How to Allow HTTP 301 through ISA Server 2006

Introduction

 

When you publish a web site through ISA Server 2006, you can set the action for requests that match the rule to Deny (see Figure 1) and redirect the user to another URL. Behind the scenes, ISA Server 2006 sends the client an HTTP 302 redirect that points to this URL as the temporary location.

 

Figure 1 – ISA Server 2006 web publishing rule with a deny action.

 

Per RFC 2616, HTTP 302 means:

“The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests.”

 

Some customers need to send an HTTP 301 response instead of a 302 because they want a permanent move. Per RFC 2616, HTTP 301 means:

“The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible.”

 

Because ISA Server 2006 does not send HTTP 301 responses as redirects, the only option is to configure the published web server to send the 301 and to configure ISA Server 2006 to pass it through to external clients.

 

Sample Scenario

 

For this example the following topology will be used:

 

 

Figure 2 – Sample topology.

 

In this case the customer wants all users who try to access www.contoso.com (currently published to 10.20.20.25) to be permanently redirected to ww2.contoso.com (the new web server at 10.20.20.20).

 

Preparing the Web Server

 

The first step is to prepare the current web server (10.20.20.25) to send the HTTP 301. To do that, change the Home Directory (assuming that you have an IIS 6 server) to send the redirect, as shown in Figure 3:

 

 

Figure 3 – Configuring IIS to send HTTP 301.

 

Configuring ISA Server Rules

 

Do not configure any redirect rule on ISA Server 2006 for this case; otherwise ISA will send the HTTP 302, which is not what you want to accomplish. Instead, you need your old rule (for www.contoso.com) and a new rule (for ww2.contoso.com), both using the same listener (in this case called WWW).

 

 

Figure 4 – ISA Server Rules.

General considerations about these rules:

· This is an HTTP rule

· There is no authentication on the listener

· The delegation tab has the option: “No delegation, but client may authenticate directly”

· The users tab has “All Users” selected

 

Note: in this scenario we are intentionally not authenticating; however, it is important to mention that this exposes the internal IIS server. In a scenario where you need to authenticate, change the Users tab to All Authenticated Users and use FBA in the Web Listener, for example. If the redirection goes to another site hosted by ISA under the same domain, you can also use SSO. In that case the authentication goes through ISA Server, the client gets the 301 from the internal server, and then comes back through ISA with the same authentication cookie.

 

Testing it

 

Here is the communication between client and the two web servers, with ISA in the middle:

 

1. Client sends the HTTP GET for www.contoso.com:

192.168.0.34 192.168.0.60 HTTP HTTP:Request, GET /

- Http: Request, GET /

    Command: GET

  + URI: /

    ProtocolVersion: HTTP/1.1

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*

    Accept-Language: en-us

    UA-CPU: x86

    Accept-Encoding: gzip, deflate

    UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

    Host: www.contoso.com

    Connection: Keep-Alive

    HeaderEnd: CRLF

 

2. ISA Server receives the request and forwards it to the published server:

10.20.20.2 10.20.20.25 HTTP HTTP:Request, GET /

- Http: Request, GET /

    Command: GET

  + URI: /

    ProtocolVersion: HTTP/1.1

    Reverse-Via: ISACONTN2

    Host: www.contoso.com

    UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*

    Accept-Language: en-us

    UA-CPU: x86

    Connection: Keep-Alive

    HeaderEnd: CRLF

 

 

 

4. The web server answers with the HTTP 301 permanent redirect:

10.20.20.25 10.20.20.2 HTTP HTTP:Response, HTTP/1.1, Status Code = 301, URL: /

- Http: Response, HTTP/1.1, Status Code = 301, URL: /

    ProtocolVersion: HTTP/1.1

    StatusCode: 301, Moved permanently

    Reason: Moved Permanently

    ContentLength: 146

    ContentType: text/html

    Location: http://ww2.contoso.com/

    Server: Microsoft-IIS/6.0

    XPoweredBy: ASP.NET

    Date: Tue, 24 Feb 2009 02:31:09 GMT

    HeaderEnd: CRLF

  + payload: HttpContentType = text/html

 

5. We can see in the Monitoring / Logging that the “Contoso Web Site” rule is processed successfully for this first access:

 

 

Figure 5 – ISA Processing the first rule for www.contoso.com

 

6. ISA forwards the 301 to the client, which receives the following answer:

192.168.0.60 192.168.0.34 HTTP HTTP:Response, HTTP/1.1, Status Code = 301, URL: /

- Http: Response, HTTP/1.1, Status Code = 301, URL: /

    ProtocolVersion: HTTP/1.1

    StatusCode: 301, Moved permanently

    Reason: Moved Permanently

    Connection: Keep-Alive

    ContentLength: 146

    Date: Tue, 24 Feb 2009 02:31:09 GMT

    Location: http://ww2.contoso.com/

    ContentType: text/html

    Server: Microsoft-IIS/6.0

    XPoweredBy: ASP.NET

    HeaderEnd: CRLF

  + payload: HttpContentType = text/html

 

7. Client sends an HTTP GET request for the new location, ww2.contoso.com:

192.168.0.34 192.168.0.60 HTTP HTTP:Request, GET /

- Http: Request, GET /

    Command: GET

  + URI: /

    ProtocolVersion: HTTP/1.1

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*

    Accept-Language: en-us

    UA-CPU: x86

    Accept-Encoding: gzip, deflate

    UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

    Connection: Keep-Alive

    Host: ww2.contoso.com

    HeaderEnd: CRLF

 

8. ISA Server processes the request using the new rule (new Contoso web site):

 

 

Figure 6 – ISA processing the request for ww2.contoso.com using the new rule.

 

9. ISA Server sends a GET request to the new server:

10.20.20.2 10.20.20.20 HTTP HTTP:Request, GET /

- Http: Request, GET /

    Command: GET

  + URI: /

    ProtocolVersion: HTTP/1.1

    Reverse-Via: ISACONTN2

    Host: dccont.contoso.msft

    UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*

    Accept-Language: en-us

    UA-CPU: x86

    Connection: Keep-Alive

    HeaderEnd: CRLF

 

10. The new web server answers with HTTP 200:

10.20.20.20 10.20.20.2 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /

- Http: Response, HTTP/1.1, Status Code = 200, URL: /

    ProtocolVersion: HTTP/1.1

    StatusCode: 200, Ok

    Reason: OK

    Cache-Control: max-age=86400

    ContentLength: 1433

    ContentType: text/html

    Content-Location: http://dccont.contoso.msft/iisstart.htm

    Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT

    Accept-Ranges: bytes

    ETag: "09b60bc3dac21:406"

    Server: Microsoft-IIS/6.0

    Date: Tue, 24 Feb 2009 02:31:10 GMT

    HeaderEnd: CRLF

  + payload: HttpContentType = text/html

 

11. ISA Server sends the HTTP 200 to the client:

192.168.0.60 192.168.0.34 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /

- Http: Response, HTTP/1.1, Status Code = 200, URL: /

    ProtocolVersion: HTTP/1.1

    StatusCode: 200, Ok

    Reason: OK

    Connection: Keep-Alive

    ContentLength: 1433

    Date: Tue, 24 Feb 2009 02:31:10 GMT

    Content-Location: http://ww2.contoso.com/iisstart.htm

    ContentType: text/html

    ETag: "09b60bc3dac21:406"

    Server: Microsoft-IIS/6.0

    Cache-Control: max-age=86400

    Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT

    Accept-Ranges: bytes

    HeaderEnd: CRLF

  + payload: HttpContentType = text/html

 

Note: If you compare the Content-Location HTTP header in step 10 above (http://dccont.contoso.msft/iisstart.htm) with the Content-Location header in step 11 (http://ww2.contoso.com/iisstart.htm), you will see that they are different. This is because step 10 shows the HTTP response sent from the internal web server to ISA, while step 11 shows this response as sent from ISA to the external client.
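The two things this test verifies (the 301 reaches the client as a 301, and the client-facing headers carry the public name rather than the internal one) can be checked automatically. The following Python sketch is an added example, not part of the original article; the function names and the sample responses are constructed here, modelled on the headers shown in steps 6, 10 and 11.

```python
# Added example: audit responses as the external client sees them.
# All names and sample responses below are constructed for illustration.
from urllib.parse import urlsplit

PUBLIC_HOSTS = {"www.contoso.com", "ww2.contoso.com"}
URL_HEADERS = ("Location", "Content-Location")

CLIENT_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Length: 146\r\n"
    "Location: http://ww2.contoso.com/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
CLIENT_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 1433\r\n"
    "Content-Location: http://ww2.contoso.com/iisstart.htm\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# What the client would see if the internal name were passed through unchanged.
UNTRANSLATED_200 = CLIENT_200.replace("ww2.contoso.com", "dccont.contoso.msft")

def parse_response(raw):
    """Split a raw response head into (status_code, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_hop(raw, expected_status, expected_location=None):
    """Return findings for one client-facing response; an empty list means clean."""
    status, headers = parse_response(raw)
    findings = []
    if status != expected_status:
        findings.append(f"status {status}, expected {expected_status}")
    if expected_location and headers.get("location") != expected_location:
        findings.append(f"Location is {headers.get('location')!r}")
    for name in URL_HEADERS:
        host = urlsplit(headers.get(name.lower(), "")).hostname
        if host and host.lower() not in PUBLIC_HOSTS:
            findings.append(f"{name} exposes non-public host {host}")
    return findings

if __name__ == "__main__":
    for label, raw, code in (("301 hop", CLIENT_301, 301), ("200 hop", CLIENT_200, 200),
                             ("untranslated", UNTRANSLATED_200, 200)):
        print(label, audit_hop(raw, code) or "ok")
```

A finding on the first hop such as "status 302, expected 301" indicates that an ISA redirect rule is still answering instead of the published server.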

 

Conclusion

 

In this article you learned how to use an internal web server to send the HTTP 301 in response to external requests instead of using the redirect Deny rule functionality in ISA Server. This solution can help in scenarios where the default redirect rule from ISA Server 2006 (which sends HTTP 302 redirects) does not address your needs.

 

Author

Yuri Diogenes

Security Support Engineer – Microsoft CSS Forefront Edge Team

Technical Reviewers

Thomas Detzner

Escalation Engineer - Microsoft CSS Forefront Edge Team

 

Ian Parramore

Escalation Engineer - Microsoft CSS Forefront Edge Team