Step 5: Install and Configure ISA Server 2006 or Other Firewall

6/2/2010

Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Exchange Server 2003 are designed to work closely together in your network to provide a secure messaging environment.

This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in the recommended ISA Server 2006 environment. You can use this information to determine what to do if you are deploying another firewall.

Note

If you are using ISA Server 2004, follow the instructions in Appendix B: Install and Configure an ISA Server 2004 Environment.

Note

This document does not cover the upcoming release of Exchange Server 2007. Because there are significant changes to Exchange 2007 from Exchange 2003, Exchange 2007 is discussed in a separate document.

During this part of the process, you will:

  • Install ISA Server 2006
  • Install a server certificate on the ISA Server
  • Update Public DNS
  • Create the Exchange ActiveSync publishing rule using Web publishing, opening Port 443 as a Web Listener.
  • Configure ISA Server with your LDAP server set
  • Set all firewalls and proxy server idle session timeout to 1800 seconds (30 minutes)

Note

Increasing the timeout values maximizes performance of the direct push technology and optimizes device battery life.

  • Test OWA and Exchange ActiveSync.

Refer to Network Architecture Alternatives and Best Practices for Deploying a Mobile Messaging Solution for background about network architecture and SSL setup.

Install ISA Server 2006

It is recommended that you configure ISA Server 2006 in a perimeter network in workgroup mode.

To install ISA Server 2006

  1. Install and configure Microsoft Windows Server 2003 on the firewall computer.

  2. Go to Microsoft Update, and then install all critical security hot fixes and service packs for Windows Server 2003.

  3. Install the ISA server in workgroup mode within a perimeter network.

  4. Install ISA Server 2006.

  5. Export the OWA SSL Certificate from the Exchange front-end OWA server to a file.

Install a Server Certificate on the ISA Server Computer

To enable a secure connection between the client computer and the ISA Server computer, you need to install a server certificate on the ISA Server computer. This certificate should be issued by a public Certificate Authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA will need to be installed on any computer that will need to create a secure connection (an HTTPS connection) to the ISA Server computer.

In most cases, the ISA Server computer does not have IIS installed. The following procedures assume that IIS is installed. Use the following procedures to import a certificate on the ISA Server computer.

In this section, you will

  • Request and install a server certificate from a public CA
  • Export the server certificate to a file
  • Import the server certificate on the ISA Server computer

Request and Install a Server Certificate From a Public CA

Perform the following procedure to request and install a server certificate on a computer with IIS installed.

To request and install a server certificate from a public CA

  1. In IIS, create a new Web site, pointing the Web site to a new empty directory.

  2. In IIS Manager, expand the local computer, right-click the Web Sites folder, click New, and then click Web Site to start the Web Site Creation Wizard.

  3. Click Next on the Welcome page.

  4. Type a name for the Web site in the Description field. For example, type ISA Cert Site, and click Next.

  5. Accept the default settings on the IP Address and Port Settings page.

  6. Enter a path for the Web site on the Web Site Home Directory page. For example, enter c:\temp.

  7. Accept the default settings on the Web Site Access Permissions page and click Next.

  8. Click Finish to complete the Web Site Creation Wizard.

Important

By default, the new Web site is stopped. You should leave this Web site in the stopped state. There is no reason to start this Web site.

Note

For more information about creating a new Web site, see IIS product documentation.

  1. Follow the steps provided by the public CA to create and install a server certificate using the Web site you created in Step 1.

Important

The important information in the certificate is the common name or FQDN. Enter the FQDN that will be used by users on the Internet to connect to the Exchange Outlook Web Access site. For example, enter mail.contoso.com.

Note

Confirm that the private key for the certificate that you will install is exportable.

Export the Server Certificate to a File

After the certificate is installed on the Web site that you just created, you will export the certificate to a file. You will then copy this file and import it to the ISA Server computer.

Perform the following procedure to export the server certificate that you just installed.

To export the server certificate to a .pfx file

  1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.

  2. Right-click the Web site for the Exchange front-end services, by default, the Default Web Site, and click Properties.

  3. On the Directory Security tab, under Secure communications, click Server Certificate to start the Web Server Certificate Wizard.

  4. Click Next on the Welcome page.

  5. Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.

  6. Type the path and file name on the Export Certificate page. For example, type c:\certificates\mail_isa.pfx, and then click Next.

  7. Enter a password for the .pfx file. This password will be requested when a user is importing the .pfx file. We recommend that a strong password be used because the .pfx file also has the private key.

Important

You should transfer the .pfx file to the ISA Server computer in a secure fashion because it contains the private key for the certificate to be installed on the ISA Server computer.

Import the Server Certificate on the ISA Server Computer

Perform the following procedure on the ISA Server computer to import the server certificate to the local computer store.

To import a server certificate on the ISA Server computer

  1. Copy the .pfx file created in the previous section to the ISA Server computer in a secure fashion.

  2. Click Start, and then click Run. In Open, type MMC, and then click OK.

  3. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.

  4. Select Certificates, click Add, select Computer account, and then click Next.

  5. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.

  6. Expand the Certificates node, and right-click the Personal folder.

  7. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.

  8. On the Welcome page, click Next.

  9. On the File to Import page, browse to the file that you created previously and copied to the ISA Server computer, and then click Next.

  10. On the Password page, type the password for this file, and then click Next.

Note

The Password page provides the option Mark this key as exportable. If you want to prevent the exporting of the key from the ISA Server computer, do not select this option.

  1. On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Personal (the default setting), and then click Next.

  2. On the wizard completion page, click Finish.

  3. Verify that the server certificate was properly installed. Click Certificates, and double-click the new server certificate. On the General tab, there should be a note that shows you have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the CA, and a note that shows This certificate is OK.

Update Public DNS

Create a new DNS host record in your domain's public DNS servers. Users will initiate a connection using the name of the Web site. This name needs to match the common name or FQDN used in the certificate installed on the ISA Server computer. For example, a user might browse to https://mail.contoso.com/exchange. In this case, the following conditions need to be met for the user to successfully initiate a connection:

  • FQDN used in the server certificate installed on the ISA Server computer needs to be mail.contoso.com.
  • User needs to resolve mail.contoso.com to an IP address.
  • IP address that mail.contoso.com resolves to needs to be configured on the External network of the ISA Server computer.

Note

For ISA Server Enterprise Edition, if you are working with an NLB-enabled array, the IP address should be a virtual IP address configured for the array. For more information about NLB, see ISA Server product Help.

Create the Exchange ActiveSync Publishing Rule

Now that the Exchange front-end server and the ISA Server computer have been properly configured and have the proper server certificates installed, you can start the procedures to publish the Exchange front-end server. Using the Exchange Publishing Wizard, you can provide secure access to your Exchange front-end server.

The following procedures are used to publish your Exchange front-end server.

  • Create a server farm (optional)
  • Create a Web listener
  • Create an Exchange Web client access publishing rule

Create a Server Farm (optional)

When you have more than one Exchange front-end server, you can use ISA Server to provide load balancing for these servers. This will enable you to publish the Web site once, instead of having to run the wizard multiple times. Also, this eliminates the need for a third-party product to load balance a Web site. If one of the servers is unavailable, ISA Server detects that the server is not available and directs users to servers that are working. ISA Server verifies on regular intervals that the servers that are members of the server farm are functioning. The server farm properties determine the following:

  • Servers included in the farm
  • Connectivity verification method that ISA Server will use to verify that the servers are functioning

Perform the following procedure to create a server farm.

To create a server farm

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Securityand Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and select Server Farm. Use the wizard to create the server farm as outlined in the following table.

Page Field or property Setting

Welcome

Server farm name

Type a name for the server farm. For example, type Exchange front end servers.

Servers

Servers included in this farm

Select Add and enter either the IP addresses or names of your Exchange front-end servers.

Server Farm Connectivity Monitoring

Method used to monitor server farm connectivity

Select Send an HTTP/HTTPS GET request.

Completing the New Server Farm Wizard

Completing the New Server Farm Wizard

Review the selected settings, and click Back to make changes and Finish to complete the wizard.

  1. When the wizard completes, click Yes in the Enable HTTP Connectivity Verification dialog box.
  2. Click the Apply button in the details pane to save the changes and update the configuration.

For more information about connectivity verifiers, see ISA Server product Help.

Create a Web Listener

When you create a Web publishing rule, you must specify a Web listener to be used. The Web listener properties determine the following:

  • IP addresses and ports on the specified networks that the ISA Server computer uses to listen for Web requests (HTTP or HTTPS).
  • Server certificates to use with IP addresses.
  • Authentication method to use.
  • Number of concurrent connections that are allowed.
  • Single sign on (SSO) settings.

Collect the following information that will be used when you use the New Web Listener Wizard.

Property Value

Web listener name

Name: ________________________

Client connection security

Note the following:

  • If HTTP is selected, information between the ISA Server computer and the client will be transferred in plaintext.
  • If HTTPS is selected, a server certificate needs to be installed on the ISA Server computer.

HTTPS or HTTP (circle one)

Web listener IP address

Network: ___________________

Optional

Specific IP address: ___.___.___.___

Note:
If this specific IP address is not the primary network adapter IP address, a secondary IP address needs to be configured on the ISA Server computer before creating the Web listener.

Authentication settings Web listener SSL certificate

Note:
This is only required if HTTPS has been selected for client connectivity security.

___Use a single certificate for this Web listener.

Certificate issued to: _______________________

___Assign a certificate for each IP address. (This option will only be available if a specific IP address has been assigned to the Web listener.)

Certificate issued to: _______________________

Authentication

For forms-based authentication, you have options to authenticate your users to ISA Server.

For more information about authentication, see Authentication for Mobile Devices on the Corporate Network in Security Considerations within the Corporate Network.

Single sign on settings

___Enable single sign on.

Single sign on domain name:

___________________________

Create a Web listener with the information on the worksheet that you filled in previously, and perform the following procedure.

To create a Web listener

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.

Page Field or property Setting

Welcome

Web listener name

Type a name for the Web listener. For example, type Exchange FBA.

Client connection security

Select what type of connections this Web Listener will establish with clients

Select Require SSL secured connections with clients.

Web Listener IP Addresses

Listen for incoming Web requests on these networks

ISA Server will compress content sent to clients

Select the External network.

Check box should be selected (default).

Click Select IP Addresses.

External Network Listener IP Selection

Listen for requests on

Available IP Addresses

Select Specified IP addresses on the ISA Server computer in the selected network.

Select the correct IP address and click Add.

Note:
For ISA Server Enterprise Edition with an NLB-enabled array, you should select a virtual IP address.

Listener SSL Certificates

Select a certificate for each IP address, or specify a single certificate for this Web listener

Select Assign a certificate for each IP address.

Select the IP address you just selected and click Select Certificate.

Select Certificate

Select a certificate from the list of available certificates

Select the certificate that you just installed on the ISA Server computer. For example, select mail.contoso.com, and click Select. The certificate must be installed before running the wizard.

Authentication Settings

Select how clients will provide credentials to ISA Server

Select how ISA Server will validate client credentials

Select HTML Form Authentication for forms-based authentication and select the appropriate method that ISA Server will use to validate the client's credentials.

For example, select LDAP Authentication if you are installing in workgroup mode. Select Windows (Active Directory) if your ISA Server computer is in a domain configuration.

Single Sign on Settings

Enable SSO for Web sites published with this Web listener

SSO domain name

Leave the default setting to enable SSO.

To enable SSO between two published sites portal.contoso.com and mail.contoso.com, type .contoso.com.

Completing the New Web Listener Wizard

Completing the New Web Listener Wizard

Review the selected settings, and click Back to make changes or Finish to complete the wizard.

Create an Exchange Web Client Access Publishing Rule

When you publish an internal Exchange front-end server through ISA Server 2006, you are protecting the Web server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Web client access.

Collect the following information that will be used when you use the New Exchange Publishing Rule Wizard.

Property Value

Exchange publishing rule name

Name: ________________________

Services

Note:
You can publish all services in a single rule using the same Web listener configured with forms-based authentication. ISA Server 2006 will use Basic authentication for services that do not support forms-based authentication.

Exchange version: ____________

__Outlook Web Access

__Outlook RPC over HTTP

__Outlook Mobile Access

_X_Exchange ActiveSync

Publishing type

__Publish a single Web site

or

__Publish a server farm of load balanced servers

and

Server farm name:_____________

Server connection security

HTTPS or HTTP (circle one)

Note the following:

  • If HTTP is selected, information between the ISA Server computer and the Web server will be transferred in plaintext.
  • If HTTPS is selected, a server certificate needs to be installed on the Exchange front-end server.

Internal publishing details

Internal site name (FQDN): ______________________

If the FQDN is not resolvable by the ISA Server computer:

Computer name or IP address:_____________________

Public name details

Accept request for:

__This domain name:______________

or

__Any domain name

Select Web listener

Web listener:________________

User set

List user sets that will have access to this rule:

_________________

__________________

Use the information on the worksheet that you filled in previously and perform the following procedure to create an Exchange Web client access publishing rule.

To create an Exchange Web client access publishing rule

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Tasks tab, click Publish Exchange Web Client Access. Use the wizard to create the rule as outlined in the following tables.

For a single Web server, use the table in New Exchange Publishing Rule Wizard for a single Web site.

If you are using a server farm, use the table in New Exchange Server Publishing Rule Wizard for a server farm.

New Exchange Publishing Rule Wizard for a Single Web Site

Page Field or property Setting

Welcome

Exchange Publishing rule name

Type a name for the rule. For example, type Exchange Web Client Publishing.

Select Services

Exchange version

Web client mail services

Select the proper version of Exchange. For example, select Exchange Server 2003.

Select the desired access methods.

Publishing Type

Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites

Select Publish a single Web site or load balancer.

Server Connection Security

Choose the type of connections ISA Server will establish with the published Web server or server farm

Select Use SSL to connect to the published Web server or server farm.

Note:
A server certificate must be installed on the published Exchange front-end server, and the root CA certificate of the CA that issued the server certificate on the Exchange front-end server must be installed on the ISA Server computer.

Internal Publishing Details

Internal site name

Type the internal FQDN of the Exchange front-end server. For example, type exchfe.corp.contoso.com.

Important:
The internal site name must match the name of the server certificate that is installed on the internal Exchange front-end server.
Note:
If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.

Public Name Details

Accept requests for

Public name

This domain name (type below)

Type the domain name that you want ISA Server to accept the connection for. For example, type mail.contoso.com.

Select Web Listener

Web listener

Select the Web listener you created previously. For example, select Exchange FBA.

Authentication Delegation

Select the method used by ISA Server to authenticate to the published Web server

Select Basic authentication.

User Sets

This rule applies to requests from the following user sets

Select the user set approved to access this rule.

Completing the New Exchange Publishing Wizard

Completing the New Exchange Publishing Rule Wizard

Review the selected settings, and click Back to make changes and Finish to complete the wizard.

  1. Click the Apply button in the details pane to save the changes and update the configuration.

New Exchange Server Publishing Rule Wizard for a Server Farm

Page Field or property Setting

Welcome

Exchange Publishing rule name

Type Exchange Web client Publishing

Select Services

Exchange version

Web client mail services

Select the proper version of Exchange server. For example, select Exchange Server 2003.

Select the desired access methods.

Publishing Type

Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites

Select Publish a server farm of load balanced Web servers.

Server Connection security

Choose the type of connections ISA Server will establish with the published Web server or server farm

Select Use SSL to connect to the published Web server or server farm.

Note:
A server certificate must be installed on the published Exchange front-end servers, and the root CA certificate must be installed on the ISA Server computer.

Internal Publishing Details

Internal site name

Type exchfe.corp.contoso.com.

Specify Server Farm

Select the Exchange server farm you want to publish

Select the name of the server farm previously created. For example, select Exchange front end servers.

Public Name Details

Accept requests for

Public name

This domain name (type below)

Type mail.contoso.com.

Select Web Listener

Web listener

Select Exchange FBA.

Authentication Delegation

Select the method used by ISA Server to authenticate to the published Web server

Select Basic authentication.

User Sets

This rule applies to requests from the following user sets

Select the user set approved to access this rule.

Completing the New Exchange Publishing Rule Wizard

Completing the New Exchange Publishing Rule Wizard

Review the selected settings, and click Back to make changes and Finish to complete the wizard.

4. Click the Apply button in the details pane to save the changes and update the configuration.

Configure ISA Server 2006 for LDAP Authentication

LDAP authentication is similar to Active Directory authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server 2006 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server, by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:

  • ISA Server 2006 Standard Edition server or ISA Server 2006 Enterprise Edition array members in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
  • Authentication of users in a domain with which there is no trust relationship.

In this section you will do the following:

  • Create an LDAP Server Set
  • Create an LDAP User Set

For more information about LDAP Configuration, see Appendix B of the Secure Application Publication article on Microsoft TechNet. http://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx#AppendixB

Create an LDAP Server Set

Perform the following procedure to create an LDAP Server set:

  • For Standard Edition, perform the following procedure on computer isa01.
  • For Enterprise Edition, perform the following procedure on computer storage01.

To Create an LDAP Server Set

  1. In the console tree of ISA Server Management, click General:

    • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
    • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, expand Configuration, and then click General.
  2. In the details pane, click Specify RADIUS and LDAP Servers.

  3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.

  4. In LDAP server set name, type CorpLDAP.

  5. Click Add, to add each LDAP server name or IP address.

  6. In Server name, type dc01 and click OK.

  7. Click OK to close the Add LDAP Server Set dialog box.

  8. Click New to open the New LDAP Server Mapping dialog box.

  9. In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and click OK.

  10. Click Close to close the Authentication Servers window.

For more information on LDAP Server settings, see Appendix B: LDAP Configuration in the Microsoft TechNet article, Secure Application Publishing at http://go.microsoft.com/fwlink/?LinkID=87069.

Create an LDAP User Set

To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.

Perform the following procedure to create an LDAP user set:

  • For Standard Edition, perform the following procedure on computer isa01.
  • For Enterprise Edition, perform the following procedure on computer storage01.
  1. In the console of ISA Server Management, click Firewall Policy:
Page Field or property Setting

Welcome

User set name

Type LDAPUsers.

Users

Select the users to include in this user set.

Click Add, and select LDAP.

Add LDAP User

LDAP server set

User name

Select CorpLDAP, the LDAP server set from the drop-down list.

Select All Users in this namespace.

Note:
You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set.

Completing the New User Set Wizard

Review settings.

Click Back to make changes and Finish to complete the wizard.

  1. Click the Apply button in the details pane to save the changes and update the configuration.

Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds

In this step, you will modify the idle session timeout time on all firewalls, proxy servers, and other network appliances to accommodate the time required for successful function of the direct push technology.

The default idle session timeout in ISA Server 2006 is 1800 seconds, so you should not need to modify it.

For more information about modifying the idle session timeout time, see "Configuring your Firewall for Optimal Direct Push Performance in the Best Practices for Deploying a Mobile Messaging Solution section in this document.

To confirm the firewall Idle Session Timeout

  1. In the console tree of ISA Server Management, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. From the list of folders, expand the Web Listeners node, and view the Properties of appropriate Web Listener.

  4. Select the Connections tab and then click the Advanced… button.

  5. Make sure the Connection Timeout is set at 1800 seconds (30 minutes). Change it if needed.

  6. Click OK twice to accept any change.

  7. Click Apply to make these changes.

Test Exchange Publishing Rule

In this section, you will test the new Exchange publishing rule that you just created.

Test Exchange ActiveSync

Configure a mobile device to connect to your Exchange server using Microsoft Exchange ActiveSync, and make sure that ISA Server and Exchange ActiveSync are working properly. When configuring your mobile device and you are prompted to enter a name for the server name field, type the name of the Exchange ActiveSync server that was just published, such as https://mail.contoso.com/oma.

Note

You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 – Not implemented or not supported, ISA Server and Exchange ActiveSync are working together properly.