Outlook Web Access Server Publishing in ISA Server 2004: RADIUS and Forms-based Client Authentication

Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition work with Microsoft Office Outlook Web Access for Exchange Server 2003 to enhance security for Outlook Web Access servers. Outlook Web Access provides Web browser access to e-mail, scheduling (including group scheduling), contacts, and collaborative information stored in Microsoft Exchange Storage System folders. Outlook Web Access is used by remote, home, and roving users.

When you publish Outlook Web Access servers through ISA Server, you are protecting the Outlook Web Access server from direct external access because the name and IP address of the Outlook Web Access server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the Outlook Web Access server according to the conditions of your mail server publishing rule.

ISA Server allows you to implement a variety of authentication methods for accessing Outlook Web Access servers. This document describes a scenario in which you securely publish Outlook Web Access servers with mail server publishing rules using forms-based authentication to authenticate Outlook Web Access requests from external clients. ISA Server authenticates against a RADIUS server and is not a domain member.

Forms-Based Authentication

Scenario

Solution

Network Topology

Testing and Monitoring the Deployment

Additional Information

Appendix A: Configuring NLB on the ISA Server Array

Forms-Based Authentication

With forms-based client authentication, an unauthenticated user is directed to an HTML form. After the user provides credentials in the form, the system issues a cookie containing a ticket. On subsequent requests, the system first checks the cookie to see if the user was already authenticated, and if so, that user does not have to supply credentials again. Advantages of forms-based authentication include the following:

  • Credential information is not cached on the client computer. This is particularly important when users connect to your Outlook Web Access server from public computers. Users are required to reauthenticate if they close the browser, log off from a session, or navigate to another Web site.
  • You can configure a maximum idle session time-out. If a user is idle for a prolonged period of time, the session expires and reauthentication is required.
  • Users cannot use the Remember my password option in Internet Explorer.

The following considerations are important when planning forms-based authentication on ISA Server for Outlook Web Access:

  • You can enable forms-based authentication on ISA Server when publishing Outlook Web Access for Exchange Server 2003, Exchange 2000 Server, and Exchange Server 5.5.
  • You can enable forms-based authentication on Exchange Server 2003 only. Forms-based authentication is not supported on Exchange 2000 Server or Exchange Server 5.5.
  • When configuring ISA Server 2004 with Exchange Server 2003, you can enable forms-based authentication on ISA Server or on the Exchange server, but not on both. When deciding where to enable forms-based authentication in this scenario, consider the following:
    • When you enable forms-based authentication on ISA Server, you retain the ability of ISA Server to inspect response bodies, as well as request URLs, request headers, request bodies, and response headers.
    • ISA Server forms-based authentication allows you to authenticate users at the edge of the network, and you can use RADIUS-based authentication without domain membership.
    • If you use ISA Server forms-based authentication, you cannot use the Exchange data compression feature.
    • If you use Exchange Server 2003 forms-based authentication, ISA Server inspects request URLs, request headers, request bodies, and response headers, but does not inspect response bodies. However, the Exchange data compression feature is available.
    • Outlook Web Access includes optional functionality that allows a user to change the password. If a user changes the password during an Outlook Web Access session, the cookie provided after the user initially logged on will no longer be valid. When forms-based authentication is configured on ISA Server, the user who changes the password during an Outlook Web Access session will receive the logon page the next time a request is made.

In an ISA Server 2004 Enterprise Edition scenario involving multiple ISA Server array members, you must ensure that client requests for a particular session are handled by the same array member so that the client’s cookie is recognized. If the request is received by a different member, the cookie will not be recognized and the request will be dropped by that ISA Server member. An effective way to ensure that the requests are handled by the same server member is to enable integrated Network Load Balancing (NLB) on the ISA Server array. For more information, see Appendix A: Configuring NLB on the ISA Server Array.

Authenticating Client Requests Against a RADIUS Server

ISA Server 2004 can authenticate users against local accounts on the ISA Server computer, and can communicate with Active Directory directory service servers (for Microsoft Windows authentication), with RSA Authentication Managers (for RSA SecurID authentication), and with Remote Authentication Dial-In User Service (RADIUS) servers.

RADIUS is an industry-standard authentication protocol that authenticates users through a series of communications between RADIUS clients and the RADIUS server. A RADIUS client (in this case, ISA Server) passes information about a user to a designated RADIUS server, and then acts on the response that the RADIUS server returns. Transactions between the RADIUS client and the RADIUS server are encrypted using a shared secret, which is never sent over the network. When you create publishing rules that require RADIUS user authentication, ISA Server challenges the client for credentials, and then creates an access request to the RADIUS server with the user information. For more information about RADIUS authentication, see RFC 2865 and RFC 2866.

There are a number of advantages when ISA Server uses a RADIUS server to authenticate client requests:

  • RADIUS servers do not require that RADIUS clients belong to a domain. Therefore, when ISA Server is set up as a RADIUS client, ISA Server does not need to belong to a domain for authentication purposes.
  • The RADIUS protocol is limited to a single User Datagram Protocol (UDP) connection. Added to the fact that ISA Server does not have to be a domain member for authentication purposes, this makes RADIUS useful in a perimeter network (also known as DMZ, demilitarized zone, or screened subnet) configuration.
  • Remote access policies can be defined on the RADIUS server. For example, you can specify that a remote access policy should only allow access to a particular Windows group.

There are also a number of limitations when ISA Server uses a RADIUS server to authenticate client requests:

  • For incoming Web requests, only unencrypted Password Authentication Protocol (PAP) authentication can be used.
  • When you create a publishing rule with RADIUS authentication, you can either specify that the rule applies to specific users or to all users in the RADIUS namespace. This may be a limitation if you wish to control access for a particular group of users. You can work around this limitation by configuring a remote access policy on the RADIUS server to specify access for a particular group of users.

For more information about deploying a RADIUS server securely with ISA Server, see Appendix B: Best Practices for RADIUS Server Configuration.
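The following Python script is an added example, not code from the original article or from Microsoft. It builds the Access-Request that a RADIUS client such as ISA Server sends for a PAP logon (RFC 2865: the User-Password attribute is hidden by XOR with MD5 digests keyed on the shared secret and the Request Authenticator) and adds the optional Message-Authenticator attribute (RFC 2869: an HMAC-MD5 over the packet), then performs the server-side check. The user name, password, NAS IP address and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865; Message-Authenticator is RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_pap_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes (at least 16), then XOR each 16-byte block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is keyed obfuscation of one attribute, not encryption of the packet."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def recover_pap_password(hidden, secret, request_authenticator):
    """Inverse of hide_pap_password, as run on the RADIUS server."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain, prev = plain + bytes(c ^ k for c, k in zip(block, key)), block
    return plain.rstrip(b"\x00")


def _attr(attr_type, value):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip,
                         identifier=1, request_authenticator=None):
    """Build an Access-Request carrying User-Name, a hidden User-Password,
    NAS-IP-Address and a Message-Authenticator (HMAC-MD5 over the whole
    packet, keyed with the shared secret, computed with its own value zeroed)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD,
                     hide_pap_password(password, secret, request_authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    zero_mac = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         20 + len(attrs) + len(zero_mac)) + request_authenticator
    mac = hmac.new(secret, header + attrs + zero_mac, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def _walk_attributes(packet):
    """Yield (type, raw TLV bytes) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos:pos + attr_len]
        pos += attr_len


def server_verify(packet, secret):
    """What the RADIUS server does before consulting any user database:
    recompute the Message-Authenticator with its own copy of the shared
    secret and recover the PAP password. Returns (mac_ok, user, password)."""
    request_authenticator = packet[4:20]
    zeroed, values = packet[:20], {}
    for attr_type, tlv in _walk_attributes(packet):
        values[attr_type] = tlv[2:]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            tlv = tlv[:2] + b"\x00" * 16
        zeroed += tlv
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    mac_ok = hmac.compare_digest(expected, values.get(ATTR_MESSAGE_AUTHENTICATOR, b""))
    password = recover_pap_password(values[ATTR_USER_PASSWORD], secret, request_authenticator)
    return mac_ok, values[ATTR_USER_NAME], password


if __name__ == "__main__":
    # Constructed sample values; the secret must be identical on ISA Server and on IAS.
    secret = b"constructed-shared-secret"
    pkt = build_access_request(b"alice", b"correct horse battery", secret, "10.0.0.5")
    print("right secret:", server_verify(pkt, secret))
    print("wrong secret:", server_verify(pkt, b"some-other-secret"))
```

With a mismatched secret the Message-Authenticator check fails and the recovered password is garbage, which is why the two sides must hold the same secret; conversely, anyone holding the secret and the packet can recover a PAP password, which is why the article calls this method unencrypted and keeps RADIUS traffic on the Internal network.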

Scenario

Using ISA Server 2004, you want to publish an Outlook Web Access server so that users can access their e-mail messages from home computers and from Internet kiosks. You want the connection to the Outlook Web Access server to be secure, so that only authenticated users are allowed access. You do not want credentials or proprietary information stored on the client computers. ISA Server is configured in workgroup mode and not as part of a domain.

Solution

The solution documented in this paper is to publish Outlook Web Access server through Internet Security and Acceleration (ISA) Server 2004 using a mail server publishing rule. Communication from external clients to the ISA Server computer, and from the ISA Server computer to the Outlook Web Access server, will be encrypted using Secure Sockets Layer (SSL). Forms-based authentication will be enabled on the ISA Server Web listener that listens for Outlook Web Access requests. ISA Server is installed in workgroup mode. Incoming requests from external users will be authenticated against a RADIUS server.

Network Topology

The following computers are necessary to deploy this solution:

  • A computer set up as the Outlook Web Access server on the Internal network. The Outlook Web Access server should run Microsoft Windows Server 2003 or Windows 2000 Server with Service Pack 3.

  • A RADIUS server (IAS in this scenario) on the Internal network.

  • For ISA Server 2004 Standard Edition:

    • A computer running ISA Server 2004 Standard Edition.
  • For ISA Server 2004 Enterprise Edition:

    • A computer for the ISA Server Configuration Storage server.
    • A minimum of two computers running ISA Server services in an array.
  • A computer on the External network to test the solution.

    Note

    When deploying ISA Server 2004 Enterprise Edition, you can use a single computer to host both the Configuration Storage server and ISA Server services. This configuration will not allow you to use Network Load Balancing (NLB).

This walkthrough assumes that you have installed ISA Server 2004 Standard Edition or ISA Server 2004 Enterprise Edition. In the case of Enterprise Edition, you should have installed a Configuration Storage server and at least one ISA Server array, through which you are going to publish the Outlook Web Access server. Installation of these ISA Server components is described in the product documentation and in the ISA Server 2004 Getting Started Guide, available on the ISA Server CD, or for download from the Product Documentation page.

This scenario also presumes the use of IAS as the RADIUS server.

Walkthrough

Planning, installing, configuring, and deploying the solution described in this document includes the following outlined steps.

  • Configure the RADIUS server. Configure ISA Server as a RADIUS client in IAS, and specify a shared secret. Configure a RADIUS Remote Access Policy for unencrypted (PAP) authentication. Only unencrypted authentication is supported for incoming Web requests. For ease of management, create an Active Directory group containing the user accounts to which you want to allow access, and add a condition on the Remote Access Policy to allow access to this group. All user accounts in the group should have dial-in properties set to Control access through Remote Access Policy.

  • Set up the Outlook Web Access server. Install a server certificate on the Outlook Web Access server, to authenticate it to the ISA Server computer for the HTTPS-to-HTTPS connection. Configure IIS on the Outlook Web Access Server to support SSL connections and to block attachments for public (shared) or private computers.

  • Configure ISA Server. Obtain a server certificate on the ISA Server computer, to authenticate it to the requesting clients for the HTTPS-to-HTTPS connection. Configure RADIUS settings in ISA Server, and specify the same shared secret that you configured on the RADIUS server. Enable forms-based and RADIUS authentication on the Web listener. Then create a mail server publishing rule to publish the Outlook Web Access server and configure caching. When you use ISA Server forms-based authentication, no objects are cached from the Outlook Web Access server. To take advantage of the ISA Server caching feature, you can create a cache rule to enable caching of the images served by Outlook Web Access. Do not enable caching of other objects because this can lead to unexpected logging off of users.

  • Test the deployment.

    Important

    To enable forms-based authentication and RADIUS authentication together in ISA Server 2004 Standard Edition, you must install ISA Server 2004 Standard Edition Service Pack 1, and then change the registry key as described in the Resolution section of Knowledge Base article 884560.
    To enable forms-based authentication and RADIUS authentication together in ISA Server 2004 Enterprise Edition, change the registry key as described in the Resolution section of Knowledge Base article . You do not need to install any other update.

Configuring IAS

This section consists of the following procedures:

  • Install IAS Server 2004
  • Configure ISA Server as a RADIUS client. This includes specifying a shared secret that you will also configure on the ISA Server computer.
  • Configure an Active Directory user account for users allowed access to the Outlook Web Access server.
  • Edit the Remote Access Policy. Configure the Remote Access Policy for unencrypted (PAP) authentication, which is the only type of authentication supported for incoming Web requests.
  • Specify access permissions on the Remote Access Policy. Add a condition on the Remote Access Policy to allow access to the user account you created.

Procedure 1: Install IAS Server

IAS Server 2004 is installed as a Windows component. For instructions, see Install IAS in Windows Server 2003 online Help. If IAS Server is a domain member after installation, you must register it in Active Directory. For instructions, see Enable the IAS server to read user accounts in Active Directory in Windows Server 2003 online Help.

Procedure 2: Configure ISA Server as a RADIUS client

When configuring ISA Server as a RADIUS client, make sure that the settings you specify on the RADIUS server are the same as those you will later specify when configuring the IAS server in the ISA Server Management console.

To configure ISA Server as a RADIUS client

  1. On the computer running IAS, click Start, point to Administrative Tools, and then click Internet Authentication Service.

  2. If the RADIUS server is a domain member, check that it is registered in Active Directory. To do this, right-click the root node Internet Authentication Service, and then click Register server in Active Directory.

  3. From the Internet Authentication Service management console, right-click the RADIUS Clients folder, and then click New RADIUS Client.

  4. On the Name and Address page, in Friendly name, enter a name for the ISA Server computer.

  5. In Client address (IP or DNS), enter the IP address of the adapter through which ISA Server will access the RADIUS server (usually the ISA Server internal adapter).

    Note

    In a multiple server array ISA Server 2004 Enterprise Edition environment, define each array member as a RADIUS client.
    You can specify IP addresses or DNS names for RADIUS clients. In most cases, it is more efficient to specify IP addresses because this prevents IAS from needing to resolve client names at startup. If you are using Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, you can specify a RADIUS client by using an IP address range. All of the RADIUS clients in the range must use the same configuration and shared secret. For more information about expressing this type of address range for RADIUS clients, see in Windows Server 2003 online Help.

  6. Click Next.

  7. On the Additional Information page, in Client-Vendor, ensure that RADIUS Standard is selected. In Shared secret, specify a password, and in Confirm shared secret, confirm the password.

  8. Optionally, select Request must contain the Message Authenticator attribute.

  9. Click Finish.

    Note

    Controlling access by means of the Remote Access Policy on the IAS computers allows more flexibility than controlling user access on the publishing rule alone. When you create a publishing rule with RADIUS authentication, you can specify that a rule should apply to a specific user, or to all users in the RADIUS namespace. If you want to apply a rule to a specific group of users, configuring access permissions on the Remote Access Policy is a useful way to do this.

Procedure 3: Configure an Active Directory User Account

For ease of access control management, you will create a Windows group account containing the user accounts that will be allowed access to the Outlook Web Access server. Then assign dial-in permissions to the group account.

To configure an Active Directory user account for ISA Server

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, click to expand the domain name in which you want to add the new group.

  3. Right-click Users, point to New, and then click Group.

  4. Type a name for the new group, such as OWA_Clients.

  5. In Group scope, select Global Domain.

  6. In Group Type, select Security.
    Now you will assign dial-in permissions to the user accounts you want to add to the group.

  7. In the console tree of Active Directory Users and Computers, click the domain name in which the users you want to add to the group are located.

  8. For each user you want to add to the OWA_Clients group, do the following:

    • Right-click the user name, and then click Properties.
    • On the Dial-in tab, check that Control access through Remote Access Policy is selected, and then click OK.
      Now you will add the user accounts to the group.
  9. In the console tree of Active Directory Users and Computers, click the domain name in which the group account is located.

  10. In the details pane, right-click the group, and then click Properties.

  11. On the Members tab, click Add.

  12. In Enter the object names to select, type the names of the users that you want to add to the group, and then click OK.

    Note

    The option of controlling user access through Remote Access Policy is only available in Windows Server 2003 domains or Windows 2000 native mode.

Procedure 4: Verify Remote Access Policy

In this procedure, you will modify the Connections to other access servers default access policy.

To verify remote access policy

  1. In the Internet Authentication Service console, click Remote Access Policies, and then in the details pane, double-click Connections to other access servers.

  2. On the Settings tab, click Edit Profile.

  3. On the Authentication tab, verify that Unencrypted authentication (PAP, SPAP) is selected, and then click OK.

    Note

    Enabling IAS for PAP is a per-profile IAS setting.
    Only unencrypted authentication is available for incoming Web requests.

Procedure 5: Specify Access Permissions on Remote Access Policy

To set access permissions on remote access policy

  1. In the Internet Authentication Service console, click Remote Access Policies, and then in the details pane, double-click the Connections to other access servers remote access policy.
  2. On the Settings tab, click Grant remote access permission.
  3. On the Settings tab, click Add.
  4. In the Attribute types list, click Windows-Groups, and then click Add.
  5. In the Groups dialog box, click Add.
  6. In the Select Groups dialog box, specify the groups to be allowed access (in this case, the OWA_Clients group you configured in Active Directory). Click OK to close the dialog box.
  7. Click OK to close the Groups dialog box, and then click OK to close the remote access policy properties.
    Note

    You can also select Deny remote access permission as a way of denying access to specified Windows groups. For example, you can set the Outlook Web Access publishing rule to allow access to all users in the RADIUS namespace, and then set the Remote Access Policy to exclude specific groups.

Configuring Outlook Web Access

This section consists of the following procedures:

  • Configure a server certificate on the Outlook Web Access server
  • Require SSL for connection to the Outlook Web Access server

Procedure 1: Configure a Server Certificate on Outlook Web Access Server

In this scenario, an SSL connection is preserved from the external client to the ISA Server, and from the ISA Server to the published Outlook Web Access server. A server certificate is required to authenticate ISA Server to external clients, and a server certificate is needed on the Outlook Web Access server to authenticate it to the ISA Server. For information and instructions on configuring server certificates, see Digital Certificates for ISA Server 2004.

Note

The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication (HTTPS) both from the external client to the ISA Server computer, and from the ISA Server computer to the Outlook Web Access server. ISA Server does not support Outlook Web Access publishing rules that forward HTTP requests from the external client to the Outlook Web Access server as HTTPS. If you create a publishing rule that forwards HTTPS requests from the external clients to the Outlook Web Access server as HTTP, do not enable link translation.

Procedure 2: Enable SSL on IIS

On the Outlook Web Access server, configure IIS for SSL communications only.

To configure IIS for SSL communications

  1. Open the Internet Services Manager console or your custom Microsoft Management Console (MMC) containing the Internet Information Services (IIS) snap-in. Expand the server node, expand the Default Web Site node, select virtual path /Exchange, and then click Properties.

  2. Click the Directory Security tab, and in the Secure Communications group, click Edit.

  3. In the Secure Communications dialog box, select the Require secure channel (SSL) check box, and then click OK.

  4. Repeat these steps for the virtual path /public.

  5. Repeat these steps for the virtual path /exchweb. In addition, set the following property for /exchweb:

    • In the Authentication and Access control group on the Directory Security tab, click Edit. Verify that Enable anonymous access is selected, and that all other authenticated access check boxes are cleared.

    Important

    Exchange Server 2003 provides an option of enabling forms-based authentication. Do not select this option because it will not work with ISA Server mail publishing rules. Forms-based authentication should be configured on the ISA Server computer.

Configuring ISA Server

This section consists of the following procedures:

  • Back up your current configuration settings. It is recommended that you back up your array configuration before making any changes. If the changes you make result in unexpected behavior, you can revert to the previous backup configuration.
  • Install a server certificate on the ISA Server computer. IIS is not installed on ISA Server and you cannot request a certificate directly in ISA Server Management console. Instead, request a certificate for ISA Server on the Outlook Web Access server, export it, and then import the certificate and the private key to the ISA Server computer.
  • Configure RADIUS server settings. Specify the RADIUS server that ISA Server should use for authentication, the shared secret for the servers (which must be identical on the ISA Server and on the RADIUS server), the port used by the RADIUS server for incoming authentication requests (UDP port 1812 by default), the time-out for retrying requests, and whether message authenticator should be used.
  • Enable system policy. You must enable the RADIUS system policy rule to allow RADIUS traffic from the ISA Server computer (Local Host network) to the Internal network. This rule assumes that the RADIUS server is located in the Internal network. You can modify this rule to indicate the specific RADIUS server rather than the entire Internal network.
  • Create a Web listener. Create a Web listener to listen for Outlook Web Access requests on the specified network (in this example, External). Configure the Web listener to listen for secure HTTPS requests only.
  • Configure authentication and forms-based settings on the Web listener. Require forms-based authentication with RADIUS on the Web listener, and specify settings for the forms-based authentication dialog box.
  • Require users to save attachments in Exchange if required. When configuring forms-based settings, you can completely block attachments received through Outlook Web Access, so that the user cannot open or save any attachments. If you do not want to block attachments, note that some attachments (such as Windows Media files and Excel spreadsheets) cannot be opened directly by a client connected remotely to an Outlook Web Access server. These files must be saved locally and then opened. You can avoid this issue by configuring Exchange Server 2003 and Exchange 2000 Server to force users to save attachments. This feature is not available in Exchange Server 5.5.
  • Create a user set for RADIUS users. RADIUS authentication does not recognize Windows security groups. Instead, create a RADIUS user set for the publishing rule.
  • Create a mail server publishing rule. Create a rule to publish the Outlook Web Access server to the Internet.
  • Create a cache rule. When you use ISA Server forms-based authentication, no objects are cached from the Outlook Web Access server. To take advantage of the ISA Server caching feature, you can create a cache rule to enable caching of images served by Outlook Web Access. Do not enable caching of other objects because this can lead to unexpected logging off of users.

Procedure 1: Back Up Your Current Configuration Settings

In this procedure, you will back up the complete configuration of your ISA Server computer to an .xml document.

To back up current configuration settings

  1. In ISA Server Management console, expand Microsoft Internet Security and Acceleration Server 2004.

    • For Standard Edition, right-click Server_Name, and then click Export to start the Export Wizard.
    • For Enterprise Edition, expand Arrays, right-click the array through which you are going to publish Outlook Web Access, and then click Export (Back Up) to start the Export Wizard.
  2. On the Welcome page, click Next.

  3. On the Export Preferences page, select the following options:

    • You can choose to export confidential information. If you do, it will be encrypted during export. If you want to export confidential information, select Export confidential information and provide a password.
    • You can choose to export user permission settings by selecting Export user permission settings. User permission settings contain the security roles of ISA Server users (for example, indicating who has administrative rights).
  4. Click Next.

  5. On the Export File Location page, provide the location and name of the file to which you want to save the configuration. Choose a meaningful name, and consider including the date in the name of the file. Click Next.

  6. On the Completing the Export Wizard page, click Finish.

  7. When the export is complete, click OK.

    Note

    Because the .xml document is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Procedure 2: Install a Server Certificate on ISA Server computer

In this scenario, an SSL connection is preserved from the external client to the ISA Server, and from the ISA Server to the published Outlook Web Access server. In such a scenario, a server certificate is required to authenticate ISA Server to external clients. This is usually done with a certificate from a commercial certification authority (CA). A server certificate is also needed to authenticate the Outlook Web Access server to the ISA Server. For ISA Server 2004 Enterprise Edition, you will need to prepare and install an identical server certificate on each array member. For information and instructions on configuring server certificates, see Digital Certificates for ISA Server 2004.

Procedure 3: Configure RADIUS Server Settings

The following procedure will guide you through configuring the RADIUS server in ISA Server Management console. RADIUS servers are configured at the array-level, which means that you do not specify RADIUS servers for a specific array member.

To configure RADIUS server settings

  1. In ISA Server Management console, click the General node.

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click General.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click General.
  2. In the details pane, click Define RADIUS Servers.

  3. On the RADIUS Servers tab, click Add.

  4. In Server name, type the name or IP address of the RADIUS server to be used for authentication. (In this case, the IAS server is in the Internal network with an IP address of 10.0.0.1).

  5. Click Change, and in New secret and Confirm new secret, type the shared secret to be used for communications between the ISA Server computer and the RADIUS server. Be sure to specify the same secret you entered when configuring ISA Server as a client on the RADIUS server.

  6. In Port, specify the UDP port used by the RADIUS server for incoming RADIUS authentication requests. The default value of 1812 is based on RFC 2138.

  7. In Time-out (seconds), specify the time (in seconds) that ISA Server should try to obtain a response from the RADIUS server before trying an alternate server.

    Note

    The RADIUS server settings you specify are applied to all Web listeners or network objects that use RADIUS authentication.

Procedure 4: Enable System Policy

To enable system policy for ISA Server

  1. In ISA Server Management console, right-click the Firewall Policy node.
    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then right-click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then right-click Firewall Policy.
  2. On the Tasks tab, click Edit System Policy.
  3. In the Authentication Services section of the Configuration Groups list, click RADIUS.
  4. On the General tab, ensure Enable is selected.

Procedure 5: Create a Web Listener

To create a new Web listener

  1. In ISA Server Management console, right-click the Firewall Policy node.

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then right-click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then right-click Firewall Policy.
  2. On the Toolbox tab, click Network Objects. On the toolbar beneath Network Objects, click New, and then click Web Listener.

  3. On the Welcome page of the New Web Listener Wizard, type the name of the new listener (such as Listener on External network for internal Web publishing), and then click Next.

  4. On the IP Addresses page, select the network that will listen for Web requests. In this case, ISA Server will receive requests from the External network, so you should select one or more IP addresses on the External network adapters of ISA Server. To do this, select External. Do not click Next.

  5. Click the Address button to select specific addresses on the External network. The default selection is to listen on all IP addresses on the network.

    Note

    In ISA Server 2004 Enterprise Edition, where NLB is enabled, the list of IP addresses includes both dedicated IP addresses and virtual IP addresses.
    The recommendation is that you select Default IP address(es) for network adapter(s) on this network. This will select the default IP addresses on the network adapters of the ISA Server in ISA Server 2004 Standard Edition, or the default IP addresses on the network adapters of the ISA Server array in ISA Server 2004 Enterprise Edition. In an Enterprise Edition NLB scenario, this will select the default virtual IP address.
    If you have enabled NLB and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list.

  6. Click OK, and then click Next on the IP Addresses page.

  7. On the Port Specification page, clear Enable HTTP.

  8. Select Enable SSL and verify that the SSL port is set to 443 (default setting).

  9. Provide the certificate name in the Certificate field. To do this, click Select, select the certificate you installed, click OK, and then click Next.

    Important

    Use only the standard port numbers (the default settings) for Outlook Web Access publishing.

  10. On the Completing the New Web Listener Wizard page, review the settings, and then click Finish.

Procedure 6: Configure Authentication on Web Listener

To configure authentication on the Web listener

  1. In ISA Server Management console, right-click the Firewall Policy node, as follows:

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then right-click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then right-click Firewall Policy.
  2. On the Toolbox tab, click Network Objects. Expand Web Listeners. Double-click the Web listener you created for Outlook Web Access to open the properties page.

  3. On the Preferences tab, under Configure allowed authentication methods, click Authentication.

  4. In the list of authenticated methods, clear all authentication methods except for OWA forms-based.

    Important

    You cannot select the OWA forms-based and RADIUS authentication methods together in ISA Server Management console. The workaround to use forms-based authentication with a RADIUS server is as follows:
    To enable forms-based authentication and RADIUS authentication together in ISA Server 2004 Standard Edition, you must install , and then change the registry key as described in the Resolution section of Knowledge Base article .
    To enable forms-based authentication and RADIUS authentication together in ISA Server 2004 Enterprise Edition, change the registry key as described in the Resolution section of Knowledge Base article . You do not need to install any other update.

  5. Next to Select RADIUS servers for authentication, click RADIUS Servers, and ensure all configuration settings are specified correctly. Click OK to close the dialog box.

  6. Next to Configure OWA forms-based authentication, click Configure to open the OWA Forms-Based Authentication dialog box.

  7. Under Idle Session Timeout, configure the maximum time that clients can remain idle without being disconnected. Typically, you should configure Clients on public machines to have a shorter allowed idle time than Clients on private machines. This will reduce the risk that someone can access the e-mail account of a user who leaves the public computer and forgets to log off. Note that this is a global setting for all Web listeners.

  8. Under E-mail Attachments, you can select to block e-mail attachments for public and private computers. Opening attachments at public Internet terminals could potentially compromise corporate security, so you may want to block that access.

  9. You can select Log off OWA when the user leaves the OWA site if you want users to be automatically logged off when they close the Internet Explorer window, refresh the window, or navigate to another Web site. This provides another layer of security, so that if your user navigates away from the Outlook Web Access site but does not log off or close the browser, another user will not have access to corporate mail.

  10. Click OK to close the Web listener properties. In the Firewall Policy details pane, click Apply to apply the changes that you made.

Procedure 7: Require Saving of Attachments in Exchange

As described in the previous procedure, you can completely block attachments received through Outlook Web Access so that the user cannot open or save any attachments.

If you do not block attachments, note that some attachments (such as Windows Media files and Excel spreadsheets) cannot be opened directly by a client connected remotely to an Outlook Web Access server. Any attempt to open such a file will result in a failure of the application associated with the file. Those files must be saved locally and can then be opened. You can avoid this problem by configuring Exchange Server 2003 and Exchange 2000 Server to force users to save attachments. This feature is not available in Exchange Server 5.5.

To force users to save attachments, configure the following registry key on the Exchange Server computer:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA\Level2FileTypes

This registry value specifies a set of file extensions that are potentially dangerous as attachments. Attachments matching these types will not be opened automatically. Instead, users will be prompted to save the attachments locally on their computers.

Note

You cannot configure Exchange Server 5.5 to require the saving of attachments.

Procedure 8: Create a User Set for RADIUS users

RADIUS authentication does not recognize Windows security groups. Instead, create a RADIUS user set to use in the publishing rule.

To create a user set for RADIUS users

  1. In ISA Server Management console, click the Firewall Policy node.

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then right-click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then right-click Firewall Policy.
  2. On the Toolbox tab, click Users, then click the New menu.

  3. In the Welcome page of the New User Sets Wizard, type in a name for the new group. For example, RADIUS_Users.

  4. On the Users page, click Add, and then click RADIUS.

  5. In the Add User dialog box, click All Users in Namespace, and then click OK.

    Note

    To add an individual user (rather than all RADIUS users), you must type the user name exactly as the user will type it in the authentication form (for example, Domain\UserName, or UserName). ISA Server matches the name in the rule against the submitted credentials as a case-insensitive string comparison.

  6. Click Next, and then click Finish to complete the wizard.

  7. Click Apply to apply changes.

    Note

    When you create a RADIUS user set for All Users in the Namespace and then specify it in a rule, if RADIUS does not have an access restriction configured on a Remote Access Policy, it will allow any user that it can successfully authenticate in either Active Directory (if IAS is a domain member), or locally (if IAS is in workgroup mode). In the scenario described in this document, this rule is applied to All Users in the Namespace, and a restriction is created on the Remote Access Policy to allow access only to a particular Windows group.

Procedure 9: Create a Mail Publishing Rule

In this procedure, you will create a new mail publishing rule using the New Mail Server Publishing Rule Wizard.

To create a mail publishing rule

  1. In ISA Server Management console, click the Firewall Policy node, as follows:

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name (the array that will publish Outlook Web Access), and then click Firewall Policy.
  2. In the Firewall Policy task pane, on the Tasks tab, select Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.

  3. On the Welcome page of the wizard, provide a name for the rule, and then click Next.

  4. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync, and then click Next.

  5. On the Select Services page, select Outlook Web Access.

    Note

    Enable high bit characters used by non-English character sets is enabled by default. This allows DBCS or Latin 1 characters, used in some non-English languages. If you clear this selection, requests using those characters will be blocked.

  6. On the Bridging Mode page, select Secure connection to clients and mail server so that both portions of the communications pathway are secured by digital certificates. Click Next.

  7. On the Specify the Web Mail Server page, enter the FQDN or IP address of the Outlook Web Access server. This name must match the name on the Outlook Web Access server digital certificate. Click Next.

  8. On the Public Name Details page, provide information regarding what requests will be received by the ISA Server computer and forwarded to the Outlook Web Access server. In Accepts requests for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your Outlook Web Access server. If you select This domain name and provide a specific domain name such as mail.fabrikam.com (assuming that domain is resolved to the IP address of the external Web listener of the ISA Server computer), only requests for https://mail.fabrikam.com will be forwarded to the Outlook Web Access server. Click Next.

    Note

    The public name must match the name of the digital certificate on the ISA Server array.

  9. On the Select Web Listener page, select the secure Web listener you created previously, and then click Next.

  10. On the User Sets page, select All Users, and then click Remove.

  11. Click Add, and in the Add Users dialog box, select the RADIUS users group you created. Click Add, and then click Close. Click Next.

  12. On the Completing the New Mail Server Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly. Click Finish.

  13. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

Procedure 10: Create a Cache Rule

To create a cache rule

  1. In ISA Server Management console, click the Cache node.
    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, expand Configuration, and then click Cache.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, expand Configuration, and then click Cache.
  2. In the details pane, click the Cache Rules tab.
  3. In the task pane, on the Tasks tab, select Create a Cache Rule to start the New Cache Rule Wizard.
  4. On the Welcome page of the wizard, provide a name for the rule, and then click Next.
  5. On the Cache Rule Destination page, specify a URL set containing only https://NameOfOutlookWebAccessServer/exchweb/img/*.
  6. On the Content Retrieval page, leave the default selection Only if a valid version of the object exists in the cache, and then click Next.
  7. On the Cache Content page, select If source and request headers indicate to cache and Content requiring user authentication for retrieval. Leave all other options with default settings. Then click Next.
  8. You can use the default selections on the remaining wizard pages. Review the information on the wizard summary page, and then click Finish.

Testing and Monitoring the Deployment

This section consists of the following procedures:

  • Test external client access to the Outlook Web Access server.
  • Test Outlook Mobile Access.
  • Test Exchange ActiveSync.

Procedure 1: Test Outlook Web Access

Testing Outlook Web Access

An external client can access the Outlook Web Access server provided that it can resolve a fully qualified domain name to the external IP address of the ISA Server computer. This is usually achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of ISA Server. To test the deployment in a lab environment, you can instead add the name-to-address mapping to the client's hosts file, located at \system32\drivers\etc\hosts under the Windows installation directory, using a text editor such as Notepad.

To connect to the Outlook Web Access site from the external client, type the Web address, such as https://mail.fabrikam.com/exchange. Be certain to specify https in the URL, as shown.

When you connect, you should see a logon page requesting credentials and the session type (public or private). You must provide this information before you can access your mailbox.

If you have set time-outs or blocked attachments, you can test those features by leaving the browser inactive for a period of time and then trying to access mail, and by trying to open or save attachments.

Procedure 2: Test Outlook Mobile Access

From a computer with Internet access, use Internet Explorer to connect to your Outlook Mobile Access DNS address and make sure that Outlook Mobile Access is working properly.

Note

Although Internet Explorer is not a supported client for Outlook Mobile Access, it is useful to test whether you can communicate with your Exchange front-end server. For more information, see Configuring Outlook Mobile Access.

After you successfully connect to your Exchange server using Outlook Mobile Access, verify that you can connect to your Exchange server using a supported mobile device with Internet connectivity.

Procedure 3: Test Exchange ActiveSync

Configure a mobile device to connect to your Exchange server using Exchange ActiveSync to make sure that ISA Server and Exchange ActiveSync are working properly. For instructions, see How to Configure a Mobile Device to use Exchange ActiveSync.

Note

You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 – Not implemented or not supported, ISA Server and Exchange ActiveSync are working together properly.

Procedure 4: View Outlook Web Access Session Information in ISA Server Logs

ISA Server will log the requests that match the mail server publishing rule, if Log requests matching this rule is selected on the Action tab of the rule properties. (This is the default condition.)

To check the logging properties of the mail server publishing rule

  1. In the ISA Server Management console, click the Firewall Policy node.
    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand the Array_Name, and then click Firewall Policy.
  2. In the details pane, double-click the mail server publishing rule to open the Outlook Web Access Properties dialog box.
  3. Select the Action tab, and confirm that Log requests matching this rule is selected.
  4. Click OK to close the Outlook Web Access Properties dialog box.

To view the mail server publishing rule log

  1. In ISA Server Management console tree, select Monitoring.
  2. In the Monitoring details pane, select Logging.
  3. Create a filter so that you receive only the log information regarding Outlook Web Access access attempts. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. The filter has three default conditions, specifying that the log time is live, that log information from both the firewall and the Web Proxy should be provided, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query.
  4. Select Log Time. From the Condition drop-down menu, select Last 24 Hours, and then click Update.
  5. You can add another expression by selecting an item from the Filter by drop-down menu, and then provide a Condition and Value. For example, to limit the log to display access to your published Web servers, use these expressions: Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, and Filter by: Service, Condition: Equals, Value: Reverse Proxy. This will limit the log to items that match Web publishing rules, including the Outlook Web Access publishing rule.
  6. After you have created an expression, click Add To List to add it to the query list, and then click Start Query. The Start Query command is also available in the task pane on the Tasks tab.

Procedure 5: Monitor RADIUS servers

To monitor RADIUS servers for ISA Server

  1. In ISA Server Management console, click the Monitoring node.

    • For Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Monitoring.
    • For Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Monitoring.
  2. In the details pane, click the Connectivity tab.

  3. In the task pane, on the Tasks tab, click Create New Connectivity Verifier.

  4. On the Welcome page of the wizard, type a name for the connectivity verifier, and then click Next.

  5. On the Connectivity Verification Details page, do the following:

    • In Monitor connectivity to this server or URL, type the name of the RADIUS server.
    • In Verification method, select Send a Ping request.
    • Click Next, and then click Finish.
  6. In the details pane, select the rule you just created.

  7. On the Tasks tab, click Edit Selected Verifier.

  8. On the Properties tab, verify that Trigger an alert if the server response is not within the specified timeout is selected.

    Note

    If you cannot communicate with the RADIUS server, check that the Windows Firewall is not blocking traffic on the computer running the RADIUS server. For more information, see Windows Firewall: IAS. Note also that a ping verifier confirms only that the RADIUS server host answers ICMP; it does not confirm that the RADIUS service is listening on UDP port 1812 (or 1645) or that the shared secret matches. A wrong shared secret or a missing RADIUS client entry on the IAS server produces no response at all, which ISA Server sees as a time-out.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page.

For information about how to deploy Outlook Web Access in Exchange Server 2003, see the Exchange 2003 Deployment Guide

For information about how to deploy Outlook Web Access in Exchange 2000 Server, see the document Outlook Web Access in Exchange 2000 Server, and Customizing Microsoft Outlook Web Access.

Appendix A: Configuring NLB on the ISA Server Array

Follow this procedure to configure Network Load Balancing (NLB) for an array. NLB will be automatically configured in unicast mode and single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host. This procedure takes place on a computer in an ISA Server array. You must be logged on as an array or enterprise administrator.

To configure NLB on an ISA Server array

  1. On one of the ISA Server array members, expand Arrays, expand the array node, expand Configuration, and click Networks.
  2. In the details pane, verify that the Networks tab is selected.
  3. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration to start the Network Load Balancing Integration Wizard. On the Welcome page, click Next.
  4. On the Select Load Balanced Networks page, select the networks for which NLB will be enabled. In this scenario, you enable NLB on the Outlook Web Access servers network and on the External network. Select those networks. Do not click Next.
  5. Before you click Next, you must set the virtual IP address for each network. To set the virtual IP address, first select the network, and then click Set Virtual IP. In the Set Virtual IP Address dialog box, provide the IP address and subnet mask for the virtual IP address you will use. Note that this IP address must be a valid static IP address (that cannot be assigned by your DHCP server), and must belong to the network you are configuring. Click Next.
  6. On the summary page, click Finish.
  7. In the details pane, click Apply.

Appendix B: Best Practices for Configuring RADIUS Servers

This section contains several tips and hints that will help you securely and efficiently deploy RADIUS with ISA Server.

  • Shared secret. A shared secret is a text string that serves as a password between a RADIUS client and a RADIUS server. The shared secret itself is never sent on the wire. When a password-based authentication method is used, the RADIUS client (here, ISA Server) obscures the user password in the Access-Request packet by using a keystream derived from the shared secret and the Request Authenticator (RFC 2865), so anyone who learns the shared secret can recover user passwords from captured Access-Request packets. Use the following tips when creating and using a shared secret:
    • You must use the same case-sensitive shared secret on both the RADIUS server and the RADIUS client.
    • Use a different shared secret for each RADIUS server–RADIUS client pair.
    • To ensure a random shared secret, generate a random sequence at least 22 characters long.
    • You can use any standard alphanumeric and special characters for a shared secret.
    • You can use a shared secret of up to 128 characters in length. To protect your IAS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
    • Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your IAS server and your RADIUS clients from dictionary attacks.
  • Message authenticator. Shared secrets are used to verify that RADIUS messages (except for the Access-Request message) are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). By default, there is no cryptographic verification of the incoming Access-Request message. The RADIUS server verifies only that the message originated from an IP address of a configured RADIUS client, but source IP addresses can be spoofed. The solution is to require the Message-Authenticator attribute in all Access-Request messages. The Message-Authenticator attribute is an HMAC-MD5 (keyed MD5) of the entire Access-Request message, using the shared secret as the key (RFC 2869). Note that if you select Always use message authenticator, make sure that your RADIUS server is capable of receiving message authenticators, and that it is configured to require them as well.
  • Internet Protocol security (IPsec). IPsec provides you with the ability to secure RADIUS servers against unwanted traffic by filtering specific network adapters (allowing or blocking specific protocols) and enabling you to choose source IP addresses from which traffic is allowed. For organizational units, you can create IPsec policies, which are stored in Active Directory. Or, you can create local policies on RADIUS servers, and apply these policies to specific computers. Use IPsec to provide additional security for RADIUS clients and servers. For more information, see Configure IPSec Protection of ISA Server 2004 Traffic on Technet.
  • Remote Access Policies. If you are using RADIUS in ISA Server for VPN client authentication in addition to publishing, you may want to split the remote access policies to prevent your VPN clients from using PAP.
  • Client Reauthentication. Every time a client request matches a rule that requires authentication, ISA Server sends a new Access-Request to the RADIUS server, so a busy site generates far more RADIUS traffic than it would regular domain authentications. An ISA Server COM setting is available to reduce this traffic. SingleRADIUSServerAuthPerSession is a property of the FPCWebListener object that is valid for both network objects and Web listener objects. If you change the property from its default FALSE value to TRUE, user credentials sent to ISA Server and successfully validated by a RADIUS server are cached. For subsequent requests from the user on the same TCP connection, credentials sent to ISA Server are compared with the credentials stored for that connection in the cache, rather than being validated again with the RADIUS server.
  • Information in Access-Request packet. ISA Server does not include much information in the Access-Request packet (for example, NAS IP, NAS Port, Username, and Password), so differentiation between ISA Server and other services may occur based on extra information included by those services if they are run from the same computer. For example, Routing and Remote Access acting as a VPN server provides more information in the Access-Request packet than ISA Server. So if you need different VPN and Outlook Web Access authentication policies on the same ISA Server computer, you may need to resolve the differences between the two request types.

Appendix C: Internet Authentication Service (IAS)

Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server. IAS performs centralized connection authentication and authorization. When you install IAS as an Active Directory domain member, IAS validates credentials against user accounts in Active Directory. An IAS server can authenticate credentials for user accounts in the domain of which it is a member, and for user accounts in all domains that have a two-way trust relationship. For increased performance, you can install IAS on a domain controller, but this is not necessary. If you install IAS in workgroup mode and not as a domain member, IAS validates credentials against user accounts in the local Security Accounts Manager (SAM). For more information about configuring IAS as a RADIUS server, see IAS Concepts, and Overview of IAS deployment in the Microsoft Windows Server 2003 documentation.

The authentication process for Web proxy requests can be summarized as follows:

  1. The user submits an access request to ISA Server.
  2. ISA Server tries to match the request with an access rule.
  3. If there is a match and RADIUS authentication is enabled, the browser prompts the user for a user name and password.
  4. When ISA Server receives the credentials, it sends the authentication request to the IAS server in the form of a RADIUS Access-Request packet. The Access-Request message is submitted to the RADIUS server over the network, and the user password in it is obscured by using the shared secret and the Request Authenticator; the shared secret itself is not transmitted. Each IAS server must have a shared secret for each RADIUS client, and the shared secret must be exactly the same for both server and client.
  5. When the RADIUS server receives the request, it first validates the RADIUS client by checking the source IP address of the request. If the RADIUS client cannot be validated, the RADIUS server does not respond, not even to reject the connection request. If the RADIUS client does not receive a response within its time-out period, it retries the request.
  6. If the Access-Request packet was sent by a valid RADIUS client and message authenticator (also known as the digital signature) is enabled for the RADIUS client, the Message-Authenticator attribute in the packet is checked using the shared secret. If the message authenticator is required and is not found, or fails verification, IAS silently discards the packet.
    To provide protection from spoofed Access-Request messages and RADIUS message tampering, each RADIUS message can be additionally protected with the Message-Authenticator attribute, which is an HMAC-MD5 of the entire RADIUS message keyed with the shared secret (RFC 2869). Enable the use of the message authenticator on both the IAS server and on ISA Server.
  7. The RADIUS server checks the connection request against conditions of the remote access policy. In the example used in this document, the condition is that the user belongs to the WebProxy_Users group. If the connection attempt matches the conditions, the remote access permission of the remote access policy is checked. In an Active Directory environment, if the IAS server cannot connect to the domain controller or find the domain controller to which the user belongs, it silently discards the packet.
  8. The RADIUS server returns a response in the form of Access-Accept or Access-Reject to the client. The RADIUS response may carry authorization information in the form of access attributes as part of the response to the client. Typically RADIUS implementations apply these returned access restrictions. ISA Server does not support this functionality; it simply acts on the accept or reject response.
  9. If ISA Server receives an accept response, it does one of the following:
    • If the access rule applies to All users in the (RADIUS) namespace or All authenticated users, ISA Server allows access.
    • If the access rule applies to a Specific User Name and a case-insensitive string comparison between the user name specified in the rule and the credentials submitted succeeds, ISA Server allows access.
  10. If ISA Server receives a reject response, it denies access. A reject response does not necessarily mean that the credentials were wrong: even if the credentials were authenticated, the RADIUS server may reject the request based on its authorization policy (the remote access policy), and ISA Server then denies the client request.
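The exchange described in Appendix B (shared secret, message authenticator) and in steps 4 through 9 above, as an added Python example that is not part of the original document and not code from ISA Server or IAS. It builds a RADIUS Access-Request with the RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator, models how the server validates the client by source address and then the HMAC before it checks the credentials and the remote access policy, and models how ISA Server acts only on the accept or reject response before applying the rule's user set. The addresses, user names, passwords and the WebProxy_Users group membership are constructed sample data; `run_scenario` is a hypothetical driver, and `radius_server` is a model of the behaviour the text describes, not the IAS implementation.

```python
import hashlib
import hmac
import os
import secrets
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attributes(data):
    """Attributes as an ordered list of (type, value); the order matters for the HMAC."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def password_xor(data, secret, request_auth, hide):
    """RFC 2865 5.2: XOR the NUL-padded password with an MD5 keystream chained from the
    shared secret and the Request Authenticator. Anyone holding the secret can reverse it
    (hide=False), which is why the secret must be long, random and unique per client."""
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def message_authenticator(packet, secret):
    """RFC 2869 5.14: HMAC-MD5 of the whole packet keyed with the shared secret,
    computed with the Message-Authenticator value set to 16 zero bytes."""
    attrs = parse_attributes(packet[20:])
    zeroed = packet[:20] + b"".join(
        attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_request(ident, username, password, nas_ip, secret):
    """What a RADIUS client such as ISA Server sends (Appendix C, step 4)."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, password_xor(password.encode(), secret, request_auth, hide=True))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + request_auth
    mac = message_authenticator(header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16), secret)
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def build_response(code, ident, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20)     # RFC 2865 Response Authenticator follows
    return header + hashlib.md5(header + request_auth + secret).digest()

def radius_server(packet, src_ip, clients, users, allowed_group):
    """Model of IAS handling an Access-Request (steps 5 to 8). None models a silent discard."""
    secret = clients.get(src_ip)
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if secret is None or code != ACCESS_REQUEST or length != len(packet):
        return None                                   # step 5: unknown client or malformed packet
    request_auth, fields = packet[4:20], dict(parse_attributes(packet[20:]))
    if MESSAGE_AUTHENTICATOR not in fields or not hmac.compare_digest(
            fields[MESSAGE_AUTHENTICATOR], message_authenticator(packet, secret)):
        return None                                   # step 6: missing, spoofed or tampered
    account = users.get(fields[USER_NAME].decode())
    password = password_xor(fields[USER_PASSWORD], secret, request_auth, hide=False)
    if account is None or not hmac.compare_digest(account["password"], password):
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    if allowed_group not in account["groups"]:        # step 7: remote access policy condition
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret)

def isa_decision(response, request_auth, secret, rule_user, submitted_user):
    """ISA acts only on accept/reject, then applies the rule's user set (step 9); "*" = all users."""
    if response is None:
        return "timeout"
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return "discarded"                            # reply not from the configured server
    if response[0] == ACCESS_ACCEPT and (rule_user == "*" or rule_user.lower() == submitted_user.lower()):
        return "allowed"
    return "denied"

def run_scenario():
    """Constructed sample data: one ISA Server as RADIUS client, two users, five requests."""
    secret = secrets.token_urlsafe(32).encode()       # random, well over 22 characters
    clients = {"192.0.2.10": secret}                  # ISA Server's address as registered in IAS
    users = {"alice": {"password": b"Correct-Horse-9", "groups": {"WebProxy_Users"}},
             "bob": {"password": b"Battery-Staple-4", "groups": {"Domain Users"}}}
    cases = {"alice_ok": ("alice", "Correct-Horse-9", "192.0.2.10", False),
             "alice_wrong_password": ("alice", "nope", "192.0.2.10", False),
             "bob_not_in_group": ("bob", "Battery-Staple-4", "192.0.2.10", False),
             "spoofed_client": ("alice", "Correct-Horse-9", "198.51.100.7", False),
             "tampered_in_transit": ("alice", "Correct-Horse-9", "192.0.2.10", True)}
    results = {}
    for ident, (name, (user, pw, src, tamper)) in enumerate(cases.items(), start=1):
        pkt = bytearray(build_access_request(ident, user, pw, "192.0.2.10", secret))
        if tamper:
            pkt[22] ^= 0x01                           # flip one bit of User-Name after signing
        resp = radius_server(bytes(pkt), src, clients, users, "WebProxy_Users")
        results[name] = isa_decision(resp, bytes(pkt[4:20]), secret, "*", user)
    return results
```

Calling run_scenario() yields "allowed" for the valid request, "denied" for the wrong password and for the user outside WebProxy_Users (authenticated but not authorized), and "timeout" for both the request from an unregistered address and the request modified after signing. The last two are the point of step 5 and step 6: the server gives no reply at all, so from the ISA Server side a wrong shared secret or a missing RADIUS client entry looks exactly like a network fault.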