Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall (Part 5)

If you would like to read the other parts in this article series please go to

If you would like to be notified when Thomas Shinder releases the next part in this article series please sign up to the ISAServer.org Real Time Article Update newsletter.

In the first four parts of this series on how to publish Exchange 2007 Web services we focused on the security and network design and then went on to install and configure the Hub Transport and Mailbox server and the Client Access Server. In this article, we will continue with the story by moving the plot to the ISA Firewall. We will configure the ISA Firewall by requesting a Web site certificate to bind to the Web listener and then we will create the Web listener.

Discuss this article

Configuring the ISA Firewall

That is all we are going to do with the Exchange Server configuration. And it is not soon enough. Whenever I work with Exchange 2007 I feel like I am walking down a dark hallway trying to feel my way through the darkness. That is probably because of PowerShell traumas. But we can move into the light of day now and start configuring the ISA Firewall. I promise that there will not be any need to enter the typo ridden world of PowerShell in our ISA Firewall configuration.

When configuring the ISA Firewall, we will need to perform the following procedures:

  • Request the Web Site Certificate and Install the Certificate into the ISA Firewall’s Machine Certificate Store
  • Create the Web Listener
  • Create the OWA Web Publishing Rules
  • Create the RPC/HTTP Web Publishing Rule
  • Create the ActiveSync Web Publishing Rule

In this article we will focus on obtaining the Web site certificate and creating the Web Listener.

Request the Web Site Certificate and Install the Certificate into the ISA Firewall’s Machine Certificate Store

The ISA Firewall needs a Web site certificate to bind to the Web listener that will listen for the OWA, RPC/HTTP and ActiveSync connections. We have a couple of options for obtaining this Web site certificate:

  • Export the Web site certificate from the Client Access Server and import it into the ISA Firewall machine certificate store
  • Request a Web site certificate using the Web enrollment site on the CA server on the internal network

The first option is not an option because when you use the PowerShell command used to request the certificate, the keys are not exportable. So much for that idea.

However, it is very easy to request the Web site certificate from the Web enrollment site on the CA server on the Internal Network, so we will obtain the certificate that way.

On the ISA Firewall computer, enter the address http://dc/certsrv in the Address bar and press ENTER. You will most likely see what appears in the figure below. Yes, the ISA Firewall blocked the request because we do not have any rules that allow outbound HTTP connections from the ISA Firewall Local Host Network to the CA on the internal Network.


Figure 1

We can solve this problem in a number of ways, but my favorite option is to configure System Policy to allow HTTP traffic to all Networks for CRL downloads. We need to allow CRL downloads anyhow, so let us set the System Policy to allow this traffic.

In the ISA Firewall console, click on the Firewall Policy node in the left pane of the console. Click the Show System Policy button in the button bar in the console (the button on the far right). Look for the Allow all HTTP traffic from ISA Server to all network (for CRL downloads) rule. Right click on the rule and click Edit System Policy.


Figure 2

In the System Policy Editor, make sure the red arrow is pointing to CRL Download and put a checkmark in the Enable this configuration group as seen in the figure below. Click OK.


Figure 3

Click Apply to save the changes and update the firewall policy.


Figure 4

Open Internet Explorer and enter http://dc/certsrv in the Address bar and press ENTER. Enter a user name and password to log onto the Web enrollment site. On the Welcome page of the Web enrollment site, click the Request a certificate link.


Figure 5

On the Request a Certificate page, click the Advanced certificate request link.


Figure 6

On the Advanced Certificate Request page, click the Create and submit a request to this CA link.


Figure 7

On the Advanced Certificate Request page, click  the down arrow on the Certificate Template drop down list and select Web Server. In the Identifying Information of Offline Template section, enter the common name that will appear on the certificate in the Name text box. Remember, the common or subject name must be the name that users will use to access the OWA, RPC/HTTP and ActiveSync sites. Since we are using a split DNS infrastructure in our example, external and internal users will use the same name, which is owa.msfirewall.org. Enter owa.msfirewall.org in the Name text box.

Put a checkmark in the Store certificate in the local computer certificate store. Notice that when you select this option, the keys will not be marked as exportable. This is not a problem since you can always request a new certificate with the same common/subject name in the future in the event that this ISA Firewall needs to be replaced.

Click the Submit button on the bottom of the page.


Figure 8

You will see a Potential Scripting Violation dialog box. Click Yes to dismiss it.


Figure 9

On the Certificate Issued page, click the Install this certificate link.


Figure 10

Another Potential Scripting Violation dialog box will appear. Click Yes to dismiss it.


Figure 11

When the certificate is installed, you will see the Certificate Installed page as seen in the figure below. Close Internet Explorer.


Figure 12

If you create a Certificates MMC console for the local machine account, you can expand the Certificates node and then expand the Personal node to expose the Personal\Certificates node. Click on the Personal\Certificates node and you will see the certificate that was issued to owa.msfirewall.org. Double click on the certificate and click on the Certification Path tab in the Certificate dialog box. Notice that the certificate is good because the ISA Firewall trusts certificates issued by dc.msfirewall.org. The reason why the ISA Firewall trusts certificates from dc.msfirewall.org is that the CA certificate for dc.msfirewall.org is contained in the ISA Firewall’s Trusted Root Certification Authorities\Certificates certificate store.

We did not have to manually install the CA certificate because the ISA Firewall was joined to the domain before the ISA Firewall software was installed. Had we joined the ISA Firewall to the domain after the ISA Firewall was installed, the CA certificate autoenrollment would not have worked, because the RPC filter breaks autoenrollment.


Figure 13

Discuss this article

Create the Web Listener

We needed the certificate to bind to the Web listener so that the ISA Firewall can impersonate the Client Access Server. The next step is to create the Web Listener that we will use for the OWA, RPC/HTTP and ActiveSync Web Publishing Rules.

Click on the Firewall Policy node in the left pane of the ISA Firewall console and then click the Toolbox tab in the right pane of the console. Click Network Objects and then right click on Web Listeners. Click New Web Listener.


Figure 14

On the Welcome to the New Web Listener Wizard page, give a name to the Web Listener. In this example we will name the Listener SSL and click Next.


Figure 15

On the Client Connection Security page you select whether you want to create an SSL or an unsecured HTTP connection with the ISA Firewall. Since we always want security, we will select the Require SSL secured connections with clients option and click Next.


Figure 16

On the Web Listener IP Addresses page we select the IP addresses that this Web listener will listen for connections on. In our split DNS scenario, we have things set up where external users will connect to the ISA Firewall using the ISA Firewall’s external interface IP address and internal users will connect to the ISA Firewall using the ISA Firewall’s internal interface IP address.

Put a checkmark in both the External and Internal network’s checkboxes, then click on the Internal network and click the Select IP Addresses button.


Figure 17

In the Internal Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Then click the IP address in the Available IP Addresses list and click the Add button to move that IP address to the Selected IP Addresses list. Click OK.


Figure 18

You now see on the Web Listener IP Addresses page that the Internal network listener is listening on IP address 10.0.0.1. Click the External network and then click Select IP Addresses.

In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the external IP address in the Available IP Addresses list and click the Add button to move that IP address to the Selected IP Addresses list.


Figure 19

On the Web Listener IP Addresses page you will see that the Web Listener is now listening on 192.168.1.71 on the external interface. For external users, owa.msfirewall.org must resolve to 192.168.1.71 and for internal users, owa.msfirewall.org must resolve to 10.0.0.1. That is how we have outsplit DNS setup so that this will work fine. Click Next.


Figure 20

On the Listener SSL Certificates page, the Assign a certificate for each IP address is automatically selected for you. Click the 10.0.0.1 address and then click the Select Certificate Button. In the Select Certificate dialog box, select the owa.msfirewall.org certificate and click Select.


Figure 21

On the Listener SSL Certificates page, click the 192.168.1.71 entry (which will be a different IP address for you, since it needs to be a valid address on the network on which you are doing the testing) and click Select Certificate. Click on the owa.msfirewall.org certificate and click Select.


Figure 22

On the Listener SSL Certificates page you will see that both the internal and external IP addresses are associated with the owa.msfirewall.org certificate. This will allow external users to connect to the external interface using SSL and the internal users to connect to the internal interface using SSL. Click Next.


Figure 23

On the Authentication Settings page, click the down arrow for the Select how clients will provide credentials to ISA Server drop down list and select HTML Form Authentication. Select the Windows (Active Directory) option from the Select how ISA Server will validate client credentials list.

The ISA Firewall is a domain member (ISA Firewall security best practice) so we can use Windows authentication. Note that even though we have configured this Web Listener to use forms-based authentication, it will still work for the Outlook RPC/HTTP clients and the ActiveSync clients because the ISA Firewall will check the user-agent string and if the user-agent string does not indicate that a Web browser is being used, it will fall-back to basic authentication.

Click Next.


Figure 24

On the Single Sign On Settings page, set the single sign on the domain by putting a checkmark in the Enable SSO for Web site published with this Web listener checkbox and then enter the single sign on domain in  the SSO domain name text box. We are only publishing the Exchange Client Access Server in this scenario, but in other scenarios we might also publish Web sites and SharePoint sites. Since all those sites would be in the same domain, we will enter .msfirewall.org in the text box. Note that you do not actually need to enter in the leading dot “.”, as the wizard will assume that that is what you meant if you do not enter it.


Figure 25

Review the settings on the Completing the New Web Listener Wizard page and click Finish.


Figure 26

Discuss this article

Summary

In this article we moved our attention away from the Exchange Server and moved it to the ISA Firewall. We started by connecting to the Web enrollment site and requesting a Web site certificate from the internal network certificate authority. After that we confirmed that the certificate was installed in the ISA Firewall’s local machine certificate store. Then we created the Web Listener that will be used in our Web Publishing Rules that will publish the OWA, RPC/HTTP and ActiveSync sites. In the next article, we will continue with the ISA Firewall configuration by creating the OWA Web Publishing Rules. See you then! –Tom.

If you would like to read the other parts in this article series please go to

If you would like to be notified when Thomas Shinder releases the next part in this article series please sign up to the ISAServer.org Real Time Article Update newsletter.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top