How to configure two different portals (secure and nonsecure) with the same IP/FQDN based on source IP address or Network - ISA IAG integration
Created by forefrontforums on 10/13/2010 9:30:46 PM

Before you begin

The following technical article was written based on the following customer requirements:

  1. Only one SSL Certificate
  2. Only one FQDN name (DNS entry) and one external IP (I used internal IP's for the demo)
  3. Two different portals for 2 different types of users
  4. Allow access to these portals based on source IP address or network

The following diagram illustrates the custom architecture based on the requirements above, with ISA and IAG integrated on the same appliance / virtual appliance

Important to know!

  1. I will not demonstrate how to create IAG portals in this technical article; there are articles / videos for that purpose on our site www.ForefrontSecurity.org
  2. I will not demonstrate how to create the relevant ISA rules, but I will show all the detailed configurations
  3. ISA server on the IAG appliance / virtual appliance in the following architecture will publish the IAG portals. This means that ISA will perform:
  • HTTP and SSL Termination (Reverse Proxy)
  • Link Translation
  • Application Layer Inspection
  • Path validation
  • Public name validation (FQDN)
  • Layer 3 and Layer 4 protection (Source / Destination IP / ports)
  4. In the following scenario ISA will not perform any kind of authentication, IAG will be responsible for that

Prerequisites

  1. Create your own 2 IAG portals, the first an HTTPS portal and the second an HTTP portal
  2. Configure HOST records on the ISA server (C:\Windows\System32\drivers\etc\hosts) so it can resolve the public names of the IAG portals. In our scenario we used the following HOSTS records:

    39.1.1.2    nonsecure.iagserver.org

    39.1.1.3    portal.iagserver.org

Configuration Procedures

Phase 1: Create the IAG portals

  1. The following print screen presents the secured HTTPS portal with Public hostname (FQDN): portal.iagserver.org , port 443 and IP address 39.1.1.3 as I showed in the diagram above

  2. The following print screen presents the nonsecure HTTP portal with Public hostname (FQDN): nonsecure.iagserver.org , port 80 and IP address 39.1.1.2 as I showed in the diagram above

    Note! Make sure you choose different portal names because you cannot create 2 portals with the same name

Phase 2: Create ISA Publishing rules

  1. You will need to create 4 publishing rules in the following order with 2 different listeners (pay attention to the Allow/Deny actions and to the HTTP/HTTPS listeners)

  2. Create the first rule: nonsecure.iagserver.org (deny)
  3. Pay attention to the action - DENY and Redirect to your HTTPS portal

  4. On the "From" tab pay attention to the source Vendor Network (10.10.10.0)
  5. On the "To" tab make sure you enter the public name of the nonsecure IAG portal (and that you have a corresponding HOSTS record)

  6. On the "Listener" make sure you choose the HTTP listener (without authentication)

  7. On the "Public Name" tab configure the FQDN you want your Vendors and Employees to type in the URL when accessing the portal
  8. On the "Path" tab leave the default configuration

  9. On the "Authentication Delegation" tab choose "No delegation, and client cannot authenticate directly"
  10. On the "Bridging" tab choose "Redirect request to HTTP port" (use the default port 80)

  11. On the "Users" tab choose "All Users"

  12. Create the second rule: nonsecure.iagserver.org
  13. Pay attention to the action - Allow

  14. On the "From" tab pay attention to the source Employees Network (192.168.10.0)
  15. On the "To" tab make sure you enter the public name of the nonsecure IAG portal (and that you have a corresponding HOSTS record)

  16. On the "Listener" make sure you choose the HTTP listener (without authentication)

  17. On the "Public Name" tab configure the FQDN you want your Vendors and Employees to type in the URL when accessing the portal
  18. On the "Path" tab leave the default configuration

  19. On the "Authentication Delegation" tab choose "No delegation, and client cannot authenticate directly"
  20. On the "Bridging" tab choose "Redirect request to HTTP port" (use the default port 80)

  21. On the "Users" tab choose "All Users"

  22. Create the third rule: portal.iagserver.org (deny)
  23. Pay attention to the action - DENY and Redirect to your HTTP portal

  24. On the "From" tab pay attention to the source Employees Network (192.168.10.0)
  25. On the "To" tab make sure you enter the public name of the secured IAG portal (and that you have a corresponding HOSTS record)

  26. On the "Listener" make sure you choose the HTTPS listener (without authentication)

  27. On the "Public Name" tab configure the FQDN you want your Vendors and Employees to type in the URL when accessing the portal
  28. On the "Path" tab leave the default configuration

  29. On the "Authentication Delegation" tab choose "No delegation, and client cannot authenticate directly"
  30. On the "Bridging" tab choose "Redirect request to SSL port" (use the default port 443)

  31. On the "Users" tab choose "All Users"

  32. Create the fourth rule: portal.iagserver.org
  33. Pay attention to the action - Allow

  34. On the "From" tab pay attention to the source Vendor Network (10.10.10.0)
  35. On the "To" tab make sure you enter the public name of the secured IAG portal (and that you have a corresponding HOSTS record)

  36. On the "Listener" make sure you choose the HTTPS listener (without authentication)

  37. On the "Public Name" tab configure the FQDN you want your Vendors and Employees to type in the URL when accessing the portal
  38. On the "Path" tab leave the default configuration

  39. On the "Authentication Delegation" tab choose "No delegation, and client cannot authenticate directly"
  40. On the "Bridging" tab choose "Redirect request to HTTPS port" (use the default port 443)

  41. On the "Users" tab choose "All Users"

Phase 3: Test your architecture

Vendor Network Test

  1. Access the Vendor computer
  2. Surf to https://portal.iagserver.org
  3. Perform authentication and access the portal
  4. Validate that this is the Vendors portal
  5. Surf to http://portal.iagserver.org
  6. Check that you are redirected to https://portal.iagserver.org and that this is the Vendors portal

Employee Network Test

  1. Access the Employee computer
  2. Surf to http://portal.iagserver.org
  3. Perform authentication and access the portal
  4. Validate that this is the Employees portal
  5. Surf to https://portal.iagserver.org
  6. Check that you are redirected to http://portal.iagserver.org and that this is the Employees portal
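The four publishing rules of Phase 2 and the two network tests of Phase 3 can be written down as a small model of ISA's top-down, first-match rule evaluation, which is useful for checking the expected behaviour (and for spotting a redirect loop between a mis-paired deny/redirect rule pair) before touching the appliance. The following is an added example and not part of the original article or of any ISA/IAG tooling; it assumes /24 masks for the two source networks (the article gives only the network addresses), uses the HOSTS records from the Prerequisites, and the function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Source networks from the article. The page lists only the network addresses;
# the /24 prefix length is an assumption made for this example.
VENDOR_NET = ipaddress.ip_network("10.10.10.0/24")
EMPLOYEE_NET = ipaddress.ip_network("192.168.10.0/24")

# HOSTS records from the Prerequisites: the name on each rule's "To" tab
# resolves to one of the two IAG portals on the same appliance.
HOSTS = {
    "nonsecure.iagserver.org": "39.1.1.2",
    "portal.iagserver.org": "39.1.1.3",
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: ipaddress.IPv4Network    # "From" tab: source network
    listener: str                    # "http" or "https" listener
    action: str                      # "allow" or "deny"
    to_host: Optional[str] = None    # "To" tab: IAG public name (allow rules)
    redirect: Optional[str] = None   # deny-and-redirect target URL (deny rules)


# The four publishing rules of Phase 2, in the order the article creates them.
RULES = [
    Rule("nonsecure.iagserver.org (deny)", VENDOR_NET, "http", "deny",
         redirect="https://portal.iagserver.org"),
    Rule("nonsecure.iagserver.org", EMPLOYEE_NET, "http", "allow",
         to_host="nonsecure.iagserver.org"),
    Rule("portal.iagserver.org (deny)", EMPLOYEE_NET, "https", "deny",
         redirect="http://portal.iagserver.org"),
    Rule("portal.iagserver.org", VENDOR_NET, "https", "allow",
         to_host="portal.iagserver.org"),
]


def evaluate(source_ip: str, scheme: str, rules=RULES):
    """Walk the rule base top to bottom and stop at the first rule whose
    listener and source network match, as ISA does.
    Returns ("forward", backend_ip), ("redirect", url) or ("deny", None)."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.listener == scheme and ip in rule.source:
            if rule.action == "deny":
                return ("redirect", rule.redirect)
            return ("forward", HOSTS[rule.to_host])
    # No publishing rule matched: the default rule denies the request.
    return ("deny", None)


def follow(source_ip: str, scheme: str, rules=RULES, max_hops: int = 3):
    """Follow deny-and-redirect hops until the request is forwarded or dropped.
    Returns (outcome, detail, hops). Bounded so a misconfigured pair of deny
    rules that redirect at each other is reported as a loop, not recursed forever."""
    hops = 0
    while hops < max_hops:
        outcome, detail = evaluate(source_ip, scheme, rules)
        if outcome != "redirect":
            return (outcome, detail, hops)
        scheme = detail.split("://", 1)[0]   # scheme of the redirect target
        hops += 1
    return ("loop", None, hops)


def phase3_checks() -> bool:
    """The Vendor and Employee network tests of Phase 3 against the model.
    Client addresses are constructed sample values for this example."""
    vendor, employee = "10.10.10.25", "192.168.10.25"
    return (
        evaluate(vendor, "https") == ("forward", HOSTS["portal.iagserver.org"])
        and evaluate(vendor, "http") == ("redirect", "https://portal.iagserver.org")
        and follow(vendor, "http") == ("forward", "39.1.1.3", 1)
        and evaluate(employee, "http") == ("forward", HOSTS["nonsecure.iagserver.org"])
        and evaluate(employee, "https") == ("redirect", "http://portal.iagserver.org")
        and follow(employee, "https") == ("forward", "39.1.1.2", 1)
    )


if __name__ == "__main__":
    print("Phase 3 expectations hold:", phase3_checks())
    print("Unknown network on HTTPS:", evaluate("203.0.113.9", "https"))
```

Because every rule matches on listener plus source network, each of the four rules covers a disjoint case and a client from a network that is in neither list falls through to the default deny, which is the Layer 3 protection the article attributes to ISA. The `follow` helper is where a configuration mistake shows up: if the two deny rules ever point at each other for the same source network, the model reports a loop instead of a forwarded request.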

If you have any issues with this architecture please go to our Technical Forums at the following link: http://Forums.ForefrontSecurity.ORG
