ISA Server 2000 Feature Pack 1

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

Microsoft Exchange Server provides vital information to users. Having access not only to e-mail, but also to contact information, task lists, and public folder information is key to productivity and performance. Being outside the company's network often means that access to this information is especially important. The only way to have access to the full features of Exchange is through Microsoft Outlook 2000 or Outlook 2002 clients.

Providing access to an Exchange server through a firewall can be a risky practice, because MAPI RPC connections use dynamically assigned ports, while most firewalls rely on statically mapped ports. ISA Server provides the ability to securely publish an Exchange server through the use of its RPC application filter.

This document describes step-by-step procedures to configure ISA Server so that Outlook 2000 and Outlook 2002 clients can securely connect to an Exchange 2000 Server computer located behind an ISA Server firewall.

The ISA Server configuration considered for this scenario is an Exchange Server computer located behind an ISA Server computer.



Procedures

The following sections detail the steps required to configure ISA Server to allow RPC connectivity:

  1. Configure the Domain Name System (DNS)

  2. Configure the Exchange server as a SecureNAT client

  3. Review the local address table (LAT)

  4. Create a site and content rule

  5. Configure a client address set

  6. Create protocol rules

  7. Change the authentication method

  8. Create a server publishing rule

Before You Begin

Gather the following information before you begin:

  • The internal and external IP addresses of your ISA Server computer

  • The IP addresses for your internal and external DNS servers

  • The name of your Exchange server

  • Your Exchange Server logon ID and password

Note: Unsupported Configurations

  • An Exchange 2000 front-end server does not process MAPI remote procedure calls. All MAPI-based connectivity must route communication from the Outlook client to the back-end Exchange server.

  • MAPI clients cannot access Exchange using RPC when Exchange and ISA Server are installed on the same computer.

Step 1. Configure DNS

Before you begin configuring any ISA Server components, you must ensure that your DNS infrastructure will support MAPI client access. Check DNS to ensure that a Host (A) record for your Exchange server exists on your external DNS server.

To configure DNS

  1. On the DNS server, click Start, click Settings, and then click Administrative Tools.

  2. Click the DNS icon.

  3. Expand the external DNS server node.

  4. Expand the namespace within which you are working, for example, exchange.nwtraders.com.

  5. Double-click the record for your Exchange server.

  6. Ensure the host name of the Exchange server is pointing to the external IP address of the ISA Server computer.

Note: If the host name of the Exchange server is not the same on both the internal and external DNS computers, create an entry in the Hosts file on the client computer that will resolve the NetBIOS name for the Exchange server with the external IP address for the ISA Server computer.

Step 2. Configure the Exchange server as a SecureNAT client

For the Exchange server to communicate successfully, it must be configured as a SecureNAT (Network Address Translation) client. This type of client routes Internet traffic using its default gateway.

To configure the Exchange server as a SecureNAT client

  1. On the Exchange server, click Start, click Settings, and then click Control Panel.

  2. Open the Network and Dial Up Connections applet.

  3. Right-click the LAN connection of the Exchange server, and click Properties. The connection's Internet Connection Properties page appears.

  4. Highlight the Internet Protocol (TCP/IP) option, and then click Properties.

  5. If you are configuring a simple network, in which no routers separate the Exchange server from the ISA Server computer, set the Default Gateway to be the ISA Server computer's internal IP address.

  6. If you are configuring a complex network, in which routers separate the Exchange server from the ISA Server computer, configure the Default Gateway of the Exchange server to the IP address of the local segment's router. Additionally, ensure that all traffic bound for the Internet is routed to the internal interface of the ISA Server computer.

Adding Routes

For a complex network, it is recommended that the ISA Server have a route defined for all network segments on your internal network. The routing table can be manually populated using the ROUTE ADD command, or by using a dynamic routing protocol such as Routing Information Protocol (RIP).

The syntax for the ROUTE ADD command is as follows (the gateway is the address of the router on the ISA Server computer's internal segment that leads to the destination network):

ROUTE ADD <destination network ID> MASK <subnet mask> <gateway IP address>

Note: If your Exchange server receives a reserved IP address from a DHCP server, you need to change the default gateway in the scope properties.

Step 3. Review the local address table

Because the local address table (LAT) defines what servers are located on your internal network, it is the basic requirement for a secure environment. You need to ensure that all servers that are required to make Exchange services available are located in the LAT.

To review the LAT

  1. Open ISA Management.

  2. Expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand the Network Configuration tree, and then click Local Address Table (LAT).

    The LAT is configured when ISA Server is installed. In the details pane, you will see a range of IP addresses that define the internal network.

  4. Confirm that the IP addresses for the Exchange server, the SMTP server, Active Directory domain controllers, and an internal DNS server are all in the LAT.

  5. If you need to add an additional address or set of addresses, follow these steps:

    1. Right-click the Local Address Table (LAT) folder, click New, and then click LAT Entry...

    2. Enter the range of IP addresses in the From and To fields. If you want to define individual servers, type the same IP address in both fields.

    3. Provide a Description for the entry, and then click OK.

Step 4. Create a site and content rule

Create a site and content rule that allows internal clients access to all Internet sites and to all Internet content.

To create a site and content rule

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Right-click Site and Content Rules, click New, and then click Rule. The Site and Content Wizard appears.

  4. Type a name for the new site and content rule, for example Allow All, then click Next.

  5. On the Rule Action page of the wizard, select Allow for the Response to client requests for access option, and then click Next.

  6. On the Rule Configuration tab, select Allow access based on destination, and click Next.

  7. On the Destination Sets tab, select Apply this rule to All destinations, and then click Next.

  8. Review your choices to confirm they are correct, and then click Finish.

Step 5. Configure a client address set

Create a client address set that specifies the internal Exchange servers. The protocol rule created in Step 6 (Create protocol rules) will use this set.

To configure a client address set

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand the Policy Elements tree, and then select the Client Address Sets folder.

  4. Right-click the Client Address Sets folder, click New, and click Set.

  5. Type a Name for the client address set, for example Microsoft Exchange Servers.

  6. Click the Add button.

  7. Type the IP addresses for your Exchange server, and then click OK twice to close both dialog boxes.

Step 6. Create protocol rules

Configure a protocol rule that enables your internal Exchange servers to communicate with external servers and clients. This rule will allow two outbound protocols, DNS and SMTP, and will apply only to the client address set you created for your internal Exchange servers in Step 5.

To create protocol rules

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Right-click Protocol Rules, click New, and then click Rule.

  4. Type a protocol rule name to describe the Exchange server protocol, and then click Next.

  5. Select Allow, and then click Next.

  6. In Apply this rule to, choose the Selected Protocols option.

  7. Choose the DNS Query and SMTP options from the Protocols box, and then click Next.

  8. Select Always, and then click Next.

  9. In the Client Type dialog box, for the Apply the rule to requests from option, select Specific computers (client address sets), and then click Next.

  10. In the Client Sets dialog box, click the Add button, choose the client address set that defines your Exchange server, and then click the Add button.

  11. Click OK, and then click Next.

  12. Review your selections on the Completing the New Protocol Rule Wizard dialog box, and then click Finish.

Step 7. Change the authentication method

To authenticate the Outlook client with an internal domain controller, you must configure the Exchange server to act as a proxy for the Outlook client.

To change the authentication method

  1. On the Exchange Server computer, click the Start button, and click Run.

  2. Type regedit and click OK.

  3. Go to the HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters key.

  4. Right-click the Parameters key.

  5. Choose the New option, and then choose DWORD Value.

  6. Type No RFR Service as the name of the new value.

  7. Set the value to 1.

Step 8. Create a server publishing rule

Next, ISA Server requires a server publishing rule that provides external MAPI Outlook clients connectivity to the internal Exchange server.

To create a server publishing rule

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand the Publishing folder, and right-click the Server Publishing Rules folder. Click New, and then click Rule. You will see the New Server Publishing Rule Wizard dialog box appear.

  4. Type a Server publishing rule name, and then click Next.

  5. In the Address Mapping dialog box, type the internal and external address of the ISA Server computer in the appropriate fields.

  6. In the Protocol Settings dialog box, for the Apply the rule to requests from option, choose the Exchange RPC Server protocol, and then click Next.

  7. Choose the default Any request from the Client Type dialog box, and then click Next.

  8. Review your choices for accuracy in the Complete the New Server Publishing Rule Wizard dialog box, and click Finish.

Configure the Clients

This section describes how to configure Outlook clients to enable connectivity to the Exchange server, and work around issues with new mail notification.

By publishing the Exchange server, clients can use the same configuration when connecting by means of the Internet as they would when connecting locally. However, if the internal and external names of the Exchange server differ, you may need to create a separate profile.

To configure Outlook 2000 clients

  1. Right-click the Microsoft Outlook icon on the desktop, and then click Properties.

  2. If a profile does not exist, click the Add button, choose Microsoft Exchange Server, and then click Next. Enter the name of the Exchange server, and then click Next. Click the Finish button.

  3. If a profile already exists, click the Show Profiles... button.

  4. Choose the appropriate profile, and then click Properties. You will see the Properties page for the profile. Highlight the Microsoft Exchange Server information service, and then click Properties.

  5. On the General tab, verify that the Exchange server can resolve the name of your mailbox, by selecting the Check Name button.

  6. If you cannot connect, create an entry in the local Hosts file that maps the external IP address for the Exchange server to its NetBIOS name.

  7. Click the Advanced tab. Choose Encrypt information both when using the network and when using dial-up networking.

  8. Select the Enable offline use box, and then click OK. Click OK to close the profile's Properties box.

To configure Outlook 2002 clients

  1. Go to the Mail applet in Control Panel. You will see the Mail Setup - Outlook dialog box.

  2. Click the Show Profiles button.

  3. If a profile does not exist, follow these steps:

    1. Click the Add... button, and then enter a name for the profile.

    2. Select the Add a new e-mail account option button, and then click Next.

    3. Select the Microsoft Exchange Server option, and then click Next.

    4. Type the name of the Microsoft Exchange server and the User Name of your mailbox. When prompted, enter your password.

    5. Click Next, and then click Finish.

  4. If a profile already exists, choose the profile for your Exchange server.

  5. Click the E-mail Accounts... button.

  6. Select the View or change existing e-mail accounts option button, and then click Next.

  7. Choose the e-mail account for your Exchange server, and then click the Change button.

  8. On the General tab, verify that the Exchange server can resolve the name of your mailbox by retyping your mailbox name, and then clicking the Check Name button.

  9. If you cannot connect, create an entry in the local Hosts file that maps the external IP address for the Exchange server to its NetBIOS name.

  10. Click the More Settings button.

  11. Click the Advanced tab. Select Encrypt information both when using the network and when using dial-up networking.

  12. Click OK to close the Microsoft Exchange Server dialog box, and return to the E-mail Accounts dialog box.

  13. Click Next, and then click Finish.

  14. Click the Close button on the Mail Setup dialog box, and then click OK to close the Mail dialog box.

ISA Server Feature Pack 1 for RPC Publishing

Using the new feature pack, you can make Exchange 2000 Server available more quickly to your Outlook clients. These features make using RPC publishing over the Internet easier and more useful:

  • Exchange RPC filter enhancements. The ISA Server Exchange RPC filter has two major enhancements, encryption enforcement and outbound RPC (both described below), so that Outlook can now connect securely to Exchange 2000 Server through a firewall.

  • RPC Filter Configuration Add-in Wizard. In the past, to provide RPC access, the All RPC servers option was used. Because the wizard has more granularity, you can create new ISA Server protocol definitions that include one or more RPC interface UUIDs. These protocol definitions are used in server publishing rules for ISA Server so that external clients can access the UUID interfaces on the internal RPC server.

Encryption Enforcement

Administrators who publish Exchange for Outlook clients on the Internet can now require Outlook to use encryption. Previously, administrators had to rely on users configuring Outlook on their own.

To enforce encryption

  1. Click Start, and then click Run. Type regedit, and then click OK.

  2. Open HKEY_LOCAL_MACHINE\Software\Microsoft\FPC\PluginRPC.

  3. Change the value of MinimumAuthenticationLevel from 1 to 6. Level 6 is the RPC packet-privacy authentication level, so the filter then rejects Outlook sessions that do not encrypt their RPC traffic.
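The following PowerShell script is an added example, not part of the original article. It verifies the two registry settings described in Step 7 (No RFR Service on the Exchange server) and in Encryption Enforcement (MinimumAuthenticationLevel on the ISA Server computer), and also checks that the Exchange host name from Step 1 resolves to the ISA Server computer's external address. The host name and IP address parameters are placeholders for your own environment, and the Test-* function names are hypothetical.

```powershell
# Added verification script (not from the original article). Run it with
# administrator rights on the machine you want to check; a registry value that
# belongs to a different computer is simply reported as "not present".
param(
    [string]$ExchangeHostName = "exchange.nwtraders.com",   # name Outlook clients use (placeholder)
    [string]$IsaExternalIp    = "203.0.113.10"              # ISA Server external address (placeholder)
)

# Step 1 / Configure the Clients: the Exchange host name must resolve to the
# external address of the ISA Server computer. GetHostAddresses consults the
# local Hosts file as well as DNS, so a Hosts file entry also satisfies this check.
function Test-ExchangeNameResolution {
    param([string]$HostName, [string]$ExpectedIp)
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        return [pscustomobject]@{ Check = "Name resolution"; Pass = $false; Detail = "'$HostName' did not resolve: $_" }
    }
    [pscustomobject]@{
        Check  = "Name resolution"
        Pass   = ($resolved -contains $ExpectedIp)
        Detail = "'$HostName' resolved to: $($resolved -join ', ') (expected $ExpectedIp)"
    }
}

# Generic REG_DWORD check; returns a Pass/Fail record instead of throwing.
function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Label)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = $Label; Pass = $false; Detail = "'$Name' not present under $Path" }
    }
    $actual = $item.$Name
    [pscustomobject]@{ Check = $Label; Pass = ($actual -eq $Expected); Detail = "'$Name' = $actual (expected $Expected)" }
}

$results = @()
$results += Test-ExchangeNameResolution -HostName $ExchangeHostName -ExpectedIp $IsaExternalIp

# Step 7: the Exchange server proxies directory referrals for the Outlook client.
$results += Test-RegistryDword -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters" `
    -Name "No RFR Service" -Expected 1 -Label "Exchange: No RFR Service"

# Encryption Enforcement: 6 is the RPC packet-privacy authentication level, so
# the RPC filter refuses Outlook sessions that would send MAPI traffic in clear.
$results += Test-RegistryDword -Path "HKLM:\SOFTWARE\Microsoft\FPC\PluginRPC" `
    -Name "MinimumAuthenticationLevel" -Expected 6 -Label "ISA RPC filter: encryption enforced"

$results | Format-Table -AutoSize
```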

Outbound RPC

Outlook clients behind an ISA Server computer can now access Exchange 2000 Server computers in front of the ISA Server computer. When you install the feature pack, a new protocol definition called RPC is created. You can use this protocol definition in a protocol rule so that internal clients can access Exchange servers outside the firewall.

To configure outbound RPC

  1. Open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Right-click the Protocol Rules folder, click New, and then click Rule...

  4. On the Welcome page, type a name for the protocol rule. For example, type Allow outbound RPC. Then, click Next.

  5. On the Rule Action page, select Allow. Then, click Next.

  6. On the Protocols page, in Apply this rule to, select Selected protocols. Then, in Protocols, select RPC. Then click Next.

  7. On the Schedule page, select the appropriate schedule. Then click Next.

  8. On the Client Type page, select the appropriate client type. Then click Next.

  9. Click Finish.

Additional Resources

The following documents can be used as references when configuring these scenarios:

Appendix A - Publish in a Back-to-Back ISA Server

In a back-to-back ISA Server situation, take the following steps to configure the external ISA Server computer:

  1. Create a client address set

  2. Create a site and content rule

  3. Create a server publishing rule


Figure 2 Back-to-Back ISA Configuration to Allow MAPI Client Access

Step A-1. Create a client address set defining the internal ISA Server computer

To create a client address set

  1. On the external ISA Server computer, open ISA Management.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand the Policy Elements tree, and then select the Client Address Sets folder.

  4. Right-click the Client Address Sets folder, click New, and then click Set.

  5. Type a Name for the client address set, for example Internal ISA Server.

  6. Click the Add button.

  7. Type the IP addresses of the external interface of your internal ISA Server computer, and then click OK twice to close both dialog boxes.

Step A-2. Create a site and content rule

To create a site and content rule

  1. Open the ISA Management console.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Right-click Site and Content Rules, click New, and then click Rule... The Site and Content Wizard will appear.

  4. Type a name for the new site and content rule, for example, Allow All, and then click Next.

  5. On the Rule Action page of the wizard, select Allow for the Response to client requests for access option, and then click Next.

  6. On the Rule Configuration page, select Allow some clients access to all external sites, and click Next.

  7. On the Client Type page, select Apply the rule to requests from the specific computers (client address sets) option, and then click Next.

  8. On the Client Sets page, click the Add button, choose the client address set you created from the Defined sets column on the left; click the Add button, click OK, and then click Next.

  9. Review your choices to confirm they are correct, and then click Finish.

Step A-3. Create an Exchange RPC server publishing rule

To create an Exchange RPC server publishing rule

  1. On the external ISA Server computer, open the ISA Management console.

  2. For enterprise installations, expand the Enterprise tree, and choose the appropriate enterprise policy.

    For stand-alone installations, expand the Servers and Arrays tree, and then expand the appropriate server or array.

  3. Expand the Publishing folder, and right-click the Server Publishing Rules folder. Click New, and then click Rule... You will see the New Server Publishing Rule Wizard dialog box.

  4. Type a Server publishing rule name, and then click Next.

  5. In the Address Mapping dialog box, type the internal and external address of the external ISA Server computer in the appropriate fields.

  6. In the Protocol Settings dialog box, for the Apply the rule to requests from option, select the Exchange RPC Server protocol, and then click Next.

  7. Select the default Any request from the Client Type dialog box, and then click Next.

  8. Review your choices for accuracy in the Complete the New Server Publishing Rule Wizard dialog box, and then click Finish.