ISA Firewall Publishing OWA and RPC/HTTP with a Single IP Address: Part 2 – Single Exchange Server with Separate DC Scenario/LDAP Authentication

If you missed the other articles, check them out at:

Install Web Site Certificate on the Exchange Server

We need to request a Web site certificate for the msfirewall.org OWA server so that the ISA Firewall can establish a secure SSL connection from it’s internal interface to the OWA site itself. This enables us to have a secure, end-to-end, SSL connection from the external client to the OWA server itself, while at the same time allowing the ISA Firewall to perform application layer inspection on the communications moving between the OWA client and server.

Discuss this article

Perform the following steps to request a Web site certificate for the msfirewall.org OWA Web Site:

  1. At the SNGBEEXCH2003.msfirewall.org machine, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the left pane of the Internet Information Services (IIS) Manager console, expand the Web Sites node and click the Default Web Site. Right click Default Web Site and click Properties.
  3. On the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure communications frame.


Figure 1

  1. On the Welcome to the Web Server Certificate Wizard page, click Next.
  2. On the Server Certificate page, select the Create a new certificate option and click Next.


Figure 2

  1. On the Delayed or Immediate Request page, select the Send the request immediately to an online certificate authority option and click Next.


Figure 3

  1. On the Name and Security Settings page, accept the default settings and click Next.
  2. On the Organization Information page, enter your organization’s name in the Organization text box and your Organizational Unit’s name in the Organizational Unit text box. Click Next.


Figure 4

  1. On the Your Site’s Common Name page, enter the common name of the site. The common name is the name that external and internal users will use to access the site. For example, if users enter https://owa.msfirewall.org into the browser to access the OWA site, you would make the common name owa.msfirewall.org. In our current example, we will enter owa.msfirewall.org into the Common name text box. This is a critical setting. If you do not enter the correct common name, you will see errors when attempting to connect to the secure OWA site. Click Next.


Figure 5

  1. On the Geographical Information page, enter your Country/Region, State/province and City/locality in the text boxes. Click Next.
  2. On the SSL Port page, accept the default value, 443, in the SSL port this web site should use text box. Click Next.
  3. On the Choose a Certification Authority page, accept the default selection in the Certification authorities list and click Next.
  4. Review the settings on the Certificate Request Submission page and click Next.
  5. Click Finish on the Completing the Web Server Certificate Wizard page.
  6. Notice that the View Certificate button is now available. This indicates that the Web site certificate has been bound to the OWA Web site and can be used to enforce secure SSL connections to the Web site.


Figure 6

  1. Click OK in the Default Web Site Properties dialog box.

Export the Web Site Certificate to a File

The ISA Firewall impersonates the OWA Web site when the OWA client establishes the first SSL link between itself and the ISA Firewall. In order for the ISA Firewall to do this, you must export the Web site certificate and import that certificate into the ISA Firewall’s machine certificate store.

It is important that you export the Web site’s private key when you export the certificate to a file. If the private key is not included in the file, you will not be able to bind the certificate to a Web Listener on the ISA Firewall and the Web Publishing Rules will not work.

Perform the following steps to export the Web site certificate with its private key to a file:

  1. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then click the Default Web Site. Right click the Default Web Site and click Properties.
  2. In the Default Web Site Properties dialog box, click the Directory Security tab.
  3. On the Directory Security tab, click the View Certificate button in the Secure communications frame.
  4. In the Certificate dialog box, click the Details tab. On the Details tab, click the Copy to File button.


Figure 7

  1. Click Next on the Welcome to the Certificate Export Wizard page.
  2. On the Export Private Key page, select the Yes, export the private key option and click Next.


Figure 8

  1. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox and remove the checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) checkbox. Click Next.


Figure 9

  1. On the Password page, enter a Password and then enter it again in the Confirm Password field. Click Next.
  2. On the File to Export page, enter c:\OWAsiteCert in the File name text box. Click Next.
  3. Click Finish on the Completing the Certificate Export Wizard page.
  4. Click OK in the Certificate dialog box.
  5. Click OK in the Default Web Site Properties dialog box.
  6. Copy the OWAsiteCert.pfx file to the root of the C:\ drive on the ISA Firewall machine.

Discuss this article

Import the Web site Certificate into the ISA Firewall’s Machine Certificate Store

The Web site certificate must be imported into the ISA Firewall’s machine certificate store before they can be bound to the Web Listener. Only after the Web site certificate (along with its private key) is imported into the firewall’s machine certificate store will the certificate be available for binding.

Perform the following steps to import the msfirewall.org OWA server’s Web site certificate into the ISA Server’s machine certificate store:

  1. At the ISA Firewall, click Start and click on the Run command. Enter mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command.
  2. Click the Add button in the Add/Remove Snap-in dialog box.
  3. Click the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box. Click Add.
  4. Select the Computer account option on the Certificates snap-in page. Click Next.
  5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish.
  6. Click Close on the Add Standalone Snap-in page.
  7. Click OK in the Add/Remove Snap-in dialog box.
  8. Right click the Personal node in the left pane of the console, point to All Tasks and click Import.
  9. Click Next on the Welcome to the Certificate Import Wizard.
  10. Click the Browse button and locate the C:\OWAsiteCert.pfx certificate file. Click Next after the file path and the name will appear in the File name text box.


Figure 10

  1. On the Password page, enter the password for the file. Do not put a checkmark in the checkbox labeled Mark this key as exportable. This will allow you to back up or transport you keys at a late time. You should not use this option because this machine is a bastion host with an interface in a perimeter network or on the Internet and may be compromised. The compromiser might be able to steal the private key from this machine if it is marked as exportable. Click Next.
  2. On the Certificate Store page, confirm that the Place all certificate in the follow store option is selected and that it says Personal in the Certificate store box. Click Next.
  3. Review the settings on the Completing the Certificate Import page and click Finish.
  4. Click OK on the Certificate Import Wizard dialog box informing you the import was successful.
  5. You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN assigned to the Web site. This is the name external users use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it. Double click the Web site certificate in the right pane of the console.
  6. Expand the Trusted Root Certification Authorities node in the left pane of the console and click the Certificates node. You need to copy the enterprise CA’s certificate into the Trusted Root Certification Authorities\Certificates node. This can be done by right clicking on the CA certificate and then clicking the Cut command. Then you would click on the \Trusted Root Certification Authorities\Certificates node and click on the Paste button in the mmc’s button bar.

Close the MMC console. You can save the console if you like to make it easier to view certificates later.

Install the RPC/HTTP Proxy on the Exchange Server

In order to provide RPC/HTTP proxy services for the Outlook 2003 client, the Exchange Server must be configured as an RPC/HTTP proxy server. You do this by installing the RPC/HTTP Proxy service on the Exchange Server.

Perform the following steps to install the RPC/HTTP Proxy service on the Exchange Server:

  1. On the Exchange server that will be the RPC proxy server, click Start, click Control Panel, and then click Add or Remove Programs.
  2. In Add or Remove Programs applet, in the left pane, click Add/Remove Windows Components button.
  3. In the Windows Components Wizard, on the Windows Components page, select Networking Services, and then click the Details button.
  4. In Networking Services, select the RPC over HTTP Proxy check box, and then click OK.


Figure 11

  1. On the Windows Components page, click Next to install the RPC over HTTP Proxy Windows component.

Configure the Back-end Only Topology on the Exchange Server

The built in RPC/HTTP support for Exchange SP1 and above assumes that you’ll have a front-end/back-end Exchange Server configuration and doesn’t take into account the scenario where there is a single Exchange Server with a co-located RPC/HTTP Proxy. In order to support the single server scenario that doesn’t include a front-end Exchange Server, you need to configure the Exchange Server as a RPC/HTTP back-end Server and then perform some manual steps to configure a back-end only topology to use RPC over HTTP.

  1. In Exchange System Manager, expand Administrative Groups, and then expand the administrative group that contains your Exchange server.
  2. Expand the Servers object, right-click the Exchange server that you want to set as the RPC proxy server, and then select Properties.
  3. On the Exchange Server Properties page, click the RPC-HTTP tab, and then select the option next to RPC-HTTP back-end server. Click OK.


Figure 12

  1. The following dialog box appears informing you that you do not have an Exchange front-end server in your organization. Click OK to close this dialog box.


Figure 13

Configure the RPC Proxy Server to Use Specified Ports for RPC over HTTP

After you configure the RPC/HTTP networking component for Internet Information Services, you then need to configure the RPC proxy server. Configure the RPC proxy server to use specific ports to communicate with the Active Directory directory service and with the information store on the Exchange computer.

First, verify the registry values automatically set for the Exchange ports. When you run Exchange Server 2003 Setup, Exchange is configured to use the ports in the following table.

Server

Port

Service

Exchange Server (Global Catalog)

6001

Store

6002

DSReferral

6004

DSProxy

Table 1: Service Ports

The following registry values are automatically configured by Exchange Server 2003 Setup. Although you do not have to configure these registry values, you should verify that these registry values are configured correctly.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

Value name: Rpc/HTTP Port

Value type: REG_DWORD

Value data: 0x1771 (Decimal 6001)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

Value name: HTTP Port

Value type: REG_DWORD

Value data: 0x1772 (Decimal 6002)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

Value name: Rpc/HTTP NSPI Port

Value type: REG_DWORD

Value data: 0x1774 (Decimal 6004)

NOTE:
Do not modify these registry values. If you modify these registry values, RPC/HTTP may not function correctly.

Perform the following steps to configure the RPC proxy server to use specific ports:

  1. On the RPC proxy server, start Registry Editor (Regedit).
  2. In the console tree, locate the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
  3. In the details pane, right-click the ValidPorts subkey, and then click Modify.
  4. In Edit String, in the Value data box, type the following information:
    ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004;

  • ExchangeServer is the NetBIOS name (computer name) of your Exchange server.
  • ExchangeServerFQDN is the fully qualified domain name (FQDN) of your Exchange server. If the FQDN that is used to access the server from the Internet differs from the internal FQDN, you must use the internal FQDN.

To determine the NetBIOS name and the fully qualified domain name of your server, start a command prompt, enter ipconfig /all, and then press ENTER. Under Windows IP Configuration, information that is similar to the following appears:


Figure 14

The host name is the NetBIOS name of your computer. The host name together with the primary DNS suffix is the fully qualified domain name of your computer. In this example, the fully qualified domain name is mycomputer.contoso.com.

In our example, we would enter the following string for the RpcProxy Registry entry:

sngbeexch2003:6001-6002; sngbeexch2003.msfirewall.org:6001-6002; sngbeexch2003:6004; sngbeexch2003.msfirewall.org:6004;

Discuss this article

Summary

In this article we continued with our setup that will publish a single Exchange Server that is not co-located on the DC. We requested a Web site certificate for the OWA and RPC/HTTP site, we exported that certificate to the ISA Firewall and installed it into the ISA Firewall’s machine certificate store, we installed the RPC/HTTP proxy on the Exchange Server and we configured the Exchange Server with the appropriate ports to use to forward the RPC communications to the Exchange Server (in the Registry). In the next part of this article series we’ll create the OWA and RPC/HTTP Web Publishing Rule and make some custom configurations to the Web Listener so that everything works the way we want it to work. See you then! –Tom.

If you missed the other articles, check them out at:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top