The recommended way to publish Outlook Web Access (OWA) to the Internet is through an ISA Server reverse proxy: ISA terminates the client's SSL connection, authenticates the user on its own logon form, and only then forwards the request over SSL to the Exchange Client Access server (CAS). In this blog I will walk through the whole process, which goes like this:
1. Generate CSR for Exchange 2007 CAS server(s).
I have discussed CSR generation in my previous blogs (http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/ and http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/). If you have more than one CAS server, repeat the steps on each of them.
Make sure the certificate request includes all the Subject Alternative Names (SANs) you are going to publish, such as the webmail and Autodiscover names.
2. Submit the request to a public Certificate Authority such as VeriSign, Thawte or Entrust and purchase a UCC (Unified Communications Certificate), that is, a certificate carrying multiple SANs. Exchange 2007 and its clients expect every published service name (webmail, Autodiscover, Outlook Anywhere) to appear on the one certificate, which is why a UCC is the usual choice.
3. Import the issued certificates on the Exchange CAS servers (I have discussed these steps in my previous blog http://khurramullah.wordpress.com/2009/07/01/importing-certificates-to-exchange-servers/).
4. Deploy the same certificate to the ISA servers. The ISA Web listener must present exactly the certificate that the public name maps to, so export it from the CAS server together with its private key in .PFX format and then import it on the ISA servers. Following is the process for doing this:
- Open the Certificates MMC snap-in on the CAS server for the Local Computer account.
- Go to the Personal container and locate the certificate you want to deploy on the ISA server.
- Export this certificate with its private key in .PFX format, protected by a strong password: the file contains the private key for your public web mail name.
- Copy the .PFX file to the ISA server.
- Open the Certificates MMC snap-in on the ISA server for the Local Computer account.
- Import the copied certificate into the Personal container, and delete the .PFX file from both servers once the import has succeeded.
- Repeat the copy and import steps for every additional ISA server.
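The export and import above can be scripted so that the PFX is always password-protected and never left on disk. This is an added example, not code from the original post: part 1 runs in the Exchange Management Shell on the CAS, part 2 in Windows PowerShell on the ISA server; the public name webmail.contoso.com and the path C:\Temp\webmail.pfx are assumptions to replace with your own.

```powershell
# Added example (not from the original post). Part 1: Exchange Management Shell on the CAS.
$publicName = 'webmail.contoso.com'      # assumed public web mail name
$pfxPath    = 'C:\Temp\webmail.pfx'      # assumed temporary location

# Pick the certificate that carries the public name as a SAN and is bound to IIS,
# i.e. the one OWA is already serving. Fail loudly rather than exporting the wrong key.
$cert = Get-ExchangeCertificate | Where-Object {
    ($_.CertificateDomains -contains $publicName) -and ("$($_.Services)" -match 'IIS')
} | Select-Object -First 1
if (-not $cert) { throw "No IIS-enabled certificate containing $publicName was found" }
"Exporting {0} with SANs: {1}" -f $cert.Thumbprint, ($cert.CertificateDomains -join ', ')

# Export with the private key as a binary PFX. The password is read interactively,
# never hard-coded, because the file is equivalent to the private key itself.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path $pfxPath
# Copy $pfxPath to the ISA server, then run part 2 there.

# ---------------------------------------------------------------------------------
# Part 2: Windows PowerShell on the ISA server (run as administrator).
$pfxPath     = 'C:\Temp\webmail.pfx'     # assumed: where the file was copied to
$pfxPassword = Read-Host -AsSecureString 'PFX password'

# Load the PFX with a machine-scoped, persisted private key: ISA's Web listener reads
# certificates from the Local Computer \ Personal store, not from a user profile.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Verify the import actually brought the private key along, then remove the PFX so the
# private key does not linger on the ISA server's disk.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw 'Certificate was not imported with its private key; the Web listener cannot use it'
}
Remove-Item $pfxPath
"Imported {0} ({1}) into LocalMachine\My" -f $installed.Subject, $installed.Thumbprint
```

Remember that the ISA server must also trust the CA that issued the CAS certificate (the root CA certificate goes into the Trusted Root Certification Authorities store on the ISA computer), otherwise the SSL connection from ISA to the CAS configured later in the publishing rule will fail.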
5. Forms-based authentication can be configured on the Client Access server when ISA Server is not used to publish Exchange Web client access. When ISA Server publishes Exchange Web client access, forms-based authentication should be configured only on the ISA Server computer: ISA collects the user's credentials on its own form and delegates them to the CAS as Basic authentication, so if the CAS also has forms-based authentication enabled the delegated credentials are not accepted and the user is shown a second logon page. Following are the steps for validating this:
- Start the Exchange Management Console.
- In the Exchange Management Console, expand Server Configuration, and then click Client Access.
- Select a Client Access server and then, on the Outlook Web Access tab, select owa (Default Web Site).
- In the action pane, click Properties under owa (Default Web Site).
- Select the Authentication page and confirm that Use one or more of the following standard authentication methods is selected, with Integrated Windows authentication and Basic authentication (password is sent in clear text) checked. Basic is acceptable here only because ISA will connect to the CAS over SSL (step 9), so the password never travels in the clear.
- Click OK.
- Review the Microsoft Exchange Warning dialog box and click OK.
- Restart IIS by running the following command: "iisreset /noforce".
- Perform this procedure on every Exchange Client Access server.
6. On the CAS server make sure that forms-based authentication is not configured on the Microsoft-Server-ActiveSync virtual directory. This directory is configured for Basic authentication by default, which is what ISA will delegate to it.
7. On the Enable Outlook Anywhere page, use Basic authentication (the default) as the client authentication method.
Note: The external host name entered here must match the common name or one of the SANs of the server certificate installed on the ISA Server computer.
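Steps 5 to 7 can be checked in one pass from the Exchange Management Shell instead of clicking through every CAS. The script below is an added example, not part of the original post; it only reads the configuration and reports what differs from the ISA-publishing settings described above. The external name webmail.contoso.com is an assumption.

```powershell
# Added example (not from the original post): validate CAS authentication settings for
# ISA publishing. Run in the Exchange Management Shell on any Exchange 2007 server.
$externalName = 'webmail.contoso.com'   # assumed: the name on the ISA listener certificate
$problems = @()

# Step 5: OWA must NOT use forms-based auth (ISA presents the form) and MUST accept
# Basic, because that is how ISA delegates the credentials it collected.
foreach ($owa in Get-OwaVirtualDirectory) {
    if ($owa.FormsAuthentication) {
        $problems += "$($owa.Identity): forms-based authentication is enabled; " +
                     "disable it with Set-OwaVirtualDirectory -FormsAuthentication:`$false " +
                     "-BasicAuthentication:`$true -WindowsAuthentication:`$true"
    }
    if (-not $owa.BasicAuthentication) {
        $problems += "$($owa.Identity): Basic authentication is disabled; ISA delegates Basic credentials"
    }
}

# Step 6: ActiveSync has no forms-based option, but Basic must not have been switched off.
foreach ($eas in Get-ActiveSyncVirtualDirectory) {
    if (-not $eas.BasicAuthEnabled) {
        $problems += "$($eas.Identity): Basic authentication is disabled on Microsoft-Server-ActiveSync"
    }
}

# Step 7: the Outlook Anywhere external host name must match the certificate name on ISA.
foreach ($oa in Get-OutlookAnywhere) {
    $hostname = "$($oa.ExternalHostname)"
    if ($hostname -ne $externalName) {
        $problems += "$($oa.Identity): ExternalHostname is '$hostname', expected '$externalName'"
    }
    # Show the authentication-related properties without assuming their exact names,
    # which differ between Exchange 2007 RTM and SP1.
    $oa | Format-List Identity, ExternalHostname, *Auth* | Out-String | Write-Verbose
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'Client Access authentication settings are consistent with ISA publishing.'
}
```

If the script changes anything on an OWA virtual directory (via the Set-OwaVirtualDirectory command it prints), run "iisreset /noforce" on that CAS afterwards, exactly as in step 5.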
8. Now we need to publish a rule for OWA on ISA. Before doing that we need a Web listener, the object that accepts incoming OWA requests on the external IP address, holds the SSL certificate and performs the forms-based authentication. Following are the steps for configuring the Web listener for OWA:
- In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
- On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.
Page | Field or property | Setting |
Welcome | Web listener name | Type a name for the Web listener. For example, type Exchange Web Listener. |
Client Connection Security | Select what type of connections this Web listener will establish with clients | Select Require SSL secured connections with clients. This is what keeps the form credentials, and the Basic credentials ISA delegates later, off the wire in clear text. |
Web Listener IP Addresses | Listen for incoming Web requests on these networks; ISA Server will compress content | Select the External and Internal networks. Leave ISA Server will compress content selected (the default). Click Select IP Addresses. |
External Network Listener IP Selection | Listen for requests on | Select Specified IP addresses on the ISA Server computer in the selected network, select the correct IP address and click Add. For ISA Server Enterprise Edition with an NLB-enabled array, select a virtual IP address. |
Listener SSL Certificates | Select a certificate for each IP address, or specify a single certificate for this Web listener | Select Assign a certificate for each IP address. Select the IP address you just added and click Select Certificate. Choose the certificate corresponding to the URL mapped to this IP in the public DNS/NAT configuration. Example: External 192.168.1.101 for abcmail, .102 for xyzmail and .103 for autodiscover; Internal 192.168.12.101 for abcmail, .102 for xyzmail (autodiscover is resolved differently on the intranet). |
Authentication Settings | Select how clients will provide credentials to ISA Server; Select how ISA Server will validate client credentials | Select HTML Form Authentication for forms-based authentication and select the method ISA Server will use to validate the client's credentials (Windows (Active Directory) for a domain-joined ISA server; LDAP (Active Directory) if the ISA server is in a workgroup). |
Single Sign On Settings | Enable SSO for Web sites published with this Web listener; SSO domain name | Leave the default setting to enable SSO. To enable SSO between two published sites, such as abcmail.Contoso.com and autodiscover.Contoso.com, type .Contoso.com (with the leading dot). |
Completing the New Web Listener Wizard | Completing the New Web Listener Wizard | Review the selected settings and click Back to make changes or Finish to complete the wizard. |
9. With the Web listener created, we publish the rule for OWA. Following are the steps for this process:
- In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
- For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
- On the Tasks tab, click Publish Exchange Web Client Access.
- Use the wizard to create the rule as outlined in the following table, which covers publishing a single Web site (or an external load balancer). If you are publishing a Web server farm, the Publishing Type and server pages of the wizard differ; only the single-site case is shown here.
Page | Field or property | Setting |
Welcome | Exchange Publishing rule name | Type a name for the rule. For example, type Contoso OWA Publishing Rule. |
Select Services | Exchange version; Web client mail services | Select Exchange Server 2007. Select the access methods to publish: Outlook Web Access first, then Outlook Anywhere (the Publish additional folders option adds the extra paths Outlook 2007 clients use), and finally Exchange ActiveSync. |
Publishing Type | Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites | Select Publish a single Web site or load balancer. |
Server Connection Security | Choose the type of connections ISA Server will establish with the published Web server or server farm | Select Use SSL to connect to the published Web server or server farm. A server certificate must be installed on the published Exchange Client Access server, and the root CA certificate of the CA that issued it must be installed in the Trusted Root Certification Authorities store on the ISA Server computer; otherwise ISA refuses the back-end SSL connection. |
Internal Publishing Details | Internal site name | Type the name ISA will use to reach the Client Access server, for example abc.contoso.com. This name must match a name on the server certificate installed on the internal Exchange Client Access server, because ISA validates that certificate on the back-end SSL connection, and it must resolve from the ISA server to the CAS. |
Public Name Details | Accept requests for; Public name | Select This domain name (type below) and type the domain name that you want ISA Server to accept connections for, for example abc.contoso.com. This must match the FQDN on the certificate selected when creating the Web listener. |
Select Web Listener | Web listener | Select the Web listener you created previously, Exchange Web Listener. |
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication for Outlook Web Access, Exchange ActiveSync and Outlook Anywhere. This is what the CAS virtual directories were set to in steps 5 to 7, and the credentials are protected by the SSL connection to the CAS. |
User Sets | This rule applies to requests from the following user sets | Select the user set approved to access this rule. You can replace the default All Authenticated Users with All Users and accept the warning, but note what the warning means: with All Users, ISA does not require a client to authenticate before forwarding the request, so anonymous requests reach the CAS and the pre-authentication benefit of the ISA form is lost for them. If you want ISA to reject unauthenticated requests at the edge, keep the default All Authenticated Users. |
Completing the New Exchange Publishing Rule Wizard | Completing the New Exchange Publishing Rule Wizard | Review the selected settings and click Back to make changes or Finish to complete the wizard. |
Note: When publishing Outlook Web Access, after you click Finish, review the Remaining Exchange Publishing Tasks dialog box, and then click OK.
- On the Paths tab (properties of the OWA rule), add the path "/" so that users can reach OWA without typing /owa at the end of the URL. Be aware that "/" publishes the whole root of the Default Web Site through ISA, not only the Exchange paths the wizard added, so do this only if nothing else is hosted on that Web site.
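Once the rule is in place, check it from the outside rather than trusting the wizard: the published name should present the UCC certificate from step 4, and an unauthenticated request for /owa should be answered by ISA's logon form, not by a Basic challenge and not by the CAS. The script below is an added example (not code from the original post); it assumes the public name webmail.contoso.com, Windows PowerShell 2.0 or later on an Internet-side client, and that the ISA 2006 forms-based logon redirects to its CookieAuth.dll endpoint.

```powershell
# Added example (not from the original post): verify the published OWA listener from outside.
$publicName = 'webmail.contoso.com'   # assumed public name on the listener certificate

# --- Check 1: TLS handshake and certificate name check --------------------------------
$tcp = New-Object System.Net.Sockets.TcpClient($publicName, 443)
# Accept any certificate for the handshake; we inspect it ourselves below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $certificate, $chain, $errors) $true })
$ssl.AuthenticateAsClient($publicName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Collect the subject CN plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
}
if ($names -notcontains $publicName) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include $publicName; browsers will warn"
} else {
    "Certificate covers $publicName (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
}

# --- Check 2: is ISA's form in front of OWA? ----------------------------------------------
$req = [System.Net.WebRequest]::Create("https://$publicName/owa")
$req.AllowAutoRedirect = $false          # we want to see the redirect, not follow it
try {
    $resp = $req.GetResponse()
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response       # 401/403 etc. arrive as exceptions; keep the response
    if (-not $resp) { throw }           # no HTTP response at all (TLS or connection failure)
}
$status    = [int]$resp.StatusCode
$location  = $resp.Headers['Location']
$challenge = $resp.Headers['WWW-Authenticate']
$resp.Close()

if ($status -eq 302 -and $location -match 'CookieAuth\.dll') {
    "ISA forms-based authentication is active (redirect to $location)"
} elseif ($challenge) {
    Write-Warning "Listener answered $status with WWW-Authenticate: $challenge; the ISA form is not in front of OWA"
} elseif ($location -match '/owa/auth/logon\.aspx') {
    Write-Warning "Redirected to the Exchange logon page; forms-based authentication is still enabled on the CAS"
} else {
    Write-Warning "Unexpected response $status (Location: $location)"
}
```

Run it against every public name on the listener (webmail, autodiscover) after any certificate renewal: a renewed certificate imported on the CAS but not on ISA shows up here as a name or expiry mismatch long before users start calling.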
2 comments:
Usually (like ours) the ISA server is in a DMZ with limited access to the CAS server. Can you talk about which ports need to be open between ISA and CAS and the DCs for publishing to work?
Thanks!
Hi Deepak
I have gone through your blog this morning and found you are good at ISA. I have one doubt about ISA 2006 Ent edition. I have already posted it as a comment on your blog. Can you please answer this question?
My network has more than one VLAN, so I am using ISA as my proxy server with only one network card. I wish to have a load balancing and failover setup for this by using the NLB concept.
Keeping these issues in mind, I know that:
ISA will not work with more than 1 gateway
ISA will not support routing
ISA will not understand VLANs
I have an ISA 2006 Ent license and wish to configure ISA as a proxy with NLB, so that if one ISA is down users can browse the Internet using the other.
I hope we need to keep ISA with 1 LAN card to configure it as a proxy, because to listen to different VLANs ISA should have a gateway in the network configuration. If I am using more than 1 LAN card, ISA will work as a gateway, and its internal LAN card will not have any gateway, so only the home VLAN can contact this ISA.