Publishing OWA Sites using ISA Firewall Web Publishing Rules (2004) Version 1.1

by Thomas W Shinder MD, MVP

Remote users can connect to your Exchange Server from virtually any site in the world via the HTTP protocol by using Outlook Web Access (OWA). Exchange Server 2003 takes OWA to the next level. The Exchange Server 2003 OWA site provides much greater functionality than the Exchange 2000 OWA site and provides a user experience that is very close to what you get with the full Outlook MAPI client.

Note:

Secure Exchange RPC Publishing is inherently more secure than OWA. The sophisticated layer 7 RPC filter tightly secures the connection between the remote full Outlook MAPI client and Exchange Server. In addition, you can configure the ISA firewall to force encrypted communications between itself and the Exchange Server. However, many remote users are behind conventional packet filter-based firewalls that do not allow outbound MAPI access to your Exchange Server because they lack the layer 7 intelligence provided by ISA firewalls.

OWA Web site publishing provides a viable alternative, both in terms of functionality and security, to secure Exchange RPC Publishing. Your job as the ISA firewall administrator is to provide remote users access to your Exchange Server 2003 OWA site and do so in a secure fashion.

Fortunately, it is possible to provide remote users a highly secure connection to your corporate OWA Web site. Security technologies that assure a protected link between the remote user and the OWA Web site include:

  • SSL connection between the OWA client and the ISA Server firewall
  • SSL connection between the ISA Server firewall and the OWA site
  • Client certificate presentation is enforced on the OWA directories; this requires the ISA firewall (and other hosts) to present a client certificate before it can connect to any of the OWA Web site directories
  • Client certificate authentication with the ISA Server firewall’s Incoming Web Requests listener requires the remote OWA client to present a user certificate to authenticate with the firewall before it attempts to forward credentials to the OWA site
  • OWA forms-based authentication enables the ISA firewall to generate the Log On form. This prevents unauthenticated connections from reaching the OWA site, because the firewall (rather than the OWA site) generates the Log On form.
  • Delegation of basic credentials ensures that the firewall pre-authenticates users, preventing unauthenticated hosts from sending a single packet to the OWA Web site
  • Microsoft enterprise CAs allow tight control over certificates; this removes the risk of clients connecting from untrusted hosts, such as airport kiosks or home computers that do not meet corporate security standards. The access and session control features provided by ISA firewall OWA Forms-based authentication further enhance security.

Secure OWA Web site publishing using ISA firewall provides a higher level of security than can be accomplished with virtually any other firewall in its class and provides a level of functionality and security second only to secure Exchange RPC Publishing.

Since the ISA firewall represents the industry standard for Unified Threat Management (UTM) devices, it only makes good sense that you replace those stateful filtering firewall/VPN gateways with a UTM device that sports both stateful filtering and stateful application layer inspection engines to protect your OWA sites. We always recommend that you switch over from your third-party stateful packet filters and use the ISA firewall’s advanced stateful filtering and advanced stateful application layer inspection features to protect OWA.

We will discuss the following procedures in step-by-step detail:

  • Issuing and Binding a Web Site Certificate to the OWA Web site
  • Exporting the OWA Web Site Certificate to a File (Including the Site’s Private Key)
  • Configuring the OWA Site to Force SSL Encryption and Basic Authentication
  • Importing the OWA Web Site Certificate into the ISA firewall’s Machine Certificate Store
  • Running the Outlook Web Access Publishing Wizard and creating the HOSTS file entry for the OWA Web Site Address
  • Increasing Security by Requiring Client Certificate Authentication to the Incoming Web Requests Listener (Optional)
  • Configuring the public DNS to resolve the name of the OWA site
  • Installing CA certificates on the OWA clients
  • Creating a HOSTS File Entry on the OWA Client Machine
  • Making the Connection to the OWA Web Site

The figure below shows the machines participating in the scenario covered in this article:

 

Issue and Bind a Web Site Certificate to the OWA Web Site

In order to perform SSL to SSL bridging, the ISA firewall must establish two SSL connections:

  • The first between the OWA client and the ISA firewall and
  • The second between the ISA firewall and the OWA Web site on the Internal network.

In order to support the second SSL connection between the ISA firewall and the OWA Web site, we must request a Web site certificate for the OWA site and bind that certificate to the OWA Web site.

Perform the following steps to request a Web site certificate for the OWA Web Site:

  1. At the EXCHANGE2003BE machine, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the left pane of the Internet Information Services (IIS) Manager console, expand the Web Sites node and click the Default Web Site. Right click Default Web Site and click Properties.
  3. On the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure communications frame.
  5. On the Welcome to the Web Server Certificate Wizard page, click Next.
  6. On the Server Certificate page, select the Create a new certificate option and click Next.
  7. On the Delayed or Immediate Request page, select the Send the request immediately to an online certificate authority option and click Next.
  8. On the Name and Security Settings page, accept the default settings and click Next.
  9. On the Organization Information page, enter your organization’s name in the Organization text box and your Organizational Unit’s name in the Organizational Unit text box. Click Next.
  10. On the Your Site’s Common Name page, enter the common name of the site. The common name is the name that external and internal users will use to access the site. For example, if users will enter https://owa.msfirewall.org into the browser to access the OWA site, you would make the common name owa.msfirewall.org. In our current example, we will enter owa.msfirewall.org into the Common name text box. This is a critical setting. If you do not enter the correct common name, you will see errors when attempting to connect to the secure OWA site. Click Next.

Note:

I cannot emphasize strongly enough how important it is that you enter the correct name for the common name on the certificate. You MUST use the right name, and this name should be the same name that both remote and internal users will use to access the OWA site. This means that you will need to create a split DNS. In my opinion, all organizations that want to support remote access to hosted resources must create a split DNS. Failing to do so puts you at a significant disadvantage.

  11. On the Geographical Information page, enter your Country/Region, State/province and City/locality in the text boxes. Click Next.
  12. On the SSL Port page, accept the default value, 443, in the SSL port this web site should use text box. Click Next.
  13. On the Choose a Certification Authority page, accept the default selection in the Certification authorities list and click Next.
  14. Review the settings on the Certificate Request Submission page and click Next.
  15. Click Finish on the Completing the Web Server Certificate Wizard page.
  16. Notice that the View Certificate button is now available. This indicates that the Web site certificate has been bound to the OWA Web site and can be used to enforce secure SSL connections to the Web site.
  17. Click OK in the Default Web Site Properties dialog box.

Export the OWA Web Site Certificate to a File – Including the Site’s Private Key

The ISA firewall impersonates the OWA Web site when the OWA client establishes the first SSL link between itself and the ISA firewall. In order for the ISA firewall to do this, you must export the OWA site’s Web site certificate and import that Web site certificate into the ISA firewall’s machine certificate store. It is critical that you export the Web site’s private key when you export the certificate to a file. If the private key is not included in the file, you will not be able to bind the certificate to a Web Listener on the ISA firewall.

Perform the following steps to export the Web site certificate with its private key to a file:

  1. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then click the Default Web Site. Right click the Default Web Site and click Properties.
  2. In the Default Web Site Properties dialog box, click the Directory Security tab.
  3. On the Directory Security tab, click the View Certificate button in the Secure communications frame.
  4. In the Certificate dialog box, click the Details tab. On the Details tab, click the Copy to File button.
  5. Click Next on the Welcome to the Certificate Export Wizard page.
  6. On the Export Private Key page, select the Yes, export the private key option and click Next.

  7. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox and remove the checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) checkbox. Click Next.
  8. On the Password page, enter a Password and then enter it again in the Confirm Password field. Click Next.
  9. On the File to Export page, enter c:\owacert in the File name text box. Click Next.
  10. Click Finish on the Completing the Certificate Export Wizard page.
  11. Click OK in the Certificate dialog box.
  12. Click OK in the Default Web Site Properties dialog box.
  13. Copy the owacert.pfx file to the root of the C:\ drive on the ISA firewall machine.

Configure the OWA Site to Force SSL Encryption and Basic Authentication

As a best security practice, you should prevent data and user credentials from being visible to intruders who may install network protocol analyzers (sniffers) on the corporate network. This can be accomplished by forcing all connections to the OWA Web site directories to use SSL. In addition, you should configure the OWA directories to use basic authentication only. This prevents browser compatibility issues, although it's not absolutely required. You do not need to worry about using basic authentication because the user credentials are secured by the SSL link.

Perform the following steps to configure the OWA Web site to force SSL connections and basic authentication on the OWA Web sites:

  1. Click Start, point to Administrative Tools and click on Internet Information Services. In the Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.

    The three OWA Web site directories that you will make accessible to remote users are:

    /Exchange
    /ExchWeb
    /Public

    We want the ISA firewall to always negotiate an SSL connection when proxying communications between these directories and the remote OWA client.

    Start by clicking on the Exchange directory so that it is highlighted. Then right click on an empty area in the right pane of the console. Click the Properties command.

  2. Click on the Directory Security tab. In the Authentication and access control frame, click the Edit button.
  3. In the Authentication Methods dialog box, remove the checkmark from all checkboxes except the Basic authentication (password is sent in clear text) checkbox. Place a checkmark in the Basic authentication checkbox. Click Yes in the dialog box warning you that the credentials should be protected by SSL. Enter your domain name in the Default domain text box. In this example, the domain name is MSFIREWALL. Click OK.
  4. Click Apply and then click OK in the Exchange Properties dialog box.
  5. Repeat these steps with the /Exchweb and /Public directories in the left pane of the console. Close the Internet Information Services (IIS) Manager console after you have forced basic authentication on the Exchange, Exchweb and Public folders.

The next step is to force the ISA firewall’s Web Proxy filter to use SSL when connecting to the OWA directories. Perform the following steps to force all connections to the OWA directories to negotiate an SSL connection:

  1. Click Start, point to Administrative Tools and click Internet Information Services. In the Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.

    Next, you will force an SSL connection on the directories the remote OWA users will access through the ISA Server. These directories are:

    /Exchange
    /Exchweb
    /Public

    Click the Exchange node in the left pane of the console to highlight it. Right click an empty area in the right pane of the console and click the Properties command.

  2. Click the Directory Security tab in the Exchange Properties dialog box. Click the Edit button in Secure communications frame.
  3. In the Secure Communications dialog box, put a checkmark in the Require secure channel (SSL) checkbox. Put a checkmark in the Require 128-bit encryption checkbox. Click OK.

  4. Click Apply and then click OK in the Exchange Properties dialog box.
  5. Repeat the procedure to force an SSL connection on the /Exchweb and /Public directories in the left pane of the console. Close the Internet Information Services (IIS) Manager console after forcing SSL on the Exchange, Exchweb and Public directories.

Import the OWA Web Site Certificate into the ISA firewall’s Machine Certificate Store

The Web site certificate must be imported into the ISA firewall’s machine certificate store before it can be bound to the Web Listener that will be used to accept incoming connections from remote users to the OWA site. Only after the Web site certificate (along with its private key) is imported into the firewall’s machine certificate store will the certificate be available for binding.

Perform the following steps to import the OWA server’s Web site certificate into the ISA Server’s machine certificate store:

  1. At the ISA firewall, click Start and click on the Run command. Enter mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command.
  2. Click the Add button in the Add/Remove Snap-in dialog box.
  3. Click the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box. Click Add.
  4. Select the Computer account option on the Certificates snap-in page. Click Next.
  5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish.
  6. Click Close on the Add Standalone Snap-in page.
  7. Click OK in the Add/Remove Snap-in dialog box.
  8. Right click the Personal node in the left pane of the console, point to All Tasks and click Import.
  9. Click Next on the Welcome to the Certificate Import Wizard.
  10. Click the Browse button and locate the certificate file. Click Next after the file path and name appear in the File name text box.

  11. On the Password page, enter the password for the file. Do not put a checkmark in the checkbox labeled Mark this key as exportable. That option would allow you to back up or transport your keys at a later time. You should not use this option because this machine is a bastion host with an interface in a perimeter network or on the Internet and may be compromised. The compromiser might be able to steal the private key from this machine if it is marked as exportable. Click Next.
  12. On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that it says Personal in the Certificate store box. Click Next.
  13. Review the settings on the Completing the Certificate Import page and click Finish.
  14. Click OK on the Certificate Import Wizard dialog box informing you the import was successful.
  15. You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN assigned to the Web site. This is the name external users use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it. Double click the Web site certificate in the right pane of the console.
  16. Expand the Trusted Root Certification Authorities node in the left pane of the console and scroll down to the CA certificate of the enterprise CA that issued the Web site certificate. Note that the enterprise CA certificate automatically appears in the Trusted Root Certification Authorities because we have an enterprise CA and the ISA firewall belongs to the same domain as the enterprise CA machine. If you used a standalone CA, or if the ISA firewall did not belong to the same domain as the enterprise CA, you would need to copy the enterprise CA’s certificate into the Trusted Root Certification Authorities\Certificates node. This can be done by right clicking on the CA certificate and then clicking the Copy command. Then you would click on the \Trusted Root Certification Authorities\Certificates node and click on the Paste button in the mmc’s button bar.

Create a HOSTS File Entry for the OWA Web Site Address and Run the Outlook Web Access Publishing Wizard

In a production environment, we strongly recommend that you create a split DNS infrastructure. This enables hosts on internal and external networks to properly resolve the name of the OWA Web site. We have not configured a split DNS infrastructure in our current example, so we will use a HOSTS file on the ISA firewall machine that enables the firewall to resolve the name of the OWA site to the site’s Internal IP address.

This point is worth repeating:
The ISA firewall must be able to resolve the name used by remote users connecting to the OWA site through the ISA firewall to the IP address of the OWA site on the corporate network. The ISA firewall must not resolve this name to the IP address on the external interface of the ISA firewall.

Perform the following steps to create the HOSTS file entry mapping the OWA site to its internal address:

  1. On the ISA firewall, open Windows Explorer, navigate to \WINDOWS\system32\drivers\etc directory and open the hosts file.
  2. In the Open With dialog box, select Notepad and click OK.
  3. The HOSTS file is opened in Notepad. Add a line at the end of the hosts file that resolves the name in the redirect to the IP address that can reach the OWA server on the internal network. For example, if the firewall in front of the OWA server on the internal network is performing reverse NAT to publish the internal OWA site, and the redirect is owa.msfirewall.org, you would add the following entry:

    10.0.0.2 owa.msfirewall.org

    “10.0.0.2” is the IP address of the OWA server machine on the internal network. Press ENTER after you add this line to the hosts file so that there is an empty line at the end of the file.

  4. Close Notepad and click Yes to save the changes made to the file.

Now we’re ready to create the OWA Web Publishing Rule on the ISA firewall machine. Perform the following steps to securely publish the Exchange OWA Web site:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Click the Tasks tab in the Task Pane. Click the Publish a Mail Server link.
  2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we will call it Publish OWA Web Site. Click Next.
  3. On the Select Access Type page, select the Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) option and click Next.
  4. On the Select Services page, put a checkmark in the Outlook Web Access checkbox. Confirm that there is a checkmark in the Enable high bit characters used by non-English character sets checkbox. This option allows OWA users to access mail using non-English character sets. Click Next.
  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next. This option creates a Web Publishing Rule that ensures a secure SSL connection from the client to the OWA Web site. This prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information. The external client that makes an SSL connection expects that traffic to be secure from end to end.
  6. On the Specify the Web Mail Server page, enter the name for the internal OWA Web site in the Web mail server text box. In this example, we will use the name owa.msfirewall.org. Note that this is the name used for the Exchange Server site on the internal network and this is the common name on the OWA Web site’s certificate. If you used an IP address, it would prevent the SSL connection between the internal interface of the ISA firewall and the Exchange OWA site. You can use either a split DNS or a HOSTS file entry on the ISA firewall to resolve this name to the IP address used by the Exchange Server on the internal network. This is why we created a HOSTS file entry earlier, so that the ISA firewall resolves the name we put in the Web mail server text box to the internal address of the OWA site. Click Next.

  7. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Again, this is the name the external users use when accessing the Web site, and this is also the common name on the Web site certificate. This name must resolve to the IP address on the external interface of the ISA firewall when using public DNS servers. This is a critical setting and you must confirm that your public DNS servers properly resolve this name. This is the name the user enters into his browser in the browser’s Address bar. Click Next.
  8. On the Select Web Listener page, click the New button. The Web listener works like the Web listener in ISA Server 2000, but with ISA firewall, you have more options. For example, you can create a separate Web listener for SSL and non-SSL connections on the same IP address. In addition, the Web listener settings are no longer global, and you can configure separate settings for each listener based on the number of addresses bound to the external interface of the ISA firewall.
  9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will use the name OWA SSL Listener. Click Next.
  10. On the IP Addresses page, put a checkmark in the External checkbox. Click the Address button.
  11. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the select network option. Click the external IP address on the ISA firewall that you want to listen for incoming requests to the OWA site in the Available IP Addresses list. In this example, we will select 192.168.1.70. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
  12. Click Next on the IP Addresses page.
  13. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Leave the SSL port number at 443. By configuring this listener to use only SSL, you can configure a second listener with different settings that is dedicated for non-SSL connections.
  14. Click the Select button. In the Select Certificate dialog box, click the OWA Web site certificate that you imported into the ISA firewall’s machine certificate store and click OK. Note that this certificate will appear in this dialog box only after you have installed the Web site certificate into the ISA firewall’s machine certificate store. In addition, the certificate must contain the private key. If the private key was not included, the certificate will not appear in this list.
  15. Click Next on the Port Specification page.
  16. Click Finish on the Completing the New Web Listener page.
  17. The details of the Web listener now appear on the Select Web Listener page. Click Edit.

  18. In the OWA SSL Listener Properties dialog box, click the Preferences tab.
  19. On the Preferences tab, click the Authentication button.
  20. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured.
  21. Place a checkmark in the OWA Forms-Based authentication checkbox. The OWA Forms-based authentication feature is very useful and enhances the security the ISA firewall provides for your OWA site. The firewall generates the log on form and then forwards the credentials sent by the user to the OWA site for authentication. Only after the user is successfully authenticated is the connection request forwarded to the OWA site. This prevents unauthenticated users from connecting to the OWA site and eliminates the risks inherent in unauthenticated users accessing the OWA site. Note that you must not enable forms-based authentication at the Exchange Server’s OWA site. Forms-based authentication should be enabled only at the ISA firewall. Click the Configure button.
  22. On the OWA Forms-Based Authentication dialog box, put checkmarks in the Clients on public machines, Clients on private machines and Log off OWA when the user leaves OWA site checkboxes. These settings enhance security for your OWA site. Note that you also have the option to set the session time-outs for clients on both public and private machines. It is important to note that the user decides if the machine should be recognized as public or private. Because it is not good security policy to let the user determine the level of security applied to a connection, you should force the same policy on all users. Click OK.
  23. Click OK in the Authentication dialog box.
  24. Click Apply and then click OK in the OWA SSL Listener Properties dialog box.

  25. Click Next on the Select Web Listener page.
  26. On the User Sets page, accept the default entry, All Users, and then click Next. Note that this does not mean that all users will be able to access the OWA site. Only users who can authenticate successfully will be able to access the site. The actual authentication is done by the OWA site, using the credentials that the ISA firewall forwards to it. You cannot have the ISA firewall itself and the OWA site authenticate the user. This means that you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA firewall itself using client certificate authentication.
  27. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
  28. Right click the OWA Web site rule in the Details pane of the console and click Properties.
  29. In the OWA Web site Properties dialog box, click the To tab. On the To tab, select the Requests appear to come from the original client option. This option allows the OWA Web site to receive the actual IP address of the external client. This feature enables Web logging add-ons installed on the OWA Web site to use this information when creating reports. This To tab is critical, because the name in the Server text box must match the name on the certificate bound to the OWA site on the corporate network. I encourage you to use the same name from “end to end” but it's not absolutely required. In a future article, I’ll show you how you can actually use different public names and private names, but I will reiterate that I do not recommend that approach.
  30. Click Apply and then click OK.
  31. Click Apply to save the changes and update the firewall policy.
  32. Click OK in the Apply New Configuration dialog box.
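
The name rules scattered through the steps above (certificate common name, Public name, Web mail server name, and the firewall's HOSTS entry) can be checked together before the rule goes live. The following Python script is an added example, not part of the original article or of ISA Server; the dictionary keys, finding codes and sample HOSTS text are constructed for illustration from the article's scenario values, and duplicate HOSTS names are resolved first-entry-wins as an assumption of this sketch.

```python
import ipaddress

# Constructed sample data based on the article's scenario (not captured output).
CONFIG = {
    "cert_common_name": "owa.msfirewall.org",  # common name on the OWA certificate
    "public_name": "owa.msfirewall.org",       # Public Name Details page
    "web_mail_server": "owa.msfirewall.org",   # Web mail server text box / To tab
    "listener_ip": "192.168.1.70",             # external address of the Web listener
    "owa_internal_ip": "10.0.0.2",             # OWA server on the internal network
}
PUBLIC_DNS = {"owa.msfirewall.org": "192.168.1.70"}  # stand-in for a public DNS answer
GOOD_HOSTS = "127.0.0.1  localhost\n10.0.0.2  owa.msfirewall.org  # internal OWA site\n"
BAD_HOSTS = "127.0.0.1  localhost\n192.168.1.70  OWA.msfirewall.org\n"


def norm(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.strip().lower().rstrip(".")


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Parse HOSTS-file text into {name: address}.

    Comments and blank lines are ignored, malformed lines are skipped, and
    the first entry for a name is kept (assumption of this example).
    """
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or not is_ip_literal(fields[0]):
            continue
        for name in fields[1:]:
            table.setdefault(norm(name), fields[0])
    return table


def check_publishing(cfg, firewall_hosts_text, public_dns):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    cn = norm(cfg["cert_common_name"])
    public = norm(cfg["public_name"])
    target = norm(cfg["web_mail_server"])

    # Client-facing side: the browser compares the name it typed with the
    # certificate bound to the listener, and public DNS must lead to the listener.
    if public != cn:
        findings.append(f"PUBLIC_NAME_MISMATCH: clients use {public}, certificate says {cn}")
    if public_dns.get(public) != cfg["listener_ip"]:
        findings.append(f"PUBLIC_DNS: {public} does not resolve to {cfg['listener_ip']}")

    # Firewall-to-OWA side: an IP address in the rule can never match the
    # certificate name, so the second SSL connection would fail.
    if is_ip_literal(target):
        findings.append(f"TARGET_IS_IP: rule points at {target}, not a certificate name")
        return findings
    if target != cn:
        findings.append(f"TARGET_NAME_MISMATCH: rule uses {target}, certificate says {cn}")

    # The firewall must resolve the name to the internal OWA server,
    # never to its own external interface.
    resolved = parse_hosts(firewall_hosts_text).get(target)
    if resolved is None:
        findings.append(f"HOSTS_MISSING: no HOSTS entry for {target}; split DNS must supply it")
    elif resolved == cfg["listener_ip"]:
        findings.append(f"HOSTS_LOOP: {target} resolves to the firewall's own listener")
    elif resolved != cfg["owa_internal_ip"]:
        findings.append(f"HOSTS_WRONG_HOST: {target} resolves to {resolved}")
    return findings


if __name__ == "__main__":
    for label, hosts in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_publishing(CONFIG, hosts, PUBLIC_DNS) or "no findings")
```

The check uses exact name comparison only, as the article does; it does not model wildcard certificates or subject alternative names.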

Configure the public DNS to resolve the name of the OWA site

Correct DNS host name resolution is critical when you design a remote access solution. The ideal DNS configuration allows users who move between the internal and external networks to be able to resolve host names to the correct address regardless of where they are currently located.

The ideal DNS configuration is the split DNS. A split DNS infrastructure consists of two zones that serve the zone domain and subdomains:

  • An internal zone that is used only by internal network hosts
  • An external zone that is used only by external network hosts

Internal network hosts who need to resolve names on the internal network query an internal network zone and receive the internal network IP address of the host to which they want to connect. External network hosts query the external network zone and receive a public IP address to which they can connect. The destination machine is the same for the external and internal hosts; they just take different routes to arrive at their common destination.

For example, your internal network domain to which the Exchange Servers belong is domain.com. You publish the OWA site to the Internet using ISA Server 2000. The ISA Server uses IP address 131.107.0.1 to listen for incoming requests for the OWA site. The Exchange Server on the internal network has the IP address 10.0.0.3.

Your goal is to allow all hosts, regardless of their locations, to access the Exchange Server using the FQDN owa.domain.com. You want hosts on the internal network to connect directly to the OWA site using the IP address 10.0.0.3 and you want remote hosts connecting from the Internet to use IP address 131.107.0.1 to access the OWA site.

The solution is to create entries on a publicly available DNS server for the domain.com domain. You can have a third party host your DNS services or you can host them yourself. Regardless of who hosts these addresses, the DNS resource records for the domain.com domain on this publicly available DNS server contain the public addresses you want users to use to access resources. In the case of the published resources on the Exchange Server, you should create a Host (A) record for owa.domain.com to map to the IP address 131.107.0.1.

You should then create a second DNS server on the internal network behind the ISA Server firewall. The internal network DNS server also hosts a zone for the domain.com domain. You should create a Host (A) resource record on the internal network DNS server within the domain.com zone for owa.domain.com. The difference is that this time you map these three entries to 10.0.0.3.

External network hosts are assigned a DNS server address that allows them to resolve names to public addresses. How these external hosts are assigned an IP address depends on where they are located. You usually have no control over the specific DNS server address that’s assigned to your remote hosts. However, this is not a problem. If you have registered your domain.com with an Internet Registrar and indicated the correct address for the publicly available authoritative DNS server for your domain, external hosts will have no problems resolving your public addresses correctly.

Internal network hosts can be assigned a correct DNS server address using DHCP. When a remote host moves into the internal network, it will receive new IP addressing information, including a DNS server address, from your DHCP server. When the host receives the IP address of your internal DNS server, it will then be able to resolve the names associated with the front-end Exchange Server to its internal address.
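One way to confirm that both halves of the split DNS answer as intended is to ask each DNS server directly instead of relying on whichever resolver the test machine happens to use. The following is an added example, not part of the original article: the DNS server addresses 192.0.2.53 and 10.0.0.53 are placeholders, and the script reads only plain A answers (it does not retry over TCP).

```python
import socket
import struct

# DNS server addresses are placeholders (assumed); expected IPs are the article's.
VIEWS = {"external": ("192.0.2.53", "131.107.0.1"), "internal": ("10.0.0.53", "10.0.0.3")}

def build_query(name, txid=0x1234):
    """Encode a recursive DNS query for the A record of name."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)    # a pointer is 2 bytes, the root label 1

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section; [] on any error RCODE."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_via(server, name, timeout=3.0):
    """Ask one specific DNS server (UDP/53), bypassing the system resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

def check_split_dns(name, views, resolver=resolve_via):
    """views maps a label to (dns_server, expected_ip); return the labels that fail."""
    return [label for label, (server, expected) in views.items()
            if resolver(server, name) != [expected]]
```

Calling `check_split_dns("owa.domain.com", VIEWS)` with your real DNS server addresses returns an empty list when the public zone answers 131.107.0.1 and the internal zone answers 10.0.0.3; any label in the result names the view that hands out the wrong address.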

Publishing the Web Enrollment Site

The external OWA client needs the CA certificate of the CA that issued the OWA site’s certificate placed in its Trusted Root Certification Authorities certificate store. This certificate can be placed in the User certificate store; it does not need to be placed in the Machine certificate store. We can easily accomplish this task by connecting to the CA’s Web enrollment site. However, before we can connect to the CA’s Web enrollment site, we must publish that site so that it is accessible to external network hosts.

Perform the following steps to publish the enterprise CA’s Web enrollment site:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
  2. In the Task Pane, click the Tasks tab. On the Tasks tab, click the Publish a Web Server link.
  3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing Rule Wizard page. In this example, we will enter the name Publish Web Enrollment Site in the Web publishing rule name text box. Click Next.
  4. Select the Allow option on the Select Rule Action page.
  5. On the Define Website to Publish page, enter the IP address of the enterprise CA’s Web site in the Computer name or IP address text box. In this example, the IP address is 10.0.0.2, so we will enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.
  6. On the Public Name Details page, select the This domain name (type below) option in the Accept request for list box. In the Public name text box, enter the IP address on the external interface of the firewall. In this example, the main office ISA firewall’s external address is 192.168.1.70, so we will enter that value into the text box. Enter /certsrv/* into the Path (optional) text box. Click Next.
  7. On the Select Web Listener page, click the New button.
  8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web listener name text box. In this example, we will name the listener Listener70, to indicate the IP address on which the listener is listening. Click Next.
  9. On the IP addresses page, put a checkmark in the External checkbox and click Next.
  10. On the Port Specification page, accept the default settings. Confirm that there is a checkmark in the Enable HTTP checkbox and that the value 80 is in the HTTP port text box. Click Next.
  11. Click Finish on the Completing the New Web Listener Wizard page.
  12. Click Next on the Select Web Listener page.
  13. Accept the default setting, All Users, on the User Sets page and click Next.
  14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
  15. Right click the Publish Web Enrollment Site rule and click Properties.
  16. On the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the Paths tab, click the Add button. In the Path mapping dialog box, add the entry /CertControl/* in the text box labeled "Specify the folder on the Web site that you want to publish. To publish the entire Web site, leave this field blank." Click OK.
  17. Click Apply and then click OK in the Publish Web Enrollment Site dialog box.
  18. Click Apply to save the changes and update the firewall policy.
  19. Click OK in the Apply New Configuration dialog box.

Installing the Enterprise CA Certificate on the OWA Client Machine

Now we must obtain the CA certificate from the enterprise CA on the internal network. We can connect to the Web enrollment site to obtain the CA certificate. Perform the following steps to obtain the CA certificate and install it on the Outlook Express client computer:

  1. On the Outlook Express e-mail client computer, enter http://192.168.1.70/certsrv in the Address bar and press ENTER.
  2. In the Connect to dialog box, enter Administrator in the User name text box and the Administrator’s password in the Password text box. Click OK.
  3. On the Welcome page of the Microsoft Certificate Services site, click the Download a CA certificate, certificate chain, or CRL link.
  4. On the Download a CA Certificate, Certificate Chain, or CRL page, click the Install this CA certificate chain link.
  5. Click Yes in the Security Warning dialog box asking if you want to install the Microsoft Certificate Enrollment Control.
  6. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site will add a certificate to the machine.
  7. Click Yes in the Root Certificate Store dialog box asking if you want to add the CA certificate.
  8. Close the browser after you see the CA Certificate Installation page that informs you that The CA certificate chain has been successfully installed.

Creating a HOSTS File Entry on the OWA Client Machine

The OWA client machine must be able to resolve the name of the OWA server to the name that is on the OWA server’s Web site certificate. The name we assigned to the Web site certificate on the OWA server is owa.msfirewall.org. The OWA client machine must be able to resolve this name to the IP address on the external interface of the ISA firewall that listens for incoming requests to the OWA server. In our current example, this is 192.168.1.70.

In a production environment, you should have a split DNS infrastructure that correctly resolves names for both internal and external network clients. We have not created a split DNS infrastructure in our test lab, so we will use a HOSTS file to resolve owa.msfirewall.org to the correct IP address.

Perform the following steps to create the HOSTS file entry on the e-mail client machine:

  1. Right click Start and click Explore.
  2. Navigate to <system_root>\system32\drivers\etc and open the HOSTS file in Notepad.
  3. In the HOSTS file, enter on the last line of the HOSTS file the following entry:

    192.168.1.70 owa.msfirewall.org

    Ensure that you press ENTER after you complete the line so that the insertion point is under the new line. Otherwise, the new entry won’t be recognized.

  4. Close the HOSTS file and save the changes.
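The HOSTS entry is easy to get subtly wrong: a missing final line break, a mistyped address, or an older conflicting line for the same name. The following is an added example, not part of the original article, that checks HOSTS file text for those problems; the sample file contents are constructed, and the function names are this example's own.

```python
import ipaddress

# Constructed sample: the HOSTS file as the article leaves it, once without
# and once with the final line break the article says is required.
SAMPLE_NO_NEWLINE = "127.0.0.1 localhost\r\n192.168.1.70 owa.msfirewall.org"
SAMPLE_OK = SAMPLE_NO_NEWLINE + "\r\n"


def parse_hosts(text):
    """Return {lowercase name: [addresses]} in file order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def check_hosts(text, name, expected_ip):
    """Return a list of problems; an empty list means the entry looks right."""
    problems = []
    if text and not text.endswith(("\n", "\r")):
        problems.append("last line is not terminated with a line break")
    found = parse_hosts(text).get(name.lower(), [])
    expected = str(ipaddress.ip_address(expected_ip))
    if not found:
        problems.append(f"no entry for {name}")
    elif set(found) != {expected}:
        problems.append(f"{name} maps to {', '.join(found)}, expected only {expected}")
    return problems


if __name__ == "__main__":
    # On the client, read the real file with open(path, newline="") so the
    # line endings are preserved; the path is <system_root>\system32\drivers\etc\hosts.
    for label, text in (("no line break", SAMPLE_NO_NEWLINE), ("ok", SAMPLE_OK)):
        print(label, check_hosts(text, "owa.msfirewall.org", "192.168.1.70"))
```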

Making the Connection to the OWA Web Site

Perform the following steps to make the connection to the OWA Web site:

  1. Open Internet Explorer, enter https://owa.msfirewall.org/exchange into the Address bar and press ENTER.
  2. On the Outlook Web Access logon page, enter MSFIREWALL\Administrator in the Domain\user name text box and enter the Administrator’s password in the Password text box. Select the Premium option under Client. Select the Private computer option under Security. Click Log On.
  3. The OWA Site opens in an SSL window. The padlock icon in the status bar of Internet Explorer confirms the secure link.
  4. Click Log Off to log off the OWA Web site.


Conclusion

In this article, we discussed the procedures required to publish a secure Microsoft Exchange OWA Web site and provision the OWA Web client for a secure connection. We also examined issues related to a split DNS infrastructure and how a split DNS infrastructure supports OWA clients who move between the Internal and External networks.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000223 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
