Using ISA Server with Outlook Web App
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-10-14
Outlook Web App for Microsoft Exchange Server 2010 is designed to take full advantage of the features that are available in Microsoft Internet Security and Acceleration (ISA) Server 2006. Exchange 2010 is also designed to integrate with earlier versions of ISA Server. When you deploy Exchange 2010 in an environment where ISA Server 2006 is being used to help secure your corporate network, the full set of features for Exchange Client Access are available.
Looking for more tasks related to external access? See Managing External Client Access.
The following table lists features in ISA Server 2006 that can help you secure your Exchange messaging environment that includes Outlook Web App.
Using ISA Server 2006 as a reverse proxy server for Outlook Web App
ISA Server 2006 redirects Outlook Web App requests for internal URLs that are contained in the body of any object in Outlook Web App, such as an e-mail message or calendar entry. Users no longer have to remember the external namespaces for internal corporate information that is mapped to an external namespace. For example, if a user sends a link in an e-mail message to an internal namespace such as http://contoso, and this internal URL is mapped to an external namespace such as http://www.contoso.com, the internal URL is automatically translated into the external URL when the user clicks the internal URL.
Web Publishing Load Balancing
ISA Server 2006 can load balance client requests and send them to an array of Client Access servers. When ISA Server 2006 receives a request for a connection to Outlook Web App, it selects a Client Access server and then sends the name of the Client Access server back to the Web browser in a cookie.
In the past, if you used forms-based authentication on the ISA Server computer that had Exchange Server 2003 and ISA Server 2004 or ISA Server 2000 installed, it was not possible to use Gzip compression. This was because ISA Server could not decompress and recompress the information correctly. ISA Server 2006 can decompress, inspect, and then recompress data before it sends the data to your Exchange servers.
Exchange server locations are hidden
When you publish an application through ISA Server, you're protecting the server from direct external access because the name and IP address of the server can't be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then creates a connection to the Client Access server according to the conditions of the server publishing rule.
SSL bridging and inspection
Secure Sockets Layer (SSL) bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts the request, inspects it, and acts as the endpoint for the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. When you use SSL bridging, the secure Web publishing rule is configured to forward the request by using Secure HTTP (HTTPS). ISA Server then initiates a new SSL connection with the published server. Because the ISA Server computer has become an SSL client, it requires the published Web server to respond with a certificate.
An additional advantage of SSL bridging is that an organization has to buy SSL certificates from an external certification authority only for the ISA Server computers. Servers that use ISA Server as a reverse proxy can either not require SSL or use SSL certificates that are generated internally.
You can also terminate the SSL connection at the ISA Server computer and continue to the Client Access server with a connection that isn't encrypted. This is known as SSL offloading. If you do this, the internal URL for Outlook Web App must be set to use HTTP and the external URL must be set to use HTTPS. The internal URL and external URL can be configured through the Exchange Management Console, or by using the Set-OwaVirtualDirectory cmdlet with the InternalURL parameter and ExternalURL parameter in the Exchange Management Shell.
For more information about how to use the Set-OwaVirtualDirectory cmdlet and the EMC to manage Outlook Web App virtual directories, see Set-OwaVirtualDirectory and Managing Outlook Web App Virtual Directories.
Single sign-on enables users to access a group of published Web sites without being required to authenticate with each Web site. When you use ISA Server 2006 as a reverse proxy server for Outlook Web App, ISA Server 2006 can be configured to obtain the user's credentials and pass them to the Client Access server so that users are prompted for their credentials only one time.
For more information about ISA Server 2006 when it is used with Exchange 2010, see What's New and Improved in ISA Server 2006.
When you deploy ISA Server 2006 together with Exchange 2010, you won't have to do any additional configuration to your Exchange infrastructure. However, ISA Server 2006 can be configured in different ways to enable Exchange client access using Outlook Web App, POP3 or IMAP access, Exchange ActiveSync, and Outlook Anywhere. The configuration options depend on the authentication method that you want to use to access Exchange.
Earlier versions of ISA Server, including ISA Server 2004 and ISA Server 2000 when they are deployed with Exchange 2010, don't have the same deployment options for authentication. Additionally, if you're deploying Exchange 2010 with both ISA Server 2006 and an earlier version of ISA Server, you can use the following authentication options:
Basic authentication for Outlook Web App If you plan to use Basic authentication for Outlook Web App, ISA Server 2006 and earlier versions of ISA Server should all use Web Publishing to publish Outlook Web App.
Client certificate authentication If you plan to use a client certificate-based authentication method, ISA Server will automatically perform authentication on the computer that is running ISA Server. Earlier versions of ISA Server, including ISA Server 2004 and ISA Server 2000, require server publishing to use client certificate authentication. If you use client certificate authentication, you can't use ISA Server to inspect the SSL packets before they are sent to the Client Access server.