Publishing Exchange 2000 Outlook Web Access with ISA Server UPDATE Dec 12 2002
Outlook Web Access (OWA) for Exchange 2000 allows users to access their mailbox located on an Exchange 2000 server using a web interface. Users are also able to use their web browser to access the Public information store. Outlook Web Access can greatly simplify remote access to Exchange based information for remote clients.
Because OWA uses HTTP as the application layer protocol to access the information store, you do not need to support proprietary interfaces required by Outlook 97/98/2000/2002. In addition, you do not have to configure a mail client application to access the internal Exchange Server. Even the most unsophisticated of users can use their web browser without any extra configuration on the user's end to access their Exchange 2000 mailbox and public folders.
Outlook Web Access is also an ideal solution for UNIX and Apple clients. Since there is no port of the Office version of Microsoft Outlook for UNIX platforms, Outlook Web Access is the only method these clients can use to access the Exchange 2000 message store. Apple clients may also lack the full version of Outlook, and can likewise reach their mailbox via Outlook Web Access.
However, Outlook Web Access is not the same as the full version of Outlook and does not provide the same feature set. Some limitations include:
However, even with these limitations, Outlook Web Access remains a powerful tool in your remote mail access toolbox.
In order for your Outlook Web Access solution to work correctly, you have to ensure that:
After Exchange 2000 and ISA Server are configured correctly, your users will be able to connect to their mailboxes using Outlook Web Access.
Configuring Exchange 2000 Outlook Web Access
Outlook Web Access is integrated with Internet Information Server 5.0 (IIS 5.0). Administration of Outlook Web Access therefore is done through the IIS console. Issues that need to be addressed on the Outlook Web Access server include:
Note that this tutorial is focused on a simple setup, and does not explicitly address Front End/Back End Outlook Web Access/Exchange Server 2000 configurations.
ISA Server Client Type
The Exchange Server should be configured as a SecureNAT client. Configuring a machine to be a SecureNAT client is easy to do, because all that is required is that you configure it to use a default gateway that routes to the internal interface of the ISA Server.
If the Exchange Server is on the same network ID as the internal interface of the ISA Server, you can enter the IP address of the internal interface of the ISA Server as the Default Gateway for the Exchange Server. If the Exchange Server is remote from the internal interface of the ISA Server, configure a default gateway on that server which will route Internet bound requests to the internal interface of the ISA Server.
Since you will be using a Web Publishing Rule to publish the server, you do not want to make the Outlook Web Access server a Firewall client. Making the machine a Firewall client will only make the configuration needlessly complex. So, don't do it!
The type of DNS support required by the Exchange server depends on how you have configured the server to handle delivery. Exchange 2000 uses the IIS 5.0 SMTP service. This service can be configured to allow the Exchange 2000 server to resolve mail domain names itself, or allow the server to forward mail to a Smart Host.
To configure the SMTP service's handling of outbound mail domain resolution, perform the following steps:
The Smart Host text box provides a space for you to type in the IP address or FQDN of a mail server on the Internet to which the SMTP service will forward email for non-local domains. Note that if you enter an FQDN, the Exchange Server SMTP service will still need to resolve the IP address of the Smart Host! If you wish to avoid the name resolution issue, enter an IP address instead. To prevent the SMTP service from treating the IP address as a host name and trying to resolve it, place the IP address in square brackets. For example, if the Smart Host has the IP address 126.96.36.199, then enter [126.96.36.199] into the text box.
Click the Add button, and put in the IP address(es) of your Internet DNS server(s). The SMTP service will use these DNS server addresses in preference to the DNS server configured on the NIC for this machine. This allows you to use the DNS settings on the Exchange Server's NIC for internal name resolution, and to use the settings configured here for mail domain name resolution by the IIS SMTP service.
Another way to support DNS for the Exchange server is to configure the Exchange Server to use an internal DNS server that supports DNS Forwarding. You would configure the internal DNS server to forward requests for which it is not authoritative to a DNS server on the Internet, such as your ISPs DNS server.
When the browser attempts to connect to the Outlook Web Access site, a credentials dialog box will appear. You will definitely want to require authentication to access mailboxes on the Outlook Web Access site! However, ISA Server does not treat all authentication types equally. It is much easier to get Basic authentication to work consistently; Integrated authentication leads to very poor performance and painful browser compatibility troubleshooting sessions.
This is a tricky situation because Basic authentication sends user credentials in clear text (Base64-encoded, not encrypted) and they are therefore trivially sniffable. You could use anonymous access, but that puts you in an even worse situation.
One solution is to use SSL and have the Outlook Web Access clients establish an SSL connection to the external interface of the ISA Server. This solution is very effective and is our preferred solution for publishing OWA sites. You could also have users present client certificates to authenticate with the Incoming Web Requests listener and then authenticate with the Web site. Note that if you use Basic authentication, users do not authenticate with the listener; they must authenticate with the Web site. Integrated authentication, by contrast, brings multiple problems because of incompatibilities between Internet Explorer versions.
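To make the clear-text problem concrete, here is an added example (not code from the article) that decodes the Basic Authorization header out of a constructed HTTP request, exactly as anyone sniffing the wire could when the OWA site is published over plain HTTP. The host name, account name and password are made up for the illustration.

```python
import base64
import binascii

# Constructed sample, not a real capture: the first request a browser sends
# after the user fills in the OWA credentials dialog. Over plain HTTP this
# crosses the wire as-is. The FQDN and account are assumed for the example.
CAPTURED_REQUEST = (
    "GET /exchange/ HTTP/1.1\r\n"
    "Host: owa.shindertexas.net\r\n"
    "Authorization: Basic c2hpbmRlcnRleGFzXHRzaGluZGVyOlBhNTV3MHJk\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "\r\n"
)


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth:
    Base64 of 'user:password'. Base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def extract_basic_credentials(raw_request: str):
    """Return (domain, user, password) recovered from a Basic Authorization
    header in a raw HTTP request, or None if no usable header is present.

    Only the first ':' separates user from password (RFC 2617), so passwords
    containing ':' survive; a 'DOMAIN\\user' prefix, which IIS accepts when a
    default Basic authentication domain is set, is split off if present.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = head.split("\r\n")[1:]          # skip the request line
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                        # some other scheme (NTLM, Digest...)
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
        except (binascii.Error, UnicodeDecodeError):
            return None                        # malformed token
        user, sep, password = decoded.partition(":")
        if not sep:
            return None                        # not 'user:password'
        domain, _, user = user.rpartition("\\")
        return (domain or None, user, password)
    return None


if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))
```

The same decoding works on any HTTP capture; SSL between the client and the ISA Server's listener is what keeps the header out of reach on the Internet, and it is why Basic authentication is acceptable only in combination with SSL.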
You can also use a Server Publishing rule to publish TCP port 443 on the Outlook Web Access server. You might find this easier to implement if you have multiple IP addresses, but it has a drawback: because the SSL session passes through ISA Server untouched, you cannot use the client certificate/Basic authentication double log-on option with a Server Publishing rule.
We cover a number of different SSL and authentication scenarios for OWA in the ISA Server and Beyond book. If you want to use SSL and get the most complete coverage of OWA/ISA Server issues and configuration details, then check out the book!
Another option would be to establish a VPN connection to the ISA Server, and then an Outlook Web Access session. The VPN link would secure the connection and no passwords would be passed in the clear. This is a good choice for companies that do not want to endure the additional costs of installing the full Outlook client on laptop computers, but still want their road warriors to be able to access Exchange mail.
It will be up to you and your security analysts to decide on the best way to secure communications between the Outlook Web Access client and server. Different organizations will have different security requirements. It is also hoped that ISA Server will be able to pass Integrated or Digest Authentication credentials through the Web Proxy service with updates or future releases of the product.
Configuring Authentication on the Outlook Web Access Server
To configure authentication on the Outlook Web Access server, you can use the Internet Information Services console. Perform the following steps to configure the authentication options:
The Exchange related folders are Exchweb, public, Exchange and Exadmin. Users do not need access to the Exadmin folder.
Note: If you see red error icons for the Exchange related folders, click on the Default Web Site node in the left pane and then stop and restart the Default Web Site. Then refresh the display and the error icons should disappear.
The Basic authentication (password is sent in clear text) option should be selected. After making the selection, click the Edit button. This brings up the Basic Authentication Domain dialog box as seen below.
The domain the Exchange Server belongs to should be in the text box by default. However, if it does not appear, either type in the name of the authentication domain, or click the Browse button and select the domain from the list.
Enabling User Accounts
When Exchange 2000 is installed on a Windows 2000 Server machine, it will update the schema in its domain. These schema changes allow you to create Exchange Server mailboxes when creating a new user account. User accounts that existed before Exchange was installed will not have a mailbox created for them.
For users in the domain that do not already have an Exchange mailbox configured, open Active Directory Users and Computers, right click on the account and click the Exchange Tasks command. Follow the Wizard to create a new mailbox.
After the account is created and a mailbox configured, the user will have access to Outlook Web Access by default. If you wish to disable access to Outlook Web Access, open the user account in Active Directory Users and Computers and click on the Exchange Advanced tab, as seen below.
Click on the Protocol Settings button. This will bring up the Protocols dialog box as seen below.
Click on the HTTP protocol and click the Settings button and you'll see what appears below.
Remove the checkmark from the checkbox to disable Outlook Web Access for the user.
In order for a user to access his email via Outlook Web Access, there must be at least one address for the user that belongs to the same domain as the Exchange Server. For example, look at the figure below.
The Exchange Server belongs to the shindertexas.net domain. Note that the address in bold is the user's primary SMTP address; this is the one placed in the user's From: field. This user also has addresses in other mail domains, and the Exchange Server will accept mail for this user at any of them. But there must be at least one address in the local domain.
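Checking this by hand for every account is tedious, so here is an added example (not code from the article) that audits a set of user objects for a local-domain address. It relies on the way Exchange 2000 stores addresses in the proxyAddresses attribute: the entry prefixed with upper-case SMTP: is the primary (the bold one in Active Directory Users and Computers), lower-case smtp: entries are secondary, and other prefixes such as X400: are not SMTP addresses. The sample accounts and addresses are constructed for the illustration.

```python
# Constructed sample directory entries, not real accounts: the proxyAddresses
# attribute as Exchange 2000 stores it on each user object.
EXCHANGE_DOMAIN = "shindertexas.net"   # the domain the Exchange Server belongs to

SAMPLE_USERS = {
    "tshinder": [
        "SMTP:tshinder@shindertexas.net",
        "smtp:tom@isaserver.org",
        "X400:c=US;a= ;p=shindertexas;o=Exchange;s=Shinder;g=Tom;",
    ],
    "dshinder": [
        "SMTP:deb@isaserver.org",        # primary is in a foreign domain...
        "smtp:Deb@ShinderTexas.NET",     # ...but a local address exists, so OWA works
    ],
    "contractor": ["SMTP:jdoe@partner.example"],   # no local address: OWA logon fails
    "svc-backup": [],                               # never mailbox-enabled
}


def smtp_addresses(proxy_addresses):
    """Yield (is_primary, address) for each SMTP entry, skipping X400 and others.
    Upper-case 'SMTP:' marks the primary address; 'smtp:' marks a secondary."""
    for entry in proxy_addresses:
        prefix, sep, address = entry.partition(":")
        if sep and prefix.upper() == "SMTP":
            yield prefix == "SMTP", address


def primary_smtp(proxy_addresses):
    """The user's primary SMTP address (what goes in the From: field), or None."""
    for is_primary, address in smtp_addresses(proxy_addresses):
        if is_primary:
            return address
    return None


def has_local_address(proxy_addresses, local_domain=EXCHANGE_DOMAIN):
    """True if at least one SMTP address is in the Exchange Server's own domain.
    Domain comparison is case-insensitive, as DNS names are."""
    return any(
        address.rpartition("@")[2].lower() == local_domain.lower()
        for _, address in smtp_addresses(proxy_addresses)
    )


def users_without_local_address(users, local_domain=EXCHANGE_DOMAIN):
    """Accounts that need a local-domain address added before their owners
    can log on to Outlook Web Access."""
    return sorted(
        name for name, addresses in users.items()
        if not has_local_address(addresses, local_domain)
    )


if __name__ == "__main__":
    for name in users_without_local_address(SAMPLE_USERS):
        print(f"{name}: no address in {EXCHANGE_DOMAIN}; add one on the E-mail Addresses tab")
```

In a real deployment the lists would come from an LDAP query for proxyAddresses rather than the constructed dictionary; the check itself does not change.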
Now that the Outlook Web Access server is configured, we can move onto the ISA Server.
Publishing the Outlook Web Access Site using Web Publishing Rules
We will use a Web Publishing rule to publish the Outlook Web Access Server. Before the Web Publishing rule will work, the network infrastructure needs to be configured to support Web Publishing.
If you are not sure whether your network is configured to support Web Publishing, take a moment to read part one of my two-part series on how to publish a web site at www.isaserver.org/shinder. You should also visit http://www.isaserver.org/pages/learning%20zone.htm and read the other articles in the Learning Zone. You'll find many of them quite helpful in solving your ISA Server configuration issues.
You will need to create a Destination Set before you create the Web Publishing rule. The Destination Set will be used to redirect requests for Outlook Web Access specific subfolders to the Outlook Web Access server.
Creating the Outlook Web Access Destination Set
To create the Destination Set, perform the following steps:
When you are finished, the properties of the Destination Set should look like the figure below. After the Destination Set is completed, click OK.
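The following added example (not code from the article, and not ISA Server's own matching logic) models what the Destination Set and the Web Publishing rule built on it do: a request is forwarded to the internal Outlook Web Access server only when its host name matches the published name and its path falls under one of the published OWA folders. The external FQDN and the internal server name are assumed; the folder list follows the Exchange virtual directories named earlier, with Exadmin left out because users do not need it. The path is decoded and normalized before matching, so dot segments cannot be used to reach an unpublished folder through a published prefix.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed names, not taken from the article: the public name clients type into
# the browser and the internal Exchange 2000 server the rule forwards to.
EXTERNAL_FQDN = "owa.shindertexas.net"
INTERNAL_SERVER = "exchange2000.shindertexas.net"

# Destination Set paths for the OWA virtual directories users need; a trailing
# /* covers the folder and everything below it. Exadmin is intentionally
# absent so nothing forwards administrative requests.
OWA_PATHS = ("/exchange/*", "/exchweb/*", "/public/*")


def normalize_path(path: str) -> str:
    """Decode percent-escapes and collapse '.' and '..' segments, so that a
    path like /exchange/%2e%2e/exadmin cannot slip past a prefix match."""
    clean = posixpath.normpath(unquote(path) or "/")
    return "/" + clean.lstrip("/")          # also squash a leading '//'


def in_destination_set(url: str, fqdn: str = EXTERNAL_FQDN, paths=OWA_PATHS) -> bool:
    """True if the request matches the Destination Set (host and path)."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != fqdn.lower():
        return False
    req = normalize_path(parts.path).lower()   # IIS paths are case-insensitive
    for entry in paths:
        folder = entry[:-2].lower()             # "/exchange/*" -> "/exchange"
        if req == folder or req.startswith(folder + "/"):
            return True
    return False


def forward_target(url: str):
    """Internal URL the Web Proxy service would request on the client's behalf,
    or None when the request falls outside the Destination Set and is dropped."""
    if not in_destination_set(url):
        return None
    parts = urlsplit(url)
    target = f"http://{INTERNAL_SERVER}{normalize_path(parts.path)}"
    return target + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    for u in ("https://owa.shindertexas.net/exchange/tshinder/Inbox/",
              "https://owa.shindertexas.net/exadmin/",
              "https://owa.shindertexas.net/exchange/../exadmin/"):
        print(u, "->", forward_target(u))
```

The model forwards to the internal server over plain HTTP because, in the preferred setup above, SSL is terminated at the ISA Server's listener; what matters for the rule is that requests for the site root or for Exadmin never match and are therefore never passed inside.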
Creating the Outlook Web Access Publishing Rule
After the Destination Set is configured, you can use it in the Web Publishing rule used to publish the OWA server. Perform the following steps to publish the server:
Connecting to the Outlook Web Access Site
Let's connect to the Outlook Web Access web site and access a mailbox. To access the Outlook Web Access server and connect to a user mailbox, perform the following steps:
If you are not able to access the Outlook Web Access site for a particular user, check and make sure that the user has an email address in the same domain as the Exchange Server. You may be using the Exchange Server to accept mail for domains outside of the one that the server belongs to. If the user does not have an email address listed in his entry in Active Directory Users and Computers for the Exchange Server's domain, add one.
In this article we reviewed what Outlook Web Access can do, and how to implement Outlook Web Access on an ISA Server network. Before implementing an Outlook Web Access solution, you must first configure the Exchange Server to support Outlook Web Access and ISA Server. This includes DNS and user configuration issues. After the Exchange Server is configured, the ISA Server side of the equation can be addressed. The network environment must be able to support publishing of the Outlook Web Access Exchange Server. Depending on your security requirements, you will use either Web Publishing or Server Publishing to make the Outlook Web Access server available to external network users.
I highly recommend the ISA Server and Beyond book to anyone rolling out an OWA solution. I cover many different SSL and authentication scenarios in the book that I haven't been able to discuss in this article. If you are having problems or troubleshooting issues with your OWA setup, make sure to check out chapter 6 of ISA Server and Beyond. The answer to your problem will likely be there.
We hope you enjoyed this article and that it helps you roll out Outlook Web Access on your ISA Server protected network. If you have any questions or comments, please post them to the web boards, or write to me at [email protected] and I'll try to answer you as soon as possible. - Tom.