Deploy ISA Server 2006 for Outlook Web App
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
When you deploy ISA Server 2006 for Outlook Web App, you use the New Exchange Publishing Rule wizard on the firewall policy tasks. This wizard shows you the specific settings that you must configure to enable access to Exchange.
Note: If you have multiple versions of Exchange in your organization, you must create an Exchange publishing rule for each version that you support.
Here are the basic steps for deploying ISA Server 2006 for Outlook Web App:
Step 1: Create a new Exchange publishing rule
Step 2: Configure additional options
Step 3: Install a server certificate for ISA Server 2006
See the following sections for information about each step.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "ISA Server 2006" entry in the Client Access Permissions topic.
During this process, you must provide the following information:
- Exchange publishing rule name: Provide a friendly name for your publishing rule, such as "Exchange E-mail Access".
- Supported client access services: On the Select Services page, select the version of Exchange that you're deploying and the client access services that you want to support for your users. By default, when you select Exchange 2010, Outlook Web App is selected.
- Publishing type: On the Publishing Type page, select an option to use depending on whether you plan to publish a single site or an external load balancer, a Web server farm, or multiple Web sites.
- Server connection security: This page lets you select whether to use SSL or non-secured connections from the ISA Server computer to Exchange.
- Internal publishing details: On the Internal Publishing Details page, enter the internal site name of Outlook Web App or select the option to use a computer name or IP address to connect to Exchange.
- Public name details: The Public name details page lets you select which domains you will accept requests from. You must also provide a public name, for example, www.contoso.com.
- Select web listener: The Select web listener page lets you specify the listener for the Exchange server to which you're connecting. A listener is used to specify the authentication type that will be used when the client first contacts the ISA Server computer. The listener contains information about how the ISA Server computer accepts requests from clients, such as the encryption, compression, and authentication that's used on the external connection. You can use this page to create a new listener or edit existing listeners.
- Authentication delegation: The Authentication delegation page lets you specify the type of authentication mechanism that the Client Access server should expect from ISA Server. Select from the following:
  - No delegation, but client may authenticate directly
  - Kerberos constrained delegation
- User sets: The User sets page lets you select which users can use this rule to connect to Exchange.
If you have configured the ISA Server computer to authenticate users, you should configure the Outlook Web App virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication on the Outlook Web App virtual directories together with ISA Server 2006 authentication, users are prompted for their sign-in information only one time.
Note: If you select forms-based authentication for the ISA Server listener, the user will be prompted to reenter authentication credentials if the Outlook Web App session times out.
However, Integrated Windows authentication disallows access from Outlook Web App to documents on Windows file shares or in Windows SharePoint Services document libraries. If you must access documents from Outlook Web App, you must use Basic authentication on the Outlook Web App virtual directory.
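The following check is an added example, not part of the original topic: it audits Outlook Web App virtual directory authentication settings against the guidance above for an ISA Server that authenticates users. The function name `Test-OwaAuthForIsa`, the `-RequireDocumentAccess` switch, and the server name `CAS01` are hypothetical; the sample objects are constructed to mimic `Get-OwaVirtualDirectory` output so the script runs without Exchange.

```powershell
# Added example (not Microsoft's code). Written for PowerShell 2.0 syntax.
function Test-OwaAuthForIsa {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $VirtualDirectory,
        # Hypothetical switch: users must open file share or SharePoint documents from OWA.
        [switch] $RequireDocumentAccess
    )
    process {
        $issues     = @()
        $basic      = [bool]$VirtualDirectory.BasicAuthentication
        $integrated = [bool]$VirtualDirectory.WindowsAuthentication

        if ($VirtualDirectory.FormsAuthentication) {
            $issues += 'Forms-based authentication is enabled; use Basic or Integrated Windows when ISA authenticates users.'
        }
        if (-not ($basic -or $integrated)) {
            $issues += 'Neither Basic nor Integrated Windows authentication is enabled.'
        }
        if ($RequireDocumentAccess -and -not $basic) {
            $issues += 'Document access from Outlook Web App requires Basic authentication.'
        }

        # One result object per virtual directory.
        New-Object PSObject -Property @{
            Identity  = $VirtualDirectory.Identity
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join ' ')
        }
    }
}

# Constructed sample input; property names match Get-OwaVirtualDirectory output.
$samples = @(
    (New-Object PSObject -Property @{ Identity = 'CAS01\owa (Default Web Site)'
        BasicAuthentication = $true;  WindowsAuthentication = $false; FormsAuthentication = $false }),
    (New-Object PSObject -Property @{ Identity = 'CAS02\owa (Default Web Site)'
        BasicAuthentication = $false; WindowsAuthentication = $true;  FormsAuthentication = $false }),
    (New-Object PSObject -Property @{ Identity = 'CAS03\owa (Default Web Site)'
        BasicAuthentication = $false; WindowsAuthentication = $false; FormsAuthentication = $true })
)
$samples | Test-OwaAuthForIsa -RequireDocumentAccess | Format-List Identity, Compliant, Issues

# Against a live server (Exchange Management Shell; CAS01 is a placeholder):
#   Get-OwaVirtualDirectory -Server CAS01 | Test-OwaAuthForIsa -RequireDocumentAccess
# To switch a directory to Basic authentication:
#   Set-OwaVirtualDirectory -Identity 'CAS01\owa (Default Web Site)' `
#       -BasicAuthentication $true -WindowsAuthentication $false -FormsAuthentication $false
```

Basic authentication sends credentials in an easily decoded form, so when a virtual directory uses it, choose SSL rather than a non-secured connection on the Server connection security page.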
After you complete the wizard, the wizard creates the Exchange publishing rule. The rule you create appears in the Firewall Policy Rules list on the Firewall Policy tab.
Note: After you finish creating your publishing rule, you must wait for the settings to take effect. You can monitor ISA Server 2006 publishing rule progress by using the Monitoring node in the ISA Server 2006 Management console.
You can configure additional features, such as link translation and HTTP compression, for the new rule that you created in the ISA Server 2006 Management console. Additional settings for link translation and HTTP compression are managed under the General node on the ISA Server 2006 Management console.
- Configure Link Translation: To configure link translation, you must select the Exchange publishing rule that you created, and then click Edit Selected Rule under Policy Editing Tasks. On the Link Translation tab, you can configure link translation based on the needs of your users.
- Configure HTTP Compression: The HTTP compression option can be configured in the General node under Configuration in the ISA Server 2006 Management console. Click Define HTTP compression preferences, and then select the options that you want to support for your users.
After you finish configuring these options, the ISA Server configuration for Exchange is complete.
To enable an encrypted channel by using SSL between the client computer and the ISA Server computer, you must install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA must be installed on any computer that has to create an encrypted channel (HTTPS) to the ISA Server computer. Otherwise, users will receive a warning that the certificate isn't trusted.
For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.
After you deploy ISA Server, you may also want to Configure Reverse Proxy Servers for Outlook Web App.