Configuring ISA Server 2000 to Support Outlook 2003 RPC over HTTP
Part 3: Binding the Web Site Certificate and
Creating the RPC over HTTP Publishing Rule
By Thomas W Shinder M.D.
Part 1 of this series can be found at:
Part 2 of this series can be found at:
In the first part of this series on configuring ISA Server 2000 firewalls to support Outlook RPC over HTTP client connections we went over how to configure some of the core network infrastructure components to support the RPC over HTTP publishing solution. We also discussed how to install the RPC over HTTP proxy service on the front-end Exchange Server and how to issue a Web site certificate to the RPC over HTTP Web server.
In part 2 we started with how to force SSL on the RPC over HTTP proxy directory. Then we configured the Registry entries on the front-end Exchange Server that are required to identify the back-end Exchange Servers and Global Catalog servers on the internal network. Finally, we went through the step by step procedures required to enforce IPSec transport mode security for all communications between the front-end and back-end Exchange Servers.
In this, part 3 of the series, we will cover the following procedures:
Install Windows Server 2003 on the firewall computer
Install ISA Server 2000 on the firewall computer
Import the Web site certificate into the ISA Server 2000 firewall’s machine certificate store
Create the Web or Server Publishing Rule
Install Windows Server 2003 on the Firewall Computer
The computer that will become the ISA Server 2000 firewall must meet the following minimum requirements:
The ISA Server firewall and Web caching components work very well on modest hardware. This is true even when the SMTP filter is enabled and protecting the published SMTP servers. However, if you decide to run the SMTP Message Screener on the firewall, use SSL to protect a Web Published Web site, or use the ISA Server firewall as a VPN server, you need to go beyond the minimum requirements to support the extra encryption work.
Make sure that you disable services that are not required. For more information on securing the ISA Server 2000 firewall computer, please see the following articles:
Install ISA Server 2000 on the Firewall Computer
Install ISA Server 2000 after installing Windows Server 2003 on the firewall computer. Installing the firewall software on a Windows Server 2003 computer requires some specific procedures beyond the standard ISA Server 2000 installation on a Windows 2000 machine. The document Installing ISA Server 2000 on Windows Server 2003 has all the information you need to install ISA Server 2000 on a Windows Server 2003 computer.
Import the Web Site Certificate into the ISA Server Firewall’s Machine Certificate Store
Now that the ISA Server firewall software is installed, you’re ready to copy the Web site certificate file from the front-end Exchange server to the ISA Server firewall. This certificate is imported into the ISA firewall’s machine certificate store and then it is bound to the Incoming Web Requests listener.
Perform the following steps to import the OWA server’s Web site certificate into the ISA Server’s machine certificate store:
- Click Start and click on the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command.
- Click the Add button in the Add/Remove Snap-in dialog box.
- Click on the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box. Click Add.
- Select the Computer account option on the Certificates snap-in page. Click Next.
- On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish.
- Click Close on the Add Standalone Snap-in page.
- Click OK on the Add/Remove Snap-in dialog box.
- Right click on the Personal node in the left pane of the console, point to All Tasks and click Import.
- Click Next on the Welcome to the Certificate Import Wizard.
- Click the Browse button and locate the certificate file. Click Next after the file path and name appear in the File name text box.
- On the Password page, type in the password for the file. Do not put a checkmark in the Mark this key as exportable. This will allow you to back up or transport your keys at a later time checkbox. This machine is a bastion host with an interface in a DMZ or on the Internet and may be compromised; an attacker who gains control of it can export and steal the private key if the key was imported as exportable.
- Click Next.
- On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that Personal appears in the Certificate store box. Click Next.
- Review the settings on the Completing the Certificate Import page and click Finish.
- Click OK on the Certificate Import Wizard dialog box informing you the import was successful.
You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN that is assigned to the Web site. This is the name external users will use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it.
Double click on the Web site certificate in the right pane of the console.
- Click on the Certification Path tab on the Certificate dialog box. You may notice a red "x" on the CA certificate node. This indicates that this machine does not trust the CA that issued the Web site certificate. In order to use this certificate to perform SSL to SSL bridging, this machine must trust the CA that issued the Web site certificate.
- Close the Certificate dialog box.
If you do not see a red "x" then you do not need to carry out the following steps. The absence of the red "x" indicates that you already have the Root CA certificate in your Trusted Root Certification Authorities certificate store.
- Right click on the CA certificate in the right pane of the console and click the Copy command.
- Expand the Trusted Root Certification Authorities node and click the Certificates node. Right click on the Certificates node and click the Paste command. This pastes the CA certificate into the Trusted Root Certificate Authorities\Certificates store and allows this machine to trust certificates issued by this CA.
- Press F5 to refresh the display. You should see the certificate appear in the right pane of the console. If you do not see the CA certificate in the right pane of the console, repeat the procedure.
- Return to the Personal\Certificates node in the left pane of the console and double click on the Web site certificate. In the Web site certificate’s Certificate dialog box, click on the Certification Path tab. Notice that the red "x" no longer appears on the CA certificate. Click OK on the Certificate dialog box.
- Close the mmc console. You may want to save this console with the name Certificates and store it in the Administrative Tools menu.
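The same import and trust check can be scripted on the firewall. The following PowerShell is an added example and is not code from the original article: it imports the PFX into the machine's Personal store without the Exportable flag, walks the certification path the way the "red x" check does, and copies a self-signed issuer from the PFX into Trusted Root Certification Authorities only when the chain ends in UntrustedRoot. The file path, PFX password and FQDN are assumptions for illustration; run it as an administrator on the ISA Server computer.

```powershell
# Added example (not from the original article): scripted equivalent of the certificate
# import and certification-path check performed in the MMC above.
param(
    [string]$PfxPath = 'C:\certs\owa.internal.net.pfx',   # assumed: file copied from the front-end Exchange server
    [string]$PfxPass = 'P@ssw0rd',                         # assumed: password set when the PFX was exported
    [string]$Fqdn    = 'owa.internal.net'                  # name external clients will use to reach the site
)

# MachineKeySet: private key lands in the machine key container, where the Web Proxy service can use it.
# PersistKeySet: the key stays on disk after this script exits.
# Exportable is deliberately omitted: the same choice as leaving "Mark this key as exportable" unchecked.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'

# A PFX exported with its chain carries the Web site certificate (with private key) and the CA certificate.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($PfxPath, $PfxPass, $flags)
$webCert = @($bundle | Where-Object { $_.HasPrivateKey }) | Select-Object -First 1
$caCerts = @($bundle | Where-Object { -not $_.HasPrivateKey })
if (-not $webCert) { throw "No certificate with a private key found in $PfxPath" }

# The certificate name must be the name external users type, or SSL clients will complain.
$certName = $webCert.GetNameInfo('DnsName', $false)
if ($certName -ne $Fqdn) { Write-Warning "Certificate is issued to '$certName', not to the published name '$Fqdn'" }

# Confirm the key really is non-exportable (CSP key containers expose this directly).
$rsa = $webCert.PrivateKey
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $csp = $rsa.CspKeyContainerInfo
    "Key container '$($csp.KeyContainerName)': exportable=$($csp.Exportable) machineStore=$($csp.MachineKeyStore)"
}

function Add-ToStore([string]$StoreName, $Certificate) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($Certificate)
    $store.Close()
}

# Personal gets both certificates, exactly as the wizard import does.
Add-ToStore 'My' $webCert
foreach ($ca in $caCerts) { Add-ToStore 'My' $ca }

# Build the chain; CRL checking is skipped so only the trust question is answered here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($ca in $caCerts) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
$trusted = $chain.Build($webCert)
$statusNames = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })

if (-not $trusted -and ($statusNames -contains 'UntrustedRoot')) {
    # The "red x" case: copy the self-signed CA certificate into Trusted Root Certification Authorities.
    $rootCa = $caCerts | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
    if ($rootCa) {
        Add-ToStore 'Root' $rootCa
        $trusted = $chain.Build($webCert)
    }
}

if ($trusted) {
    "Chain OK: '$($webCert.Subject)' issued by '$($webCert.Issuer)', thumbprint $($webCert.Thumbprint)"
} else {
    Write-Warning ("Chain still not trusted: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
```

Only a self-signed certificate is ever copied into Trusted Root; an intermediate CA that happens to be in the PFX is left in Personal and offered to the chain engine through ExtraStore, so the script never turns a subordinate CA into a trust anchor by accident.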
Create the Web or Server Publishing Rules on the ISA Server Firewall
Now you’re ready to create a publishing rule that allows inbound access to the front-end Exchange server. There are two methods you can use to allow inbound access:
Server Publishing Rules perform a "reverse NAT" function and merely forward the inbound SSL messages to the front-end Exchange Server. The ISA Server firewall is not able to inspect the contents of the SSL communication when you use Server Publishing Rules because the data is protected within an SSL tunnel that terminates on the Exchange Server, not on the firewall. Server Publishing Rules for inbound SSL connections therefore provide the same low level of firewall security you get when a traditional packet filtering firewall publishes an SSL site.
Web Publishing Rules provide a much higher level of security. The ISA Server firewall is able to inspect the contents of the SSL stream because it performs SSL bridging: it terminates the external client's SSL connection, inspects the decrypted HTTP request, and then opens a second SSL connection to the front-end Exchange Server. The ISA Server firewall can apply rules enforced by the urlscan.ini file, enforce the correct URL, and delegate basic authentication, so that the OWA client must authenticate with the firewall before a single packet is passed to the front-end Exchange Server.
I highly recommend that you use Web Publishing Rules to publish the front-end Exchange Server that is acting as an RPC over HTTP proxy computer. However, some ISA Server 2000 firewall administrators are forced to use Server Publishing Rules, so we will cover both procedures.
Let’s look first at how to create a Server Publishing Rule to allow inbound access to the front-end Exchange Server. The first step is to confirm that the Incoming Web Requests listener is not listening on TCP port 443. Two services cannot listen on the same socket (IP address, transport protocol and port) on the external interface of the ISA Server 2000 firewall. The Server Publishing Rule will fail if the Incoming Web Requests listener listens on TCP 443.
Perform the following steps to confirm that the Incoming Web Requests listener is not listening on TCP port 443:
- Open the ISA Management console, expand the Servers and Arrays node and right click on your server name. Click on the Properties command.
- On the server Properties dialog box, click on the Incoming Web Requests tab. Notice that there are two options in the Identification frame:
Use the same listener configuration for all IP addresses This setting allows the ISA Server firewall to listen on all IP addresses bound to the external interface and use the same security settings for all inbound requests intercepted by the Incoming Web Requests listener.
Configure listeners individually per IP address This setting allows you to configure each listener separately. For example, if you have three IP addresses bound to the external interface of the ISA Server firewall, you can dedicate a single address to listening for inbound connections to Web sites published via Web Publishing Rules.
You want to prevent the Incoming Web Requests listener from using TCP port 443. First, you should always configure listeners individually per IP address. This gives you control over the IP addresses used by listeners. Second, you need to remove the checkmark from the Enable SSL listeners checkbox.
When you remove the checkmark from the Enable SSL listeners checkbox, none of your listeners will be able to listen on TCP 443. This checkbox represents a global setting and you cannot control it on a per listener basis.
- Click Apply after removing the checkmark. You will be asked to restart the services. Allow the services to restart automatically.
- Click OK in the server Properties dialog box.
Removing the SSL listeners allows the Server Publishing Rule to bind TCP port 443. No two services can use the same IP address and port. This is sometimes referred to as socket contention.
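Before creating the rule you can verify from the command line that nothing on the firewall still owns TCP 443 on the external address. The PowerShell below is an added example, not code from the original article: it parses netstat output, maps each listening socket on port 443 to its owning process, and flags the sockets that would collide with an HTTPS Server Publishing Rule. The external IP address is an assumption.

```powershell
# Added example (not from the original article): detect socket contention on TCP 443
# before an HTTPS Server Publishing Rule is created.
param([string]$ExternalIp = '192.0.2.10')   # assumed: address on the external interface the rule will use

function Get-Tcp443Listener {
    # netstat -ano prints: Proto  Local Address  Foreign Address  State  PID (Windows XP/2003 and later)
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):443\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $localAddr = $matches[1]
            $ownerPid  = [int]$matches[2]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            New-Object PSObject -Property @{
                LocalAddress = $localAddr
                OwnerPid     = $ownerPid
                Process      = $name
            }
        }
    }
}

$listeners = @(Get-Tcp443Listener)

# A socket bound to the external address, or to every address (0.0.0.0), blocks the rule.
$conflicts = @($listeners | Where-Object { $_.LocalAddress -eq $ExternalIp -or $_.LocalAddress -eq '0.0.0.0' })

if ($conflicts.Count -eq 0) {
    "TCP 443 on $ExternalIp is free; the HTTPS Server Publishing Rule can bind it."
} else {
    foreach ($c in $conflicts) {
        # w3proxy is the ISA Server 2000 Web Proxy service: if it owns the socket, Enable SSL listeners
        # is still checked. Any other process (IIS, for example) must be stopped or rebound first.
        Write-Warning ("{0}:443 is owned by {1} (PID {2})" -f $c.LocalAddress, $c.Process, $c.OwnerPid)
    }
}
```

Run it once after disabling the SSL listeners and restarting the services; if w3proxy still appears on 443, the change was not applied.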
Creating a Server Publishing Rule
Perform the following steps to create a Server Publishing Rule that allows the inbound RPC over HTTP connection to reach the front-end Exchange Server:
- Open the ISA Management console and expand the Servers and Arrays node. Expand your server name and then expand the Publishing node. Right click on the Server Publishing Rules node, point to New and click on Rule.
- Enter a name for the RPC over HTTP Server Publishing Rule in the Server publishing rule name text box on the Welcome to the New Server Publishing Rule Wizard page. Click Next.
- Type in the IP address of the front-end Exchange Server in the IP address of internal server text box. Click the Browse button and select the IP address on the external interface you want to use in the Server Publishing Rule. Click OK in the New Server Publishing Rule Wizard dialog box.
- Click Next on the Address Mapping page.
- On the Protocol Settings page, select the HTTPS Server protocol from the Apply the rule to this protocol list. Click Next.
- Select the Any request option on the Client Type page. Click Next.
- Review your settings and click Finish on the Complete the New Server Publishing Rule Wizard page.
The Server Publishing Rule will start working without requiring you to restart the computer or any services.
Creating a Web Publishing Rule
Web Publishing Rules are more secure than Server Publishing Rules. They can be a bit more complex to create than Server Publishing Rules, but your reward is a much higher level of security. Creating a Web Publishing Rule to make your front-end Exchange Server's RPC over HTTP proxy service available can be made a lot easier by leveraging the automation provided by the OWA Web Publishing Wizard. Even though the OWA Web Publishing Wizard was not designed with the RPC over HTTP site in mind, we can still use it to simplify things. The OWA Web Publishing Wizard is a feature provided by ISA Server 2000 Feature Pack 1.
The OWA Web Publishing Wizard will do most of the work for you. There are just a few tweaks you have to make to optimize the rule for security and customize it to support RPC over HTTP publishing after the Wizard has completed its job.
Perform the following steps to create the Web Publishing Rule that will allow remote access to both your OWA site and RPC over HTTP:
- Open the ISA Management console. Expand the Servers and Arrays node and then expand your server name. Expand the Publishing node and click on the Web Publishing Rules node. Right click on the Web Publishing Rules node, point to New and click Publish Outlook Web Access Server.
- Type in a name for the rule in the Outlook Web Access Server rule name text box on the Welcome to the Outlook Web Access Publishing Wizard page. Click Next.
- On the Name of Published Server page, type in the FQDN of the OWA site in the Internal name or IP address of the Outlook Web Access Server text box. This information is used to forward the incoming request to the internal OWA server. You can use the IP address of the internal server, or the IP address of the external interface of the firewall protecting the internal OWA server if you are using reverse NAT to publish the OWA server.
I prefer to use the actual FQDN that the external user uses to connect to the site. This makes the Web Proxy logs easier to interpret. You can create a HOSTS file entry on the ISA Server that resolves this name to the IP address you want the incoming request forwarded to.
Put a checkmark in the Use an SSL connection from the ISA Server to the Outlook Web Access Server checkbox. This forces the ISA Server to establish an SSL link between itself and the OWA server. All communications between the ISA Server and the OWA server are protected by SSL.
- On the Listeners page, enter the URL that the external users will use to connect to the OWA site. Because we are forcing an SSL connection between the external client and the ISA Server, we use the URL https://owa.internal.net.
- On the Secure Connection from Client page, put a checkmark in the Enable SSL. Client must use SSL to connect to the ISA Server checkbox. Click the Select button.
Select the Web site certificate in the Select Certificate dialog box. Click OK.
- The Web site certificate appears in the Certificate frame. Click Next.
- Review the settings on the Completing the Outlook Web page and click Finish.
- Select the Save the changes and restart the service(s) option on the ISA Server Warning dialog box, and click Finish.
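Because the rule forwards to the name entered on the Name of Published Server page and then opens its own SSL connection to that name, two things must hold on the ISA Server before the rule will work: the name must resolve to the internal front-end server (via the HOSTS file entry described above, not to the firewall's own public address), and the certificate the internal server presents on TCP 443 must carry that same name. The PowerShell below is an added example, not code from the original article, that checks both from the firewall. The FQDN and internal address are assumptions.

```powershell
# Added example (not from the original article): verify, from the ISA Server, that the published
# name resolves to the internal front-end Exchange server and that the server's SSL certificate
# matches the name the Web Publishing Rule will use on the bridged connection.
param(
    [string]$Fqdn       = 'owa.internal.net',   # assumed: name typed on the Listeners and Name of Published Server pages
    [string]$InternalIp = '10.0.0.5'            # assumed: internal address of the front-end Exchange server
)

$hostsFile = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

function Test-PublishedName {
    # 1. Name resolution on the firewall itself: a public answer here would send the bridged
    #    connection back out to the firewall's own listener instead of to Exchange.
    $resolved = @([System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString })
    if ($resolved -notcontains $InternalIp) {
        return "WRONG-RESOLUTION: $Fqdn -> $($resolved -join ','); add the line '$InternalIp`t$Fqdn' to $hostsFile"
    }

    # 2. Reach TCP 443 on the internal server and inspect the certificate it presents.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($InternalIp, 443)
        # Accept any certificate in the callback; the name and validity are examined explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $name = $remote.GetNameInfo('DnsName', $false)
        if ($name -ne $Fqdn) {
            return "NAME-MISMATCH: the server's certificate is for '$name' but the rule connects as '$Fqdn'"
        }
        if ($remote.NotAfter -lt (Get-Date)) {
            return "EXPIRED: certificate for '$name' expired $($remote.NotAfter)"
        }
        return "OK: $Fqdn -> $InternalIp, certificate '$name' valid until $($remote.NotAfter)"
    } catch {
        return "SSL-FAILURE: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

Test-PublishedName
```

The check deliberately connects by IP address but sends the FQDN in the handshake, which is what the HOSTS entry achieves for the firewall's own Web Proxy service; a NAME-MISMATCH result means the internal server's certificate was issued to a different name than the one entered in the wizard.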
At this point we have an OWA Web Publishing Rule. In part 4 of this series we'll configure the Rule to support RPC over HTTP publishing and make some other changes to it to further enhance the level of security for the RPC over HTTP Web site on the front-end Exchange Server.
In this, part 3 of our series on RPC over HTTP publishing, we began by discussing the Windows Server 2003 and ISA Server 2000 installation procedures. We then imported the Web site certificate into the ISA Server 2000 firewall's machine certificate store. We ended today's session by creating an OWA publishing rule, which we will subsequently modify to support RPC over HTTP publishing.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=002297 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom