Chapter 14: Publishing the Exchange Outlook Web Access, SMTP Server and POP3 Server Sites

One of the main reasons to deploy an ISA Server 2004 firewall is to protect Microsoft Exchange Servers. ISA Server 2004 includes a number of technologies focused on providing enhanced support to protect Microsoft Exchange Services published to the Internet. This increased level of protection for remote access to Microsoft Exchange Server services puts the ISA Server 2004 firewall in a unique position to be the firewall for Microsoft Exchange Server.

Providing secure remote access to Microsoft Exchange Server services is a complex process. Fortunately, ISA Server 2004 includes a number of wizards that walk the firewall administrator through the process of providing secure remote access to Microsoft Exchange, simplifying the procedure.

In this ISA Server 2004 Configuration Guide document, we discuss methods you can use to provide secure remote access to the Exchange Outlook Web Access (OWA) site, the Exchange SMTP service and the Exchange POP3 service. We will assume that you have issued a Web site certificate to the OWA site, exported the certificate to a file (including the private key), and imported the Web site certificate to the ISA Server 2004 firewall’s machine certificate store. In addition, we will assume that the external client that connects to the OWA Web site through the ISA Server 2004 firewall has the CA certificate of the CA that issued the OWA site’s Web site certificate imported into its Trusted Root Certification Authorities certificate store.

Note

Certificate issuance and deployment is beyond the scope of this ISA Server 2004 Configuration Guide document. For detailed information on deploying Web site and root CA certificates, please refer to the ISA Server 2004 Exchange Deployment Kit.

The following walkthrough discusses basic methods used to provide remote access to the OWA, SMTP and POP3 services on the Internal network Exchange Server. In a production environment, remote access to the SMTP service would be secured using SSL and would require user authentication. Similarly, remote access to the POP3 service would also require a secure SSL connection. We limit our discussion to non-SSL connections in the following walkthrough, for demonstration purposes only.

In addition, a number of procedures have been performed on the Exchange Server to optimize it for secure remote OWA connections. The first chapter of this ISA Server 2004 Configuration Guide outlines these procedures. Also, the Exchange POP3 service is disabled by default and must be manually enabled.

You will need to perform the following procedures to configure the ISA Server 2004 firewall to allow remote access connections to the Exchange Server service:

  • Restore the system to its post-installation state
  • Create the OWA Web Publishing Rule
  • Create the SMTP Server Publishing Rule
  • Create the POP3 Server Publishing Rule
  • Test the connection

Restore the System to its Post-installation State

To fully test the inbound and outbound SMTP relay configuration in this scenario, we will return the machine to its post-installation state so that other Access Rules do not interfere with the scenario development. In a production environment, you would leave your current Access Rules intact and add the Server Publishing Rules required to create the inbound and outbound SMTP relays.

Perform the following steps to restore the ISA Server 2004 firewall machine to its post-installation state:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and right-click the server name. Click the Restore command.
  2. In the Restore Configuration dialog box, select the backup file you created earlier and click Restore.
  3. In the Type Password to Open File dialog box, enter the password you assigned to the file in the Password text box and click OK.
  4. Click OK in the Importing dialog box after you see the message The configuration was successfully restored.
  5. Click Apply to save the changes and update the firewall policy.
  6. Select Save the changes and restart the service(s) in the ISA Server Warning dialog box, and click OK.
  7. Click OK in the Apply New Configuration dialog box.

Create the OWA Web Publishing Rule

You can publish the Microsoft Exchange Outlook Web Access site using ISA Server 2004 Web Publishing after the site is configured to support secure SSL connections. These procedures include forcing SSL on the OWA directories and allowing the directories to accept only basic authentication.

Perform the following steps to create the Outlook Web Access Web Publishing Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
  2. Right-click the Firewall Policy node, point to New and click Mail Server Publishing Rule.
  3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we will call it OWA Web Site. Click Next.
  4. On the Select Access Type page, select Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) and click Next.
  5. On the Select Services page, put a check mark in the Outlook Web Access check box. Confirm that a check mark appears in the Enable high bit characters used by non-English character sets check box. Click Next.
  6. On the Bridging Mode page, select Secure connection to clients and mail server and click Next.
  7. On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example, we will use the name owa.msfirewall.org. Click Next.
  8. On the Public Name Details page, select This domain name (type below) in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Click Next.
  9. On the Select Web Listener page, click New.
  10. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will use the name OWA SSL Listener. Click Next.
  11. On the IP Addresses page, put a check mark in the External check box. Click the Address button.
  12. In the External Network Listener IP Selection dialog box, select Specified IP addresses on the ISA Server computer in the selected network. Click the external IP address configured on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA site in the Available IP Addresses list. In this example, we will select the 192.168.1.70 entry. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
  13. Click Next on the IP Addresses page.
  14. On the Port Specification page, remove the check mark from the Enable HTTP check box. Place a check mark in the Enable SSL check box. Leave the SSL port number at 443.
  15. Click the Select button. In the Select Certificate dialog box, click the OWA Web site certificate that you imported into the ISA Server 2004 firewall’s machine certificate store and click OK.
  16. Click Next on the Port Specification page.
  17. Click Finish on the Completing the New Web Listener page.
  18. The details of the Web listener now appear on the Select Web Listener page. Click Edit.
  19. In the OWA SSL Listener Properties dialog box, click the Preferences tab.
  20. On the Preferences tab, click the Authentication button.
  21. In the Authentication dialog box, remove the check mark from the Integrated check box. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured.
  22. Place a check mark in the OWA Forms-Based authentication check box. Click OK.
  23. Click Apply and then click OK in the OWA SSL Listener Properties dialog box.
  24. Click Next on the Select Web Listener page.
  25. On the User Sets page, accept the default entry, All Users, and click Next.
  26. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
  27. Click Apply to save the changes and update the firewall policy.
  28. Click OK in the Apply New Configuration dialog box.

The next step is to create a HOSTS file entry on the ISA Server 2004 firewall machine so that it resolves the name owa.msfirewall.org to the IP address of the Exchange Server on the Internal network.

  1. Click Start and Run. In the Run dialog box, enter notepad in the Open text box and click OK.
  2. Click the File menu and then click Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.
  3. Add the following line to the HOSTS file:
    10.0.0.2 owa.msfirewall.org
    Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and Exit. In the Notepad dialog box, click Yes to indicate that you want to save the changes.

Create the SMTP Server Publishing Rule

You can create an SMTP Server Publishing Rule to provide external users and servers access to the Microsoft Exchange SMTP service. In general, you will prefer to use the ISA Server 2004 firewall as a secure SMTP filtering relay to prevent external users and servers from directly connecting to the Exchange Server. The Server Publishing Rule discussed in the following walkthrough is best used to provide external SMTP servers access to the Exchange Server so they can send mail to e-mail domains under your administrative control.

Perform the following steps to create the SMTP Server Publishing Rule:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console, and expand the server name in the left pane of the console. Click the Firewall Policy node.
  2. Right-click the Firewall Policy node and point to New. Click Server Publishing Rule.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule SMTP Server. Click Next.
  4. On the Select Server page, enter the IP address of the Exchange Server on the Internal network. In our current example, the IP address is 10.0.0.2. Enter 10.0.0.2 into the text box. Click Next.
  5. On the Select Protocol page, select the SMTP Server protocol from the Selected protocol list. Click Next.
  6. On the IP Addresses page, put a check mark in the External check box and click the Address button.
  7. In the External Network Listener IP Selection dialog box, select Specified IP addresses on the ISA Server computer in the selected network. Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.168.1.70. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
  8. Click Next on the IP Addresses page.
  9. Click Finish on the Completing the New Server Publishing Rule Wizard page.

Create the POP3 Server Publishing Rule

Remote access to the Exchange Server POP3 service allows users located away from the office to download their mail from the Exchange Server to virtually any e-mail client application. Users must provide a user name and password when they connect to the POP3 service. They download e-mail into their e-mail client application after sending their credentials. These user credentials are sent in clear text. In a production environment, you would require an SSL-secured POP3 connection so that user name and password are not easily accessible to Internet intruders.

Perform the following steps to create the POP3 Server Publishing Rule:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console, and expand the server name in the left pane of the console. Click the Firewall Policy node.
  2. Right-click the Firewall Policy node and point to New. Click Server Publishing Rule.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule POP3 Server. Click Next.
  4. On the Select Server page, enter the IP address of the Exchange Server on the Internal network. In our current example, the IP address is 10.0.0.2. Enter 10.0.0.2 into the text box. Click Next.
  5. On the Select Protocol page, select the POP3 Server protocol from the Selected protocol list. Click Next.
  6. On the IP Addresses page, put a check mark in the External check box and click the Address button.
  7. In the External Network Listener IP Selection dialog box, select Specified IP addresses on the ISA Server computer in the selected network. Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.168.1.70, then click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
  8. Click Next on the IP Addresses page.
  9. Click Finish on the Completing the New Server Publishing Rule Wizard page.

Test the connection

We are now ready to test the OWA, SMTP and POP3 connections to the Exchange Server located behind the ISA Server 2004 firewall. The first step is to create a HOSTS file entry on the client so that it correctly resolves the name of the OWA site. In a production environment, you would create a public DNS resource record that correctly resolves this name for external network clients.

Perform the following steps to test the Outlook Web Access connection:

  1. The first step is to add a HOSTS file entry on the external client machine. Click Start and Run. In the Run dialog box, enter notepad in the Open text box and click OK.
  2. Click the File menu and Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.
  3. Add the following line to the HOSTS file:
    192.168.1.70 owa.msfirewall.org
    Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and Exit. In the Notepad dialog box, click Yes to indicate that you want to save the changes.
  4. Open Internet Explorer on the external client machine. Enter https://owa.msfirewall.org into the Address bar and press ENTER.
  5. In the Outlook Web Access Log on form, enter the user name in the Domain\user name text box, and the password in the Password text box. Select the Premium client type and the Private computer Security type. In the current example, we will enter the user name MSFIREWALL\Administrator and the Administrator’s password. Click Log On.
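The two HOSTS file edits in this chapter, the one on the ISA Server 2004 firewall mapping owa.msfirewall.org to 10.0.0.2 and the one on the external client mapping it to 192.168.1.70, are the same operation done by hand in Notepad. The following Python script is an added example, not part of the guide, that performs that edit idempotently: it rewrites an existing mapping for the name instead of appending a second one, keeps any trailing comment, removes duplicate mappings, and always leaves the file ending in a newline (the effect of the "press ENTER" step). The Windows HOSTS path is an assumption (the guide's default location), and the sample contents used below are constructed.

```python
"""Upsert a HOSTS file mapping, as the guide does by hand on the firewall
(10.0.0.2 owa.msfirewall.org) and on the external client
(192.168.1.70 owa.msfirewall.org). Added example, not from the guide;
HOSTS_PATH is an assumption (the default Windows location)."""
import ipaddress
import sys
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")  # assumption


def parse_hosts(text):
    """Yield (line_index, ip, [names]) for each mapping line, ignoring comments."""
    for idx, line in enumerate(text.splitlines()):
        body = line.split("#", 1)[0].split()
        if len(body) >= 2:
            yield idx, body[0], body[1:]


def resolve_from_hosts(text, hostname):
    """Return the IP the file maps hostname to (case-insensitive), or None."""
    wanted = hostname.lower()
    for _, ip, names in parse_hosts(text):
        if wanted in (n.lower() for n in names):
            return ip
    return None


def upsert_hosts_entry(text, ip, hostname):
    """Return new file contents with exactly one mapping for hostname.

    The first existing line naming the host is rewritten in place (its other
    names and trailing comment are kept), later duplicates are dropped, and a
    new line is appended when no mapping exists. The result always ends in a
    newline, which is what the guide's "press ENTER" step achieves.
    """
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    lines = text.splitlines()
    wanted = hostname.lower()
    found = False
    for idx, _, names in list(parse_hosts(text)):
        if wanted not in (n.lower() for n in names):
            continue
        if found:
            lines[idx] = None  # duplicate mapping: remove it
            continue
        comment = ""
        if "#" in lines[idx]:
            comment = "  #" + lines[idx].split("#", 1)[1]
        lines[idx] = f"{ip}\t{' '.join(names)}{comment}"
        found = True
    if not found:
        lines.append(f"{ip}\t{hostname}")
    return "\n".join(l for l in lines if l is not None) + "\n"


def apply(ip, hostname, path=HOSTS_PATH):
    """Rewrite the file on disk and return the IP it now resolves hostname to."""
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(upsert_hosts_entry(text, ip, hostname), encoding="utf-8")
    return resolve_from_hosts(path.read_text(encoding="utf-8"), hostname)


if __name__ == "__main__":
    # e.g.  python hosts_entry.py 10.0.0.2 owa.msfirewall.org   (run as Administrator)
    print(apply(sys.argv[1], sys.argv[2]))
```

On the firewall the script is run with 10.0.0.2 and on the external client with 192.168.1.70; the returned value is the address the file now resolves the name to, so a wrong argument is visible immediately rather than after the OWA test fails.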

Next, we will test the POP3 and SMTP functionality using Outlook Express:

  1. On the external client machine, open Outlook Express. Click Tools and Accounts.
  2. In the Internet Accounts dialog box, click the existing account and Remove. Click Yes in the Internet Accounts dialog box asking if you are sure you want to delete the account.
  3. Click Add and then click Mail.
  4. On the Your Name page, enter the name Administrator in the Display name text box. Click Next.
  5. On the Internet E-mail Address page, enter the address administrator@msfirewall.org in the E-mail address text box. Click Next.
  6. On the E-mail Server Names page, select the POP3 entry in the My incoming mail server is a x server list. Enter 192.168.1.70 in the Incoming mail (POP3, IMAP or HTTP) server text box. Enter 192.168.1.70 in the Outgoing mail (SMTP) server text box. Click Next.
  7. On the Internet Mail Logon page, enter Administrator in the Account name text box and the administrator’s password in the Password text box. Click Next.
  8. Click Finish on the Congratulations! page.
  9. Click Close on the Internet Accounts dialog box.
  10. Close Outlook Express and then open it again. Click the Create Mail button and address a message to administrator@msfirewall.org. Enter a subject and text and click the Send button. To receive the mail from the POP3 server, click Send/Recv. The message you sent appears in the Inbox.
  11. Close Outlook Express.
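The Outlook Web Access and Outlook Express tests above confirm that the three rules pass traffic. The following Python script is an added example, not part of the guide, that a firewall administrator can run from the external client to confirm what the chapter's text calls for rather than just that mail flows: that the OWA listener answers only on port 443 (HTTP was disabled on the listener) with a certificate covering the public name, and whether the SMTP and POP3 publishing rules expose STARTTLS and STLS, since the chapter notes that without SSL the POP3 user name and password cross the Internet in clear text. It assumes the guide's public name owa.msfirewall.org, a placeholder EHLO name probe.example, and that the issuing CA certificate is trusted on the client as the chapter's introduction assumes; the protocol replies used in the checks are constructed.

```python
"""Verify the published OWA, SMTP and POP3 endpoints from the external client.
Added example, not from the guide; PUBLIC_NAME is the guide's value and
EHLO_NAME is a placeholder."""
import socket
import ssl

PUBLIC_NAME = "owa.msfirewall.org"
EHLO_NAME = "probe.example"  # placeholder client name sent in EHLO


def cert_covers_name(cert, public_name):
    """True if a getpeercert() dict covers public_name via its SAN DNS entries
    (or the subject CN when no SAN exists); one leading '*.' label is allowed."""
    wanted = public_name.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for pattern in names:
        if pattern == wanted:
            return True
        if pattern.startswith("*.") and "." in wanted \
                and wanted.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def smtp_ehlo_keywords(reply):
    """Keywords from a multi-line EHLO reply; the first 250 line is the greeting."""
    lines = [l for l in reply.splitlines() if l[:3] == "250" and len(l) > 4]
    return {l[4:].split()[0].upper() for l in lines[1:] if l[4:].split()}


def pop3_capabilities(reply):
    """Capability names from a CAPA reply, up to the terminating '.' line."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return set()
    caps = set()
    for line in lines[1:]:
        if line == ".":
            break
        if line.split():
            caps.add(line.split()[0].upper())
    return caps


def findings(http_open, cert_ok, smtp_keywords, pop3_caps, public_name=PUBLIC_NAME):
    """Translate observations into the problems the guide's text warns about."""
    out = []
    if http_open:
        out.append("port 80 answers: the OWA listener should have HTTP disabled")
    if not cert_ok:
        out.append(f"port 443 certificate does not cover {public_name}")
    if "STARTTLS" not in smtp_keywords:
        out.append("SMTP offers no STARTTLS: mail crosses the Internet in clear text")
    if "STLS" not in pop3_caps:
        out.append("POP3 offers no STLS: user name and password cross the Internet in clear text")
    return out


def _read_reply(f, done):
    """Read lines until done(line) is true or the peer closes; return the text."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if done(line):
            break
    return "\n".join(lines)


def probe(host=PUBLIC_NAME, timeout=5.0):
    """Live probe of the published endpoints; returns the findings list."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            http_open = True
    except OSError:
        http_open = False
    ctx = ssl.create_default_context()  # issuing CA must be trusted, as the guide assumes
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert_ok = cert_covers_name(tls.getpeercert(), host)
    except (OSError, ssl.SSLError):
        cert_ok = False
    smtp_done = lambda l: len(l) < 4 or l[3] != "-"  # last reply line is '250 ...'
    with socket.create_connection((host, 25), timeout=timeout) as s, \
            s.makefile("rwb", buffering=0) as f:
        _read_reply(f, smtp_done)  # 220 greeting
        f.write(f"EHLO {EHLO_NAME}\r\n".encode())
        smtp_kw = smtp_ehlo_keywords(_read_reply(f, smtp_done))
        f.write(b"QUIT\r\n")
    with socket.create_connection((host, 110), timeout=timeout) as s, \
            s.makefile("rwb", buffering=0) as f:
        f.readline()  # +OK greeting
        f.write(b"CAPA\r\n")
        pop_caps = pop3_capabilities(_read_reply(f, lambda l: l == "." or l.startswith("-ERR")))
        f.write(b"QUIT\r\n")
    return findings(http_open, cert_ok, smtp_kw, pop_caps, host)


if __name__ == "__main__":
    print("\n".join(probe()) or "no findings")
```

With the rules exactly as built in this chapter the script reports the two clear-text findings, which is expected here and is the reason the text limits the non-SSL configuration to demonstration use; the port 80 and certificate checks should stay clean, and a port 80 finding means the Enable HTTP check box was left selected on the listener.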

Conclusion

In this ISA Server 2004 Configuration Guide document, we discussed how to publish a Microsoft Exchange Outlook Web Access (OWA) site and how to publish the Exchange POP3 and SMTP services. In the next document in this ISA Server 2004 Configuration Guide series, we will discuss how the firewall can be used to publish an array of Exchange Server services.