Clarifying Pre-Authentication Options with the ISA Firewall
I recently received a note from Nori Ingborsson about some material I wrote about the ISA firewall’s pre-authentication options. Nori was referring to something I wrote in the ISA/Exchange Deployment Kit that he found confusing. I’m glad Nori took the time to write to me about this, because my main goal in life is to clarify things that aren’t clear from existing documentation.
The comment that Nori found confusing is in isa2004se_exchangekit-rev 1 05.doc, in the material on OWA and RPC/HTTP publishing:
"On the User Sets page, accept the default entry, All Users, and then click Next. Note that this does not mean that all users will be able to access the OWA site. Only users who can authenticate successfully will be able to access the site. The actual authentication is done by the OWA site, using the credentials that the ISA Server 2004 firewall forwards to it. You cannot have the ISA Server 2004 firewall itself and the OWA or RPC over HTTP site authenticate the user. This means you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself using client certificate authentication"
The statement in the above paragraph is wrong. As I read it, I essentially said that you can’t authenticate at the ISA firewall and at the OWA and RPC/HTTP Web and proxy sites. This is not true. The fact is that if you use Basic authentication or Forms-based authentication (FBA), you can authenticate with the ISA firewall and with the destination site, and the user won’t be challenged a second time for credentials. Even if you don’t use Basic or FBA at the ISA firewall for pre-authentication, you can still authenticate at the ISA firewall and at the destination Web site for OWA. The difference is that you’ll be challenged a second time, with the second challenge being issued by the destination site.
Nori did find something interesting that I wasn’t previously aware of. When he enabled FBA on the Web listener used by both the OWA and RPC/HTTP Web Publishing Rules and did not require authentication in the Web Publishing Rule or the Web listener, he could use the same listener for OWA and RPC/HTTP publishing. I don’t yet know why this worked, but it is clear that if FBA is enabled on the listener and you don’t require authentication, then you can use the same listener for publishing those services. However, if you don’t pre-authenticate, then you miss out on a significant level of security that the ISA firewall can provide.
Here’s the reason why you can use Basic authentication for pre-authenticating RPC/HTTP. When the Outlook client tries to connect to the RPC/HTTP proxy site, the ISA firewall intercepts the request and challenges the Outlook RPC/HTTP client for credentials. When the Outlook RPC/HTTP client is configured to use Basic authentication over SSL (the base64 encoded Basic credentials are protected in the SSL tunnel), it forwards the Basic credentials to the ISA firewall. The Web Publishing Rule that accepts the RPC/HTTP connection is configured to forward Basic credentials (this setting is on the Users tab of the Web Publishing Rule), so the ISA firewall, after authenticating the user, forwards the credentials to the published site. If the published site successfully authenticates the user, the Outlook RPC/HTTP client connections are allowed through the ISA firewall, the RPC/HTTP session is complete, and the client connects to its Exchange mailbox.
FBA works a bit differently. I’ve never seen this documented on the www.microsoft.com Web site (although it might be buried in the SDK). However, Greg Bell from Collective Software (www.collectivesoftware.com) was kind enough to inform me of how it works. What happens with FBA is that after you fill out the form, the credentials you entered are sent in clear text. What I mean by that is that the credentials aren’t even base64 encoded; they’re just sent as pure unencoded text. When the ISA firewall receives these credentials, it authenticates the user and then converts these credentials into Basic credentials, which it sends to the published Web site. So, with FBA, the ISA firewall takes clear text credentials sent via the form, authenticates the user, and then "magically" converts this information into Basic credentials that can be forwarded to the published Web site.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls
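
The conversion described above, from credentials typed into a form to the Basic credentials forwarded to the published site, can be sketched as follows. This is an added example, not code from the original article or from ISA Server; the form field names `username` and `password` and the sample values are assumptions. It also shows that base64 is a reversible encoding, which is why both the form post and the Basic header depend on the SSL tunnel for protection.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: the body of a logon form POST as a browser sends it.
# The field names are assumptions for this example, not ISA's actual form.
SAMPLE_FORM_BODY = "username=CONTOSO%5Calice&password=S3cret%3A+pass"


def parse_form_credentials(body):
    """Return (user, password) from an application/x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    try:
        # Exactly one value per field; duplicates are rejected as ambiguous.
        (user,), (password,) = fields["username"], fields["password"]
    except (KeyError, ValueError):
        raise ValueError("form must carry one username and one password")
    if ":" in user:
        # Basic joins user and password with ':', so the user name
        # cannot contain one (RFC 7617). The password may.
        raise ValueError("user name must not contain ':'")
    return user, password


def to_basic_header(user, password):
    """Build the Authorization header value a proxy would forward upstream."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def from_basic_header(value):
    """Recover (user, password) from a Basic header: no key is needed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # split on the first ':' only
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


if __name__ == "__main__":
    user, password = parse_form_credentials(SAMPLE_FORM_BODY)
    header = to_basic_header(user, password)
    print("Form fields   :", user, "/", password)
    print("Authorization :", header)
    print("Decoded again :", from_basic_header(header))
```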