LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 4)

If you missed the other parts of the series, check out:

Create the second Web Publishing Rule for the second OWA Server

If you’re thinking “oh no, do we have to do all that all over again!” I’ve got some good news for you. The answer is NO. You don’t have to go through the entire Web Publishing Rule wizard again because we can copy and paste the existing Web Publishing Rule and make only a couple of changes to the copied rule. This allows us to take advantage of the heavy lifting we’ve already done when creating the first OWA Web Publishing Rule.

Perform the following steps to create the pixkiller.net Web Publishing Rule:

  1. Right click the MSFIREWALL OWA Web Publishing Rule and click Copy.


Figure 1

  2. Right click the MSFIREWALL OWA Web Publishing Rule again and click Paste.


Figure 2

  3. A new Web Publishing Rule named MSFIREWALL OWA(1) appears in the list of rules in the Firewall policy. Right click the MSFIREWALL OWA(1) rule and click Properties.


Figure 3

  4. In the MSFIREWALL OWA(1) dialog box, click the General tab. On the General tab, enter a new name for the Web Publishing Rule in the Name text box. In this example, we name the rule PIXKILLER OWA.


Figure 4

  5. Click the To tab. On the To tab, enter the common/subject name on the Web site certificate bound to the pixkiller.net OWA site. In this example, the common/subject name on the Web site certificate bound to the pixkiller OWA site is owa.pixkiller.net, so we enter that name into the This rule applies to this published site text box. In the Computer name or IP address (required if the internal site name is different or not resolvable) text box, enter the IP address of the OWA site.

    As I mentioned when we created the Web Publishing Rule for the MSFIREWALL OWA site, the new ISA firewall breaks out the name used to resolve the forwarded request and the name used in the CONNECT by allowing us to use the IP address or the actual FQDN of the published Web site.

    In the Proxy requests to published site frame, leave the option Requests appear to come from the ISA Server computer enabled. With this setting the source IP address seen by the published Web server is the IP address of the ISA Firewall itself, so you do not have to make the published Web server a SecureNAT client of the ISA Firewall, which gives you a bit more flexibility.

Figure 5

  6. Click the Public Name tab. Click the msfirewall.org entry and click the Remove button. Click the Add button. In the Public Name text box enter the public name for the pixkiller.net OWA Web site, which is also the common/subject name for the Web site certificate bound to the Web listener receiving connections for this site. In this example, that name is owa.pixkiller.net, so we enter that name into the text box. Click OK.


Figure 6

  7. Click OK in the MSFIREWALL OWA(1) dialog box.
  8. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

Create an LDAP User Set

In the Web Publishing Rules we created for both the msfirewall.org and pixkiller.net OWA servers, we used the default setting for the authentication option, which was to allow all authenticated users access to the published Web sites. In a production environment, you might want to limit access to selected groups, instead of allowing unfettered access to any user who has an account in the domain in question.

For example, suppose we created a global group in the pixkiller.net domain named OWA Users and populated that group with users we want to allow remote access to the pixkiller.net OWA site. We can easily do this by creating an LDAP group. Remember, LDAP has the advantage over RADIUS in that LDAP can leverage existing Active Directory groups while RADIUS cannot.

The following procedure illustrates how to create an LDAP group on the ISA Firewall based on the OWA Users Active Directory global group:

  1. In the ISA Firewall console, click the Firewall Policy node in the left pane of the console and double click the PIXKILLER OWA Web Publishing Rule.
  2. In the PIXKILLER OWA Properties dialog box, click the Users tab. On the Users tab, click the All Authenticated Users entry in the This rule applies to requests from the following user sets list and then click the Remove button.


Figure 7

  3. On the Users tab, click the Add button.
  4. In the Add Users dialog box, click the New command.


Figure 8

  5. On the Welcome to the New User Set Wizard page, enter a name for the LDAP user set in the User set name text box. In this example, we’ll use the name PIXKILLER OWA Users and click Next.


Figure 9

  6. On the Users page, click the Add button. In the fly-out menu, click the LDAP… entry.


Figure 10

  7. In the Add LDAP User dialog box, click the LDAP server set down arrow and select the PIXKILLER entry. Select the Specified group or user option and then enter OWA Users (the name of the group that is populated with users we want to allow access to the pixkiller.net OWA site). Click OK.


Figure 11

  8. An authentication dialog box appears. Enter a valid user name and password. This user does not need to be a domain admin. Click OK.


Figure 12

  9. The ISA Firewall contacts the domain controller; once it finds the group, the log on dialog box disappears and the LDAP group appears on the Users page. Click Next on the Users page.


Figure 13

  10. Click Finish on the Completing the New User Set Wizard page.


Figure 14

  11. In the Add Users dialog box, double click the PIXKILLER OWA Users entry and then click Close.


Figure 15

  12. On the Users tab you’ll now see the LDAP user set in the This rule applies to requests from the following user sets list. Click OK.


Figure 16

  13. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

Testing the Solution

We can easily test the solution by visiting the OWA Web sites from an external client. In this example, enter the URL https://owa.pixkiller.net/exchange in the external client’s Web browser. You will see the log on page shown below. Put a checkmark in the I want to change my password after logging on checkbox and select the This is a private computer option. Then enter the user name and password in the appropriate text boxes.


Figure 17

The change password Web page appears. Enter the old and new passwords in the appropriate text boxes and click Change Password.


Figure 18

A confirmation Web page appears indicating that the password was changed successfully. You can wait to be redirected automatically or click the Continue button to go to the mailbox.


Figure 19

The user’s mailbox appears in the browser window.


Figure 20

In the figure below you see an example of what happens when the user’s account is configured to require a password change at next log on (you will also see the same dialog box when the user’s password has expired). All you need to do is enter the old password, then the new password and its confirmation, and click the Change Password button.


Figure 21

You will see a dialog box that indicates that the password was successfully changed.


Figure 22

If you have problems getting password changes to work (such as a Web page indicating that the password does not meet complexity requirements), consider the following options:

  • Restart the ISA Firewall device
  • Restart the DC that is authenticating the user
  • Make sure that the name you used to contact the LDAP server when you configured the LDAP server set is the same name that appears on the computer certificate installed on the DC
  • Make sure there are no typos in the old password and new password confirmation boxes
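The third item above, the LDAP server set name matching the DC’s computer certificate, can be checked directly instead of by eye. The following Python 3 script is an added example and is not part of the original article; the DC name dc1.pixkiller.net, the CA file argument and the sample certificate are constructed assumptions.

```python
import socket
import ssl
import sys

LDAPS_PORT = 636  # LDAP over SSL, the port used when the LDAP server set connects securely

def names_from_cert(cert):
    """Collect the DNS names in a certificate given in ssl getpeercert() dict form:
    the subject commonName plus every SAN dNSName, duplicates removed."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names

def ldap_name_matches(configured_name, cert):
    """True when the name typed into the LDAP server set exactly equals one of the
    certificate names (case-insensitive, trailing dot ignored). Wildcards are not
    honoured and an IP address never matches: that is the mismatch warned about above."""
    wanted = configured_name.rstrip(".").lower()
    return any(wanted == name.rstrip(".").lower() for name in names_from_cert(cert))

def fetch_dc_certificate(host, ca_file, port=LDAPS_PORT, timeout=5.0):
    """Open an LDAPS connection to the DC and return its certificate as a dict. ca_file is
    a PEM export of the CA that issued the DC certificate (the CA the ISA Firewall trusts).
    Chain validation stays on; host name checking is off so the certificate comes back
    even when the name is wrong. Nothing is sent on the connection."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample (not a real certificate): a DC whose certificate carries the FQDN in
# both the subject CN and the SAN. The DC name is an assumption; the article names none.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.pixkiller.net"),),),
    "subjectAltName": (("DNS", "dc1.pixkiller.net"), ("DNS", "pixkiller.net")),
}

if __name__ == "__main__":
    # usage: python check_dc_cert.py <name as entered in the LDAP server set> <ca.pem>
    name, ca = sys.argv[1], sys.argv[2]
    cert = fetch_dc_certificate(name, ca)
    print("certificate names:", ", ".join(names_from_cert(cert)))
    print("match" if ldap_name_matches(name, cert) else "MISMATCH: fix the LDAP server set name")
```

Run it with exactly the name you typed into the LDAP server set; if the chain validates but the script reports a mismatch, the server set name (a short NetBIOS name or an IP address is the usual culprit) is what needs changing, not the certificate.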

Summary

In this four-part series we investigated the new ISA Firewall’s ability to use LDAP authentication to allow Active Directory authentication and leverage Active Directory user groups without having to make the ISA Firewall a domain member. This is a viable option in Web publishing scenarios where the ISA Firewall is a front-end firewall and does not need to perform outbound authentication. I’ve also used this feature when the ISA Firewall is a member of one domain to enable Web publishing of servers in other domains. I hope you enjoyed the series and if you have questions, make sure to ask them on the Web boards! Thanks! –Tom.
