Publishing LDAP Server on ISA.

Understanding LDAP

Windows 2000 use Lightweight Directory Access Protocol (LDAP) a streamlined version of DAP (Directory Access Protocol). The Directory Access Protocol (DAP) is a protocol used in X.500 Directory Services for controlling communications between the Directory User Agent and Directory System Agent.

The Directory User Agent (DUA) provides functionality that can be implemented in all sorts of user interfaces through dedicated DUA clients, Web server gateways, or e-mail applications.

In X.500, the Directory System Agent (DSA) is the database in which directory information is stored. This database is hierarchical in form, designed to provide fast and efficient search and retrieval.

Contrary to X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. LDAP is an open protocol, and applications are independent of the of server platform hosting the directory.

The Active Directory is not an X.500 directory. Instead, it uses LDAP as the access protocol and supports the X.500 information model without requiring systems to host the entire X.500 overhead. The result is the high level of interoperability required for administering real-world, heterogeneous networks.

The Active Directory supports access via the LDAP protocol from any LDAP- enabled client. LDAP names are less intuitive than Internet names, but the complexity of LDAP naming is usually hidden within an application. LDAP names use the X.500 naming convention called “Attributed Naming.”

An example of an LDAP client is Outlook Express.

A Windows 2000 Domain Controller is a LDAP server and contains all your domain information like user accounts and groups.

A Windows 2000 Domain Controller can also be a Global Catalog (GC) server which contains Forest wide information. You can sent queries to a Global Catalog server to ask user attributes information like email address, street address and phone numbers.

Step 1: Creating a Protocol Definition for a LDAP Server

1. Expand the Policy Elements node in ISA Management console and right click on the Protocols Definitions node. Click New and then click Definition.
   
2. On the Welcome page, type the name of the Protocol Definition, example LDAP Server, click Next.
   
3. On the Primary Connection Information page, type 389 for the Port number, TCP for the Protocol Type and Inbound for the Direction, click Next.

4. On the Secondary Connection page select No and click Next.
   
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a LDAP Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
   
2. On the Welcome page, type in the name of the rule, example LDAP Server, click Next.
   
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller and the External IP address on the ISA server, which is the IP address on your external interface of ISA, click Next.
   
4. On the Protocols Settings page, select the LDAP Server protocol definition that we created above, click Next.

5. On the Client Type page, select the client type to which you want this rule applied and click Next.
   
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published LDAP Server

1. Open Outlook Express from a client computer.
   
2. From the menu, select Tools and Accounts.
   
3. Click on Directory Services, click on the Add button and select Directory Service.
   
4. On the Internet Directory Service Name page, type in the FQDN or External IP address of ISA server, select This server requires me to log on, click Next.
   
5. On the Internet Directory Server Logon page, type in the text box Account name a domain user that have permissions to access the domain controller as follow domainname\username. In the password text box, type in the password for that user account, click Next.

6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your LDAP Server, otherwise choose No, click Next.
   No performs faster response to Outlook Express.

7. On the Congratulations page, click Finish
   
8. Select your Directory Service from the listview, click Properties and Advanced.
   
9. Verify if the Directory Service Port Number is 389
   
10. If you send the queries directly to a LDAP server you need the specify a Search Base. Type in the Search Base textbox DC=domainname,DC=toplevel, example : DC=roswell,DC=edu.

11. Click Apply, click OK and Close the Internet Account dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window, click Find People on the toolbar.
   
2. In the Find window dialog box, select the directory service that you just added. Type in the name text box the username you want to search the email address for and click Find.
   
3. Click Close to exit all windows.

Publishing a Global Catalog Server

Instead of publishing a LDAP server you can publish a Global Catalog server from within your private network. In most cases the GC is the same machine as your DC, but you can use another machine that function as a GC.

Step 1: Creating a Protocol Definition for a Global Catalog Server

1. Expand the Policy Elements node in ISA Management console and right click on the Protocols Definitions node. Click New and then click Definition.
   
2. On the Welcome page, type the name of the Protocol Definition, example GC Server, click Next.
   
3. On the Primary Connection Information page, type 3268 for the Port number, TCP for the Protocol Type and Inbound for the Direction, click Next.

4. On the Secondary Connection page select No and click Next.
   
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a Global Catalog Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
   
2. On the Welcome page, type in the name of the rule, example GC Server, click Next.
   
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller and the External IP address on the ISA server, which is the IP address on your external interface of ISA, click Next.
   
4. On the Protocols Settings page, select the GC Server protocol definition that we created above, click Next.
   
5. On the Client Type page, select the client type to which you want this rule applied and click Next.
   
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published GC Server

1. Open Outlook Express from a client computer.
   
2. From the menu, select Tools and Accounts.
   
3. Click on Directory Services, click on the Add button and select Directory Service.
   
4. On the Internet Directory Service Name page, type in the FQDN or External IP address of ISA, select This server requires me to log on, click Next.
   
5. On the Internet Directory Server Logon page, type in the text box Account name a domain user that have permissions to access the global catalog as follow domainname\username. In the password text box, type in the password for that user account, click Next.
   
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your GC Server, otherwise choose No, click Next.
   No performs faster response to Outlook Express.
   
7. On the Congratulations page, click Finish
   
8. Select your Directory Service from the listview, click Properties and Advanced.
   
9. Verify if the Directory Services Port Number is 3268
   
10. If you send the queries directly to a LDAP server you need the specify a Search Base. Type in the Search Base textbox “NULL”, without quotes.
    
11. Click Apply, click OK and Close the Internet Account dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window, click Find People on the toolbar.
   
2. In the Find window dialog box, select the directory service that you just added. Type in the name text box the username you want to search the email address for and click Find.
   
3. Click Close to exit all windows.

Important
Every time a user performs a query to your LDAP/GC server within Outlook Express, the username and password of the account that is used to query your LDAP/GC server is sent in clear text. Also queries sent to the LDAP/GC and responses (email addressees and user information) are sent in clear text. This can be a security risk, because users email addresses where sent in clear text over the internet and can be used for spamming mail.

Encrypting Traffic From an LDAP Client to the ISA Server using SSL

Perform the following steps to encrypt traffic from an LDAP client to the ISA Server using SSL:

Step 1: Obtain a certificate for the ISA server

1. Before a user application outside the organization can set up an SSL session, your ISA server must have a certificate. An ISA server can obtain a computer certificate through group policies
   
2. Install an Enterprise CA on a Windows 2000 Domain Controller.
   
3. Open the Default Controller Policy using Group Policy Editor.
   
4. Under Computer Configuration, click Windows Settings.
   
5. Click Security Settings, and then click Public Key Policies.
   
6. Click Automatic Certificate Request Settings.
   
7. Use the wizard to add a policy for Computers
   
8. Open the ISA Management console and right click on the server name, select Properties.
   
9. On the Incoming Web Requests page, enable SSL listeners, click Apply.
   
10. Verify that port 443 for SSL is available.
    
11. Close this dialog box.

Note: You can use above procedure to ask a certificate for Domain Controllers (LDAP servers), but instead of Computers, use a Domain Controller policy.

Step 2: Creating a Protocol Definition for a Secure LDAP Server

1. Expand the Policy Elements node in ISA Management console and right click on the Protocols Definitions node. Click New and then click Definition.
   
2. On the Welcome page, type the name of the Protocol Definition, example Secure LDAP Server, click Next.
   
3. On the Primary Connection Information page, type 636 for the Port number, TCP for the Protocol Type and Inbound for the Direction, click Next.

4. On the Secondary Connection page select No and click Next.
   
5. On the last page click Finish.

Step 3: Create a Server Publishing rule to publish a Secure LDAP Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
   
2. On the Welcome page, type in the name of the rule, example Secure LDAP Server, click Next.
   
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller and the External IP address on the ISA server, which is the IP address on your external interface of ISA, click Next.
   
4. On the Protocols Settings page, select the Secure LDAP Server protocol definition that we created above, click Next.

5. On the Client Type page, select the client type to which you want this rule applied and click Next.
   
6. On the last page click Finish.

Step 4: Configure Outlook Express to use your published Secure LDAP Server

1. Open Outlook Express from a client computer.
   
   
2. From the menu, select Tools and Accounts.
   
   
3. Click on Directory Services, click on the Add button and select Directory Service.
   
   
4. On the Internet Directory Service Name page, type in the FQDN or External IP address of ISA, select This server requires me to log on, click Next.
   
   
5. On the Internet Directory Server Logon page, type in the text box Account name a domain user that have permissions to access the domain controller as follow domainname\username. In the password text box, type in the password for that user account, click Next.
   
   
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your LDAP Server, otherwise choose No, click Next.
   No performs faster response to Outlook Express.
   
   
7. On the Congratulations page, click Finish
   
   
8. Select your Directory Service from the listview, click Properties and Advanced.
   
   
9. Check This server requires a secure connection check box. Verify if the Directory Service Port Number is 636
   
   
10. If you send the queries directly to a LDAP server you need the specify a Search Base. Type in the Search Base textbox DC=domainname,DC=toplevel, example : DC=roswell,DC=edu.

11. Click Apply, click OK and Close the Internet Account dialog box.

Step 5: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window, click Find People on the toolbar.
   
2. In the Find window dialog box, select the directory service that you just added. Type in the name text box the username you want to search the email address for and click Find.
   
3. First an SSL tunnel is created between the Outlook Express client and the ISA server before queries will be send.
   
4. Click Close to exit all windows.

Instead of publishing a Secure LDAP server you can publish a Secure Global Catalog server from within your private network

Step 1: Creating a Protocol Definition for a Secure Global Catalog Server

1. Expand the Policy Elements node in ISA Management console and right click on the Protocols Definitions node. Click New and then click Definition.
   
   
2. On the Welcome page, type the name of the Protocol Definition, example GC Server, click Next.
   
   
3. On the Primary Connection Information page, type 3269 fot the Port number, TCP for the Protocol Type and Inbound for the Direction, click Next.
   
   
4. On the Secondary Connection page select No and click Next.
   
   
5. On the last page click Finish.

Step 2: Create a Server Publishing rule to publish a Secure Global Catalog Server

1. Expand the Publishing node in the ISA Management console and right click on the Server Publishing node. Click New and click Rule.
   
   
2. On the Welcome page, type in the name of the rule, example Secure GC Server, click Next.
   
   
3. On the Address Mapping page, type in the IP address of the internal server, which is the IP address of your internal Domain Controller and the External IP address on the ISA server, which is the IP address on your external interface of ISA, click Next.
   
   
4. On the Protocols Settings page, select the Secure GC Server protocol definition that we created above, click Next.
   
   
5. On the Client Type page, select the client type to which you want this rule applied and click Next.
   
   
6. On the last page click Finish.

Step 3: Configure Outlook Express to use your published Secure GC Server

1. Open Outlook Express from a client computer.
   
   
2. From the menu, select Tools and Accounts.
   
   
3. Click on Directory Services, click on the Add button and select Directory Service.
   
   
4. On the Internet Directory Service Name page, type in the FQDN or External IP address of ISA, select This server requires me to log on, click Next.
   
   
5. On the Internet Directory Server Logon page, type in the text box Account name a domain user that have permissions to access the global catalog as follow domainname\username. In the password text box, type in the password for that user account, click Next.
   
   
6. On the Check E-mail addresses page, select Yes if you want to check recipient email addresses against your GC Server, otherwise choose No, click Next.
   No performs faster response to Outlook Express.
   
   
7. On the Congratulations page, click Finish
   
   
8. Select your Directory Service from the listview, click Properties and Advanced.
   
   
9. Check This server requires a secure connection.
   
   
10. Verify if the Directory Services Port Number is 3269

11. If you send the queries directly to a LDAP server you need to specify a Search Base. Type in the Search Base textbox “NULL”, without quotes.
    
12. Click Apply, click OK and Close the Internet Account dialog box.

Step 4: Testing the connection

1. Click Addresses on the Outlook toolbar, in the Address Book window, click Find People on the toolbar.
   
2. In the Find window dialog box, select the directory service that you just added. Type in the name text box the username you want to search the email address for and click Find.
   
   
3. First an SSL tunnel is created between the Outlook Express client and the ISA server before queries will be send
   
   
4. Click Close to exit all windows.

Summary

LDAP Directory Service Port number is 389
LDAP over SSL Directory Service Port Number is 636

GC Directory Service Port number is 3268
GC over SSL Directory Service Port Number is 326