Publishing Outlook Web Access (OWA) Sites using ISA Server 2004 Firewalls
By Thomas W Shinder M.D.
ISA Server 2000 made it easy to publish Outlook Web Access (OWA) sites. With the help of ISA Server 2000 Feature Pack 1, an easy-to-use OWA publishing wizard walked you through the steps required to securely publish an OWA Web site. ISA Server 2004 builds on the successes of ISA Server 2000 and makes publishing OWA sites even easier.
It helps to understand the flow of information before you begin publishing your OWA sites. The figure below shows what happens beginning from when the external host sends a request to the published OWA Web site.
- The external client enters https://owa.msfirewall.org into the browser and clicks OK. The name owa.msfirewall.org resolves to the IP address on the external interface of the ISA Server 2004 firewall.
- The Web site certificate installed on the OWA Web site on the internal network is installed on the ISA Server 2004 firewall machine. This was accomplished by exporting the Web site certificate (along with its private key) from the OWA Web site machine, and then importing that certificate into the machine certificate store on the ISA Server 2004 firewall. In this way, the ISA Server 2004 firewall can impersonate the OWA Web site. It is able to impersonate the OWA Web site because the common name on the certificate is the same as that used by the client’s request (in this case, owa.msfirewall.org). In addition, the CA certificate from the CA that issued the certificate to the OWA Web site machine is installed in the Trusted Root Certificate Authorities machine store on the ISA Server 2004 firewall machine.
- The ISA Server 2004 machine evaluates the request and finds that it has a Web Publishing Rule that instructs it to forward incoming requests to owa.msfirewall.org to the Exchange Server on the internal network. The ISA Server 2004 firewall is configured to redirect the request to owa.msfirewall.org, and a split DNS infrastructure or HOSTS file entry is configured so that this FQDN resolves to the IP address the Exchange Server uses on the Internal network.
- The OWA site on the internal network receives the request after the user is authenticated. Unauthenticated requests never make it to the Exchange OWA Web site.
[Note: The IP address on the Exchange Server in the figure above should be 10.0.0.2. Also, the user should enter HTTPS to create the secure connection to the ISA firewall’s external interface. Thanks! –Tom]
One of the important advancements in ISA Server 2004 is OWA Forms-based authentication. The figure below shows how ISA Server 2004 OWA Forms-based authentication works to protect the OWA site:
- The external user sends a request to connect to owa.msfirewall.org. The ISA Server 2004 firewall generates a logon form where the user enters his user name and password. The user name and password are sent from the external client to the ISA Server 2004 firewall.
- The ISA Server 2004 firewall forwards the credentials sent by the user to the OWA Web server.
- The OWA machine forwards these credentials for authentication to an Active Directory domain controller. The domain controller authenticates the user and returns the result.
- The OWA site returns the successful authentication result to the ISA Server 2004 firewall.
- The ISA Server 2004 firewall allows the incoming connection and forwards it to the OWA site.
The key to success in any OWA publishing scenario is the correct certificate deployment. I won’t cover those procedures again, as I’ve written about how to export the Web site certificate and import that certificate in Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 – Part 3: SSL Bridging Drill Down and Requesting a Web Site Certificate (http://www.msexchange.org/articles/owa2003pub3.html) and Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 – Part 4: Importing the OWA Web Site Certificate, Binding the Certificate to the Web Listener and Creating the Destination Set (http://isaserver.org/tutorials/pubowa2003part4.html). You can use the information in these two articles to request the Web site certificate for the OWA site, export the certificate, and then import the certificate into the ISA Server 2004 firewall’s machine certificate store. However, do not use the information in these articles to configure any of the ISA firewall’s settings. We will go through that procedure in this article.
Another important consideration regarding OWA Web site publishing is that the directories on the OWA site are correctly configured to support secure SSL connections. The directories need to be configured to use basic authentication only and you should also force them to use SSL. All the details for this configuration can be found in the ISA Server 2000 Exchange 2000/2003 Deployment Kit document Publishing Secure Exchange 2003 Outlook Web Access Sites with ISA Server 2000 (http://www.isaserver.org/img/upl/exchangekit/2003owapub/2003owapub.htm). Look in the section, Configure the OWA Site to Force SSL Encryption and Basic Authentication for those details.
The remainder of this article will go over the details of configuring the OWA Web Publishing Rule and the HOSTS file entry that resolves the name owa.msfirewall.org to the IP address used by the Exchange Server on the Internal network.
You can publish the Microsoft Exchange Outlook Web Access site using ISA Server 2004 Web Publishing after the site is configured to support secure SSL connections. These procedures include forcing SSL on the OWA directories and allowing the directories to accept only basic authentication.
Perform the following steps to create the Outlook Web Access Web Publishing Rule:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
- Right click the Firewall Policy node, point to New and click Mail Server Publishing Rule.
- On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we will call it OWA Web Site. Click Next.
- On the Select Access Type page, select the Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) option and click Next.
- On the Select Services page, put a checkmark in the Outlook Web Access checkbox. Confirm that there is a checkmark in the Enable high bit characters used by non-English character sets. Click Next.
- Note that the Enable high bit characters used by non-English character sets option allows users to view documents that were created using extended character sets. If you expect users to read only English-based character sets, then you can disable this option.
- On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next. This option creates a Web Publishing Rule that ensures a secure SSL connection from the client to the OWA Web site. This prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information. Remember, the external client made an SSL connection and expects that traffic to be secure from end to end. When you enable SSL to HTTP bridging, you violate the implicit trust the external client has in the secure SSL connection.
- On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example we will use the name owa.msfirewall.org. Note that this is the name used for the Exchange Server site on the internal network. You could use an IP address, but that would create problems with the SSL connection between the internal interface of the ISA Server 2004 firewall and the Exchange OWA site. You can use either a split DNS or a HOSTS file entry on the ISA Server 2004 firewall machine to resolve this name to the IP address used by the Exchange Server on the internal network. This is required so that the name in the request the ISA Server 2004 firewall sends to the Exchange Server on the internal network matches the name on the certificate installed on the OWA Web site. Click Next.
- On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Again, this is the name the external user uses when accessing the Web site. This is the name the user enters into the browser’s Address bar. Click Next.
- On the Select Web Listener page, click the New button. The Web listener works the same way as the Web listener did in ISA Server 2000, but with ISA Server 2004, you have a lot more options. For example, you can create a separate Web listener for SSL and non-SSL connections on the same IP address. In addition, the Web listener settings are no longer global, and you can configure separate settings for each listener based on the number of addresses bound to the external interface of the ISA Server 2004 firewall.
- On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example we will use the name OWA SSL Listener. Click Next.
- On the IP Addresses page, put a checkmark in the External checkbox. Click the Address button.
- In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click on the external IP address on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA site in the Available IP Addresses list. In this example, we will select the 192.168.1.70 entry. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
- Click Next on the IP Addresses page.
- On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Leave the SSL port number at 443. By configuring this listener to use only SSL, you can configure a second listener with different settings that is dedicated for non-SSL connections. Neat!
- Click the Select button. In the Select Certificate dialog box, click on the OWA Web site certificate that you imported into the ISA Server 2004 firewall’s machine certificate store and click OK. Note that this certificate will appear in this dialog box only after you have installed the Web site certificate into the ISA Server 2004 firewall’s machine certificate store. In addition, the certificate must contain the private key. If the private key was not included, it will not appear in this list.
- Click Next on the Port Specification page.
- Click Finish on the Completing the New Web Listener page.
- The details of the Web listener now appear on the Select Web Listener page. Click Edit.
- In the OWA SSL Listener Properties dialog box, click the Preferences tab.
- On the Preferences tab, click the Authentication button.
- In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured.
- Place a checkmark in the OWA Forms-Based authentication checkbox. Click OK. The OWA Forms-based authentication feature is very useful and enhances the security the ISA Server 2004 firewall provides for your OWA site. The firewall generates the logon form and then forwards the credentials sent by the user to the OWA site for authentication. Only after the user is successfully authenticated is the connection request forwarded to the OWA site. This prevents unauthenticated users from connecting to the OWA site and eliminates the risks inherent in unauthenticated users accessing the OWA site.
- Click Apply and then click OK in the OWA SSL Listener Properties dialog box.
- Click Next on the Select Web Listener page.
- On the User Sets page, accept the default entry, All Users, and then click Next. Note that this does not mean that all users will be able to access the OWA site. Only users that can authenticate successfully will be able to access the site. The actual authentication is done by the OWA site using the credentials that the ISA Server 2004 firewall forwards to it. You cannot have the ISA Server 2004 firewall itself and the OWA site authenticate the user. This means that you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself using client certificate authentication. I’ll write more about this configuration when I update the ISA Server 2000 Exchange 2000/2003 Deployment kit for ISA Server 2004.
- Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
- Right click on the OWA Web site rule in the Details pane of the console and click Properties.
- In the OWA Web site Properties dialog box, click the To tab. On the To tab, select the Requests appear to come from the original client option. This option allows the OWA Web site to receive the actual IP address of the external client. This feature enables Web logging add-ons installed on the OWA Web site to use this information when creating reports.
- Click Apply and then click OK.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.
Configuring the HOSTS File Entry
The next step is to create a HOSTS file entry on the ISA Server 2004 firewall machine so that it resolves the name owa.msfirewall.org to the IP address of the Exchange Server on the Internal network. You could use a split DNS infrastructure instead of a HOSTS file entry, but for simplicity’s sake, in this example we will create a HOSTS file entry. On a production network you would create a split DNS so that the ISA Server 2004 firewall resolves the FQDN of the OWA site to the IP address the Exchange Server uses on the Internal network.
- Click Start and click Run. In the Run dialog box, enter notepad in the Open text box and click OK.
- Click the File menu and then click Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.
- Add the following line to the HOSTS file:
Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to indicate that you wish to save the changes.
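The name-matching requirements behind the Web mail server setting and the HOSTS file entry above can be checked before the rule goes live. The following script is an added example, not code from the article or from ISA Server; it reuses the article's names and addresses (owa.msfirewall.org, listener 192.168.1.70, Exchange Server 10.0.0.2), the HOSTS text in it is constructed, and the Internal network range 10.0.0.0/24 is an assumption.

```python
# Added example (not the article's or ISA Server's code): checks that the names
# in an SSL-bridged OWA publishing rule line up. Uses the article's values
# (owa.msfirewall.org, listener 192.168.1.70, Exchange 10.0.0.2); HOSTS text constructed.
import ipaddress

HOSTS_TEXT = """# constructed HOSTS content as it would look after the step above
127.0.0.1       localhost
10.0.0.2        owa.msfirewall.org   # Exchange/OWA server, Internal network
"""

def parse_hosts(text):
    """Return {hostname_lower: ip} from HOSTS-format text; '#' comments are ignored."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def check_owa_publishing(public_name, listener_ip, web_mail_server,
                         listener_cert_cn, owa_site_cert_cn, hosts_text,
                         internal_net="10.0.0.0/24"):  # assumed Internal network range
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    # 1. The listener impersonates the OWA site: the certificate bound to it
    #    must carry the name the external user types into the browser.
    if listener_cert_cn.lower() != public_name.lower():
        problems.append("listener cert CN %r != public name %r" % (listener_cert_cn, public_name))
    # 2. The bridged request to Exchange carries web_mail_server as its host name;
    #    an IP there cannot match the name on the OWA site's certificate.
    try:
        ipaddress.ip_address(web_mail_server)
        problems.append("web mail server %r is an IP, not the OWA certificate name" % web_mail_server)
        return problems
    except ValueError:
        pass
    if owa_site_cert_cn.lower() != web_mail_server.lower():
        problems.append("OWA site cert CN %r != web mail server %r" % (owa_site_cert_cn, web_mail_server))
    # 3. On the ISA firewall the name must resolve to the Exchange Server's
    #    Internal address, never back to the external listener.
    resolved = parse_hosts(hosts_text).get(web_mail_server.lower())
    if resolved is None:
        problems.append("no HOSTS/split DNS entry for %r on the firewall" % web_mail_server)
    elif resolved == listener_ip:
        problems.append("%s resolves to the listener %s; request would loop" % (web_mail_server, listener_ip))
    elif ipaddress.ip_address(resolved) not in ipaddress.ip_network(internal_net):
        problems.append("%s resolves to %s, outside %s" % (web_mail_server, resolved, internal_net))
    return problems

if __name__ == "__main__":
    print(check_owa_publishing("owa.msfirewall.org", "192.168.1.70", "owa.msfirewall.org",
                               "owa.msfirewall.org", "owa.msfirewall.org", HOSTS_TEXT))  # []
```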
In this article we went over the procedures required to create a Web Publishing Rule on the ISA Server 2004 firewall that allows secure inbound access to the OWA site on the Internal network. We also covered the steps involved in creating a HOSTS file entry on the ISA Server 2004 firewall so that the FQDN of the OWA site correctly resolves to the IP address of the Exchange Server on the Internal network.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000015 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom