Using a Commercial Web Site Certificate to Publish Outlook Web Access (OWA) Part 3

by Thomas W Shinder MD, MVP


Have Questions about the article? 
Ask at: http://tinyurl.com/p52jd

In part 1 of this series on how to use a commercial Web site certificate to publish your corporate OWA site, I went over the basics of SSL-to-SSL bridging and how the ISA firewall brings a much higher level of security to your OWA remote access solution compared to conventional “hardware” firewalls. After making the security advantages of the ISA firewall abundantly clear, we went over the reasons why you would want to use a commercial Web site certificate instead of a privately generated certificate. We finished up by providing the roadmap for the overall commercial Web site certificate OWA publishing solution presented in this series.

In part 2 we started with the details of the configuration and began the process of requesting the commercial Web site certificate that will be subsequently bound to the Web listener used by an ISA firewall Web Publishing Rule.

If you missed the other parts of this series, then check them out at:

In this, part 3 of our four part series on using commercial certificates to publish OWA sites, we’ll go over the following topics and procedures:

  • Export the Web Site Certificate, with its Private Key and Certificate Chain, to a File and then Copy the File to the ISA Firewall
    You will need to export the commercial Web site certificate from the OWA site, along with its private key, so that you can copy the certificate to the ISA firewall. In addition, in the scenario we’re using with the VeriSign trial certificate, we’ll need to install the VeriSign trial certificate authority’s CA certificate on the ISA firewall.
  • Remove the Web Site Certificate from the OWA Web Site
    We’re done with the commercial Web site certificate on the OWA Web site after the certificate is exported to a file, along with its private key. Now we need to unbind the commercial Web site certificate from the OWA Web site so that we can request a private certificate, with a different common/subject name, to bind to the OWA Web site.
  • Request a Private Web Site Certificate for the OWA Web Site
    Now we can request a Web site certificate from our internal enterprise CA. This private Web site certificate will be automatically trusted by all of our internal domain members, since when we deploy an internal enterprise CA in our domain, the CA certificate is automatically placed in the domain member computers’ Trusted Root Certification Authorities machine certificate store.
  • Import the Commercial Web Site Certificate and Create the SSL Listener
    Here we’ll move away from the OWA server and focus our attention on the ISA firewall. We’ll import the commercial Web site certificate into the ISA firewall’s machine certificate store and create the SSL Web listener that we’ll bind the commercial Web site certificate to. This puts us in position to create the Web Publishing Rule that publishes the OWA Web site.

Let’s get started!

Export the Web Site Certificate, with its Private Key and Certificate Chain, to a File and then Copy the File to the ISA Firewall


Figure 1: You are here

We need to use the Web site certificate and the CA certificate on the ISA firewall so that the ISA firewall can accept incoming requests for mail.msfirewall.org. We do this by exporting the Web site certificate along with its private key from the OWA server’s certificate store. We also need to export the CA certificate of the CA that issued the Web site certificate.

Export the Web Site Certificate with its Private Key and Certificate Chain

Perform the following steps to export the certificate with its private key and certificate chain:

  1. Click Start and click the Run command.
  2. In the Run dialog box, enter mmc in the Open text box and click OK.
  3. In the new MMC console, click the File menu and click Add/remove Snap-in.
  4. In the Add/Remove Snap-in dialog box, click the Add button.
  5. In the Add Standalone Snap-in dialog box, select the Certificates snap-in and click Add.
  6. On the Certificates snap-in page, click the Computer account option and click Next.
  7. On the Select Computer page, select the Local Computer option and click Finish.
  8. Click Close in the Add Standalone Snap-in dialog box.
  9. Click OK in the Add/Remove Snap-in dialog box.
  10. Expand the Certificates (Local Computer) node and then expand the Personal node. Click on the Certificates node. Right click on the commercial Web site certificate in the right pane of the console, point to All Tasks, and click Export.
  11. Click Next on the Welcome to the Certificate Export Wizard page.
  12. On the Export Private Key page, select the Yes, export the private key option. Not selecting this option is one of the most common reasons for secure SSL publishing rules not working as expected. Click Next.


Figure 2

  13. On the Export File Format page, confirm that the Personal Information Exchange – PKCS #12 option is selected. Remove the checkmark from the Enable strong protection checkbox. Place a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.


Figure 3

  14. On the Password page, enter a password and confirm the password. Click Next.
  15. On the File to Export page, enter a path and filename in the File name text box. In this example, we’ll enter c:\commcert. Click Next.


Figure 4

  16. Click Finish on the Completing the Certificate Export Wizard page.
  17. Click OK in the dialog box indicating that the export was successful.
  18. Copy the Commcert.pfx file to the ISA firewall computer.

Remove the Web Site Certificate from the OWA Web Site


Figure 5: You are here

It might be hard to believe, but after all that work, we now need to remove the commercial Web site certificate from the OWA Web site. Actually, what we want to do is unbind the commercial certificate from the OWA Web site; we don’t need to remove it from the OWA computer’s certificate store. We need to unbind the certificate from the Web site so that we can bind a private certificate to the OWA Web site.

The reason why we want to do this is that most commercial CAs require that you pay for each server on which the commercial Web site certificate is installed. For our scenario, we would need to pay for two certificates if we wanted to bind the mail.msfirewall.org commercial certificate to both the internal OWA server and the ISA firewall’s Web listener.

We can avoid the extra cost by creating our own Web site certificate using our enterprise CA. This works because:

  • All machines on the internal network are managed machines that are members of the Active Directory domain
  • All domain member machines in a domain with an enterprise CA installed automatically have the CA certificate installed on their Trusted Root Certificate Authorities machine certificate store

Because the internal clients are managed machines with the CA certificate automatically installed, there’s no advantage to using a commercial certificate. This allows us to use a private certificate that we create ourselves.

Keep in mind that in this scenario the ISA firewall is a domain member and therefore it also has the enterprise CA’s certificate in its Trusted Root Certification Authorities machine certificate store. If the ISA firewall were not a domain member, you would have to manually add the CA certificate to the ISA firewall’s Trusted Root Certification Authorities machine certificate store, because the ISA firewall must trust the CA issuing the Web site certificate installed on the OWA server.

Remove the Commercial Certificate from the OWA Web Site

Perform the following steps to unbind the commercial certificate from the OWA Web site on the Exchange Server:

  1. Open the Internet Information Services console from the Administrative Tools menu.
  2. In the Internet Information Services console, expand the server name and expand the Web Sites node in the left pane of the console. Right click the Default Web Site node, and click Properties.
  3. In the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure communications frame.
  5. Click Next on the Welcome to the Web Server Certificate Wizard page.
  6. On the Modify the Current Certificate Assignment page, select the Remove the current certificate option and click Next.


Figure 6

  7. Click Next on the Remove a Certificate page.
  8. Click Finish on the Completing the Web Server Certificate Wizard page.
  9. Leave the Default Web Site Properties dialog box open; we’ll use it for the next procedure.

Request a Private Web Site Certificate for the OWA Web Site


Figure 7: You are here

Now that the commercial Web site certificate is unbound from the OWA Web site, we’re ready to request and bind a private certificate to the site. We’ll make an online request from our enterprise CA. This allows us to use the IIS Web site certificate request wizard and automatically bind the certificate to the OWA Web site. The enterprise CA certificate is already installed on this machine, because it is a domain member, so we don’t have to worry about manually installing it.

The common/subject name on the certificate will be owa.msfirewall.org. This is the name that internal users will use to connect to the site. This is also the name that the ISA firewall will be configured to use when it establishes the second SSL connection from itself to the OWA Web server. I’ll point this detail out to you and explain the rationale when we get to creating the Web Publishing Rule that publishes the OWA Web site.


Request a Certificate for the OWA Web Site

Perform the following steps to request a certificate for the OWA Web site:

  1. In the Default Web Site Properties dialog box, on the Directory Security tab, click the Server Certificate button.
  2. On the Welcome to the Web Server Certificate Wizard page, click Next.
  3. On the Server Certificate page, select the Create a new certificate option and click Next.
  4. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option and click Next.


Figure 8

  5. On the Name and Security Settings page, enter a friendly name in the Name text box. In this example we’ll name the certificate OWA Site Certificate. Note that this name is not the common/subject name on the certificate.
  6. On the Organization Information page, enter your Organization and Organizational Unit information and click Next.
  7. On the Your Site’s Common Name page, enter the name that will be in the subject name field on the OWA Web site’s Web site certificate. In this example, internal clients, including the ISA firewall, will use the name owa.msfirewall.org to reach the OWA Web site. For this reason, we’ll enter owa.msfirewall.org in the Common name text box. Click Next.


Figure 9

  8. Enter your Country/Region, State/Province and City/locality information on the Geographical Information page and click Next.
  9. On the SSL Port page, leave the default value in the SSL port this web site should use text box and click Next.
  10. Accept the default enterprise CA that appears in the Choose a Certification Authority page and click Next.
  11. Review the information on the Certificate Request Submission page and click Next.
  12. Click Finish on the Completing the Web Server Certificate Wizard page.
  13. Click the View Certificate button on the Directory Security tab.
  14. On the General tab of the Certificate dialog box, you’ll see the common/subject name listed and that you have a private key associated with the certificate. Click OK to close the dialog box.


Figure 10

  15. Click OK to close the Default Web Site Properties dialog box.

Import the Commercial Web Site Certificate and Create the SSL Listener


Figure 11: You are here

Now we’re ready to configure the ISA firewall. The first thing we need to do is import the commercial Web site certificate into the ISA firewall’s machine certificate store. This is required so that the Web site certificate will be available for binding to the ISA firewall’s SSL listener. We will also import the CA chain into the Trusted Root Certification Authorities machine store so that the ISA firewall trusts the commercial Web site certificate.

Import the Commercial Web Site Certificate and Certificate Chain into the ISA Firewall’s Machine Certificate Store

  1. Click Start and click the Run command.
  2. In the Run dialog box, enter mmc in the Open text box and click OK.
  3. In the new MMC console, click the File menu and click Add/remove Snap-in.
  4. In the Add/Remove Snap-in dialog box, click the Add button.
  5. In the Add Standalone Snap-in dialog box, select the Certificates snap-in and click Add.
  6. On the Certificates snap-in page, click the Computer account option and click Next.
  7. On the Select Computer page, select the Local Computer option and click Finish.
  8. Click Close in the Add Standalone Snap-in dialog box.
  9. Click OK in the Add/Remove Snap-in dialog box.
  10. Expand the Certificates (Local Computer) node and then click the Personal node. Right click the Personal node, point to All Tasks, and click Import.
  11. On the Welcome to the Certificate Import Wizard page, click Next.
  12. On the File to Import page, click the Browse button to locate the commercial Web site certificate file that you exported the Web site certificate and certificate chain to. Click Next after the name of the file appears in the File name text box.
  13. On the Password page, enter the password you assigned to the certificate in the Password text box and click Next.
  14. Accept the default settings on the Certificate Store page and click Next.
  15. Click Next on the Completing the Certificate Import Wizard page.
  16. Click OK in the dialog box informing you that the import was successful.
  17. You will see the Certificates node appear under the Personal node. Click the Certificates node. In the right pane of the console you’ll see the commercial Web site certificate and the CA certificate chain. We want to move the CA certificates into the Trusted Root Certification Authorities certificate store.


Figure 12

  18. Hold down the CTRL key on the keyboard and click both of the CA certificates. The names of the CA certificates in our example are VeriSign Trial Secure Server Test CA and VeriSign Trial Secure Server Test Root CA. With both certificates selected, click the Cut button in the MMC toolbar.
  19. Expand the Trusted Root Certification Authorities node in the left pane of the console and click the Certificates node. Click the Paste button in the MMC toolbar.
  20. You will see the two CA certificates appear in the right pane of the console.


Figure 13

  21. Close the MMC console and do not save the changes.
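The export and import procedures above fail silently in two common ways: the private key was not exported, or the CA certificates never made it into Trusted Root. The following check is an added example, not part of the original article, to run on the ISA firewall after the import; it assumes Windows PowerShell is available on the firewall and uses the article’s example name mail.msfirewall.org.

```powershell
# Added verification script (not from the article). Run on the ISA firewall
# after importing Commcert.pfx and moving the CA certificates to Trusted Root.
$ExternalName = 'mail.msfirewall.org'   # CN the commercial certificate must carry
$My   = 'Cert:\LocalMachine\My'         # Personal machine certificate store
$Root = 'Cert:\LocalMachine\Root'       # Trusted Root Certification Authorities

# 1. Find the Web site certificate that the SSL listener will be bound to.
$cert = Get-ChildItem $My | Where-Object { $_.Subject -like "*CN=$ExternalName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$ExternalName in $My" }

# 2. "Yes, export the private key" must have been chosen in the export wizard;
#    without the key the listener cannot complete the SSL handshake.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# 3. Build the chain from the machine stores. A chain that does not build means
#    the CA certificates were not in the PKCS #12 file or are not trusted here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # structural check only, works offline
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain does not build: $status"
}

# 4. CA certificates left behind in Personal (the procedure cuts and pastes them
#    into Trusted Root) clutter the Select Certificate dialog; flag any that remain.
$strayCAs = Get-ChildItem $My | Where-Object {
    $bc = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $bc -and $bc.CertificateAuthority
}
foreach ($ca in $strayCAs) { Write-Warning "CA certificate still in Personal store: $($ca.Subject)" }

# 5. Confirm each CA in the chain (every element after the leaf) is in Trusted Root,
#    which is where the article's procedure places both VeriSign trial CA certificates.
foreach ($el in ($chain.ChainElements | Select-Object -Skip 1)) {
    $thumb  = $el.Certificate.Thumbprint
    $inRoot = Get-ChildItem $Root | Where-Object { $_.Thumbprint -eq $thumb }
    if ($inRoot) { Write-Output "OK   Trusted Root has: $($el.Certificate.Subject)" }
    else         { Write-Warning "Not in Trusted Root: $($el.Certificate.Subject)" }
}
Write-Output "OK   $($cert.Subject) valid until $($cert.NotAfter); private key present; chain builds"
```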

Now we’re ready to do some firewall configuration. The first thing we’ll do here is create a Web listener that will be used for the OWA Web Publishing Rule. We will bind the commercial Web site certificate to this SSL listener.

Create the SSL Listener

Perform the following steps on the ISA firewall to create the SSL Web listener:

  1. Click Start and point to All Programs. Point to Microsoft ISA Server and click ISA Server Management.
  2. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  3. On the Firewall Policy node, click the Toolbox tab in the Task Pane.
  4. On the Toolbox tab, click the Network Objects section. Click the New menu and click Web Listener.
  5. On the Welcome to the New Web Listener Wizard page, enter a name for the Web Listener in the Web listener name text box. In this example we’ll name the listener SSL Listener. Click Next.
  6. On the IP Addresses page, put a checkmark in the External checkbox. Click Next.
  7. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Put a checkmark in the Enable SSL checkbox. Click the Select button.


Figure 14

  8. In the Select Certificate dialog box, select the commercial Web site certificate from the Certificates list. Click OK.


Figure 15

  9. Click Next on the Port Specification page.
  10. Click Finish on the Completing the New Web Listener Wizard page.
  11. Double click on the SSL Listener entry in the Web Listeners list.


Figure 16

  12. In the SSL Listener Properties dialog box, click the Preferences tab.
  13. On the Preferences tab, click the Authentication button.
  14. In the Authentication dialog box, remove the checkmark from the Integrated checkbox.
  15. Click OK in the dialog box informing you that no authentication methods are selected.
  16. Put a checkmark in the OWA Forms-Based authentication checkbox. Then put a checkmark in the Require all users to authenticate checkbox. Click OK.


Figure 17

  17. Click OK in the SSL Listener Properties dialog box.


Summary

In this article we continued our series on how to use commercial Web site certificates to publish OWA Web sites on your corporate network. We exported the commercial Web site certificate with its private key to a file, copied it to the ISA firewall, unbound the commercial Web site certificate from the OWA Web site, and requested a private certificate for the OWA Web site. We then finished up by creating an SSL Web listener, which we’ll use in the next article in the Web Publishing Rule that publishes the corporate OWA Web site. See you then!
