Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000
By Thomas W Shinder M.D.
One of the most compelling reasons to upgrade to Exchange 2003 is the new version of Outlook Web Access (OWA). Previous versions of OWA provided a basic Web-based interface that allowed you to read and send messages, access some parts of your calendar and your contacts, and provide all this via a firewall-friendly HTTP and HTTPS interface. While previous versions of OWA got their job done, they weren’t much fun to work with, and their limitations always made one beg to get back to "big Outlook" (the full Outlook 2000/2002 client).
The Exchange 2003 OWA client is an entirely new beast! Not only does it sport enhanced functionality over its OWA predecessors, it looks almost exactly the same as the full Outlook 2003 client. Some of these new features include:
We’ll go over OWA and the details of its configuration and management in the future. This article is about getting you connected to the OWA Web site via ISA Server 2000 OWA Web Server Publishing. ISA Server 2000 Web Publishing Rules allow you to securely publish the Exchange 2003 OWA site and get your road warriors connected to their Exchange 2003 message store.
- Note: ISA Server 2000 is the firewall of choice when publishing Exchange 2000 and Exchange 2003 services. If you are running, or plan to run, Exchange 2000 or 2003 services and want to make those services available to external network users, then it behooves you to replace any existing firewall setup you currently have in place and use an ISA Server 2000-based firewall offering.
Publishing the Exchange 2003 OWA site is relatively easy using ISA Server 2000 Web Publishing Rules. However, there are a lot of steps involved and it’s important that you understand the reasons why you perform these steps. It will be your understanding of why you perform these procedures that will aid you in troubleshooting problems you experience with OWA setup and configuration.
We will cover the following topics and procedures in this series of articles on Publishing an Exchange 2003 OWA site:
In this, part 1 of the series, we’ll cover the following:
Understanding the Example Network
Exchange 2003 will find itself in a multiplicity of network environments, ranging from the smallest SOHO network to the largest government installations in the world. A good friend of mine who was involved in politics for many years once said to me "all politics are local politics".
If that's true, then perhaps we can generalize the concept and say "all networks are small networks". Of course this isn’t literally true in the physical or technical sense, but if you understand how things work on the simplest of networks, then you’ll have the core understanding required to bring ISA Server 2000 OWA 2003 publishing to larger networks.
Our test network contains just three hosts:
The Windows Server 2003 domain controller on the internal network acts like your typical Small Business Server machine. It runs the following services:
While not all these services are required in this scenario, they are useful for a number of other scenarios in which ISA Server 2000 finds itself, such as in the role of VPN server. Also, if the Windows Server 2003 domain controller is the only server in the domain, it needs to provide these services to internal network clients.
The ISA Server firewall runs no services other than ISA Server 2000. The defaults were selected during Windows Server 2003 installation and ISA Server was installed using the guidelines I provide over at ISAServer.org.
The Windows XP SP1 OWA client on the external network uses the default settings for the Windows XP installation. Windows XP Service Pack 1 (SP1) was installed immediately after installing the base Windows XP operating system.
Step 1: Install Windows Server 2003 Server on the Exchange 2003 Machine
Install Windows Server 2003 on the machine that will run Exchange 2003. In this scenario, the Windows Server 2003 operating system was installed using the defaults except that the machine was assigned a static IP address instead of using the default network setting, which is DHCP. The following networking services were installed in the following order:
IIS Web Service, SMTP Service and NNTP Service
You need the IIS Web service to support the Certificate Server Web enrollment site and OWA. The SMTP and NNTP services support the basic Exchange 2003 installation.
This machine will be the first domain controller in a new domain. DNS is required for Active Directory services. The DNS server was configured with the forward and reverse lookup zones for the domain before Active Directory was installed. The machine was configured to use its own IP address for DNS name resolution and the adapter was configured to dynamically update the DNS. The forward and reverse lookup zones were configured to accept dynamic updates.
DHCP is not required for our OWA scenario. However, it is helpful for assigning TCP/IP addressing information to internal network hosts and VPN clients that connect to the ISA Server firewall.
RADIUS is not required to support our OWA publishing scenario. However, it is of value in authenticating VPN clients and in centralizing RRAS policies if you decide to run multiple ISA Server firewall/VPN servers in the future.
Run dcpromo to make the machine a domain controller. Remember that you need to configure DNS prior to running dcpromo so that the Active Directory Wizard has access to a DNS server to populate with the required SRV and other Active Directory related entries.
A Certificate Server is required to assign a Web site certificate to the OWA site. This certificate will be exported, and then imported into the ISA Server firewall’s machine certificate store. This allows the ISA Server firewall to impersonate the OWA Web site and enables it to create the SSL link with the external OWA client. It also allows the link between the ISA Server firewall’s internal interface and the Web site to be protected by SSL. The CA certificate needs to be placed on all machines participating in the transaction.
Step 2: Install Exchange 2003
Exchange 2003 Server setup is very simple in this scenario. Install the machine using the defaults. You can change the locations of the database files, but there are no special configuration options or settings required. You may want to install the message store on a volume other than the default.
Step 3: Install Windows Server 2003 and ISA Server 2000 on the Firewall Computer
The firewall computer has two network interfaces: one connected to an external, untrusted network and one connected to an internal, trusted network. The trusted network is on the Local Address Table (LAT) and the untrusted network is not on the LAT. The external interface can be connected to a DMZ segment between the firewall and the LAN interface of the upstream router, or to a DSL or cable modem.
- Note: I strongly recommend against using a dial-up interface for OWA publishing. OWA publishing environments require a dedicated IP address to provide the best performance and stability. External interfaces without dedicated IP addresses tend to be hobbyist accounts that do not afford an acceptable level of performance or reliability.
No extra services are installed on the ISA Server firewall. The firewall will not host DNS, WINS, DHCP, RADIUS, Certificate Services, Kazaa, Morpheus, DOOM, Outlook Express, or any other non-firewall related application or service.
The ISA Server firewall is joined to the internal network domain before ISA Server 2000 is installed. While you do not need to join the ISA Server firewall to the domain, it does allow you to take advantage of the ISA Server Feature Pack 1 feature which allows you to delegate basic authentication. Delegation of basic authentication allows the ISA Server firewall to pre-authenticate OWA connections before they are forwarded to the OWA server. This prevents non-authenticated requests from ever getting near the OWA Web site and bolsters your defenses in the process.
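The pre-authentication described above is easy to picture in code. The following is an added example, not ISA Server code: it models a reverse proxy that accepts only the Basic scheme, applies a default domain the way the IIS "Default domain" setting does, checks the credentials against a constructed user store (standing in for the domain the firewall was joined to), and forwards the request only when they are valid. The host name owa.internal.net, the user alice and the password are constructed; the domain internal.net is the one used on the example network.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

DEFAULT_DOMAIN = "internal.net"  # the default user domain on the example network


def _digest(password: str) -> bytes:
    """Hash a password for the constructed store below (not how the domain stores them)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed credential store: domain\user -> password digest. A real ISA Server
# firewall validates against the domain it joined; this dict lets the example run offline.
USER_DB: Dict[str, bytes] = {
    "internal.net\\alice": _digest("constructed-password-1"),
}


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <base64>' header.

    Returns None when the header is missing, uses another scheme (NTLM,
    Negotiate), or is malformed, so only the Basic scheme is ever honoured."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def qualify_user(user: str) -> str:
    """Normalise the user to domain\\user, applying the default domain to bare names."""
    if "\\" in user:
        return user.lower()
    if "@" in user:
        name, _, domain = user.partition("@")
        return f"{domain}\\{name}".lower()
    return f"{DEFAULT_DOMAIN}\\{user}".lower()


def pre_authenticate(headers: Dict[str, str]) -> Tuple[int, str]:
    """Decide whether a request may be forwarded to the OWA server.

    Returns (200, 'forward') only for valid Basic credentials; anything else gets
    (401, 'challenge') and never reaches the published Web site."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, "challenge"
    user, password = creds
    stored = USER_DB.get(qualify_user(user))
    if stored is None or not hmac.compare_digest(stored, _digest(password)):
        return 401, "challenge"
    return 200, "forward"


def build_request(user: Optional[str], password: Optional[str]) -> Dict[str, str]:
    """Construct the headers an OWA client would send (constructed host name)."""
    headers = {"Host": "owa.internal.net"}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return headers


if __name__ == "__main__":
    for who, pw in ((None, None), ("alice", "constructed-password-1"), ("alice", "wrong")):
        print(who, pre_authenticate(build_request(who, pw)))
```

Because the decision is made on the firewall, an anonymous or badly formed request is answered with a 401 there; the OWA folders only ever see requests that already carry valid credentials, which is the whole point of delegating Basic authentication.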
ISA Server 2000 should be installed on the Windows Server 2003 machine using the procedures outlined in Installing ISA Server 2000 on Windows Server 2003.
Step 4: Configure Authentication on the OWA Folders
The OWA client needs to connect to three directories at the OWA site for almost all activities. These folders are:
Although it is not an absolute requirement, you will run into many fewer troubles of "unknown origin" if you allow only basic authentication on these directories. This prevents the Web browser and/or ISA Server firewall from negotiating authentication protocols with the OWA site. It’s the process of negotiating authentication protocols that gets you into trouble when using OWA. You don’t have to worry about basic credentials being sent in clear text because the SSL channel is negotiated before any credentials are sent.
Perform the following steps on the Exchange 2003 computer to force Basic authentication on the OWA folders:
- Click Start, point to Administrative Tools and click on Internet Information Services.
- In the Internet Information Services (IIS) Manager console, expand the server name and then expand the Web sites node. Expand the Default Web Site node in the left pane of the console. Click on the Exchange node and then right click on it. Click the Properties command.
- Click on the Directory Security tab and click on the Edit button in the Authentication and access control frame.
- In the Authentication Methods dialog box, remove the checkmark from the Enable anonymous access checkbox. Remove the checkmarks from all the checkboxes except for the Basic authentication (password is sent in clear text) checkbox. Type in the name of the default user domain in the Default domain text box. The name of the user domain on our example network is internal.net. You can use the Select button and select the default domain from a list. Click OK.
- Click Apply and then click OK in the Exchange Properties dialog box.
- Repeat the procedure with the Exchweb and Public folders. You want to make sure that only Basic authentication is enabled on the Exchange, Exchweb and Public folders.
- Right click on the server name in the left pane of the console, point to All Tasks and click on Restart IIS.
- In the Stop/Start/Restart dialog box, select the Restart Internet Services on the ServerName option in the What do you want IIS to do drop down list box.
- A progress bar appears showing you the services stopping and restarting.
At this point the OWA directories will only negotiate basic authentication.
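A practitioner will want to confirm that state rather than trust the dialog boxes. The following is an added example, not part of the original article: it inspects the WWW-Authenticate headers of an unauthenticated request to each of the three folders (Exchange, Exchweb and Public), reports any scheme other than Basic that the folder still offers, and flags the case where Basic credentials would be sent over plain HTTP rather than SSL. The sample responses are constructed to show a correctly configured folder and one where Integrated Windows authentication is still enabled; the host name owa.internal.net is assumed. `probe_folder` performs the live request and is only needed against a real server.

```python
import http.client
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Headers = List[Tuple[str, str]]

# The three folders the OWA client needs, from the article.
OWA_FOLDERS = ("Exchange", "Exchweb", "Public")

# Constructed 401 responses. IIS sends one WWW-Authenticate header per scheme;
# a folder with Integrated Windows authentication enabled offers Negotiate and NTLM.
RESPONSE_BASIC_ONLY: Headers = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", 'Basic realm="owa.internal.net"'),
]
RESPONSE_INTEGRATED_STILL_ON: Headers = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="owa.internal.net"'),
]


def parse_www_authenticate(headers: Headers) -> List[str]:
    """Return the authentication schemes offered, in the order the server sent them."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # The scheme is the first token; parameters such as realm="..." follow it.
        scheme = value.strip().split(" ", 1)[0].split(",", 1)[0].strip()
        if scheme:
            schemes.append(scheme)
    return schemes


def check_folder_auth(status: int, headers: Headers, url: str) -> List[str]:
    """Return findings for one folder; an empty list means it matches the expected state."""
    findings = []
    if status != 401:
        # Anonymous access still enabled, a redirect, or the folder is missing.
        findings.append(f"expected a 401 challenge, got {status}")
        return findings
    schemes = parse_www_authenticate(headers)
    extra = [s for s in schemes if s.lower() != "basic"]
    if extra:
        findings.append("negotiable schemes still offered: " + ", ".join(extra))
    if not any(s.lower() == "basic" for s in schemes):
        findings.append("Basic authentication not offered")
    if urlsplit(url).scheme.lower() != "https":
        findings.append("Basic credentials would travel over plain HTTP")
    return findings


def probe_folder(base_url: str, folder: str, cafile: Optional[str] = None) -> Tuple[int, Headers]:
    """Send an unauthenticated GET to /<folder>/ and return (status, headers).

    cafile is the exported CA certificate so the SSL link is verified. Live helper;
    the offline audit below never calls it."""
    parts = urlsplit(base_url)
    if parts.scheme == "https":
        ctx = ssl.create_default_context(cafile=cafile)
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80)
    conn.request("GET", f"/{folder}/", headers={"Host": parts.hostname})
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return resp.status, headers


def audit(base_url: str, responses: Dict[str, Tuple[int, Headers]]) -> Dict[str, List[str]]:
    """Run check_folder_auth over every OWA folder; responses maps folder -> (status, headers)."""
    return {
        folder: check_folder_auth(*responses[folder], f"{base_url.rstrip('/')}/{folder}/")
        for folder in OWA_FOLDERS
    }


if __name__ == "__main__":
    sample = {
        "Exchange": (401, RESPONSE_BASIC_ONLY),
        "Exchweb": (401, RESPONSE_INTEGRATED_STILL_ON),
        "Public": (200, []),
    }
    for folder, findings in audit("https://owa.internal.net", sample).items():
        print(folder, findings or "OK")
```

Against a live server you would build the `responses` dict from `probe_folder(base_url, folder, cafile)` for each folder; the check is the same either way.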
In this first part of our multipart article on how to publish the Exchange 2003 OWA site, we went over the advantages of using the Exchange 2003 OWA site over previous versions. We also discussed the overall procedures required to make the OWA publishing rules work and some of the high level details of the example network setup. In the second part of this series we’ll move on to the next step: requesting a certificate for the OWA site and then exporting the OWA site certificate with its private key to a file. We’ll then take the file to the ISA Server firewall and import it into the machine’s certificate store. See you then!
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=009703 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom