Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients (Part 2)

By /

Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients (Part 2)

By Thomas W Shinder MD, MVP

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000774

In part 1 of this two part series on configuring the ISA firewall’s forms-based authentication feature to support both internal and external clients, we went over the issues and challenges that must be overcome so that all clients can avail themselves of the superior security provided by the ISA firewall’s FBA feature. We also went over the procedures required on the OWA Web site to create the certificates required for the Web Listeners on the ISA firewall.  In this, part two of this two-part series, we’ll move our attention to the configuration steps on the ISA firewall device and then test the configuration.

If you missed part 1 of the article, then check it out at http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html

Note:
Since you’ve made it this far through this article series, I’ll let you in on a little secret. The method I’ve discussed here isn’t the only way you can enable ISA firewall FBA for both internal and external clients. However, the method I describe in this series is more flexible and enables you to have granular control over access for internal and external OWA clients. The alternate method, which I’ll describe in a later article, lacks the flexibility of the solution discussed in this document.

Copy the Certificates to the ISA Firewall and Import them into the ISA Firewall’s Machine Certificate Store

We’re done with our work at the Exchange Server, so now we’ll move our attention to the ISA firewall. Copy the two certificate files to the ISA firewall device. After copying the certificate files to the ISA firewall device, import each of the certificates into the ISA firewall’s machine certificate store. The certificates will be ready to bind to Web Listeners after they’re imported into the ISA firewall device’s machine certificate store.

Perform the following steps to import the certificates into the ISA firewall device’s machine certificate store:

  1. On the ISA firewall device, click the Start button and then click Run. In the Run dialog box, enter MMC and click OK.
  2. In the Console-1 windows, click File and then click Add/Remove snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. In the Add Standalone Snap-in dialog box, select Certificates from the Available Standalone Snap-ins list and click Add.
  5. Select the Computer account option on the Certificates snap-in page and click Next.
  6. On the Select Computer page, select the Local Computer option and click Finish.
  7. Click Close in the Add Standalone Snap-in page.
  8. Click OK in the Add/Remove Snap-in page.
  9. Expand the Certificates (Local Computer) node and then expand the Personal node. Click the Certificates node.
  10. Right click the Certificates node, point to All Tasks and click Import.
  11. Click Next on the Welcome to the Certificate Import Wizard page.
  12. Enter the file name and path for the external interface certificate in the File name text box or click Browse to find it. Then click Next.


    Figure 1

  13. On the Password page, enter the password you assigned the certificate and click Next.
  14. Accept the default settings on the Certificate Store page and click Next.
  15. Click Finish on the Completing the Certificate Import Wizard page.
  16. Click OK in the dialog box informing you that the import was successful.
  17. Repeat the procedure, but this time importing the certificate that will be used on the internal interface’s Web listener.
  18. Right click the CA certificate that was imported into the machine’s Personal\Certificates store and click Cut


    Figure 2

  19. Expand the Trusted Root Certification Authorities node in the left pane of the console and click the Certificates node.
  20. Right click the Certificates node and click Paste.
  21. Return to the Personal\Certificates node. Double click on the certificate with the Friendly Name of External Web Listener Cert. Click on the Certification Path tab. You should not see a red “X” on the root CA cert. If you see a red “X” on the root CA cert, then you have not copied the CA certificate into the ISA firewall’s Trusted Root Certification Authorities machine certificate store. Click OK to close the Certificate dialog box.


    Figure 3

  22. You don’t need to check the other certificate, since it was issued from the same CA.

Create the External and Internal Web Listeners

Now we’re ready to create the Web Listeners for the external and internal OWA Web Publishing Rules. We could create the Web Listeners “on the fly” when creating the Web Publishing Rules, but in order to make the steps more clear, we’ll create the listeners before creating the rules.

Perform the following steps to create the listener used for the external Web listener:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. On the Firewall Policy node, click the Toolbox tab in the Task Pane.
  3. On the Toolbox tab, click the Network Objects link. Click the New menu and then click Web Listener.
  4. On the Welcome to the New Web Listener Wizard page, enter a name for the Listener. In this example we’ll name the listener External OWA Listener in the Web listener name text box and click Next.
  5. On the IP Addresses page, put a checkmark in the External checkbox and click Next. If you have more than one IP address bound to the external interface of the ISA firewall, click the Address button and select the IP address that should receive the incoming requests for the OWA site.
  6. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Put a checkmark in the Enable SSL checkbox. Click the Select button.
  7. In the Select Certificate dialog box, select the certificate with the friendly name you assigned to the certificate that will be used for the external listener. In this example, we’ll select the certificate assigned the friendly name External Web Listener Cert and click OK.


    Figure 4

  8. Click Next on the Port Specification page.


    Figure 5

  9. Click Finish on the Completing the New Web Listener Wizard page.

Perform the following steps to create the internal Web listener:

  1. Click the New menu and then click Web Listener.
  2. On the Welcome to the New Web Listener Wizard page, enter a name for the Listener. In this example we’ll name the listener Internal OWA Listener in the Web listener name text box and click Next.
  3. On the IP Addresses page, put a checkmark in the Internal checkbox and click Next.
  4. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Put a checkmark in the Enable SSL checkbox. Click the Select button.
  5. In the Select Certificate dialog box, select the certificate with the friendly name you assigned to the certificate that will be used for the external listener. In this example, we’ll select the certificate assigned the friendly name Internal Web Listener Cert and click OK.


    Figure 6

  6. Click Next on the Port Specification page.


    Figure 7

  7. Click Finish on the Completing the New Web Listener Wizard page.

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000774

Create the Web Publishing Rules

Now we will create two Web Publishing Rules: one that will be used by external users to access the OWA site and the second that will be used by corporate network users to access the OWA Web site. We will use the Web Listeners we created earlier, but we will change their configuration a bit. We need to set each of the listeners to use FBA as their authentication method.

Create the Web Publishing Rule for External Users

Perform the following steps to create the Web Publishing Rule for external users:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab in the Task Pane and then click the Publish a Mail Server link.
  3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we’ll name the rule External OWA Access and click Next.
  4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option and click Next.
  5. On the Select Services page, select the Outlook Web Access option. Leave the Enable high bit characters used by non-English character sets option enabled if you need to accept e-mail from non-English character sets. Click Next.
  6. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.
  7. On the Specify the Web Mail Server page, enter the name of the OWA server on the corporate network. This name must match the name on the Web site certificate bound to the OWA Web site on the corporate network. In this example, the common/subject name on the Web site certificate bound to the OWA Web site is owa.msfirewall.org, so we will use this name in the Web mail server name text box.

    Note:
    it is critical that the ISA firewall be able to resolve this name to the actual IP address of the OWA site on the corporate network. In order to do this, you will need to create a HOSTS file entry on the ISA firewall that resolves this name to the OWA site on the corporate network. In this example, the split DNS will not work correctly to allow the ISA firewall to resolve the OWA site’s address, since the split DNS component used by the corporate network clients behind the ISA firewall will be configured to map the OWA site’s address to the internal Web listener. The HOSTS file entry will enable the ISA firewall to resolve the name to the actual Web site, which essentially overrides the split DNS settings. Click Next.


    Figure 8

  8. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. In the Public name text box, enter the name that external users will use to access the OWA site. The name that external users must use to access the OWA Web site must be the same as the common/subject name on the Web site certificate bound to the listener used in this Web Publishing Rule. The common/subject name used on the Web listener that we’ll used in this Web Publishing Rule is owa.msfirewall.org, so we will enter that name into the Public name text box. Click Next.


    Figure 9

  9. On the Select Web Listener page, click the down arrow on the Web listener and select the External OWA Listener entry. Click the Edit button.
  10. On the External OWA Listener Properties dialog box, click the Preferences tab.
  11. On the Preferences tab, click the Authentication button.
  12. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the dialog box informing you that there are no authentication methods configured. Put a checkmark in the OWA Forms-based checkbox. Put a checkmark in the Require all users to authenticate checkbox. Click OK.


    Figure 10

  13. Click OK in the External OWA Listener Properties dialog box.
  14. Click Next on the Select Web Listener page.


    Figure 11

  15. On the User Sets page, click the All Users entry and click Remove. Click the Add button.
  16. In the Add Users dialog box, double click the All Authenticated Users entry and then click Close.
  17. Click Next on the Users Sets page.
  18. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.



Create the Web Publishing Rule for Internal Users

Now perform the following steps to create the Web Publishing Rule used by internal users on the corporate network to access the OWA site:

  1. On the Firewall Policy node, click the Tasks tab in the Task Pane and then click the Publish a Mail Server link.
  2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we’ll name the rule Internal OWA Access and click Next.
  3. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option and click Next.
  4. On the Select Services page, select the Outlook Web Access option. Leave the Enable high bit characters used by non-English character sets option enabled if you need to accept e-mail from non-English character sets. Click Next.
  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.
  6. On the Specify the Web Mail Server page, enter the name of the OWA server on the corporate network. This name must match the name on the Web site certificate bound to the OWA Web site on the corporate network. In this example, the common/subject name on the Web site certificate bound to the OWA Web site is owa.msfirewall.org, so we will use this name in the Web mail server name text box.

    Note:
    it is critical that the ISA firewall be able to resolve this name to the actual IP address of the OWA site on the corporate network. In order to do this, you will need to create a HOSTS file entry on the ISA firewall that resolves this name to the OWA site on the corporate network. In this example, the split DNS will not work correctly to allow the ISA firewall to resolve the OWA site’s address, since the split DNS component used by the corporate network clients behind the ISA firewall will be configured to map the OWA site’s address to the internal Web listener. The HOSTS file entry will enable the ISA firewall to resolve the name to the actual Web site, which essentially overrides the split DNS settings. Click Next.


    Figure 12

  7. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. In the Public name text box, enter the name that internal users on the corporate network will use to access the OWA site. The name that internal corporate network users must use to access the OWA Web site must be the same as the common/subject name on the Web site certificate bound to the listener used in this Web Publishing Rule. The common/subject name used on the Web listener that we’ll used in this Web Publishing Rule is owa.msfirewall.org, so we will enter that name into the Public name text box. Click Next.


    Figure 13

  8. On the Select Web Listener page, click the down arrow on the Web listener and select the Internal OWA Listener entry. Click the Edit button.
  9. On the Internal OWA Listener Properties dialog box, click the Preferences tab.
  10. On the Preferences tab, click the Authentication button.
  11. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the dialog box informing you that there are no authentication methods configured. Put a checkmark in the OWA Forms-based checkbox. Put a checkmark in the Require all users to authenticate checkbox. Click OK.


    Figure 14

  12. Click OK in the Internal OWA Listener Properties dialog box.
  13. Click Next on the Select Web Listener page.


    Figure 15

  14. On the User Sets page, click the All Users entry and click Remove. Click the Add button.
  15. In the Add Users dialog box, double click the All Authenticated Users entry and then click Close.
  16. Click Next on the Users Sets page.
  17. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.



Create the Host (A) Records in Your Split DNS and Configure the HOSTS File Entry on the ISA Firewall

You need to create a split DNS infrastructure in order to create a user-friendly and transparent OWA access solution. The split DNS infrastructure is easy to deploy. The key is to create two zones that are authoritative for the same domain. One of the zones is accessible to Internet hosts and is accessible to external users on the Internet, and the second zone is accessible only to internal network hosts. The external zone resolves names to Internet reachable addresses, and the internal zone resolves names to internal corporate network addresses.

In this example, the external msfirewall.org zone resolves the name owa.msfirewall.org to the IP address on the external interface of the ISA firewall used by the external OWA Web listener. The internal zone for the msfirewall.org domain resolves the name owa.msfirewall.org to the IP address on the internal interface of the ISA firewall used by the internal Web listener.

This is a bit of a departure from our usual split DNS infrastructure. Normally, the internal zone will resolve the name of the OWA Web site to the actual IP address used by the OWA Web site. However, we have to deviate from this typical approach because we want the internal corporate network users to have access to the ISA firewall’s FBA features. In order to accomplish this goal, we need to have the name owa.msfirewall.org resolve to the IP address on the internal interface of the ISA firewall used by the internal Web listener.

What you need to do:

  • Create a Host (A) record on the external zone for the external users to resolve the name of the OWA Web site server. In this example we used owa.msfirewall.org, so we would create an entry in the public DNS to resolve owa.msfirewall.org to the IP address on the external interface of the ISA firewall. If you have a NAT device in front of the ISA firewall, then you would use the address on the external interface of the NAT device that performing reverse NAT to allow access to the OWA Web Publishing Rule Web listener used to accept connections from external users
  • Create a Host (A) record on the internal zone that resolves the name of the OWA Web site server. In this example, the internal, corporate network users need to resolve the name of the OWA Web site to the IP address used for the internal Web listener. This record is created on your internal DNS servers and is used only by internal hosts. External hosts should not have access to this DNS zone.
  • Create a HOSTS file entry on the ISA firewall that resolves the name of the OWA Web site to the actual IP address on the OWA Web site server. We need the ISA firewall to resolve this name to the actual IP address of the OWA Web site server so that the ISA firewall can forward the connections to the actual server. In a typical split DNS environment we could depend on the internal zone to correctly resolve the name to the actual IP address of the OWA Web site, but in this example, we need our internal zone to resolve the name of the OWA Web site to the IP address on the internal interface of the ISA firewall that’s used by the internal Web listener.

I won’t go through the details of how to create a HOSTS file entry or a DNS Host (A) record here, as I’ve done that in a number of articles I’ve already done on OWA Web site publishing. In the example discussed in this article, the internal interface of the ISA firewall has the IP address of 10.0.0.1, so this address will be entered in a Host (A) record on the internal zone for the host name owa.msfirewall.org. The external interface of the ISA firewall has the IP address 192.168.1.70, so the external zone will have a Host (A) record for owa.msfirewall.org mapping to that address. Finally, the actual IP address of the OWA site on the internal corporate network is 10.0.0.2, so a HOSTS file entry is created on the ISA firewall so that it resolves owa.msfirewall.org to 10.0.0.2.

WARNING and ALERT:
You will need to configure the internal Web proxy clients to use Direct Access when connecting to the OWA site. This works the same way as when you configure Direct Access to enable the Web proxy clients to directly connect to the OWA Web site on the internal network. The difference in this case is that Web proxy clients will use Direct Access to connect to the Web listener IP address used to connect to the OWA FBA page on the internal interface of the ISA firewall. Use the Search facility on this site and search for Direct Access for more information on how to implement Direct Access for Web proxy clients.

For more information on creating and configuration a split DNS infrastructure, check out the following articles:

You Need to Create a Split DNS at
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html

Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!
http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

Using a Split DNS to Support Small Business Remote Access Connections
http://www.windowsnetworking.com/articles_tutorials/Split-DNS-Small-Business-Remote-Access-Connections.html

Enterprise Design for DNS
http://www.microsoft.com/technet/itsolutions/wssra/raguide/NetworkServices/ignsbp_2.mspx

Test the Solution

Let’s test the results of our configuration. First, from a client on an external network, go to the https://owa.msfirewall.org/exchange site. You should receive the ISA firewall’s forms-based authentication page. Enter the appropriate credentials and you’ll see your mailbox. The figure below shows the log file entries on the ISA firewall related to the external client’s connections. Notice that the connection is to the IP address on the external interface of the ISA firewall and that the rule enabling the connection is the External OWA Access rule.


Figure 16

Next, go to another client, this time on the corporate network and log into the OWA Web site. The ISA firewall’s log file entries for such a connection appears in the figure below. Note that the connection is to the internal IP address of the ISA firewall and the ISA firewall forwards the connection to the OWA site on the internal network.


Figure 17

Summary

In this article we finished up our two-part series on allowing both internal and external users access to the ISA firewall’s forms-based authentication feature. In part 1 of the series, we focused on the issues and challenges faced when requiring ISA firewall FBA support for both internal and external clients, and then we configured the certificate infrastructure to support the solution. In this, part 2 of the series, we finished up by installing the certificates in the ISA firewall’s machine certificate store and configuring the Web Listeners and Web Publishing Rules to support the solution. We ended this article we a demonstration of how internal and external OWA clients connect to the OWA site.

If you missed part 1 of the article, then check it out at http://isaserver.org/tutorials/Enabling-ISA-Firewall-Forms-based-Authentication-OWA-Connections-Internal-External-Clients-Part1.html

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000774

About The Author

Tom Shinder is a Program Manager at Microsoft and has two decades of networking and security experience. He has written dozens of books, thousands of articles, and spoken at large industry conferences on the topics of IT infrastructure, Cloud computing, and cybersecurity. In his free time, Tom enjoys participating in equine prediction markets.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top