Your OWA Publishing Rule Works -- You're Not Done Yet
Yay! You got your Outlook Web Access Web Publishing Rule to work. Even better, you also got your RPC/HTTP Web Publishing Rule to work. Your users are happy and now you can get to the thousand other things you need to take care of before starting your Christmas vacation. Whoa! Good job on getting OWA and RPC/HTTP to work, but you're not done yet.
Why aren't you done? Because you haven't secured the connections yet. Yes, you're doing pre-authentication at the firewall, which is a good thing since it protects you against anonymous attacks on your Exchange Server's Web site. But you also need to make sure that only known good HTTP communication reach your Exchange Server.
How do you do that? You configure the HTTP Security Filter on the ISA or TMG firewall. The HTTP Security Filter enforces checks on a number of HTTP protocol parameters so that communications that fall outside of these parameters are dropped by the firewall. No, the HTTP Security Filter isn't a "magic bullet" against all HTTP exploits, but it's a powerful addition to your ISA or TMG firewall defense in depth plan.
for instructions on how to configure the HTTP Security Filter for your Exchange Web Publishing Rules.
Also, check out:
This article shows you how to use a simple script to export your HTTP Security Filter configuration so that if you need to configure it for other servers, or to restore the configuration on this server, you can use the script to import the settings that you've exported using the same script.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer