1

Hosting Web Sites on Hosting Web Sites on Microsoft Small Business Microsoft Small Business Server 2000Server 2000

John MorelloJohn MorelloSupport ProfessionalSupport ProfessionalMicrosoft CorporationMicrosoft Corporation

2

What You Will LearnWhat You Will Learn

How to use host headers and destination sets How to use host headers and destination sets to host multiple Web sitesto host multiple Web sites

How ISA packet filters protect network How ISA packet filters protect network securitysecurity

How to configure ISA to publish protected How to configure ISA to publish protected servicesservices

3

Hosting RequirementsHosting Requirements

At least one static IP address for the Small At least one static IP address for the Small Business Server (SBS) networkBusiness Server (SBS) network

An upstream Internet connection of at least An upstream Internet connection of at least 128 Kbps128 Kbps

A server that meets SBS 2000 recommended A server that meets SBS 2000 recommended requirements (500-MHz PIII processor with requirements (500-MHz PIII processor with 256 MB of RAM)256 MB of RAM)

4

Uniqueness of SBS Hosting Uniqueness of SBS Hosting ScenarioScenario Firewall and Web server on the same Firewall and Web server on the same

physical serverphysical server Hosting Internet Security and Acceleration Hosting Internet Security and Acceleration

Server 2000 and Internet Information Services Server 2000 and Internet Information Services 5.0 on the same server requires additional 5.0 on the same server requires additional configurationconfiguration

5

Our Baseline Hosting ScenarioOur Baseline Hosting Scenario

6

Installing Necessary ComponentsInstalling Necessary Components

7

DNS Configuration OverviewDNS Configuration Overview

Determine which server has SOA for the Determine which server has SOA for the domaindomain

Use NSLookup to verify that the server’s A Use NSLookup to verify that the server’s A record is correctly pointed to the IP of your record is correctly pointed to the IP of your SBS 2000 hostSBS 2000 host

Any updates or new records must be made Any updates or new records must be made on the server that has SOA for the domainon the server that has SOA for the domain

8

Using NSLookup for SOA VerificationUsing NSLookup for SOA VerificationMicrosoft Windows 2000 [Version 5.1.2465](C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookupDefault Server: server.nwtraders.localAddress: 192.168.16.2

>server dns1.isp.netDefault Server: dns1.isp.netAddress: 200.1.1.1

> set type=soa> nwtraders.comServer: dns1.isp.netAddress: 200.1.1.1

Non-authoritative answer:nwtraders.com primary name server = dns1.isp.net responsible mail addr = admin serial = 2413717 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour)

dns1.isp.net internet address = 200.1.1.1

9

Using NSLookup for Host VerificationUsing NSLookup for Host Verification

Microsoft Windows 2000 [Version 5.1.2465](C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookupDefault Server: server.nwtraders.localAddress: 192.168.16.2

>server dns1.isp.netDefault Server: dns1.isp.netAddress: 200.1.1.1

> www.nwtraders.comServer: dns1.isp.netAddress: 200.1.1.1

Name: www.nwtraders.comAddress: 200.2.2.2

>

10

Basic TCP/IP Configuration of the Basic TCP/IP Configuration of the Internal AdapterInternal Adapter

IP address will be a non-routed address (by IP address will be a non-routed address (by default SBS uses 192.168.16.2; private ranges default SBS uses 192.168.16.2; private ranges include 10.0.0.0/8, 172.16.0.0-include 10.0.0.0/8, 172.16.0.0-172.31.255.255/16, and 192.168.0.0/16)172.31.255.255/16, and 192.168.0.0/16)

Gateway should be left emptyGateway should be left empty DNS server should be pointed to the IP DNS server should be pointed to the IP

address of the adapteraddress of the adapter

11

Basic TCP/IP Configuration of the Basic TCP/IP Configuration of the External AdapterExternal Adapter IP address, net mask, and gateway IP address, net mask, and gateway

information will be provided by the ISPinformation will be provided by the ISP Add only the IP of the internal adapter to the Add only the IP of the internal adapter to the

list of DNS serverslist of DNS servers Remove (uncheck) all services and protocols, Remove (uncheck) all services and protocols,

except QoS Packet Scheduler and TCP/IPexcept QoS Packet Scheduler and TCP/IP Disable NetBIOS, disable DNS registrationDisable NetBIOS, disable DNS registration

12

Configuring DNS ForwardersConfiguring DNS Forwarders

If the Internet Connection Wizard has been If the Internet Connection Wizard has been run, DNS Forwarders should already be run, DNS Forwarders should already be configuredconfigured

Forwarders speed up name resolution for Forwarders speed up name resolution for internal clients attempting to resolve external internal clients attempting to resolve external addressesaddresses

13

Adding DNS ForwardersAdding DNS Forwarders

14

Determining Your Hosting ScenarioDetermining Your Hosting Scenario

Hosting multiple Web sites?Hosting multiple Web sites? Using host headers or unique IP addressing?Using host headers or unique IP addressing? Content update methodsContent update methods

15

Assigning New Internal IP AddressesAssigning New Internal IP Addresses

16

Creating Webs Within IISCreating Webs Within IIS

17

Binding the Web Sites to the Binding the Web Sites to the Appropriate IPsAppropriate IPs

18

Reconfiguring Incoming Web Reconfiguring Incoming Web Request ListenersRequest Listeners

19

Creating Destination SetsCreating Destination Sets

20

Creating Web Publishing RulesCreating Web Publishing Rules

21

Packet FiltersPacket Filters

22

Restarting ISA ServicesRestarting ISA Services

23

Logical Flow of a Web RequestLogical Flow of a Web Request

24

Logical Flow of a Web RequestLogical Flow of a Web Request (2) (2)

HTTP request HTTP request

ISA Incoming Web Request listener grabs the ISA Incoming Web Request listener grabs the request and forwards it to the Web request and forwards it to the Web Publishing rules Publishing rules

ISA Web Publishing rule ISA Web Publishing rule (determines (determines whether or not the rule is applicable by whether or not the rule is applicable by comparing host header to destination set)comparing host header to destination set)

IIS responds directly to Internet clientIIS responds directly to Internet client

25

Tuning Your IIS 5.0 Web SiteTuning Your IIS 5.0 Web Site

WindowsWindows®® 2000 Web and Application 2000 Web and Application ServicesServiceshttp://microsoft.com/windows2000/technologihttp://microsoft.com/windows2000/technologies/web/default.aspes/web/default.asp

The Art and Science of Web Server Tuning The Art and Science of Web Server Tuning with Internet Information Services 5.0with Internet Information Services 5.0http://microsoft.com/windows2000/techinfo/ahttp://microsoft.com/windows2000/techinfo/administration/web/tuning.aspdministration/web/tuning.asp

Note that the URLs should be entered as one line; they are wrapped here for readability.

26

Basic IIS SecurityBasic IIS Security

File and directory access permissions are File and directory access permissions are defined by the regular NTFS ACLsdefined by the regular NTFS ACLs

Anonymous Internet users are represented Anonymous Internet users are represented by the IUSR_<by the IUSR_<servername>servername> account account

Windows 2000 exposes most common Windows 2000 exposes most common security configuration options with the security configuration options with the Domain, Domain Controller, and Local Domain, Domain Controller, and Local Security Policy toolsSecurity Policy tools

27

Maintaining Your SecurityMaintaining Your Security

Secure Internet Information Services 5 Secure Internet Information Services 5 ChecklistChecklisthttp://microsoft.com/http://microsoft.com/technettechnet/security/iis5chk.asp/security/iis5chk.asp

Windows 2000 IIS 5.0 Hotfix Checking Tool Windows 2000 IIS 5.0 Hotfix Checking Tool http://www.microsoft.com/Downloads/http://www.microsoft.com/Downloads/Release.asp?ReleaseIDRelease.asp?ReleaseID=24168=24168