Running PASSPORT Web to Host® with Microsoft® ISA Server

PASSPORT Web to Host® browser-based terminal emulation can be used in conjunction with Microsoft® Internet Security and Acceleration (ISA) Server to provide host access to remote users without the security risks associated with opening TCP port 23 on corporate firewalls.

By incorporating TN3270, TN5250, VT100, VT220, VT420, SCO ANSI and Wyse 60 host connectivity through an ISA Server, organizations can use TCP port 80 for both HTTP and Telnet traffic.

Benefits

  • TCP Port redirection may be used to allow remote users to connect to host systems using port 80 rather than opening port 23 on the corporate firewall. This is very useful for organizations that do not allow ports other than 80 to be opened for security reasons.
  • Administrators may also use ISA Server to restrict access to terminal emulation sessions on the PASSPORT Web to Host® Server.

PASSPORT Web Based Terminal Emulator

PASSPORT Web to Host® is a web based terminal emulation program. A server component provides centralized configuration and administration of host access session profiles. The host session profiles contain host connection information, keyboard mapping information and other attribute configuration information. All software and configuration files reside on the web server.

When a terminal emulation session is started, an ActiveX applet is downloaded from the Web Server to the client desktop and runs inside Internet Explorer, making a direct connection to the host system.

Microsoft® ISA Server

Microsoft Internet Security and Acceleration Server is an advanced application-layer firewall, VPN, and Web cache solution that enables customers to easily maximize existing IT investments by improving network security and performance. A member of the Microsoft Windows Server System™, ISA Server is a secure, easy-to-use, cost-effective solution that helps IT professionals combat new and emerging security threats. For more information regarding ISA Server, visit http://www.microsoft.com/isaserver/.

TCP Port Redirection

ISA Server may be configured so that both HTTP network traffic and Telnet traffic are passed through on TCP port 80. Once the Telnet traffic reaches the internal network it is redirected to the actual TCP port of the Telnet host (normally port 23). The steps below should be followed to configure ISA Server:

Note: These instructions were written for ISA Server version 2004 and may vary slightly with other versions.

  1. The external interface on the ISA Server computer must have at least two IP addresses assigned to it. This is configured under the Advanced TCP/IP Settings for the operating system.
  2. A Web Publishing Rule must be configured on the ISA Server, which listens on one of the assigned IP addresses and directs remote users to the PASSPORT Web to Host® Server HTML documents. This maps TCP port 80 on this external interface to TCP port 80 on the internal web server.
  3. A Server Publishing Rule must be configured on the ISA Server, which listens on the other IP address and directs Telnet Server traffic to the host. This maps TCP port 80 on this external interface to TCP port 23 on the host.
  4. Sessions on the PASSPORT Web to Host® Server should be configured to connect to the same IP address used to configure the Server Publishing rule in step 3 above using TCP port 80.

Configuring a Web Publishing Rule for HTTP

Follow the steps below to configure the Web Publishing Rule on ISA Server:

  1. Start the ISA Server Management Console.
  2. Choose Firewall Policy in the left-hand pane of the console.
  3. Select the Tasks tab in the right-hand pane of the console.
  4. Choose Publish a Web Server under Firewall Policy Tasks to start the New Web Publishing Rule wizard.
  5. Enter a name for your web publishing rule and click Next.
  6. Make sure Allow is selected for the action and click Next.
  7. Enter the computer name or IP address of the PASSPORT Web to Host® server or Browse to select and click Next.
  8. If a domain name has been registered you may enter it under Public Name, otherwise enter one of the IP addresses assigned to the external interface of the ISA Server and click Next.
  9. Click the New button to start the New Web Listener Wizard.
  10. Enter a name for the Web Listener and click Next.
  11. Enable the check box next to the External Interface and click the Address… button.
  12. Choose the “Specified IP Addresses on the ISA Server computer in the selected network” radio button, select the appropriate address and then click Add.
  13. Click OK to save and then click Next to continue.
  14. Make sure Enable HTTP is selected and port 80 is entered for the HTTP port.
  15. Click Next, click Finish and then click Next.
  16. To allow anonymous access, leave the All Users user set in the list and click Next. To prompt users for credentials, remove All Users and replace it with a user set that contains the appropriate network users.
  17. Click Finish and then click Apply to save the changes.
  18. Test the web publishing rule by typing the IP address or domain name with /pec appended to the end into the address bar of Internet Explorer on a PC that is located outside the ISA Server. For example, http://myisaserver.zephyrcorp.com/pec. This should display the PASSPORT Web to Host® Client web page.

Configuring a Server Publishing Rule for Telnet

Follow the steps below to configure the Server Publishing Rule on ISA Server:

  1. Start the ISA Server Management Console.
  2. Choose Firewall Policy in the left-hand pane of the console.
  3. Select the Tasks tab in the right-hand pane of the console.
  4. Choose Create New Server Publishing Rule to start the New Server Publishing Rule wizard.
  5. Enter a name for your server publishing rule and click Next.
  6. Enter the IP address of the host and click Next.
  7. Choose Telnet Server from the Selected Protocol drop-down list and click Ports.
  8. Under Firewall Ports, choose the “Publish on this port instead of the default port” radio button, enter 80 for the port number, click OK and then click Next.
  9. Enable the check box next to the External Interface and click the Address… button.
  10. Choose the “Specified IP Addresses on the ISA Server computer in the selected network” radio button, select the IP address that was not used for the Web Publishing Rule above and then click Add.
  11. Click OK to save and then click Next to continue.
  12. Click Finish and then click Apply to save the changes.
  13. Double-click the new server publishing rule to display the properties page.
  14. Select the To tab and choose the “Requests appear to come from the ISA Server computer” radio button.
  15. Click OK and then click Apply to save the changes.
  16. Test the server publishing rule by choosing the Launch button from the PASSPORT Web to Host® Client page. Select 3270 Display, 5250 Display or VT Display depending on what type of session was created. Type the session name and then click Submit. This should start the session and connect to the host.

Note: this can only be tested after completing the next step.

Configuring a Session from the PASSPORT Web to Host® Administrator

Follow the steps below to configure a session using the PASSPORT Web to Host® Administrator application:

  1. Start the PASSPORT Web to Host® Administrator application.
  2. Choose what type of session to create.
  3. Double-click Sessions in the right-hand pane.
  4. Right-click the right-hand pane and choose New from the popup menu.
  5. Enter a name for the session and click OK.
  6. Enter the IP address that was used to configure the server publishing rule above (step 9).
  7. Change the TCP Port from 23 to 80.
  8. Make any additional configuration changes then click OK to save.
  9. This can only be tested from a PC that is outside the ISA Server (see step 15 above).
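
The two publishing rules can also be checked from a PC outside the ISA Server by looking at what each external IP address answers with on TCP port 80: the Web Publishing Rule address should speak HTTP, and the Server Publishing Rule address should open with Telnet option negotiation. The script below is an added example, not part of PASSPORT Web to Host® or ISA Server; the sample banners are constructed, and the addresses passed to probe() are placeholders for your own.

```python
import socket

IAC = 0xFF
COMMANDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
OPTIONS = {0x00: "BINARY", 0x01: "ECHO", 0x03: "SGA",
           0x18: "TERMINAL-TYPE", 0x19: "END-OF-RECORD", 0x28: "TN3270E"}

def parse_negotiation(data: bytes):
    """Decode the leading IAC <command> <option> triples of a Telnet banner."""
    pairs, i = [], 0
    while i + 3 <= len(data) and data[i] == IAC and data[i + 1] in COMMANDS:
        opt = data[i + 2]
        pairs.append((COMMANDS[data[i + 1]], OPTIONS.get(opt, f"option-{opt}")))
        i += 3
    return pairs

def classify(first_bytes: bytes) -> str:
    """Label the first bytes a listener sent as 'telnet', 'http' or 'unknown'."""
    if parse_negotiation(first_bytes):
        return "telnet"
    if first_bytes.startswith(b"HTTP/"):
        return "http"
    return "unknown"

def probe(host: str, port: int = 80, timeout: float = 3.0) -> str:
    """Connect from outside the ISA Server and report what answers on the port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(64)      # a Telnet host usually negotiates unprompted
        except OSError:
            data = b""             # an HTTP listener waits for the client
        if not data:
            try:
                s.sendall(b"HEAD /pec HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = s.recv(64)
            except OSError:
                data = b""
    return classify(data)

# Constructed sample banners (not captured from a real host).
SAMPLE_TELNET = bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFB, 0x01])  # IAC DO TERMINAL-TYPE, IAC WILL ECHO
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"

if __name__ == "__main__":
    print(parse_negotiation(SAMPLE_TELNET), classify(SAMPLE_HTTP))
    # Against a live setup: probe("<web-rule-ip>") should give 'http',
    # probe("<server-rule-ip>") should give 'telnet'.
```

A result of 'unknown' for the Server Publishing Rule address usually means the rule is not applied or the session is pointed at the wrong external IP address.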

Variations

In the above scenario, if HTTPS (port 443) is utilized for accessing the PASSPORT Web to Host® Server, then a single IP address may be used if normal HTTP traffic is not required. With this configuration both publishing rules on the ISA Server would listen on the same IP address. Bridging may be used on the Web Publishing rule to provide SSL encryption from the client to the ISA Server or all the way thru to the Web to Host Server. An SSL certificate must be installed on the ISA Server to utilize SSL.

Internal Network Clients Accessing External Resources

  • HTTP – to allow internal clients access to a remote PASSPORT Web to Host® Server, an Access Rule must be configured on the ISA Server, which allows the HTTP protocol from the Internal Network to the External Network.
  • Telnet – if internal clients require access to a remote host using the PASSPORT Web to Host® Client, an Access Rule must be configured on the ISA Server to allow Telnet traffic from the Internal Network to the External Network.
  • FTP – if internal clients will be using the PASSPORT FTP Client to transfer files to and from a remote FTP Server, an Access Rule must be configured on the ISA Server to allow FTP traffic from the Internal Network to the External Network. The PASSPORT FTP Client must also be configured to Use PASV Transfer Mode, which is configured on the Profiles tab of the Communication Setup screen.

Remote Clients Accessing Internal Network Resources

  • HTTP – to allow remote clients to access the PASSPORT Web to Host® Server, a Web Publishing Rule must be added to the ISA Server, which allows HTTP and/or HTTPS traffic from the External Network to the server where PASSPORT Web to Host® is installed.
  • Telnet – allowing Telnet traffic to pass thru the ISA Server for access to an internal host by remote clients requires that the appropriate configuration has been applied to the ISA Server. A Server Publishing Rule must be added that allows Telnet Server traffic from the External network to the IP Address of the internal host. The Server Publishing Rule must be configured so that requests appear to come from the ISA Server computer.
  • FTP – a Server Publishing Rule must be added to allow external clients to access an internal FTP server thru the ISA Server. This rule should be configured to allow FTP Server traffic from the external network to the specific IP Address of the FTP server to publish. The Server Publishing Rule must also be configured so that requests appear to come from the ISA Server computer. The listener should also be configured to use the external interface. External PASSPORT FTP Clients should be configured to connect to the external IP address of the ISA Server using port 21. If a non-standard port was used to configure the Server Publishing Rule, use this port when configuring the FTP Client. The PASSPORT FTP Client must also be configured to Use PASV Transfer Mode, which is configured on the Profiles tab of the Communication Setup screen.

HTTP 407 Proxy Authentication Error

If internal clients require access to an external PASSPORT Web to Host® Server thru the ISA Server, an HTTP 407 – Proxy Authentication error may be returned by the PASSPORT client. This occurs if the Access Rule for Internet access is configured for a specific set of users. To overcome this, you must re-configure the Access Rule or create a specific Access Rule for PASSPORT Web to Host® access, which uses the All Users user set. This issue has been addressed in PASSPORT Web to Host® version 2004-930-2. If specific user sets are required on the ISA Server, this version or later must be used to prevent the HTTP 407 error.

About Zephyr

Zephyr Development Corporation is committed to delivering high-quality, affordable TN3270, TN5250, VT100, VT220, VT420, SCO ANSI or Wyse 60 terminal emulation software and host access solutions. Zephyr offers subscription based licensing that substantially reduces the cost of terminal emulation software. Founded in 1985, Zephyr is a Microsoft Certified Solution Partner, Citrix Premier Alliance Partner, a Cisco Enterprise Associate, a member of IBM® PartnerWorld, Microsoft® MSDN and the IETF. Zephyr headquarters are in Houston, Texas and can be accessed on the web at http://www.zephyrcorp.com.

About Microsoft

Founded in 1975, Microsoft is the worldwide leader in software, services and solutions that help people and businesses realize their full potential. Microsoft headquarters are in Redmond, WA and can be accessed on the web at www.microsoft.com.

Trademarks

Zephyr and PASSPORT Web to Host® are trademarks of Zephyr Development Corporation. Microsoft, Windows and Windows Server are registered trademarks of Microsoft. All other trademarks and trade names are the property of their respective owners.
