Setting Up isa2006.contoso.com and cwaserver.contoso.com
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
For this lab scenario, isa2006.contoso.com publishes the Communicator Web Access (2007 release) virtual server that is configured for custom authentication. To configure isa2006.contoso.com for this role, you will do the following:
Install Windows Server 2003 SP1 or later on a server with two network adapters (ISA Server 2006 also supports a single-adapter configuration, but this lab uses two).
Configure a static IP address for each network adapter.
Set the interface order.
Add each IP address to the respective DNS server.
Install ISA Server 2006 Standard Edition.
Keep isa2006 in the workgroup, but set the DNS Suffix and NetBIOS Computer Name to contoso.com.
Configure certificates for isa2006.contoso.com.
Create the external Communicator Web Access virtual server using custom authentication.
Configure ISA Server 2006 to publish the virtual server using custom authentication.
Configure the Web listener to point to the LDAP Validation Server.
Create a Web listener, enabled with SSO on isa2006.contoso.com.
Publish the Communicator Web Access virtual server using custom authentication.
Redirect ssoServer traffic to port 444 on the internal network.
Prepare the client to test SSO.
Perform the lab exercises.
The following sections explain these steps in detail, and assume you are using the classic-style Start menu.
The following table summarizes the naming.
Table 9: Naming Conventions for Lab Scenario 2
Name | Description |
---|---|
ISA Server 2006 enabled for SSO | The ISA Server 2006 server that must be deployed in order to provide SSO for the Communicator Web Access (2007 release) virtual server that is configured for custom authentication. |
cwa.contoso.com | The FQDN of the ISA Server external interface. |
isa2006.contoso.com | The FQDN of the ISA Server internal interface. |
internal | The ISA internal interface. |
external | The ISA external interface. |
CWA | The internal Communicator Web Access (2007 release) virtual server. |
cwaSSO | The external Communicator Web Access (2007 release) virtual server configured for custom authentication. |
ssoServer | Web listener on ISA Server 2006. |
ssoCWA | The Web Publishing Rule on ISA Server 2006 that publishes the cwaSSO virtual server configured for custom authentication. |
sso | The LDAP Validation Server Set name. |
Install Windows Server 2003 SP1 or Later on a Server with Two Network Adapters
See the Windows Server 2003 SP1 or later documentation.
Configure Static IP Addresses for isa2006 Network Adapters
To distinguish the two interfaces, this document refers to the two ISA Server 2006 network adapters as the internal network adapter and the external network adapter. Connect the internal adapter to hub 1, and then connect the external adapter to hub 2. Configure each adapter with a static IP address.
To configure the internal network adapter on isa2006 with a static IP address
With the classic style Start menu, click Start, point to Settings, and then click Network Connections.
Right-click the internal network adapter connection, and then click Properties.
Click Internet Protocol (TCP/IP), and then click Properties.
In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP address.
In the IP address box, type 10.10.10.55.
In the Subnet mask box, type 255.255.255.0.
Click Use the following DNS server addresses.
In the Preferred DNS server box, type 10.10.10.1.
Click OK twice.
To configure the external network adapter on isa2006 with a static IP address
Click Start, point to Settings, and then click Network Connections.
Right-click the external network adapter connection, and then click Properties.
Click Internet Protocol (TCP/IP), and then click Properties.
In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP address.
In the IP address box, type 192.168.1.5.
In the Subnet mask box, type 255.255.255.0.
Click Use the following DNS server addresses.
In the Preferred DNS server box, type 192.168.1.x.
Click OK twice.
Set the isa2006 Interface Order
Now set the interface order. Listing the ISA Server 2006 internal interface first in the list of network connections can improve name resolution performance. Any failure to resolve names prevents the Web site from being published successfully.
To set the interface order
Click Start, point to Settings, and click Network Connections.
On the Advanced menu, click Advanced Settings.
On the Adapters and Bindings tab of Advanced Settings, under Connections, click Internal (the name of the ISA internal interface in this example).
Click the up arrow to move the internal interface to the top of the list.
Click OK.
Add the isa2006 Internal IP Address to the contosodc.contoso.com DNS Server
Now add the internal interface IP address to the DNS server.
To add the internal IP address to the DNS server
On contosodc.contoso.com, click Start, point to Programs, point to Administrative Tools, and then double-click DNS.
In the console tree, expand Forward Lookup Zones.
Right-click the contosodc.contoso.com node (using the example naming), and then click Properties.
In the contosodc.contoso.com Properties dialog box, click the Name Servers tab, and then click Add.
On the New Resource Record page, type isa2006.contoso.com in the Server FQDN box.
In the IP address box, type 10.10.10.55, click Add, and then click OK.
In the console tree, expand Reverse Lookup Zones.
Right-click the 10.10.10.in-addr.arpa node (using the example naming), and then click Properties.
In the 10.10.10.in-addr.arpa Properties dialog box, click the Name Servers tab, and then click Add.
In the New Resource Record dialog box, type isa2006.contoso.com in the Server FQDN box.
In the IP address box, type 10.10.10.55, click Add, click OK, and then click Apply.
Click OK.
Close the DNS console.
Add the isa2006 External IP Address to the Internet DNS Server
Now add the ISA Server 2006 external interface IP address to the "Internet" DNS server.
To add the external IP address to the Internet DNS server
On the "Internet" DNS server, click Start, point to Programs, point to Administrative Tools, and then click DNS.
In the console tree, expand Forward Lookup Zones.
Right-click the remote.contoso.com node (using the example naming), and then click Properties.
In the remote.contoso.com Properties dialog box, click the Name Servers tab, and then click Add.
In the New Resource Record dialog box, type cwa.contoso.com in the Server FQDN box. This is the URL that is used by external users to access the published Communicator Web Access (2007 release) external virtual server that is configured for custom authentication.
In the IP address box, type 192.168.1.5, click Add, and then click OK.
In the console tree, expand Reverse Lookup Zones.
Right-click the 1.168.192.in-addr.arpa node (using the example naming), and then click Properties.
In the 1.168.192.in-addr.arpa Properties dialog box, click the Name Servers tab, and then click Add.
In the New Resource Record dialog box, type cwa.contoso.com in the Server FQDN box.
In the IP address box, type 192.168.1.5, click Add, click OK, and then click Apply.
Click OK.
Close the DNS console.
Install ISA Server 2006, Standard Edition
Install ISA Server 2006, Standard Edition. You can get a free 180-day trial of ISA Server 2006 at https://www.microsoft.com/isaserver/2006/trial-software.mspx.
To install ISA Server 2006 for this lab scenario
Double-click IsaAutorun.exe.
Click Install ISA Server 2006.
On the Welcome page, click Next.
On the License Agreement page, click I accept, and then click Next.
On the Customer Information page, enter the appropriate information in the User Name, Organization, and Product Serial Number boxes, and then click Next.
On the Setup Type page, select Typical, and then click Next.
On the Internal Network page, click Add.
On the Addresses page, click Add Adapter.
On the Select Network Adapters page, click the adapter that is connected to the trusted network hub, click OK twice, and then click Next back on the Internal Network page.
On the Firewall Client Connections page, verify that the check box is cleared (the default), and then click Next.
On the Services Warning page, click Next.
On the Ready to Install the Program page, click Install.
On the Installation Wizard Completed page, click Finish.
Keep isa2006 in the Workgroup
The ISA Server in this lab is not a member server of a domain. Even so, both network interfaces on the ISA Server must use the connection-specific DNS suffix contoso.com. You set this from the Properties page of each network interface and from the DNS Suffix and NetBIOS Computer Name page of System Properties.
To set the DNS Suffix
Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Computer Name tab.
Click Change, and then in the Computer Name Changes dialog box, click More.
On the DNS Suffix and NetBIOS computer name page, in the Primary DNS suffix of this computer box, type contoso.com, and then click OK.
Restart the computer.
Configure Certificates on the ISA Server
You must request an SSL certificate and download the CA certificate chain to the Trusted Root Certification Authorities, Certificates folder for the external ISA Server 2006 server interface. The ssoServer interface certificate for this lab scenario should have an FQDN of cwa.contoso.com.
When you create the Web listener in ISA Server 2006, you assign an IP address on which the Web listener listens for traffic. You also bind an SSL certificate to the Web listener and enable SSO on the Web listener, thereby enabling SSO for the internal domain that is accessed by that Web publishing rule. Using a certificate that is issued from a public CA is supported for binding to the Web listener. If you use a certificate that is issued from a private CA, you must install the root CA certificate for the private CA on the ISA server.
Important
The MTLS certificates must be issued from the same CA as the certificates that are used for the Communicator Web Access (2007 release) server and the Office Communications Server 2007 server and must use a duplicated Web server template. A certificate issued from a public CA is supported.
For details about certificate requirements and procedures, see Digital Certificates for ISA Server 2004 at https://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx.
Create the Communicator Web Access Virtual Server using Custom Authentication
Now create the external virtual server that will handle SSO-enabled traffic. The virtual server must be configured to use custom authentication, and it must be published to the Web by an SSO-enabled ISA Server 2006. Users must enter the exact URL that is configured in ISA Server 2006 to get the SSO experience. The user then must enter domain credentials when they first access the SSO-enabled site. The credentials are cached on ISA Server 2006 so that subsequent access by the same user is not challenged.
To create the Communicator Web Access external virtual server using custom authentication
Click Start, point to Programs, point to Administrative Tools, and then click Communicator Web Access (2007 release).
In the scope pane, right-click the server FQDN node, and then click Create Virtual Web Server.
On the Welcome page, click Next.
On the Select Virtual Server Type page, click External, and then click Next.
On the Select Authentication Type page, click Use custom authentication, enter ?Cmd=logoff, and click Next.
On the Select Connection Type page, click HTTPS (recommended), and then click Select Certificate.
On the Select Certificate page, select the certificate for cwaserver.contoso.com, and then click OK.
On the Select Connection Type page, click Next.
On the Select IP Address and Port Settings page, in the Port box, type 444, and click Next. This port number must be different from the port number (443) that you used for the other Communicator Web Access virtual server (lab scenario 1).
On the Server Description page, type cwaSSO, and then click Next.
On the Start Server Option page, click Next.
On the Review Settings before Virtual Server Creation page, click Next.
On the Success page, click Finish.
In the scope pane of the Microsoft Office Communicator Web Access Manager (2007 release) window, the cwaSSO node is added.
Configure the ISA Server 2006 Server to Publish the External Virtual Server
To provide an SSO experience by using ISA Server 2006, enable SSO for the Web listener on ISA Server 2006 that publishes the Communicator Web Access external virtual server (ssoServer) that is configured for custom authentication.
First, specify the LDAP verification server. Then, enable SSO for the Web listener on ISA Server 2006. Finally, publish the Communicator Web Access external virtual server that is configured to use custom authentication.
Specify the LDAP Verification Server
You must specify the set of LDAP servers that ISA Server will use to validate users. You can specify these servers before you create the Web listener (the next step) or during the step that creates the Web listener. Regardless of when you specify the LDAP servers, the process includes creating a user set to which you add only the users and groups that require authentication by the LDAP validation server.
For example, you can create a group in Active Directory called remoteCWAusers and add this group to the LDAP User Set that you create. To the remoteCWAusers group, add only users that require external access to the published Communicator Web Access Web site and that are the only users who will be authenticated on the LDAP validation server. You can also remove users from this group.
Before you create the Web listener, you can use the ISA Server 2006 management snap-in to specify the LDAP servers that will validate users, as shown in the next figure. In the result pane, click Specify RADIUS and LDAP Servers to display the RADIUS and LDAP Server configuration tabs.
Figure 9: Specify RADIUS and LDAP Servers on General Tab
If you choose to specify the LDAP server when you create the Web listener in the next step, the New Web Listener Wizard will provide a page where you can do so. In either case, for details about how to specify the LDAP server, see the Secure Application Publishing paper at .
Create the SSO-Enabled Web Listener
You will now create the SSO-enabled Web listener that listens on the external ssoServer network interface card.
To create the SSO-enabled Web listener
On isa2006.contoso.com, open the ISA server snap-in: click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
On the Firewall Policy (default) result pane, on the Toolbox tab on the right side of the result pane, select Network Objects, click New, and then click Web Listener.
On the Welcome page, type ssoServer in the Web listener name box, and then click Next.
On the Client Connection Security page, accept the default Require SSL secured connections with clients, and then click Next.
On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, select the External check box, and then click Select IP Addresses.
On the External Network Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network.
Select the item in the Available IP Addresses list box.
Click Add, and then click OK.
On the Web Listener IP Addresses page, click Next.
On the Listener SSL Certificates page, click Select Certificate.
On the Select Certificate page, select the certificate you created for the ssoServer Web listener. This certificate should have the FQDN of the URL used to access the ssoServer listener; in this case, cwa.contoso.com. Click Select.
On the Listener SSL Certificates page, click Next.
On the Authentication Settings page, select HTML Form Authentication, select LDAP (Active Directory), and then click Next.
On the Single Sign On Settings page, select the Enable SSO check box. In the SSO domain name box, type .contoso.com (notice the leading period in .contoso.com), and then click Next.
If you did not configure the LDAP verification server before creating the Web listener, you can configure it now on the page that appears. If you have already configured the server, skip to the next step.
On the Completing the New Web Listener Wizard page, click Finish.
In the ISA MMC Firewall Policy result pane, click Apply.
On the Saving Configuration Changes page, click OK.
In the ISA Server snap-in, right-click the Server node in the scope pane, and then click Refresh.
Publish the Communicator Web Access ssoServer Virtual Server
Use the following procedure to create an SSL Web publishing rule for the Communicator Web Access ssoServer virtual server that is configured for custom authentication, and then attach the listener to that publishing rule.
To publish the Communicator Web Access ssoServer site
In the scope pane of the ISA Server snap-in, click the Firewall Policy node.
Click the Tasks tab, and then click Publish Web Sites.
On the Welcome page, in the Web publishing rule name box, type ssoCWA, and then click Next.
On the Select Rule Action page, click Allow, and then click Next.
On the Publishing Type page, verify that Publish a single Web site or load balancer is selected, and then click Next.
On the Server Connection Security page, select the Use SSL to connect to the published Web server or server farm check box, and then click Next. Using SSL is required.
On the Internal Publishing Details page, in the Internal site name box, type the name of the internal site (cwaserver.contoso.com). If necessary, specify the computer name or IP address: select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type cwaserver.contoso.com. When this page is as you want it, click Next.
On the next page, which is also titled Internal Publishing Details, type /* and then click Next.
On the Public Name Details page, in the Public name box, type cwa.contoso.com, and then click Next.
On the Select Web Listener page, in the Web listener list, click ssoServer, and then click Next.
On the Authentication Delegation page, click Basic authentication, and then click Next.
On the User Sets page, click Next.
On the Completing the New Web Publishing Rule Wizard page, click Finish.
In the snap-in, click Apply, click OK, and then refresh the ISA server node: in the scope pane, right-click the server node, and then click Refresh.
Configure ISA Server to Redirect ssoServer Traffic to Port 444
Now configure ISA Server to redirect ssoServer traffic from port 443 to the Communicator Web Access ssoServer virtual server that is running on port 444 on cwaserver.contoso.com.
To configure ISA to redirect https://cwa.contoso.com requests to port 444 on cwaserver
In the ISA Server Management scope pane, click the Firewall Policy node.
In the result pane, right-click the ssoServer Web Publishing rule, and then click Properties.
On the ssoServer Properties page, click the Bridging tab.
On the Bridging tab, click Web server.
Clear the Redirect requests to HTTP port check box, click Redirect requests to SSL port, and then type 444 in the box next to it. You do not need to select a certificate on this page.
Click Apply, and then click OK.
On the main ISA management console, click Apply to commit the changes.
On the Apply New Configuration confirmation box, click OK.
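Two checks worth running once the listener and rule above are in place, as an added example that is not part of the original document: the certificate bound to ssoServer must name the exact public URL users type (cwa.contoso.com), and the session cookie ISA Server returns after form logon must carry the SSO domain typed on the Single Sign On Settings page (.contoso.com, leading period included) so that it is sent to other published contoso.com hosts and to nothing outside that domain. The script assumes the lab names above, that the issuing CA is trusted on the machine running it, and uses a constructed placeholder for the ISA cookie name.

```python
"""Post-setup checks for the ssoServer listener (added example; cookie name is a placeholder)."""
import socket
import ssl
from http.cookies import SimpleCookie

PUBLIC_NAME = "cwa.contoso.com"  # public name of the ssoCWA rule and FQDN in the listener cert
SSO_DOMAIN = ".contoso.com"      # value typed in the SSO domain name box, leading period included


def cert_names(cert):
    """DNS names a certificate is valid for, from the dict ssl.SSLSocket.getpeercert() returns."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def cert_matches_public_name(cert, public_name=PUBLIC_NAME):
    """The listener certificate must name the exact URL users type, or the browser warns."""
    return public_name.lower() in cert_names(cert)


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: decides which hosts the browser will send the SSO cookie to."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def sso_cookie_domain_ok(set_cookie_header, sso_domain=SSO_DOMAIN):
    """True if a Set-Cookie header from ISA is scoped exactly to the configured SSO domain.

    A missing Domain makes the cookie host-only, so SSO across published sites fails;
    a wider Domain (for example .com) would hand the session to unrelated hosts.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return any(m["domain"].lower() == sso_domain.lower() for m in jar.values())


def live_cert_check(public_name=PUBLIC_NAME, port=443):
    """Connect to the published listener and verify the certificate it presents names public_name."""
    ctx = ssl.create_default_context()  # assumes the issuing CA is trusted on this client
    ctx.check_hostname = False          # report the mismatch ourselves instead of raising
    with socket.create_connection((public_name, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=public_name) as tls:
            return cert_matches_public_name(tls.getpeercert(), public_name)


if __name__ == "__main__":
    print("listener certificate names", PUBLIC_NAME + ":", live_cert_check())
    # Constructed sample of a post-logon Set-Cookie header; "ISASSOSession" is a placeholder name
    sample = "ISASSOSession=opaque; Domain=.contoso.com; Path=/; Secure; HttpOnly"
    print("SSO cookie scoped to", SSO_DOMAIN + ":", sso_cookie_domain_ok(sample))
```

Capture the real Set-Cookie header from the browser's response after form logon and pass it to sso_cookie_domain_ok; the first unauthenticated request only redirects to the logon form.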