
Publishing Secure Websites

PCQ Bureau

Companies use a simple proxy server to control and improve Internet access. This is called forward proxying, wherein it acts as a gateway on behalf of clients on your network, sending their HTTP requests to the Internet. 


Another type of setup is called a reverse proxy, which instead of catering to requests from your internal clients, caters to requests from clients on the Internet. This comes in handy when you have a Web server running, perhaps your website, and don’t want anyone to access it directly from the Internet. You would place a reverse proxy in front of the Web server, which would then secure it and also do load balancing. Anyone on the Internet would then see and access this proxy server, and not your Web server. 

One benefit of reverse proxying is that you can put multiple Web servers securely behind it. It also makes managing the setup easier, as you just have to make the changes to the reverse proxy. For instance, if you replace a backend server or change its host name, you just have to change the corresponding reverse proxy rules or mappings. There’s no need to republish new names to the outside world. It can also cache external requests, thereby load balancing your Web servers. Plus, you don’t need to have separate servers for internal clients, thereby saving on hardware cost. Internal clients can access the same servers.

Not all proxy servers support reverse proxying, as it involves heavy load handling and tight security features. We created a reverse proxy server using Microsoft’s Internet Security and Acceleration (ISA) Server. It’s an enterprise firewall and a high-performance proxy server combined in one. It works on the Windows 2000 Server family, with Service Pack 1 or later. It’s also often called an upgrade to Microsoft Proxy Server 2.0. Some of its features include a stateful packet inspection firewall, active caching, smart application filters and reporting.


The setup



The reverse-proxy feature is called Web Publishing in ISA server. Our setup consisted of two servers running Windows 2000 Server and one client machine. One server was running a Web server, and the other was running the ISA server. The Web server was running on the main network with an internal IP address (say, 192.168.2.2). The machine with ISA server had two network cards, one with an external IP address (192.168.3.1, say), and the other connected to the company network with an internal IP (192.168.2.1). The server hosting the Web server with the company’s website was a Windows 2000 domain controller, with the ISA server machine logging on to it as a member server. You must also configure your DNS server properly, so that Internet clients can access your website using a domain name, and not an IP address.

Configuring ISA server

How to configure the server. 

  • Open the ISA management console from Start Menu, and expand the Servers and Arrays node. From there, expand the policy elements node and right click on the destination sets. 

  • Click on New and a New Destination Set Wizard appears. Give a name and description (optional) and click on Add. In the Add-Edit Destination window give the name and IP address of the desired destinations and click OK. We used our ISA server’s internal IP here.

  • Next, you have to set up the Web server you want to publish. This must be configured as a secure NAT client. To do this, set the ISA server’s internal IP as the default gateway of the Web server.

  • Configure the ISA server’s inbound request listener. Right click on the Servers and Arrays and select Properties. Go to Incoming Web Requests, choose Configure Listeners Individually Per IP address and click Add. Select the IP address of the external interface (192.168.3.1) that will act as a listener to all inbound requests. Authentication is an optional feature and need not be configured. 

  • Create a Web publishing Rule by opening the ISA management console>Servers and Arrays and expand your array. Now expand Publishing and right click on Web Publishing rules node. Select New>Rule. This launches the Web Publishing wizard. First give it a name (say, publish). Then specify the destinations it applies to. Here, give your ISA server’s host name or internal IP. Next choose the client type and select Any Request. Finally, in Rule Action, select Redirect request to internal web server, and give the IP address of your internal web server and click Finish. 

  • Go to a client computer and type the IP address or host name of your ISA server. The server should redirect this request to the internal web server and respond back. 
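The last step can also be scripted. The following check is an added example, not part of the original article: run from a machine on the external side of the ISA server, it confirms that the listener answers HTTP requests and that the published Web server cannot be reached directly. The addresses are the ones from the lab setup above; port 80 and the function names are assumptions of this example.

```python
import http.client
import socket

# Addresses from the article's lab setup; port 80 is assumed.
ISA_EXTERNAL = ("192.168.3.1", 80)   # listener for incoming Web requests
WEB_INTERNAL = ("192.168.2.2", 80)   # published Web server behind ISA


def tcp_open(addr, timeout=3.0):
    """Return True if a TCP connection to (host, port) succeeds."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def http_status(addr, path="/", timeout=3.0):
    """Return the HTTP status code for GET path, or None if no reply."""
    conn = http.client.HTTPConnection(addr[0], addr[1], timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_publishing(listener=ISA_EXTERNAL, backend=WEB_INTERNAL, timeout=3.0):
    """Check the publishing rule from the external side of the ISA server."""
    status = http_status(listener, timeout=timeout)
    published = status is not None and status < 500
    exposed = tcp_open(backend, timeout=timeout)  # should fail from outside
    return {
        "listener_status": status,
        "published": published,
        "backend_exposed": exposed,
        "ok": published and not exposed,
    }


if __name__ == "__main__":
    result = check_publishing()
    for key, value in result.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if result["ok"] else 1)
```

If `backend_exposed` is true, external clients have a path to the Web server that bypasses the reverse proxy, so the routing and packet filters need another look.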

There are a number of things to remember when setting up a reverse proxy with ISA server. Make sure your DNS and Web server are up and running. Also ensure that the configuration required for the normal functioning of ISA server is done before the Web publishing configuration. This includes configuring the Protocol rules and the Site and Content rules. Also, ensure that the services are running after the configuration process is complete.

Rashmi Sahu
