Code:
http://blogs.technet.com/isablog/archive/2009/03/04/how-to-allow-http-301-through-isa-server-2006.aspx
Introduction

When you publish a web site through ISA Server 2006, you can configure the action for requests that match the rule to deny (see Figure 1) and redirect the user to another URL. Behind the scenes, ISA Server 2006 sends an HTTP 302 redirect to the client, pointing to this URL as the temporary location.


Figure 1 – ISA Server 2006 web publishing rule with a deny action.

Per RFC 2616, HTTP 302 means:
“The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests.”


Some customers need to send an HTTP 301 instead of a 302 because they want a permanent move. Per RFC 2616, HTTP 301 means:
“The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible.”


Since ISA Server 2006 does not send a 301 as its redirect, the only way out is to configure the web server to send the 301 and configure ISA Server 2006 to pass it out to external clients.

Sample Scenario

For this example the following topology will be used:


Figure 2 – Sample topology.

In this case the customer wants all users who try to access www.contoso.com (currently published to 10.20.20.2) to be permanently redirected to ww2.contoso.com (new web server 10.20.20.20).

Preparing the Web Server

The first step in this configuration is to prepare the current Web Server (10.20.20.2) to send the HTTP 301. To do that you need to change the Home Directory (assuming that you have an IIS 6 Server) to send the redirect as shown in Figure 3:


Figure 3 – Configuring IIS to send HTTP 301.

Configuring ISA Server Rules

You should not configure any redirect rule on ISA Server 2006 for this case, otherwise ISA will send the HTTP 302 and this is not what you want to accomplish. In this type of case you need to have your old rule (for www.contoso.com) and a new rule (for ww2.contoso.com), both using the same listener (in this case called WWW).


Figure 4 – ISA Server Rules.

General considerations about these rules:
· This is an HTTP rule.
· There is no authentication on the listener.
· The delegation tab has the option: “No delegation, but client may authenticate directly”.
· The Users tab has “All Users” selected.

Note: in this scenario we are intentionally not authenticating; however, it is important to mention that this exposes the internal IIS server. In a scenario where you need to authenticate, you should change the Users tab to All Authenticated Users and use FBA in the Web Listener, for example. If the redirection occurs for another site hosted by ISA under the same domain, you can also use SSO. This makes the authentication go through ISA Server, get the 301 internally, then come back through ISA with the same authentication cookie.


Testing it

Here is how the whole communication happens, from client to web server with ISA in the middle:

1. Client sends the HTTP GET for www.contoso.com:
192.168.0.34 192.168.0.60 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: www.contoso.com
Connection: Keep-Alive
HeaderEnd: CRLF


2. ISA Server receives the request and forwards it to the published server:
10.20.20.2 10.20.20.25 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Reverse-Via: ISACONTN2
Host: www.contoso.com
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF




4. Web Server answers with the 301:
10.20.20.25 10.20.20.2 HTTP HTTP:Response, HTTP/1.1, Status Code = 301, URL: /
- Http: Response, HTTP/1.1, Status Code = 301, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 301, Moved permanently
Reason: Moved Permanently
ContentLength: 146
ContentType: text/html
Location: http://ww2.contoso.com/
Server: Microsoft-IIS/6.0
XPoweredBy: ASP.NET
Date: Tue, 24 Feb 2009 02:31:09 GMT
HeaderEnd: CRLF
+ payload: HttpContentType = text/html


5. We can see in the Monitoring / Logging that the “Contoso Web Site” rule is processed successfully for this first access:


Figure 5 – ISA Processing the first rule for www.contoso.com

6. ISA forwards the 301 to the client that receives the following answer:
192.168.0.60 192.168.0.34 HTTP HTTP:Response, HTTP/1.1, Status Code = 301, URL: /
- Http: Response, HTTP/1.1, Status Code = 301, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 301, Moved permanently
Reason: Moved Permanently
Connection: Keep-Alive
ContentLength: 146
Date: Tue, 24 Feb 2009 02:31:09 GMT
Location: http://ww2.contoso.com/
ContentType: text/html
Server: Microsoft-IIS/6.0
XPoweredBy: ASP.NET
HeaderEnd: CRLF
+ payload: HttpContentType = text/html


7. Client sends a HTTP GET for the new location (ww2.contoso.com):
192.168.0.34 192.168.0.60 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Connection: Keep-Alive
Host: ww2.contoso.com
HeaderEnd: CRLF


8. ISA Server processes the request in the new rule (New Contoso Web Site):


Figure 6 – ISA processing the request for ww2.contoso.com in the new rule.

9. ISA Server sends a GET request to the new Server:
10.20.20.2 10.20.20.20 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Reverse-Via: ISACONTN2
Host: dccont.contoso.msft
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF


10. New web server answers with HTTP 200:
10.20.20.20 10.20.20.2 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /
- Http: Response, HTTP/1.1, Status Code = 200, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Cache-Control: max-age=86400
ContentLength: 1433
ContentType: text/html
Content-Location: http://dccont.contoso.msft/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT
Accept-Ranges: bytes
ETag: "09b60bc3dac21:406"
Server: Microsoft-IIS/6.0
Date: Tue, 24 Feb 2009 02:31:10 GMT
HeaderEnd: CRLF
+ payload: HttpContentType = text/html


11. ISA Server sends the HTTP 200 to the client:
192.168.0.60 192.168.0.34 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /
- Http: Response, HTTP/1.1, Status Code = 200, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Connection: Keep-Alive
ContentLength: 1433
Date: Tue, 24 Feb 2009 02:31:10 GMT
Content-Location: http://ww2.contoso.com/iisstart.htm
ContentType: text/html
ETag: "09b60bc3dac21:406"
Server: Microsoft-IIS/6.0
Cache-Control: max-age=86400
Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT
Accept-Ranges: bytes
HeaderEnd: CRLF
+ payload: HttpContentType = text/html


Note: If you compare the Content-Location field in Step 10 (http://dccont.contoso.msft/iisstart.htm) with the Content-Location field in Step 11 (http://ww2.contoso.com/iisstart.htm), they are different. The reason is that Step 10 is traffic between ISA and the internal web server, while Step 11 is sent from ISA to the external client.
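
The checks from the walkthrough above, as an added example that is not part of the original article: it parses a raw response as seen on the external side of ISA and flags a 302 where a 301 was intended, an unexpected Location, and any Location or Content-Location that still names an internal host such as the one in Step 10. The sample responses are constructed from the trace, and the function names and the `PUBLIC_HOSTS` set are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed samples: wire-format versions of responses like those in the trace.
RESP_301 = ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: http://ww2.contoso.com/\r\n"
            "Content-Type: text/html\r\n\r\n")
RESP_302 = ("HTTP/1.1 302 Found\r\n"
            "Location: http://ww2.contoso.com/\r\n\r\n")
# Step 10 response as the internal server sent it, i.e. before ISA rewrote it.
RESP_200_UNTRANSLATED = ("HTTP/1.1 200 OK\r\n"
                         "Content-Location: http://dccont.contoso.msft/iisstart.htm\r\n"
                         "Content-Type: text/html\r\n\r\n")

PUBLIC_HOSTS = {"www.contoso.com", "ww2.contoso.com"}  # assumption: published names


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_external_response(raw, want_status, want_location=None, public_hosts=PUBLIC_HOSTS):
    """Return a list of findings; an empty list means the response is as intended."""
    status, headers = parse_response(raw)
    findings = []
    if status != want_status:
        findings.append(f"status {status}, expected {want_status}")
    if want_location is not None and headers.get("location") != want_location:
        findings.append(f"Location is {headers.get('location')!r}")
    # URL-bearing headers must only name hosts that are published externally.
    for name in ("location", "content-location"):
        host = urlsplit(headers.get(name, "")).hostname
        if host and host not in public_hosts:
            findings.append(f"{name} exposes internal host {host}")
    return findings


if __name__ == "__main__":
    for label, raw, code in (("301", RESP_301, 301), ("302", RESP_302, 301),
                             ("200", RESP_200_UNTRANSLATED, 200)):
        print(label, check_external_response(raw, code) or "ok")
```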


Conclusion

In this article you learned how to use an internal web server to send the HTTP 301 to external requests instead of using the redirect Deny rule functionality in ISA Server. This approach can help in scenarios where the default redirect rule from ISA Server 2006 (which sends HTTP 302 redirects) does not address your needs.

Author
Yuri Diogenes
Security Support Engineer – Microsoft CSS Forefront Edge Team

Technical Reviewers
Thomas Detzner
Escalation Engineer - Microsoft CSS Forefront Edge Team

Ian Parramore
Escalation Engineer - Microsoft CSS Forefront Edge Team



