Secure Exchange 2000 IMAP4 Service Publishing with ISA Server 2000
Part 1: Securing Publishing of the IMAP4 Service
By Thomas W Shinder M.D.
Microsoft Exchange is the ideal mail server for both large and small businesses. While the advantages of Microsoft Exchange for large businesses are evidenced by the voluminous information you can find in bookstores and on the Internet on configuring Exchange 2000 for 100,000 seats, Exchange 2000 also provides a ton of features that make it the best solution for small and medium sized businesses.
One of those valuable services is the Exchange 2000 IMAP4 service. IMAP4 stands for Internet Message Access Protocol version 4 and is described in RFC 2060. The IMAP4 protocol supports a number of operations that are critical to managing user mailboxes. These operations include: creating, naming and renaming mail folders, downloading message headers and message contents, deleting messages, setting message flags (such as read and unread), message searching and a lot more. Check out the RFC for details.
The big advantage of IMAP4 over POP3 is that the messages stay on the Exchange 2000 Server and only the headers are downloaded (by default). Downloading only the headers allows you to see the sender and the subject line information without incurring the bandwidth overhead of downloading the entire message. If you want to read the message, you just click on it and the email body is downloaded without deleting the message from the server. This allows someone on the road to use Outlook Express to access mail using a slow dial-up connection and still be able to access the same messages from their Outlook 2000/2002 clients when they get back to the office.
Secure IMAP4 publishing is important because you don’t want to expose your remote users’ email to intruders who might run packet sniffers on remote networks. For example, you might check into a Hotel room that has high speed Internet access. If you access your IMAP4 account in a non-secure fashion, your credentials and mail content travel as unencrypted clear text that anyone on that network can read. Secure IMAP4 access protects the mail contents and the credentials with SSL.
An interesting thing about IMAP4 is it doesn’t include a mechanism for sending mail. You need another protocol for sending messages. IMAP4 clients use SMTP to send mail. Your remote IMAP4 clients can use their own SMTP server or you can create a SMTP server for your clients. If the remote client is connecting to his own ISP, he should use his ISP’s SMTP server. However, if the remote client is connecting from a Hotel or other facility that doesn’t require an ISP log on, then you’ll need to make an SMTP Server available for these users. Some ISPs are now allowing secure SMTP access so that remote users can log onto their own SMTP servers and send mail to them. Check out this option before creating your own SMTP server.
In this two part article I’ll cover the principles and procedures of secure IMAP4 and SMTP publishing. In this article we’ll focus on secure IMAP4 service publishing. This includes installing the certificate server and assigning a certificate to the IMAP4 site. In the second part of this article we’ll go over the SMTP relay configuration, where the ISA Server itself acts as a secure SMTP relay that allows authenticated relay services to your internal Exchange Server.
Today we’ll go over the following subjects:
- Install and Configure the Windows 2000 Servers
- Install and Configure the Exchange Server
- Install and Configure the Certificate Server
- Install and Configure the ISA Server
Let’s get started!
Install and Configure the Windows 2000 Servers
You’ll need two Windows 2000 Servers to support the scenario in this article. One of the servers is used as the ISA Server, and the other is the Exchange Server. The figure below gives you a high-level overview of the network layout.
The ISA Server has an internal and external network interface and no extraneous services are running on the machine (other than the IIS 5.0 SMTP Service with socket pooling disabled). The machine is a member of the internal network domain so that it can leverage the user accounts database in the Active Directory to control inbound and outbound access.
The Exchange Server machine is also a domain controller. While I realize this is a less than optimal configuration, the purchase of two copies of Windows 2000, one copy of Exchange 2000 and one copy of ISA Server can be seen as prohibitive for many fledgling businesses. You’ll have to give your users the Log on locally right on the domain controller in order for them to connect to it. This isn’t required if the Exchange Server is located on a member server instead of a DC. However, the Log on locally right doesn’t confer administrative privileges, so things could be worse.
The remote, external network client is running a plain version of Windows 2000 Professional and uses Outlook Express as its IMAP4/SMTP client. We’ll assume that the client is connected to a Hotel network, so that client doesn’t log onto an ISP. Because the client doesn’t log onto an ISP, you’ll have to make an SMTP server available to these clients so that they can send mail.
Install and Configure the Exchange Server
This is a very simple deployment, so there are no complex decisions to make when installing the Exchange Server. The machine on which the Exchange 2000 Server is installed has already been configured as a domain controller. Since the machine is already configured as a domain controller, and the Exchange 2000 Server is being installed on a domain controller, the Active Directory objects required by Exchange 2000 will be automatically configured. In the current scenario we use the default selections during the setup routine. Make sure that you install Exchange 2000 Server Service Pack 3 just as soon as the initial installation is complete.
Now you can configure the IMAP4 service and request a SSL certificate:
- Open the Exchange System Manager.
- Expand your organization name and then expand the Servers node. Expand your server name and then expand the Protocols node.
- Expand the IMAP4 node, right click on the Default IMAP4 Virtual Server node and click the Properties command.
- On the General tab, click the down-arrow for the IP address drop-down list box, select an individual IP address. Click on the Access tab.
- On the Access tab, click the Authentication button in the Access control frame. In the Authentication dialog box, remove the checkmark from the Integrated Windows Authentication checkbox. This improves performance and won’t negatively affect security because you’re protecting the credentials with SSL. Keep in mind that the remaining Basic authentication sends the password to the server in the clear inside the session, so it is only safe once you require a secure channel on this virtual server (we do that later in this article). Click OK in the Authentication dialog box. Click Apply.
- Now we need to get a certificate. The certificate is required to create the SSL link between the IMAP4 client and the Exchange 2000 IMAP4 server. Click the Certificate button in the Secure communication frame.
- Read the info on the Welcome to the Web Certificate Wizard page and click Next.
- Select the Create a new certificate option on the Server Certificate page. Click Next.
- We are going to use a stand-alone certificate server in this scenario. There are advantages and disadvantages to using a stand-alone certificate server versus an enterprise Active Directory integrated certificate server. I go through those details in ISA Server and Beyond. Since we’re going to use a stand-alone certificate server, the only option we have on the Delayed or Immediate Request page is the Prepare the request now, but send it later option (the immediate option is only available when an enterprise CA is registered in Active Directory). Click Next.
- On the Name and Security Settings page, you can use the default name for the certificate as it indicates the purpose of the certificate pretty well. The bit length is up to you, but in general, a bit length of 1024 won’t cause problems with the clients of this era. If your CA and clients support it, choose 2048: 1024-bit RSA keys are no longer considered adequate, and current clients reject them. Click Next.
- On the Organization page, type in your organization name and the name of your organizational unit. Click Next.
- On the Your Site’s Common Name page, type in a name for your site. Make sure this is the same name external users use to access the site. In our example, the user will configure Outlook Express to use imap.internal.net to access the site. Therefore, the Common name on the certificate needs to be imap.internal.net. Type in the common name and click Next.
- On the Geographical Information page, select your Country/Region, type in your State/province and type in your City/locality. Click Next.
- A path to your certificate request is automatically included on the Certificate Request File Name page. The default file name is certreq.txt and the path is the root of the C: drive. That’s a good place for it. Click Next.
- Review the information on the Request File Summary page and click Next.
- Click Finish on the Completing the Web Server Certificate Wizard page. That finishes up the Wizard and places the certificate request on the hard disk.
- Click OK on the Default IMAP4 Virtual Server Properties dialog box.
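The request the wizard wrote to C:\certreq.txt is what you paste into the CA’s Web enrollment page in the next section, and the CA will sign whatever is in it. Before you do that, confirm that the request carries the common name users will type (imap.internal.net in our example) and the key length you chose. The following is an added example, not code from the original article: a stdlib-only Python check that reads the base64 PKCS #10 file, walks its DER encoding just far enough to pull out the subject CN and the RSA modulus size, and reports a mismatch. It does not verify the request’s signature (openssl req -verify does that). The sample request it builds so it can run offline is constructed and unsigned, not a real wizard output; the hostname imap.internal.net and the organization name are assumptions taken from the article’s scenario.

```python
"""Check certreq.txt (the PKCS#10 request the IIS/Exchange certificate wizard
wrote) before pasting it into the CA's Web enrollment page.  Stdlib only."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)-----END (NEW )?CERTIFICATE REQUEST-----",
    re.S)
OID_CN = b"\x55\x04\x03"        # 2.5.4.3 commonName
OID_O = b"\x55\x04\x0a"         # 2.5.4.10 organizationName
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"  # 1.2.840.113549.1.1.5 sha1WithRSA


def _tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val


def parse_csr(pem_text):
    """Return {'cn': str, 'key_bits': int} from a base64 PKCS#10 request.
    The signature is not verified here; 'openssl req -verify' does that."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST lines missing: copy both of them")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a PKCS#10 request")
    cri = next(_children(body))[1]                  # CertificationRequestInfo
    fields = list(_children(cri))                   # version, subject, subjectPKInfo, attributes
    subject, spki = fields[1][1], fields[2][1]
    cn = None
    for _, rdn_set in _children(subject):           # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _children(rdn_set):
            (_, oid), (vtag, val) = list(_children(atv))
            if oid == OID_CN:                       # BMPString (0x1E) vs PrintableString/UTF8String
                cn = val.decode("utf-16-be" if vtag == 0x1E else "utf-8")
    _, bitstr = list(_children(spki))[1]            # BIT STRING: unused-bits byte, then RSAPublicKey
    _, rsa_key, _ = _tlv(bitstr, 1)
    _, modulus = next(_children(rsa_key))           # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    return {"cn": cn, "key_bits": int.from_bytes(modulus, "big").bit_length()}


def check_csr(pem_text, expected_cn, min_bits=1024):
    """Return (info, problems); problems is empty when the request is what we meant to submit."""
    info = parse_csr(pem_text)
    problems = []
    if (info["cn"] or "").lower() != expected_cn.lower():
        problems.append(f"CN is {info['cn']!r} but clients will connect to {expected_cn!r}")
    if info["key_bits"] < min_bits:
        problems.append(f"RSA key is only {info['key_bits']} bits (wanted >= {min_bits})")
    return info, problems


# --- constructed sample input (NOT a real wizard output; it carries no signature) ------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _atv(oid, text):
    """SET { SEQUENCE { OID, PrintableString } }: one relative distinguished name."""
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, text.encode())))


def build_sample_csr(cn, key_bits=1024):
    """Build a syntactically valid but unsigned PKCS#10 so the checker can run offline."""
    modulus = (1 << (key_bits - 1)) | 1                               # odd value, top bit set
    mod_der = _der(0x02, b"\x00" + modulus.to_bytes(key_bits // 8, "big"))   # leading 0 keeps INTEGER positive
    rsa_key = _der(0x30, mod_der + _der(0x02, b"\x01\x00\x01"))
    alg_rsa = _der(0x30, _der(0x06, OID_RSA) + b"\x05\x00")
    spki = _der(0x30, alg_rsa + _der(0x03, b"\x00" + rsa_key))
    subject = _der(0x30, _atv(OID_O, "Internal") + _atv(OID_CN, cn))  # assumed organization name
    cri = _der(0x30, _der(0x02, b"\x00") + subject + spki + _der(0xA0, b""))
    sig_alg = _der(0x30, _der(0x06, OID_SHA1RSA) + b"\x05\x00")
    csr = _der(0x30, cri + sig_alg + _der(0x03, b"\x00" * 17))        # placeholder signature
    b64 = base64.encodebytes(csr).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}-----END NEW CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_csr("imap.internal.net")
    info, problems = check_csr(text, "imap.internal.net", min_bits=1024)
    print(info, *problems, sep="\n")
```

Run it as python checkcsr.py C:\certreq.txt; with no argument it checks its own constructed sample. A CN that differs from the name in the client’s account settings is the usual reason Outlook Express later complains about the certificate, and it is far cheaper to catch it here than after the CA has issued the certificate.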
Install and Configure the Certificate Server
You have several options when it comes to obtaining certificates. By far the most simple and cost effective solution is to use the Microsoft Certificate Server that comes with Windows 2000. The Certificate Server can be installed as either a stand-alone or an enterprise certificate server. There are advantages and disadvantages to each method and those are discussed in ISA Server and Beyond.
We will install and configure a stand-alone certificate server in this example. The reason I chose the stand-alone certificate server is that it forces me to show you how to use a certificate request file to request a certificate. This is a little more complicated than using an enterprise Certificate Authority (where you can use a simple MMC based Wizard to obtain a certificate), but it’s good practice to see how to work with certificate request files.
Perform the following steps to install and configure the Certificate Server:
- Open the Control Panel and open the Add/Remove Programs applet. Click the Add/Remove Windows Components button.
- On the Windows Components page, put a checkmark in the Certificate Services checkbox. Click Yes in the dialog box warning you that computer cannot be renamed after installing the certificate server. Click Next.
- Select Stand-alone root CA on the Certification Authority Type page. Click Next.
- Enter your information on the CA Identifying Information page. This enters the information into the self-signed certificate used by this stand-alone root CA. Click Next.
- You can select the defaults or change the location as you need, on the Data Storage Location page. Click Next. Click OK to allow the installation routine to stop IIS services during the installation. They will be restarted automatically.
- Click Finish on the Completing the Windows Components Wizard page.
- From the Administrative Tools menu, open the Certification Authority console.
- Right click your server name in the left pane of the Certificate Authority console and click the Properties command.
- In the Properties dialog box, click on the Policy Module tab. On the Policy Module tab, click on the Configure button. In the Properties dialog box, select the Always issue the certificate option. This allows the user to immediately obtain a certificate. Otherwise, you would have to approve each certificate request manually. Be aware of what this setting means: anyone who can reach the Web enrollment pages on this server can now obtain a certificate signed by your root CA without review, so this CA must only be reachable from the internal network, and you should switch back to manual approval once the certificates you need have been issued. Click OK in the Properties dialog box and click OK to confirm that you know you need to restart the Certificate Services in order for the changes to take place. Click OK again in the certificate server Properties dialog box.
- Click the Stop this Service button in the Certification Authority button bar. After the service is stopped, click the Start this Service button in the button bar. Close the Certification Authority console.
We now have a certificate request and a stand-alone CA. We’ll use the Web browser to bring these two things together:
- Open Internet Explorer, type in the URL http://<IP address>/certsrv and press ENTER. Replace <IP address> with the IP address of the domain controller/certificate server/Exchange 2000 Server.
- On the Welcome page of the Web enrollment interface, select the Request a certificate option. Click Next.
- On the Choose Request Type page, select the Advanced request option and click Next.
- On the Advanced Certificate Requests page, select the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file option and click Next.
- On the Submit A Saved Request page, click the Browse link where it says Browse for a file to insert. Click OK in the Internet Explorer dialog box saying that the local server is not one of your trusted sites, and that you’ll have to add the local server to your list of trusted sites if you want to use the Browse link. No one said there wasn’t an inverse relationship between security and functionality! Instead of playing around with Internet Explorer security settings, just open the certreq.txt file in Notepad. Then copy the contents of the file as shown in the figure below. Include the entire first and last line of the file (the BEGIN and END lines), otherwise the CA will reject the request.
- Paste the certificate request information into the Web interface. Click the Submit button.
- On the Certificate Issued page, click the Download CA certificate link. In the File Download dialog box, click the Open button to open the certificate. In the Certificate dialog box, click the Install Certificate button.
- Click Next in the Welcome to the Certificate Import Wizard page.
- On the Certificate Store page, use the Automatically select the certificate store based on the type of certificate option and click Next. Click Finish on the Completing the Certificate Import Wizard page. Click OK in the dialog box informing you that the import was successful.
- Close the Web Browser.
Now we can bind this certificate to the IMAP4 service:
- In the Exchange System Manager, right click on the Default IMAP4 Virtual Server node in the left pane of the console and click Properties.
- In the Default IMAP4 Virtual Server Properties dialog box, click on the Access tab. On the Access tab, click on the Certificate button in the Secure communication frame.
- Click Next on the Welcome to the Web Server Certificate Wizard page.
- On the Server Certificate page, select the Assign an existing certificate option. Click Next.
- On the Available Certificates page, select the certificate you obtained for your IMAP4 server. In this example, our IMAP4 certificate was issued to imap.internal.net. Select the certificate and click Next.
- Review the information on the Certificate Summary page and click Next.
- Click Finish on the Completing the Web Server Certificate Wizard page. This takes you back to the Default IMAP4 Virtual Server Properties dialog box. Don’t close the dialog box yet, as we need to use it for the next procedure.
The IMAP4 server is now capable of securing all IMAP communications with IMAP clients using SSL. Note that the certificate was issued by your own stand-alone root CA, which the remote client does not trust out of the box: the CA’s root certificate must also be installed on the remote Outlook Express machine, or the client will warn about the certificate on every connection, and users who learn to click through that warning will click through a forged certificate just as readily. However, the server is still able to use IMAP4 in non-secure mode. Let’s fix that by forcing all IMAP4 communications to use SSL.
- In the Default IMAP4 Virtual Server Properties dialog box, click the Communication button in the Secure communication frame.
- In the Security dialog box, put a checkmark in the Require secure channel checkbox. If your server and all your client operating systems support 128-bit encryption, put a checkmark in the Require 128-bit encryption checkbox. Click OK.
- Click Apply and then click OK in the Default IMAP4 Virtual Server Properties dialog box.
- Stop and restart the IMAP4 service by clicking on the Default IMAP4 Virtual Server node in the left pane of the console and then clicking on the Stop service and Start service button in the console.
Install and Configure the ISA Server
The ISA Server installation is pretty basic. There are no special requirements other than that you install in firewall or integrated mode. I prefer to install in integrated mode and then install all components. If you find you don’t need to use some of the components, such as the H.323 service, you can remove it later. We’ll be using the ISA Server to create SMTP and IMAP4 Server Publishing Rules.
Perform the following steps to install the ISA Server:
- Run the ISAAutorun.exe file on the ISA Server CD. Click the Install ISA Server link on the splash page.
- Click Continue on the Welcome page.
- Enter your CD Key on the CD Key page. Click OK. Click OK on the Product ID page.
- Click the I Agree button on the EULA page.
- Click the Full Installation button on the installation type page. You can always remove the components you don’t want later.
- In this example we are not working with an array, so we’ll select the Yes button on the array warning dialog box.
- On the mode page, select the Integrated mode option and click Continue.
- Click OK on the dialog box warning you that it must stop the W3SVC. Note that when you restart the computer, the W3SVC will restart.
- On the cache settings page, type in a size for your Web cache and click Set. Click OK.
- On the LAT page, click on the Construct Table button. Remove the checkmark from the Add the following private ranges checkbox. Put a checkmark in the checkbox that matches your internal interface. Click OK. Click OK on the dialog box informing you of how the LAT was configured. Click OK.
- Click OK in the Launch ISA Management Tools dialog box. Click OK on the dialog box that says everything worked out OK.
- Install ISA Server Service Pack 1 immediately. After Service Pack 1 is installed, I recommend that you install Feature Pack 1, although it’s not required. Note that in this scenario I have installed the Feature Pack because we’ll need AUTH support for SMTP server publishing later.
- Disable all IIS Services on the ISA Server except for the SMTP service. You can do this in the Internet Information Services console, or in the Services applet found in the Control Panel. I prefer to use the Control Panel applet because I can set the startup type of Manual. The services sometimes spring back to life after restarting the server when you stop the services in the IIS console.
Now create the IMAP4 Server Publishing Rule:
- Open the ISA Management console, expand your server name and then expand the Publishing node. Right click on the Server Publishing Rules node, point to New and click Rule.
- In the Welcome to the New Server Publishing Rule Wizard page, type in a name for the rule and click Next.
- On the Address Mapping page, type in the IP address of the Exchange 2000 Server on the internal network and the IP address on the external interface of the ISA Server that will accept the incoming IMAP4 connections. Enter that information and click Next.
- Select the IMAPS Server protocol on the Protocol Settings page. This is a pre-built protocol and you don’t need to create it in advance. This will allow the ISA Server to accept incoming connections to TCP 993 and forward them to the Exchange 2000 server on the internal network. A Server Publishing Rule passes the TCP connection through without terminating SSL, which is why the certificate lives on the Exchange Server and not on the ISA Server, and also why the ISA Server cannot inspect the contents of these connections. Click Next.
- Select the Any request option on the Client Type page. You want to select this option because it’s unlikely that you’ll know the IP addresses of your remote callers. Click Next.
- Review your settings and click Finish on the Complete the New Server Publishing Rule Wizard page.
The Server Publishing Rule will work right away; you don’t need to restart the ISA Server machine or even restart the ISA Server services.
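Once the rule is in place, test it from the outside the way a remote client will use it, rather than trusting that the wizard did what you meant. The following is an added example, not code from the original article: a stdlib-only Python probe that connects to the published address on TCP 993, checks that the certificate chains to your own root CA, is not expired and names the host users type, reads the IMAP greeting and the negotiated cipher strength (the Require 128-bit encryption setting from the previous section), and confirms that plain IMAP on TCP 143 is not reachable through the ISA Server. HOST and CA_FILE are assumptions: imap.internal.net is the article’s example name, and the CA file is the stand-alone root CA’s certificate exported in base64 form.

```python
"""Probe a published IMAPS server from the outside the way a remote client would.
Stdlib only.  HOST and CA_FILE are assumptions for this article's scenario."""
import socket
import ssl
import time

HOST = "imap.internal.net"          # name users enter in Outlook Express (assumed)
CA_FILE = "internal-root-ca.cer"    # stand-alone root CA certificate, base64 export (assumed)


def cert_matches(cert, hostname):
    """True if hostname is covered by a cert dict as returned by SSLSocket.getpeercert().
    SAN dNSName entries take precedence; the subject CN is consulted only when there is
    no SAN, which is how Windows 2000 era clients behaved (modern clients ignore the CN)."""
    hostname = hostname.lower()
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname and name[1:] == hostname[hostname.index("."):]:
            return True                 # a wildcard covers exactly one leftmost label
    return False


def cert_expired(cert, now=None):
    """True if notAfter (OpenSSL text form, e.g. 'Jan  5 09:30:00 2004 GMT') is in the past."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now


def parse_greeting(line):
    """Split an untagged IMAP greeting into (status, text); status must be OK, PREAUTH or BYE."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or parts[0] != "*" or parts[1] not in ("OK", "PREAUTH", "BYE"):
        raise ValueError(f"not an IMAP greeting: {line!r}")
    return parts[1], (parts[2] if len(parts) == 3 else "")


def probe_imaps(host=HOST, port=993, cafile=CA_FILE, timeout=10):
    """Connect through the publishing rule and report what a client would see."""
    ctx = ssl.create_default_context(cafile=cafile)      # trust only our own root CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version, cipher = tls.version(), tls.cipher()   # cipher = (name, protocol, bits)
            status, text = parse_greeting(tls.recv(1024).decode("ascii", "replace"))
    return {"tls": version, "cipher_bits": cipher[2], "name_ok": cert_matches(cert, host),
            "expired": cert_expired(cert), "greeting": status, "banner": text}


def plain_imap_closed(host=HOST, port=143, timeout=5):
    """True when nothing answers on TCP 143: only 993 should be published."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False            # something answered; plain IMAP is exposed
    except OSError:                 # refused or timed out at the firewall
        return True


if __name__ == "__main__":
    print(probe_imaps())
    print("plain IMAP (143) unreachable:", plain_imap_closed())
```

Run it from a machine on the external network. A server of this vintage only speaks SSL 3.0 and TLS 1.0, which current OpenSSL builds refuse by default, so against a real Exchange 2000 box you may have to lower ctx.minimum_version (and, on some builds, the security level) before the handshake succeeds; the probe reporting that failure is itself useful information about which clients will be able to connect. The name check falls back to the subject CN only because the certificate produced by the Windows 2000 wizard has no subjectAltName; if you ever reissue it, put the hostname in a SAN as well, since modern clients no longer look at the CN.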
In part 1 of this two part article on publishing secure IMAP4 sites, we went over how to configure the IMAP4 virtual server, how to have the IMAP4 server request a SSL certificate and how to bind the certificate to the IMAP4 service. We then went over the basic ISA Server installation and configured a secure IMAP4 Server Publishing Rule that would pass incoming requests for TCP 993 to the internal IMAP4 server.
In the second part of this article we’ll go over how to configure the ISA Server to be a secure SMTP relay and how to configure the Outlook client. See you then!