Appendix B: Install and Configure an ISA Server 2004 Environment
This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in an ISA Server 2004 environment. During this part of the process, you will:
- Install ISA Server 2004.
- Create the Exchange ActiveSync publishing rule using Web publishing, opening Port 443 as a Web Listener.
- Configure the host file entry.
- Set the ISA Server 2004 idle session timeout to 1800 seconds (30 minutes).
Increasing the timeout values maximizes performance of the direct push technology and optimizes device battery life.
- Test OWA and Exchange ActiveSync.
If you plan to use Certificate Authentication with ISA Server 2004, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. See the instructions in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Refer to Network Architecture Alternatives for background about network architecture and SSL setup.
If you have ISA Server 2000, see "Using ISA Server 2000 with Exchange Server 2003" at http://go.microsoft.com/fwlink/?LinkId=62670.
For more information about configuring ISA Server 2000, see the following article in the Microsoft Knowledge Base: "How to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer by using Internet Security and Acceleration (ISA) Server 2000" at http://go.microsoft.com/fwlink/?LinkId=109205.
Installing ISA Server 2004
If you are following the network architecture that the Deployment Configurations and Best Practices for Deploying a Mobile Messaging Solution section recommends, you should install ISA Server 2004 as a stand-alone firewall on your server. Do not install ISA Server 2004 as part of an ISA server array because this deployment requires domain membership. Your ISA server should not be a member server in your Microsoft Windows forest because, if the ISA server is compromised by attacks from the Internet, the attackers can gain access to domain resources if those resources are in the same domain. Additionally, you should minimize the number of ports that are open to your internal network. Member servers require additional ports for activities, such as talking to domain controllers.
It is recommended that you set up both Exchange ActiveSync and OWA publishing on the ISA server. Having OWA published in addition to Exchange ActiveSync will give you greater troubleshooting capabilities.
To install ISA Server 2004
Install and configure Microsoft Windows Server 2003 on the firewall computer.
Go to Microsoft Update, and then install all critical security hot fixes and service packs for Windows Server 2003.
Remove the server from any domain that it is a member of, and then place it in a workgroup.
Install ISA Server 2004.
Export the OWA SSL Certificate from the Exchange front-end OWA server to a file.
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing
Web publishing rules determine how ISA Server 2004 intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server, and how ISA Server 2004 responds on behalf of the internal Web server.
During this process, you will be required to provide names for the publishing rule itself, the internal and external Web servers, and the Web Listener. Read through these instructions and determine appropriate names before you begin.
For more information, see Publishing Web Servers Using ISA Server 2004 at this Microsoft Website: http://go.microsoft.com/fwlink/?LinkId=108956.
If you plan to use Certificate Authentication with ISA Server 2004, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. Skip the following procedure, and follow the instructions in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
After you create and name the Web publishing rule, you will create and configure the Web Listener, complete the Web site rule, and update the firewall policy.
To create and name the Exchange ActiveSync Web publishing rule
In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.
Right-click the Firewall Policy node, point to New, and then click Mail Server Publishing Rule.
On the Welcome to the New Mail Server Publishing Rule Wizard page, type a name for the rule in the Mail Server Publishing Rule Name text box. Click Next.
On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option, and then click Next.
On the Select Services page, click to select the Exchange ActiveSync check box. Confirm that there is a check mark in the Enable high bit characters used by non-English character sets check box. (If you expect users to read only English-based character sets, you can make this option unavailable by clearing the check box.) For troubleshooting purposes, we recommend that you click to select the Outlook Web Access check box. Click Next. The following illustration shows the Bridging Mode page of the New Mail Server Publishing Rule Wizard.
On the Bridging Mode page, click the Secure connection to clients and mail server option, and then click Next.
The Secure connection to clients and mail server option creates a Web publishing rule that provides the SSL connection from the client mobile device to the Exchange Web site. This option prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information.
On the Specify the Web Mail Server page, type the name for the internal Web site in the mail server text box, and then click Next.
The name that you type is the name used for the Exchange Server 2003 Web site on the internal network. The name in the request that the ISA Server 2004 firewall sends to the Exchange server on the internal network should be the same as the name on the certificate that is installed on the Exchange ActiveSync Web site.
On the Public Name Details page, click the This domain name (type below) option in the Accept requests for list. In the Public name box, type the name that external users will use to access the Exchange ActiveSync Web site, and then click Next.
All incoming Web requests must be received by a Web Listener. A Web Listener may be used in multiple Web publishing rules.
To Create the Web Listener
On the Select Web Listener page, click New. With the ISA Server 2004 Web Listener, you have several options:
- You can create a separate Web listener for SSL and non-SSL connections on the same IP address.
- Based on the number of addresses that are bound to the external interface of the ISA Server 2004 firewall, you can configure separate settings for each Web Listener. The Web Listener settings are not global.
On the Welcome to the New Web Listener Wizard page, type a name for the Web Listener in the Web listener name text box, and then click Next.
On the IP Addresses page, select the External check box, and then click Address.
In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. In the Available IP Addresses list, click the external IP addresses on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA Web site, and then click Add. The external IP addresses that you selected now appear in the Selected IP Addresses list. Click OK.
On the IP Addresses page, click Next.
On the Port Specification page, click to clear the Enable HTTP check box, select the Enable SSL check box, and leave the SSL port number at 443.
By configuring this Web listener to use only SSL, you can configure a second Web listener that is dedicated for non-SSL connections with different settings.
Click Select. In the Select Certificate dialog box, click the Exchange ActiveSync Web site certificate that you imported into the ISA Server 2004 firewall computer's certificate store, and then click OK.
This certificate will appear in the Select Certificate dialog box only after you have installed the Web site certificate into the ISA Server 2004 firewall computer’s certificate store. In addition, the certificate must contain the private key. If the private key was not included, it will not appear in this list.
On the Port Specification page, click Next.
On the Completing the New Web Listener page, click Finish.
The next procedure is to configure the Web Listener so that no authentications are configured.
To configure the Web Listener
On the Select Web Listener page, where the details of the Web Listener now appear, click Edit.
In the OWA SSL Listener Properties dialog box, click the Preferences tab. The following illustration shows the OWA SSL Listener Properties dialog box.
On the Preferences tab, click Authentication.
In the Authentication dialog box, click to clear the Integrated check box. In the Microsoft Internet Security and Acceleration Server 2004 dialog box that warns you that no authentication methods are currently configured, click OK.
Do not select the OWA-Forms Based Authentication check box.
In the SSL Listener Properties dialog box, click Apply, and then click OK.
On the Select Web Listener page, click Next.
On the User Sets page, accept the default entry All Users, and then click Next.
Accepting the All Users default entry does not enable all users to access the Exchange Web site. Only users who can authenticate successfully will be able to access the Exchange Web site. The actual authentication is done by the Exchange Web site, which uses the credentials that the ISA Server 2004 firewall has forwarded to it. The ISA Server 2004 firewall and the Exchange Web site cannot both authenticate the user. This means that you must allow all users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself by using client certificate authentication.
On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
As a final procedure, you will allow the Exchange Web site to receive the mobile device's actual IP address.
To complete the Web Site rule and update the firewall policy
In the Details pane of the ISA Server Management console, right-click the EAS Web site rule, and then click Properties.
In the Web site Properties dialog box, click the To tab. On the To tab, click Requests appear to come from the original client option. This option allows the Exchange Web site to receive the actual IP address of the external client mobile device. This feature enables Web logging add-ons installed on the OWA Web site to use this information when creating reports. The following illustration shows the OWA Web site Properties dialog box.
Click Apply, and then click OK.
Click Apply to save the changes and update the firewall policy.
In the Apply New Configuration dialog box, click OK.
The SSL Web site is now available on the external IP address of the ISA server. You may have to make host record changes on your externally-accessible Domain Name System (DNS) server to map the IP address of the ISA server’s external interface to the host record of the SSL Web site.
Configuring the Hosts File Entry
The next procedure is to create a Hosts file entry on the ISA Server 2004 firewall computer so it resolves the name that you specified for your internal Web mail server to the IP address of the Exchange server that is on the internal network.
You could also use a split DNS infrastructure for this purpose. However, a Hosts file entry is easier to create. On a production network, you would create a split DNS infrastructure so that the ISA Server 2004 firewall resolves the fully qualified domain name (FQDN) of the OWA Web site to the IP address that the Exchange server uses on the internal network.
To configure the Hosts file entry
Click Start, and then click Run. In the Run dialog box, type Notepad in the Open text box, and then click OK.
From the File menu, click Open. In the Open dialog box, type c:\windows\system32\drivers\etc\hosts in the File name text box, and then click Open. The following illustration shows the Open dialog box.
Add the following line to the Hosts file: 10.0.0.2 <your firewall name>.
Move your cursor to the end of the line, and then press ENTER so that the insertion point sits on the next line.
From the File menu, click Exit.
In Notepad, save the changes to the file, and then close Notepad.
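The Hosts file step above is easy to get subtly wrong: a missing trailing newline, a name that is already mapped elsewhere, or an entry that sends the firewall's proxied traffic to the wrong internal address. The following script is an added example, not part of the original Microsoft documentation. It parses the Windows Hosts file format (one address followed by one or more names per line, # starting a comment), reports which address a name resolves to, and appends an entry only when the name is not already mapped. The file body, the 10.0.0.2 address from the procedure, and the host names are constructed placeholders so the script runs anywhere without touching c:\windows\system32\drivers\etc\hosts.

```python
"""Parse a Windows Hosts file and verify the ISA Server 2004 name mapping.

Added example, not part of the original documentation. It works on a
constructed file body; on the firewall you would read and write
c:\\windows\\system32\\drivers\\etc\\hosts instead.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample Hosts file. 10.0.0.2 is the address used in the
# procedure above; the host names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.2        mail.internal.example   # Exchange front-end (constructed)
192.0.2.10      owa.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) per entry, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no name is ignored
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address: skip rather than trust it
        entries.append((ip, [n.lower() for n in parts[1:]]))
    return entries


def resolve_name(text: str, name: str) -> Optional[str]:
    """Return the address the Hosts file maps `name` to (case-insensitive);
    the first matching line wins, duplicates further down are not consulted."""
    name = name.lower()
    for ip, names in parse_hosts(text):
        if name in names:
            return ip
    return None


def ensure_entry(text: str, ip: str, name: str) -> Tuple[str, bool]:
    """Return (new_text, changed). Appends `ip name` if the name is unmapped,
    first ensuring the file ends with a newline (the procedure's ENTER step).
    Refuses to silently override an existing mapping to a different address,
    because that is exactly the mistake that routes proxied traffic to the
    wrong internal host."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    current = resolve_name(text, name)
    if current == ip:
        return text, False
    if current is not None:
        raise ValueError(f"{name} already maps to {current}, not {ip}")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip}\t{name}\n", True


if __name__ == "__main__":
    print(resolve_name(SAMPLE_HOSTS, "mail.internal.example"))
    updated, changed = ensure_entry(SAMPLE_HOSTS, "10.0.0.2", "eas.internal.example")
    print(changed)
    print(updated)
```

Run it against the real file by reading the Hosts file into a string, passing it to ensure_entry with the internal Web mail server name you used on the publishing rule, and writing the result back only when the second return value is True.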
Setting the ISA Server 2004 Idle Session Timeout
In this procedure, you will modify the idle session timeout to accommodate the time that is required for the direct push technology to successfully function.
For more information about modifying the idle session timeout time, see the "Best Practice: Configuring Your Firewall for Optimal Direct Push Performance" section in Best Practices for Deploying a Mobile Messaging Solution.
To set the ISA Server 2004 idle session timeout to 1800 seconds
In the console tree of ISA Server Management, click Firewall Policy.
On the Toolbox tab, click Network Objects.
From the list of folders, expand the Web Listeners node, and then view the Properties of the appropriate Web Listener.
Select the Preferences tab, and then click the Advanced… button.
Modify the value for Connection Timeout from the default 120 seconds (2 minutes) to 1800 seconds (30 minutes).
Click OK twice to accept the change.
Click Apply to make these changes.
Testing OWA and Exchange ActiveSync
After you complete the configuration, you should test the following features that you configured:
- Test OWA (optional).
- Test Exchange ActiveSync.
An external client mobile device can access the OWA server as long as it can resolve an FQDN to the external IP address of the ISA server. This resolution is usually achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of the ISA server.
If you have set up OWA according to the instructions in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628, you can test it by using the following process.
To test the deployment in a lab environment, specify the Web site host name resolution information by using Notepad in the client mobile device hosts file that is located under the following path: \system32\drivers\etc\hosts in the Windows installation directory.
To test OWA (if installed)
To connect to the OWA Web site from the external client mobile device, type the Web address that you specified during setup. Be certain to specify https in the URL.
When you connect, you should see a logon page that requests credentials and the session type (public or private). Provide this information so you can access your mailbox.
If you have set time-outs or blocked attachments, test those features by leaving the browser inactive for a period of time and then trying to access mail, and by trying to open or save attachments.
Testing Exchange ActiveSync
You can configure a mobile device to connect to your Exchange server by using Exchange ActiveSync, and use that connection to confirm that ISA Server 2004 and Exchange ActiveSync are working together properly.
As an alternative, you can test Exchange ActiveSync by using Internet Explorer.
To test Exchange ActiveSync by using Internet Explorer
Open Internet Explorer.
In the Address bar, type https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of your OWA server (the name your end users will type).
Type the user name and credentials of the account that you want to authenticate.
If you receive one of the following error messages: Error 501/505 "Not implemented" or "Not supported", ISA Server 2004 and Exchange ActiveSync are working together properly.
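The Internet Explorer test above can be scripted so that it is repeatable after every firewall policy change. The following script is an added example, not part of the original Microsoft documentation. It sends the same HTTPS GET to /Microsoft-Server-ActiveSync with HTTP Basic credentials and treats a 501 or 505 response as the success signal the procedure describes. TLS certificate verification stays on; for a private CA you pass its certificate file rather than disabling checks. The published name, test account and CA file path are assumed placeholders, and the verdict strings for statuses other than 501/505/401 are this example's own troubleshooting hints, not diagnoses from the documentation.

```python
"""Probe a published Exchange ActiveSync endpoint through ISA Server 2004.

Added example, not part of the original documentation. It mirrors the
Internet Explorer test from a script; the host name, account and CA file
are placeholders you replace with your own values.
"""
import base64
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

EAS_PATH = "/Microsoft-Server-ActiveSync"
# Status codes the procedure names as proof that the request reached
# Exchange ActiveSync: 501 "Not implemented" / 505 "Not supported".
EAS_REACHED = {501, 505}


def eas_url(published_name: str) -> str:
    """Build the test URL; the Web listener accepts SSL only, so the scheme
    is fixed to https and anything else is rejected."""
    url = f"https://{published_name}{EAS_PATH}"
    if urlsplit(url).scheme != "https" or not urlsplit(url).hostname:
        raise ValueError("Exchange ActiveSync must be tested over https")
    return url


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credential header, as the browser sends after the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def interpret(status: int) -> str:
    """Map the HTTP status from the EAS virtual directory to a verdict.
    Only the 501/505 and 401 meanings come from the documentation; the
    remaining hints are this example's assumptions about where to look."""
    if status in EAS_REACHED:
        return "ok: ISA Server forwarded the request and Exchange ActiveSync answered"
    if status == 401:
        return "auth failed: credentials were rejected by the Exchange Web site"
    if status in (502, 503, 504):
        return "backend unreachable: check the Hosts entry and the internal site name on the rule"
    return f"unexpected status {status}: review the ISA Server logs"


def probe(published_name: str, user: str, password: str,
          ca_file: str = None, timeout: float = 30) -> tuple:
    """Send the GET and return (status, verdict). 4xx/5xx responses are
    raised by urllib as HTTPError and are the cases we actually want."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    req = urllib.request.Request(eas_url(published_name), method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return status, interpret(status)


if __name__ == "__main__":
    # Placeholders: replace with your published name, a test account and,
    # if the listener certificate is from a private CA, its CA file.
    print(probe("eas.example.com", "testuser", "placeholder-password",
                ca_file=None))
```

A 501 or 505 from this script means the same thing as in the browser test: the request passed the Web listener, was forwarded using the internal name from the rule, and was answered by the Exchange ActiveSync virtual directory.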