The following topics describe how to configure the ISA Server to operate with the Access Manager ISAPI Webgate.
Task overview: Performing Webgate configuration for ISA Server includes:
After resetting ISAPI Webgate permissions, you need to register Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within ISA Server. Web filters screen all HTTP traffic that passes through the ISA Server host. Only compliant requests are allowed to pass through.
Access Manager authentication schemes define how the user is challenged for credentials, maps user-supplied information, verifies it, and so forth. With the ISA Server, you must choose either Form or Basic authentication as the challenge method. You must also specify a Challenge Parameter to map the credentials provided by the user to the corresponding user profile stored in the directory server.
If Access Manager libraries are not registered as ISA Web filters, Access Manager authentication could fail. Do not point to webgate.dll in the action path for form-based login in the authentication scheme. Instead, specify the path to a dummy file in the /access directory as shown here:
For form based authentication, postgate.dll must be installed and should be at a higher level than webgate.dll.
The following procedure describes how to register Access Manager plug-ins in the ISA Server.
If you need to undo the filter registration, you can use the following procedure with the
/u option in the
regsvr32 command. For example:
regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\webgate.dll
To register Access Manager plug-ins as ISA Server Web filters:
net stop fwsrvto stop the ISA Server.
net start fwsrvto restart the ISA Server.
To authenticate users, ISA Server must be able to communicate with the authentication servers. After registering Access Manager webgate.dll and postgate.dll as ISA Web filters, you must configure the ISA Firewall Policy rule to protect resources that use these Web filters.
Web publishing rules essentially map incoming requests to the appropriate Web servers. Access rules determine how clients on a source network access resources on a destination network. ISA Firewall Policy rules require client membership in a user set: either Firewall clients, authenticated Web clients, or virtual private network (VPN) clients. The ISA Server attempts to match authenticated users based upon ISA Firewall Policy rules.
Your ISA Server documentation for details about ISA Firewall Policies and rules
The following procedure describes how to configure an ISA Firewall Policy rule to use with ISA Web filters for Access Manager webgate.dll and postgate.dll.
After you perform the following procedure, when you create a listener in the authentication click Allow client authentication over HTTP in Advanced Properties.
To configure ISA policies to enable Access Manager authentication and authorization:
From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
From the tree of the ISA Server Management console, locate the name of this server, and then click Firewall Policy.
From the Tasks tab, click Publish Web Sites.
In the Web publishing rule name field, type a descriptive name for the rule, and then click Next.
On the Select Rule Action page, confirm that the Allow option is selected, and then click Next.
In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next.
On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next.
If you are using secured connections, see the server connection security settings provided by ISA Server.
Perform the following steps to set internal publishing details:
In the Internal site name box, type the internally-accessible name of the Web server.
Check the Use a computer name or IP address to connect to the published server check box.
Type the internally-accessible and fully qualified domain name, or type the IP address of the Web server computer, in the Computer name or IP address box
In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
To publish a particular folder in the Web site:
Type the folder name in the Path (optional) box to display the full path of the published Web site in the Web site box.
In the Accept requests for list:
Click This domain name (type below).
In the Public name box, type the publicly-accessible fully qualified domain name of the Web site.
In the Web listener list, either click the Web listener to use for this Web publishing rule; otherwise or create a new Web listener, as follows:
Click New, type a descriptive name for the new Web listener, and then click Next.
Click Do not require SSL secured connections with clients, and then click Next.
In the Listen for requests from these networks list, click the required networks and click to check the External box, then click Next.
In the Select how clients will provide credentials to ISA Server list, click No Authentication, and then click Next.
On the Single Sign On Settings page, click Next, and then click Finish.
Authentication Delegation: Perform the following steps in the Select the method used by ISA Server to authenticate to the published Web server list:
Click No Delegation.
Click Client Cannot Authenticate Directly.
This is used by ISA Server to authenticate to the published Web server.
On the User Sets page:
Choose All (the default user setting) to set the rule that applies to requests from the user sets box.
Click Next and then click Finish.
Click Apply to update the firewall policy, and then click OK.
Validate that only applicable ports are open and that the traffic that you would like to pass through is allowed.
It is important to ensure that the Webgate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll.
To order the Webgate ISAPI filters for ISA Server:
Confirm that there is only one webgate.dll and one postgate.dll filter and ensure that these are in an enabled state. Also, ensure that postgate.dll is installed at higher priority level than webgate.dll.