Setting Up isa2006.contoso.com and cwaserver.contoso.com

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

For this lab scenario, isa2006.contoso.com publishes the Communicator Web Access (2007 release) virtual server that is configured for custom authentication. To configure isa2006.contoso.com for this role, you will do the following:

  1. Install Windows Server 2003 SP1 or later on a server with two network adapters, even though ISA Server 2006 also supports a single network adapter.

  2. Configure a static IP address for each network adapter.

  3. Set the interface order.

  4. Add each IP address to the respective DNS server.

  5. Install ISA Server 2006 Standard Edition.

  6. Keep isa2006 in the workgroup, but set the DNS Suffix and NetBIOS Computer Name to contoso.com.

  7. Configure certificates for isa2006.contoso.com.

  8. Create the external Communicator Web Access virtual server using custom authentication.

  9. Configure ISA Server 2006 to publish the virtual server using custom authentication.

  10. Configure the Web listener to point to the LDAP Validation Server.

  11. Create a Web listener, enabled with SSO on isa2006.contoso.com.

  12. Publish the Communicator Web Access virtual server using custom authentication.

  13. Redirect ssoServer traffic to port 444 on the internal network.

  14. Prepare the client to test SSO.

  15. Perform the lab exercises.

The following sections explain these steps in detail, and assume you are using the classic-style Start menu.

The following table summarizes the naming.

Table 9: Naming Conventions for Lab Scenario 2

ISA Server 2006 enabled for SSO: The ISA Server 2006 server that must be deployed in order to provide SSO for the Communicator Web Access (2007 release) virtual server that is configured for custom authentication.

cwa.contoso.com: The FQDN of the ISA Server external interface.

isa2006.contoso.com: The FQDN of the ISA Server internal interface.

internal: The ISA internal interface.

external: The ISA external interface.

CWA: The internal Communicator Web Access (2007 release) virtual server.

cwaSSO: The external Communicator Web Access (2007 release) virtual server configured for custom authentication.

ssoServer: The Web listener on ISA Server 2006.

ssoCWA: The Web publishing rule on ISA Server 2006 that publishes the cwaSSO virtual server configured for custom authentication.

sso: The LDAP Validation Server Set name.

Install Windows Server 2003 SP1 or Later on a Server with Two Network Adapters

See the Windows Server 2003 SP1 or later documentation.

Configure Static IP Addresses for isa2006 Network Adapters

To distinguish the two interfaces, this document refers to the two ISA Server 2006 network adapters as the internal network adapter and the external network adapter. Connect the internal adapter to hub 1, and then connect the external adapter to hub 2. Configure each adapter with a static IP address.

To configure the internal network adapter on isa2006 with a static IP address

  1. With the classic-style Start menu, click Start, point to Settings, and then click Network Connections.

  2. Right-click the internal network adapter connection, and then click Properties.

  3. Click Internet Protocol (TCP/IP), and then click Properties.

  4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP address.

  5. In the IP address box, type 10.10.10.55.

  6. In the Subnet mask box, type 255.255.255.0.

  7. Click Use the following DNS server addresses.

  8. In the Preferred DNS server box, type 10.10.10.1.

  9. Click OK twice.

To configure the external network adapter on isa2006 with a static IP address

  1. Click Start, point to Settings, and then click Network Connections.

  2. Right-click the external network adapter connection, and then click Properties.

  3. Click Internet Protocol (TCP/IP), and then click Properties.

  4. In the Internet Protocol (TCP/IP) Properties dialog box, click Use the following IP address.

  5. In the IP address box, type 192.168.1.5.

  6. In the Subnet mask box, type 255.255.255.0.

  7. Click Use the following DNS server addresses.

  8. In the Preferred DNS server box, type 192.168.1.x.

  9. Click OK twice.

Set the isa2006 Interface Order

Now set the interface order. Listing the ISA Server 2006 internal interface first in the list of network connections can improve name resolution performance. Any failure to resolve names prevents the Web site from being published successfully.

To set the interface order

  1. Click Start, point to Settings, and click Network Connections.

  2. On the Advanced menu, click Advanced Settings.

  3. On the Adapters and Bindings tab of Advanced Settings, under Connections, click Internal (the name of the ISA internal interface in this example).

  4. Click the up arrow to move the internal interface to the top of the list.

  5. Click OK.

Add the isa2006 Internal IP Address to the contosodc.contoso.com DNS Server

Now add the internal interface IP address to the DNS server.

To add the internal IP address to the DNS server

  1. On contosodc.contoso.com, click Start, point to Programs, point to Administrative Tools, and then double-click DNS.

  2. In the console tree, expand Forward Lookup Zones.

  3. Right-click the contosodc.contoso.com node (using the example naming), and then click Properties.

  4. In the contosodc.contoso.com Properties dialog box, click the Name Servers tab, and then click Add.

  5. On the New Resource Record page, type isa2006.contoso.com in the Server FQDN box.

  6. In the IP address box, type 10.10.10.55, click Add, and then click OK.

  7. In the console tree, expand Reverse Lookup Zones.

  8. Right-click the 10.10.10.in-addr.arpa node (using the example naming), and then click Properties.

  9. In the 10.10.10.in-addr.arpa Properties dialog box, click the Name Servers tab, and then click Add.

  10. In the New Resource Record dialog box, type isa2006.contoso.com in the Server FQDN box.

  11. In the IP address box, type 10.10.10.55, click Add, click OK, and then click Apply.

  12. Click OK.

  13. Close the DNS console.

Add the isa2006 External IP Address to the Internet DNS Server

Now add the ISA Server 2006 external interface IP address to the "Internet" DNS server.

To add the external IP address to the Internet DNS server

  1. On the "Internet" DNS server, click Start, point to Programs, point to Administrative Tools, and then click DNS.

  2. In the console tree, expand Forward Lookup Zones.

  3. Right-click the remote.contoso.com node (using the example naming), and then click Properties.

  4. In the remote.contoso.com Properties dialog box, click the Name Servers tab, and then click Add.

  5. In the New Resource Record dialog box, type cwa.contoso.com in the Server FQDN box. This is the URL that is used by external users to access the published Communicator Web Access (2007 release) external virtual server that is configured for custom authentication.

  6. In the IP address box, type 192.168.1.5, click Add, and then click OK.

  7. In the console tree, expand Reverse Lookup Zones.

  8. Right-click the 1.168.192.in-addr.arpa node (using the example naming), and then click Properties.

  9. In the 1.168.192.in-addr.arpa Properties dialog box, click the Name Servers tab, and then click Add.

  10. In the New Resource Record dialog box, type cwa.contoso.com in the Server FQDN box.

  11. In the IP address box, type 192.168.1.5, click Add, click OK, and then click Apply.

  12. Click OK.

  13. Close the DNS console.

Install ISA Server 2006, Standard Edition

Install ISA Server 2006, Standard Edition. You can get a free 180-day trial of ISA Server 2006 at https://www.microsoft.com/isaserver/2006/trial-software.mspx.

To install ISA Server 2006 for this lab scenario

  1. Double-click IsaAutorun.exe.

  2. Click Install ISA Server 2006.

  3. On the Welcome page, click Next.

  4. On the License Agreement page, click I accept, and then click Next.

  5. On the Customer Information page, enter the appropriate information in the User Name, Organization, and Product Serial Number boxes, and then click Next.

  6. On the Setup Type page, select Typical, and then click Next.

  7. On the Internal Network page, click Add.

  8. On the Addresses page, click Add Adapter.

  9. On the Select Network Adapters page, click the adapter that is connected to the trusted network hub, click OK twice, and then click Next back on the Internal Network page.

  10. On the Firewall Client Connections page, verify that the check box is cleared (the default), and then click Next.

  11. On the Services Warning page, click Next.

  12. On the Ready to Install the Program page, click Install.

  13. On the Installation Wizard Completed page, click Finish.

Keep isa2006 in the Workgroup

The ISA Server in this lab is not a member server of a domain. Even so, both network interface cards on the ISA Server must use the connection-specific DNS suffix contoso.com. You set this from the Properties page of each network interface and from the DNS Suffix and NetBIOS Computer Name page of System Properties.

To set the DNS Suffix

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click System, and then click the Computer Name tab.

  3. Click Change, and then, in the Computer Name Changes dialog box, click More.

  4. On the DNS Suffix and NetBIOS computer name page, in the Primary DNS suffix of this computer box, type contoso.com, and then click OK.

  5. Restart the computer.

Configure Certificates on the ISA Server

You must request an SSL certificate and download the CA certificate chain to the Trusted Root Certification Authorities, Certificates folder for the external ISA Server 2006 server interface. The ssoServer interface certificate for this lab scenario should have an FQDN of cwa.contoso.com.

When you create the Web listener in ISA Server 2006, you assign an IP address on which the Web listener listens for traffic. You also bind an SSL certificate to the Web listener and enable SSO on the Web listener, thereby enabling SSO for the internal domain that is accessed by that Web publishing rule. Using a certificate that is issued from a public CA is supported for binding to the Web listener. If you use a certificate that is issued from a private CA, you must install the root CA certificate for the private CA on the ISA server.

Important

The MTLS certificates must be issued from the same CA as the certificates that are used for the Communicator Web Access (2007 release) server and the Office Communications Server 2007 server and must use a duplicated Web server template. A certificate issued from a public CA is supported.

For details about certificate requirements and procedures, see Digital Certificates for ISA Server 2004 at https://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx.

Create the Communicator Web Access Virtual Server using Custom Authentication

Now create the external virtual server that will handle SSO-enabled traffic. The virtual server must be configured to use custom authentication, and it must be published to the Web by an SSO-enabled ISA Server 2006. Users must enter the exact URL that is configured in ISA Server 2006 to get the SSO experience, and they must enter domain credentials when they first access the SSO-enabled site. The credentials are cached on ISA Server 2006 so that subsequent access by the same user is not challenged.

To create the Communicator Web Access external virtual server using custom authentication

  1. Click Start, point to Programs, point to Administrative Tools, and then click Communicator Web Access (2007 release).

  2. In the scope pane, right-click the server FQDN node, and then click Create Virtual Web Server.

  3. On the Welcome page, click Next.

  4. On the Select Virtual Server Type page, click External, and then click Next.

  5. On the Select Authentication Type page, click Use custom authentication, enter ?Cmd=logoff, and then click Next.

  6. On the Select Connection Type page, click HTTPS (recommended), and then click Select Certificate.

  7. On the Select Certificate page, select the certificate for cwaserver.contoso.com, and then click OK.

  8. On the Select Connection Type page, click Next.

  9. On the Select IP Address and Port Settings page, in the Port box, type 444, and then click Next. This port number must be different from the port number (443) that you used for the other Communicator Web Access virtual server (lab scenario 1).

  10. On the Server Description page, type cwaSSO, and then click Next.

  11. On the Start Server Option page, click Next.

  12. On the Review Settings before Virtual Server Creation page, click Next.

  13. On the Success page, click Finish.

  14. In the scope pane of the Microsoft Office Communicator Web Access Manager (2007 release) window, the cwaSSO node is added.

Configure the ISA Server 2006 Server to Publish the External Virtual Server

To provide an SSO experience by using ISA Server 2006, enable SSO for the Web listener on ISA Server 2006 that publishes the Communicator Web Access external virtual server (ssoServer) that is configured for custom authentication.

First, specify the LDAP verification server. Then, enable SSO for the Web listener on ISA Server 2006. Finally, publish the Communicator Web Access external virtual server that is configured to use custom authentication.

Specify the LDAP Verification Server

You must specify the set of LDAP servers that ISA Server will use to validate users. You can specify these servers before you create the Web listener (the next step) or during the step that creates the Web listener. Regardless of when you specify the LDAP servers, the process includes creating a user set to which you add only the users and groups that require authentication by the LDAP validation server.

For example, you can create a group in Active Directory called remoteCWAusers and add this group to the LDAP User Set that you create. Add to the remoteCWAusers group only those users who require external access to the published Communicator Web Access Web site; these are the only users who will be authenticated by the LDAP validation server. You can also remove users from this group.

Before you create the Web listener, you can use the ISA Server 2006 management snap-in to specify the LDAP servers that will validate users, as shown in the next figure. In the result pane, click Specify RADIUS and LDAP Servers to display the RADIUS and LDAP Server configuration tabs.

Figure 9: Specify RADIUS and LDAP Servers on General Tab


If you choose to specify the LDAP server when you create the Web listener in the next step, the New Web Listener Wizard will provide a page where you can do so. In either case, for details about how to specify the LDAP server, see the Secure Application Publishing paper at .

Create the SSO-Enabled Web Listener

You will now create the SSO-enabled Web listener that listens on the external ssoServer network interface card.

To create the SSO-enabled Web listener

  1. On isa2006.contoso.com, open the ISA Server snap-in: click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. On the Firewall Policy (default) result pane, on the Toolbox tab on the right side of the result pane, select Network Objects, click New, and then click Web Listener.

  3. On the Welcome page, type ssoServer in the Web listener name box, and then click Next.

  4. On the Client Connection Security page, accept the default Require SSL secured connections with clients, and then click Next.

  5. On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, select the External check box, and then click Select IP Addresses.

  6. On the External Network Listener IP Selection page, select Specified IP addresses on the ISA Server computer in the selected network.

  7. Select the item in the Available IP Addresses list box.

  8. Click Add, and then click OK.

  9. On the Web Listener IP Addresses page, click Next.

  10. On the Listener SSL Certificates page, click Select Certificate.

  11. On the Select Certificate page, select the certificate you created for the ssoServer Web listener. This certificate should have the FQDN of the URL used to access the ssoServer listener; in this case, cwa.contoso.com. Click Select.

  12. On the Listener SSL Certificates page, click Next.

  13. On the Authentication Settings page, select HTML Form Authentication, select LDAP (Active Directory), and then click Next.

  14. On the Single Sign On Settings page, select the Enable SSO check box. In the SSO domain name box, type .contoso.com (notice the leading period in .contoso.com), and then click Next.

  15. If you did not configure the LDAP verification server before creating the Web listener, you can configure it now on the page that appears. If you have already configured the server, skip to the next step.

  16. On the Completing the New Web Listener Wizard page, click Finish.

  17. In the ISA MMC Firewall Policy result pane, click Apply.

  18. On the Saving Configuration Changes page, click OK.

  19. In the ISA Server snap-in, right-click the Server node in the scope pane, and then click Refresh.

Publish the Communicator Web Access ssoServer Virtual Server

Use the following procedure to create an SSL Web publishing rule for the Communicator Web Access ssoServer virtual server that is configured for custom authentication, and then attach the listener to that publishing rule.

To publish the Communicator Web Access ssoServer site

  1. In the scope pane of the ISA Server snap-in, click the Firewall Policy node.

  2. Click the Tasks tab, and then click Publish Web Sites.

  3. On the Welcome page, in the Web publishing rule name box, type ssoCWA, and then click Next.

  4. On the Select Rule Action page, click Allow, and then click Next.

  5. On the Publishing Type page, verify that Publish a single Web site or load balancer is selected, and then click Next.

  6. On the Server Connection Security page, select the Use SSL to connect to the published Web server or server farm check box, and then click Next. Using SSL is required.

  7. On the Internal Publishing Details page, in the Internal site name box, type the name of the internal site (cwaserver.contoso.com). If necessary, specify the computer name or IP address: select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type cwaserver.contoso.com. When this page is as you want it, click Next.

  8. On the next page, which is also titled Internal Publishing Details, type /* and then click Next.

  9. On the Public Name Details page, in the Public name box, type cwa.contoso.com, and then click Next.

  10. On the Select Web Listener page, in the Web listener list, click ssoServer, and then click Next.

  11. On the Authentication Delegation page, click Basic authentication, and then click Next.

  12. On the User Sets page, click Next.

  13. On the Completing the New Web Publishing Rule Wizard page, click Finish.

  14. In the snap-in, click Apply, click OK, and then refresh the ISA Server node: in the scope pane, right-click the server node, and then click Refresh.

Configure ISA Server to Redirect ssoServer Traffic to Port 444

Now configure ISA Server to redirect ssoServer traffic from port 443 to the Communicator Web Access ssoServer virtual server that is running on port 444 on cwaserver.contoso.com.

To configure ISA to redirect https://cwa.contoso.com requests to port 444 on cwaserver

  1. In the ISA Server Management scope pane, click the Firewall Policy node.

  2. In the result pane, right-click the ssoServer Web Publishing rule, and then click Properties.

  3. On the ssoServer Properties page, click the Bridging tab.

  4. On the Bridging tab, click Web server.

  5. Clear the Redirect requests to HTTP port check box, click Redirect requests to SSL port, and then type 444 in the box next to it. You do not need to select a certificate on this page.

  6. Click Apply, and then click OK.

  7. On the main ISA management console, click Apply to commit the changes.

  8. On the Apply New Configuration confirmation box, click OK.
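The settings spread across the listener wizard, the publishing rule and the Bridging tab above only work together when they agree with each other and with the cwaSSO virtual server. The following Python script is an added example, not part of the original lab guide or of any Microsoft tool: it encodes those relationships as a pre-flight check over the lab's values, and the bridging-left-at-443 case is a constructed misconfiguration.

```python
from dataclasses import dataclass, field, replace
from typing import List


@dataclass
class PublishingChain:
    """Settings that the lab procedures spread across the CWA snap-in and the
    ISA Server wizards. Field values below are taken from those procedures."""
    public_name: str            # Public name on the ssoCWA rule
    listener_cert_cn: str       # CN of the certificate bound to ssoServer
    sso_domain: str             # SSO domain typed into the listener wizard
    delegation: str             # Authentication Delegation on the rule
    use_ssl_to_backend: bool    # "Use SSL to connect to the published Web server"
    internal_site: str          # Internal site name on the rule
    internal_cert_cn: str       # CN of the certificate on the cwaSSO virtual server
    bridge_ssl_port: int        # Bridging tab: "Redirect requests to SSL port"
    vserver_port: int           # Port of the cwaSSO virtual server
    other_vserver_ports: List[int] = field(default_factory=list)  # ports already in use


def check_chain(c: PublishingChain) -> List[str]:
    """Return the list of inconsistencies; an empty list means the chain is sound."""
    problems: List[str] = []
    # The listener certificate must carry the FQDN that external users type.
    if c.listener_cert_cn.lower() != c.public_name.lower():
        problems.append(f"listener cert CN {c.listener_cert_cn} != public name {c.public_name}")
    # The SSO domain needs its leading period, and the public name must sit
    # inside it, otherwise the SSO cookie never applies to the published site.
    if not c.sso_domain.startswith("."):
        problems.append(f"SSO domain {c.sso_domain!r} lacks the leading period")
    elif not c.public_name.lower().endswith(c.sso_domain.lower()):
        problems.append(f"public name {c.public_name} is outside SSO domain {c.sso_domain}")
    # Basic delegation forwards the user's password to cwaserver, so the
    # ISA-to-backend leg must be SSL (the rule wizard requires it).
    if c.delegation == "Basic" and not c.use_ssl_to_backend:
        problems.append("Basic delegation without SSL to the published server")
    # The certificate on the cwaSSO virtual server must match the name ISA connects to.
    if c.internal_cert_cn.lower() != c.internal_site.lower():
        problems.append(f"internal cert CN {c.internal_cert_cn} != internal site {c.internal_site}")
    # Bridging must send port-443 requests to the port the virtual server uses.
    if c.bridge_ssl_port != c.vserver_port:
        problems.append(f"bridging SSL port {c.bridge_ssl_port} != virtual server port {c.vserver_port}")
    # cwaSSO must not collide with the scenario 1 virtual server on 443.
    if c.vserver_port in c.other_vserver_ports:
        problems.append(f"virtual server port {c.vserver_port} is already in use")
    return problems


# Values from the procedures above.
LAB = PublishingChain(
    public_name="cwa.contoso.com",
    listener_cert_cn="cwa.contoso.com",
    sso_domain=".contoso.com",
    delegation="Basic",
    use_ssl_to_backend=True,
    internal_site="cwaserver.contoso.com",
    internal_cert_cn="cwaserver.contoso.com",
    bridge_ssl_port=444,
    vserver_port=444,
    other_vserver_ports=[443],
)


def check_lab() -> List[str]:
    return check_chain(LAB)


def check_forgotten_bridging() -> List[str]:
    """Constructed case: the Bridging tab step is skipped and the SSL port stays 443."""
    return check_chain(replace(LAB, bridge_ssl_port=443))
```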