Outlook Web Access Server Publishing in ISA Server 2004: Client Certificates and Forms-based Authentication

Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition work with Microsoft Office Outlook Web Access for Exchange Server 2003 to enhance security for Outlook Web Access servers. Outlook Web Access provides Web browser access to e-mail, scheduling (including group scheduling), contacts, and collaborative information stored in Exchange store folders. Outlook Web Access is used by remote, home, and roving users.

When you publish Outlook Web Access servers through ISA Server, you are protecting the Outlook Web Access server from direct external access because the name and Internet Protocol (IP) address of the Outlook Web Access server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the Outlook Web Access server according to the conditions of your mail server publishing rule.

ISA Server allows you to implement a variety of authentication methods for accessing Outlook Web Access servers. This document describes how to securely publish Outlook Web Access using client certification to authenticate users at the ISA Server computer, and using forms-based authentication on the Outlook Web Access server.

Scenario

Solution

Network Topology

Walkthrough

Deploying client certificates using a Local Certification Authority

Additional Information

Appendix A: Configuring NLB on the ISA Server Array

Client Certificate Authentication

Requiring a client certificate can help increase the security of your Outlook Web Access publishing configuration. It ensures that only users presenting a valid certificate can submit credentials to the Outlook Web Access site.

Users can obtain client certificates from a commercial certification authority (CA), or from an internal CA in your organization. When users make a request to Outlook Web Access resources, they select a client certificate to send to the ISA Server computer for the purpose of authentication. ISA Server passes the client certificate provided to a domain controller. (ISA Server must be a domain member.) The Active Directory directory service determines the match between certificates and accounts, and passes the information back to ISA Server for application of relevant firewall policy rules. Note that ISA Server cannot pass client certificates to an internal Web server. Once a client has authenticated with ISA Server through use of the certificate, the user can provide the credentials needed by the Outlook Web Access server, using forms-based authentication.

Forms-Based Authentication

In forms-based authentication, users are directed to a Hypertext Markup Language (HTML) form. After the user provides credentials in the form, the system issues a cookie containing a ticket. On subsequent requests, the system first checks the cookie to verify if the user was already authenticated, so that the user does not have to supply credentials again. Advantages of forms-based authentication include the following:

  • Credential information is not cached on the client computer. This is particularly important in a scenario where users are connecting to your Outlook Web Access server from public computers. Users are required to reauthenticate if they close the browser, log off from a session, or navigate to another Web site.
  • You can configure a maximum idle session time-out, so that if a user is idle for a prolonged period of time, the session expires, and reauthentication is required.
  • Users cannot use the Remember my password option in Internet Explorer.
  • Outlook Web Access includes optional functionality that allows a user to change the password. If a user changes the password during an Outlook Web Access session, the cookie provided after the user initially logged on will no longer be valid. When forms-based authentication is configured on ISA Server, the user who changes the password during an Outlook Web Access session will receive the logon page the next time a request is made.

In an ISA Server 2004 Enterprise Edition scenario involving multi-server ISA Server arrays, you must ensure that client requests for a particular session are handled by the same array member, so that the client’s cookie is recognized. If the request is received by a different member, the cookie will not be recognized and the request will be dropped by that ISA Server member. An effective way to ensure that the requests are handled by the same server member is to enable integrated Network Load Balancing (NLB) on the ISA Server array. For more information, see Appendix A Configuring NLB on the ISA Server Array.
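As an added illustration (not code from this document or from ISA Server), the following Python model walks through the forms-based authentication behaviour described above: a ticket cookie issued after logon, a sliding idle time-out, invalidation after a password change, and a cookie being dropped when it reaches a different array member. The Account class, the HMAC-signed ticket layout, and the per-member signing key are assumptions made for illustration, not ISA Server's actual cookie format.

```python
import hashlib
import hmac
import os


class Account:
    """Directory account as seen by the authenticating server (constructed stand-in)."""

    def __init__(self, username):
        self.username = username
        # Bumped whenever the user changes the password, so tickets issued
        # under the old password stop validating.
        self.password_version = 1


class FormsAuthMember:
    """One server that issues and checks forms-based-authentication ticket cookies.

    Each instance has its own signing key (an assumption of this model). Two
    instances therefore behave like two ISA Server array members that do not
    share ticket state: a cookie issued by one is 'not recognized' by the
    other, which is why NLB affinity is needed so one member handles a session.
    """

    def __init__(self, accounts, idle_timeout, key=None):
        self.accounts = accounts
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.key = key or os.urandom(32)           # per-member secret

    def _ticket(self, username, password_version, last_activity):
        payload = "%s|%d|%d" % (username, password_version, last_activity)
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "|" + mac

    def logon(self, username, now):
        """Issue the ticket cookie after the HTML logon form succeeded.

        Credential verification itself is out of scope here; the ticket is
        bound to the account's current password version.
        """
        acct = self.accounts[username]
        return self._ticket(username, acct.password_version, now)

    def check_request(self, cookie, now):
        """Validate the ticket presented on a subsequent request.

        Returns (accepted, refreshed_cookie, reason). On success the cookie is
        re-issued with the new activity time (sliding idle time-out); on any
        failure the client would be sent back to the logon form.
        """
        parts = cookie.split("|")
        if len(parts) != 4:
            return False, None, "malformed"
        username, version, last_activity, mac = parts
        payload = "|".join(parts[:3])
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            # Signed by a different member (or tampered with): drop and re-prompt.
            return False, None, "not recognized"
        try:
            version_n, last_n = int(version), int(last_activity)
        except ValueError:
            return False, None, "malformed"
        if now - last_n > self.idle_timeout:
            return False, None, "idle timeout"
        acct = self.accounts.get(username)
        if acct is None or acct.password_version != version_n:
            # Password changed during the session: the old ticket is no longer valid.
            return False, None, "password changed"
        return True, self._ticket(username, acct.password_version, now), "ok"


def run_scenario():
    """Walk one session through the cases the document describes and return
    the outcomes in order."""
    accounts = {"alice": Account("alice")}
    member_a = FormsAuthMember(accounts, idle_timeout=600, key=b"member-a-secret")
    member_b = FormsAuthMember(accounts, idle_timeout=600, key=b"member-b-secret")
    outcomes = []

    cookie = member_a.logon("alice", now=1000)
    ok, cookie, why = member_a.check_request(cookie, now=1100)   # same member: accepted
    outcomes.append(why)
    _, _, why = member_b.check_request(cookie, now=1100)         # other member: dropped
    outcomes.append(why)
    _, _, why = member_a.check_request(cookie, now=1100 + 601)   # idle longer than 600 s
    outcomes.append(why)
    accounts["alice"].password_version += 1                      # user changed password
    _, _, why = member_a.check_request(cookie, now=1200)
    outcomes.append(why)
    return outcomes


if __name__ == "__main__":
    print(run_scenario())   # ['ok', 'not recognized', 'idle timeout', 'password changed']
```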

Scenario

Using Internet Security and Acceleration (ISA) Server 2004, you want to publish an Outlook Web Access server so that employees can access their e-mail messages from home computers and from Internet kiosks. You want a secure connection from clients to the Outlook Web Access server, and to ensure that only authenticated users are prompted for credentials. You do not want credentials or proprietary information stored on the client computers.

Solution

The solution described in this document can be summarized as follows:

You publish an Outlook Web Access server through Internet Security and Acceleration (ISA) Server 2004 using a mail server publishing rule. Communication from external clients to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server is over Secure Hypertext Transfer Protocol (HTTPS) for a Secure Sockets Layer (SSL) connection through to the Outlook Web Access server. External client requests must be authenticated by means of a client certificate. Forms-based authentication is enabled on the Outlook Web Access server. Only clients who are authenticated successfully with the client certificate are prompted with a form to provide credentials to the Outlook Web Access server. ISA Server is installed as a domain member.

Network Topology

The following topology is recommended to deploy the solution outlined in this document:

  • A computer serving as the Outlook Web Access server on the Internal network. The Outlook Web Access server should run Microsoft Windows Server 2003 or Windows 2000 Server with Service Pack 3.
  • A local CA computer in the same domain as ISA Server.
  • In ISA Server 2004 Standard Edition:
    • A computer running ISA Server 2004 Standard Edition, installed in a domain.
  • In ISA Server 2004 Enterprise Edition:
    • A computer serving as the ISA Server Configuration Storage server.
    • A minimum of two computers running ISA Server services in an array.
    • Array computers and the Configuration Storage server belong to the same domain.
  • A computer on the External network to test the solution.

This walk-through assumes that you have installed ISA Server 2004 Standard Edition or ISA Server 2004 Enterprise Edition. In the case of Enterprise Edition, you should have installed a Configuration Storage server, and at least one ISA Server array, through which you are going to publish the Outlook Web Access server. Installation of these ISA Server components is described in ISA Server online Help, and in the Getting Started Guide.

Walkthrough

This walkthrough describes the following steps:

  • Deploying client certificates using a local CA. Install an enterprise CA. Create a user account in Active Directory; this is more efficient than obtaining a client certificate for each individual user account. Then, using the Certificate Request Wizard, request a client certificate using this account. When you request a certificate it is automatically associated with the account that requested it, but in addition you should map the certificate to the user account. This is known as one-to-one mapping. When a client presents a certificate, the mapping is examined to determine which user account should be logged on. Then export the certificate and the private key, and install it on client computers that must authenticate for Outlook Web Access resources published by ISA Server.
  • Configuring server certificates. Server certificates are required on the ISA Server computer for authentication to external clients. Because Internet Information Services (IIS) is not usually installed on the ISA Server computer, to install a server certificate on the ISA Server computer you request a server certificate on the Web server, and import it to ISA Server. You cannot install certificates directly to the ISA Server computer. For most Web publishing scenarios, you install a certificate from a commercial CA on the ISA Server computer. When ISA Server authenticates to external clients using a server certificate, the clients require a root certificate from the CA that issued the server certificate, to indicate that the CA is trusted. Many commercial CA root certificates are installed by default on client computers. In the scenario described in this document, requests only come from authenticated clients, so you may consider using a server certificate issued by a local CA, and issuing root certificates to clients from this CA.
  • You also require a certificate on the Outlook Web Access server to authenticate it to ISA Server. For this purpose, request a server certificate from the internal enterprise CA.
  • Publishing Outlook Web Access. Back up your current configuration before making changes. Configure client certificate authentication on the Web listener, and create a mail publishing rule.
  • Configure Exchange and an Outlook Web Access site. Configure attachments to be saved in Exchange, require SSL on the Outlook Web Access IIS Web site, configure forms-based authentication.
  • Test client certificate authentication. Test the deployment.

Deploying client certificates using a Local Certification Authority

Certificate Services offers two types of CAs that have different feature sets: enterprise CAs and standalone CAs. Enterprise CAs offer the benefit of Active Directory integration. In the scenario described in this document, client certificates require mapping to Active Directory, and thus require an Enterprise CA. For a detailed comparison, see Best Practices for Implementing a Windows Server 2003 Public Key Infrastructure. Note that ISA Server and the enterprise root CA should be in the same domain.

This section consists of the following procedures:

  • Install an Enterprise CA
  • Create an account in Active Directory
  • Request a client certificate
  • Map the client certificate to the account
  • Export the client certificate
  • Install the certificate on client computers

Deploying Client Certificates Procedure 1: Install an Enterprise CA

On a domain member computer running Windows Server 2003 or Windows 2000 Server, install Certificate Services. To use Web enrollment you must install IIS and the Active Server Pages component on the computer.

  1. In Control Panel, double-click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. Double-click Application Server.
  4. Double-click Internet Information Services (IIS).
  5. Double-click World Wide Web Service.
  6. Select Active Server Pages.
  7. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.
  8. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.
  9. On the CA Type page, choose Enterprise root CA. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller). Then click Next.
  10. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.
  11. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next. If Internet Information Services (IIS) is running, a message prompts you to stop the service. To stop IIS, choose Yes.
  12. While the Windows Component Wizard is installing Microsoft Certificate Services, a message will appear notifying you that Active Server Pages must be enabled to provide Web enrollment services. To enable ASP, choose Yes.
  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

Deploying Client Certificates Procedure 2: Create an Account in Active Directory

If you do not have an account under which you want to request the certificate, you must create one, as follows:

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand the domain in the right pane of the snap-in, and then right-click the folder in which you want to create the new user account.
  3. Point to New, and then click User.
  4. In the New Object - User dialog box, fill in the user details.
  5. Clear User must change password at next logon. Then click Next.
  6. In Password, and in Confirm Password, enter a password. Select User cannot change password, and Password never expires. Then click Next.
  7. Clear Create an Exchange mailbox, because no Exchange Server mailbox is required for this.
  8. Check that settings are accurate, and then click Finish.

Deploying Client Certificates Procedure 3: Request a Client certificate

You can now request a client certificate using the account you created. When requesting certificates from a Windows Server 2003 enterprise CA in a domain, you can use the Certificate Request Wizard located in the Certificates snap-in. You can run this wizard on the CA itself, or on any domain member.

To request a certificate for an account, do the following:

  1. Log on to the computer using the Active Directory account you created.

  2. Open the Certificates snap-in, and in the console tree, click Certificates - Current User.

  3. Right-click the Personal folder, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.

  4. On the Welcome page of the Certificate Request Wizard, click Next.

  5. In the Certificate Types page, click User. Select the Advanced check box. Then click Next.

  6. In Cryptographic Service Provider, click Mark this key as exportable. Then click Next.

  7. On the Certification Authority page, ensure that the enterprise CA name is displayed. Then click Next.

  8. In Certificate Friendly Name and Description, type a friendly name for the certificate. You can select any name, because it has no bearing on certificate functionality. Then click Next.

  9. In the final page of the wizard, check certificate settings, and then click Finish.

  10. If a confirmation dialog appears, click OK.

    Note

    To open the Certificates snap-in, click Start, click Run, type mmc, and then click OK. On the File menu, click Open. Click the snap-in you want to open, and click Open. In the console tree, click Certificates.

Deploying Client Certificates Procedure 4: Map the Client Certificate to the Account

You now need to map the client certificate to the Active Directory account as follows:

  1. Log on to the computer with an administrator account.
  2. On the domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. Right-click on the account you created, and then click Properties.
  4. Click the Published Certificates tab.
  5. In List of X509 certificates published for this user account, click Copy to File. In Save certificate to a file, specify a name for the certificate in File name, and then click Save. Click OK to close the Properties dialog box.
  6. Right-click the user account, and then click Name Mappings.
  7. In Security Identity Mapping, click the X.509 Certificates tab, and then click Add.
  8. In Add Certificate, select the certificate (.cer), and then click Open. Review the certificate configuration settings, ensuring that Use Subject for alternate security identity is selected. When the certificate appears in the X.509 Certificates list, click OK.

Deploying Client Certificates Procedure 5: Export the Client Certificate

You must export the client certificate to deploy it on client computers requiring access to Outlook Web Access resources. The certificate contains the private key for the account to which the certificate is mapped.

On the computer from which you requested the client certificate, do the following:

  1. Open Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Content tab, click Certificates.
  3. In the Certificates dialog box, on the Personal tab, click the certificate, and then click Export.
  4. In Welcome to the Certificate Export Wizard, click Next.
  5. In Export Private Key, select Yes, export private key, and then click Next.
  6. In Export File Format, select Personal Information Exchange - PKCS #12 (.pfx). Select Include all certificates in the certification path if possible. Clear all other options. Then click Next.
  7. In Password, specify and confirm a password. Then click Next.
  8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key. Then click Next.
  9. Review all settings, and then click Finish.
  10. When you receive a message that the export was successful, click OK.
  11. Click Close to close the Certificates dialog box.
  12. Click OK to close Internet Options.

Deploying Client Certificates Procedure 6: Install the Certificate on Client Computers

On each computer that requires the client certificate to access Outlook Web Access, install the client certificate as follows:

  1. Log on under the account that the user will be using for Outlook Web Access.
  2. Open Internet Explorer, click the Tools menu, and then click Internet Options.
  3. On the Content tab, click Certificates.
  4. In the Certificates dialog box, on the Personal tab, click Import.
  5. On the Welcome to the Certificate Import Wizard page, click Next.
  6. On the File to Import page, enter the name and location in File name, or use the Browse button to locate the file. Then click Next.
  7. In Password, specify the password you assigned to the certificate file when you exported it. Do not select Enable strong private key protection, because users will not be able to log on to the Outlook Web Access site. Do not select Mark the private key as exportable. You do not want to allow users to export the certificate with the private key.
  8. In Certificate Store, select Automatically select the certificate store based on the type of certificate. Then click Next.
  9. Review the settings, and then click Finish.
  10. When a message appears showing that the import was successful, click OK.
  11. Click Close to close the Certificates dialog box.
  12. Click OK to close Internet Options.

Deploying Server Certificates

The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication from the external client to ISA Server, and from the ISA Server computer to the Outlook Web Access Server. ISA Server does not support Outlook Web Access publishing rules that forward HTTP requests as HTTPS. If you create a publishing rule that forwards HTTPS requests from external clients as HTTP, do not enable link translation. In this SSL to SSL configuration, you require a server certificate in two locations:

  • On the ISA Server computer to authenticate it to the requesting client.
  • On the Outlook Web Access server to authenticate it to the ISA Server computer.

This section consists of the following procedures:

  • Obtain a server certificate on the ISA Server computer.
  • Obtain a server certificate on the Outlook Web Access server.

Deploying Server Certificates Procedure 1: Obtain a Server Certificate on the ISA Server Computer

To obtain a certificate for ISA Server, do the following:

  1. Request a server certificate from a commercial CA or from the local CA, on the Outlook Web Access server running IIS.
  2. Export this certificate, together with its private key. Import the certificate to ISA Server.

For ISA Server 2004 Enterprise Edition, you will need to prepare and install an identical server certificate on each array member.

For detailed information and instructions on configuring server certificates, see Digital Certificates for ISA Server 2004.

Deploying Server Certificates Procedure 2: Obtain a Server Certificate on the Outlook Web Access Server

A server certificate is required on the Outlook Web Access server to authenticate it across an SSL connection to the ISA Server computer. Because this connection is internal only, the simplest and least expensive method is to obtain a server certificate from the local CA for this requirement, as follows:

  1. On the Outlook Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand the Web Sites node, and then click Default Web Site. Right-click Default Web Site, and then click Properties.

  3. On the Default Web Site Properties dialog box, click the Directory Security tab.

  4. On the Directory Security tab, click Server Certificate.

  5. On the Welcome to the Web Server Certificate Wizard page, click Next.

  6. Select Create a New Certificate, and then click Next.

  7. Select Send the request immediately to an online certification authority. Then click Next.

  8. In Name, specify a friendly name for the site. (This can be any name, and does not affect certificate functionality.) In Bit length, specify the bit length of the key you want to use. Then click Next.

  9. In Organization Information, specify your information in Organization (O) and in Organizational Unit (OU). For example, if your company is called Fabrikam and you are setting up a Web server for the Sales department, you would enter Fabrikam for the organization and Sales for your OU. Click Next when complete.

  10. In Your Site’s Common Name, specify a common name for your site in Common name. The common name you specify should be the name by which ISA Server refers to the Outlook Web Access server (specified on the To tab of the publishing rule). Then click Next.

  11. Input your information in Country/Region, City, and State. It is very important that you do not abbreviate the names of the state or city. Then, click Next.

  12. Choose a name for the certificate request file you are about to create. This file will contain all the information you entered, as well as the public key for your site. You can browse for a different file name and location if you want. This creates a .txt file when the steps are completed. The default name for the file is Certreq.txt. When you have finished this step, click the Finish button.

  13. You will now be presented with a summary screen with all the information you entered. Verify that all of this information is correct, and then click Finish.

    Note

    ISA Server requires a root certificate from the local CA in its trusted root store. When ISA Server is a member of the same domain as the enterprise CA, it will automatically have the enterprise CA’s certificate in its Trusted Root Certification Authorities store.

Publish Outlook Web Access

This section consists of the following procedures:

  • Back up your current configuration
  • Create a Web listener
  • Configure client certificate authentication on the Web listener
  • Create a mail publishing rule

Publishing Outlook Web Access Procedure 1: Back Up Your Current Configuration

We recommend that you back up your server before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous, backup configuration. To back up the complete configuration of your ISA Server computer to an .xml document, use the following procedure:

For Standard Edition do the following:

  1. Open Microsoft ISA Server Management.
  2. Expand Microsoft Internet Security and Acceleration Server 2004. Right-click Server_Name, and then click Export.
  3. In the Export Configuration dialog box, in Save in, specify the folder in which the export file will be saved. In File name, type a name for the exported file. Choose a meaningful name, and consider including the date in the name of the file.
  4. You can select the following options, and then click Export:
    • You can choose to export user permission settings, by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users, for example, indicating who has administrative rights.
    • You can choose to export confidential information. If you do, it will be encrypted during export. If you want to export confidential information, select Export confidential information. After you click Export, in the Set Password dialog box, provide and confirm a password, and then click OK.
  5. When the export has completed, click OK.

For Enterprise Edition do the following:

  1. Open Microsoft ISA Server Management.

  2. Expand Microsoft Internet Security and Acceleration Server 2004. Expand Arrays, right-click the array through which you are going to publish Outlook Web Access, and then click Export (Back Up) to start the Export Wizard.

  3. On the Welcome page, click Next.

  4. On the Export Preferences page, you can select the following options, and then click Next.

    • You can choose to export confidential information. If you do, it will be encrypted during export. If you want to export confidential information, select Export confidential information. After you click Export, in the Set Password dialog box, provide and confirm a password.
    • You can choose to export user permission settings, by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users, for example, indicating who has administrative rights.
  5. On the Export File Location page, provide the location and name of the file to which you want to save the configuration. Choose a meaningful name, and consider including the date in the name of the file. Click Next.

  6. On the Completing the Export Wizard page, click Finish.

  7. When the export has completed, click OK.

    Note

    Because the .xml document is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Publishing Outlook Web Access Procedure 2: Create a Web Listener

Create a Web listener to listen for Outlook Web Access requests on the specified network (in our example, the External network). The Web listener listens for HTTPS requests only, and will use client certificate authentication.

To create a Web listener, do the following:

  1. In ISA Server Management, click the Firewall Policy node, as follows:

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects. On the toolbar beneath Network Objects, click New, and then click Web Listener.

  3. On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for internal Web publishing, and then click Next.

  4. On the IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapters of ISA Server. Therefore, select External. Do not click Next.

  5. Before you click Next on the IP Addresses page, select specific addresses on which you will listen. Click the Address button. The default selection is to listen on all IP addresses on the network.

    Note

    In ISA Server 2004 Enterprise Edition, where NLB is enabled, this will include both dedicated IP addresses and virtual IP addresses.

    We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default IP addresses on the network adapters of the ISA Server computer in ISA Server 2004 Standard Edition, or the default IP addresses on the network adapters of the ISA Server array in ISA Server 2004 Enterprise Edition. In an Enterprise Edition NLB scenario, this will select the default virtual IP address.
    If you have enabled NLB and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.

  6. Click OK, and on the IP Addresses page, click Next.

  7. On the Port Specification page, clear Enable HTTP. Select Enable SSL, and verify that the SSL port is set to 443 (default setting). Provide the server certificate name in the Certificate field. To do this, click Select, and select the server certificate you installed on the ISA Server computer. Click OK, and then click Next.

    Important

    Use only the standard port numbers (the default settings) for Outlook Web Access publishing.

  8. On the Completing the New Web Listener Wizard page, review the settings, and click Finish.

Publishing Outlook Web Access Procedure 3: Configure Client Certificate Authentication on the Web Listener

To configure client certificate authentication on the Web listener, do the following:

  1. In ISA Server Management, right-click the Firewall Policy node, as follows:
    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then right-click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then right-click Firewall Policy.
  2. On the Toolbox tab, click Network Objects. Expand Web Listeners. Double-click to open the properties of the Web listener you created for Outlook Web Access.
  3. On the Preferences tab, under Configure allowed authentication methods, click Authentication.
  4. In the list of authentication methods, select SSL certificate. Clear all other authentication methods. Then select Require all users to authenticate.
  5. Click OK to close the Web listener properties. In the Firewall Policy details pane, click Apply to apply the changes that you made.

Publishing Outlook Web Access Procedure 4: Create a Mail Publishing Rule

Create a new mail publishing rule using the New Mail Server Publishing Rule Wizard. Follow these steps:

  1. In ISA Server Management, click the Firewall Policy node, as follows:

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name (the array that will publish Outlook Web Access), and then click Firewall Policy.
  2. In the Firewall Policy task pane, on the Tasks tab, select Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.

  3. On the Welcome page of the wizard, provide a name for the rule, and then click Next.

  4. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync, and then click Next. On the Select Services page, select Outlook Web Access.

    Note

    Enable high bit characters used by non-English character sets is enabled by default. This allows DBCS or Latin 1 characters, used in some non-English languages. If you clear this selection, requests using those characters will be blocked.

  5. On the Bridging Mode page, select Secure connection to clients and mail server, so that both portions of the communications pathway are secured by digital certificates. Click Next.

  6. On the Specify the Web Mail Server page, enter the fully qualified domain name (FQDN) or IP address of the Outlook Web Access server. This name must match the name on the Outlook Web Access server digital certificate. Click Next.

  7. On the Public Name Details page, provide information regarding what requests will be received by the ISA Server computer and forwarded to the Outlook Web Access server. In Accepts requests for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your Outlook Web Access server. If you select This domain name and provide a specific domain name, such as mail.fabrikam.com, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server computer, only requests for https://mail.fabrikam.com will be forwarded to the Outlook Web Access server. Click Next.

    Note

    The public name must match the name of the digital certificate on the ISA Server.

  8. On the Select Web Listener page, select the secure Web listener you created previously, and then click Next.

  9. On the User Sets page, select All Users, and then click Remove.

  10. Click Add, and in the Add Users dialog box, select All Authenticated Users. Click Add, click Close, and then click Next.

  11. On the Completing the New Mail Server Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and then click Finish.

  12. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

Configure Exchange and Outlook Web Access Site

This section consists of the following procedures:

  • Require the saving of attachments in Exchange
  • Require SSL on the Outlook Web Access Web site
  • Configure forms-based authentication
  • Test client certificate authentication

Configuring Exchange Procedure 1: Require the Saving of Attachments in Exchange

You can completely block attachments received through Outlook Web Access, so that the user cannot open or save any attachments.

If you do not block attachments, note that some attachments, such as Microsoft Windows Media files and Microsoft Office Excel 2003 spreadsheets, cannot be opened directly by a client connected remotely to an Outlook Web Access server. An attempt to open such a file will result in a failure of the application associated with the file. Those files must be saved locally and can then be opened. You can avoid this problem by configuring Exchange Server 2003 and Exchange 2000 Server to force users to save attachments. This feature is not available in Exchange Server version 5.5.

To force users to save attachments, configure the following registry key on the Exchange Server computer:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA\Level2FileTypes

This registry value specifies a set of file extensions that are potentially dangerous as attachments. Attachments matching these types will not be opened automatically. Instead, users will be prompted to save the attachments locally on their computers.
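The following PowerShell script is an added example, not part of the original article, showing one way to set the Level2FileTypes value repeatably on each Exchange server instead of editing the registry by hand. It assumes, as the Exchange 2003 documentation describes the value, that Level2FileTypes is a REG_SZ holding a comma-separated list of extensions without leading dots; the extension list it adds is a constructed sample chosen to match the file types mentioned above. Because the OWA code reads the list at startup, the script assumes IIS is restarted afterwards (as the forms-based authentication procedure does) for the change to take effect.

```powershell
# Added example (not from the original article): merge extensions into the OWA Level2FileTypes list.
# Assumption: Level2FileTypes is a REG_SZ containing a comma-separated list of extensions (no dots).
# Run on the Exchange server as an administrator.

$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA'

# Constructed sample: Windows Media and Excel extensions that OWA cannot open in-place anyway.
$wanted = @('wmv', 'wma', 'asf', 'xls')

function Merge-ExtensionList {
    param([string]$Existing, [string[]]$Add)
    # Normalise entries (trim, drop a leading dot, lower-case) so "XLS", " .xls" and "xls"
    # collapse to one entry, then return a sorted, de-duplicated comma-separated list.
    $current = @()
    if ($Existing) { $current = $Existing.Split(',') }
    $set = @{}
    foreach ($e in ($current + $Add)) {
        $n = $e.Trim().TrimStart('.').ToLower()
        if ($n -ne '') { $set[$n] = $true }
    }
    return ($set.Keys | Sort-Object) -join ','
}

# Create the key if it is absent, merge the existing list with the requested extensions, write it back.
if (-not (Test-Path $owaKey)) { New-Item -Path $owaKey -Force | Out-Null }
$existing = (Get-ItemProperty -Path $owaKey -Name Level2FileTypes -ErrorAction SilentlyContinue).Level2FileTypes
$merged   = Merge-ExtensionList -Existing $existing -Add $wanted
Set-ItemProperty -Path $owaKey -Name Level2FileTypes -Value $merged -Type String

# Read the value back and confirm every requested extension is present; report any that are not.
$check   = (Get-ItemProperty -Path $owaKey -Name Level2FileTypes).Level2FileTypes.Split(',')
$missing = $wanted | Where-Object { $check -notcontains $_ }
if ($missing) {
    Write-Error "Level2FileTypes is missing: $($missing -join ',')"
} else {
    Write-Host "Level2FileTypes = $merged"
}
```

The merge keeps whatever extensions were already listed, so running the script on a server that has a customised list only adds to it; the read-back check at the end is what you would want in a deployment script, since a silently truncated or mistyped list simply means those attachments open in-place again.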

Configuring Exchange Procedure 2: Require SSL on the Outlook Web Access IIS Web site

On the Outlook Web Access server, configure IIS for SSL communications only, as follows:

  1. Open the Internet Services Manager or your custom IIS snap-in. Expand the server node, expand the Default Web Site node, select virtual path /Exchange, and then click Properties.
  2. Click the Directory Security tab and under Secure Communications, click Edit.
  3. In the Secure Communications dialog box, select the Require secure channel (SSL) check box, and then click OK twice.
  4. Repeat these steps for the virtual path /public.
  5. Repeat these steps for the virtual path /exchweb, but select Enable anonymous access and clear all other authenticated access check boxes.
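As an added example that is not part of the original article, the same three IIS settings can be applied through the IIS 6 ADSI provider rather than the Internet Services Manager UI, which makes the change repeatable across every Outlook Web Access front-end. The script assumes the Outlook Web Access site is the Default Web Site (metabase site identifier 1) and that the metabase bit values are AccessSSL = 8 in AccessSSLFlags and AuthAnonymous = 1 in AuthFlags, as the IIS 6 metabase reference lists them; confirm both against your IIS documentation before use.

```powershell
# Added example (not from the original article): apply Procedure 2 through the IIS 6 ADSI provider.
# Assumptions: OWA lives on the Default Web Site (site id 1); AccessSSL = 8 (AccessSSLFlags) and
# AuthAnonymous = 1 (AuthFlags) are the IIS 6 metabase bit values. Run on the OWA server as an administrator.

$siteRoot      = 'IIS://localhost/W3SVC/1/Root'
$AccessSSL     = 8   # AccessSSLFlags bit: "Require secure channel (SSL)"
$AuthAnonymous = 1   # AuthFlags bit: "Enable anonymous access"

function Set-RequireSsl {
    param([string]$VdirName)
    $vdir = [ADSI]"$siteRoot/$VdirName"
    # Preserve any other access bits already set (for example the 128-bit requirement) and add the SSL bit.
    $flags = [int]$vdir.Get('AccessSSLFlags') -bor $AccessSSL
    $vdir.Put('AccessSSLFlags', $flags)
    $vdir.SetInfo()
}

# /Exchange and /public: SSL required; authentication methods left exactly as configured.
foreach ($name in 'Exchange', 'public') { Set-RequireSsl $name }

# /exchweb: SSL required, and anonymous access only (every other authentication bit cleared).
Set-RequireSsl 'exchweb'
$exchweb = [ADSI]"$siteRoot/exchweb"
$exchweb.Put('AuthFlags', $AuthAnonymous)
$exchweb.SetInfo()

# Verify: print the effective flags for each virtual directory so a missing SSL bit is visible before going live.
foreach ($name in 'Exchange', 'public', 'exchweb') {
    $v      = [ADSI]"$siteRoot/$name"
    $ssl    = [int]$v.Get('AccessSSLFlags')
    $auth   = [int]$v.Get('AuthFlags')
    $sslOn  = ($ssl -band $AccessSSL) -ne 0
    '{0,-10} AccessSSLFlags={1,-4} AuthFlags={2,-3} SSL required: {3}' -f $name, $ssl, $auth, $sslOn
}
```

Note that the script ORs the SSL bit into the existing AccessSSLFlags rather than overwriting the value, so a directory that already requires 128-bit encryption keeps that requirement; the verification loop at the end is the equivalent of re-opening each directory's Directory Security tab and checking the box is still ticked.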

Configuring Exchange Procedure 3: Configure Forms-Based Authentication

After configuring SSL on the Outlook Web Access site, you now need to enable forms-based authentication on the HTTP virtual server in Exchange System Manager, as follows:

  1. Open Exchange System Manager.
  2. Navigate to your server object.
  3. Expand your server object, and expand Protocols.
  4. Expand HTTP.
  5. Right-click Exchange Virtual Server and select Properties.
  6. On the Settings tab, select the Enable Forms Based Authentication check box.
  7. Click OK, and click OK again to dismiss the warning message.
  8. Restart IIS, either from the Services snap-in or from the IIS Admin snap-in.

Configuring Exchange Procedure 4: Test Client Certificate Authentication

To test that the configuration is working as expected, do the following:

  1. Open Internet Explorer, and type in the URL of the Outlook Web Access site. You should see a Client Authentication dialog box. Select the client certificate you want to use to authenticate, and click OK.
  2. You should then be presented with a logon page provided by the forms-based authentication. Specify credentials, and then click OK.
  3. You should now be connected to the Exchange server (with a padlock on the page to indicate an SSL link).
  4. Click the Log Off button to log off.

Additional Information

The following additional resources are available:

Appendix A: Configuring NLB on the ISA Server Array

NLB is supported in ISA Server 2004 Enterprise Edition. You can configure NLB in integrated or non-integrated mode. In integrated mode, you use ISA Server Management to configure NLB. This mode allows you to configure NLB for specific networks, and NLB is automatically configured in unicast mode with single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host. This procedure takes place on a computer in an ISA Server array. You must be logged on as an array or enterprise administrator.

To configure integrated NLB on ISA Server networks, do the following:

  1. On one of the ISA Server array members, expand Arrays, expand the array node, expand Configuration, and click Networks.
  2. In the details pane, verify that the Networks tab is selected.
  3. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration to start the Network Load Balancing Integration Wizard. On the Welcome page, click Next.
  4. On the Select Load Balanced Networks page, select the networks for which NLB will be enabled. We recommend that you enable NLB on the Outlook Web Access servers network, and on the External network. Select those networks. Do not click Next.
  5. Before you click Next, you must set the virtual IP address for each network. To set the virtual IP address, after you select the network, click Set Virtual IP. In the Set Virtual IP Address dialog box, provide the IP address and subnet mask for the virtual IP address you will use. Note that this IP address must be a valid static IP address (that cannot be assigned by your DHCP server), and must belong to the network you are configuring. Click Next.
  6. On the summary page, click Finish.
  7. In the details pane, click Apply.