Using ISA Server 2006 with Outlook Web Access
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
Outlook Web Access for Exchange Server 2007 is designed to take full advantage of the new features that are available in Internet Security and Acceleration (ISA) Server 2006. Exchange 2007 is also designed to integrate with earlier versions of ISA Server. When you deploy Exchange 2007 in an environment where ISA Server 2006 is being used to help secure your corporate network, the full set of features for Exchange Client Access are available.
Benefits of Using ISA Server 2006 with Outlook Web Access
The following table lists features in ISA Server 2006 that can help you secure your Microsoft Exchange messaging environment that includes Outlook Web Access.
ISA Server 2006 features with Outlook Web Access
ISA Server 2006 redirects Outlook Web Access requests for internal URLs that are contained in the body of any object in Outlook Web Access, such as an e-mail message or calendar entry. Users no longer have to remember the external namespaces for internal corporate information that is mapped to an external namespace. For example, if a user sends a link in an e-mail message to an internal namespace such as http://contoso, and this internal URL is mapped to an external namespace such as http://www.contoso.com, the internal URL is automatically translated into the external URL when the user clicks the internal URL.
Web Publishing Load Balancing
ISA Server 2006 can load balance client requests and send them to an array of Client Access servers. When ISA Server 2006 receives a request for a connection to Outlook Web Access, it selects a Client Access server and then sends the name of the Client Access server back to the Web browser in a cookie.
In the past, if you used forms-based authentication on the ISA Server computer that had Exchange Server 2003 and ISA Server 2004 or ISA Server 2000 installed, it was not possible to use Gzip compression. This was because ISA Server could not decompress and recompress the information correctly. ISA Server 2006 can decompress, inspect, and then recompress data before it sends the data to your Exchange servers.
Gzip compression is available in ISA Server 2004, Service Pack 2 (SP2).
Exchange server locations are hidden
When you publish an application through ISA Server, you are protecting the server from direct external access because the name and IP address of the server cannot be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then creates a connection to the Client Access server according to the conditions of the server publishing rule.
SSL bridging and inspection
Secure Sockets Layer (SSL) bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts the request, inspects it, and acts as the endpoint for the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. When you use SSL bridging, the secure Web publishing rule is configured to forward the request by using Secure HTTP (HTTPS). ISA Server then initiates a new SSL connection with the published server. Because the ISA Server computer has become an SSL client, it requires the published Web server to respond with a certificate.
An additional advantage of SSL bridging is that an organization has to buy SSL certificates from an external certification authority only for the ISA Server computers. Servers that use ISA Server as a reverse proxy can either not require SSL or use SSL certificates that are generated internally.
You can also terminate the SSL connection at the ISA Server computer and continue to the Client Access server with a connection that is not encrypted. This is known as SSL offloading. If you do this, the internal URL for Outlook Web Access must be set to use HTTP and the external URL must be set to use HTTPS. The internal URL and external URL can be configured through the Exchange Management Console, or by using the Set-OwaVirtualDirectory cmdlet with the InternalURL parameter and ExternalURL parameter in the Exchange Management Shell.
For more information about how to use the Set-OwaVirtualDirectory cmdlet and the Exchange Management Console to manage Outlook Web Access virtual directories, see Set-OwaVirtualDirectory and How to Modify Properties on an Outlook Web Access Virtual Directory.
Single sign-on enables users to access a group of published Web sites without being required to authenticate with each Web site. When you use ISA Server 2006 as a reverse proxy server for Outlook Web Access, ISA Server 2006 can be configured to obtain the user's credentials and pass them to the Client Access server so that users are prompted for their credentials only one time.
For more information about the new enhancements to ISA Server 2006 when it is used with Exchange 2007, see What's New and Improved in ISA Server 2006.
When you deploy ISA Server 2006 together with Exchange 2007, you will not have to do any additional configuration to your Microsoft Exchange infrastructure. However, ISA Server 2006 can be configured in different ways to enable Exchange client access by using Outlook Web Access, POP3 or IMAP access, Exchange ActiveSync, and Outlook Anywhere. The configuration options depend on the authentication method that you want to use to access Exchange.
Earlier versions of ISA Server, including ISA Server 2004 and ISA Server 2000 when they are deployed with Exchange 2007, do not have the same deployment options for authentication. Additionally, if you are deploying Exchange 2007 with both ISA Server 2006 and an earlier version of ISA Server, you can use the following authentication options:
Basic authentication for Outlook Web Access If you plan to use Basic authentication for Outlook Web Access, ISA Server 2006 and earlier versions of ISA Server should all use Web Publishing to publish Outlook Web Access.
Client certificate authentication If you plan to use a client certificate-based authentication method, ISA Server will automatically perform authentication on the computer that is running ISA Server. Earlier versions of ISA Server, including ISA Server 2004 and ISA Server 2000, require server publishing to use client certificate authentication. If you use client certificate authentication, you cannot use ISA Server to inspect the SSL packets before they are sent to the Client Access server.
Deploying ISA Server 2006 for Outlook Web Access
When you deploy ISA Server 2006 for Outlook Web Access, you use the New Exchange Publishing Rule Wizard on the firewall policy tasks. This new wizard shows you the specific settings that you must configure to enable access to Microsoft Exchange.
If you have multiple versions of Microsoft Exchange in your Exchange organization, you must create an Exchange publishing rule for each version of Microsoft Exchange that you support.
Configuring ISA Server 2006 for Outlook Web Access involves the following steps:
Creating a new publishing rule.
Configuring additional options.
The following sections describe the settings that you must apply to the new publishing rule to successfully deploy ISA Server 2006 for Outlook Web Access.
Create a New Exchange Publishing Rule
During this process, you must provide the following information:
Exchange publishing rule name Provide a friendly name for your publishing rule, such as "Exchange E-mail Access".
Supported client access services On the Select Services page, select the version of Microsoft Exchange that you are deploying and the client access services that you want to support for your users. By default, when you select Exchange Server 2007, Outlook Web Access is selected.
Publishing type On the Publishing Type page, select an option to use depending on whether you plan to publish a single site or an external load balancer, a Web server farm, or multiple Web sites.
Server connection security This page lets you select whether to use Secure Sockets Layer (SSL) or non-secured connections from the ISA Server computer to Microsoft Exchange.
Internal publishing details On the Internal Publishing Details page, enter the internal site name of Outlook Web Access or select the option to use a computer name or IP address to connect to Microsoft Exchange.
Public name details The Public name details page lets you select which domains you will accept requests from. You must also provide a public name, for example, www.contoso.com.
Select web listener The Select web listener page lets you specify the listener for the Exchange server to which you are connecting. A listener is used to specify the authentication type that will be used when the client first contacts the ISA Server computer. The listener contains information about how the ISA Server computer accepts requests from clients, such as the encryption, compression, and authentication that is used on the external connection. You can use this page to create a new listener or edit existing listeners.
Authentication delegation The Authentication delegation page lets you specify the type of authentication mechanism that the Client Access server should expect from the ISA Server. Select from the following:
No delegation, but client may authenticate directly
Kerberos constrained delegation
User sets The User sets page lets you select which users can use this rule to connect to Exchange.
If you have configured the ISA Server computer to authenticate users, you should configure the Outlook Web Access virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication on the Outlook Web Access virtual directories together with ISA Server 2006 authentication, users are prompted for their logon information only one time.
If you select forms-based authentication for the ISA listener, the user will be prompted to reenter authentication credentials if the Outlook Web Access session times out.
However, Integrated Windows authentication disallows access from Outlook Web Access to documents on Windows file shares or in Windows SharePoint Services document libraries. If you must access documents from Outlook Web Access, you must use Basic authentication on the Outlook Web Access virtual directory.
After you complete the wizard, the wizard creates the Exchange publishing rule. The rule you create appears in the Firewall Policy Rules list on the Firewall Policy tab.
After you finish creating your publishing rule, you must wait for the settings to take effect. You can monitor ISA Server 2006 publishing rule progress by using the Monitoring node in the ISA Server 2006 Management console.
Configure Additional Options
You can configure additional features, such as link translation and HTTP compression, for the new rule that you created in the ISA Server 2006 Management console. Additional settings for link translation and HTTP compression are managed under the General node on the ISA Server 2006 Management console.
Configuring Link Translation
To configure link translation, you must select the Exchange publishing rule that you created, and then click Edit Selected Rule under Policy Editing Tasks. On the Link Translation tab, you can configure link translation based on the needs of your users.
Configuring HTTP Compression
The HTTP compression option can be configured in the General node under Configuration in the ISA Server 2006 Management console. Click Define HTTP compression preferences, and then select the options that you want to support for your users.
After you finish configuring these options, the ISA Server configuration for Microsoft Exchange is complete.
Install a Server Certificate for ISA Server 2006
To enable an encrypted channel by using SSL between the client computer and the ISA Server computer, you must install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA must be installed on any computer that has to create an encrypted channel (HTTPS) to the ISA Server computer or users will receive a warning that the certificate is not trusted.
For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.
For More Information
For more information about how to use ISA Server 2006 with Exchange 2007, see Using ISA Server 2006 with Exchange 2007.
For more information about ISA Server 2006, see the ISA Server Web site.
For more information about ISA Server 2006 features, see ISA Server 2006 Features at a Glance.
For more information about how to use a reverse proxy server, see How to Configure Reverse Proxy Servers for Outlook Web Access.
For more information about how to use the Set-OwaVirtualDirectory cmdlet and the Exchange Management Console to manage Outlook Web Access virtual directories, see the following topics:
For more information about how to configure Outlook Web Access, see: