Step 4: Install and Configure ISA Server 2006 SP1 or Other Firewall

7/2/2010

Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Exchange Server 2010 are designed to work closely together in your network to help provide a more secure mobile messaging environment.

ISA Server 2006 SP1 is the security gateway that helps protect your applications from Internet-based threats. ISA Server enables your business to do more, by helping to secure access to Microsoft applications and data.

The Microsoft preferred topology for a mobile messaging environment is the use of ISA Server 2006 SP1 with Exchange Server 2010. Before attempting to install ISA Server 2006 SP1, Microsoft strongly recommends that you review the following articles:

ISA Server 2006 SP1 Documentation

Publishing Exchange Server 2007 with ISA Server 2006

Best Practices for Performance in ISA Server 2006

ISA Server 2006 Enterprise Edition Installation Guide

ISA Server 2006 Standard Edition Installation Guide

Authentication in ISA Server 2006

Firewall Policy Best Practices for ISA Server 2006

Note   If a third-party firewall is utilized, the only additional required step is to set the idle session timeout for all firewalls and network appliances to 1800 seconds (30 minutes). Refer to the firewall vendor's documentation for the proper procedure. To read more on Direct Push best practices for your firewall, see Understanding Direct Push and Exchange Server 2010.

Procedures

During this part of the process, you will:

  • Install ISA Server 2006 SP1
  • Install a server certificate on the ISA server
  • Update Public DNS
  • Create the Exchange ActiveSync publishing rule using Web publishing

Note

An available update for ISA Server 2006 facilitates the step of creating an Exchange ActiveSync publishing rule and Web Listener. To download this update, go to this Microsoft Web site.

  • Configure the ISA server with your Active Directory (LDAP) or RADIUS server set

Note

This step is required only if ISA is not a domain member. Also, RADIUS does not support user-to-group mapping.

  • Set all firewalls and proxy server idle session timeouts to 1800 seconds (30 minutes)

Note

Increasing the timeout values helps maximize performance of the Direct Push Technology and helps optimize phone battery life. The default value for all ISA Server 2006 SP1 Web listeners is 1800 seconds (30 minutes).

  • Test Outlook Web Access (OWA) and Exchange ActiveSync.

Install ISA Server 2006 SP1

Important

Before attempting to install ISA Server 2006 SP1, Microsoft strongly recommends that you read the ISA Server 2006 SP1 Enterprise Edition Installation Guide or the ISA Server 2006 SP1 Standard Edition Installation Guide, depending on the edition you are installing.

To install ISA Server 2006 SP1

  1. Install and configure Microsoft Windows Server 2008 on the firewall computer.
  2. Install ISA Server 2006 SP1.
  3. Go to Microsoft Update and install all updates and service packs for ISA Server 2006 SP1.

Note

Considerations for installing ISA Server 2006 SP1 in a workgroup or as a domain member are discussed in Network Architecture Scenarios and Exchange Server 2010. Microsoft recommends that you read these scenarios before installing ISA Server 2006 SP1 in either configuration. Your final implementation strategy should be influenced by the security and performance requirements of your network.

  4. Export the OWA SSL Certificate from the Exchange Client Access server to a file.

Install a Server Certificate on the ISA Server Computer

To enable a more secure connection between phones and the ISA Server computer, you must install a server certificate on the ISA server computer. This certificate should be issued by a public Certification Authority because it will be presented to users on the Internet. If a private Certification Authority is used, the root Certification Authority certificate from that private Certification Authority must be installed on every computer and phone that will create a secure (HTTPS) connection to the ISA server computer, and in the local machine certificate store of the ISA server computer itself.

You may perform the following procedures on any server that has IIS installed. Use the following procedures to import a certificate on the ISA server computer.

In this section, you will:

  • Request and install a server certificate from a public Certification Authority
  • Export the server certificate to a file
  • Import the server certificate to the ISA server computer

Note

For a list of public certificate vendors, see Step 6: Certificate Enrollment and Device Provisioning.

Request and Install a Server Certificate from a Public Certification Authority

Perform the following procedure to request and install a server certificate on a computer with IIS installed.

To request and install a server certificate from a public Certification Authority

  1. In IIS, create a new Web site, pointing the Web site to a new, empty directory.

In IIS Manager, expand the local computer, right-click the Web Sites folder, click New, and then click Web Site to start the Web Site Creation Wizard.

      1. Click Next on the Welcome page.
      2. Type a name for the Web site in the Description field. For example, type ISA Cert Site, and then click Next.
      3. Accept the default settings on the IP Address and Port Settings page.
      4. Enter a path for the Web site on the Web Site Home Directory page. For example, enter c:\temp.
      5. Accept the default settings on the Web Site Access Permissions page and click Next.
      6. Click Finish to complete the Web Site Creation Wizard.

Important

By default, the new Web site is stopped. You should leave this Web site in the stopped state. There is no reason to start this Web site.

Note

For more information about creating a new Web site, see IIS product documentation.

  2. Follow the steps provided by the public Certification Authority to create and install a server certificate using the Web site you created in Step 1.

Important

The important information in the certificate is the common name, or FQDN. Enter the FQDN that will be used by Internet users to connect to the Exchange Outlook Web Access site.

Note

Confirm that the private key for the certificate that you will install is exportable.

Export the Server Certificate to a File

After the certificate is installed on the Web site that you just created, you will export the certificate to a file. You will then copy this file and import it to the ISA server computer.

Perform the following procedure to export the server certificate that you just installed.

To export the server certificate to a .pfx file

  1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.
  2. Right-click the Web site on which you installed the certificate in the previous procedure (for example, ISA Cert Site), and then click Properties.
  3. On the Directory Security tab, under Secure communications, click Server Certificate to start the Web Server Certificate Wizard.
  4. Click Next on the Welcome page.
  5. Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.
  6. Type the path and file name on the Export Certificate page. For example, type c:\certificates\mail_isa.pfx, and then click Next.
  7. Enter a password for the .pfx file. This password will be requested when a user is importing the .pfx file. Microsoft recommends that you use a strong password because the .pfx file also has the private key.

Note

Transfer the .pfx file to the ISA server computer in a secure fashion; it contains the private key for the certificate to be installed on the ISA server computer.

Import the Server Certificate on the ISA Server Computer

Perform the following procedure on the ISA server computer to import the server certificate to the local computer store.

To import a server certificate on the ISA server computer

  1. Copy the .pfx file created in the previous section to the ISA server computer in a secure fashion.
  2. Click Start, and then click Run. In Open, type MMC, and then click OK.
  3. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.
  4. Select Certificates, click Add, select Computer account, and then click Next.
  5. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.
  6. Expand the Certificates node, and right-click the Personal folder.
  7. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.
  8. On the Welcome page, click Next
  9. On the File to Import page, browse to the file that you previously created and copied to the ISA Server computer, and then click Next.
  10. On the Password page, type the password for this file, and then click Next.

Note

The Password page provides the option Mark this key as exportable. If you want to prevent the exporting of the key from the ISA server computer, do not select this option.

  11. On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Place Cert Automatically, and then click Next.
  12. On the wizard completion page, click Finish.
  13. Verify that the server certificate was properly installed. Click Certificates, and then double-click the new server certificate. On the General tab, there should be a note that shows you have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the Certification Authority, and a note that shows This certificate is OK.

Update Public DNS

Create a new DNS host record in your domain's public DNS servers. Users will initiate a connection using the name of the Web site. This name must match the common name, or Fully Qualified Domain Name (FQDN), used in the certificate installed on the ISA server computer. For example, a user might browse to https://mail.contoso.com/owa. In this case, the following conditions must be met for the user to successfully initiate a connection:

  • The FQDN used in the server certificate installed on the ISA server computer must be mail.contoso.com.

Important

Contoso.com is a fictitious company domain name used for demonstration purposes in this section, and is not relevant to your specific network. The certificate common name must match the FQDN.

  • The user needs to resolve mail.contoso.com to an IP address
  • The IP address that mail.contoso.com resolves to must be configured on the external network of the ISA server computer.

Note

For ISA Server Enterprise Edition, if you are working with an NLB-enabled array, the IP address may be a virtual IP address configured for the array. For more information about NLB, see Microsoft ISA Server 2006 Help on the Microsoft TechNet Web site.
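The conditions above can be checked from the Internet side before any phone is enrolled. The following added example (editor's code, not part of this article) resolves the published name, completes a TLS handshake against the system trust store, and then reports whether the certificate's names cover the FQDN and how long it remains valid. The host name mail.contoso.com is the article's fictitious example, and SAMPLE_CERT is a constructed stand-in (in the format returned by Python's getpeercert()) so the name-matching and expiry logic can be exercised offline.

```python
"""Check a published name: DNS resolution, trusted chain, name match, expiry.
Added example, not from the original article. mail.contoso.com is a placeholder."""
import socket
import ssl
import time


def _label_matches(pattern: str, name: str) -> bool:
    """Compare one certificate name against the FQDN. A '*' may replace only the
    whole left-most label (so *.contoso.com covers mail.contoso.com but not
    mail.corp.contoso.com or contoso.com)."""
    pattern, name = pattern.lower().rstrip('.'), name.lower().rstrip('.')
    if pattern == name:
        return True
    if not pattern.startswith('*.'):
        return False
    plabels, nlabels = pattern.split('.'), name.split('.')
    return len(plabels) == len(nlabels) and plabels[1:] == nlabels[1:]


def cert_names(cert: dict) -> list:
    """All DNS subjectAltName entries followed by the subject commonName,
    taken from the dict format that ssl.SSLSocket.getpeercert() returns."""
    names = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                names.append(value)
    return names


def cert_matches_name(cert: dict, fqdn: str) -> bool:
    """True if any name on the certificate covers the published FQDN."""
    return any(_label_matches(n, fqdn) for n in cert_names(cert))


def cert_days_left(cert: dict, now: float = None) -> float:
    """Days until notAfter, relative to 'now' (epoch seconds, default: current time)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert['notAfter']) - now) / 86400


def check_published_name(fqdn: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Live check (needs network). Resolves the name, handshakes with chain and
    hostname verification against the system trust store (a private CA whose root
    is not installed locally fails here, as it would on an unprovisioned phone),
    and reports on the leaf certificate."""
    result = {'fqdn': fqdn,
              'addresses': sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, port)})}
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    result['names'] = cert_names(cert)
    result['name_matches'] = cert_matches_name(cert, fqdn)
    result['days_left'] = round(cert_days_left(cert), 1)
    result['issuer'] = dict(rdn[0] for rdn in cert['issuer']).get('organizationName')
    return result


# Constructed sample in getpeercert() format, standing in for a live listener.
SAMPLE_CERT = {
    'subject': ((('commonName', 'mail.contoso.com'),),),
    'issuer': ((('organizationName', 'Example Public CA'),),),
    'subjectAltName': (('DNS', 'mail.contoso.com'), ('DNS', 'autodiscover.contoso.com')),
    'notBefore': 'Jan  1 00:00:00 2010 GMT',
    'notAfter': 'Jan  1 00:00:00 2012 GMT',
}

if __name__ == '__main__':
    import sys
    print(check_published_name(sys.argv[1] if len(sys.argv) > 1 else 'mail.contoso.com'))
```

Run it as `python check_listener.py mail.contoso.com` from a host outside the perimeter. A name mismatch, an untrusted root, or a short days_left value are exactly the conditions that make phones refuse the connection silently.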

Create the Exchange ActiveSync Publishing Rule

Now that the Exchange Client Access server and the ISA server have been properly configured and have the proper server certificates installed, you can start the procedures to publish the Exchange Client Access server. Using the Exchange Publishing Wizard, you can provide more secure access to your Exchange Client Access server.

Note

The process of creating an Exchange ActiveSync Publishing Rule and Web Listener may be facilitated by using the new update for ISA server at this Microsoft Web site.

The following procedures are used to publish your Exchange Client Access server:

  • Create a Web listener
  • Create an Exchange Web client access publishing rule

Create a Web Listener

When you create a Web publishing rule, you must specify a Web listener. The Web listener properties determine the following:

  • IP addresses and ports on the specified networks that the ISA server computer uses to listen for Web requests (HTTP or HTTPS)
  • Server certificates to use with IP addresses
  • Authentication method
  • Number of concurrent connections allowed
  • Single sign on (SSO) settings

Collect the following information for use when you use the New Web Listener Wizard:

Property Value

Web listener name

Name: ________________________

Client connection security

Note the following:

  • If HTTP is selected, information between the ISA Server computer and the client will be transferred in plaintext.
  • If HTTPS is selected, a server certificate needs to be installed on the ISA Server computer.

HTTPS or HTTP (circle one)

Important:
Although it is possible to use HTTP for plaintext data transfer, Microsoft strongly recommends the HTTPS option for configuring the Web listener.

Web listener IP address

Network: ___________________

Optional

Specific IP address: ___.___.___.___

Note:
If this specific IP address is not the primary network adapter IP address, a secondary IP address needs to be configured on the ISA server computer before creating the Web listener.

Authentication settings for the Web listener SSL certificate

Note:
This is only required if HTTPS has been selected for client connectivity security.

___Use a single certificate for this Web listener.

Certificate issued to: _______________________

___Assign a certificate for each IP address. (This option will only be available if a specific IP address has been assigned to the Web listener. It is only required if the listener uses more than one IP address.)

Certificate issued to: _______________________

Authentication

With forms-based authentication, ISA Server collects the user's credentials on its logon form and validates them against the method you select here: Windows (Active Directory) when the ISA server computer is a domain member, or LDAP or RADIUS when it is not. Select the validation method that best suits your environment.

For more information about authentication, see Authentication with ISA Server 2006 at this Microsoft Web site.

Single sign on settings

(Appropriate for Forms Based Authentication (FBA) only.)

___Enable single sign on.

Single sign on domain name:

___________________________

Create a Web listener with the information on the worksheet, and then perform the following procedure.

To create a Web listener

  1. In the console tree of ISA Server Management, click Firewall Policy:

    • For ISA Server 2006 SP1 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 SP1 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.

    Page: Welcome
    Field or property: Web listener name
    Setting: Type a name for the Web listener. For example, type Exchange FBA.

    Page: Client Connection Security
    Field or property: Select what type of connections this Web listener will establish with clients
    Setting: Select Require SSL secured connections with clients.

    Page: Web Listener IP Addresses
    Field or property: Listen for incoming Web requests on these networks
    Setting: Select the External network, and then click Select IP Addresses.
    Field or property: ISA server will compress content sent to clients
    Setting: Leave the check box selected (default).

    Page: External Network Listener IP Selection
    Field or property: Listen for requests on
    Setting: Select Specified IP addresses on the ISA Server computer in the selected network.
    Field or property: Available IP Addresses
    Setting: Select the correct IP address and click Add.
    Note: For ISA Server Enterprise Edition with an NLB-enabled array, you should select a virtual IP address.

    Page: Listener SSL Certificates
    Field or property: Select a certificate for each IP address, or specify a single certificate for this Web listener
    Setting: Select Assign a certificate for each IP address. Select the IP address you just selected and click Select Certificate.

    Page: Select Certificate
    Field or property: Select a certificate from the list of available certificates
    Setting: Select the certificate that you just installed on the ISA server computer. For example, select mail.contoso.com, and click Select. The certificate must be installed before running the wizard.

    Page: Authentication Settings
    Field or property: Select how clients will provide credentials to ISA server
    Setting: Select HTML Form Authentication for forms-based authentication.
    Field or property: Select how ISA server will validate client credentials
    Setting: Select the method that ISA server will use to validate the client's credentials. For example, select LDAP Authentication if you are installing in workgroup mode, or Windows (Active Directory) if the ISA server computer is a domain member.

    Page: Single Sign on Settings
    Field or property: Enable SSO for Web sites published with this Web listener
    Setting: Leave the default setting to enable SSO.
    Field or property: SSO domain name
    Setting: To enable SSO between two published sites such as portal.contoso.com and mail.contoso.com, type .contoso.com.

    Page: Completing the New Web Listener Wizard
    Setting: Review the selected settings, and click Back to make changes or Finish to complete the wizard.

Create an Exchange Web Client Access Publishing Rule

Publishing an internal Exchange Client Access server through ISA Server 2006 SP1 is designed to protect the Web server from direct external access by making the name and IP address of the server inaccessible to the user. The user accesses the ISA server computer, which then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Web client access.

Collect the following information to use when you use the New Exchange Publishing Rule Wizard:

Property Value

Exchange publishing rule name

Name: ________________________

Services

Note:
You can publish multiple services in a single rule using the same Web listener configured with forms-based authentication. ISA Server 2006 SP1 will use Basic authentication for services that do not support forms-based authentication.

Exchange version: ____________

__Outlook Web Access

__Outlook RPC over HTTP

__Outlook Mobile Access

_X_Exchange ActiveSync

Publishing type

__Publish a single Web site

or

__Publish a server farm of load balanced servers

and

Server farm name:_____________

Server connection security

HTTPS or HTTP (circle one)

Note the following:

  • If HTTP is selected, information between the ISA Server computer and the Web server will be transferred in plaintext.
  • If HTTPS is selected, a server certificate needs to be installed on the Exchange front-end server.

Internal publishing details

Internal site name (FQDN): ______________________

If the FQDN is not resolvable by the ISA Server computer:

Computer name or IP address:_____________________

Note:
The internal site name must match the common name of the server certificate installed on the Exchange Client Access server; the computer name or IP address is used only to reach that server when the FQDN does not resolve.

Public name details

Accept request for:

__This domain name:______________

or

__Any domain name

Select Web listener

Web listener:________________

User set

List user sets that will have access to this rule:

_________________

__________________

Important:
Must be LDAP or RADIUS (non-Windows) user sets if the ISA server is not configured as a domain member.

In the next procedure, you'll use the information on the worksheet to create an Exchange Web client access publishing rule.

New Exchange Publishing Rule Wizard for a Single Web Site

To create an Exchange Web client access publishing rule

  1. In the console tree of ISA Server Management, click Firewall Policy:
    • For ISA Server 2006 SP1 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
    • For ISA Server 2006 SP1 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  2. On the Tasks tab, click Publish Exchange Web Client Access. Use the wizard to create the rule as outlined in the following tables.

For a single Web server, use the table in New Exchange Publishing Rule Wizard for a single Web site.

New Exchange Publishing Rule Wizard for a Single Web Site

Page: Welcome
Field or property: Exchange Publishing rule name
Setting: Type a name for the rule. For example, type Exchange Web Client Publishing.

Page: Select Services
Field or property: Exchange version
Setting: Select the proper version of Exchange.
Field or property: Web client mail services
Setting: Select the desired access methods.

Page: Publishing Type
Field or property: Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites
Setting: Select Publish a single Web site or load balancer.

Page: Server Connection Security
Field or property: Choose the type of connections ISA server will establish with the published Web server or server farm
Setting: Select Use SSL to connect to the published Web server or server farm.
Note: A server certificate must be installed on the published Exchange front-end server, and the root Certification Authority certificate of the Certification Authority that issued the server certificate on the Exchange front-end server must be installed on the ISA server computer.

Page: Internal Publishing Details
Field or property: Internal site name
Setting: Type the internal FQDN of the Exchange Client Access server. For example, type exchfe.corp.contoso.com.
Important: The internal site name must match the name of the server certificate that is installed on the internal Exchange Client Access server.
Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA server computer.

Page: Public Name Details
Field or property: Accept requests for
Setting: This domain name (type below)
Field or property: Public name
Setting: Type the domain name for which you want ISA server to accept the connection. For example, type mail.contoso.com.

Page: Select Web Listener
Field or property: Web listener
Setting: Select the Web listener you created previously. For example, select Exchange FBA.

Page: Authentication Delegation
Field or property: Select the method used by ISA server to authenticate to the published Web server
Setting: Select Basic authentication.

Page: User Sets
Field or property: This rule applies to requests from the following user sets
Setting: Select the user set approved to access this rule.

Page: Completing the New Exchange Publishing Rule Wizard
Setting: Review the selected settings, and click Back to make changes or Finish to complete the wizard.

Configure ISA Server 2006 SP1 for LDAP Authentication

Note

This is only required when ISA Server 2006 SP1 is not a domain member.

Lightweight Directory Access Protocol (LDAP) authentication is similar to Active Directory authentication, except that the ISA server computer does not have to be a member of the domain. ISA Server 2006 SP1 connects to a configured LDAP server over the LDAP protocol and validates the user's credentials there; Windows domain controllers are LDAP servers by default, with no additional configuration required. Because the credentials collected on the logon form are forwarded to the domain controller over this connection, place it on a trusted, firewalled path. LDAP authentication supports these scenarios:

  • ISA Server 2006 SP1 Standard Edition servers or ISA Server 2006 SP1 Enterprise Edition array members running in workgroup mode.
  • Authentication of users in a domain with which there is no trust relationship.

In this section you will:

  • Create an LDAP Server Set
  • Create an LDAP User Set

Create an LDAP Server Set

Perform the following procedure to create an LDAP Server set:

  • For ISA Server 2006 SP1 Standard Edition, perform the following procedure on computer isa01
  • For ISA Server 2006 SP1 Enterprise Edition, perform the following procedure on computer storage01

To create an LDAP server set

  1. In the console tree of ISA Server Management, click General:
    • For ISA Server 2006 SP1 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
    • For ISA Server 2006 SP1 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Main, expand Configuration, and then click General.
  2. In the Details pane, click Specify RADIUS and LDAP Servers.
  3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.
  4. In LDAP server set name, type CorpLDAP.
  5. Click Add, to add each LDAP server name or IP address.
  6. In Server name, type dc01 and click OK.
  7. Click OK to close the Add LDAP Server Set dialog box.
  8. Click New to open the New LDAP Server Mapping dialog box.
  9. In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and click OK.
  10. Click Close to close the Authentication Servers window.

Create an LDAP User Set

To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.

Perform the following procedure to create an LDAP user set:

  • For Standard Edition, perform the following procedure on computer isa01
  • For Enterprise Edition, perform the following procedure on computer storage01

To create an LDAP user set:

In the console tree of ISA Server Management, click Firewall Policy, and then create the user set with the New User Set Wizard as outlined in the following table.

Page: Welcome
Field or property: User set name
Setting: Type LDAPUsers.

Page: Users
Field or property: Select the users to include in this user set.
Setting: Click Add, and select LDAP.

Page: Add LDAP User
Field or property: LDAP server set
Setting: From the drop-down list, select CorpLDAP, the LDAP server set.
Field or property: User name
Setting: Select All Users in this namespace.
Note: You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set.

Page: Completing the New User Set Wizard
Setting: Review settings. Click Back to make changes or Finish to complete the wizard.

Upon finishing the above wizard, click the Apply button in the details pane to save the changes and update the configuration.

Set the Idle Session Timeout for Firewalls and Network Appliances to 1800 Seconds

In this step, you will modify idle session timeout times on all firewalls, proxy servers, and other network appliances to accommodate the time required for successful functioning of the Direct Push technology.

Note

The default idle session timeout in ISA Server 2006 SP1 is set at the Microsoft recommended 1800 seconds (30 minutes), so you do not need to modify it.

For more information about modifying the idle session timeout time, see "Best Practice: Configuring your Firewall for Optimal Direct Push Performance" in Best Practices for Mobile Messaging Deployment with Exchange Server 2010 and Understanding Direct Push and Exchange Server 2010.

To confirm the firewall Idle Session Timeout

  1. In the console tree of ISA Server Management, click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.
  3. From the list of folders, expand the Web Listeners node, and view the Properties of the appropriate Web Listener
  4. Select the Connections tab and then click the Advanced… button.
  5. Make sure the Connection Timeout is set at 1800 seconds (30 minutes). Change it if needed.
  6. Click OK twice to accept any change.
  7. Click Apply to make these changes.

Test Exchange Publishing Rule

In this section, you will test the new Exchange publishing rule that you just created.

Test Exchange ActiveSync

Configure a phone to connect to your Exchange server using Microsoft Exchange ActiveSync, and make sure that the ISA server and Exchange ActiveSync are working properly. When configuring your phone and you are prompted to enter a name in the server name field, type the published name of the Exchange ActiveSync server, for example mail.contoso.com. Enter only the host name; the phone adds the /Microsoft-Server-ActiveSync path itself.

Note

You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). If, after you authenticate, you receive HTTP error 501 (Not Implemented) or 505 (HTTP Version Not Supported), the request has passed through ISA server to the Exchange ActiveSync virtual directory and the two are working together properly; these errors are expected because a plain browser request is not a valid ActiveSync command.
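The browser test above can be scripted so that it is repeatable after every rule or listener change. The following added example (editor's code, not part of this article) sends the authenticated OPTIONS request that a device issues first, through the published name, and classifies the response. It assumes the published name mail.contoso.com, an account written as corp\jdoe so that it matches the corp\* login expression used earlier, and the three constructed sample responses; the suggested causes for 401, 403/404 and 502/504 responses are the editor's general guidance rather than statements from the article.

```python
"""Probe the published Exchange ActiveSync virtual directory through the ISA
listener and interpret the result. Added example, not from the original article;
the host name, account and sample responses are placeholders."""
import base64
import http.client
import ssl

EAS_PATH = '/Microsoft-Server-ActiveSync'


def interpret_eas_response(status: int, headers: dict) -> str:
    """Map the HTTP status and headers of a request on the EAS path to a verdict.
    Header names are compared case-insensitively. The suggested causes are the
    editor's general guidance (assumption), not text from the article."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200 and 'ms-asprotocolversions' in h:
        return 'OK: ActiveSync reachable through ISA, protocol versions ' + h['ms-asprotocolversions']
    if status in (501, 505):
        return 'OK: request reached the ActiveSync virtual directory (501/505 is the expected reply to a plain browser GET)'
    if status == 401:
        return 'FAIL: authentication rejected (check the credentials, the LDAP/RADIUS server set and the delegation method on the rule)'
    if status in (403, 404):
        return 'FAIL: request denied or path not published (check the public name, the paths and the user set on the rule)'
    if status in (502, 504):
        return 'FAIL: ISA could not reach the Client Access server (check the internal site name, its certificate and connectivity)'
    return 'UNKNOWN: HTTP %d' % status


def probe_eas(host: str, user: str, password: str, timeout: float = 15.0) -> tuple:
    """Live probe (needs network): an OPTIONS request with Basic credentials,
    which is how a device starts an ActiveSync session. Returns (status, headers)."""
    token = base64.b64encode(('%s:%s' % (user, password)).encode()).decode()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request('OPTIONS', EAS_PATH,
                 headers={'Authorization': 'Basic ' + token, 'User-Agent': 'eas-probe/1.0'})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    resp.read()
    conn.close()
    return resp.status, headers


# Constructed responses standing in for the live listener.
SAMPLE_RESPONSES = {
    'device_options': (200, {'MS-ASProtocolVersions': '2.5,12.0,12.1,14.0',
                             'MS-Server-ActiveSync': '14.0'}),
    'browser_get': (501, {'Content-Type': 'text/html'}),
    'bad_password': (401, {'WWW-Authenticate': 'Basic realm="mail.contoso.com"'}),
}

if __name__ == '__main__':
    import getpass
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else 'mail.contoso.com'
    status, headers = probe_eas(host, r'corp\jdoe', getpass.getpass('Password: '))
    print(interpret_eas_response(status, headers))
```

A 200 with an MS-ASProtocolVersions header is the device-level equivalent of the 501/505 browser result: the credentials were accepted by ISA, delegated with Basic authentication, and the Client Access server answered. Run the probe from outside the perimeter so that it exercises the public DNS record and the external listener, not an internal path.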

See Also

Concepts

Windows Mobile 6.5 and Microsoft Exchange Server 2010 Deployment Procedures