Friday, 26 April 2024

Exchange 2007 Client Access with ISA 2006 (part 1)

Publishing Exchange Server Client Access with ISA Server should be a straightforward and easy task. Well, it isn’t. Although there are lots of resources on the Internet about the subject and Microsoft provides extensive technical documentation with more or less detailed steps, the truth is that every time I go through the process of providing access to Exchange for external users using ISA Server, I can’t help feeling a little bit frustrated.

Some of the technical information needed is somehow dispersed through several sites and articles and I usually end up spending a lot of time searching for that particular solution that I know will solve my problem. That’s why I decided to write one more article about publishing Exchange with ISA. I call it the complete solution (I know it’s kind of pretentious) because it covers all aspects of the most common scenario I keep finding at my customers.

So, what can you expect in this one-stop article?

  • ISA Server configuration
  • Exchange configuration
  • Certificates: getting them, installing and exporting
  • How to create the appropriate web listener
  • ISA Server publishing rules
  • Redirection (folder and protocol)

This is meant to be an objective article, so I’ll try not to lose too much time diving into some more deep technical content. I’ll enumerate the necessary steps to reach the main goal and they will be illustrated with lots of pictures.

This article applies to both Exchange 2003 and Exchange 2007. Whenever there are specific configurations, I’ll use distinct topics to cover them.

Main Objectives
The main goals we’re trying to accomplish are:

  • Publish full Exchange Client Access to the Internet:
    • Outlook Web Access (OWA)
    • Outlook Mobile Access and ActiveSync
    • RPC over HTTP(s) / Outlook Anywhere
  • Use a simple URL without the need to type HTTPS or /exchange (or /owa)
  • Use Forms-Based Authentication on the Internet
  • Open a reduced set of TCP ports on the firewalls

Solution Topology
As I said previously, I’ll cover the most common scenario I find at my customers. In order to provide you the “Complete Solution” I had to keep focused on one particular configuration or it would be impossible to write an online article about it.

The following image depicts the topology that will be used along this article:


Figure 1: Exchange Topology

The main characteristics of this topology are:

  • ISA Server is in a workgroup
  • ISA Server has only one network interface (unihomed)
  • ISA Server is in a DMZ

ISA Server Configuration
Our first task is to configure ISA Server in a unihomed workgroup configuration. I’ll skip the ISA Server setup procedure, so we’ll start from the point where the ISA is already installed in a Windows Server 2003 environment that doesn’t belong to a domain.

What we’ll have to do is apply the Single Network Adapter Template.

  1. Open ISA Server Management Console. Browse to Configuration and then Networks. On the Templates pane, you’ll find the Single Network Adapter. Select it and that will trigger the configuration wizard. Click Next twice.


Figure 2

  2. On the Internal Network IP Addresses page, you’ll see the addresses that will be configured to define the default ISA firewall Internal Network. You can accept the default options. Click Next.


Figure 3

  3. Select Apply default web proxying and caching configuration and click Next.


Figure 4

  4. On the Completing the Network Template Wizard page, click Finish.


Figure 5

  5. A warning will appear. Click OK.


Figure 6

  6. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

Certificates
To ensure the communications between all the peers are properly secured, you need to install a server certificate on both the Exchange CAS/Front-End and ISA Server. If this certificate is from an internal CA, you’ll need to install the CA certificate on both servers, and your clients must all trust that same internal CA.

When you install Exchange 2007, you can install a default Secure Sockets Layer (SSL) certificate that is created by Exchange Setup. However, it is not recommended to use it, since this certificate is not a trusted SSL certificate.

  1. To obtain a new server certificate using the Web Server Certificate Wizard, in IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site for the Exchange services and click Properties. On the Directory Security tab, click Server Certificate. Use the wizard to request and install the Web server certificate. In the Web Server Certificate Wizard, select Create a new certificate.


Figure 7

  2. On the Delayed or Immediate Request page, select Send the request immediately to an online certification authority if you have a Windows Server 2003 enterprise CA installed in your domain. Otherwise select Prepare the request now, but send it later.
  3. Enter the required information on the Name and Security Settings and the Organization Information pages.


Figure 8


Figure 9

  4. Type the FQDN on the Your Site’s Common Name page. This name must match the name ISA Server will use to communicate with the Exchange server. It doesn’t have to be the final external name, as we will see ahead.


Figure 10

  5. Enter the required information on the Geographical Information page.


Figure 11

  6. If you’ve selected Send the request immediately to an online certification authority, accept the default port of 443 on the SSL Port page and from the list under Certification authorities, select the correct internal enterprise CA. Click Next to submit your request. This will also install the certificate for your Web site.
  7. If you’ve selected Prepare the request now, but send it later, save the request to a text file and submit it using a browser. If it’s a Microsoft CA, the URL will be http://CAServerName/CertSrv. Select Request a certificate, click Next and select Advanced request. Click Next and select Submit a certificate request using a base64 encoded PKCS #10 file. Click Next, and open the request file that you saved from the Web Certificate Wizard in Notepad. Paste the entire text of the file, including the BEGIN and END lines, into the Base64 Encoded Certificate Request text box. When the certificate is issued, go back to IIS Manager, right-click the web site and on the Directory Security tab, click Server Certificate. Select Process the pending request.


Figure 12


Figure 13

The next step is to install the server certificate on the ISA Server computer, to enable a secure connection between the client computer and the ISA Server computer. If a private CA is used, the root CA certificate from the private CA will need to be installed on any client computer that needs to create a secure connection (an HTTPS connection) to the ISA Server computer.

This certificate can be the same as that installed on the Exchange CAS/Front-End, if the internal name matches the public name. In that case, we’ll perform the following procedure to export the server certificate:

  1. On the CAS / Front-End, in IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site for the Exchange services, and click Properties.
  2. On the Directory Security tab, click Server Certificate to start the Web Server Certificate Wizard. Click Next on the Welcome page.
  3. Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.


Figure 14

  4. Type the path and file name on the Export Certificate page and click Next. Enter a password for the .pfx file, preferably a strong one. This password will be requested when a user is importing the .pfx file.
  5. Copy the .pfx file created in the previous section to the ISA Server computer.
  6. On the ISA Server, click Start, and then click Run. In Open, type MMC, and then click OK. Click File, click Add/Remove Snap-in, and click Add to open the Add Standalone Snap-in dialog box. Select Certificates, click Add, select Computer account, and then click Next. Select Local Computer, and then click Finish. Click Close and click OK.
  7. Expand the Certificates node, and right-click the Personal folder. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.
  8. On the File to Import page, browse to the file that you created previously and copied to the ISA Server computer, and then click Next.
  9. On the Password page, type the password for this file, and then click Next.
  10. On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Personal (the default settings), and then click Next.
  11. On the wizard completion page, click Finish.
  12. If you’re using a private CA, you also need to import the CA certificate. Again, if it’s a Microsoft CA, browse to http://CAServerName/CertSrv and select Download a CA certificate, certificate chain or CRL. Repeat steps 6 to 11, but when asked where to put the certificate (step 10), select Trusted Root Certification Authorities.


Figure 15

  13. Verify that the server certificate was properly installed. Double-click the new server certificate. On the General tab, there should be a note that shows You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the CA, and a note that shows This certificate is OK.


Figure 16
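The import and the verification above can also be done from a PowerShell prompt on the ISA Server computer using the .NET certificate classes. This is an added example, not code from the original article; the file paths, the .pfx password prompt and the expected host name are assumptions you replace with your own values.

```powershell
# Added example: import the exported .pfx and the internal CA certificate into the
# ISA Server machine stores, then run the same checks the article makes in the MMC
# (private key present, certificate chain OK, name matches what ISA will use).
$X509      = 'System.Security.Cryptography.X509Certificates'
$PfxPath   = 'C:\certs\cas01.pfx'        # assumed: path of the .pfx copied from the CAS
$CaCerPath = 'C:\certs\internal-ca.cer'  # assumed: internal CA certificate (private CA only)
$Expected  = 'cas01.contoso.local'       # assumed: name ISA uses to reach the Exchange server
$PfxPass   = Read-Host -AsSecureString 'Password of the .pfx file'

# Steps 6-11: import into LocalMachine\Personal, keeping the private key on the machine
$cert = New-Object "$X509.X509Certificate2"
$cert.Import($PfxPath, $PfxPass, 'MachineKeySet,PersistKeySet')
$my = New-Object "$X509.X509Store" -ArgumentList 'My', 'LocalMachine'
$my.Open('ReadWrite'); $my.Add($cert); $my.Close()

# Step 12: trust the issuing CA (skip this block when a public CA issued the certificate)
if (Test-Path $CaCerPath) {
    $ca   = New-Object "$X509.X509Certificate2" -ArgumentList $CaCerPath
    $root = New-Object "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $root.Open('ReadWrite'); $root.Add($ca); $root.Close()
}

# Step 13: the three things to verify before building the web listener
$chain   = New-Object "$X509.X509Chain"
$chainOk = $chain.Build($cert)
$dnsName = $cert.GetNameInfo('DnsName', $false)

"Private key present : $($cert.HasPrivateKey)"
"Chain builds        : $chainOk"
"Certificate name    : $dnsName (expected: $Expected)"
"Valid until         : $($cert.NotAfter)"
if (-not $chainOk) {
    # Typical cause: the CA certificate was not imported into Trusted Root Certification Authorities
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
if ($dnsName -ne $Expected) {
    "WARNING: name mismatch; ISA will refuse the bridged SSL connection to the Exchange server"
}
```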

Exchange 2003 Front-End Configuration
Now we have to make some changes to the Exchange 2003 configuration so that ISA Server Web client publishing works properly:

  • Confirm forms-based authentication is not selected on the Exchange front-end server
  • Enable RPC over HTTP on the front-end Exchange server
  • Require secure channel (SSL) communications to the Web site

  1. To confirm that forms-based authentication is not selected on an Exchange front-end server, start Exchange System Manager, expand Servers, and then expand your front-end server. Expand Protocols, expand HTTP, right-click Exchange Virtual Server, and then click Properties. Click the Settings tab, and clear the check box Enable Forms Based Authentication. Click OK.


Figure 1

  2. To make your Exchange Front-End server an RPC proxy server, expand Servers, right-click your front-end server, and then click Properties. Select the RPC-HTTP page, select RPC-HTTP front-end server, and click OK to close the properties dialog box for the selected server. Click OK.
  3. After a certificate is installed for the Web site, you need to require the Web site to only accept secure channel communications. In IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the /Exchange virtual directory and click Properties. On the Directory Security tab click Edit. Select Require secure channel (SSL) on the Secure Communication page and then click OK. Click OK again to close the Web site properties dialog box. Repeat this step for /Public, /Exchweb and /rpc.


Figure 2

Exchange 2007 Client Access Configuration
For Exchange 2007, the required changes are:

  • Confirm forms-based authentication is not selected on the Exchange Client Access server
  • Enable Outlook Anywhere on the Exchange Client Access server
  • Require secure channel (SSL) communications to the Web site

  1. To confirm that forms-based authentication is not selected on an Exchange CAS, in the Exchange Management Console, expand Server Configuration, and then click Client Access. Select your Client Access server and then select owa (Default Web Site) on the Outlook Web Access page. In the action pane, click Properties under owa (Default Web Site).


Figure 3

  2. Select the Authentication page and confirm that the following are selected: Use one or more of the following standard authentication methods and Basic authentication (password is sent in clear text). Click OK.


Figure 4

  3. Review the Microsoft Exchange Warning dialog box and click OK. For the changes that were just made, you must restart Internet Information Services (IIS). To restart IIS, run the following command: “iisreset /noforce”.


Figure 5

  4. Repeat steps 1 to 3 for the following sites: Exchange (Default Web Site), Exchweb (Default Web Site), and Public (Default Web Site).
  5. To enable Outlook Anywhere on your Client Access server, in the Exchange Management Console, expand Server Configuration, and then click Client Access. Select your Client Access server. In the action pane, click Enable Outlook Anywhere under the server name you just selected. Enter the host name that the client will use to connect to the Client Access server in the External Host name field. This name should match the common name or FQDN used in the server certificate installed on the ISA Server computer. Confirm that the External authentication method is set to NTLM authentication and click Enable.


Figure 6

  6. To require the Web site to only accept secure channel communications, follow step 3 from the previous section (Exchange 2003 Front-End Configuration) for all the mentioned virtual directories plus /owa.
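The same Exchange 2007 changes can be scripted from the Exchange Management Shell, which is handy when more than one Client Access server sits behind ISA. This is an added example and not part of the original article; the server name, the external host name and the IIS site id (W3SVC/1 for Default Web Site) are assumptions.

```powershell
# Added example: Exchange 2007 CAS preparation for ISA publishing, done from the
# Exchange Management Shell instead of the console. Assumed values below.
$Cas      = 'CAS01'             # assumed: Client Access server name
$External = 'mail.contoso.com'  # assumed: host name clients use from the Internet

# Steps 1-4: ISA will show the logon form and delegate Basic credentials, so the
# CAS itself must use Basic and not forms-based authentication. The legacy
# directories (Exchange, Exchweb, Public) are OWA virtual directories in 2007 too.
foreach ($v in 'owa', 'Exchange', 'Exchweb', 'Public') {
    Set-OwaVirtualDirectory -Identity "$Cas\$v (Default Web Site)" `
        -FormsAuthentication $false -BasicAuthentication $true
}
iisreset /noforce   # the authentication change only takes effect after an IIS restart

# Step 5: Outlook Anywhere (RPC over HTTPS). The external host name must match
# the name on the certificate ISA presents to Outlook clients.
Enable-OutlookAnywhere -Server $Cas -ExternalHostname $External `
    -ExternalAuthenticationMethod NTLM

# Step 6: "Require secure channel (SSL)" is the AccessSSL metabase flag on each
# virtual directory; set it through the IIS ADSI provider on the CAS itself.
foreach ($v in 'owa', 'Exchange', 'Exchweb', 'Public', 'rpc') {
    $vdir = [ADSI]"IIS://localhost/W3SVC/1/ROOT/$v"   # assumed: Default Web Site is site 1
    $vdir.Put('AccessSSL', $true)
    $vdir.SetInfo()
}

# Check the result before moving on to the ISA publishing rules
Get-OwaVirtualDirectory -Server $Cas |
    Format-Table Name, FormsAuthentication, BasicAuthentication -AutoSize
Get-OutlookAnywhere -Server $Cas | Format-List ExternalHostname, *Authentication*
```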

ISA Authentication Basics
Before entering the publishing rules section, let’s take a look how ISA Server pre-authenticates client requests.


Figure 7

Step 1, receipt of client credentials: The client sends a request to connect to the corporate Outlook Web Access server in the Internal network. The client provides the credentials in HTML form.

Steps 2 and 3, sending credentials: ISA Server sends the credentials to the authentication provider, such as a domain controller for Integrated Windows authentication in Active Directory, or a RADIUS server, and receives acknowledgment from the authentication provider that the user is authenticated.

Step 4, authentication delegation: ISA Server forwards the client’s request to the Outlook Web Access server, and authenticates itself to the Outlook Web Access server using the client’s credentials. The Outlook Web Access server will revalidate those credentials, typically using the same authentication provider. The Web server must be configured to use the authentication scheme that matches the delegation method used by ISA Server.

Step 5, server response: The Outlook Web Access server sends a response to the client, which is intercepted by ISA Server.

Step 6, forwarding the response: ISA Server forwards the response to the client.

Remember that Active Directory validation can only take place when ISA Server is a domain member (either the same domain as the domain controller or in a trusted domain). Since our ISA Server is in a workgroup configuration, we will have to use RADIUS or LDAP.

In order to use RADIUS, you can install the IAS service on any Windows 2003 member server on your internal network.

ISA Server can connect to an LDAP server in any of the ways described in the following table.

Connection                   Port   Requires Active Directory domain name   Supports Change Password option
LDAP                         389    Yes                                     No
LDAPS                        636    Yes                                     Yes
LDAP using global catalog    3268   No                                      No
LDAPS using global catalog   3269   No                                      No

Table 1

To use LDAPS or LDAPS using global catalog, a server certificate must be installed on the LDAP server and the root certificate from the issuing CA needs to be installed on the ISA Server computer.

I prefer LDAP, though, so I will enumerate the required steps to configure this authentication method:

  1. Open the ISA Firewall console and expand the Arrays node and then expand the array name. Expand the Configuration node and click the General node. In the middle pane, click the Specify RADIUS and LDAP Servers link.


Figure 8

  2. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box. In LDAP server set name, type the name of the domain.
  3. Click Add to add each LDAP server name or IP address. In Server name, specify the DC and click OK. We must also provide user credentials that can be used to access the Active Directory. You do not need to use a domain admin account; a regular user account can be used. Click OK to close the Add LDAP Server Set dialog box.


Figure 9

  4. Click New to open the New LDAP Server Mapping dialog box. In Login expression, type DOMAIN\*. In LDAP server set, select the domain name previously defined, and click OK.


Figure 10

  5. Click Close to close the Authentication Servers window.

Author: Rui Silva
