
Topic: Publishing Exchange Client Access with ISA 2006


  1. #1
    Real name: 1234
    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Publishing Exchange Client Access with ISA 2006

    Code:
    http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/publishing-exchange-client-access-isa-2006-complete-solution-part1.html
    PART-1

    An end-to-end solution for publishing Exchange Server 2003/2007 with ISA Server 2006.

    Introduction

    Publishing Exchange Server Client Access with ISA Server should be a straightforward and easy task. Well, it isn’t. Although there are lots of resources on the Internet about the subject and Microsoft provides extensive technical documentation with more or less detailed steps, the truth is that every time I go through the process of providing access to Exchange for external users using ISA Server, I can’t help feeling a little bit frustrated.
    Some of the technical information needed is somehow dispersed through several sites and articles and I usually end up spending a lot of time searching for that particular solution that I know will solve my problem. That’s why I decided to write one more article about publishing Exchange with ISA. I call it the complete solution (I know it’s kind of pretentious) because it covers all aspects of the most common scenario I keep finding at my customers.
    So, what can you expect in this one-stop article?

    • ISA Server configuration
    • Exchange configuration
    • Certificates: getting them, installing and exporting
    • How to create the appropriate web listener
    • ISA Server publishing rules
    • Redirection (folder and protocol)

    This is meant to be an objective article, so I’ll try not to lose too much time diving into some more deep technical content. I’ll enumerate the necessary steps to reach the main goal and they will be illustrated with lots of pictures.
    This article applies to both Exchange 2003 and Exchange 2007. Whenever there are specific configurations, I’ll use distinct topics to cover them.
    Main Objectives

    The main goals we’re trying to accomplish are:

    • Publish full Exchange Client Access to the Internet:
      • Outlook Web Access (OWA)
      • Outlook Mobile Access and ActiveSync
      • RPC over HTTP(s) / Outlook Anywhere

    • Use a simple URL without the need to type HTTPS or /exchange (or /owa)
    • Use Forms-Based Authentication on the Internet
    • Open a reduced set of TCP ports on the firewalls

    Solution Topology

    As I said previously, I’ll cover the most common scenario I find at my customers. In order to provide you the “Complete Solution” I had to keep focused on one particular configuration or it would be impossible to write an online article about it.
    The following image depicts the topology that will be used along this article:

    Figure 1: Exchange Topology
    The main characteristics of this topology are:

    • ISA Server is in a workgroup
    • ISA Server has only one network interface (unihomed)
    • ISA Server is in a DMZ

    ISA Server Configuration

    Our first task is to configure ISA Server in a unihomed workgroup configuration. I’ll skip the ISA Server setup procedure, so we’ll start from the point where the ISA is already installed in a Windows Server 2003 environment that doesn’t belong to a domain.
    What we’ll have to do is apply the Single Network Adapter Template.

    1. Open ISA Server Management Console. Browse to Configuration and then Networks. On the Templates pane, you’ll find the Single Network Adapter. Select it and that will trigger the configuration wizard. Click Next twice.

    Figure 2

    2. On the Internal Network IP Addresses page, you’ll see the addresses that will be configured to define the default ISA firewall Internal Network. You can accept the default options. Click Next.

    Figure 3

    3. Select Apply default web proxying and caching configuration and click Next.

    Figure 4

    4. On the Completing the Network Template Wizard page, click Finish.

    Figure 5

    5. A warning will appear. Click OK.

    Figure 6

    6. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

    Certificates

    To ensure the communications between all the peers are properly secured, you need to install a server certificate on both the Exchange CAS/Front-End and ISA Server. If this certificate is from an internal CA you’ll need to install the CA certificate on both servers and your clients must all trust that same internal CA.
    When you install Exchange 2007, you can install a default Secure Sockets Layer (SSL) certificate that is created by Exchange Setup. However, it is not recommended to use it, since this certificate is not a trusted SSL certificate.

    1. To obtain a new server certificate using the Web Server Certificate Wizard, in IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site for the Exchange services and click Properties. On the Directory Security tab, click Server Certificate. Use the wizard to request and install the Web server certificate. In the Web Server Certificate Wizard, select Create a new certificate.

    Figure 7

    2. On the Delayed or Immediate Request page, select Send the request immediately to an online certification authority if you have a Windows Server 2003 enterprise CA installed in your domain. Otherwise select Prepare the request now, but send it later.
    3. Enter the required information on the Name and Security Settings and the Organization Information pages.

    Figure 8

    Figure 9

    4. Type the FQDN on the Your Site's Common Name page. This name must match the name ISA Server will use to communicate with the Exchange server. It doesn’t have to be the final external name, as we will see ahead.

    Figure 10

    5. Enter the required information on the Geographical Information page.

    Figure 11

    6. If you’ve selected Send the request immediately to an online certification authority, accept the default port of 443 on the SSL Port page and from the list under Certification authorities, select the correct internal enterprise CA. Click Next to submit your request. This will also install the certificate for your Web site.
       If you’ve selected Prepare the request now, but send it later, save the request to a text file and submit it using a browser. If it’s a Microsoft CA, the URL will be http://CAServerName/CertSrv. Select Request a certificate, click Next and select Advanced request. Click Next and select Submit a certificate request using a base64 encoded PKCS #10 file. Click Next, and open the request file that you saved from the Web Certificate Wizard in Notepad. Paste the entire text of the file, including the BEGIN and END lines, into the Base64 Encoded Certificate Request text box. When the certificate is issued, go back to IIS Manager, right click the web site and on the Directory Security tab, click Server Certificate. Select Process the pending request.


    Figure 12

    Figure 13
    The next step is to install the server certificate on the ISA Server computer, to enable a secure connection between the client computer and the ISA Server computer. If a private CA is used, the root CA certificate from the private CA will need to be installed on any client computer that needs to create a secure connection (an HTTPS connection) to the ISA Server computer.
    This certificate can be the same as that installed on the Exchange CAS/Front-End, if the internal name matches the public name. In that case, we’ll perform the following procedure to export the server certificate:

    1. On the CAS / Front-End, in IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site for the Exchange services, and click Properties.
    2. On the Directory Security tab, click Server Certificate to start the Web Server Certificate Wizard. Click Next on the Welcome page.
    3. Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.

    Figure 14

    4. Type the path and file name on the Export Certificate page and click Next. Enter a password for the .pfx file, preferably a strong one. This password will be requested when a user is importing the .pfx file.
    5. Copy the .pfx file created in the previous section to the ISA Server computer.
    6. On the ISA Server, click Start, and then click Run. In Open, type MMC, and then click OK. Click File, click Add/Remove Snap-in, and click Add to open the Add Standalone Snap-in dialog box. Select Certificates, click Add, select Computer account, and then click Next. Select Local Computer, and then click Finish. Click Close and click OK.
    7. Expand the Certificates node, and right-click the Personal folder. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.
    8. On the File to Import page, browse to the file that you created previously and copied to the ISA Server computer, and then click Next.
    9. On the Password page, type the password for this file, and then click Next.
    10. On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Personal (the default settings), and then click Next.
    11. On the wizard completion page, click Finish.
    12. If you’re using a private CA, you also need to import the CA certificate. Again, if it’s a Microsoft CA, browse to http://CAServerName/CertSrv and select Download a CA certificate, certificate chain or CRL. Repeat steps 6 to 11, but when asked where to put the certificate (step 10), select Trusted Root Certification Authorities.

    Figure 15

    13. Verify that the server certificate was properly installed. Double-click the new server certificate. On the General tab, there should be a note that shows You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the CA, and a note that shows This certificate is OK.


    Figure 16
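
    The certificate steps above (issue a server certificate from a private CA, export it as a password-protected .pfx, import it on ISA Server and confirm the chain and the name ISA uses) can be reproduced and checked with the openssl CLI. The script below is an added example and is not code from the article or from Microsoft; it assumes only the openssl command-line tool, and the CA name, the host names cas01.corp.example and webmail.example, and the export password are constructed for the example. It also shows the edge case the article mentions in Part 3: a certificate issued for the internal name does not satisfy a different public name, so two names need two certificates.

```shell
#!/bin/sh
# Added example, not part of the msexchange.org article: reproduces Part 1's
# certificate work with the openssl CLI so the checks can be scripted.
# It builds a private root CA, issues the CAS/Front-End server certificate,
# exports it as a password-protected .pfx (what the IIS wizard's "Export the
# current certificate to a .pfx file" step produces) and then verifies the
# .pfx the way the import on ISA Server should be verified: the password
# opens it, the leaf chains to the CA, and the name ISA will use to reach the
# CAS matches the certificate. All names and the password are constructed.
WORK=$(mktemp -d)
CAS_NAME="cas01.corp.example"     # internal name ISA uses to reach the CAS (constructed)
PFX_PASSWORD="Export-Pass-2024"   # password protecting the exported .pfx (constructed)

# Private root CA standing in for the internal enterprise CA of the article.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Corp Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_server_cert NAME: key, request and CA-signed certificate for NAME,
# with NAME also in the subjectAltName as current clients require.
issue_server_cert() {
  name=$1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# export_pfx NAME: bundle key, certificate and issuing CA into a .pfx protected
# by PFX_PASSWORD, as the Export Certificate page of the IIS wizard does.
export_pfx() {
  name=$1
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASSWORD" \
    -out "$WORK/$name.pfx" >/dev/null 2>&1
}

# verify_pfx PFX EXPECTED_HOST CA_CERT
# 0 = password, chain and host name all check out
# 1 = the .pfx could not be opened (wrong password or corrupt file)
# 2 = the leaf does not chain to CA_CERT (the CA certificate ISA must trust)
# 3 = EXPECTED_HOST is not a name the certificate was issued for
verify_pfx() {
  pfx=$1; expected_host=$2; ca=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASSWORD" -nokeys -clcerts \
    -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" "$WORK/leaf.pem" >/dev/null 2>&1 || return 2
  openssl x509 -in "$WORK/leaf.pem" -noout -checkhost "$expected_host" \
    | grep -q 'does match' || return 3
  return 0
}

# Walk through the whole flow once when run directly.
make_ca && issue_server_cert "$CAS_NAME" && export_pfx "$CAS_NAME"
if verify_pfx "$WORK/$CAS_NAME.pfx" "$CAS_NAME" "$WORK/ca.crt"; then
  echo "$CAS_NAME: .pfx opens, chains to the CA and matches the internal name"
fi
# A different public name needs its own certificate, as Part 3 of the article notes.
verify_pfx "$WORK/$CAS_NAME.pfx" "webmail.example" "$WORK/ca.crt" \
  || echo "webmail.example: name mismatch (rc=$?), a second certificate is needed"
```

    The three checks in verify_pfx correspond to what the article asks you to confirm by hand: the password gate is the Password page of the import wizard, the chain check is the "This certificate is OK" note on the Certification Path tab (which only passes once the private CA's certificate sits in Trusted Root Certification Authorities), and the host-name check is the requirement that the common name match the name ISA Server uses to reach the CAS.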
    Summary

    In this first part we explored the solution topology and set our main goals. We also saw how to configure ISA Server in a unihomed configuration and how to generate, export and import certificates.
    In the next part we’ll cover the necessary configuration settings for Exchange CAS/Front-End Server and also how to configure the authentication mechanism for ISA Server when it is not part of an Active Directory domain.

  2. #2
    Real name: 1234
    Code:
    http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/publishing-exchange-client-access-isa-2006-complete-solution-part2.html
    PART-2

    Configuration settings for Exchange CAS/Front-End and the authentication mechanisms of ISA Server.

    Exchange 2003 Front-End Configuration

    Now we have to make some changes to the Exchange 2003 configuration so that ISA Server Web client publishing works properly:

    • Confirm forms-based authentication is not selected on the Exchange front-end server
    • Enable RPC over HTTP on the front-end Exchange server
    • Require secure channel (SSL) communications to the Web site


    1. To confirm that forms-based authentication is not selected on an Exchange front-end server, start Exchange System Manager, expand Servers, and then expand your front-end server. Expand Protocols, expand HTTP, right-click Exchange Virtual Server, and then click Properties. Click the Settings tab, and clear the check box Enable Forms Based Authentication. Click OK.

    Figure 1

    2. To make your Exchange Front-End server an RPC proxy server, expand Servers, right-click your front-end server, and then click Properties. Select the RPC-HTTP page, select RPC-HTTP front-end server, and click OK to close the properties dialog box for the selected server. Click OK.
    3. After a certificate is installed for the Web site, you need to require the Web site to only accept secure channel communications. In IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the /Exchange virtual directory and click Properties. On the Directory Security tab click Edit. Select Require secure channel (SSL) on the Secure Communication page and then click OK. Click OK again to close the Web site properties dialog box. Repeat this step for /Public, /Exchweb and /rpc.


    Figure 2
    Exchange 2007 Client Access Configuration

    For Exchange 2007, the required changes are:

    • Confirm forms-based authentication is not selected on the Exchange Client Access server
    • Enable Outlook Anywhere on the Exchange Client Access server
    • Require secure channel (SSL) communications to the Web site


    1. To confirm that forms-based authentication is not selected on an Exchange CAS, in the Exchange Management Console, expand Server Configuration, and then click Client Access. Select your Client Access server and then select owa (Default Web Site) on the Outlook Web Access page. In the action pane, click Properties under owa (Default Web Site).

    Figure 3

    2. Select the Authentication page and confirm that the following are selected: Use one or more of the following standard authentication methods and Basic authentication (password is sent in clear text). Click OK.

    Figure 4

    3. Review the Microsoft Exchange Warning dialog box and click OK. For the changes that were just made, you must restart Internet Information Services (IIS). To restart IIS, run the following command: "iisreset /noforce".

    Figure 5

    4. Repeat steps 1-3 for the following sites: Exchange (Default Web Site), Exchweb (Default Web Site), and Public (Default Web Site).
    5. To enable Outlook Anywhere on your Client Access server, in the Exchange Management Console, expand Server Configuration, and then click Client Access. Select your Client Access server. In the action pane, click Enable Outlook Anywhere under the server name you just selected. Enter the host name that the client will use to connect to the Client Access server in the External Host name field. This name should match the common name or FQDN used in the server certificate installed on the ISA Server computer. Confirm that the External authentication method is set to NTLM authentication and click Enable.

    Figure 6

    6. To require the Web site to only accept secure channel communications, follow step 3 from the previous section (Exchange 2003 Front-End Configuration) for all the mentioned virtual directories plus /owa.

    ISA Authentication Basics

    Before entering the publishing rules section, let’s take a look at how ISA Server pre-authenticates client requests.

    Figure 7
    Step 1, receipt of client credentials: The client sends a request to connect to the corporate Outlook Web Access server in the Internal network. The client provides the credentials in HTML form.
    Steps 2 and 3, sending credentials: ISA Server sends the credentials to the authentication provider, such as a domain controller for Integrated Windows authentication in Active Directory, or a RADIUS server, and receives acknowledgment from the authentication provider that the user is authenticated.
    Step 4, authentication delegation: ISA Server forwards the client's request to the Outlook Web Access server, and authenticates itself to the Outlook Web Access server using the client's credentials. The Outlook Web Access server will revalidate those credentials, typically using the same authentication provider. The Web server must be configured to use the authentication scheme that matches the delegation method used by ISA Server.
    Step 5, server response: The Outlook Web Access server sends a response to the client, which is intercepted by ISA Server.
    Step 6, forwarding the response: ISA Server forwards the response to the client.
    Remember that Active Directory validation can only take place when ISA Server is a domain member (either the same domain as the domain controller or in a trusted domain). Since our ISA Server is in a workgroup configuration, we will have to use RADIUS or LDAP.
    In order to use RADIUS, you can install the IAS service on any Windows 2003 member server on your internal network.
    ISA Server can connect to an LDAP server in any of the ways described in the following table.
    Connection                   Port   Requires Active Directory domain name   Supports Change Password option
    LDAP                         389    Yes                                     No
    LDAPS                        636    Yes                                     Yes
    LDAP using global catalog    3268   No                                      No
    LDAPS using global catalog   3269   No                                      No
    Table 1
    To use LDAPS or LDAPS using global catalog, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer.
    I prefer LDAP, though, so I will enumerate the required steps to configure this authentication method:

    1. Open the ISA Firewall console and expand the Arrays node and then expand the array name. Expand the Configuration node and click the General node. In the middle pane, click the Specify RADIUS and LDAP Servers link.

    Figure 8

    2. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box. In LDAP server set name, type the name of the domain.
    3. Click Add, to add each LDAP server name or IP address. In Server name, specify the DC and click OK. We must also provide user credentials that can be used to access the Active Directory. You do not need to use a domain admin account, a regular user account can be used. Click OK to close the Add LDAP Server Set dialog box.

    Figure 9

    4. Click New to open the New LDAP Server Mapping dialog box. In Login expression, type DOMAIN\*. In LDAP server set, select the domain name previously defined, and click OK.

    Figure 10

    5. Click Close to close the Authentication Servers window.

    Summary

    Now that we have our Exchange CAS/Front-End configured and ISA Server has the required authentication mechanism working, we can move on to the publishing rules. That will be covered in the next and final part of this article.






  3. #3
    Real name: 1234
    Code:
    http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/publishing-exchange-client-access-isa-2006-complete-solution-part3.html
    PART-3

    ISA Server configuration aspects: web listener and publishing rules.

    Create Web Listener

    Before creating the Web publishing rule, we must first specify a Web listener to be used.

    1. In the console tree of ISA Server Management, click Firewall Policy. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Type a name for the Web listener. For example, type Exchange FBA.

    Figure 1

    2. On the Client Connection Security screen, select Require SSL secured connections with clients.

    Figure 2

    3. On the Web Listener IP Addresses page, under Listen for requests on these networks, select Internal, since we have only one network interface.

    Figure 3

    4. Click Select Certificate and choose the certificate previously installed on the ISA Server. Click Next.

    Figure 4

    Figure 5

    5. Select HTML Form Authentication for forms-based authentication and select the appropriate method that ISA Server will use to validate the client's credentials. We’ll use LDAP (Active Directory).

    Figure 6

    6. Leave the default setting to enable SSO and type your DNS name.

    Figure 7

    7. Review the selected settings, and click Finish to complete the wizard.
    8. Since we want our users to type in a simple URL without HTTPS (ISA will do the redirection), we must now modify the Web Listener just created, in order to provide access to HTTP. Right-click the web listener and select Properties. Click Enable HTTP connections on port: 80 and then select Redirect all traffic from HTTP to HTTPS. This will allow our users to make the connection without explicitly typing the https portion of the URL.


    Figure 8
    ISA Server Rules


    1. To create an Exchange Web client access publishing rule, in the console tree of ISA Server Management, click Firewall Policy. On the Tasks tab, click Publish Exchange Web Client Access. Type a name for the rule. For example, type Exchange Web Client Publishing.

    Figure 9

    2. Select the proper version of Exchange and select the desired Web client mail services. For Exchange 2003 you can choose all the methods in one rule; for Exchange 2007 you must create separate rules for each access method.

    Figure 10

    Figure 11

    3. Select Publish a single Web site or load balancer.

    Figure 12

    4. Select Use SSL to connect to the published Web server or server farm.

    Figure 13

    5. Type the internal FQDN of the Exchange Client Access server. The internal site name must match the name of the server certificate that is installed on the internal Exchange Client Access server. If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer. You can use whatever approach you like: use the same internal and external site name, or differentiate them. If you use different names, you’ll need 2 different certificates.

    Figure 14

    Figure 15

    6. Type the (external) domain name that you want ISA Server to accept the connection for. This must match the FQDN of the certificate selected when creating the Web listener.

    Figure 16

    7. Select the Web listener you created previously.

    Figure 17

    8. On the Authentication Delegation page, select Basic Authentication.

    Figure 18

    9. Select the user set approved to access this rule (All Authenticated Users). If you later have problems with this rule, to troubleshoot it, start by modifying the User Set to All Users. If it works, it might indicate that there is an issue with LDAP authentication, which was set in the previous part of this article.

    Figure 19

    10. Review the selected settings and click Finish to complete the wizard. Click the Apply button in the details pane to save the changes and update the configuration.
    11. If you are using different internal and external names, for RPC over HTTP(s) to work you must make a modification in the publishing rule. Right-click the rule, select Properties, go to the To tab and deselect Forward the original host header instead of the actual one (specified in the Internal site name field).


    Figure 20
    Redirection

    We already saw how to enable HTTP to HTTPS redirection in the Web Listener creation process. Now it’s time to drop the /Exchange or the /owa from the URL. If we were using ISA Server 2004, this would be done by including a special path mapping translating the root path “/” to the special Exchange path “/Exchange\”. Unfortunately, with ISA Server 2006 this is no longer possible because it generates the Event ID 21177.
    You have two options to accomplish this:

    • Include the root path “/” in the OWA web publishing rule and use HTML code on the front-end to do the redirection.
    • Use a Deny Rule on the ISA Server that performs the redirection.

    I prefer the former, so I’ll explain the steps involved.

    1. In the ISA Firewall console, click the Firewall Policy node in the left pane of the console. In the Task Pane, click Publish Web Sites. On the Welcome to the New Web Publishing Rule Wizard page, enter a name for the rule. In this example, we’ll name the rule OWA Folder Redirection and click Next.

    Figure 21

    2. On the Select Rule Action page, select the Deny option. All connections matching the parameters we set in this rule will be denied. Click Next.

    Figure 22

    3. On the Publishing Type page, select the Publish a single Web site or load balancer and click Next.

    Figure 23

    4. On the Server Connection Security page, select the Use SSL to connect to the published Web server or server farm. This option actually has no meaning in this scenario, since no connections will be forwarded by this Deny rule. Click Next.

    Figure 24

    5. On the Internal Publishing Details page, enter the internal site name of the Exchange CAS/Front-End server. Click Next.

    Figure 25

    6. On the Internal Publishing Details page click Next.
    7. On the Public Name Details page, enter the public name. Click Next.

    Figure 26

    8. On the Select Web Listener page, click the down arrow on the Web listener drop down list and select the listener we use for the Exchange publishing rule. Click Next.

    Figure 27

    9. On the Authentication Delegation page, accept the default entry, No delegation, and client cannot authenticate directly. There’s no need for the client to authenticate in this scenario, since we want the connection to be automatically redirected for everyone.

    Figure 28

    10. On the User Sets page, remove the All Authenticated Users entry. Click the Add button. In the Add Users dialog box, double click the All Users entry and click Close. Click Next. You’ll see a warning that you can safely ignore.

    Figure 29

    Figure 30

    11. Click Finish on the Completing the New Web Publishing Rule Wizard page.
    12. Double click the OWA Redirect rule we have just created. Go to the Action tab and put a checkmark in the Redirect HTTP requests to this Web page checkbox. Enter the complete URL of the Exchange OWA in the text box (https://webmail.ruisilva.org/exchange). Click OK.

    Figure 31

    13. Make sure that the Deny rule is below the Exchange Web Client Publishing allow rule, as seen in the figure below. If it is not, use the up and down arrow buttons in the MMC button bar to get the rules in the correct order.

    Figure 32

    14. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

    Testing the Solution

    In order to test the solution, use a computer outside the internal network, open a browser and at the address bar type the URL of the external Exchange public name (webmail.ruisilva.org).

    Figure 33
    If everything is working, you’ll be presented with the HTML form authentication, and after a successful logon, the Outlook Web Access page will appear, as illustrated in the pictures below.

    Figure 34

    Figure 35

    Figure 36
    To test RPC over HTTP(s) / Outlook Anywhere, make sure the Outlook profile is configured correctly to support this access method. Next, run Microsoft Outlook and verify that you can connect to your mailbox server. To confirm that you are using HTTPS, hold the CTRL key, right click the Outlook connection icon on the Taskbar and select Connection Status…

    Figure 37

    Figure 38
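
    The browser test above checks two things at once: the listener's HTTP to HTTPS redirection and the Deny rule's redirection of the root path into the OWA folder. The script below is an added example and not part of the article; it checks the same two hops from captured response headers so the test can be repeated from a script. The header samples are constructed, the public name webmail.example is a placeholder for your own, and for a live check the headers would come from `curl -sI http://<public name>/` run from outside the internal network, as the article suggests.

```shell
#!/bin/sh
# Added example, not part of the msexchange.org article: a checker for the
# redirects that the published listener (HTTP -> HTTPS) and the OWA Folder
# Redirection deny rule (/ -> /exchange) should produce. It parses raw HTTP
# response headers; the samples below are constructed, and the public name
# webmail.example is a placeholder. For a live check from outside the internal
# network, feed it the output of:  curl -sI http://<public name>/
PUBLIC_NAME="webmail.example"

# status_of HEADERS: the numeric status from the first response line
status_of() {
  printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# location_of HEADERS: the value of the Location header (empty if absent)
location_of() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# check_redirect HEADERS EXPECTED_URL_PREFIX
# 0 = redirect to a URL starting with EXPECTED_URL_PREFIX
# 1 = not a redirect at all (content served directly, e.g. on plain HTTP)
# 2 = redirect, but to another or non-https location (a downgrade or a wrong rule)
check_redirect() {
  headers=$1
  expected=$2
  case "$(status_of "$headers")" in
    301|302|307) ;;
    *) return 1 ;;
  esac
  location=$(location_of "$headers")
  case "$location" in
    "$expected"*) return 0 ;;
    *) return 2 ;;
  esac
}

# check_published_site HTTP_RESPONSE ROOT_RESPONSE
# 0 only when both hops are right: plain HTTP is bounced to https://PUBLIC_NAME/
# and the https root is bounced into the OWA folder.
check_published_site() {
  check_redirect "$1" "https://$PUBLIC_NAME/" || return 1
  check_redirect "$2" "https://$PUBLIC_NAME/exchange" || return 2
  return 0
}

# Constructed samples of what a correctly published site answers.
HTTP_REPLY='HTTP/1.1 302 Found
Location: https://webmail.example/
Content-Length: 0'

ROOT_REPLY='HTTP/1.1 302 Found
Location: https://webmail.example/exchange
Content-Length: 0'

# Constructed sample of a bad answer: the page is served on plain HTTP instead
# of being redirected, so credentials typed into the form would not be protected.
PLAINTEXT_REPLY='HTTP/1.1 200 OK
Content-Type: text/html'

if check_published_site "$HTTP_REPLY" "$ROOT_REPLY"; then
  echo "listener and folder redirection look correct"
fi
if ! check_redirect "$PLAINTEXT_REPLY" "https://$PUBLIC_NAME/"; then
  echo "plain HTTP is answered directly: HTTP to HTTPS redirection is not active"
fi
```

    A return of 1 from the first hop means the listener answered on port 80 instead of redirecting (the Enable HTTP connections / Redirect all traffic from HTTP to HTTPS setting from the Web Listener section is missing), and a 2 from the second hop usually means the Deny rule is above the allow rule or points at the wrong URL, which is the ordering the article asks you to confirm in Figure 32.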
    Conclusion

    ISA Server 2006 introduced some new features and publishing wizards that can make the task of publishing Exchange much easier. Nevertheless, there are certain aspects and scenarios that are still difficult to find the right solution for.
    The scenario I used in this series of articles is the most common I find with my customers. Hopefully it is the same in your case, so now you have a complete and detailed solution to publish Exchange 2003/2007 client access.
