type a descriptive name for the new Web listener, and then click Next.
- In the Listen for requests from these networks list, click to select the External check box, and then click Next.
- Leave the Enable HTTP check box selected, click Next, and then click Finish.
- Click Next, leave the default user set of All Users in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
- Click Apply to update the firewall policy, and then click OK.
Configure the default gateway on the Web server
On the Web server computer, set the default gateway to the IP address of the ISA Server computer's network adapter that connects to the perimeter network. To do this, follow these steps:- On the Web server computer, click Start, point to Settings, and then click Control Panel.
- Double-click Network and Dial-up Connections, right-click the network connection, and then click Properties.
- In the list of components, double-click Internet Protocol (TCP/IP).
- In the Default gateway box, type the IP address of the ISA Server computer's perimeter network interface.
- Click OK two times.
Troubleshooting
Verify that the internal network does not contain the IP addresses of computers that are on the perimeter network. To view the internal network:- Start the ISA Server Management tool or Forefront Threat Management Gateway Management tool.
- Expand ServerName, where ServerName is the name of your ISA Server or the name of the computer that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition.
- In ISA Server, expand Configuration, and then click Networks. In Microsoft Forefront Threat Management Gateway, Medium Business Edition, click Networking, and then click Networks.
- Click the Networks tab, right-click Internal, and then click Properties.
- Click the Addresses tab, and then verify the address range that appears.