How to use ISA Server 2004 or Microsoft Forefront Threat Management Gateway, Medium Business Edition to redirect requests to different Web sites based on the client IP address

This step-by-step article describes how to use ISA Server 2004 or Microsoft Forefront Threat Management Gateway, Medium Business Edition to redirect requests to different internal Web sites based on a client Internet Protocol (IP) address.

The article describes how to configure ISA Server 2004 or Microsoft Forefront Threat Management Gateway, Medium Business Edition to redirect requests from two separate client sets to two different internal Web sites. This redirection process occurs when the client requests originate from the same network and target the same IP address on the ISA Server 2004-based computer or a Microsoft Forefront Threat Management Gateway, Medium Business Edition-based computer. In this case, you can configure a single Web listener. A Web listener is associated with a point of entry for the traffic into the ISA Server 2004-based computer or a Microsoft Forefront Threat Management Gateway, Medium Business Edition-based computer.

Note Although the scenario in this article describes the configuration for a Web listener that listens for requests on a single network, you can configure a Web listener to listen for requests from multiple networks.

To group the client addresses that you want to direct to each internal Web site, you can specify the address sets by creating computer sets or by using a built-in computer set. Then, you can configure Web publishing rules that determine where to direct the traffic for each computer set. The Web publishing rules are where the differentiation between client sets occurs. To redirect requests from two different client sets to two different internal Web sites, follow these steps:

1. Configure a single Web listener.
2. Use either of the following methods.
   • Create two client computer sets.
   • Create one computer set for a specific IP address or address range, and then set the default Anywhere computer to redirect all other traffic.
3. Configure a Web publishing rule for each Web site.
   
   Note You must associate both Web publishing rules with the same Web listener.
4. Configure the first Web publishing rule to apply to traffic that originates from a specific computer set.
5. Configure the second Web publishing rule to apply to traffic that originates from a second specific computer set, or from the built-in Anywhere computer set.

Create the Web listener

To create the Web listener that will be used by both Web publishing rules, follow these steps:

1. In ISA Server Management (the Microsoft Management Console that is included in ISA Server 2004) or in Microsoft Forefront Threat Management Gateway, Medium Business Edition Server Management, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. Under Network Objects, click New, and then click Web Listener.
4. In the Web listener name box, type a name for the Web listener, and then click Next.
5. Under IP Addresses, click to select the check box for the network that you want the Web listener to listen for requests from, and then click Next.
6. Under Port Specification, configure the HTTP or the SSL port information that is specific to your environment, and then click Next.
7. Click Finish.

Create the computer sets

When you create the computer sets you can do either of the following:

• You can create two specific computer sets if you know both of the client IP address ranges that you want to redirect to either Web site.
• You can create one computer set to apply to a specific IP address range, and then use the built-in Anywhere computer set to apply to all other traffic.

To create a computer set, follow these steps:

1. In ISA Server Management or in Microsoft Forefront Threat Management Gateway, Medium Business Edition Server Management, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. Under Network Objects, click New, and then click Computer Set.
4. In the Name box, type a name for the computer set.
5. Click Add.
6. Click Computer, and then either click Address Range or click Subnet depending on what you want to specify.
7. Configure the name and IP address information for the computer, the address range or the subnet element, and then click OK.
8. Repeat steps 5 through 7 for each computer, address range or subnet element that you want to add to the computer set.
9. Click OK.
10. If you know the client IP address range for the second computer set, repeat steps 3 through 9 for the second computer set.

Create a Web publishing rule for each Web site

For each Web site, create a Web publishing rule by using the same Web listener. Then, assign the appropriate computer set to the Web publishing rule.

ISA Server 2004

1. In ISA Server Management, click Firewall Policy.
2. On the Tasks tab, click Publish a Web Server.
3. In the Web publishing rule name box, type a name for the Web publishing rule for the first Web site, and then click Next.
4. Under Select Rule Action, click Allow, and then click Next.
5. Under Define Website to Publish, specify the Web server where the Web site is located and the path that you want to publish, and then click Next.
6. Under Public Name Details, specify the public domain name or the IP address that users will type to reach the published site, and then click Next.
7. Under Select Web Listener, click to select the Web listener that you created earlier in the Web listener list, and then click Next.
8. Under User Sets, click Next to accept the default setting of all users.
9. Click Finish.

Microsoft Forefront Threat Management Gateway, Medium Business Edition

1. Start the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server Management snap-in. Expand the Threat Management Gateway Server computer node, and then click Firewall Policy.
2. On the Tasks tab, click Publish Web Sites to start the New Web Publishing Rule Wizard.
3. In the Web publishing rule name box, type a name for the rule. For example, type Publish internal Web server, and then click Next.
4. On the Select Rule Action page, make sure that the default Allow action check box is selected. This setting enables requests to reach the Web server according to the conditions that the rule sets. Click Next.
5. On the Publishing Type page, leave the default Publish a single Web site or load balancer check box selected, and then click Next.
6. Click Use non-secured connections to connect the published Web server or server farm and then click Next.
   
   Note If you want to publish a Web server that receives HTTPS requests, click Use SSL to connect to the published Web server or server farm. In this situation, you must have a digital certificate installed on the server. For more information about digital certificates, visit the following Microsoft Web site:
   http://technet.microsoft.com/de-de/library/cc302649.aspx
7. On the Internal Publishing Details page, follow these steps:
   1. In the Internal site name box, type the intranet address of the Web site. For example, type TMG_Server_Name in the Internal site name box. Do not include "http://" in this Web address.
   2. Click to select the Use a computer name or IP address to connect to the published server check box.
   3. In the Computer name or IP address box, type either the fully qualified domain name (FQDN) of the Microsoft Forefront Threat Management Gateway, Medium Business Edition server computer or the IP address of the internal network adapter of the Microsoft Forefront Threat Management Gateway, Medium Business Edition server computer.
   4. Click Next.
8. On the Internal Publishing Details page, follow these steps:
   1. If you want to publish a particular folder on the Web site, type that folder name in the Path (optional) box. If you leave this box blank, you will publish the whole site.
   2. Click to select the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box.
   3. Click Next.
9. On the Public Name Details page, provide information about what requests will be received by the ISA Server computer and forwarded to the Web server component. To do this, follow these steps:
   1. In the Accept requests for list, click either Any domain name or This domain name (type below).
      
      Note If you click Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to the Web site. If you click This domain name (type below) and provide a specific domain name, such as www.fabrikam.com, only requests for http://www.fabrikam.com will be forwarded to the Web server component. This configuration assumes that the domain name resolves to the IP address of the external Web listener of the Microsoft Forefront Threat Management Gateway, Medium Business Edition server-based computer.
      
      Note If you want to publish Web sites under more than one domain name, such as www.fabrikam.com and www.adatum.com, you must click This domain name (type below) and specify the domain name in this step. You must specify the domain name so that separate Web publishing rules for the two domains will route requests to the correct sites.
   2. If you click This domain name (type below), type the domain name in the Public name box. For example, type www.fabrikam.com.
   3. If you specify a folder in the Path box, such as News, the path will be required in the request. For example, if you specify News as the path, you must visit the http://www.fabrikam.com/news address to access the Web site. The required request format appears in the Site box. Click Next.
10. On the Select Web Listener page, select the Web listener that you have created in the "Create the Web listener" method.
11. On the Authentication Delegation page, click the kind of delegation that you want to use in the Select the method used by Microsoft Forefront Threat Management Gateway, Medium Business Edition to authenticate to the published Web server list. For a typical Web publishing scenario, click No delegation, and client cannot authenticate directly.
12. On the User Sets page, make sure that the default All users user set appears. This setting enables any computer in the external network to access the published Web pages. Click Next.
13. On the Completing the New Web Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and then click Finish.

Accept traffic from a specific computer set

You have created a Web publishing rule in ISA Server 2004 or in Microsoft Forefront Threat Management Gateway, Medium Business Edition. However, the rules that you have created accept traffic from all sources.To configure the Web publishing rule to accept traffic from a specific computer set, follow these steps:

1. Right-click the Web publishing rule that you just created, and then click Properties.
2. Click the From tab.
3. Click Anywhere, and then click Remove.
4. To add the specific computer set, click Add.
5. Expand Computer Sets, click the computer set that you created earlier, click Add, and then click Close.
6. Click OK.
7. If you created two specific computer sets, repeat the steps to create a Web publishing rule for the second Web site that applies to the second computer set.
8. If you created only one custom computer set and you want to use the built-in Anywhere computer set to direct all other traffic to the second Web site, follow these steps:
   1. Create the second Web publishing rule. To do this, repeat the steps in the "ISA 2004" section for an ISA 2004 Server computer or the steps in the "Microsoft Forefront Threat Management Gateway, Medium Business Edition" section for Microsoft Forefront Threat Management Gateway, Medium Business Edition server.
      
      Note By default, the Web publishing rule applies to traffic from the built-in Anywhere computer set.
   2. Make sure that the Web publishing rule that applies to the Anywhere computer set is listed below the Web publishing rule that you created for the specific client set. To verify this, view the Web publishing rules in the middle pane. The Order column lists the order in which the ISA Server 2004-based or Microsoft Forefront Threat Management Gateway, Medium Business Edition-based computer will process the rules. To move a rule down, right-click the Web publishing rule, and then click Move Down.
      
      The ISA Server 2004 computer or the Microsoft Forefront Threat Management Gateway, Medium Business Edition computer processes the Web publishing rule that applies to the Anywhere computer set last. Therefore, the rule automatically applies to all clients that are not in the computer set that you created for the first Web publishing rule.
9. Click Apply to save the changes and to update the configuration, and then click OK.

For more information about how to configure Web publishing rules, click Help on the Action menu, type configure Web publishing rules in the Type in the word(s) to search for box, and then press ENTER.

For more information about Web listeners, click Help on the Action menu, type Web listener overview in the Type in the word(s) to search for box, and then press ENTER.