
ISA Server as Reverse Proxy for SAP Applications!!!

h4. Introduction

Some of our active SDN members have already discussed reverse proxy implementations on most servers other than the ISA Server series. Since we did not have proper help on configuring a reverse proxy on ISA Server, we faced some difficulties while implementing it. This motivated me to write something on the subject, and I believe this information will be really helpful to those who are planning to implement their reverse proxy scenarios on the ISA Server series. In this blog, I will discuss the implementation of a reverse proxy on ISA Server 2006.

h4. Important Terms and Definitions

h5. ISA Server

Internet Security and Acceleration (ISA) Server is the integrated edge security gateway that helps protect IT environments from Internet-based threats while providing users with fast and secure remote access to applications and data.

h5. DMZ (Demilitarized Zone)

A neutral zone that exists between two networks (intranet and internet) and allows connections between them.

h5. ISA Server Management

Microsoft ISA Server 2006 can be administered using ISA Server Management, a snap-in console in Microsoft Management Console (MMC).

h5. Web Publishing Rule

A rule that is configured to specify how incoming requests to web servers will be handled.

h5. Web Listener

The Web Listener specifies the IP addresses and the port on which the ISA Server computer listens for incoming web requests.

h4. Key Features available in ISA Server 2006

Compared to other servers, ISA Server 2006 has the following benefits:

** Ease of use and improved management interface
** Web Publishing Load Balancing
** HTTP Compression
** Improved Alerting
** Better Network Integration

Because of these additional benefits, nowadays most customers prefer to implement their reverse proxy scenarios on the ISA Server series.

h4. Recommended Landscape

In general, ISA Server 2006 should be located in the DMZ. The SAP servers are located in the intranet. The figure attached below describes the recommended landscape and a DMZ scenario.

h4. Prerequisites

To use ISA Server, we need:

1. A personal computer with a 550-megahertz or faster processor. (You need to use a server-class machine for production environments.)
2. Microsoft Windows Server 2003 operating system with Service Pack 1 (SP1) or Microsoft Windows Server 2003 R2 operating system. (You cannot install ISA on 64-bit versions of Windows Server 2003.)
3. A minimum of 256 MB RAM. (You should size this appropriately for production environments.)
4. 150 MB of available hard disk space. This is exclusive of the hard disk space you want to use for caching.
5. One network adapter that is compatible with the computer's operating system, for communication with the internal network. (An additional network adapter is needed for each network connected to the ISA Server computer. If you want to implement the external scenario as well, you need one more network adapter.)
6. One local hard disk partition that is formatted with the NTFS file system.
7. Access to ISA Server Management (explained under the "Important Terms and Definitions" section).

h4. Steps to be followed

You need to perform at least the following steps to implement a reverse proxy on ISA Server 2006:

I) Create Web Publishing Rule
  1 Specify Web Publishing Rule Name
  2 Select the Rule Action Type
  3 Select the Publishing Type
  4 Select the Server Connection Security
  5 Specify Internal Publishing Details
  6 Specify Public Name Details
  7 Create Web Listener
    7.1 Specify Web Listener Name
    7.2 Select Client Connection Security
    7.3 Specify Web Listener IP Addresses
    7.4 Select Authentication Settings
  8 Select Authentication Delegation
  9 Specify User Sets
II) Publishing all necessary paths
III) Changing the target port
IV) Activate Link Translation

h4. I) Create Web Publishing Rule

In order to make the SAP applications accessible via Microsoft ISA Server, you need to define a new Web Site Publishing Rule. For this, in ISA Server Management, right-click "Firewall Policy" and choose "New -> Web Site Publishing Rule". The wizard for creating a Web Publishing Rule pops up. The Web Publishing Rule determines how incoming requests to the server will be handled.

h5. 1. Specify Web Publishing Rule Name

You can specify the name of the web publishing rule here.

h5. 2. Select the Rule Action Type

You need to select the rule action type here. This specifies how you want this rule to respond when the rule conditions are met. There are two rule action types, "Allow" and "Deny".

h5. 3. Select the Publishing Type

Here you have to select the publishing type: whether this rule publishes a single web site or external load balancer, a web server farm, or multiple web sites.

h5. 4. Select the Server Connection Security

Choose the type of connection ISA Server will establish with the published web server or server farm. There are two connection types: secured connections and non-secured connections. For this test scenario, I preferred the non-secured connection.

h5. 5. Specify Internal Publishing Details

You need to specify the internal name of the web site you are publishing. This is the name internal users type into their browsers to reach the web site. The ISA Server must be able to resolve the IP address or the name of the internal server specified.

Then specify the internal path and publishing options of the published web site. Based on this, we can publish the entire web site or limit access to a specified folder. For the portal it is /irj* and for BSP applications it is /sap*. For proper functionality, the check box "Forward original host header instead of actual" must be selected.

h5. 6. Specify Public Name Details

You need to specify the public domain name or IP address users will type to reach the published web site. The public domain name should be a registered one.

h5. 7. Select / Create Web Listener

The web listener specifies the IP address and the port on which the ISA Server computer listens for incoming web requests. If the web listener is already created, you only have to select it; otherwise you need to create one. Web listeners specify how ISA Server listens for and authenticates incoming web requests from clients.

h5. 7.1 Specify Web Listener Name

To create a web listener, you need to specify the web listener name.

h5. 7.2 Select Client Connection Security

This specifies the type of connections the web listener will establish with clients. There are two types of client connection security, secured and non-secured. For this test scenario, I preferred the non-secured connection type.

h5. 7.3 Specify Web Listener IP Addresses

If all requests come from the internet, select only "External". If you also want to access the published applications from inside your network, select "Internal" as well.

h5. 7.4 Select the Authentication Type

Select how clients will authenticate to ISA Server, and how ISA Server will validate their credentials. Specify the port that the ISA Server computer will use to listen on the selected IP addresses for incoming web requests. For HTTP connections the port is 80 and for HTTPS connections it is 443. The figure attached below is for secure HTTP connections. The web listener is created after this step, and you can select the created web listener as shown in the picture below.

h5. 8. Select Authentication Delegation

Authentication delegation is the method ISA Server uses to authenticate the session it opens with the published site. If the published web server requests HTTP authentication, ISA Server will not pass the authentication request to the user.

h5. 9. Specify User Sets

We can limit requests from users using user sets. The rule can apply to requests from all users, or access can be limited to specific user sets.
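The published paths chosen in step 5 decide which rule a request falls under, and firewall policy rules are evaluated in order, so two rules that both publish /sap* under the same public name can only ever resolve to the first of them. The following Python model is added here as an example; it is not code from the original blog and not ISA Server's own code. Its matching semantics (first match wins, implicit deny, the three path-pattern forms), the host names and the mapping of services to systems are assumptions constructed for illustration. It shows how the path patterns match, how rule order resolves a request, and a check that flags rules shadowed by an earlier one.

```python
"""Ordered web-publishing rules with ISA-style path patterns.

Added example; not code from the original blog or from Microsoft ISA Server.
Assumed model: rules are evaluated top-down and the first rule whose public
name and path both match decides; a request matching no rule is denied.
Path patterns follow the forms used for published paths in step 5:
    /folder/*   the folder and everything below it
    /prefix*    any path beginning with /prefix
    /exact      that path only
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WebPublishingRule:
    name: str
    action: str               # "Allow" or "Deny" (step 2)
    public_names: List[str]   # step 6; "*" stands for "any domain name"
    paths: List[str]          # step 5, e.g. "/irj*"
    internal_server: str      # step 5, the published internal site


def path_matches(pattern: str, path: str) -> bool:
    """Match one request path against one published path pattern."""
    if pattern.endswith("/*"):
        folder = pattern[:-2]
        return path == folder or path.startswith(folder + "/")
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def host_matches(rule: WebPublishingRule, host: str) -> bool:
    return "*" in rule.public_names or host in rule.public_names


def route(rules: List[WebPublishingRule], host: str, path: str) -> Tuple[str, Optional[str], Optional[str]]:
    """First-match evaluation: returns (decision, rule name, internal server)."""
    for rule in rules:
        if host_matches(rule, host) and any(path_matches(p, path) for p in rule.paths):
            if rule.action != "Allow":
                return ("denied", rule.name, None)
            return ("allowed", rule.name, rule.internal_server)
    return ("denied", None, None)          # implicit default deny


def pattern_covers(broad: str, narrow: str) -> bool:
    """True when every path matched by `narrow` is also matched by `broad`."""
    if not broad.endswith("*"):
        return broad == narrow
    if broad.endswith("/*"):
        folder = broad[:-2]
        if narrow.endswith("/*"):
            sub = narrow[:-2]
            return sub == folder or sub.startswith(folder + "/")
        if narrow.endswith("*"):
            return narrow[:-1].startswith(folder + "/")
        return path_matches(broad, narrow)
    fixed = narrow[:-2] if narrow.endswith("/*") else narrow.rstrip("*")
    return fixed.startswith(broad[:-1])


def shadowed_rules(rules: List[WebPublishingRule]) -> List[Tuple[str, str]]:
    """(later, earlier) pairs where the earlier rule already claims every request the later one could match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            hosts_covered = "*" in earlier.public_names or set(later.public_names) <= set(earlier.public_names)
            paths_covered = all(any(pattern_covers(b, n) for b in earlier.paths) for n in later.paths)
            if hosts_covered and paths_covered:
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule sets (host names are placeholders, not from the blog).
PORTAL = WebPublishingRule("Portal", "Allow", ["portal.example.com"], ["/irj*"], "portal.intranet.local")
# Ordering with a shared /sap* path: only the first /sap* rule can ever fire.
OVERLAPPING = [
    PORTAL,
    WebPublishingRule("BI", "Allow", ["*"], ["/sap*"], "bi.intranet.local"),
    WebPublishingRule("ECC", "Allow", ["*"], ["/sap*"], "ecc.intranet.local"),
    WebPublishingRule("SRM", "Allow", ["*"], ["/sap*"], "srm.intranet.local"),
]
# The same systems published on service-specific paths instead of /sap*.
SPECIFIC = [
    PORTAL,
    WebPublishingRule("BI", "Allow", ["*"], ["/sap/bw/*"], "bi.intranet.local"),
    WebPublishingRule("ECC", "Allow", ["*"], ["/sap/bc/gui/sap/its/*"], "ecc.intranet.local"),
    WebPublishingRule("SRM", "Allow", ["*"], ["/sap/bc/bsp/*"], "srm.intranet.local"),
]

if __name__ == "__main__":
    req = ("ecc.example.com", "/sap/bc/gui/sap/its/webgui")
    print("overlapping:", route(OVERLAPPING, *req), "shadowed:", shadowed_rules(OVERLAPPING))
    print("specific:   ", route(SPECIFIC, *req), "shadowed:", shadowed_rules(SPECIFIC))
```

Running the block evaluates one constructed ECC request under both orderings: with the shared /sap* path the BI rule takes the request and the ECC and SRM rules are reported as shadowed, while the service-specific paths send it to the ECC server. The model ignores listeners, ports and authentication, so it is a way to reason about path patterns and rule order before touching the policy, not a substitute for checking the rule set in ISA Server Management.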
  • Hi Kishor,

    I run through your configuration example without problems on our TST-System. But I do not get it working on our PRD-System. The difference between the systems is the SSO (Kerberos authentication) for the PRD-System. What’s to do to get it working with SSO?

    Thank you for supporting!
    Kind regards
    Mathias Stebner

    • Hi Mathias,

      Thanks for your comment 🙂
      Nice to hear that it is working in your case !!!!

      I am expecting much more details on your scenario. Could you please give much more details?

      In addition to the proxy functionality, ISA server can also be used as an authentication gateway. There are a variety of possibilities to configure your landscape in order to ensure efficient and effective authentication. This means that besides the question of the method of authentication you also have a choice where the authentication takes place, whether you want to authenticate at ISA level or not.

      If you can reply back with your mail id, I can forward you one document which mentions all the details on the same - on ISA Server 2004. I believe, currently this document is not available at SDN, which was there :(. But the procedures you can follow for ISA Server 2006 too.

      Thanks & Regards,
      Kishor Gopinathan

      • Hi Kishor,

        Your document is really very nice.
        I have a problem, like I had published my SAP portal on the internet. In this portal we have different links which are hosted on different servers like BI, ECC and SRM. I have created one rule for publishing over the internet. For other links hosted on other servers I created separate rules like BI, ECC and SRM. My rules are ordered like this:
        1. Portal
        2. Bi
        3. ECC
        4. SRM

        These three rules below are not bound to any external path; it is given the same as the internal one. These URLs share the path /sap/* and /sap*.

        Once I try to access links hosted on the ECC it gets denied by rule BI as they are sharing the same path. How can I overcome this problem?

        Do you have any idea.

        • Hi Ravi,

          Thanks for your comments :).

          Yeah its a good question!!!

          Based on your requirement you need to change the path like -:

          For BSP applications, generally the service path would be /sap/bc/bsp/
          For Transactional iViews, service path would be /sap/bc/gui/sap/its/
          For Bex Reports, service path would be /sap/bw/

          So, instead of /sap/*, mention proper paths for your ECC, SRM and BI systems as aforementioned. This solution should work!!! Try this and let me know 🙂

          Thanks & Regards,
          Kishor Gopinathan

          • Hi Kishore,

            Thanks for the update.. but the problem is for every server we have /sap*, which is invoked while any URL is accessed. Is there any procedure for publishing URLs for the same path but on different servers while these paths are not bound with an external path?

            Could you please help me in this regard. I want to discuss this with you; could you please provide me your contact details on my mail.

            Thanks & Regards,
            Ravi Kumar

      • Hello Kishor,

        You are doing a great job with your blog, thank you.

        I guess I have a similar question to that of Mathias. I need to configure an ISA server to act as an authentication gateway for SSO.

        There is a system SAP SRM 5.0 – SAP Web AS (AS ABAP, no Java) published behind MS ISA Server 2006. The scenario goes as follows.

        Presently, a user from Internet browser clicks a particular URL link and gets an ISA server login screen. After logging in, he or she gets a SAP SRM login webpage and has to login again.

        We would like to setup SSO like this. A user initially enters his login and password at ISA login window, and then SAP SRM Webserver gets his credentials (login ticket) from ISA Server, so that the user logs onto SAP SRM webserver without having to prove his identity once again.

        What kind of authentication is used in this case, and what are the steps to achieve this? Also, could you forward the corresponding documents (or links).

        Kind regards,

      • Dear Kishor Gopinathan,

        so far this is a great guide. We used it to setup our landscape. Thank you very much!

        Since a few weeks we are also facing problems with the ISA servers authentication – password reset.

        Would it be possible that you sent me the document also? I would really appreciate it!

        You can find my email address in my business card.


  • Hi Kishor,

    Thanks for your good documentation.
    We have some problems with the implementation of SSL encryption between external Clients and our Webdispatcher in the DMZ.
    The Firewall is managed by an IS box.
    We can't import the PSE in the ISA…
    Would you be so kind and send me the documentation that you mentioned to Mathias?

    Thanks and regards