Configuring ISA Server 2004 as an Exchange Frontend Server in the DMZ (Part 2)

If you missed the first part of this article series please read Configuring ISA Server 2004 as an Exchange Frontend Server in the DMZ (Part 1).

In this part we will look at how to configure the ISA Server and the surrounding services, and how to make that configuration as secure as possible.

This design is often the preferred design for small and medium companies (and sometimes even bigger companies) to securely publish:

  • Outlook Web Access
  • Outlook Mobile Access
  • Exchange Server Sync
  • RPC over HTTPS Services

Preparing your Environment

Before getting started with your installation you will have to design the physical hardware of your Reverse Proxy Server. Because it is protected by two physical firewalls, a single network card design is sufficient, which makes it quite easy to configure.

Hardening your Server

To harden your ISA Server as best as possible you should read the Microsoft ISA Server 2004 Security Hardening Guide that can be found at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx

In addition to this you will have to select the “Single Network Adapter” network template on your ISA Server to make things work properly. With this template every IP address is treated as internal.

Configuring RADIUS/IAS-Services

You also need an IAS service available in the internal network. IAS can be installed on any Windows Server 2003 machine. If you want to configure things for high availability, you should think about having two IAS servers.


Figure 1: Installing IAS Service

After having successfully installed the IAS services, you will need to configure them with their RADIUS clients, in this case your ISA Server in the DMZ. Communication generally uses the well-known RADIUS ports 1812 and 1813, but I would suggest that you configure your own ports to make things a little bit more secure.


Figure 2: Configuring Ports for IAS

Lastly you will have to make sure that your IAS server is registered in Active Directory using the IAS snap-in, as shown in the figure below.


Figure 3: Registering IAS in Active Directory

After having finished your preparations in Active Directory, you will now have to configure ISA Server to communicate with the IAS services.


Figure 4: Configuring IAS Service to support ISA Server


Figure 5: Configuring IAS Service Shared Secret

If you configure the request to contain the Message Authenticator attribute, this makes IAS more secure: the attribute is an HMAC over the whole RADIUS request keyed with the shared secret, so IAS can reject requests that were not built by a client that knows the secret or that were modified in transit.
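To show what the Message Authenticator attribute actually protects, here is an added example (not code from the article or from ISA Server) that builds a RADIUS Access-Request with the attribute as described in RFC 2869 and verifies it the way a RADIUS server such as IAS does. The shared secret, the request authenticator and the user name are constructed values for this example.

```python
import hashlib
import hmac
import struct

# Constructed values: a hypothetical shared secret and a fixed request
# authenticator so the example is reproducible. In production the
# authenticator is random per request and the secret is, well, secret.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (RFC 2865)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, nas_id: str,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869 5.14).
    The HMAC-MD5 is computed over the complete packet with the 16-byte
    Message-Authenticator value set to zero, keyed with the shared secret."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    packet[len(packet) - 16:] = mac   # fill in the zeroed attribute value
    return bytes(packet)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver side: locate the attribute, zero it, recompute and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False   # attribute absent: reject when the server requires it
```

A request that arrives with a wrong shared secret or with any attribute altered on the way from the DMZ to the internal network fails this check, which is why the attribute is worth requiring on the IAS side.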


Figure 6: Preparing ISA Server 2004

Now ISA Server knows that it is a RADIUS client of IAS and will be able to communicate with the IAS services.

Securing your Design

If you want communications to be as secure as possible, you will have to configure HTTPS both between the internet and ISA Server and between ISA Server and Exchange Server. You will have to create a web server certificate for your public URL. Because of some ISA Server internal design problems, the preferred solution is to use only one certificate for both servers. These problems are described here: http://support.microsoft.com/kb/841664/en-us

Using one certificate is quite easy, but you will have to create a DNS alias for the internal server that matches the certificate name and make sure that the certificate issuer is in the Trusted Root Certification Authorities store on both servers.

Configuring Webpublishing

After having finished the preparation tasks, the main task now is to make the reverse proxy functionality available.


Figure 7: Creating a new Mail Server Publishing Rule

First we will have to create a new Mail Server Publishing Rule for the Exchange Server that we want to publish.


Figure 8: Choosing the service to publish

The next step is to choose the correct services to publish. Here we need to choose the first radio button because our task is to publish Exchange services directly.


Figure 9: Selection of Web Mail Services

Now we need to select which web mail services should be published in detail.


Figure 10: Selection of Bridging Mode

For security reasons all traffic from the internet to ISA and from ISA to Exchange should be encrypted. SSL bridging means that ISA terminates the SSL connection, so its application filters are able to inspect each request before it is re-encrypted and forwarded to Exchange.


Figure 11: Configuring the internal Mail Server

Now we need to enter the IP address or the FQDN of our internal mail server, that is, our Exchange Server.


Figure 12: Configuring Public Name Details

At this point we will have to enter the public name of our published service, which must be the same name you have chosen for your SSL certificate.


Figure 13: Configuring a new Web Listener on the corresponding IP-Address

Now we will have to choose the correct IP address on which ISA Server listens for incoming requests.


Figure 14: Choosing the correct authentication method (RADIUS)

In one of the last steps for creating the new listener you will have to configure the authentication method; here we choose RADIUS.


Figure 15: Adding the corresponding RADIUS Server

Now we will have to add the corresponding RADIUS Server to our publishing rule.


Figure 16: Configuring User Sets

The last step is to configure the correct RADIUS user set, backed by the Active Directory group that is allowed to access our newly published server.


Figure 17: Applying new settings

The final step to make things work is to apply this new rule to your ISA Server. Then make sure that everything is working properly.

If there are any problems that need troubleshooting, the logging feature of ISA Server is your friend and will help you find out where things are going wrong.

Conclusion

After having configured and tested everything you will see that this design is more secure than placing Exchange Server 2003 directly in your DMZ. You get more security and, in addition to this, lower cost, as an ISA Server license is less expensive than an Exchange Server one.

If you still have any further questions, please do not hesitate to contact me.
