Publishing Outlook Web Access Web Sites with a Unihomed (Single-NIC) ISA Server 2004 Web Proxy Server: Part 1


by Thomas W Shinder M.D.


Part 2 of this article is at: http://isaserver.org/articles/2004unihomedowapart2.html

Many organizations that already have a firewall infrastructure in place would like to take advantage of ISA Server 2004’s advanced application layer intelligence. This is especially significant when organizations have already invested heavily in traditional packet filter based firewalls that do not protect their Exchange organizations from modern application layer attacks. The problem these companies run into is that it isn’t realistic for them to “rip and replace” their current firewall infrastructure. They are concerned that because they can’t replace their current firewall infrastructure, they might not be able to use the ISA Server 2004 advanced application layer intelligence without major network reconfiguration.

The good news for these companies is that they can drop an ISA Server 2004 machine between their front-end and back-end traditional packet filter based firewalls by installing an ISA Server 2004 firewall in “Web Proxy” configuration. Although an ISA Server 2004 firewall configured in “Web Proxy” mode cripples the majority of the firewall protections the ISA Server 2004 firewall can provide, it does leave in place the strong intelligent application layer protection for HTTP and HTTPS (SSL/TLS) connections. Since incoming connections from remote hosts to a published OWA site use HTTPS, you still benefit from the full range of application layer intelligence that ISA Server 2004 provides.

In this two-part article we will go through the step-by-step procedures required to configure the ISA Server 2004 machine as a unihomed Web Proxy machine and publish the OWA site on the internal network located behind the back-end firewall. If you plan to implement this on your own network that already has a front-end and back-end firewall, the only thing you need to do on the front-end firewall is forward incoming SSL connections to the unihomed Web Proxy server. On the back-end firewall, you need to forward incoming SSL connections to the OWA site. In this article we will use an ISA Server 2004 firewall to simulate a back-end packet filter based firewall by using a Server Publishing Rule instead of a Web Publishing Rule.

You will perform the following steps to publish the OWA Web site using a unihomed Web Proxy:

  • Issuing and Binding a Web Site Certificate to the OWA Web site
  • Exporting the OWA Web Site Certificate to a File (Including the Site’s Private Key)
  • Configuring the OWA Site to Force SSL Encryption and Basic Authentication
  • Installing ISA Server 2004 in Unihomed Web Proxy Mode
  • Importing the OWA Web Site Certificate into the ISA Server 2004 Proxy Machine Certificate Store
  • Running the Outlook Web Access Publishing Wizard and creating the HOSTS file entry for the OWA Web Site Address
  • Creating a Server Publishing Rule on the Back-end Firewall
  • Configuring the public DNS to resolve the name of the OWA site
  • Installing CA certificates on the OWA clients
  • Creating a HOSTS File Entry on the OWA Client Machine
  • Making the Connection to the OWA Web Site

The figure below provides location and IP addressing information about the topology used in this document.

The Exchange Server and the ISA Server 2004 firewall machine belong to the same domain, which is msfirewall.org. The unihomed Web proxy server in front of the ISA Server 2004 firewall is not a member of the domain. Domain membership is not required for the unihomed Web Proxy server to support this OWA publishing scenario. The Exchange Server is also a domain controller, and the Microsoft Certificate Server is installed on the domain controller. Certificate Services is installed so that the certificate server is an enterprise CA.

The ISA Server 2004 firewall behind the Web Proxy will simulate a conventional packet filtering firewall and perform reverse NAT to publish the Exchange Server on the internal network. We can accomplish this with ISA Server 2004 by creating a Server Publishing Rule. The ISA Server 2004 machine simulating the packet filter based firewall on the back end is configured using the installation defaults and network ID 10.0.0.0/24 as its Internal network.

Issuing and Binding a Web Site Certificate to the OWA Web Site

In order to perform SSL to SSL bridging, the ISA Server 2004 Web Proxy must establish two SSL connections: the first between the OWA client and the ISA Server 2004 Web Proxy and the second between the ISA Server 2004 Web Proxy and the OWA Web site on the Internal network. In order to support the second SSL connection between the ISA Server 2004 Web Proxy and the OWA Web site, we must request a Web site certificate and bind that certificate to the OWA Web site.

Perform the following steps to request a Web site certificate for the OWA Web Site:

  1. At the EXCHANGE2003BE (the Exchange Server in this example) machine, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the left pane of the Internet Information Services (IIS) Manager console, expand the Web Sites node and click the Default Web Site. Right click Default Web Site and click Properties.
  3. On the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure communications frame.
  5. On the Welcome to the Web Server Certificate Wizard page, click Next.
  6. On the Server Certificate page, select the Create a new certificate option and click Next.
  7. On the Delayed or Immediate Request page, select the Send the request immediately to an online certificate authority option and click Next.
  8. On the Name and Security Settings page, accept the default settings and click Next.
  9. On the Organization Information page, enter your organization’s name in the Organization text box and your Organizational Unit’s name in the Organizational Unit text box. Click Next.
  10. On the Your Site’s Common Name page, enter the common name of the site. The common name is the name that external and internal users will use to access the site. For example, if users will enter https://owa.msfirewall.org into the browser to access the OWA site, you would make the common name owa.msfirewall.org. In our current example, we will enter owa.msfirewall.org into the Common name text box. This is a critical setting. If you do not enter the correct common name, you will see errors when attempting to connect to the secure OWA site. Click Next.
  11. On the Geographical Information page, enter your Country/Region, State/province and City/locality in the text boxes. Click Next.
  12. On the SSL Port page, accept the default value, 443, in the SSL port this web site should use text box. Click Next.
  13. On the Choose a Certification Authority page, accept the default selection in the Certification authorities list and click Next.
  14. Review the settings on the Certificate Request Submission page and click Next.
  15. Click Finish on the Completing the Web Server Certificate Wizard page.
  16. Notice that the View Certificate button is now available. This indicates that the Web site certificate has been bound to the OWA Web site and can be used to enforce secure SSL connections to the Web site.
  17. Click OK in the Default Web Site Properties dialog box.
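The common name check described in the procedure above is the check the OWA client’s browser performs when it connects to the published site: the name in the certificate must match the host name the user typed. The following Python script is an added example, not part of the original article and not IIS or ISA Server code. It models that check on a certificate represented only by its Common Name and, going beyond the article’s single-name certificate, an optional list of Subject Alternative Names with single-label wildcard support. The host names owa.msfirewall.org and EXCHANGE2003BE.msfirewall.org come from the article; the mismatch case shows the error you get when the certificate is issued to the server’s own name instead of the name users type.

```python
"""Model of the browser's certificate name check for the published OWA site.

Added example, not from the original article. The certificate is represented
by its Common Name and an optional SAN list as plain strings; no IIS, ISA
Server or TLS library is involved.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host name, RFC 2818 style.

    Comparison is case-insensitive. A leading '*.' matches exactly one label,
    so '*.msfirewall.org' matches 'owa.msfirewall.org' but neither
    'owa.corp.msfirewall.org' nor the bare 'msfirewall.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".msfirewall.org"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        return first_label != "" and "." not in first_label
    return pattern == hostname


def cert_matches_url(common_name: str, sans: Optional[Iterable[str]], url: str) -> bool:
    """Return True if a client would accept this certificate for the given URL.

    If Subject Alternative Names are present they are authoritative and the CN
    is ignored, which is how current clients behave. The 2004-era certificate
    issued in the article carries only a CN, so that path is handled as well.
    """
    host = urlsplit(url).hostname or ""
    names = list(sans) if sans else [common_name]
    return any(_name_matches(name, host) for name in names)


def describe(common_name: str, url: str) -> str:
    """Human-readable verdict for a CN-only certificate, as in the article."""
    if cert_matches_url(common_name, None, url):
        return "OK: certificate name matches %s" % url
    return "MISMATCH: certificate is for %s but users connect to %s" % (common_name, url)


if __name__ == "__main__":
    # The article's correct choice: CN equals the name users type.
    print(describe("owa.msfirewall.org", "https://owa.msfirewall.org/exchange"))
    # The mistake the article warns about: CN set to the server's own name.
    print(describe("EXCHANGE2003BE.msfirewall.org", "https://owa.msfirewall.org/exchange"))
```

Because the Web Proxy impersonates the OWA site on the first SSL leg and the same certificate is used on both legs, one certificate whose name matches the public URL satisfies both connections; a certificate named after the internal server would fail at the client even though the second leg, from the proxy to the Exchange server, might be configured to accept it.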

Export the OWA Web Site Certificate to a File – Including the Site’s Private Key

The ISA Server 2004 Web Proxy impersonates the OWA Web site when the OWA client establishes the first SSL link between itself and the ISA Server 2004 Web Proxy. In order for the ISA Server to do this, you must export the Web site certificate and import that certificate into the ISA Server 2004 Web Proxy’s machine certificate store. It is important that you export the Web site’s private key when you export the certificate to a file. If the private key is not included in the file, you will not be able to bind the certificate to a Web Listener on the ISA Server 2004 Web Proxy.

Perform the following steps to export the Web site certificate with its private key to a file:

  1. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then click the Default Web Site. Right click the Default Web Site and click Properties.
  2. In the Default Web Site Properties dialog box, click the Directory Security tab.
  3. On the Directory Security tab, click the View Certificate button in the Secure communications frame.
  4. In the Certificate dialog box, click the Details tab. On the Details tab, click the Copy to File button.
  5. Click Next on the Welcome to the Certificate Export Wizard page.
  6. On the Export Private Key page, select the Yes, export the private key option and click Next.
  7. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox and remove the checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) checkbox. Click Next.
  8. On the Password page, enter a Password and then enter it again in the Confirm Password field. Click Next.
  9. On the File to Export page, enter c:\owacert in the File name text box. Click Next.
  10. Click Finish on the Completing the Certificate Export Wizard page.
  11. Click OK in the Certificate dialog box.
  12. Click OK in the Default Web Site Properties dialog box.
  13. Copy the owacert.pfx file to the root of the C:\ drive on the ISA Server 2004 Web Proxy machine.

Configuring the OWA Site to Force SSL Encryption and Basic Authentication

As a best security practice, you should prevent data and user credentials from being visible to intruders who may install network protocol analyzers (sniffers) on the corporate network. This can be accomplished by forcing all connections to the OWA Web site directories to use SSL. In addition, you should configure the OWA directories to use basic authentication only. This prevents browser compatibility issues. You do not need to worry about using basic authentication because the user credentials are secured by the SSL link.

Perform the following steps to configure the OWA Web site to force SSL connections and basic authentication on the OWA Web sites:

  1. Click Start, point to Administrative Tools and click on Internet Information Services. In the Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console. The three OWA Web site directories that you will make accessible to remote users are:

/Exchange
/ExchWeb
/Public

  2. We want the ISA Server to always negotiate an SSL connection when proxying communications between these directories and the remote OWA client. Start by clicking on the Exchange directory so that it is highlighted. Then right click on an empty area in the right pane of the console. Click the Properties command.
  3. Click on the Directory Security tab. In the Authentication and access control frame, click the Edit button.
  4. In the Authentication Methods dialog box, remove the checkmark from every checkbox and then place a checkmark in the Basic authentication (password is sent in clear text) checkbox so that it is the only method enabled. Click Yes in the dialog box warning you that the credentials should be protected by SSL. Enter your domain name in the Default domain text box. In this example, the domain name is MSFIREWALL. Click OK.
  5. Click Apply and then click OK in the Exchange Properties dialog box.
  6. Repeat these steps with the /Exchweb and /Public directories in the left pane of the console. Close the Internet Information Services (IIS) Manager console after you have forced basic authentication on the Exchange, Exchweb and Public folders.

The next step is to force the ISA Server’s Web Proxy service to use SSL when connecting to the OWA directories. Perform the following steps to force all connections to the OWA directories to negotiate an SSL connection:

  1. Click Start, point to Administrative Tools and click Internet Information Services. In the Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console. Next, you will force an SSL connection on the directories the remote OWA users will access through the ISA Server. These directories are:

/Exchange
/Exchweb
/Public

  2. Click the Exchange node in the left pane of the console to highlight it. Right click an empty area in the right pane of the console and click the Properties command.
  3. Click the Directory Security tab in the Exchange Properties dialog box. Click the Edit button in the Secure communications frame.
  4. In the Secure Communications dialog box, put a checkmark in the Require secure channel (SSL) checkbox. Put a checkmark in the Require 128-bit encryption checkbox. Click OK.
  5. Click Apply and then click OK in the Exchange Properties dialog box.
  6. Repeat the procedure to force an SSL connection on the /Exchweb and /Public directories in the left pane of the console. Close the Internet Information Services (IIS) Manager console after forcing SSL on the Exchange, Exchweb and Public directories.
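The two procedures above (Basic authentication only with a default domain, then SSL required on /Exchange, /ExchWeb and /Public) together define one access policy per directory. The following Python script is an added example, not code from the article or from IIS. It parses a constructed plaintext HTTP request, recovers the Basic credentials from it (which is exactly what a protocol analyzer on the corporate network sees when SSL is not forced), applies the IIS Default domain when the user name carries none, and evaluates requests against the policy using the status codes IIS returns (403 for a non-SSL request to an SSL-required directory, 401 to challenge for credentials). The default domain MSFIREWALL and the three directory names come from the article; the user name jsmith and its password are constructed sample values.

```python
"""Model of the OWA directory policy from this article: SSL required, Basic only.

Added example, not from the original article and not IIS code. The sample
request below is constructed for this example.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# The three directories the article publishes through the Web Proxy.
PROTECTED_DIRS = ("/exchange", "/exchweb", "/public")
# The Default domain entered on the Authentication Methods dialog in the article.
DEFAULT_DOMAIN = "MSFIREWALL"

# Constructed capture of a request sent WITHOUT SSL. The Authorization value is
# base64 of "MSFIREWALL\jsmith:Passw0rd!" (sample credentials, not real ones).
CAPTURED_REQUEST = (
    "GET /exchange/ HTTP/1.1\r\n"
    "Host: owa.msfirewall.org\r\n"
    "Authorization: Basic TVNGSVJFV0FMTFxqc21pdGg6UGFzc3cwcmQh\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def basic_header(user: str, password: str, domain: str = "") -> str:
    """Build an 'Authorization' value the way a browser does for Basic auth."""
    userpart = "%s\\%s" % (domain, user) if domain else user
    token = base64.b64encode(("%s:%s" % (userpart, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def parse_basic_credentials(header_value: str, default_domain: str = DEFAULT_DOMAIN) -> Optional[Tuple[str, str, str]]:
    """Decode a Basic Authorization value into (domain, user, password).

    Returns None for anything that is not well-formed Basic. The domain comes
    from a 'DOMAIN\\user' form when present; otherwise the IIS Default domain
    applies, which is why the article sets that field to MSFIREWALL.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    userpart, sep, password = decoded.partition(":")
    if not sep:
        return None
    if "\\" in userpart:
        domain, _, user = userpart.partition("\\")
    else:
        domain, user = default_domain, userpart
    return domain, user, password


def is_protected(path: str) -> bool:
    """True if the path lies inside one of the three published OWA directories."""
    p = path.split("?", 1)[0].lower()
    return any(p == d or p.startswith(d + "/") for d in PROTECTED_DIRS)


def evaluate_request(path: str, over_ssl: bool, authorization: Optional[str]) -> int:
    """Return the HTTP status the directory policy produces for one request."""
    if not is_protected(path):
        return 200          # policy applies only to the published directories
    if not over_ssl:
        return 403          # IIS 403.4: SSL required on this directory
    if authorization is None or parse_basic_credentials(authorization) is None:
        return 401          # challenge for Basic credentials
    return 200


if __name__ == "__main__":
    path, headers = parse_request(CAPTURED_REQUEST)
    creds = parse_basic_credentials(headers["authorization"])
    print("Plaintext capture of %s exposes credentials: %r" % (path, creds))
    print("Same request without SSL ->", evaluate_request(path, False, headers["authorization"]))
    print("Same request over SSL    ->", evaluate_request(path, True, headers["authorization"]))
```

The point of running the policy check on the captured request is the ordering: with SSL required, the plaintext request is refused with 403 before IIS ever evaluates the Authorization header, so the credentials are never solicited on an unprotected connection in the first place.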

Install ISA Server 2004 in Unihomed Proxy Mode

Perform the following steps to install ISA Server 2004 in unihomed Web Proxy mode:

  1. At the machine acting as the unihomed ISA Server 2004 Web Proxy machine, insert the ISA Server 2004 CD into the CD-ROM tray. On the autorun menu, click the Install ISA Server 2004 link.
  2. On the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page, click Next.
  3. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
  4. Enter your User Name, Organization and Product Serial Number on the Customer Information page. Click Next.
  5. On the Setup Type page, select the Custom option and click Next.
  6. On the Custom Setup page, note that Firewall Services, Advanced Logging and ISA Server Management are installed by default. We will accept these default settings and click Next.
  7. On the Internal Network page, click the Add button.
  8. On the Internal Network addresses page, click the Select Network Adapter button.
  9. On the Select Network Adapter page, remove the checkmark from the Add the following private ranges… checkbox. Put a checkmark in the Add address ranges based on the Windows Routing Table checkbox and put a checkmark in the checkbox next to the machine’s single adapter. Click OK.
  10. Click OK in the Setup Message dialog box informing you that the Internal network was defined based on the routing table.
  11. Click OK in the Internal network definition page.
  12. Click Next on the Internal Network page.
  13. On the Firewall Client Connection Settings page, do not put a checkmark in the Allow computers running earlier versions of Firewall Client software to connect checkbox. The reason for this is that in unihomed Web Proxy mode, the ISA Server 2004 machine cannot accept Firewall client connections. Click Next.
  14. Click Next on the Services page.
  15. Click Install on the Ready to Install the Program page.
  16. Click Finish on the Installation Wizard Completed page.
  17. Click Yes on the Microsoft ISA Server dialog box informing you that you must restart the computer.
  18. Log on as administrator after the ISA Server 2004 machine restarts.
  19. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node.
  20. Click the Networks node in the left pane of the console. Click the Templates tab in the Task Pane. Scroll down to the Single Network Adapter template and click it.
  21. Click Next on the Welcome to the Network Template Wizard page.
  22. On the Export the ISA Server Configuration page, you have the option to export the current configuration. This will create a backup file that you can use to restore the ISA Server 2004 machine’s current configuration. In this example we will not back up the configuration because this machine is a fresh install. Click Next.
  23. On the Internal Network IP Addresses page, accept the default settings for the Internal network. These addresses represent all valid IP addresses. The reason for this is that the unihomed ISA Server 2004 Web Proxy machine sees all machines as Internal, since the machine will not be acting as a firewall. Click Next.
  24. On the Select a Firewall Policy page, select the Apply default Web proxying and caching configuration policy. Click Next.
  25. Click Finish on the Completing the Network Template Wizard page.
  26. The new network topology appears in the Details Pane.
  27. Click Apply to save the changes and update the firewall policy.
  28. Click OK in the Apply New Configuration dialog box.

Importing the OWA Web Site Certificate into the ISA Server 2004 Web Proxy’s Machine Certificate Store

The Web site certificate must be imported into the ISA Server 2004 machine’s certificate store before it can be bound to the Web Listener. Only after the Web site certificate (along with its private key) is imported into the Web Proxy’s machine certificate store will the certificate be available for binding.

Perform the following steps to import the OWA server’s Web site certificate into the ISA Server’s machine certificate store:

  1. At the ISA Server 2004 Web Proxy machine, click Start and click on the Run command. Enter mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command.
  2. Click the Add button in the Add/Remove Snap-in dialog box.
  3. Click the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box. Click Add.
  4. Select the Computer account option on the Certificates snap-in page. Click Next.
  5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish.
  6. Click Close on the Add Standalone Snap-in page.
  7. Click OK in the Add/Remove Snap-in dialog box.
  8. Right click the Personal node in the left pane of the console, point to All Tasks and click Import.
  9. Click Next on the Welcome to the Certificate Import Wizard page.
  10. Click the Browse button and locate the certificate file. Click Next after the file path and name appear in the File name text box.
  11. On the Password page, enter the password for the file. Do not put a checkmark in the Mark this key as exportable checkbox. That option would allow you to back up or transport your keys at a later time, but you should not use it because this machine is a bastion host with an interface in a perimeter network or on the Internet and may be compromised; an attacker who compromises it could steal the private key from this machine if it is marked as exportable. Click Next.
  12. On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that it says Personal in the Certificate store box. Click Next.
  13. Review the settings on the Completing the Certificate Import Wizard page and click Finish.
  14. Click OK on the Certificate Import Wizard dialog box informing you the import was successful.
  15. You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN assigned to the Web site. This is the name external users use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it. Double click the Web site certificate in the right pane of the console.
  16. Expand the Trusted Root Certification Authorities node in the left pane of the console and scroll down to the CA certificate of the enterprise CA that issued the Web site certificate. Note that the enterprise CA certificate does not automatically appear in the Trusted Root Certification Authorities node. The reason for this is that the ISA Server 2004 machine does not belong to the same domain as the enterprise CA. We must copy the CA certificate into this node.
  17. Right click the EXCHANGE2003BE certificate (the CA certificate) in the \Personal\Certificates node and click Copy. Click on the \Trusted Root Certification Authorities\Certificates node. Right click on it and click Paste. The CA certificate now appears in the right pane of the console.

Summary

In this article we began the process of publishing an OWA Web site using a unihomed ISA Server 2004 Web Proxy server. In part 2 of this article, we will complete the configuration and test it using a Web client located outside of the Internal network.

Part 2 of this article is at: http://isaserver.org/articles/2004unihomedowapart2.html

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000044 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
