Using ISA Server with Exchange ActiveSync
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2010-08-12
We recommend that you use Microsoft Internet Security and Acceleration (ISA) Server 2006 to enhance the security of all available client access methods in your Microsoft Exchange Server 2010 deployment. When you configure Microsoft Exchange ActiveSync client access with ISA Server 2006, communications between Exchange ActiveSync clients and the Exchange server pass through an ISA Server computer, which terminates the client's Secure Sockets Layer (SSL) connection, inspects the decrypted traffic, and then opens a separate SSL connection to the Exchange server (SSL bridging). The traffic is therefore never exposed unencrypted on the network, but it is no longer opaque to the perimeter either.
Exchange ActiveSync enables information workers to access their Microsoft Exchange messaging data using a mobile device. For more information about Exchange ActiveSync, see the following topics:
The following table describes several of the benefits of using ISA Server 2006 to protect Exchange ActiveSync client access to your Exchange deployment.
ISA Server 2006 features for Exchange ActiveSync
Exchange server locations are hidden
When you publish an application through ISA Server, you are protecting the server from direct external access because the name and IP address of the server can't be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then forwards the request to the server according to the conditions of the server publishing rule.
SSL Bridging and Inspection
SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts it, inspects it, and terminates the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request by using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires the published Web server to respond with a server-side certificate; the name on that certificate must match the internal site name specified in the publishing rule, and the ISA Server computer must trust the CA that issued it, or the forwarded request fails.
When you deploy ISA Server 2006 to help secure communication from Exchange ActiveSync clients on the Internet to Exchange 2010 computers that have the Client Access server role installed, we recommend that you confirm the following:
Forms-based authentication isn't configured on the Exchange Client Access server. When ISA Server 2006 is used to publish Exchange client access, we recommend that forms-based authentication be configured only on the ISA Server computer. Exchange ActiveSync clients themselves don't use forms-based authentication; the setting to check is on the Outlook Web App and Exchange Control Panel virtual directories of the same Client Access server.
A server certificate is installed on the Exchange Client Access server. This certificate can be from an internal certification authority (CA) or a public CA.
SSL is required on all Exchange Client Access virtual directories.
After you confirm these settings, you can configure ISA Server 2006 to provide Exchange ActiveSync access for your clients.
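The three prerequisites above can be confirmed from the Exchange Management Shell rather than by clicking through IIS Manager. The following script is an added example, not part of the original article or of any Microsoft tool: it runs on the Client Access server itself (the IIS checks are local), and `$InternalSiteName` is an assumed value, the name the ISA publishing rule will use to reach this server, which the IIS certificate must carry.

```powershell
# Added example, not from the original article: pre-flight checks on an Exchange 2010
# Client Access server before it is published through ISA Server 2006. Run it in the
# Exchange Management Shell on the Client Access server itself (the IIS checks are local).
# $InternalSiteName is an assumed value: the name ISA Server will use to reach this server
# in the publishing rule; the certificate bound to IIS must carry that name.
param(
    [string]$InternalSiteName = "cas01.corp.contoso.com",
    [string]$SiteName = "Default Web Site"
)

Import-Module WebAdministration -ErrorAction Stop
$server   = $env:COMPUTERNAME
$problems = @()

# 1. Forms-based authentication must stay off on the Client Access server; when ISA Server
#    publishes Exchange, the logon form is presented by ISA Server only. ActiveSync itself
#    uses Basic authentication over SSL; OWA and ECP are the directories where FBA can be on.
foreach ($vd in (@(Get-OwaVirtualDirectory -Server $server) + @(Get-EcpVirtualDirectory -Server $server))) {
    if ($vd.FormsAuthentication) {
        $problems += "Forms-based authentication is enabled on '$($vd.Identity)'; disable it (Set-OwaVirtualDirectory / Set-EcpVirtualDirectory -FormsAuthentication:`$false -BasicAuthentication:`$true)."
    }
}
foreach ($eas in @(Get-ActiveSyncVirtualDirectory -Server $server)) {
    if (-not $eas.BasicAuthentication) {
        $problems += "Basic authentication is disabled on '$($eas.Identity)'; ActiveSync devices require it (it is the default)."
    }
}

# 2. A server certificate must be installed, enabled for IIS, unexpired, and carry the name
#    ISA Server will connect to (ISA checks the certificate name against the internal site name).
$iisCerts = @(Get-ExchangeCertificate -Server $server | Where-Object { $_.Services.ToString() -match 'IIS' })
if ($iisCerts.Count -eq 0) {
    $problems += "No certificate is enabled for the IIS service; use Enable-ExchangeCertificate -Services IIS."
}
foreach ($c in $iisCerts) {
    if ($c.NotAfter -lt (Get-Date)) { $problems += "Certificate $($c.Thumbprint) expired on $($c.NotAfter)." }
    $names = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
    if ($names -notcontains $InternalSiteName) {
        $problems += "Certificate $($c.Thumbprint) does not contain '$InternalSiteName' (names: $($names -join ', '))."
    }
}

# 3. SSL must be required on every Client Access virtual directory. That requirement lives
#    in IIS (system.webServer/security/access sslFlags), not in the Exchange cmdlets.
$vdirs = 'owa', 'ecp', 'Microsoft-Server-ActiveSync', 'EWS', 'OAB', 'Autodiscover', 'Rpc'
foreach ($name in $vdirs) {
    $path = "IIS:\Sites\$SiteName\$name"
    if (-not (Test-Path $path)) { continue }   # not every directory exists on every server
    $raw   = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags
    $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    if (($flags -split ',\s*') -notcontains 'Ssl') {
        $problems += "SSL is not required on /$name (sslFlags = '$flags'); set it with Set-WebConfigurationProperty -PSPath '$path' -Filter system.webServer/security/access -Name sslFlags -Value 'Ssl'."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Client Access server $server is ready to be published through ISA Server 2006."
} else {
    Write-Warning "Fix the following before creating the ISA publishing rule:"
    $problems | ForEach-Object { Write-Warning "  $_" }
}
```

Run it as `.\Test-CasPublishingPrereqs.ps1 -InternalSiteName cas01.corp.contoso.com` (the file name is whatever you save it as). The certificate-name check matters more than it looks: ISA Server 2006 compares the name on the Client Access server's certificate with the internal site name in the rule, and a mismatch surfaces to devices only as a generic HTTP 500 from ISA.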
To enable an encrypted channel between the client computer and the ISA Server computer, you first have to install a server certificate on the ISA Server computer. This certificate should be issued by a public CA because it will be accessed by users on the Internet. If a private CA is used, the root certificate from the private CA must be installed on any computer or mobile device that requires a secure (HTTPS) connection to the ISA Server computer; a device that doesn't trust the issuing CA fails to synchronize.
For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.
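Once the listener certificate is installed, it is worth checking it the way an Internet client will see it rather than from inside the network. The following script is an added example, not part of the original article or of ISA Server: it runs from a computer outside the network, opens an SSL connection to the public name, and reports name mismatches, expiry, and chain problems (an untrusted private root shows up as UntrustedRoot). `$PublicName` is an assumed value, the host name users type into their devices.

```powershell
# Added example, not from the original article: an Internet-side check of the server
# certificate that the ISA Server 2006 Web listener presents to Exchange ActiveSync
# clients. Run from a computer outside the network. $PublicName is an assumed value:
# the public host name devices are configured with (it must appear on the certificate).
param(
    [string]$PublicName = "mail.contoso.com",
    [int]$Port = 443
)

# Returns $true when a certificate name (including a single-label wildcard such as
# *.contoso.com) matches the host name clients connect to.
function Test-CertNameMatch([string]$Pattern, [string]$HostName) {
    if ($Pattern.StartsWith('*.')) {
        $sameLabels = $Pattern.Split('.').Count -eq $HostName.Split('.').Count
        return $sameLabels -and $HostName.EndsWith($Pattern.Substring(1), [StringComparison]::OrdinalIgnoreCase)
    }
    return [string]::Equals($Pattern, $HostName, [StringComparison]::OrdinalIgnoreCase)
}

# Open the SSL connection and capture the listener's certificate. The callback returns
# $true so that a bad certificate is still retrieved and reported below instead of
# aborting the handshake.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $PublicName, $Port
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($PublicName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $protocol = $ssl.SslProtocol
} finally {
    $ssl.Close(); $tcp.Close()
}

$findings = @()

# 1. Name: the subject DNS name plus any Subject Alternative Names (OID 2.5.29.17).
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format() yields "DNS Name=a.contoso.com, DNS Name=b.contoso.com" (label text is localized).
    $names += @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
}
$nameOk = $false
foreach ($n in $names) { if (Test-CertNameMatch $n $PublicName) { $nameOk = $true } }
if (-not $nameOk) { $findings += "Certificate names ($($names -join ', ')) do not match '$PublicName'." }

# 2. Validity period.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $findings += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. Chain: build it against this computer's trust store. UntrustedRoot is exactly what a
#    client sees when the listener certificate comes from a private CA whose root it lacks.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    foreach ($status in $chain.ChainStatus) {
        $findings += "Chain: $($status.Status) ($($status.StatusInformation.Trim()))"
    }
}

"Listener certificate: $($cert.Subject)"
"Issued by:            $($cert.Issuer)"
"Protocol negotiated:  $protocol"
if ($findings.Count -eq 0) {
    "OK: clients on the Internet will accept this certificate for $PublicName."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Because the handshake callback accepts everything, the script never trusts the connection for anything beyond reading the certificate; the real verdict comes from the explicit name, validity, and chain checks so that all problems are listed at once. Run it once from a machine that has the private root installed and once from one that doesn't to see the difference the note above describes.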
After a server certificate is installed on the ISA Server computer, you can run the New Exchange Publishing Rule Wizard. Running the New Exchange Publishing Rule Wizard to provide Exchange ActiveSync access involves the following steps:
- Create a server farm (optional): When you have more than one Client Access server within your organization, you can use ISA Server to provide load balancing for these servers. The server farm properties determine the following:
  - The specific servers included in the farm.
  - The connectivity verification method that ISA Server will use to verify that the servers are functioning correctly.
- Create a Web listener: When you create a Web publishing rule, you must specify a Web listener. The Web listener properties determine the following:
  - The IP addresses and ports on the specified networks the ISA Server computer uses to listen for Web requests (HTTP or HTTPS).
  - Which server certificate to use with each IP address.
  - The authentication method to use.
  - The number of concurrent connections allowed.
  - Single sign-on (SSO) settings.
- Create an Exchange Web client access publishing rule: When you publish an internal Exchange 2010 Client Access server through ISA Server 2006, you are protecting the Web server from direct external access because the name and IP address of the server can't be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange client access.
For more information about how to use the New Exchange Publishing Rule Wizard, see Microsoft ISA Server 2006.