Controlling incoming requests
Microsoft Internet Security and Acceleration (ISA) Server can also make internal servers securely accessible to external clients. You use ISA Server to create a publishing policy to securely publish your internal servers. The publishing policy, which consists of Internet protocol (IP) packet filters, Web publishing rules, or server publishing rules, together with the routing rules, determine how internal servers are published.
You can use one of the following ISA Server rules to publish servers:
| • | Web publishing rules to publish Web server content. |
| • | Server publishing rules to publish content on all other servers located on the internal network. |
| • | IP packet filters to publish content on servers on a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet). |
For more information, see Web publishing rules, Server publishing rules, and IP packet filters.
When ISA Server processes a request from an external client, it checks IP packet filters, publishing rules, and routing rules to determine if the request is allowed and which internal server should service the request.
For an incoming Web request, rules are processed in the following order:
1. | IP packet filters |
2. | Web publishing rules |
3. | Routing rules |
The figure illustrates the processing flow for an incoming Web request.
The scenario assumes that you have installed ISA Server in integrated or firewall mode on a computer with two network cards: one connected to the Internet and the other connected to your local network.
1. | If packet filtering is enabled, then if an IP packet filter specifically denies the request, the request is denied. |
2. | If a Web publishing rules specifically denies the request, then the request is denied. |
3. | If a routing rule specifies that the requests be routed to a specific upstream server or an alternate hosted site, then the specified server handles the request. |
4. | If a routing rule specifies that the requests be routed to the specified server, then the internal Web server returns the object. |
For example, consider the following rules:
| • | A Web publishing rule redirects requests from all clients for a destination set to a hosted site (Web server) named Msweb. The destination set includes widgets.microsoft.com. |
| • | A routing rule routes requests for a destination set that includes msweb by servicing them directly. The rule's cache properties specify that responses to requests are never cached. |
When an external user from the Internet requests an object from widgets.microsoft.com, ISA Server intercepts the request. First, it processes the Web publishing rule, determining that the request should be redirected to Msweb. Next, it processes the routing rule and determines that the request should be serviced directly by the specified Web server (Msweb).
