Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients – Part 1

Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients – Part 1

by Thomas W Shinder MD, MVP

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000760

If you would like to read the next article in this series then please read Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients (Part 2)

The ISA firewall’s forms-based authentication (FBA) feature is one of the killer apps included with the ISA firewall. The ISA firewall’s FBA capability enables the ISA firewall to generate the OWA log on form instead of requiring the Exchange Server to generate the form. This is a tremendous security boon because it enables you to force authentication at the ISA firewall before any connections are forwarded to the Exchange Server. This prevents the situation you see when simple packet filter based firewalls are in front of the Exchange Server and FBA is enabled on the Exchange Server itself. This latter configuration allows unauthenticated and unauthorized connection attempts to the Exchange Server, sometimes with unpleasant results.

One of the requirements of the ISA firewall’s FBA feature is that FBA must be disabled on the Exchange Server. While this isn’t a problem for remote access clients connecting to the Exchange Server’s OWA site, it’s a big problem for ISA firewall admins who want to allow users on the corporate network access to the site.

The reason this is a problem is that in almost all circumstances, you want to prevent users from looping back through the ISA firewall to access corporate resources. Looping back through the ISA firewall to access resources on the corporate network needlessly sucks up the firewall’s processor, disk, and memory resources. For this reason, a split DNS and Direct Access for local resources should always be configured to prevent the looping back misconfiguration phenomenon.

Note:
It might be more accurate to state that you don’t want to allow users to loop back through the ISA firewall to access resources on the same ISA firewall Network. This is a more accurate representation of the ISA firewall facts, because if you have 12 network interfaces on the ISA firewall, and users on one ISA firewall Network need to access OWA resources located on another ISA firewall Network, then those users will need to go through the ISA firewall to reach the destination OWA site. Note when users access resources on another ISA firewall Network, they are not looping back through the ISA firewall. They are going through the ISA firewall. In contrast, when users attempt to access OWA resources on the same ISA firewall Network that the users are located on, then they are looping back or bounce routing from the ISA firewall to reach the same ISA firewall Network from which the requests are made.

However, the only solution is to enable internal hosts to loop back through the ISA firewall if we want them to use the ISA firewall’s FBA feature and preserve a well-designed split DNS. The problem with this is that if we use the Web listener on the external interface of the ISA firewall to reach the OWA site, internal hosts will need to resolve the name of the OWA site to the external IP address on the ISA firewall. This breaks a well-designed split DNS infrastructure, because the internal zone should always contain only internal addresses and the external zone in the split DNS infrastructure should only contain external addresses. If we put external addresses in our internal zones, then this could start a trail of other compromises to a well-designed network infrastructure, such as using the .local for your internal Active Directory top level domain 😉

In this article I will go over the procedures required to create two Web Listeners: one listener for the external network clients, and another listener for the internal network clients. The internal Web Listener will be used for all clients on the corporate network, even those that are not on the same ISA firewall Network as the OWA site. The internal Web Listener will be created on the ISA firewall interface that is on the same ISA firewall Network as the OWA site.

We will go through the following procedures to enable both internal and external users to use the ISA firewall’s FBA feature to enhance security for OWA access:

  • Request and bind a certificate to the OWA Web site
  • Export the Web site certificate with its private key to a file
  • Unbind the Web site certificate from the OWA site
  • Request and bind a certificate to the OWA Web site
  • Export the second certificate with its private key to a file
  • Copy the certificates to the ISA firewall and import them into the ISA firewall’s machine certificate store
  • Create the external and internal Web listeners
  • Create the Web Publishing Rules
  • Create the Host (A) records in your split DNS and create the HOSTS file entry on the ISA firewall
  • Test the solution

In this, part 1 of this two part article series, we’ll go over the configuration steps on the OWA Web site computer. In part 2, we’ll move our attention to procedures performed on the ISA firewall device.

Request and Bind a Certificate to the OWA Web Site

The first step is to request a certificate for the OWA site. This certificate will be exported in a file, along with its private key, and copied to the ISA firewall. This certificate will be bound to the external Web Listener used in the Web Publishing Rule external users will use to access the OWA site.

Perform the following steps to request and bind the certificate to the OWA Web site:

  1. At the Exchange Server hosting the OWA site, open the Internet Information Services console from the Administrative Tools menu.
  2. In the Internet Information Service (IIS) Manger console, expand the server name and then expand the Web Sites node. Right click the Default Web Site and click Properties.
  3. In the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure Communications frame.
  5. Click Next on the Welcome to the Web Server Certificate Wizard page.
  6. On the Server Certificate page, select the Create a new certificate option and click Next.
  7. On the Delayed or Immediate Request page, select the Send the request immediately to an online certificate authority option. We select this option in this example because we have an enterprise CA deployed in this organization. If you do not have an enterprise CA deployed in the organization, you will have to use the Web enrollment site to obtain a certificate for the OWA site. Since enterprise CA’s provide a great deal of integrated functionality for any Active Directory domain, I highly recommend that you deploy an enterprise CA in the Exchange Server’s domain. Click Next.


Figure 1

  1. On the Name and Security Settings page, enter a name that will enable you to identify this certificate as the one that will be bound to the Web Listener that will be used to listen for incoming Web requests from external hosts to the OWA Web site. In this example we will enter External Web Listener Cert in the Name text box. You can leave the other entries at their defaults. Click Next.


Figure 2

  1. Enter your Organization and Organizational unit information in the text boxes on the Organization Information page and click Next.
  2. On the Your Site’s Common Name page, enter the name that external users will use to access the OWA site. In this example, users will access the OWA site by entering the URL https://owa.msfirewall.org/exchange. Therefore, we will enter owa.msfirewall.org in the Common name text box. You must make sure that the common name on the certificate is the same FQDN that external users will use to access the site. Click Next.


Figure 3

  1. Enter your Country/Region, State/province and City/locality information in the text boxes on the Geographical Information page and click Next.
  2. Use the default port listed on the SSL Port page and click Next.
  3. Use the default CA listed in the Certification authorities list on the Choose a Certification Authority page and click Next.
  4. Review the information on the Certificate Request Submission page and click Next.
  5. Click Finish on the Completing the Web Server Certificate Wizard page.

Export the Web Site Certificate with its Private Key to a File

The next step is export this certificate to a file. The file will contain the Web site certificate and the private key. Later we will copy this certificate to the ISA firewall.

Perform the following steps to export the certificate to a file:

  1. On the Directory Security tab, click the View Certificate button.
  2. In the Certificate dialog box, click the Details tab.
  3. On the Details tab, click the Copy to File button.
  4. Click the Next button on the Welcome to the Certificate Export Wizard page.
  5. Select the Yes, export the private key option on the Export Private Key page.
  6. On the Export File Format page, remove the checkmark from the Enable strong protection checkbox. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.


Figure 4

  1. In a password and confirm the password in the text boxes on the Password page. Click Next.
  2. On the File to Export page, enter a path and filename for the certificate file. In this example, we’ll enter c:\external_listener_cert and click Next.


Figure 5

  1. Click Finish on the Completing the Certificate Export Wizard page.
  2. Click OK in the Certificate Export Wizard dialog box.
  3. Click OK in the Certificate dialog box.
  4. Do not close the Default Web Site Properties dialog box. We will use it in the next procedure.

Unbind the Web site Certificate from the OWA Site

Now we need to unbind the certificate from the OWA Web site. The reason for this is that we want to generate another certificate with the same common name using the Web Site Certificate Wizard. The reason why we need to generate another certificate with the same name is that we can’t bind the same certificate to two different Web listeners on the ISA firewall. We can get around this problem by creating two different certificates, each with the same common name. One of the certificates will be bound to the external Web listener, and the second certificate will be bound to the Web Listener used to service requests internal corporate network hosts.

Perform the following steps to unbind the certificate from the OWA Web site:

  1. Click the Server Certificate button in the Secure Communications frame on the Directory Security tab.
  2. Click Next on the Welcome to the Web Server Certificate Wizard page.
  3. Select the Remove the current certificate option on the Modify the Current Certificate Assignment page. Click Next.


Figure 6

  1. Review the information on the Remove a Certificate page and click Next.
  2. Click Finish on the Completing the Web Server Certificate Wizard page.

In order to complete the process of removing the certificate so that we can generate a new certificate using the same common name, we must remove the certificate from the local machine’s certificate store. Perform the following steps to remove the Web site certificate from the OWA machine’s local certificate store:

  1. Click Start and then click Run. In the Run dialog box, enter MMC and click OK.
  2. In Console 1, click File and then click Add/Remove snap-in.
  3. Click Add in the Add/Remove Snap-in dialog box.
  4. Click the Certificates entry in the Available Standalone Snap-ins list on the Add Standalone Snap-in page, then click Add.
  5. On the Certificates snap-in page, select the Computer account option and click Next.
  6. On the Select Computer page, select the Local Computer option and click Finish.
  7. Click Close in the Add Standalone Snap-in dialog box
  8. Click OK in the Add/Remove Snap-in dialog box.
  9. In the MMC console, expand the Certificates (Local Computer) node and then expand the Personal node. Click the Certificates node. In the right pane you will see the certificate that was bound to the OWA Web site. Right click the certificate and click Delete.


Figure 7

  1. Click Yes in the Certificates dialog box asking if you are sure you want to delete the certificate.
  2. Minimize the Certificates console.

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000760

Request and Bind a Certificate to the OWA Web Site

Now we need to request another certificate for the OWA Web site. This certificate will be bound to the Web listener that will be used by the OWA Web Publishing Rule that will service requests from users on the corporate network. In contrast to the last certificate we requested, we will not unbind this certificate from the OWA site. This will allow connections to the OWA site using the same common name, owa.msfirewall.org. The key to the well-designed split DNS infrastructure is that you can use the same name from end to end.

The ISA firewall will be configured to forward requests to owa.msfirewall.org to owa.msfirewall.org. The ISA firewall will be configured with a HOSTS file entry that will resolve the name of the OWA site to the actual IP address of the OWA site. All other hosts, both internal and external, will resolve the name of owa.msfirewall.org to either the external interface or internal interface of the ISA firewall. This allows all connections to the OWA site to be mediated by the ISA firewall and allow us to use the ISA firewall’s FBA feature for both internal and external network hosts.

Perform the following steps to request and bind the Web site certificate to the OWA site:

  1. In the Default Web Site Properties dialog box, click the Directory Security tab.
  2. On the Directory Security tab, click the Server Certificate button in the Secure Communications frame.
  3. Click Next on the Welcome to the Web Server Certificate Wizard page.
  4. On the Server Certificate page, select the Create a new certificate option and click Next.
  5. On the Delayed or Immediate Request page, select the Send the request immediately to an online certificate authority option. We select this option in this example because we have an enterprise CA deployed in this organization. If you do not have an enterprise CA deployed in the organization, you will have to use the Web enrollment site to obtain a certificate for the OWA site. Since enterprise CA’s provide a great deal of integrated functionality for any Active Directory domain, I highly recommend that you deploy an enterprise CA in the Exchange Server’s domain. Click Next.


Figure 8

  1. On the Name and Security Settings page, enter a name that will enable you to identify this certificate as the one that will be bound to the Web Listener that will be used to listen for incoming Web requests from external hosts to the OWA Web site. In this example we will enter Internal Web Listener Cert in the Name text box. You can leave the other entries at their defaults. Click Next.


Figure 9

  1. Enter your Organization and Organizational unit information in the text boxes on the Organization Information page and click Next.
  2. On the Your Site’s Common Name page, enter the name that external users will use to access the OWA site. In this example, users will access the OWA site by entering the URL https://owa.msfirewall.org/exchange. Therefore, we will enter owa.msfirewall.org in the Common name text box. You must make sure that the common name on the certificate is the same FQDN that external users will use to access the site. Click Next.


Figure 10

  1. Enter your Country/Region, State/province and City/locality information in the text boxes on the Geographical Information page and click Next.
  2. Use the default port listed on the SSL Port page and click Next.
  3. Use the default CA listed in the Certification authorities list on the Choose a Certification Authority page and click Next.
  4. Review the information on the Certificate Request Submission page and click Next.
  5. Click Finish on the Completing the Web Server Certificate Wizard page.

Export the Second Certificate with its Private Key to a File

Now we need to export this certificate, along with its private key, to a file. We will later copy this certificate to the ISA firewall and use it to bind to the internal Web Listener that will service requests from the OWA site from hosts on the internal network. Perform the following steps to export the certificate:

  1. On the Directory Security tab, click the View Certificate button.
  2. In the Certificate dialog box, click the Details tab.
  3. On the Details tab, click the Copy to File button.
  4. Click the Next button on the Welcome to the Certificate Export Wizard page.
  5. Select the Yes, export the private key option on the Export Private Key page.
  6. On the Export File Format page, remove the checkmark from the Enable strong protection checkbox. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.


Figure 11

  1. In a password and confirm the password in the text boxes on the Password page. Click Next.
  2. On the File to Export page, enter a path and filename for the certificate file. In this example, we’ll enter c:\external_listener_cert and click Next.


Figure 12

  1. Click Finish on the Completing the Certificate Export Wizard page.
  2. Click OK in the Certificate Export Wizard dialog box.
  3. Click OK in the Certificate dialog box.
  4. Click OK in the Default Web Site Properties dialog box.

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000760

Summary

In this article we reviewed the problem of enabling ISA firewall forms-based authentication for both internal and external hosts. The challenge to this configuration is that we need to allow internal clients to access the OWA site by looping back through the ISA firewall while maintaining a well-designed split DNS infrastructure. The solution proposed in this article is to create two Web Listeners, one used to external hosts and another used by internal hosts. We then went over the certificate configuration on the OWA Web site and exporting the certificates to a file. In part two of this series we’ll move our attention to procedures performed on the ISA firewall device.

If you would like to read the next article in this series then please read Enabling ISA Firewall Forms-based Authentication (FBA) for OWA Connections for both Internal and External Clients (Part 2)

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top