Using ISA Server with POP3 and IMAP4

Applies to: Exchange Server 2010

You can use Microsoft Internet Security and Acceleration (ISA) Server 2006 with POP3 and IMAP4. We recommend that you use ISA Server 2006 for all your client-to-server connections in Microsoft Exchange Server 2010. When you publish POP3 and IMAP4 client access with ISA Server 2006, communications from the POP3 or IMAP4 clients that are located on the Internet to the ISA Server computer and from the ISA Server computer to the Client Access server are encrypted by using Secure Sockets Layer (SSL).

ISA Server 2006 Features for POP3 and IMAP4 Access

The following table describes several benefits of using ISA Server 2006 to protect POP3 and IMAP4 client access to your Exchange deployment. The links in the "More information" column of the table also apply when you're using ISA Server 2006 with Exchange 2010.

ISA Server 2006 benefits for POP3 and IMAP4

Feature Description More information

Exchange server locations are hidden

When you publish an application through ISA Server, you're protecting the server from direct external access, because the name and IP address of the server can't be accessed by the user. The user accesses the ISA Server computer. This computer forwards the request to the Exchange server according to the conditions of the server publishing rule.

Publishing Exchange Server 2007 with ISA Server 2006

SSL bridging and inspection

SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts it, inspects it, and then ends the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request by using secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires the published Web server to respond with a server-side certificate.

Best Practices for Performance in ISA Server 2006

Install a Server Certificate for ISA Server 2006

To enable an encrypted channel using SSL between the client computer and the ISA Server computer, you must install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root certificate from the private CA must be installed on any computer that has to create an encrypted channel (HTTPS) to the ISA Server computer.

For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006. This information also applies to installing a server certificate on ISA Server 2006 when you're using Exchange 2010.

How to Deploy ISA Server 2006 for POP3 and IMAP4

You can run the Exchange Publishing Rule Wizard to provide POP3 and IMAP4 access to your Exchange deployment by following these steps:

  1. Create a server farm (optional)   When you have more than one Exchange Client Access server, you can use ISA Server to provide load balancing for these servers. The settings you configure allow you to specify the following:
    • The servers that are included in the server farm.
    • The connectivity verification method that ISA Server will use to confirm that the servers are functioning.
  2. Create a Web listener   When you create a Web publishing rule, you must specify a Web listener to use. The settings you configure allow you to specify the following:
    • IP addresses and ports on the specified networks that the ISA Server computer uses to listen for Web requests (HTTP or HTTPS).
    • Server certificates to use with IP addresses.
    • The authentication method to use.
    • The number of concurrent connections that are allowed.
    • Single sign-on settings.
  3. Create an Exchange Web client access publishing rule   When you create an Exchange Web client access publishing rule, you protect the Web server from direct external access because the Web server name and IP address are hidden from the user. The user accesses Exchange through the ISA Server computer. The ISA Server computer forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Client Access.

For more information about how to use the New Exchange Publishing Rule Wizard, see Publishing Exchange Server 2007 with ISA Server 2006. This information also applies to publishing Exchange 2010 with ISA Server 2006.