ISA Server
Latest revision as of 08:56, 12 December 2007
ISA Server (Internet Security and Acceleration Server) from Microsoft can act as both a proxy server and an application-layer firewall. Many organisations use it as the main gateway connecting their internal network to the outside world.
Split DNS
If you wish to install Moodle behind an ISA Server, e.g. to make it available to the outside world rather than just inside your organisation, you will need administrator access to the machine that ISA Server runs on. Windows Server comes with IIS, but you can use Apache quite happily (and may well find it runs faster).
Your best bet is to use split DNS, so that from inside your network the URL (e.g. http://moodle.yourorganisation.ac.uk) resolves to an internal IP (e.g. 192.168.2.34), while from the wider internet it resolves to the external IP of the ISA Server, which then forwards the request to the internal machine after scanning it for threats.
Internal DNS
This needs to be set up in your DNS management system, e.g. MS Active Directory, by adding an A record. Once that is done you will need to set up an exception on the ISA's proxy screen so that http://moodle.yourorganisation.ac.uk is not routed through the proxy. Internet Explorer and all other internal browsers may also need to be told not to route that request through the proxy.
External DNS
Once you can access Moodle OK using http://moodle.yourorganisation.ac.uk from an internal machine, you need to sort out your external DNS. Find out the public IP of the ISA server's external interface (a good way to do this is to browse to www.whatsmyip.net from an internal machine, assuming that the ISA server is the gateway), then set up moodle.yourorganisation.ac.uk as a subdomain pointing to that IP with your hosting provider (there may be a web interface for you to do this; companies vary).
Note that the IP address bound to the external interface of the ISA is not necessarily the IP as seen from the wider internet: you may be behind another firewall if you get your internet connection from a consortium, e.g. LGfL. Contact them if this is the case and they will clarify.
Once that is done and you have allowed time for the internet's DNS caches to update (this can take up to 24 hours), you should be able to type http://moodle.yourorganisation.ac.uk and get some sort of server error message from the ISA. This will also show up in the ISA's event logs. If you don't know how to get to the logs, see http://www.isaserver.org/tutorials/userinfo.html.
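The three conditions above (private answer inside, public answer outside, the two differing, and the "behind another firewall" trap) can be checked mechanically. This is an added example for this page, not Moodle or ISA Server code; the resolver answers in it are constructed, and `203.0.113.10` is a documentation-range stand-in for the ISA's public IP.

```python
"""Sanity-check the split-DNS answers for a host published through ISA Server.

Added example for this page, not code from the Moodle docs or from ISA Server.
The resolver answers are constructed; in practice take them from nslookup run
once from an internal machine and once from outside (or via a public resolver).
"""
import ipaddress
from typing import List, Optional

# RFC 1918 ranges: what the internal answer should fall into.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr) -> bool:
    return any(addr in net for net in RFC1918)


def check_split_dns(internal_answer: str, external_answer: str,
                    isa_external_interface: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the split looks right.

    internal_answer        what the internal (e.g. Active Directory) DNS returns
    external_answer        what public DNS returns for the same name
    isa_external_interface optional: the address bound to the ISA's outside NIC,
                           to detect the 'behind another firewall' case
    """
    problems = []
    try:
        inside = ipaddress.ip_address(internal_answer)
        outside = ipaddress.ip_address(external_answer)
        nic = ipaddress.ip_address(isa_external_interface) if isa_external_interface else None
    except ValueError as exc:
        return [f"unparseable address: {exc}"]

    if not is_rfc1918(inside):
        problems.append(f"internal answer {inside} is not an RFC 1918 address")
    if is_rfc1918(outside) or outside.is_loopback or outside.is_link_local:
        problems.append(f"external answer {outside} is not routable from the internet; "
                        "has the internal address leaked into public DNS?")
    if inside == outside:
        problems.append("internal and external answers are identical, so DNS is not split")
    if nic is not None and is_rfc1918(nic):
        problems.append(f"ISA external interface {nic} is itself private: you are behind another "
                        "firewall/NAT, so point the public record at the address seen from the internet")
    return problems


if __name__ == "__main__":
    # Constructed values: the Moodle box inside, a documentation-range stand-in for the public IP.
    print(check_split_dns("192.168.2.34", "203.0.113.10"))   # []
```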
The next step is to run the web publishing wizard on the ISA and enter the details of the machine Moodle is running on. Do this without SSL first. It should be possible to follow the tutorial at http://www.isaserver.org/tutorials/ISA-2006-Firewall-Web-Publishing-Rules.html or at http://www.isaserver.org/tutorials/Publishing-Multiple-Non-SSL-Web-Sites-Single-IP-Address-using-ISA-Firewalls.html.
Once that's done, you should be able to access Moodle from outside. If there is still an error, check the ISA Server's logs for more information.
SSL
If you want to use SSL, use SSL bridging: the link between the remote host and the ISA is encrypted, but the link from the ISA to the internal machine need not be (which saves on processing). You will need to generate a certificate to bind to the listener using IIS and then configure the SSL bridging. Instructions are at http://www.isaserver.org/tutorials/Configuring_SSL_Bridging.html.
If you are already using port 443 for something else, e.g. publishing your Exchange server with forms-based authentication so people can access Outlook over the web, you will need to set up a second listener on localhost (127.0.0.1) and chain the listeners in a simplified version of the setup in http://www.isaserver.org/tutorials/2004pubowamobile.html. The idea is that the external listener does not authenticate, but receives requests on port 443 and either passes them to localhost (which then does the forms-based authentication for Exchange that the external listener used to) or to the Moodle server, depending on the URL supplied. You will need a wildcard certificate if you want to do this, and can generate one using IIS and Certificate Services.
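The decision the external listener makes (which backend a given hostname goes to, with unknown names refused) and the reason a wildcard certificate is needed (one certificate must cover every published name) can be modelled as follows. This is an added example for this page, not Moodle or ISA Server code: the publishing table, the `mail.` hostname and the backend ports are constructed, and a real ISA makes the same decision through its publishing rules rather than a Python dict.

```python
"""Host-based dispatch for a single port-443 listener, plus a check that one
wildcard certificate covers every published name.

Added example for this page, not Moodle or ISA Server code; the publishing
table and backends are constructed.
"""
from typing import Dict, List, Optional, Tuple

Backend = Tuple[str, int]

# Constructed publishing table: external hostname -> where the external listener forwards.
ROUTES: Dict[str, Backend] = {
    "moodle.yourorganisation.ac.uk": ("192.168.2.34", 80),   # Moodle box, bridged to plain HTTP
    "mail.yourorganisation.ac.uk": ("127.0.0.1", 8443),      # chained listener doing forms-based auth for Exchange
}
WILDCARD_CERT = "*.yourorganisation.ac.uk"   # the one certificate bound to the external listener


def cert_covers(cert_name: str, hostname: str) -> bool:
    """Does the certificate name cover the hostname? A wildcard matches exactly
    one leading label (RFC 6125 rules): *.example.org covers www.example.org
    but neither example.org itself nor a.b.example.org."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # ".yourorganisation.ac.uk"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def uncovered_names(routes: Dict[str, Backend] = ROUTES, cert_name: str = WILDCARD_CERT) -> List[str]:
    """Published names the listener's certificate would not cover (browsers would warn)."""
    return [name for name in routes if not cert_covers(cert_name, name)]


def route(host_header: str, routes: Dict[str, Backend] = ROUTES) -> Optional[Backend]:
    """Pick the backend from the request's Host header; unknown names get None
    (default deny) rather than being forwarded anywhere."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")   # drop an explicit :443
    return routes.get(host)


if __name__ == "__main__":
    print(uncovered_names())                          # []
    print(route("moodle.yourorganisation.ac.uk"))     # ('192.168.2.34', 80)
    print(route("MAIL.yourorganisation.ac.uk:443"))   # ('127.0.0.1', 8443)
    print(route("other.example.org"))                 # None
```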
Extra settings
N.B. You will also need to follow the instructions at http://www.tomrafteryit.net/isa-server-error-12217/ to prevent some pages from failing to display due to large characters in the URL.