How to Allow HTTP 301 through ISA Server 2006
Introduction
When you publish a web site through ISA Server 2006, you can set the action for requests that match the rule to Deny (see Figure 1) and redirect the user to another URL. Behind the scenes, ISA Server 2006 sends an HTTP 302 redirect to the client, pointing to this URL as the temporary location.
Figure 1 – ISA Server 2006 web publishing rule with a deny action.
Per RFC 2616, HTTP 302 means:
“The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests.”
Some customers need to send an HTTP 301 response instead of a 302, because they want a permanent move. Per RFC 2616, HTTP 301 means:
“The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible.”
Since ISA Server 2006 does not send HTTP 301 responses as redirects, the only way out is to configure the published web server to send the 301 and to configure ISA Server 2006 to pass it on to external clients.
Sample Scenario
For this example the following topology will be used:
Figure 2 – Sample topology.
In this case the customer wants all users who try to access www.contoso.com (currently published to 10.20.20.25) to be permanently redirected to ww2.contoso.com (new web server at 10.20.20.20).
Preparing the Web Server
The first step in this configuration is to prepare the current web server (10.20.20.25) to send the HTTP 301. To do that you need to change the Home Directory (assuming that you have an IIS 6 Server) to send the redirect as shown in Figure 3:
Figure 3 – Configuring IIS to send HTTP 301.
Configuring ISA Server Rules
You should not configure any redirect rule on ISA Server 2006 for this case; otherwise ISA will send the HTTP 302, which is not what you want to accomplish. In this type of case you need to have your old rule (for www.contoso.com) and a new rule (for ww2.contoso.com), both using the same listener (in this case called WWW).
Figure 4 – ISA Server Rules.
General considerations about these rules:
· This is an HTTP rule
· There is no authentication on the listener
· The delegation tab has the option: “No delegation, but client may authenticate directly”
· The users tab has “All Users” selected
Note: this is a scenario where we are intentionally not authenticating; however, it is important to mention that this exposes the internal IIS server. In a scenario where you need to authenticate, you should change the Users tab to All Authenticated Users and use FBA in the Web Listener, for example. If the redirection occurs for another site hosted by ISA under the same domain, you can also use SSO. This will make the authentication go through ISA Server, get the 301 internally, then come back through ISA with the same authentication cookie.
Testing it
Here is the communication between client and the two web servers, with ISA in the middle:
1. Client sends the HTTP GET for www.contoso.com:
192.168.0.34 192.168.0.60 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: www.contoso.com
Connection: Keep-Alive
HeaderEnd: CRLF
2. ISA Server receives the request and forwards it to the published server:
10.20.20.2 10.20.20.25 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Reverse-Via: ISACONTN2
Host: www.contoso.com
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF
4. The web server answers with the HTTP 301 permanent redirect:
10.20.20.25 10.20.20.2 HTTP HTTP:Response, HTTP/1.1, Status Code = 301, URL: /
- Http: Response, HTTP/1.1, Status Code = 301, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 301, Moved permanently
Reason: Moved Permanently
ContentLength: 146
ContentType: text/html
Location: http://ww2.contoso.com/
Server: Microsoft-IIS/6.0
XPoweredBy: ASP.NET
Date: Tue, 24 Feb 2009 02:31:09 GMT
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
5. We can see in the Monitoring / Logging that the “Contoso Web Site” rule is processed successfully for this first access:
Figure 5 – ISA Processing the first rule for www.contoso.com
6. ISA forwards the 301 to the client, which receives the following answer:
192.168.0.60 192.168.0.34 HTTP HTTP:Response, HTTP/1.1, Status Code = 301, URL: /
- Http: Response, HTTP/1.1, Status Code = 301, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 301, Moved permanently
Reason: Moved Permanently
Connection: Keep-Alive
ContentLength: 146
Date: Tue, 24 Feb 2009 02:31:09 GMT
Location: http://ww2.contoso.com/
ContentType: text/html
Server: Microsoft-IIS/6.0
XPoweredBy: ASP.NET
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
7. Client sends an HTTP GET request for the new location, ww2.contoso.com:
192.168.0.34 192.168.0.60 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Connection: Keep-Alive
Host: ww2.contoso.com
HeaderEnd: CRLF
8. ISA Server processes the request using the new rule (new Contoso web site):
Figure 6 – ISA processing the request for ww2.contoso.com using the new rule.
9. ISA Server sends a GET request to the new server:
10.20.20.2 10.20.20.20 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Reverse-Via: ISACONTN2
Host: dccont.contoso.msft
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF
10. New web server answers with HTTP 200:
10.20.20.20 10.20.20.2 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /
- Http: Response, HTTP/1.1, Status Code = 200, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Cache-Control: max-age=86400
ContentLength: 1433
ContentType: text/html
Content-Location: http://dccont.contoso.msft/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT
Accept-Ranges: bytes
ETag: "09b60bc3dac21:406"
Server: Microsoft-IIS/6.0
Date: Tue, 24 Feb 2009 02:31:10 GMT
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
11. ISA Server sends the HTTP 200 to the client:
192.168.0.60 192.168.0.34 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /
- Http: Response, HTTP/1.1, Status Code = 200, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Connection: Keep-Alive
ContentLength: 1433
Date: Tue, 24 Feb 2009 02:31:10 GMT
Content-Location: http://ww2.contoso.com/iisstart.htm
ContentType: text/html
ETag: "09b60bc3dac21:406"
Server: Microsoft-IIS/6.0
Cache-Control: max-age=86400
Last-Modified: Fri, 21 Feb 2003 23:48:30 GMT
Accept-Ranges: bytes
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
Note: If you compare the Content-Location HTTP header in step 10 above (http://dccont.contoso.msft/iisstart.htm) with the Content-Location header in step 11 (http://ww2.contoso.com/iisstart.htm), they are different. This is because step 10 shows the HTTP response sent from the internal web server to ISA, while step 11 shows this response as sent from ISA to the external client.
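The check below is an added example, not part of the original article: it takes a response head as the external client would receive it and reports a redirect that is not a 301 to the expected location, or a Location/Content-Location header that still names an internal host such as the one seen in step 10. The function names and the PUBLIC_HOSTS set are assumptions; the sample inputs are constructed from the traces above.

```python
from urllib.parse import urlsplit

# Constructed samples: the step 6 and step 10 responses from the traces above,
# rewritten as raw HTTP response heads (header names in their wire form).
STEP6_FROM_ISA = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: 146\r\n"
    "Location: http://ww2.contoso.com/\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/6.0\r\n\r\n"
)
STEP10_FROM_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 1433\r\n"
    "Content-Location: http://dccont.contoso.msft/iisstart.htm\r\n"
    "Server: Microsoft-IIS/6.0\r\n\r\n"
)
PUBLIC_HOSTS = {"www.contoso.com", "ww2.contoso.com"}  # assumed published names

def parse_head(raw):
    """Split a raw response head into (status code, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_external_response(raw, expect_status, expect_location=None):
    """Return findings for a response as it would reach the external client."""
    status, headers = parse_head(raw)
    findings = []
    if status != expect_status:
        findings.append(f"status {status}, expected {expect_status}")
    if expect_location and headers.get("location") != expect_location:
        findings.append(f"Location is {headers.get('location')!r}")
    # URL-bearing headers must name only published hosts, not internal ones.
    for name in ("location", "content-location"):
        host = urlsplit(headers.get(name, "")).hostname
        if host and host not in PUBLIC_HOSTS:
            findings.append(f"{name} exposes non-public host {host}")
    return findings

if __name__ == "__main__":
    print(check_external_response(STEP6_FROM_ISA, 301, "http://ww2.contoso.com/"))
    print(check_external_response(STEP10_FROM_IIS, 200))
```

Feeding it the step 10 response stands in for what the client would see if the internal name were passed through unchanged; the step 6 response passes with no findings.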
Conclusion
In this article you learned how to use an internal web server to send the HTTP 301 to external requests instead of using the redirect Deny rule functionality in ISA Server. This solution can assist you in scenarios where the default redirect rule from ISA Server 2006 (which sends HTTP 302 redirects) does not address your needs.
Author
Yuri Diogenes
Security Support Engineer – Microsoft CSS Forefront Edge Team
Technical Reviewers
Thomas Detzner
Escalation Engineer - Microsoft CSS Forefront Edge Team
Ian Parramore
Escalation Engineer - Microsoft CSS Forefront Edge Team
Comments
Anonymous
January 01, 2003
@Salim: thank you, fixed.
Anonymous
December 17, 2011
There is a typo error in: "The first step in this configuration is to prepare the current Web Server (10.20.20.2) to send the HTTP 301." The IP of the current web server is 10.20.20.25 not 10.20.20.2 which is the internal IP of the ISA server.
Anonymous
May 18, 2014
CAN HELP ANYBODY MY ISA SERVER BLOCKS TRANSLATE.GOOGLE.COM PLEASE HOW CAN I OPEN IT