ISA Firewall Publishing OWA and RPC/HTTP with a Single IP Address: Part 1 – Single Exchange Server with Separate DC Scenario/LDAP Authentication

I’ve done a lot of articles on publishing Exchange Server services on this site. However, all the articles either assume that you have a front-end/back-end Exchange configuration or that you have a single Exchange Server that is co-located on a domain controller. While these configurations are easy for me to configure in my lab, they might not be the most common deployment scenarios. I’m not an Exchange Server expert (at least I don’t know nearly as much about Exchange as I know about ISA), so I could be off in my assumptions about what common Exchange deployments look like.

I began to think about this when I noticed a cluster of requests for information about publishing a single Exchange Server that wasn’t a domain controller and where there was no front-end Exchange Server. This got me to think that this is really the best configuration for a small business that doesn’t plan on remaining small, and for medium sized businesses. From what I understand, the Microsoft Exchange team recommends that you do not place the Exchange Server on a domain controller, both for performance and for security reasons.

This makes sense to me, and so it’s motivated me to do this document on publishing OWA and RPC/HTTP sites using the single Exchange Server scenario, where the Exchange Server is not co-located on the domain controller. In this document I’ll focus on the 2006 ISA Firewall (ISA Server 2006) and many of the new features included in the new ISA Firewall that support secure remote access connections to Microsoft Exchange and make the ISA Firewall the firewall for all networks requiring secure remote access to Exchange Servers.

The Lab Network

The lab network used in the document is fairly simple:

  • A single ISA 2006 Standard Edition Firewall
  • A single domain controller for the msfirewall.org domain
  • A single back-end Exchange Server that belongs to the msfirewall.org domain
  • A Windows XP SP2 client that connects to the Exchange Server from the external network

Configuration details for each of these include:

ISA Firewall

  • Install Windows Server 2003 SP1
  • Run Microsoft Update and update the core operating system
  • Install ISA 2006 Standard Edition using the default edge firewall configuration
  • Rerun Microsoft Update to update any components introduced by the ISA Firewall installation
  • Configure the external interface with a valid IP address and subnet mask, as well as a valid default gateway and no DNS server address
  • Configure the internal interface with a valid IP address and subnet mask, and configure the internal interface with a DNS server, which is the DNS server on the domain controller
  • Create an anonymous access rule for HTTP/HTTPS for the Microsoft Updates sites so that the DC and the Exchange Server can access the Microsoft Update sites
  • The machine is not a domain member in this scenario

Domain Controller

  • Install Windows Server 2003 SP1
  • Run Microsoft Update to update the core operating system
  • Run dcpromo to promote the machine to a domain controller
  • Install the DHCP service. Create a DHCP scope and activate the scope
  • Install Microsoft Certificate Services in enterprise CA mode
  • Install the Microsoft IAS service for RADIUS support (although it’s not used in this scenario)
  • Install WINS (to support name resolution for VPN clients, although not used in this scenario)
  • Run Microsoft Update again to update components that may have been installed with these services
  • Configure the network interface with a valid IP address and subnet mask, and to use itself as its DNS and WINS server. Configure the default gateway to be the internal IP address of the ISA Firewall

Exchange Server

  • Install Windows Server 2003 SP1
  • Run Microsoft Update to update the core operating system
  • Install the IIS WWW service, SMTP service, NNTP service and RPC/HTTP service
  • Install Microsoft Exchange Server 2003
  • Install Microsoft Exchange Server SP2
  • Run Microsoft Update again to update the Exchange Server components
  • Configure the network interface with a valid IP address and subnet mask, and to use the domain controller as its DNS server and WINS server. Configure the default gateway to be the internal IP address of the ISA Firewall

Windows XP Service Pack 2

  • Install Windows XP Service Pack 2
  • Configure the client with a valid IP address on the external network, including a DNS server and default gateway that will allow it to access the Microsoft Update site
  • Run Microsoft Update to update the core operating system
  • Install Outlook 2003 on the XP client
  • Run Microsoft Update to update the Microsoft Office components
  • Remove the DNS server address on the NIC (so that the public msfirewall.org entries aren’t used by the client)

The figure below shows a high-level view of the network.


Figure 1

In this paper we’ll do the following:

  • Install a Web Site Certificate on the Exchange Server: The Exchange Server needs a Web site certificate so that we can have a secure SSL channel between the ISA Firewall’s internal interface and the Web site itself.
  • Export the Web Site Certificate to a File: The Web site certificate, along with its private key, needs to be exported to a file so that we can copy the file to the ISA Firewall. This will allow us to install the Web site certificate, along with its private key, into the ISA Firewall’s machine certificate store.
  • Import the Web Site Certificate into the ISA Firewall’s Machine Certificate Store: We need to import the Exchange Server’s Web site certificate into the ISA Firewall’s machine certificate store so that we can bind this certificate to the Web listener that will be accepting incoming connections for the OWA and RPC/HTTP Web sites.
  • Install the RPC/HTTP Proxy on the Exchange Server: The RPC/HTTP proxy service is not part of the Exchange Server installation. Instead, you need to install the RPC/HTTP proxy service from the Add/Remove Programs applet in the Control Panel as one of the Windows optional network services.
  • Configure the Back-end Only Topology on the Exchange Server: The built-in support for RPC/HTTP included with Exchange assumes that you have a front-end/back-end configuration. In the single server scenario we have only a single server, so we have to force the Exchange Server to treat our computer as a single, back-end server.
  • Configure the RPC Proxy Server to Use Specified Ports for RPC over HTTP: This is the piece of automation that is left out when not using the front-end/back-end Exchange Server configuration, so we’ll have to create the Registry entries for the required ports ourselves.
  • Create the OWA and RPC/HTTP Web Publishing Rule: The Exchange Server is now set up and we can begin to configure the ISA Firewall. We’ll begin by creating the OWA and RPC/HTTP Web Publishing Rule.
  • Configure the Outlook Client: One thing often left out of articles like this is the configuration of the client. The author will spend countless hours explaining how the server configuration works, and then just throw you to the winds in terms of client configuration, often with the result that the solution doesn’t work because the client was not set up correctly. We’ll not make that mistake here and will go through detailed information on how to set up the Outlook 2003 client.
  • Test the Configuration: The proof of the pudding is in the eating! That’s what we’ll do here. We’ll test out the configuration using the Outlook 2003 client and Internet Explorer and see what happens. Of course, it’s going to work.
  • Create an LDAP Group, Limit OWA and RPC/HTTP to the LDAP Group and Test the Configuration: Now we’ll start with some more advanced configuration options that move past the basic Web Publishing Rule. Many ISA Firewall admins need to remove the ISA Firewall from the domain. In such scenarios, the ISA Firewall admin can benefit from LDAP authentication and leverage existing users and groups already part of the Active Directory.
  • Create an HTTPS Redirect for HTTP Connections and Test the Configuration: Here we’ll see how you can configure the ISA Firewall to automatically redirect HTTP connections to HTTPS, so that users don’t need to enter HTTPS in the browser’s Address bar.
  • Create a Redirect to Forward Root Directory Connections to the /Exchange Path: Another issue that ISA Firewall admins have to deal with is users who “forget” to enter the /Exchange path at the end of the URL. In this section we’ll discuss how you can make things easier for users by configuring the ISA Firewall to automatically redirect users.
  • Enable Password Changes and Notification for LDAP Authentication: A frequently requested feature is the ability to make it easy for users to change their passwords via the OWA interface, in addition to letting users know when their passwords are about to expire. The new ISA Firewall provides this feature and we’ll see how you configure it when using LDAP authentication.
  • Publish Exchange for Outlook MAPI Clients using Secure RPC Publishing: Many organizations have not upgraded to Outlook 2003 and Windows XP SP1 or above, and therefore don’t support RPC/HTTP. The ISA Firewall’s Secure RPC Publishing feature makes it possible for these companies to provide seamless support for Outlook remote access connections and do so in a very secure manner.
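The RPC proxy port entries mentioned under “Configure the RPC Proxy Server to Use Specified Ports for RPC over HTTP” are what decide which internal hosts and ports the RPC/HTTP proxy will forward to, so an over-broad value quietly widens the published surface. The following added example (not code from the article or from Microsoft) audits that value; it assumes the documented RPC proxy key HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy with its ValidPorts string in "host:port[-port];host:port" form, the default Exchange 2003 RPC/HTTP ports 6001-6002 and 6004, and the constructed server name exchange2003 in the msfirewall.org domain.

```powershell
# Added example: audit the RPC proxy ValidPorts entry for a single back-end
# Exchange Server. Key/value name and port set are assumed from the RPC over
# HTTP documentation; host names are constructed for this lab.
$RpcProxyKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'

# Build the ValidPorts string the single-server scenario needs: store and
# referral (6001-6002) plus the NSPI/DSProxy port (6004) on the Exchange box.
function New-ValidPortsValue {
    param([string[]]$ExchangeHosts)
    return ($ExchangeHosts | ForEach-Object { "${_}:6001-6002;${_}:6004" }) -join ';'
}

# Parse "host:low-high;host:port" into host/range objects.
function ConvertFrom-ValidPorts {
    param([string]$Value)
    foreach ($entry in ($Value -split ';' | Where-Object { $_ })) {
        $hostName, $ports = $entry -split ':', 2
        $lo, $hi = $ports -split '-', 2
        if (-not $hi) { $hi = $lo }
        [pscustomobject]@{ Host = $hostName; Low = [int]$lo; High = [int]$hi }
    }
}

# Report anything that lets the proxy reach beyond the Exchange Server:
# wildcard hosts, hosts not in the allowed list, or ports outside the set.
function Test-ValidPorts {
    param([string]$Value, [string[]]$AllowedHosts)
    $allowedPorts = 6001, 6002, 6004
    foreach ($e in ConvertFrom-ValidPorts $Value) {
        if ($e.Host -match '\*') { "wildcard host entry: $($e.Host)"; continue }
        if ($AllowedHosts -notcontains $e.Host) { "unexpected host: $($e.Host)" }
        $e.Low..$e.High | Where-Object { $allowedPorts -notcontains $_ } |
            ForEach-Object { "unexpected port $_ on $($e.Host)" }
    }
}

# Usage: compare the configured value with what this scenario requires.
$hosts = 'exchange2003', 'exchange2003.msfirewall.org'   # constructed names
$current = (Get-ItemProperty -Path $RpcProxyKey -Name ValidPorts -ErrorAction SilentlyContinue).ValidPorts
if (-not $current) { $current = '' }
$findings = @(Test-ValidPorts -Value $current -AllowedHosts $hosts)
if ($findings) { $findings } else { 'ValidPorts is limited to the Exchange Server and RPC/HTTP ports' }
'Expected value: ' + (New-ValidPortsValue -ExchangeHosts $hosts)
```

Run it on the Exchange Server after the RPC/HTTP proxy is installed; any line it prints names an entry that forwards to something other than the single back-end server.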

Summary

In this article we discussed the issues with previous Exchange/ISA articles done on the ISAserver.org site and how they are all based on either a single Exchange Server that is co-located on a DC or as part of a front-end/back-end Exchange Server configuration. In this article series we’ll change course and show how to configure ISA 2006 Firewalls to publish single server Exchange Servers, where the Exchange Server is not co-located on a DC. We’ll focus on one of the most popular deployment scenarios: publishing both OWA and RPC/HTTP, with the goal of making this article series the authoritative voice on publishing both OWA and RPC/HTTP in a single server environment. After publishing the OWA and RPC/HTTP sites, we’ll take a look at some of the more advanced features and demonstrate some of the new capabilities included with the new ISA 2006 Firewall.
