Publishing Outlook Web Access Web Sites with a Unihomed (Single-NIC) ISA Server 2004 Web Proxy Server: Part 2


by Thomas W Shinder M.D.

Part 1 of this article is at: http://isaserver.org/articles/2004unihomedowapart1.html

In part 1 of this two-part series on how to publish OWA Web sites using a single-NIC (unihomed) ISA Server 2004 Web Proxy server, we explained the rationale for creating this type of setup and then went through a number of configuration steps related to ISA Server 2004 configuration and certificate enrollment. If you haven’t read that article yet, head on over to Publishing Outlook Web Access Web Sites with a Unihomed (Single-NIC) ISA Server 2004 Web Proxy Server: Part 1. After going through those steps you’ll be ready to continue with this article.

In this article you will do the following:

  • Create a HOSTS file entry for the OWA Web site address and run the Outlook Web Access Publishing Wizard
  • Create a Server Publishing Rule on the back-end firewall
  • Publish the Web enrollment site
  • Create a HOSTS file entry on the OWA client machine
  • Make the connection to the OWA site via the unihomed Web Proxy server
Creating a HOSTS File Entry for the OWA Web Site Address and Running the Outlook Web Access Publishing Wizard

In a production environment, you should create a split DNS infrastructure that enables hosts on the Internal and External networks to properly resolve the name of the OWA Web site. We have not configured a split DNS infrastructure in our current example, so we will use a HOSTS file on the ISA Server 2004 Web Proxy machine that enables the Web Proxy to resolve the name of the OWA site to the site’s Internal IP address.

Perform the following steps to create the HOSTS file entry that maps the OWA site name to the IP address on the external interface of the firewall that publishes the OWA site to the Internet. In this case, the Server Publishing Rule that publishes the OWA site to the Internet will be configured to listen on IP address 192.168.1.70:

  1. Open Windows Explorer, navigate to the \WINDOWS\system32\drivers\etc directory and open the hosts file.
  2. In the Open With dialog box, select Notepad and click OK.
  3. The HOSTS file is opened in Notepad. Add a line at the end of the hosts file that resolves the name in the redirect to the IP address that can reach the OWA server on the internal network. For example, if the firewall in front of the OWA server on the internal network is performing reverse NAT to publish the internal OWA site, and the redirect is owa.msfirewall.org, you would add the following entry:

192.168.1.70 owa.msfirewall.org

“192.168.1.70” is the IP address of the firewall that publishes the OWA server to the Internet. In our current example, the ISA Server 2004 firewall behind the ISA Server 2004 Web Proxy machine is acting as a conventional firewall and uses reverse NAT to publish the OWA site on the internal network.

  4. Close Notepad and click Yes to save the changes made to the file.

Now we’re ready to create the OWA Web Publishing Rule on the ISA Server 2004 Web Proxy machine. Perform the following steps to securely publish the Exchange OWA Web site:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Click the Tasks tab in the Task Pane. Click the Publish a Mail Server link.
  2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we will call it Publish OWA Web Site. Click Next.
  3. On the Select Access Type page, select the Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) option and click Next.
  4. On the Select Services page, put a checkmark in the Outlook Web Access checkbox. Confirm that there is a checkmark in the Enable high bit characters used by non-English character sets checkbox. This option allows OWA users to access mail using non-English character sets. Click Next.
  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next. This option creates a Web Publishing Rule that ensures a secure SSL connection from the client to the OWA Web site. This prevents the traffic from moving in the clear, where an intruder could sniff the traffic and intercept valuable information. The external client that makes an SSL connection expects that traffic to be secure from end to end.
  6. On the Specify the Web Mail Server page, enter the name of the Internal OWA Web site in the Web mail server text box. In this example, we will use the name owa.msfirewall.org. Note that this is the name used for the Exchange Server site on the internal network and this is the common name on the OWA Web site’s certificate. You could use an IP address, but that would create problems with the SSL connection between the interface of the ISA Server 2004 Web Proxy and the Exchange OWA site. You can use either a split DNS or a HOSTS file entry on the ISA Server 2004 Web Proxy machine to resolve this name to the IP address used by the Exchange Server on the internal network. This is required to ensure that the name in the request the ISA Server 2004 Web Proxy sends to the Exchange Server on the internal network is the same as the name on the certificate installed on the OWA Web site. Click Next.
  7. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Again, this is the name the external users use when accessing the Web site, and this is also the common name on the Web site certificate. This is the name the user enters into the browser’s Address bar. Click Next.
  8. On the Select Web Listener page, click the New button. The Web listener works like the Web listener in ISA Server 2000, but with ISA Server 2004, you have more options. For example, you can create separate Web listeners for SSL and non-SSL connections on the same IP address. In addition, the Web listener settings are no longer global, and you can configure separate settings for each listener based on the number of addresses bound to the interface of the ISA Server 2004 Web Proxy.
  9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will use the name OWA SSL Listener. Click Next.
  10. On the IP Addresses page, put a checkmark in the Internal checkbox. Click the Address button.
  11. In the Internal Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. In the Available IP Addresses list, click the Internal IP address on the ISA Server 2004 Web Proxy that you want to listen for incoming requests to the OWA site. In this example, we will select 192.168.1.95. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
  12. Click Next on the IP Addresses page.
  13. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Leave the SSL port number at 443. By configuring this listener to use only SSL, you can configure a second listener with different settings that is dedicated to non-SSL connections.
  14. Click the Select button. In the Select Certificate dialog box, click the OWA Web site certificate that you imported into the ISA Server 2004 Web Proxy’s machine certificate store and click OK. Note that this certificate will appear in this dialog box only after you have installed the Web site certificate into the ISA Server 2004 Web Proxy’s machine certificate store. In addition, the certificate must contain the private key. If the private key was not included, the certificate will not appear in this list.
  15. Click Next on the Port Specification page.
  16. Click Finish on the Completing the New Web Listener page.
  17. The details of the Web listener now appear on the Select Web Listener page. Click Edit.
  18. In the OWA SSL Listener Properties dialog box, click the Preferences tab.
  19. On the Preferences tab, click the Authentication button.
  20. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured. Place a checkmark in the OWA Forms-Based authentication checkbox. The OWA Forms-based authentication feature is very useful and enhances the security the ISA Server 2004 Web Proxy provides for your OWA site. The Web Proxy generates the logon form and then forwards the credentials sent by the user to the OWA site for authentication. Only after the user is successfully authenticated is the connection request forwarded to the OWA site. This prevents unauthenticated users from connecting to the OWA site and eliminates the risks inherent in unauthenticated users accessing the OWA site. Note that you must not enable forms-based authentication at the Exchange Server’s OWA site. Forms-based authentication should be enabled only at the ISA Server 2004 Web Proxy. Click the Configure button.
  21. In the OWA Forms-Based Authentication dialog box, put checkmarks in the Clients on public machines, Clients on private machines and Log off OWA when the user leaves OWA site checkboxes. These settings enhance security for your OWA site. Note that you also have the option to set the session time-outs for clients on both public and private machines. It is important to note that the user decides whether the machine should be recognized as public or private. Because it is not good security policy to let the user determine the level of security applied to a connection, you should force the same policy on all users. Click OK.
  22. Click OK in the Authentication dialog box.
  23. Click Apply and then click OK in the OWA SSL Listener Properties dialog box.
  24. Click Next on the Select Web Listener page.
  25. On the User Sets page, accept the default entry, All Users, and then click Next. Note that this does not mean that all users will be able to access the OWA site. Only users who can authenticate successfully will be able to access the site. The actual authentication is done by the OWA site, using the credentials that the ISA Server 2004 Web Proxy forwards to it. You cannot have both the ISA Server 2004 Web Proxy itself and the OWA site authenticate the user. This means that you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 Web Proxy itself using client certificate authentication.
  26. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
  27. Click Apply to save the changes and update the firewall policy.
  28. Click OK in the Apply New Configuration dialog box.

It’s important to note that in this type of configuration you cannot configure the OWA Web Publishing Rule to forward the original client IP address to the OWA site. The reason for this is that intelligent Web Proxy services are not present along the complete request path. In our example, the back-end firewall is a conventional packet filter based firewall (which we simulate with a Server Publishing Rule on an ISA Server 2004 firewall).

When the original source IP address is sent to the OWA Web site, the OWA server will attempt to respond directly to that IP address. Because the back-end firewall is a conventional packet filter, it does not track the connection back to the actual server that forwarded the request, which in this case is the unihomed Web Proxy server. However, if we had used an OWA Web Publishing Rule on the back-end firewall, we could have preserved the source IP address.

Create a Server Publishing Rule on the Back-end Firewall

We’re now ready to publish the OWA site on the Internal network. In this example the ISA Server 2004 firewall will simulate a conventional packet filtering firewall that performs reverse NAT to make the OWA Web server available to the ISA Server 2004 Web Proxy server in front of it.

Perform the following steps to publish the OWA Web site:

  1. On the ISALOCAL machine behind the unihomed ISA Server 2004 Web Proxy computer, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name in the left pane. Click the Firewall Policy node.
  2. Click the Tasks tab in the Task Pane. On the Tasks tab, click the Create a New Server Publishing Rule link.
  3. On the Welcome to the New Server Publishing Wizard page, enter Publish OWA Server in the Server publishing rule name text box. Click Next.
  4. On the Select Server page, enter 10.0.0.2 in the Server IP address text box. Click Next.
  5. On the Select Protocol page, select the HTTPS Server entry in the Selected protocol list. Click Next.
  6. On the IP Addresses page, put a checkmark in the External checkbox and click Next.
  7. Click Finish on the Completing the New Server Publishing Rule page.
  8. Click Apply to save the changes and update the firewall policy.
  9. Click OK in the Apply New Configuration dialog box.

Configuring the public DNS to resolve the name of the OWA site

Correct DNS host name resolution is critical when you design a remote access solution. The ideal DNS configuration allows users who move between the internal and external networks to be able to resolve host names to the correct address regardless of where they are currently located.

The ideal DNS configuration is the split DNS. A split DNS infrastructure consists of two zones that serve the zone domain and subdomains:

  •  An internal zone that is used only by internal network hosts
  •  An external zone that is used only by external network hosts

Internal network hosts that need to resolve names on the internal network query the internal network zone and receive the internal network IP address of the host to which they want to connect. External network hosts query the external network zone and receive a public IP address to which they can connect. The destination machine is the same for the external and internal hosts; they just take different routes to arrive at their common destination.

For example, your internal network domain to which the Exchange Servers belong is domain.com. You publish the OWA site to the Internet using ISA Server 2000. The ISA Server uses IP address 131.107.0.1 to listen for incoming requests for the OWA site. The Exchange Server on the internal network has the IP address 10.0.0.3.

Your goal is to allow all hosts, regardless of their locations, to access the Exchange Server using the FQDN owa.domain.com. You want hosts on the internal network to connect directly to the OWA site using the IP address 10.0.0.3 and you want remote hosts connecting from the Internet to use IP address 131.107.0.1 to access the OWA site.

The solution is to create entries on a publicly available DNS server for the domain.com domain. You can have a third party host your DNS services or you can host them yourself. Regardless of who hosts these addresses, the DNS resource records for the domain.com domain on this publicly available DNS server contain the public addresses you want users to use to access resources. In the case of the published resources on the Exchange Server, you should create a Host (A) record for owa.domain.com that maps to the IP address 131.107.0.1.

You should then create a second DNS server on the internal network behind the ISA Server firewall. The internal network DNS server also hosts a zone for the domain.com domain. You should create a Host (A) resource record on the internal network DNS server within the domain.com zone for owa.domain.com. The difference is that this time you map the entry to 10.0.0.3.

External network hosts are assigned a DNS server address that allows them to resolve names to public addresses. How these external hosts are assigned an IP address depends on where they are located. You usually have no control over the specific DNS server address that’s assigned to your remote hosts. However, this is not a problem. If you have registered your domain.com with an Internet Registrar and indicated the correct address for the publicly available authoritative DNS server for your domain, external hosts will have no problems resolving your public addresses correctly.

Internal network hosts can be assigned a correct DNS server address using DHCP. When a remote host moves into the internal network, it will receive new IP addressing information, including a DNS server address, from your DHCP server. When the host receives the IP address of your internal DNS server, it will then be able to resolve the names associated with the Exchange Server to its internal address.

Publishing the Web Enrollment Site

The Web enrollment site allows external hosts to obtain computer and Web site certificates from the enterprise CA located behind the ISA Server 2004 firewall. We will not require an SSL connection to request the certificate in this example because we only want to obtain a CA certificate.

Perform the following steps on the ISA Server 2004 firewall machine that lies in front of the enterprise CA (do not perform these steps on the unihomed Web Proxy machine) to publish the enterprise CA’s Web enrollment site:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
  2. In the Task Pane, click the Tasks tab. On the Tasks tab, click the Publish a Web Server link.
  3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing Rule Wizard page. In this example, we will enter the name Publish Web Enrollment Site in the Web publishing rule name text box. Click Next.
  4. Select the Allow option on the Select Rule Action page.
  5. On the Define Website to Publish page, enter the IP address of the enterprise CA’s Web site in the Computer name or IP address text box. In this example, the IP address is 10.0.0.2, so we will enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.
  6. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list box. In the Public name text box, enter the IP address on the external interface of the firewall. In this example, the main office ISA Server 2004 firewall’s external address is 192.168.1.70, so we will enter that value into the text box. Enter /certsrv/* into the Path (optional) text box. Click Next.
  7. On the Select Web Listener page, click the New button.
  8. On the Welcome to the New Web Listener page, enter a name for the listener in the Web listener name text box. In this example, we will name the listener Listener70, to indicate the IP address on which the listener is listening. Click Next.
  9. On the IP addresses page, put a checkmark in the External checkbox and click Next.
  10. On the Port Specification page, accept the default settings. Confirm that there is a checkmark in the Enable HTTP checkbox and that the value 80 is in the HTTP port text box. Click Next.
  11. Click Finish on the Completing the New Web Listener Wizard page.
  12. Click Next on the Select Web Listener page.
  13. Accept the default setting, All Users, on the User Sets page and click Next.
  14. Click Finish on the Completing the New Web Publishing Rule Wizard page.
  15. Right click the Publish Web Enrollment Site rule and click Properties.
  16. In the Publish Web Enrollment Site Properties dialog box, click the Paths tab. On the Paths tab, click the Add button. In the Path mapping dialog box, enter /CertControl/* in the Specify the folder on the Web site that you want to publish text box (the dialog notes that leaving this field blank publishes the entire Web site). Click OK.
  17. Click Apply and then click OK in the Publish Web Enrollment Site Properties dialog box.
  18. Click Apply to save the changes and update the firewall policy.
  19. Click OK in the Apply New Configuration dialog box.

Installing the Enterprise CA Certificate on the OWA Client Machine

Now we must obtain the CA certificate from the enterprise CA on the internal network. We can connect to the Web enrollment site to obtain the CA certificate. Perform the following steps to obtain the CA certificate and install it on the OWA client computer:

  1. On the OWA e-mail client computer, enter http://192.168.1.70/certsrv in the Address bar and press ENTER.
  2. In the Connect to dialog box, enter Administrator in the User name text box and the Administrator’s password in the Password text box. Click OK.
  3. On the Welcome page of the Microsoft Certificate Services site, click the Download a CA certificate, certificate chain, or CRL link.
  4. On the Download a CA Certificate, Certificate Chain, or CRL page, click the Install this CA certificate chain link.
  5. Click Yes in the Security Warning dialog box asking if you want to install the Microsoft Certificate Enrollment Control.
  6. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site will add a certificate to the machine.
  7. Click Yes in the Root Certificate Store dialog box asking if you want to add the CA certificate.
  8. Close the browser after you see the CA Certificate Installation page that informs you that The CA certificate chain has been successfully installed.

Creating a HOSTS File Entry on the OWA Client Machine

The OWA client machine must be able to resolve the name that is on the OWA server’s Web site certificate. The name we assigned to the Web site certificate on the OWA server is owa.msfirewall.org. The OWA client machine must be able to resolve this name to the IP address on the interface of the ISA Server 2004 Web Proxy that listens for incoming requests to the OWA server. In our current example, this is 192.168.1.95.

In a production environment, you should have a split DNS infrastructure that correctly resolves names for both internal and external network clients. We have not created a split DNS infrastructure in our example, so we will use a HOSTS file to resolve owa.msfirewall.org to the correct IP address.

Perform the following steps to create the HOSTS file entry on the e-mail client machine:

  1. Right click Start and click Explore.
  2. Navigate to \system32\drivers\etc and open the HOSTS file in Notepad.
  3. In the HOSTS file, enter a line under the localhost entry:

192.168.1.95 owa.msfirewall.org

Ensure that you press ENTER after you complete the line so that the insertion point is under the new line. Otherwise, the new entry won’t be recognized.

  4. Close the HOSTS file and save the changes.
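A small helper for the two HOSTS file edits made in this article (192.168.1.70 on the Web Proxy, 192.168.1.95 on the OWA client), as an added example that is not part of the original article: it parses a Windows HOSTS file, replaces any stale mapping for the name instead of adding a duplicate, and always writes a trailing newline so the last entry is read. The file content below is constructed sample input.

```python
"""Idempotently add or update a Windows HOSTS file entry (added example,
not from the article). Two things the manual Notepad procedure warns
about are handled: a stale mapping for the same name is replaced rather
than duplicated, and the result always ends with a newline, since the
article notes that a last line without ENTER after it is not recognized.
"""
import re

# Constructed sample: a default HOSTS file with no trailing newline.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost"
)


def parse_hosts(text):
    """Return a list of (ip, [names]) for every non-comment line."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop inline comments
        if not body:
            continue
        fields = body.split()
        entries.append((fields[0], fields[1:]))
    return entries


def set_hosts_entry(text, ip, name):
    """Return new HOSTS content in which `name` maps to `ip` and nothing else.

    Every existing line that maps `name` (case-insensitively) is dropped,
    the new mapping is appended, and the file ends with a newline.
    """
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        raise ValueError("expected a dotted-quad IPv4 address: %r" % ip)
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            continue   # stale mapping for this name; it is replaced below
        kept.append(line)
    kept.append("%s %s" % (ip, name))
    return "\n".join(kept) + "\n"


def lookup(text, name):
    """Resolve `name` from HOSTS content; the first matching line wins."""
    for ip, names in parse_hosts(text):
        if name.lower() in (n.lower() for n in names):
            return ip
    return None


if __name__ == "__main__":
    updated = set_hosts_entry(SAMPLE_HOSTS, "192.168.1.95", "owa.msfirewall.org")
    print(updated)
    print("owa.msfirewall.org ->", lookup(updated, "owa.msfirewall.org"))
```

Run against the real file, the returned text would be written back to \WINDOWS\system32\drivers\etc\hosts; the sample here keeps everything in memory.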

Making the Connection to the OWA Web Site

Perform the following steps to make the connection to the OWA Web site:

  1. Open Internet Explorer, enter http://owa.msfirewall.org/exchange into the Address bar and press ENTER.
  2. On the Outlook Web Access logon page, enter MSFIREWALL\Administrator in the Domain\user name text box and enter the Administrator’s password in the Password text box. Select the Premium option under Client. Select the Private computer option under Security. Click Log On.
  3. The OWA Site opens in an SSL window. The padlock icon in the status bar of Internet Explorer confirms the secure link.
  4. Click Log Off to log off the OWA Web site.

Summary

In this two-part series on how to publish OWA using a single-NIC (unihomed) ISA Server 2004 Web Proxy, we went through detailed step-by-step procedures on how to make the configuration work. This setup is ideal for organizations that want to take advantage of ISA Server 2004 HTTP application layer intelligence without having to roll out the ISA Server 2004 machine as a firewall. In future articles we will discuss how to configure Web proxy chaining to further enhance the flexibility this type of solution provides.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000044 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
