ISA 2006 Enables FBA and ActiveSync-RPC/HTTP on the Same Web Listener
As you know, the best way to secure your Exchange Server organization is to put an ISA firewall in front of it. Unlike traditional hardware firewalls, the ISA firewall is purpose-designed to protect Exchange Servers and services. Remote access to OWA, OMA, Exchange ActiveSync, and RPC/HTTP is critical for any business running Microsoft Exchange Servers. Only the ISA firewall contains the application layer intelligence to provide the security you require for your Exchange remote access plans.
A challenge ISA 2004 firewall admins experienced was that if you wanted to enable FBA (Forms-based authentication) on a Web listener for OWA access, you could not use that same Web listener for remote access to OMA, ActiveSync and RPC/HTTP. The reason is that those services required a second certificate, and that certificate had to be bound to a second Web listener, listening on an IP address different from the one used by the OWA/FBA-enabled Web listener.
For details on why each certificate must be bound to a different IP address and Web listener, check out this post on the ISA firewall team blog at https://blogs.technet.com/isablog/archive/2006/04/01/423869.aspx
ISA 2006 solves this problem by reading the User-Agent HTTP header before making an authentication decision. This enables you to use the same Web listener and IP address for both OWA/FBA-enabled connections and connections from OMA/ActiveSync/RPC-HTTP clients.
For example, suppose you configured a Web Publishing Rule that allows connections to all of the Exchange Server Web services, including OWA, OMA, ActiveSync and RPC/HTTP, and you have Forms-based authentication enabled on the Web listener for this rule. When an OWA client (IE6 or above, or an alternative Web browser with a reduced user experience) connects to the ISA firewall to reach the OWA site, the ISA firewall presents the user with the logon form and all is good. When a non-OWA connection reaches the ISA firewall, the ISA firewall inspects the User-Agent header in the request, recognizes that the client cannot "understand" the form, and falls back to Basic authentication, which all of these clients understand. Basic authentication is secure here because the user credentials are carried inside the SSL tunnel.
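To make the decision described above concrete, here is an added Python example (not ISA code) that simulates a listener choosing between the logon form and a Basic challenge from the User-Agent header. The User-Agent patterns, the logon-form redirect path, the sample requests and the refusal to offer Basic over a non-SSL connection are all assumptions made for this illustration, not ISA's actual rules.

```python
"""Simulated FBA-or-Basic selection keyed on the User-Agent header (added example)."""
import re
from typing import Dict, Optional, Tuple

# Illustrative patterns for clients that cannot render or post the HTML logon
# form. These are assumptions for the example, not ISA 2006's real list.
NON_FORM_CLIENT_PATTERNS = [
    re.compile(r"^MSRPC"),              # Outlook using RPC over HTTP
    re.compile(r"^MSFT-(PPC|SPhone)"),  # Exchange ActiveSync devices
    re.compile(r"Windows CE"),          # Pocket IE reaching OMA
]

# Assumed redirect target for the logon form (placeholder path).
LOGON_FORM_PATH = "/CookieAuth.dll?GetLogon"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a minimal HTTP/1.1 request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, path, headers


def is_form_capable(user_agent: Optional[str]) -> bool:
    """A client is assumed to handle the form unless its User-Agent matches a known non-form client."""
    if not user_agent:
        return True  # no User-Agent: present the form, as this example's default
    return not any(p.search(user_agent) for p in NON_FORM_CLIENT_PATTERNS)


def choose_challenge(raw_request: str, tls: bool) -> Dict[str, str]:
    """Return the response an unauthenticated request should receive from the listener."""
    _, _, headers = parse_request(raw_request)
    if not tls:
        # Basic sends credentials in cleartext; only the SSL tunnel makes it acceptable.
        return {"status": "403", "reason": "logon requires SSL"}
    if is_form_capable(headers.get("user-agent")):
        return {"status": "302", "Location": LOGON_FORM_PATH}
    return {"status": "401", "WWW-Authenticate": 'Basic realm="Exchange"'}
```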
If you have only a single IP address and want to publish all of these services, then the ISA 2006 firewall upgrade is for you!
Thomas W Shinder, M.D.
MVP -- ISA Firewalls