Publishing Exchange 2000 Outlook Web Access with ISA Server UPDATE Dec 12 2002

Outlook Web Access (OWA) for Exchange 2000 allows users to access their mailbox on an Exchange 2000 server through a web interface. Users can also use their web browser to access the public folder store. Outlook Web Access can greatly simplify remote access to Exchange-based information for remote clients.

Because OWA uses HTTP as the application layer protocol to access the information store, you do not need to support the proprietary interface (MAPI over RPC) required by Outlook 97/98/2000/2002. In addition, you do not have to configure a mail client application to access the internal Exchange Server. Even the most unsophisticated user can use a web browser, with no extra configuration on the user's end, to access an Exchange 2000 mailbox and public folders.

Outlook Web Access is also an ideal solution for UNIX and Apple clients. Since there is no UNIX port of the Office version of Microsoft Outlook, Outlook Web Access is the only method these clients can use to access the Exchange 2000 message store. Apple clients may also lack the full version of Outlook, and can likewise reach their mailboxes via Outlook Web Access.

However, Outlook Web Access is not the same as the full version of Outlook and does not provide the same feature set. Some limitations include:

  • No support for offline access
  • No support for digital encryption of messages
  • Calendar, task list, and meetings views are severely limited compared to the full version of Outlook
  • No support for Outlook 97 forms
  • No support for Outlook rules
  • Mail features such as the spell checker, Do not deliver before, and expiration options are not supported
  • Reminders, and the ability to type directly into and edit the calendar view, are not supported.

However, even with these limitations, Outlook Web Access remains a powerful tool in your remote mail access toolbox.

In order for your Outlook Web Access solution to work correctly, you have to ensure that:

  • Exchange 2000 is configured to support ISA Server and Outlook Web Access
  • ISA Server is configured correctly to support Outlook Web Access publishing

After Exchange 2000 and ISA Server are configured correctly, your users will be able to connect to their mailboxes using Outlook Web Access.

NOTE:
Outlook Web Access Publishing is an advanced ISA Server configuration procedure. You should have read and understood the concepts in Configuring ISA Server 2000: Building Firewalls for Windows 2000 before you attempt the procedures in this article.

Configuring Exchange 2000 Outlook Web Access

Outlook Web Access is integrated with Internet Information Server 5.0 (IIS 5.0). Administration of Outlook Web Access therefore is done through the IIS console. Issues that need to be addressed on the Outlook Web Access server include:

  • ISA Server client type
  • DNS support
  • Authentication method
  • User Account Configuration

Note that this tutorial is focused on a simple setup, and does not explicitly address Front End/Back End Outlook Web Access/Exchange Server 2000 configurations.

ISA Server Client Type

The Exchange Server should be configured as a SecureNAT client. Configuring a machine to be a SecureNAT client is easy to do, because all that is required is that you configure it to use a default gateway that routes to the internal interface of the ISA Server.

If the Exchange Server is on the same network ID as the internal interface of the ISA Server, you can enter the IP address of the internal interface of the ISA Server as the Default Gateway for the Exchange Server. If the Exchange Server is remote from the internal interface of the ISA Server, configure a default gateway on that server which will route Internet bound requests to the internal interface of the ISA Server.

Since you will be using a Web Publishing Rule to publish the server, you do not want to make the Outlook Web Access server a Firewall client. Making the machine a Firewall client will only make the configuration needlessly complex. So, don’t do it!

DNS Support

The type of DNS support required by the Exchange server depends on how you have configured the server to handle delivery. Exchange 2000 uses the IIS 5.0 SMTP service. This service can be configured to allow the Exchange 2000 server to resolve mail domain names itself, or allow the server to forward mail to a Smart Host.

To configure the SMTP service’s handling of outbound mail domain resolution, perform the following steps:

  1. Open the Exchange System Manager.
  2. Expand the Servers node in the left pane and then expand the Protocols node.
  3. Expand the SMTP node in the left pane. Right click on the Default SMTP Virtual Server or any other virtual server you might have configured on the machine. Click Properties.
  4. In the Default SMTP Virtual Server Properties dialog box, click on the Delivery tab. Finally, click on the Advanced button.
  5. You will see what appears in the figure below.

The Smart Host text box is where you type the IP address or FQDN of a mail server on the Internet to which the SMTP service will forward email for non-local domains. Note that if you enter an FQDN, the Exchange Server SMTP service will still need to resolve the IP address of the Smart Host! If you wish to avoid the name resolution issue, enter an IP address instead. To prevent the SMTP service from trying to resolve the IP address as though it were a host name, enclose the IP address in square brackets. For example, if the Smart Host has the IP address 222.222.222.111, enter [222.222.222.111] in the text box.

  6. If you do not wish to use a Smart Host, you can configure the IIS SMTP service to use an external DNS server to resolve Internet mail domain names. Click the Configure button, and you'll see what appears below.

Click the Add button and enter the IP address(es) of your Internet DNS server(s). The SMTP service will use these DNS servers in preference to the DNS server configured on the machine's NIC. This lets you keep the NIC's DNS settings for internal name resolution and use the servers configured here for mail domain name resolution by the IIS SMTP service.

DNS Forwarders

Another way to support DNS for the Exchange server is to configure the Exchange Server to use an internal DNS server that supports DNS forwarding. You would configure the internal DNS server to forward requests for which it is not authoritative to a DNS server on the Internet, such as your ISP's DNS server.

Authentication Method

When the browser attempts to connect to the Outlook Web Access site, a credentials dialog box appears. You will definitely want to require authentication to access mailboxes on the Outlook Web Access site! However, ISA Server does not treat all authentication types equally. It is much easier to get Basic authentication to work consistently through the Web Proxy service. Integrated authentication leads to very poor performance and painful browser compatibility troubleshooting sessions.

This is a tricky situation because Basic authentication sends user credentials base64 encoded, which is effectively clear text: anyone who can sniff the connection can recover the user name and password. You could use anonymous access, but that puts you in an even worse situation.

One solution is to use SSL and have the Outlook Web Access clients establish an SSL connection to the external interface of the ISA Server, so that the Basic credentials only ever travel inside the encrypted channel. This solution is very effective and is our preferred solution for publishing OWA sites. Integrated authentication has multiple problems because of browser incompatibilities that depend on the Internet Explorer version. You could also have users authenticate to the Incoming Web Requests listener with client certificates and then authenticate to the Web site. Note that if you use Basic authentication alone, you do not have users authenticate with the listener; they must authenticate with the Web site.
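To make the exposure concrete, here is an added example (not code from the original article) that pulls the credentials out of a plain HTTP Basic-authenticated OWA request exactly as a sniffer between the browser and the server would. The captured request, the host name, the domain, the user name and the password are all constructed for this example.

```python
import base64

# Constructed capture: a plain HTTP (no SSL) OWA request with Basic
# authentication, as seen by anyone sniffing between the browser and the
# server. Host, domain, user and password are made up for this example.
CAPTURED_REQUEST = (
    "GET /exchange/alice/ HTTP/1.1\r\n"
    "Host: exchange.domain.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Authorization: Basic Q09SUFxhbGljZTpTZWNyZXQx\r\n"
    "\r\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive, which is
    how HTTP defines them."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def encode_basic(domain, user, password):
    """Build the Authorization header value a browser sends for Basic auth.

    Basic is base64 of 'userid:password'. With the Basic Authentication
    Domain set on the OWA folders, the userid is DOMAIN\\user."""
    userid = user if domain is None else domain + "\\" + user
    token = base64.b64encode((userid + ":" + password).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def decode_basic_credentials(authorization):
    """Recover (domain, user, password) from a Basic Authorization header.

    base64 is an encoding, not a cipher: no key is needed to reverse it.
    A bare user name (no backslash) yields domain None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication: %r" % scheme)
    userpass = base64.b64decode(token).decode("latin-1")
    # Only the first colon separates userid from password; passwords may contain ':'.
    userid, _, password = userpass.partition(":")
    domain, sep, user = userid.partition("\\")
    if not sep:
        domain, user = None, userid
    return domain, user, password


def credentials_on_the_wire(capture):
    """What a sniffer learns from one captured request, or None if the
    request carried no Authorization header (for instance the first request,
    which only provokes the 401 challenge)."""
    _method, _path, headers = parse_http_request(capture)
    auth = headers.get("authorization")
    if auth is None:
        return None
    return decode_basic_credentials(auth)


if __name__ == "__main__":
    print(credentials_on_the_wire(CAPTURED_REQUEST))
```

Run over the constructed capture, the script prints the domain, user name and password in the clear. Wrapping the same request in SSL between the browser and the ISA Server's external interface is what turns that header into an opaque byte stream for anyone on the path.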

You can also use a Server Publishing rule to publish the Outlook Web Access server's TCP port 443. There are drawbacks to this approach, but you might find it easier to implement if you have multiple IP addresses. The main drawback is that you cannot use the client certificate/Basic authentication double log on option with a Server Publishing rule: ISA Server passes the SSL connection straight through to the OWA server without terminating it, so the Incoming Web Requests listener never sees the request and cannot authenticate it or inspect it.

We cover a number of different SSL and authentication scenarios for OWA in the ISA Server and Beyond book. If you want to use SSL and get the most complete coverage of OWA/ISA Server issues and configuration details, check out the book!

Another option is to establish a VPN connection to the ISA Server and then open an Outlook Web Access session over it. The VPN link secures the connection, so no passwords are passed in the clear. This is a good choice for companies that do not want to bear the additional cost of installing the full Outlook client on laptop computers, but still want their road warriors to be able to access Exchange mail.

It will be up to you and your security analysts to decide on the best way to secure communications between the Outlook Web Access client and server. Different organizations will have different security requirements. It is also hoped that ISA Server will be able to pass Integrated or Digest Authentication credentials through the Web Proxy service with updates or future releases of the product.

Configuring Authentication on the Outlook Web Access Server

To configure authentication on the Outlook Web Access server, use the Internet Information Services console. Perform the following steps to configure the authentication options:

  1. From the Administrative Tools menu, open the Internet Information Services console by clicking the Internet Services Manager command.
  2. Expand your server name, and then expand the Default Web Site node in the left pane. You will see something like this:

The Exchange related folders are Exchweb, Public, Exchange and Exadmin. Users do not need access to the Exadmin folder, so it is not published later in this article.

Note: If you see red error icons for the Exchange related folders, click on the Default Web Site node in the left pane and then stop and restart the Default Web Site. Then refresh the display and the error icons should disappear.

  3. Right click on one of the Exchange related folders and click Properties. Click on the Directory Security tab, and then click on the Edit button in the Anonymous access and authentication control frame. You should see what appears below.

The Basic authentication (password is sent in clear text) option should be selected. Leave Integrated Windows authentication cleared: if both are offered, Internet Explorer prefers Integrated, and you are back to the problems described above. After making the selection, click the Edit button. This brings up the Basic Authentication Domain dialog box as seen below.

The domain the Exchange Server belongs to should be in the text box by default. However, if it does not appear, either type in the name of the authentication domain, or click the Browse button and select the domain from the list.

  4. Click OK, then click OK again. Click Apply and then click OK. Restart the Default Web Site and you're ready to go!

Enabling User Accounts

When Exchange 2000 is installed in a Windows 2000 domain, it extends the Active Directory schema. These schema changes allow you to create an Exchange mailbox at the time you create a new user account. User accounts that existed before Exchange was installed will not have a mailbox created for them.

For users in the domain who do not already have an Exchange mailbox, open Active Directory Users and Computers, right click the account and click the Exchange Tasks command. Follow the wizard to create a new mailbox.

After the account is created and a mailbox configured, the user will have access to Outlook Web Access by default. If you wish to disable access to Outlook Web Access, open the user account in Active Directory Users and Computers and click on the Exchange Advanced tab, as seen below.

Click on the Protocol Settings button. This will bring up the Protocols dialog box as seen below.

Click on the HTTP protocol and click the Settings button and you’ll see what appears below.

Remove the checkmark from the checkbox to disable Outlook Web Access for the user.

Email Addresses

In order for a user to access his email via Outlook Web Access, there must be at least one address for the user that belongs to the same domain as the Exchange Server. For example, look at the figure below.

The Exchange Server belongs to the shindertexas.net domain. Note that the address in bold is the user's primary SMTP address; this is the address placed in the user's From: field. This user also has addresses in other mail domains. The Exchange Server can accept mail for this user at any of these addresses, but at least one of them must be in the local domain.

Now that the Outlook Web Access server is configured, we can move onto the ISA Server.

Publishing the Outlook Web Access Site using Web Publishing Rules

We will use a Web Publishing rule to publish the Outlook Web Access Server. Before the Web Publishing rule will work, the network infrastructure needs to be configured to support Web Publishing.

If you are not sure whether your network is configured to support Web Publishing, take a moment to read part one of my two part series on how to publish a web site at www.isaserver.org/shinder. You should also visit http://www.isaserver.org/pages/learning%20zone.htm and read the other articles in the Learning Zone; many of them will help you solve ISA Server configuration issues.

You will need to create a Destination Set before you create the Web Publishing rule. The Destination Set tells ISA Server which requests, namely those for the Outlook Web Access subfolders, to redirect to the Outlook Web Access server; requests that match no Web Publishing rule are discarded by the default rule.

Creating the Outlook Web Access Destination Set

To create the Destination Set, perform the following steps:

  1. Go to Policy Elements and create a new Destination Set. Call it something like Outlook Web Access, as in the figure below. After giving it a Name and a Description, click the Add button.

  2. In the Destination box, type the FQDN or IP address of the external interface of the ISA Server to which the external users will connect.
  3. In the Path box, type the following: /exchange/*  and click OK.

  4. Repeat steps 2 and 3, but this time in the Path box type the following: /exchweb/* and click OK.
  5. Repeat steps 2 and 3, but this time in the Path box type the following: /public/* and click OK.

When you are finished, the properties of the Destination Set should look like the figure below. After the Destination Set is completed, click OK.

Creating the Outlook Web Access Publishing Rule

After the Destination Set is configured, you can use it in the Web Publishing rule used to publish the OWA server. Perform the following steps to publish the server:

  1. Right click Web Publishing Rules, point to New and click Rule.
  2. Name the rule something like Outlook Web Access and click Next.

  3. Using the drop-down list box, select the OWA destination set. Click Next.

  4. On the Client Type page, select the Any request option, and click Next.

  5. Select Redirect the request to this internal Web Server (name or IP address) and enter either the name or the IP address of the server running Outlook Web Access. Check the Send the original host header to the publishing server instead of the actual one (specified above) checkbox, and click Next.

  6. Click Finish.
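The destination set and the publishing rule built in the two procedures above, as an added example that is neither the article's own code nor anything from ISA Server itself: a small Python model of how the Web Proxy decides which inbound requests the rule applies to and what it hands to the internal server. The external name, the internal OWA address and the prefix-matching semantics of a /folder/* path are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed values for the example: the name external users resolve to the
# ISA Server's external interface, and the internal OWA server address.
EXTERNAL_NAME = "exchange.domain.com"
OWA_SERVER = "10.0.0.5"


@dataclass
class DestinationSet:
    """An ISA Server 2000 destination set: (destination, path) entries.

    Modelled (assumption) as case-insensitive matching where a path ending
    in '/*' matches that directory and everything beneath it, and a path
    without '*' must match exactly."""
    name: str
    entries: list

    def matches(self, host, path):
        host, path = host.lower(), path.lower()
        for destination, pattern in self.entries:
            if host != destination.lower():
                continue
            pattern = pattern.lower()
            if pattern.endswith("/*"):
                if path.startswith(pattern[:-1]):
                    return True
            elif path == pattern:
                return True
        return False


@dataclass
class WebPublishingRule:
    name: str
    destination_set: DestinationSet
    internal_server: str
    # The 'Send the original host header ...' checkbox from the wizard.
    send_original_host_header: bool = True


def route(rule, host, path):
    """Decide what the Web Proxy does with an inbound request.

    Returns None when the destination set does not match (the request then
    falls through to the default rule, which discards it); otherwise the
    server to connect to and the Host header the OWA server will see."""
    if not rule.destination_set.matches(host, path):
        return None
    host_header = host if rule.send_original_host_header else rule.internal_server
    return {"connect_to": rule.internal_server, "host": host_header, "path": path}


# The destination set and rule built in the procedures above.
OWA_SET = DestinationSet("Outlook Web Access", [
    (EXTERNAL_NAME, "/exchange/*"),
    (EXTERNAL_NAME, "/exchweb/*"),
    (EXTERNAL_NAME, "/public/*"),
])
OWA_RULE = WebPublishingRule("Outlook Web Access", OWA_SET, OWA_SERVER)


def publishing_report(rule, requests):
    """Evaluate (host, path) pairs against a rule before exposing it.
    Returns {(host, path): 'forwarded' | 'discarded'}."""
    report = {}
    for host, path in requests:
        decision = route(rule, host, path)
        report[(host, path)] = "forwarded" if decision is not None else "discarded"
    return report


if __name__ == "__main__":
    sample = [
        (EXTERNAL_NAME, "/exchange/alice/"),
        (EXTERNAL_NAME, "/Exchweb/img/logo.gif"),
        (EXTERNAL_NAME, "/exadmin/"),        # not in the set: stays unreachable
        ("other.domain.com", "/exchange/"),  # wrong host: no match
    ]
    for key, verdict in publishing_report(OWA_RULE, sample).items():
        print(key, verdict)
```

The report is the check worth running before you point a real listener at the rule: /exchange, /exchweb and /public reach the OWA server, /exadmin and anything arriving under another host name do not. Leaving the original host header on is what lets the OWA server build links with the external name rather than its own.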

Connecting to the Outlook Web Access Site

Let’s connect to the Outlook Web Access web site and access a mailbox. To access the Outlook Web Access server and connect to a user mailbox, perform the following steps:

  1. Open Internet Explorer and type the URL http://exchange.domain.com/exchange/username . If you decide that you don't want users to type in a user name, make sure that they put a trailing slash (/) at the end of the URL, or else it won't work. Note: You may be able to fix this problem by having the IIS 5.0 server on which the Outlook Web Access folders are located listen on All Unassigned instead of on a single IP address.
  2. You will be presented with a dialog box like the one below. Enter the User Name, Password and Domain name and click OK.

  3. Presto! The user accesses his information store as seen below.

If a particular user cannot access the Outlook Web Access site, check that the user has an email address in the same domain as the Exchange Server. You may be using the Exchange Server to accept mail for domains other than the one the server belongs to. If the user's entry in Active Directory Users and Computers does not list an email address in the Exchange Server's domain, add one.
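The address requirement from the Email Addresses section and the troubleshooting step just above, as an added example that is not part of the original article: a check over a user's Exchange addresses, plus the fix the article suggests. It follows the Active Directory proxyAddresses convention, where an uppercase SMTP: prefix marks the primary address and lowercase smtp: a secondary one; the sample users and the hosted domain are constructed, and only shindertexas.net comes from the article.

```python
# Exchange stores a user's addresses in the Active Directory proxyAddresses
# attribute as 'TYPE:address'. An uppercase 'SMTP:' prefix marks the primary
# SMTP address (shown in bold in the GUI); lowercase 'smtp:' marks secondaries.

def parse_proxy_addresses(proxy_addresses):
    """Return (type, address, is_primary) per entry, skipping malformed ones."""
    parsed = []
    for entry in proxy_addresses:
        kind, sep, address = entry.partition(":")
        if not sep or not address:
            continue
        parsed.append((kind.upper(), address, kind.isupper()))
    return parsed


def smtp_domain(address):
    """Domain part of an SMTP address, lower-cased; None if there is no '@'."""
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local else None


def owa_address_check(proxy_addresses, exchange_domain):
    """Answer the troubleshooting question above: does this user have at
    least one SMTP address in the Exchange Server's own domain?"""
    exchange_domain = exchange_domain.lower()
    smtp = [(addr, primary) for kind, addr, primary
            in parse_proxy_addresses(proxy_addresses) if kind == "SMTP"]
    primary = next((addr for addr, is_primary in smtp if is_primary), None)
    local = [addr for addr, _ in smtp if smtp_domain(addr) == exchange_domain]
    return {"primary": primary, "local_addresses": local, "ok": bool(local)}


def add_local_address(proxy_addresses, alias, exchange_domain):
    """The fix suggested above: add a secondary smtp: address in the local
    domain if the user has none. Leaves the primary address untouched."""
    if owa_address_check(proxy_addresses, exchange_domain)["ok"]:
        return list(proxy_addresses)
    return list(proxy_addresses) + ["smtp:%s@%s" % (alias, exchange_domain.lower())]


# Constructed sample data. The server belongs to shindertexas.net (the domain
# in the article's figure); the users and the hosted domain are made up.
EXCHANGE_DOMAIN = "shindertexas.net"
USER_OK = [
    "SMTP:tshinder@shindertexas.net",
    "smtp:tom@example-hosted-domain.com",
    "X400:c=US;a= ;p=ShinderTexas;o=Exchange;s=Shinder;g=Tom;",
]
USER_BROKEN = [  # only addresses in other domains: the OWA logon fails
    "SMTP:sales@example-hosted-domain.com",
    "smtp:info@example-hosted-domain.com",
]

if __name__ == "__main__":
    print(owa_address_check(USER_OK, EXCHANGE_DOMAIN))
    print(owa_address_check(USER_BROKEN, EXCHANGE_DOMAIN))
    print(add_local_address(USER_BROKEN, "sales", EXCHANGE_DOMAIN))
```

The check ignores X.400 and other non-SMTP entries and compares domains case-insensitively, so a user whose only SMTP addresses belong to a hosted domain shows up as not OK even though the server happily accepts mail for them.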

Summary

In this article we reviewed what Outlook Web Access can do, and how to implement Outlook Web Access on an ISA Server network. Before implementing an Outlook Web Access solution, you must first configure the Exchange Server to support Outlook Web Access and ISA Server. This includes DNS and user configuration issues. After the Exchange Server is configured, the ISA Server side of the equation can be addressed. The network environment must be able to support publishing of the Outlook Web Access Exchange Server. Depending on your security requirements, you will use either Web Publishing or Server Publishing to make the Outlook Web Access server available to external network users.

I highly recommend the ISA Server and Beyond book to anyone rolling out an OWA solution. I cover many different SSL and authentication scenarios in the book that I haven't been able to discuss in this article. If you are having problems or troubleshooting issues with your OWA setup, make sure to check out chapter 6 of ISA Server and Beyond. The answer to your problem will likely be there.

We hope you enjoyed this article and that it helps you roll out Outlook Web Access on your ISA Server protected network. If you have any questions or comments, please post them to the web boards, or write to me at [email protected] and I’ll try to answer you as soon as possible. – Tom.