Step 4: Install and Configure ISA Server 2006 SP1 or Other Firewall
7/2/2010
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Exchange Server 2010 are designed to work closely together in your network to help provide a more secure mobile messaging environment.
ISA Server 2006 SP1 is the security gateway that helps protect your applications from Internet-based threats. ISA Server enables your business to do more, by helping to secure access to Microsoft applications and data.
The Microsoft preferred topology for a mobile messaging environment is the use of ISA Server 2006 SP1 with Exchange Server 2010. Before attempting to install ISA Server 2006 SP1, Microsoft strongly recommends that you review the following articles:
- ISA Server 2006 SP1 Documentation
Note If a third-party firewall is utilized, the only additional required step is to set the idle session timeout for all firewalls and network appliances to 1800 seconds (30 minutes). Refer to the firewall vendor's documentation for the proper procedure. To read more on Direct Push best practices for your firewall, see Understanding Direct Push and Exchange Server 2010.
Procedures
During this part of the process, you will:
- Install ISA Server 2006 SP1
- Install a server certificate on the ISA server
- Update Public DNS
- Create the Exchange ActiveSync publishing rule using Web publishing
Note
An available update for ISA Server 2006 facilitates the step of creating an Exchange ActiveSync publishing rule and Web Listener. To download this update, go to this Microsoft Web site.
- Configure the ISA server with your Active Directory (LDAP) or RADIUS server set
Note
This step is required only if ISA is not a domain member. Also, RADIUS does not support user-to-group mapping.
- Set all firewalls and proxy server idle session timeouts to 1800 seconds (30 minutes)
Note
Increasing the timeout values helps maximize performance of the Direct Push Technology and helps optimize phone battery life. The default value for all ISA Server 2006 SP1 Web listeners is 1800 seconds (30 minutes).
- Test Outlook Web Access (OWA) and Exchange ActiveSync.
Install ISA Server 2006 SP1
Important
Before attempting to install ISA Server 2006 SP1, Microsoft strongly recommends that you read the ISA Server 2006 SP1 Enterprise Edition Installation Guide or the ISA Server 2006 SP1 Standard Edition Installation Guide, depending on the edition you are installing.
To install ISA Server 2006 SP1
- Install and configure Microsoft Windows Server 2008 on the firewall computer.
- Install ISA Server 2006 SP1.
- Go to Microsoft Update and install all updates and service packs for ISA Server 2006 SP1.
Note
Considerations for installing ISA Server 2006 SP1 in a workgroup or domain joined are discussed in Network Architecture Scenarios and Exchange Server 2010. Microsoft recommends that you read these scenarios before installing ISA Server 2006 SP1 in either a workgroup or domain. Your final implementation strategy should be influenced by the security and performance requirements of your network.
- Export the OWA SSL Certificate from the Exchange Client Access server to a file.
Install a Server Certificate on the ISA Server Computer
To enable a more secure connection between phones and the ISA Server computer, you must install a server certificate on the ISA server computer. This certificate should be issued by a public Certification Authority because it will be accessed by users on the Internet. If a private Certification Authority is used, the root Certification Authority certificate from the private Certification Authority must be installed on any computer that will need to create a secure (HTTPS) connection to the ISA server computer, as well as the ISA local machine store.
You can perform the certificate request and export on any server that has IIS installed; the import is then performed on the ISA server computer.
In this section, you will:
- Request and install a server certificate from a public Certification Authority
- Export the server certificate to a file
- Import the server certificate to the ISA server computer
Note
For a list of public certificate vendors, see Step 6: Certificate Enrollment and Device Provisioning.
Request and Install a Server Certificate from a Public Certification Authority
Perform the following procedure to request and install a server certificate on a computer with IIS installed.
To request and install a server certificate from a public Certification Authority
- In IIS, create a new Web site, pointing the Web site to a new, empty directory.
In IIS Manager, expand the local computer, right-click the Web Sites folder, click New, and then click Web Site to start the Web Site Creation Wizard.
- Click Next on the Welcome page.
- Type a name for the Web site in the Description field. For example, type ISA Cert Site, and then click Next.
- Accept the default settings on the IP Address and Port Settings page.
- Enter a path for the Web site on the Web Site Home Directory page. For example, enter c:\temp.
- Accept the default settings on the Web Site Access Permissions page and click Next.
- Click Finish to complete the Web Site Creation Wizard.
Important
By default, the new Web site is stopped. You should leave this Web site in the stopped state. There is no reason to start this Web site.
Note
For more information about creating a new Web site, see IIS product documentation.
- Follow the steps provided by the public Certification Authority to create and install a server certificate using the Web site you created in Step 1.
Important
The important information in the certificate is the common name, or FQDN. Enter the FQDN that will be used by Internet users to connect to the Exchange Outlook Web Access site.
Note
Confirm that the private key for the certificate that you will install is exportable.
Export the Server Certificate to a File
After the certificate is installed on the Web site that you just created, you will export the certificate to a file. You will then copy this file and import it to the ISA server computer.
Perform the following procedure to export the server certificate that you just installed.
To export the server certificate to a .pfx file
- In IIS Manager, expand the local computer, and then expand the Web Sites folder.
- Right-click the Web site for the Exchange front-end services, by default the Default Web Site, and then click Properties.
- On the Directory Security tab, under Secure communications, click Server Certificate to start the Web Server Certificate Wizard.
- Click Next on the Welcome page.
- Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.
- Type the path and file name on the Export Certificate page. For example, type c:\certificates\mail_isa.pfx, and then click Next.
- Enter a password for the .pfx file. This password will be requested when a user is importing the .pfx file. Microsoft recommends that you use a strong password because the .pfx file also has the private key.
Note
Transfer the .pfx file to the ISA server computer in a secure fashion; it contains the private key for the certificate to be installed on the ISA server computer.
Import the Server Certificate on the ISA Server Computer
Perform the following procedure on the ISA server computer to import the server certificate to the local computer store.
To import a server certificate on the ISA server computer
- Copy the .pfx file created in the previous section to the ISA server computer in a secure fashion.
- Click Start, and then click Run. In Open, type MMC, and then click OK.
- Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.
- Select Certificates, click Add, select Computer account, and then click Next.
- Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.
- Expand the Certificates node, and right-click the Personal folder.
- Select All Tasks, and then click Import. This starts the Certificate Import Wizard.
- On the Welcome page, click Next.
- On the File to Import page, browse to the file that you previously created and copied to the ISA Server computer, and then click Next.
- On the Password page, type the password for this file, and then click Next.
Note
The Password page provides the option Mark this key as exportable. If you want to prevent the exporting of the key from the ISA server computer, do not select this option.
- On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Place Cert Automatically, and then click Next.
- On the wizard completion page, click Finish.
- Verify that the server certificate was properly installed. Click Certificates, and then double-click the new server certificate. On the General tab, there should be a note that shows you have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the Certification Authority, and a note that shows This certificate is OK.
Update Public DNS
Create a new DNS host record in your domain's public DNS servers. Users will initiate a connection using the name of the Web site. This name must match the common name, or Fully Qualified Domain Name (FQDN), used in the certificate installed on the ISA server computer. For example, a user might browse to https://mail.contoso.com/exchange. In this case, the following conditions must be met for the user to successfully initiate a connection:
- The FQDN used in the server certificate installed on the ISA server computer must be mail.contoso.com.
Important
Contoso.com is a fictitious company domain name used for demonstration purposes in this section, and is not relevant to your specific network. The certificate common name must match the FQDN.
- The user needs to resolve mail.contoso.com to an IP address.
- The IP address that mail.contoso.com resolves to must be configured on the external network of the ISA server computer.
Note
For ISA Server Enterprise Edition, if you are working with an NLB-enabled array, the IP address may be a virtual IP address configured for the array. For more information about NLB, see Microsoft ISA Server 2006 Help on the Microsoft TechNet Web site.
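As an added pre-flight check (not part of the original article), the following PowerShell script, run on the ISA server computer, verifies the three conditions listed above: the public name resolves, the address it resolves to is bound to a local adapter, and a certificate with that common name and its private key is present in the Local Computer Personal store. It assumes PowerShell 2.0 on Windows Server 2008 and uses the article's fictitious mail.contoso.com as the default name.

```powershell
# Added example, not from the original article. Run on the ISA server computer
# after the certificate has been imported into the Local Computer Personal store.
# Assumption: PowerShell 2.0 on Windows Server 2008; replace the default name.
param(
    [string]$PublicName = 'mail.contoso.com'   # fictitious name used by the article
)

$ok = $true

# 1. Public DNS: the name users will type must resolve to an IPv4 address.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($PublicName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    Write-Host "$PublicName resolves to: $($resolved -join ', ')"
} catch {
    Write-Warning "DNS lookup of $PublicName failed: $($_.Exception.Message)"
    $ok = $false; $resolved = @()
}

# 2. The resolved address must be configured on this computer (the ISA external network).
$localIPs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
$bound = $resolved | Where-Object { $localIPs -contains $_ }
if ($bound) {
    Write-Host "Listener address $($bound -join ', ') is configured on this computer"
} else {
    Write-Warning "None of [$($resolved -join ', ')] is assigned to a local adapter (NLB virtual IP not yet configured?)"
    $ok = $false
}

# 3. A certificate whose common name matches the public name, with its private key, in LocalMachine\My.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($PublicName))(,|$)" }
if (-not $certs) {
    Write-Warning "No certificate with CN=$PublicName in the Local Computer Personal store"
    $ok = $false
}
foreach ($c in $certs) {
    $problems = @()
    if (-not $c.HasPrivateKey)        { $problems += 'no private key (re-export the .pfx with the key)' }
    if ($c.NotAfter -lt (Get-Date))   { $problems += "expired $($c.NotAfter)" }
    if (-not $c.Verify())             { $problems += 'chain does not build (issuing or root CA certificate missing?)' }
    if ($problems) {
        Write-Warning "$($c.Thumbprint): $($problems -join '; ')"; $ok = $false
    } else {
        Write-Host "$($c.Thumbprint): private key present, chain OK, valid until $($c.NotAfter)"
    }
}

if ($ok) { Write-Host 'Public name, listener address and certificate are consistent.' }
else     { Write-Warning 'Fix the warnings above before creating the Web listener.' }
```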
Create the Exchange ActiveSync Publishing Rule
Now that the Exchange Client Access server and the ISA server have been properly configured and have the proper server certificates installed, you can start the procedures to publish the Exchange Client Access server. Using the Exchange Publishing Wizard, you can provide more secure access to your Exchange Client Access server.
Note
The process of creating an Exchange ActiveSync Publishing Rule and Web Listener may be facilitated by using the new update for ISA server at this Microsoft Web site.
The following procedures are used to publish your Exchange Client Access server:
- Create a Web listener
- Create an Exchange Web client access publishing rule
Create a Web Listener
When you create a Web publishing rule, you must specify a Web listener. The Web listener properties determine the following:
- IP addresses and ports on the specified networks that the ISA server computer uses to listen for Web requests (HTTP or HTTPS)
- Server certificates to use with IP addresses
- Authentication method
- Number of concurrent connections allowed
- Single sign on (SSO) settings
Collect the following information for use when you use the New Web Listener Wizard:
Property | Value |
---|---|
Web listener name | Name: ________________________ |
Client connection security | HTTPS or HTTP (circle one). Important: Although it is possible to use HTTP for plaintext data transfer, Microsoft strongly recommends the HTTPS option for configuring the Web listener. |
Web listener IP address | Network: ___________________ Optional specific IP address: ___.___.___.___ Note: If this specific IP address is not the primary network adapter IP address, a secondary IP address needs to be configured on the ISA server computer before creating the Web listener. |
Authentication settings for the Web listener SSL certificate (only required if HTTPS has been selected for client connection security) | ___ Use a single certificate for this Web listener. Certificate issued to: _______________________ ___ Assign a certificate for each IP address. (This option is only available if a specific IP address has been assigned to the Web listener, and it is only required if the listener uses more than one IP address.) Certificate issued to: _______________________ |
Authentication | For forms-based authentication, you have options to authenticate your users to ISA Server. Select the authentication method that best suits your authentication requirements. For more information about authentication, see Authentication with ISA Server 2006 at this Microsoft Web site. |
Single sign on settings (appropriate for forms-based authentication (FBA) only) | ___ Enable single sign on. Single sign on domain name: ___________________________ |
Create a Web listener with the information on the worksheet, and then perform the following procedure.
To create a Web listener
In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 SP1 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
- For ISA Server 2006 SP1 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.
Page | Field or property | Setting |
---|---|---|
Welcome | Web listener name | Type a name for the Web listener. For example, type Exchange FBA. |
Client Connection Security | Select what type of connections this Web listener will establish with clients | Select Require SSL secured connections with clients. |
Web Listener IP Addresses | Listen for incoming Web requests on these networks | Select the External network. Click Select IP Addresses. |
 | ISA server will compress content sent to clients | Check box should be selected (default). |
External Network Listener IP Selection | Listen for requests on | Select Specified IP addresses on the ISA Server computer in the selected network. |
 | Available IP Addresses | Select the correct IP address and click Add. Note: For ISA Server Enterprise Edition with an NLB-enabled array, you should select a virtual IP address. |
Listener SSL Certificates | Select a certificate for each IP address, or specify a single certificate for this Web listener | Select Assign a certificate for each IP address. Select the IP address you just selected and click Select Certificate. |
Select Certificate | Select a certificate from the list of available certificates | Select the certificate that you just installed on the ISA server computer. For example, select mail.contoso.com, and click Select. The certificate must be installed before running the wizard. |
Authentication Settings | Select how clients will provide credentials to ISA server | Select HTML Form Authentication for forms-based authentication. |
 | Select how ISA server will validate client credentials | Select the appropriate method that ISA server will use to validate the client's credentials. For example, select LDAP Authentication if you are installing in workgroup mode. Select Windows (Active Directory) if your ISA server computer is in a domain configuration. |
Single Sign on Settings | Enable SSO for Web sites published with this Web listener | Leave the default setting to enable SSO. |
 | SSO domain name | To enable SSO between two published sites such as portal.contoso.com and mail.contoso.com, type .contoso.com. |
Completing the New Web Listener Wizard | Completing the New Web Listener Wizard | Review the selected settings, and click Back to make changes or Finish to complete the wizard. |
Create an Exchange Web Client Access Publishing Rule
Publishing an internal Exchange Client Access server through ISA Server 2006 SP1 is designed to protect the Web server from direct external access by making the name and IP address of the server inaccessible to the user. The user accesses the ISA server computer, which then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Web client access.
Collect the following information to use when you use the New Exchange Publishing Rule Wizard:
Property | Value |
---|---|
Exchange publishing rule name | Name: ________________________ |
Services (Note: You can publish multiple services in a single rule using the same Web listener configured with forms-based authentication. ISA Server 2006 SP1 will use Basic authentication for services that do not support forms-based authentication.) | Exchange version: ____________ __ Outlook Web Access __ Outlook RPC over HTTP __ Outlook Mobile Access _X_ Exchange ActiveSync |
Publishing type | __ Publish a single Web site or __ Publish a server farm of load balanced servers and Server farm name: _____________ |
Server connection security | HTTPS or HTTP (circle one) |
Internal publishing details | Internal site name (FQDN): ______________________ If the FQDN is not resolvable by the ISA Server computer: Computer name or IP address: _____________________ Note: Must match the upstream certificate common name. |
Public name details | Accept requests for: __ This domain name: ______________ or __ Any domain name |
Select Web listener | Web listener: ________________ |
User set | List user sets that will have access to this rule: _________________ __________________ Important: Must be non-Windows user sets if ISA server is not configured as a domain member and RADIUS is used. |
In the next procedure, you'll use the information on the worksheet to create an Exchange Web client access publishing rule.
New Exchange Publishing Rule Wizard for a Single Web Site
To create an Exchange Web client access publishing rule
- In the console tree of ISA Server Management, click Firewall Policy:
- For ISA Server 2006 SP1 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
- For ISA Server 2006 SP1 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
- On the Tasks tab, click Publish Exchange Web Client Access. Use the wizard to create the rule as outlined in the following tables.
For a single Web server, use the table in New Exchange Publishing Rule Wizard for a single Web site.
New Exchange Publishing Rule Wizard for a Single Web Site
Page | Field or property | Setting |
---|---|---|
Welcome | Exchange Publishing rule name | Type a name for the rule. For example, type Exchange Web Client Publishing. |
Select Services | Exchange version; Web client mail services | Select the proper version of Exchange. Select the desired access methods. |
Publishing Type | Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites | Select Publish a single Web site or load balancer. |
Server Connection Security | Choose the type of connections ISA server will establish with the published Web server or server farm | Select Use SSL to connect to the published Web server or server farm. Note: A server certificate must be installed on the published Exchange front-end server, and the root Certification Authority certificate of the Certification Authority that issued the server certificate on the Exchange front-end server must be installed on the ISA server computer. |
Internal Publishing Details | Internal site name | Type the internal FQDN of the Exchange Client Access server. For example, type exchfe.corp.contoso.com. Important: The internal site name must match the name of the server certificate that is installed on the internal Exchange Client Access server. Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA server computer. |
Public Name Details | Accept requests for; Public name | This domain name (type below). Type the domain name for which you want ISA server to accept the connection. For example, type mail.contoso.com. |
Select Web Listener | Web listener | Select the Web listener you created previously. For example, select Exchange FBA. |
Authentication Delegation | Select the method used by ISA server to authenticate to the published Web server | Select Basic authentication. |
User Sets | This rule applies to requests from the following user sets | Select the user set approved to access this rule. |
Completing the New Exchange Publishing Wizard | Completing the New Exchange Publishing Rule Wizard | Review the selected settings, and click Back to make changes or Finish to complete the wizard. |
Configure ISA Server 2006 SP1 for LDAP Authentication
Note
This is only required when ISA Server 2006 SP1 is not a domain member.
Lightweight Directory Access Protocol (LDAP) authentication is similar to Active Directory authentication, except that the ISA server computer does not have to be a member of the domain. ISA Server 2006 SP1 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Windows domain controllers are also LDAP servers, by default, with no additional configuration changes required. LDAP authentication offers these benefits:
- Support for ISA Server 2006 SP1 Standard Edition or ISA Server 2006 SP1 Enterprise Edition array members in workgroup mode.
- Authentication of users in a domain with which there is no trust relationship.
In this section you will:
- Create an LDAP Server Set
- Create an LDAP User Set
Create an LDAP Server Set
Perform the following procedure to create an LDAP Server set:
- For ISA Server 2006 SP1 Standard Edition, perform the following procedure on computer isa01.
- For ISA Server 2006 SP1 Enterprise Edition, perform the following procedure on computer storage01.
To create an LDAP server set
- In the console tree of ISA Server Management, click General:
- For ISA Server 2006 SP1 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
- For ISA Server 2006 SP1 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Main, expand Configuration, and then click General.
- In the Details pane, click Specify RADIUS and LDAP Servers.
- On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.
- In LDAP server set name, type CorpLDAP.
- Click Add, to add each LDAP server name or IP address.
- In Server name, type dc01 and click OK.
- Click OK to close the Add LDAP Server Set dialog box.
- Click New to open the New LDAP Server Mapping dialog box.
- In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and click OK.
- Click Close to close the Authentication Servers window.
Create an LDAP User Set
To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.
Perform the following procedure to create an LDAP user set:
- For Standard Edition, perform the following procedure on computer isa01.
- For Enterprise Edition, perform the following procedure on computer storage01.
To create an LDAP user set:
In the console tree of ISA Server Management, click Firewall Policy, and then use the New User Set Wizard as outlined in the following table:
Page | Field or property | Setting |
---|---|---|
Welcome | User set name | Type LDAPUsers. |
Users | Select the users to include in this user set. | Click Add, and select LDAP. |
Add LDAP User | LDAP server set; User name | From the drop-down list, select CorpLDAP, the LDAP server set. Select All Users in this namespace. Note: You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set. |
Completing the New User Set Wizard | Review settings. | Click Back to make changes or Finish to complete the wizard. |
Upon finishing the above wizard, click the Apply button in the details pane to save the changes and update the configuration.
Set the Idle Session Timeout for Firewalls and Network Appliances to 1800 Seconds
In this step, you will modify idle session timeout times on all firewalls, proxy servers, and other network appliances to accommodate the time required for successful functioning of the Direct Push technology.
Note
The default idle session timeout in ISA Server 2006 SP1 is set at the Microsoft recommended 1800 seconds (30 minutes), so you do not need to modify it.
For more information about modifying the idle session timeout time, see "Best Practice: Configuring your Firewall for Optimal Direct Push Performance" in Best Practices for Mobile Messaging Deployment with Exchange Server 2010 and Understanding Direct Push and Exchange Server 2010.
To confirm the firewall Idle Session Timeout
- In the console tree of ISA Server Management, click Firewall Policy.
- On the Toolbox tab, click Network Objects.
- From the list of folders, expand the Web Listeners node, and view the Properties of the appropriate Web Listener.
- Select the Connections tab and then click the Advanced… button.
- Make sure the Connection Timeout is set at 1800 seconds (30 minutes). Change it if needed.
- Click OK twice to accept any change.
- Click Apply to make these changes.
Test Exchange Publishing Rule
In this section, you will test the new Exchange publishing rule that you just created.
Test Exchange ActiveSync
Configure a phone to connect to your Exchange server using Microsoft Exchange ActiveSync, and make sure that the ISA server and Exchange ActiveSync are working properly. When configuring your phone and you are prompted to enter a name in the server name field, type the name of the Exchange ActiveSync server that was just published, such as https://mail.contoso.com/owa.
Note
You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 – Not implemented or not supported, ISA server and Exchange ActiveSync are working together properly.
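The Internet Explorer test above, scripted as an added example that is not part of the original article. It assumes PowerShell 2.0 on a client outside the firewall, that published_server_name is replaced by your published name (the article's fictitious mail.contoso.com is used below), and that the credential belongs to a test mailbox; the 501/505 pass condition is the one the note states, while the other status interpretations are this example's own reading.

```powershell
# Added example, not from the original article: scripted form of the browser test.
# Assumptions: PowerShell 2.0; mail.contoso.com is the article's fictitious name;
# the supplied credential is a test mailbox user.
function Test-EasPublishing {
    param(
        [string]$PublishedName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $url = "https://$PublishedName/Microsoft-Server-ActiveSync"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'GET'
    $req.Credentials = $Credential.GetNetworkCredential()   # answers the Basic challenge from ISA
    $req.PreAuthenticate = $true
    $req.AllowAutoRedirect = $false   # a redirect (e.g. to a logon page) is itself a finding
    $req.Timeout = 30000

    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # Non-2xx answers, including the expected 501/505, surface as a WebException
        if ($_.Exception.Response -eq $null) {
            return "FAIL: no HTTP response from $url ($($_.Exception.Status): $($_.Exception.Message))"
        }
        $code = [int]$_.Exception.Response.StatusCode
    }

    switch ($code) {
        { $_ -eq 501 -or $_ -eq 505 } {
            return "PASS: $url answered $code (Not implemented / not supported); ISA Server and Exchange ActiveSync are working together."
        }
        401 {
            return "FAIL: $code Unauthorized; check the credentials, the user set on the rule, and that Basic authentication is delegated."
        }
        200 {
            return "CHECK: 200 OK; the request was most likely answered by a logon form rather than by the Exchange ActiveSync virtual directory."
        }
        { $_ -ge 300 -and $_ -lt 400 } {
            return "CHECK: redirect ($code) instead of the ActiveSync response; inspect the publishing rule and Web listener."
        }
        default { return "CHECK: unexpected HTTP status $code from $url." }
    }
}

# Usage: prompts for the test mailbox credentials and prints the verdict.
Test-EasPublishing -PublishedName 'mail.contoso.com' -Credential (Get-Credential)
```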
See Also
Concepts
Windows Mobile 6.5 and Microsoft Exchange Server 2010 Deployment Procedures