Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 – Part 4: Importing the OWA Web Site Certificate, Binding the Certificate to the Web Listener and Creating the Destination Set


By Thomas W Shinder M.D.

In the first part of this series on how to publish the Exchange 2003 OWA site using ISA Server 2000, we went over some of the advantages the Exchange 2003 OWA site has over previous versions and a high level overview of the steps required to make the internal Exchange 2003 OWA available to external network users via ISA Server 2000 Web Publishing Rules. If you missed that article, you can check it out here.


In the second part of this series we went over the concept of SSL bridging and how ISA Server 2000 SSL bridging provides unique protection for your OWA 2003 Web site in a way that no other firewall in its class can. We then had a short discussion on certificate services and enterprise CAs and ended up with a detailed account of how to install and configure an enterprise CA. If you need a refresher on what we did, check it out here.

In the third part of this series we expanded on the SSL bridging concept. Then we requested a certificate for the OWA Web site and exported that certificate with its private key to a file. Finally, we forced SSL on the OWA directories. Check out this article here.

In this, part 4 of the series, we’ll discuss:

  • Importing the Web site certificate into the ISA Server firewall’s machine certificate store
  • Configuring the Incoming Web Requests listener to use the Web site certificate
  • Creating the Destination Set for the OWA Web Publishing Rule

Let’s jump right in!

    Step 8: Importing the Web Site Certificate into the ISA Server Firewall’s Machine Certificate Store

    In order to allow the ISA Server firewall to impersonate the OWA Web site, the OWA Web site certificate must be imported into the ISA Server firewall’s machine certificate store. This is a straightforward process when using the Certificates MMC standalone snap-in’s Certificate Import Wizard.

    Perform the following steps to import the OWA Web site’s certificate into the ISA Server firewall’s machine certificate store:

    1. Copy the file that contains the Web site certificate with its private key to the ISA Server firewall computer.
    2. At the ISA Server firewall computer, click the Start button and then click the Run command. Type mmc in the Open text box and click OK.
    3. Click the File menu in the Console 1 window, then click the Add/Remove Snap-in command.
    4. Click Add in the Add/Remove Snap-in dialog box.
    5. Select the Certificates entry in the Add Standalone Snap-in dialog box and click Add.
    6. Select the Computer account option in the Certificates snap-in dialog box and click Next.
    7. Select the Local computer: (the computer this console is running on) option and click Finish.
    8. Click Close in the Add Standalone Snap-in dialog box. Click OK in the Add/Remove Snap-in dialog box.
    9. Expand the Certificates node and click on the Personal node in the left pane of the console. Right click on the Personal node, point to All Tasks and click on Import.
    10. Click Next on the Welcome to the Certificate Import Wizard page.
    11. Type in the path to the file containing the OWA Web site certificate, or use the Browse button to find it. Click Next.
    12. On the Password page, type in the password you assigned to the exported certificate and private key. Select the Mark this key as exportable. This will allow you to back up or transport your keys at a later time option if you want to be able to copy the certificate and private key from the ISA Server firewall to another computer. This is not required if you have left the certificate in place on the OWA site, and keep in mind that an exportable key means anyone who gains administrative access to the firewall can also walk away with the OWA site’s private key. In this example we select this option for fault tolerance reasons (it gives us a second place from which the key can be backed up). Click Next.
    13. Select the Place all certificates in the following store option and confirm that it says Personal in the Certificate store box. Click Next.
    14. Review the settings on the Completing the Certificate Import Wizard page and click Finish.
    15. Click OK in the Certificate Import Wizard dialog box informing you The import was successful.
    16. Expand the Personal node in the left pane of the console and click on the Certificates node. Note that there are two certificates in the right pane of the console: WIN2003CA and www.internal.net. The WIN2003CA certificate is the CA certificate of the enterprise CA; it came along because the entire certification path was included when the Web site certificate was exported in Part 3. We do not need this certificate in the ISA Server firewall’s Personal certificate store. Right click on the CA certificate and click Delete.
    17. Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Click the Refresh button in the MMC button bar. Scroll through the list of certificates in the right pane of the console and find the CA certificate. The CA certificate appears in this list because you chose to export all the certificates in the chain when you exported the OWA Web site certificate, and the Certificate Import Wizard placed the CA certificate in the root store. Verify that the CA certificate for your enterprise CA appears in the list in the right pane of the console.
    18. Close the console without saving it.

    Note:
    It is critical that the CA certificate appear in the Trusted Root Certification Authorities certificate store on the ISA Server firewall. Your secure OWA SSL-to-SSL bridging configuration will not work if the CA certificate is not located here, because the firewall must be able to validate the OWA Web site’s certificate when it opens the second SSL connection to the internal Exchange server. If you do not see the certificate in this list, delete the OWA Web site certificate from the Personal certificates store, export the OWA Web site certificate again (this time making sure to include all certificates in the certification path), and then import it again.
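    The same import and the checks the note asks for can be done from an administrative PowerShell prompt on the firewall using the .NET X509 classes. The script below is an added example and is not code from the original article or from Microsoft; it assumes the exported file is at C:\certs\owa.pfx, that its password is supplied in $PfxPassword, that the public FQDN is www.internal.net (the name used throughout this series), and that the enterprise CA is a single-tier root, so its certificate is self-signed. Beyond the wizard walkthrough above, it also confirms that the private key is present, that the certificate’s common name is the external FQDN, and that the chain builds to a trusted root before you bind the certificate to the listener.

```powershell
# Added example (not code from the original article). Imports the exported
# OWA Web site certificate and private key into the ISA Server firewall's
# machine store and then verifies the conditions SSL bridging depends on.
# Assumed values: the PFX is at C:\certs\owa.pfx, its password is supplied
# in $PfxPassword, the public FQDN is www.internal.net (the name the article
# uses), and the CA is a single-tier enterprise root, so its certificate is
# self-signed. Run from an elevated prompt: writing to LocalMachine stores
# requires administrative rights.
param(
    [string]$PfxPath      = 'C:\certs\owa.pfx',
    [string]$PfxPassword  = 'ChangeMe',
    [string]$ExternalFqdn = 'www.internal.net'
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# MachineKeySet: the private key goes into the machine key container, where the
# Web Proxy service (not only the logged-on administrator) can use it.
# PersistKeySet: the key stays on disk after this process exits.
# Exportable: same effect as the wizard's "Mark this key as exportable" option.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet, Exportable'

# Load everything in the PFX. Because the chain was included at export time
# (Part 3), this yields the OWA certificate and the CA certificate.
$bundle = New-Object -TypeName "$X509.X509Certificate2Collection"
$bundle.Import($PfxPath, $PfxPassword, $flags)

$owaCert = @($bundle | Where-Object { $_.HasPrivateKey })[0]
$caCerts = @($bundle | Where-Object { -not $_.HasPrivateKey -and $_.Subject -eq $_.Issuer })
if (-not $owaCert) { throw "No certificate with a private key found in $PfxPath" }

function Add-ToMachineStore([string]$StoreName, $Certificate) {
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList $StoreName, $location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($Certificate)     # Add() does nothing if this certificate is already present
    $store.Close()
}

# Same end state the article reaches by hand: Web site certificate in Personal
# (My), CA certificate in Trusted Root Certification Authorities (Root).
Add-ToMachineStore 'My' $owaCert
foreach ($ca in $caCerts) { Add-ToMachineStore 'Root' $ca }

# Check 1: the subject CN must be the FQDN external users type, because the
# listener presents this certificate as if it were the OWA site itself.
$cn = $owaCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ExternalFqdn) { Write-Warning "Certificate CN is '$cn' but the external FQDN is '$ExternalFqdn'" }

# Check 2: the chain must build to a root this machine trusts. An UntrustedRoot
# status here is the failure the article's note warns about. Revocation
# checking is off because the firewall is not assumed to reach the internal
# CA's CRL distribution point.
$chain = New-Object -TypeName "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($owaCert)) {
    $root = @($chain.ChainElements)[-1].Certificate
    Write-Host "Chain OK; trusted root: $($root.Subject)"
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# Check 3: validity window, so the listener never hands out an expired certificate.
if ($owaCert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($owaCert.NotAfter)" }
Write-Host ("Imported {0}, thumbprint {1}, valid {2:d} to {3:d}" -f $cn, $owaCert.Thumbprint, $owaCert.NotBefore, $owaCert.NotAfter)
```

    If the chain check reports UntrustedRoot, the CA certificate did not make it into the Trusted Root Certification Authorities store; the remedy is the one in the note above. If the CN warning fires, the listener will still start, but every external browser will complain that the certificate name does not match the site.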


    Step 9: Configure the Incoming Web Requests Listener to Use the Web Site Certificate

    The next step is to configure the Incoming Web Requests listener to use this certificate to impersonate the OWA Web site. The Incoming Web Requests listener listens for requests on TCP port 80 and TCP port 443 (for secure requests) and forwards these to the Web Proxy service. The Web Proxy service then compares elements of the request with settings in Web Publishing Rules. If one of the Web Publishing Rules matches the parameters in the request, then the Web Proxy service forwards it to the published server on the internal network.

    We must bind the OWA Web site certificate to the Incoming Web Requests listener before creating the Web Publishing Rule. Perform the following steps to create this binding:

    1. Open the ISA Management console. Right click on the server name in the left pane of the console and click the Properties command.
    2. In the server Properties dialog box, click on the Incoming Web Requests tab. Select the Configure listeners individually per IP address option and click Add.
    3. In the Add/Edit Listeners dialog box, set the following options:

    • Server
      Select your server name from the list. If this server is not a member of an enterprise array, your only choice will be the name of the local server.

    • IP Address
      Select the IP address you want the listener to listen on. This is the external interface address that the FQDN in the certificate’s common name resolves to in the public DNS, and that FQDN is the name external users will use to access the OWA Web site. If the name resolves to a different address, or users connect by a name other than the common name, browsers will warn that the certificate does not match the site.

    • Display Name
      Give a name to the listener. In this example I call it primary ext since this is the primary address on the external interface of the ISA Server firewall.

    • Use a server certificate to authenticate to web clients
      Place a checkmark in this checkbox to assign the OWA Web site certificate to the listener.

    Click the Select button to select the OWA Web site certificate.

    4. Select the OWA Web site certificate from the list in the Select Certificate dialog box. In this example there is a single certificate to choose from, the OWA Web site certificate we imported into the ISA Server firewall’s machine certificate store. Click on the certificate and then click OK.
    5. In the Add/Edit Listeners dialog box, put a checkmark in the Basic with this domain checkbox. An ISA Server Configuration dialog box appears warning you that you should use SSL to protect the credentials when using basic authentication, since they are passed in clear text (Base64 encoding is not encryption). The SSL listener we are configuring is exactly that protection. Click Yes to confirm that you understand.
    6. Click the Select domain button. In the Select Domain dialog box, type in the name of your user domain and click OK.
    7. Click OK in the Add/Edit Listeners dialog box.
    8. On the server Properties dialog box, put a checkmark in the Enable SSL listeners check box. Click OK in the SSL Listeners dialog box that informs you that you must bind a certificate to the listener before it will accept inbound SSL connections.
    9. Click Apply. Select the Save the changes and restart the service(s) option and click OK.
    10. Click OK in the server Properties dialog box.


    Step 10: Configure the Destination Set for the Web Publishing Rule

    You need to configure a Destination Set to use in the OWA Web Publishing Rule. This Destination Set includes the FQDN used by the external users to access the OWA Web site, which is also the common name used in the OWA Web site certificate. This Destination Set will contain three entries, one for each of the virtual directories required to access the OWA Web site: /exchange, /exchweb and /public. Limiting the set to these paths means the Web Publishing Rule exposes only the OWA directories rather than everything on the internal Web server.

    Perform the following steps to create the Destination Set:

    1. Open the ISA Management console, expand your server name and then expand the Policy Elements node. Right click on the Destination Sets node, point to New and click on Set.
    2. In the New Destination Set dialog box, type in a name for the Destination Set in the Name text box. In this example we name it OWA Web Site. Type in a description in the Description text box. In this example we use the description Destination Set for the OWA Web Pub Rule. Click Add.
    3. In the Add/Edit Destination dialog box, select the Destination option and type in the FQDN for the OWA Web site. In this example the FQDN used to access the OWA Web site is www.internal.net. In the Path text box, type /exchange* and click OK.
    4. Click Add in the New Destination Set dialog box. In the Add/Edit Destination dialog box, select the Destination option and type www.internal.net in the text box. In the Path text box, type /exchweb* and click OK.
    5. Click Add in the New Destination Set dialog box. In the Add/Edit Destination dialog box, select the Destination option and type www.internal.net in the text box. In the Path text box, type /public* and click OK.
    6. Click OK in the New Destination Set dialog box after entering the three destinations into the Destination Set.
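    To see what these three entries do and do not cover before the rule goes live, here is an added example (not code from the original article or from ISA Server) that models the Destination Set as a host name plus a list of paths and tests some constructed request URLs against it. It assumes the visible semantics of the entries: the host must match exactly (case-insensitively, as DNS names do) and a path ending in * matches any path that begins with the text before the asterisk. It is a model of the entries, not ISA Server’s own matching code.

```powershell
# Added example (not code from the original article). A small model of how
# the three-entry Destination Set constrains what the OWA Web Publishing Rule
# can match. Assumptions: an entry is an exact (case-insensitive) host name plus
# a path that is either exact or a prefix ending in '*'; this reproduces the
# visible semantics of the entries, not ISA Server's internal matching code.
# The sample URLs are constructed for illustration.
$OwaDestinationSet = @{
    Name        = 'OWA Web Site'
    Destination = 'www.internal.net'
    Paths       = @('/exchange*', '/exchweb*', '/public*')
}

function Test-DestinationSet {
    param([hashtable]$Set, [string]$Url)
    $uri = [System.Uri]$Url
    # The Host header must name the published site exactly.
    if ($uri.Host -ne $Set.Destination) { return $false }
    foreach ($path in $Set.Paths) {
        if ($path.EndsWith('*')) {
            # Wildcard entry: plain prefix match on the request path.
            $prefix = $path.TrimEnd('*')
            if ($uri.AbsolutePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        } elseif ($uri.AbsolutePath -eq $path) {
            # Exact entry: the whole path must match.
            return $true
        }
    }
    return $false
}

$samples = @(
    'https://www.internal.net/exchange/',             # OWA entry point
    'https://www.internal.net/exchweb/img/logo.gif',  # OWA static content
    'https://www.internal.net/public/',               # public folders
    'https://www.internal.net/',                      # site root: not in the set
    'https://www.internal.net/exchangeadmin/',        # /exchange* is a prefix, so this matches too
    'https://owa.internal.net/exchange/'              # different host: not in the set
)
foreach ($url in $samples) {
    $matched = Test-DestinationSet -Set $OwaDestinationSet -Url $url
    '{0,-5} {1}' -f $matched, $url
}
```

    Two things worth noticing in the output: a request for the bare site root is not in the set, which is why the next part of the series deals with redirecting users who type only the host name, and a trailing asterisk is a prefix match, so /exchange* admits any path beginning with /exchange, not only the /exchange virtual directory itself.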


    Summary

    In this, part 4 of our publishing the Exchange OWA site with ISA Server 2000 series, we went over how to import the OWA Web site certificate into the ISA Server firewall’s certificate store, how to bind that certificate to the Incoming Web Requests listener, and how to create the Destination Set that we will use to create the OWA Web Publishing Rule.

    In the next and final article in our series, we’ll create the OWA Web Publishing Rule and discuss the DNS issues that you need to confront before bringing your site online. We’ll also discuss a quick and dirty way to create a HOSTS file entry to simplify the redirect you use in the Web Publishing Rule. Finally, we’ll cover the option of using URLScan 2.5 to protect your OWA site.

    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=009703 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
