Note: You are currently viewing documentation for Moodle 3.2. Up-to-date documentation for the latest stable version of Moodle is probably available here: ISA Server.

ISA Server: Difference between revisions

From MoodleDocs
No edit summary
(General tidyup and fix for MDL-12156)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
ISA Server (Internet, Security and Acceleration Server) from Microsoft can act as a both a proxy server and an application layer firewall. Many organisations use it as the main gateway connecting their internal network to the outside world.  
ISA Server (Internet, Security and Acceleration Server) from Microsoft can act as a both a proxy server and an application layer firewall. Many organisations use it as the main gateway connecting their internal network to the outside world.  


If you wish to install Moodle behind an ISA server e.g. to make it available to the outside world rather than just inside your organisation, you will need to have administrator acces to the machine that ISA server that runs on. Windows server comes with IIS, but you can use Apache quite happily.
==Split DNS==


Your best bet for doing this is to use split DNS so that from inside your network, typing the URL e.g. http://moodle.yourorganisation.ac.uk will resolve to an internal IP e.g. 192.168.2.34, but from the wider internet it will resolve to the external interface of the ISA Server, which will then forward the request to the internal machine.
If you wish to install Moodle behind an ISA server e.g. to make it available to the outside world rather than just inside your organisation, you will need to have administrator access to the machine that ISA server that runs on. Windows server comes with IIS, but you can use Apache quite happily (and may well find it runs faster).


'''Internal DNS'''
Your best bet for doing this is to use split DNS so that from inside your network, typing the URL e.g. http://moodle.yourorganisation.ac.uk will resolve to an internal IP e.g. 192.168.2.34, but from the wider internet it will resolve to the external IP of the ISA Server, which will then forward the request to the internal machine after scanning it for threats.
This is something that needs to be set up in your DNS manager like active directory. Once that is done you will need to set up an exception on the ISA's proxy screen so that http://moodle.yourorganisation.ac.uk is not routed through the proxy.
*better instructions needed here on how to make an exception
'''
External'''
Once you can access moodle OK using http://moodle.yourorganisation.ac.uk from an internal machine, you need to sort out your external DNS. Find out the IP  which resolves to the external interface of the ISA server (a good way to do this is to browse to www.whatsmyip.net from an internal machine), then set up http://moodle.yourorganisation.ac.uk as a subdomain pointing to that IP with your hosting provider (there may be a web interface for you to do this, companies vary)


Note that the IP address bound to the external interface of the ISA is not necessarily the IP as seen from the wider internet - you may be behind another firewall if you are getting your internet from a consortium e.g. LGfL
===Internal DNS===
Once that is done and you have allowed time for the Internet's DNS cache's to update (can be up to 24hrs) you should be able to type http://moodle.yourorganisation.ac.uk and get some sort of server error message from the ISA. This will also show up in the ISA's event logs. If you don't know how to get to the logs, look here: http://www.isaserver.org/tutorials/userinfo.html
This is something that needs to be set up in your DNS managment system e.g. MS active directory, by adding an A record. Once that is done you will need to set up an exception on the ISA's proxy screen so that http://moodle.yourorganisation.ac.uk is not routed through the proxy. Internet explorer and all internal browsers may also need to be told not to route that request through the proxy.
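Review bot: the revised Internal DNS paragraph drops the old placeholder "better instructions needed here on how to make an exception" but still only says to "set up an exception on the ISA's proxy screen", with no steps. Either add the steps or keep a visible to-do so the gap is not lost. In the same paragraph "managment" should be "management".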


The next step is to run the web publishing wizard on the ISA and enter the details of the machine moodle is running on. It should be possible to follow the tutorial here http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html or here http://www.isaserver.org/tutorials/Publishing-Multiple-Non-SSL-Web-Sites-Single-IP-Address-using-ISA-Firewalls.html
===External DNS===
Once you can access moodle OK using http://moodle.yourorganisation.ac.uk from an internal machine, you need to sort out your external DNS. Find out the IP  which resolves to the external interface of the ISA server (a good way to do this is to browse to www.whatsmyip.net from an internal machine, assuming that the ISA server is the gateway), then set up http://moodle.yourorganisation.ac.uk as a subdomain pointing to that IP with your hosting provider (there may be a web interface for you to do this, companies vary).
 
Note that the IP address bound to the external interface of the ISA is not necessarily the IP as seen from the wider internet - you may be behind another firewall if you are getting your internet from a consortium e.g. LGfL. Contact them if this is the case and they will clarify.
Once that is done and you have allowed time for the Internet's DNS cache's to update (can be up to 24hrs) you should be able to type http://moodle.yourorganisation.ac.uk and get some sort of server error message from the ISA. This will also show up in the ISA's event logs. If you don't know how to get to the logs, look [http://www.isaserver.org/tutorials/userinfo.html here].
 
The next step is to run the web publishing wizard on the ISA and enter the details of the machine moodle is running on. Do this '''without SSL''' first. It should be possible to follow the tutorial [http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html here] or [http://www.isaserver.org/tutorials/Publishing-Multiple-Non-SSL-Web-Sites-Single-IP-Address-using-ISA-Firewalls.html here].


Once that's done, you should be able to access from outside. If there is still an error, check the ISA Server's logs to find more information.
Once that's done, you should be able to access from outside. If there is still an error, check the ISA Server's logs to find more information.


If you want to use SSL, you use SSL bridging. This means that the link between the remote host and the ISA is encrypted, but the link from the ISA to the internal machine need not be (saves on processing). You will need to generate a Certificate to bind to the Listener using IIS and then configure the SSL bridging. Instructions here: http://www.isaserver.org/tutorials/Configuring_SSL_Bridging.html
==SSL==
If you want to use SSL, you use SSL bridging. This means that the link between the remote host and the ISA is encrypted, but the link from the ISA to the internal machine need not be (saves on processing). You will need to generate a Certificate to bind to the Listener using IIS and then configure the SSL bridging. Instructions [http://www.isaserver.org/tutorials/Configuring_SSL_Bridging.html here]
 
If you are already using port 443 for something else e.g. publishing your exchange server using forms based authentication so people can access outlook over the web, you will need to set up a second listener on localhost (127.0.0.1) and chain the listeners in a simplified version of  [http://www.isaserver.org/tutorials/2004pubowamobile.html this article]The idea is that the external listener does not authenticate, but receives requests on port 443 and either passes them to localhost (which then does the forms based authentication for exchange that the external one used to) or to the moodle server, depending on the URL supplied. You will need a wildcard certificate if you want to do this and can generate one using IIS and certificate services.


If you are already using port 443 for something else e.g. publishing your exchange server using forms based authentication so people can access outlook over the web, you will need to set up a second listener on localhost (127.0.0.1) and chain the listeners in a simplified version of this article http://www.isaserver.org/tutorials/2004pubowamobile.html The idea is that the external listener does not authenticate, but receives requests on port 443 and either passes them to localhost (which then does the forms based authentication for exchange that the external one used to) or to the moodle server, depending on teh URL supplied.
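Review bot: in the revised port 443 paragraph the link markup runs straight into the next sentence ("this article]The idea"), so the rendered page reads "this articleThe idea"; add a full stop and a space after the closing bracket. The new sentence about the wildcard certificate would also be clearer if it said which listener the certificate is bound to.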
==Extra settings==
n.b. You will also need to follow [http://www.tomrafteryit.net/isa-server-error-12217/ these] instructions to prevent some pages from not displaying due to large characters in the URL.


References:
==References==
http://www.isaserver.org
http://www.isaserver.org


[[Category:Administrator]]
[[Category:Administrator]]

Latest revision as of 08:56, 12 December 2007

ISA Server (Internet, Security and Acceleration Server) from Microsoft can act as both a proxy server and an application-layer firewall. Many organisations use it as the main gateway connecting their internal network to the outside world.

Split DNS

If you wish to install Moodle behind an ISA server, e.g. to make it available to the outside world rather than just inside your organisation, you will need administrator access to the machine that ISA Server runs on. Windows Server comes with IIS, but you can use Apache quite happily (and may well find it runs faster).

Your best bet for doing this is to use split DNS so that from inside your network, typing the URL e.g. http://moodle.yourorganisation.ac.uk will resolve to an internal IP e.g. 192.168.2.34, but from the wider internet it will resolve to the external IP of the ISA Server, which will then forward the request to the internal machine after scanning it for threats.

Internal DNS

This is something that needs to be set up in your DNS management system, e.g. MS Active Directory, by adding an A record. Once that is done you will need to set up an exception on the ISA's proxy screen so that http://moodle.yourorganisation.ac.uk is not routed through the proxy. Internet Explorer and all internal browsers may also need to be told not to route that request through the proxy.

External DNS

Once you can access Moodle OK using http://moodle.yourorganisation.ac.uk from an internal machine, you need to sort out your external DNS. Find out the IP which resolves to the external interface of the ISA server (a good way to do this is to browse to www.whatsmyip.net from an internal machine, assuming that the ISA server is the gateway), then set up http://moodle.yourorganisation.ac.uk as a subdomain pointing to that IP with your hosting provider (there may be a web interface for you to do this; companies vary).

Note that the IP address bound to the external interface of the ISA is not necessarily the IP as seen from the wider internet - you may be behind another firewall if you are getting your internet from a consortium e.g. LGfL. Contact them if this is the case and they will clarify. Once that is done and you have allowed time for the Internet's DNS caches to update (can be up to 24 hours) you should be able to type http://moodle.yourorganisation.ac.uk and get some sort of server error message from the ISA. This will also show up in the ISA's event logs. If you don't know how to get to the logs, look here: http://www.isaserver.org/tutorials/userinfo.html
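The split-DNS plan above can be sanity-checked before the records are published. The following is an added example, not part of the original MoodleDocs page: the function name, the 10.20.0.5 interface address and the 203.0.113.10 public address are constructed for illustration, and only 192.168.2.34 comes from the page.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# flags the documentation ranges used for the constructed sample values.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def check_split_dns(internal_a, external_a, moodle_ip, isa_nic_ip, seen_public_ip):
    """Return a list of problems in a split-DNS plan for one hostname.

    internal_a      A record served to clients inside the network
    external_a      A record published with the external DNS host
    moodle_ip       address of the internal machine running Moodle
    isa_nic_ip      address bound to the ISA Server's external interface
    seen_public_ip  address the wider internet sees for the gateway
    """
    int_a, ext_a, moodle, nic, public = (
        ipaddress.ip_address(v)
        for v in (internal_a, external_a, moodle_ip, isa_nic_ip, seen_public_ip))
    problems = []
    if int_a != moodle:
        problems.append("internal record does not point at the Moodle machine")
    if int_a == ext_a:
        problems.append("internal and external records are identical: DNS is not split")
    if is_rfc1918(ext_a):
        problems.append("external record is an RFC 1918 address: unreachable from the internet")
    if ext_a != public:
        if ext_a == nic:
            problems.append("external record uses the ISA interface address, "
                            "but an upstream firewall presents a different public IP")
        else:
            problems.append("external record does not match the public IP")
    return problems

# Constructed sample values: 192.168.2.34 is the page's example internal IP;
# 203.0.113.10 (documentation range) and 10.20.0.5 are made up.
GOOD = check_split_dns("192.168.2.34", "203.0.113.10", "192.168.2.34",
                       "203.0.113.10", "203.0.113.10")
BEHIND_CONSORTIUM = check_split_dns("192.168.2.34", "10.20.0.5", "192.168.2.34",
                                    "10.20.0.5", "203.0.113.10")

if __name__ == "__main__":
    for name, result in (("good", GOOD), ("behind consortium", BEHIND_CONSORTIUM)):
        print(name, "->", result or "no problems")
```

The second case is the consortium situation described above: the address on the ISA's external interface was published, but the internet sees a different one.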

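The next step is to run the web publishing wizard on the ISA and enter the details of the machine Moodle is running on. Do this without SSL first. It should be possible to follow the tutorial here: http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html or here: http://www.isaserver.org/tutorials/Publishing-Multiple-Non-SSL-Web-Sites-Single-IP-Address-using-ISA-Firewalls.html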

Once that's done, you should be able to access from outside. If there is still an error, check the ISA Server's logs to find more information.

SSL

If you want to use SSL, you use SSL bridging. This means that the link between the remote host and the ISA is encrypted, but the link from the ISA to the internal machine need not be (saves on processing). You will need to generate a certificate to bind to the listener using IIS and then configure the SSL bridging. Instructions here: http://www.isaserver.org/tutorials/Configuring_SSL_Bridging.html

If you are already using port 443 for something else, e.g. publishing your Exchange server using forms-based authentication so people can access Outlook over the web, you will need to set up a second listener on localhost (127.0.0.1) and chain the listeners in a simplified version of this article: http://www.isaserver.org/tutorials/2004pubowamobile.html The idea is that the external listener does not authenticate, but receives requests on port 443 and either passes them to localhost (which then does the forms-based authentication for Exchange that the external one used to) or to the Moodle server, depending on the URL supplied. You will need a wildcard certificate if you want to do this and can generate one using IIS and certificate services.

Extra settings

N.B. You will also need to follow these instructions (http://www.tomrafteryit.net/isa-server-error-12217/) to prevent some pages from not displaying due to large characters in the URL.

References

http://www.isaserver.org