ISA Server 2000 Feature Pack 1

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft ISA Server 2000 Feature Pack 1, Version 1

Overview

Microsoft Internet Security and Acceleration (ISA) Server 2000 allows you to securely publish servers, thereby making internal resources accessible to external users. By configuring Web publishing rules or server publishing rules, you can determine which servers are made available.

Web publishing rules are configured to make available HTTP content on Web servers, such as Internet Information Services (IIS) servers. Server publishing rules are configured to make any other content type available.

With the advent and widespread use of Outlook Web Access servers, many administrators are confronted with a new type of publishing paradigm. Outlook Web Access could be perceived as another Web publishing scenario. Alternatively, Outlook Web Access servers could be published as any other Exchange Server is published.

This document describes alternative methods of publishing Outlook Web Access servers. It overviews the methods, and provides step-by-step instructions on configuring the scenarios. The document focuses on these scenarios:

  • Server Publishing: In this scenario a Web browser establishes a direct SSL connection through ISA server (SSL Tunneling) to the OWA server. For maximum browser compatibility OWA will authenticate users by using IIS basic authentication embedded within the encrypted SSL traffic.

  • Web Publishing: In this scenario a Web browser establishes an SSL connection to the ISA server. If chosen ISA will authenticate the incoming request using basic authentication (embedded within the encrypted SSL traffic). In response, ISA will establish a new SSL connection to OWA and forward the request. OWA will authenticate the request for mailbox access using IIS basic authentication embedded within the encrypted SSL traffic.

If you are using a bridging configuration (and ISA Server is an SSL endpoint for the client accessing the OWA server), then you should use the OWA wizard to configure server publishing, as described in the ISA Server Feature Pack 1 documentation.

Server publishing and Web Publishing

You can use server publishing rules or Web publishing rules to make an Outlook Web Access server publicly available. Depending on your specific network needs, decide which method is preferable. This section describes some of the features pertinent to this decision.

Server publishing rules are easier to configure, and can be configured to restrict external communication to just the HTTPS protocol. Furthermore, external IP traffic that is destined for the OWA server is evaluated first at the ISA Server computer; this means that the ISA Server will protect against malicious attacks, such as attempts to construct malformed IP traffic attacks, for example, TCP SYN attacks.

Although Web publishing entails a somewhat more complex configuration process, it does include enhanced security features in addition to those provided by Server Publishing:

  • Content Filtering, such as "URLscan" enables scanning for application–layer vulnerabilities.

  • You can limit external access to specific areas within the Web site by specifying paths in the destination set.

  • You can authenticate external user requests before forwarding them to the OWA server. This protects the internal Web server from malicious – malformed authentication sessions.

  • External IP traffic designated for the OWA server is more rigorously evaluated at the ISA server computer. Only properly constructed HTTP requests will be allowed to pass to the internal OWA Web server.

  • Public OWA resources (such as icons) are cached by ISA server which enables an enhanced performance boost

Setting up the Scenario

This section describes two configuration methods for publishing an OWA Server: server publishing and Web publishing. First, the network topology used in the scenario is described. Next, configuration steps common to both scenarios are presented. Finally, step-by-step instructions for both Web publishing and server publishing are detailed.

Note that the Lab Architecture and the Configuring the OWA Server sections are relevant to both server publishing and Web publishing scenarios.

Lab Architecture

This section describes the network topology used in the OWA publishing scenarios.

In order to present a step-by-step walkthrough for configuring either of the above two publishing methods, the following network configuration will be used throughout the document to illustrate a real-world deployment scenario. All of the internal servers run Windows 2000 with Service Pack 3 (SP3). The OWA server site will be referenced by the client browser as: mail.fabrikam.com/exchange**.**

Although a private IP addressing scheme is used through the document, any such private reference may be substituted for a real-world addressing scheme.

This walkthrough assumes a new, default installation of all components. ISA server with SP1 and with ISA Server Feature Pack 1 and Exchange/OWA are correctly installed on the appropriate servers. For detailed installation instructions, refer to the corresponding product documentation or see the references in the appendix at the end of this document.

Configuring the OWA Server

In order to provide maximum privacy and browser compatibility OWA will be configured to support basic authentication encrypted within SSL communication. Perform the configuration procedures on the OWA server.

To configure the OWA Server

  1. Prepare and install a digital certificate as described in Appendix A – Installing a digital certificate

  2. Configure IIS to support SSL-encrypted Basic Authentication, by performing the following steps:

    1. Open the Internet Services Manager (or your custom MMC containing the IIS snap-in) and expand the server node, expand the Default Web Site node, select virtual path /Exchange and click Properties.

    2. Click the Directory security tab and click on Edit authentication control.

    3. Under the Authenticated access section select Basic Authentication and click edit to select the domain against which users should be authenticated. Disable Integrated Windows authentication if checked. (Disabling Integrated Authentication is required in order to force Internet Explorer browser to choose basic authentication as the preferred authentication scheme)

    4. Click OK (A dialog box will indicate that basic authentication method is unsecured. You will encrypt this authentication protocol using SSL so you may safely click Yes to continue.

    5. Click OK. A Dialog box may show-up prompting you to specify how the authentication setting should propagate to child nodes in the default site. Click Select All and click OK

    6. Under the Secure Communications section, click Edit, select the Require secure channel (SSL) checkbox, and click OK twice.

    7. Repeat the above steps from step 2.b for the virtual paths /public and /exchweb.

  3. Configure the OWA server to route incoming client requests back to the ISA Server.

In a Web publishing scenario ISA server will automatically change the source IP address of every packet that comes from an external source to the IP address of the internal interface of the ISA server computer. In server publishing ISA server will keep the original source IP address as originally defined by the external client. Using a registry update (described in How to Enable Translating Client Source Address in Server Publishing) you can cause ISA Server to automatically change the source IP address of every packet that comes from an external source to the IP address of the internal interface of the ISA server computer in server publishing.

If you don't use the registry update to handle the source IP addresses in server publishing as described, you will have to configure the default gateway for the OWA computer to reflect the IP address of the ISA server internal NIC address (in our example this is 10.0.0.1).

Choosing a Publishing Method

After you've set up the OWA server, you must configure the ISA Server computer using one of the following methods:

  • To publish the OWA server using server publishing rules, see the Configuring Server Publishing Rules topic.

  • To publish the OWA server using Web publishing rules, see the Configuring Web Publishing rules topic.

Configuring Server Publishing Rules

In order to provide maximum privacy and browser compatibility configure OWA to support basic authentication encrypted within SSL communication. The configuration procedures should be performed on the ISA server computer.

To configure a server publishing rule:

  1. Open the ISA Management console, and expand the Servers and Arrays node.

  2. Expand the ISA server computer node. Then expand the Publishing node

  3. Right-click on the Server Publishing Rules node, click the New command and then click Rule. The New Server Publishing Rule Wizard will appear.

  4. Type a friendly name for the rule such as "OWA server publishing rule" and click Next.

  5. Type in the IP of internal server field the IP address that corresponds to the OWA computer (in our example this is: 10.0.0.3) and the in the External IP address on ISA server field type the IP address that corresponds to ISA external interface. (in our example this is: 20.0.0.1) and click Next.

  6. In the protocol settings page select HTTPS Server from the drop-down menu and click Next.

  7. In the client type page leave the default Any request and click Next.

  8. Click Finish to end the Wizard.

Testing the deployment

An external client can access the OWA server provided that it can resolve a fully qualified domain name to the external IP address of the ISA server computer. This would normally be achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of ISA server. To test the deployment in a lab environment you can specify the Web site host name resolution information using notepad, in the client hosts file located under the following path: \system32\drivers\etc\hosts in the windows installation directory. In our example our hosts file includes the following entry: "20.0.0.1 mail.fabrikam.com".

To connect to the OWA site from the external client type the following Web address: https://mail.fabrikam.com/exchange. Be certain to specify https in the URL.

Configuring Web Publishing rules

To configure Web publishing rules

  1. Configure ISA server internal name resolution

    Note: You can skip this step if you use your own DNS server for computer name resolution.

    The hosts file is located at: \system32\drivers\etc\hosts under the windows installation directory and should contain a mapping between the each server fully qualified host name and its corresponding IP address: In our example the OWA URL address as seen by clients would be specified as: "20.0.0.1 mail.fabrikam.com".

    On the ISA server computer edit the hosts file to allow correct name resolution for the following host names:

    • The internal OWA host name (in our example: owa.adatum.com)

    • The URL address external clients will type in their browser to access the OWA site (in our example: mail.fabrikam.com)

    • The internal domain controller host name (in our example: dc.adatum.com)

    In order to verify correct name resolution on the internal network use the ping utility on the ISA server computer to resolve all the computer FQDN names.

  2. Run the Outlook Web Access Wizard

    The Outlook Web Access Wizard does the following tasks: Installs a listener to accept incoming requests, defines an OWA-specific destination set and creates a Web publishing rule.

    1. Open the ISA Management console, and expand the Servers and Arrays node. Expand the ISA server computer node. Then expand the Publishing node. Right-click on the Server Publishing Rules node, click the New command and then click Publish Outlook Web Access server

    2. Type-in a descriptive name for the rule (in our example "OWA Rule") and Click Next

    3. Type-in the fully qualified host name of the OWA server as specified in step2 (in our example this is mail.fabrikam.com)

    4. Check the option Use an SSL connection from ISA Server to the OWA server and Click Next

    5. Type-in the fully qualified host name which external clients will use to access the OWA Web site. In our example this is: mail.fabrikam.com. Then click Next.

    6. Select the option Enable SSL and press the Select button. Choose the certificate that maps to the URL specified in the previous step. Click OK, then click Next

    7. Review the summary and Click Finish.

    8. Select Save changes and restart the services and click OK.

Modifying existing Web publishing rules

It is highly recommend that you use the Publish Outlook Web Access Server wizard to publish OWA servers. However, it is possible to modify existing Web publishing rules to publish an OWA Server.

To modify existing Web publishing rules

If you want to modify existing Web publishing rules to publish an OWA Server, perform the following steps:

  1. Create a destination set with the following destinations:

    • destination/exchange*

    • destination/public*

    • destination/exchweb

    where destination represents the fully qualified domain name that will be resolved to the external IP address of the ISA Server computer

  2. Modify the applicable Web publishing rule to apply to the destination set.

  3. Modify the rule to be recognized by ISA as an OWA rule, using the VBScript provided here. This is important in a situation where ISA is configured to bridge SSL requests from clients as HTTP, rather than as HTTPS. If ISA Server recognizes that a Web publishing rule is an OWA rule, then links returned to the client will be returned as HTTPS links. Otherwise, the links will be returned as HTTP links, and the client will fail to connect using those links.

    4. 



'Set a constant equal to the GUID for the publishing rules vendor
parameters set object
const strOWAGUID = "{5e302ed5-f5d5-4fad-9b8a-01c72e1569f3}"
'Create the root object
Set FPC = WScript.CreateObject( "FPC.Root" )
'Get the rule. "RuleName" is an example, and should be replaced
with the real name of the rule
Set wpRule =
FPC.Arrays.GetContainingArray.Publishing.WebPublishingRules("Rule Name")
'Get the FPCVendorParametersSet object for the rules
Set aSet = wpRule.VendorParametersSets.Add(strOWAGUID, False)
'Indicate that the rule is an OWA rule
aSet.Value("IsOWARule") = True
'Save the change
aSet.Save



    

  1. Verify that there is an incoming Web request listener that listens for Web requests on the external IP address of the ISA Server computer.
    2. 



Configuring ISA Authentication screening


It is possible to configure ISA Server to authenticate each incoming request prior to its arrival at the OWA server computer. This additional capability allows you to protect the Internal OWA server from malicious external authentication attempts that can result in incomplete logon session attacks. ISA authentication screening requires that the user provide credentials when a request arrives. Once a request is authenticated, the ISA server computer passes the request to the OWA server computer with the user-supplied credentials. This does not require the user to enter his password again. This new behavior is implemented by ISA Feature Pack and is called "basic delegation".


Configuring ISA authentication screening


To configure ISA to authenticate each incoming Web request before forwarding the request to the OWA server, take the following steps:


    

  1. Expand the Servers and Arrays icon, right-click the ISA Server-based server, and then click Properties.
    

    2. 

  2. Click the Incoming Web Requests tab, and then click Configure listeners individually per IP address.
    

    3. 

  3. Select the OWA Listener and click edit.
    

    4. 

  4. Under the authentication section enable only Basic with this domain and press the select button to choose the appropriate domain name. Note: the ISA server computer and the OWA server computer must have access to the same account database. It is recommended that the ISA server computer and the OWA server computer reside within the same domain. Click OK.
    

    5. 

  5. Click OK to return to the ISA Management console. You will be prompted with a dialog box, select Save the changes and restart the service and click OK.
    

    6. 

  6. Expand the Publishing node, and click on the Web Publishing Rules node.
    

    7. 

  7. On the right pane of the screen, double click the OWA rule you defined in the previous step (in our example: "OWA Rule").
    

    8. 

  8. Select the Action tab and select Allow basic delegation option.
    

    9. 

  9. Select the Applies to tab and select Users and groups specified below. Click Add to select users/groups that have permissions to access the OWA server. Click OK to save and close the rule properties windows.
    

    10. 



Testing the deployment


An external client can access the OWA server provided that it can resolve a fully qualified domain name to the external IP address of the ISA server computer. This would normally be achieved by registering a public Internet domain name at a public DNS server that maps the Web site name to the external IP address of ISA server. To test the deployment in a lab environment you can specify Web site name resolution information, using notepad, in the client "hosts" file located under the following path: \system32\drivers\etc\hosts under the windows installation directory. In our example our hosts file includes the following entry: "20.0.0.1 mail.fabrikam.com"


To connect to the OWA site from the external client type the following Web address: https://mail.fabrikam.com/exchange. Be certain to specify https in the URL.


Appendix A – Installing a digital certificate


In order to enable secure communication, OWA will support SSL communication with the client browser using a digital server certificate (also known as an SSL server certificate). The following section provides a step-by-step walkthrough on how to prepare and install a digital certificate to be used for establishing SSL connections. This procedure will be used in both the Server Publishing and Web Publishing OWA scenarios.


Deploying a digital certificate involves the following steps:


    

  1. Generating a certificate request file. This procedure will be done using the IIS Certificate Request Wizard.
    

    2. 

  2. Sending the certificate request file to a certificate authority to be digitally signed and approved.
    

    3. 



Choosing which certificate authority to contact is a business decision that is beyond the scope of this document. You can contact any of the commercial certificate authorities listed in Internet Explorer or you can choose to deploy your own Certificate Authority within your organization using Microsoft Certificate Server, which is included within Windows 2000 and Windows Server 2003. This document illustrates the use of Microsoft Certificate Server. To get a list of commercial certificate authorities through Internet Explorer do the following. At the Browser main menu click Tools, Internet Options, Content tab, Publishers and Trusted root Certification Authorities.


The following steps use IIS Certificate Wizard on the OWA server to request and install certificates for both Web and Server publishing scenarios. Since IIS is generally not installed on the ISA Server computer, create the ISA Server computer's certificate on the OWA server computer, and then export it to be installed on the ISA Server computer. Each step is described in detail later in this document.


Note: After you receive a valid certificate from the certificate authority you have to install the certificate on the same computer that was used to generate the request file. If the certificate will be used to identify a different computer (than the one that was used to request it,) then you will need to export the certificate data and copy it to the computer that will host the certificate, and there you will need to import the certificate data to be stored in the local computer certificate store.


Certificate Procedures for Publishing Scenarios


The procedures for obtaining and installing digital certificates differ for server publishing and Web publishing scenarios. However, since IIS is generally not installed on ISA server computers, all certificate requests are issued by IIS Certificate Wizard on the OWA server. The general steps required for each scenario are outlined in this topic. Detailed procedures for each step are provided later in this document.


Obtaining a certificate for a server publishing scenario


Take the following steps to obtain a certificate for a server publishing scenario:


    

  1. Install a trusted root certificate on the OWA server and any external client computers following certificate procedure 1, "Root certificate support".
    

    2. 

  2. Generate a Certificate Request File following the procedure in certificate procedure 2, "Generating a Certificate Request File".
    

      

    • In step 11 of the Generating a Certificate Request file procedure, where you have to provide a common name for the certificate, type the Web address (FQDN host name) of the site that the user will input when requesting your Web site. In our example this is: mail.fabrikam.com.
      • 

    

    3. 

  3. Process a Certificate Request File following certificate procedure 3, "Processing a Certificate Request file".
    

    4. 

  4. Install the certificate following certificate procedure 4, "Installing a certificate".
    

    5. 



Obtaining a certificate for a Web publishing scenario


Take the following steps to obtain a certificate for a Web publishing scenario:


    

  1. Install a trusted root certificate on ISA server, OWA server computer and on any client computer following certificate procedure 1, "Root certificate support".
    

    2. 

  2. Generate a Certificate Request for the ISA server computer following certificate procedure 2, "Generating a Certificate Request File".
    

      

    • In step 11 of the Generating a Certificate Request file procedure, where you have to provide a common name for the certificate, type the fully qualified host name of URL that external clients will type in their Web browser to access the OWA site. In our example this is: mail.fabrikam.com.
      • 

    

    3. 

  3. Process a Certificate Request File following certificate procedure 3, "Processing a Certificate Request File".
    

    4. 

  4. Install the certificate following certificate procedure 4, "Installing a certificate". Do not perform other steps until you've installed the certificate.
    

    5. 

  5. Export the certificate to a file and copy it to the ISA server computer following certificate procedure 5, "Exporting a certificate from OWA to ISA".
    

    6. 

  6. Install the certificate on the ISA server computer following certificate procedure 6, "Installing the certificate on ISA server".
    

    7. 

  7. Remove the certificate from the OWA server computer following certificate procedure 7, "Removing the certificate from the OWA server".
    

    8. 

  8. Generate a Certificate Request File for the OWA server computer following certificate procedure 2, "Generating a Certificate Request File".
    

      

    • In step 11 of the Generating a Certificate Request file procedure, where you have to provide a common name for the certificate, type the fully qualified host name of the OWA server.
      

      In our example this is: owa.adatum.com.
      

      • 

    

    9. 

  9. Process a Certificate Request File following certificate procedure 3, "Processing a Certificate Request File".
    

    10. 

  10. Install the certificate following certificate procedure 4, "Installing a certificate".
    

    11. 



1. Root certificate support


Establishing SSL connections between a client and a server requires installation of a root CA certificate that will validate the server certificate. Generally, if you are using a certificate from a commercial CA that is included in the computer's database of CAs, you do not have to perform this step since the root certificate is already installed. To see a list of installed root certificates, in the Internet Explorer menu choose Tools -> Internet Options. Select the Content tab, click Certificates, and select the Trusted Root Certification Authorities tab. If you choose to install Microsoft Certificate Server to be the CA in your organization to issue certificates, you will have to handle the installation of root certificates.


A root certificate must be installed on every client that will access a server using SSL. For example, in a scenario in which Server Certificate #1 is installed on the ISA Server computer, and Server Certificate #2 is installed on an internal Web server computer (behind the ISA Server computer), you will require the following root certificate installations:


    

  • External clients will require root certificates validating Server Certificate #1, as they are clients of the ISA Server computer
    

    • 

  • The ISA Server computer, as a client of the Web server computer, will require a root certificate validating Server Certificate #2.
    

    • 



In general, it is recommended that the certificates installed on the ISA Server computer and the published server in a server publishing scenario be issued by a commercial certification authority, so that they are easily trusted by clients attempting to establish a connection. However, in a Web publishing scenario the certificate on a Web server could be issued by an internal Microsoft Certificate Server, as it only has to be trusted by the ISA Server computer when it is trying to establish an SSL connection to the internal Web server.


Note: For more information on Microsoft Certificate Server see Creating Certificate Hierarchies with MS Certificate Server Version 1.0


To obtain a Microsoft Certificate Server root certificate


Note: The following steps assume no direct connectivity to the Certificate Server; all information exchange will be done using a floppy disk.


    

  1. On the Microsoft Certificate Server computer open Internet Explorer and type https://localhost/certsrv in the address field.
    

    2. 

  2. Select Retrieve the CA certificate or certificate revocation list and click Next.
    

    3. 

  3. Click on the link Download CA certification path and save the file to a floppy disk.
    

    4. 



To install the Microsoft Certificate Server Root certificate


    

  1. Copy the root certificate from the floppy disk to the appropriate computers.
    

    In case of server publishing this would include the external client computer and the OWA server. In Web publishing this would include the external client computer, OWA server computer and ISA server computer.
    

    2. 

  2. Go to each of the appropriate computers and open the MMC Certificate snap-in. Click Start, Run, MMC
    

    3. 

  3. Click Console, Add/Remove Snap-in. Click the Add button
    

    4. 

  4. Select Certificates, Click Add and choose Computer account, Click Next
    

    5. 

  5. Select Local Computer, Click Finish, Click Close and Click OK
    

    6. 

  6. Click the Trusted Root Certification Authorities folder.
    

    7. 

  7. Right-click All Tasks, and then click Import.
    

    8. 

  8. In the Import Wizard, click Next.
    

    9. 

  9. Make sure that your root certificate file is listed and select it. Click Next.
    

    10. 

  10. Click Next.
    

    11. 

  11. Click Finish.
    

    12. 

  12. Under the Trusted Root Certification Authorities, verify that you see the root certificate.
    

    13. 



2. Generating a Certificate Request File


You have to get a server certificate that will validate the OWA Web site FQDN address that is published to external users, for example mail.fabrikam.com. This is done by creating a request file.


Note: The certificate request fails if it contains non-alphanumeric characters.


Between creating the request file (that is, completing the following steps) and installing the certificate, do not perform any of the following actions:


    

  • Change the computer name or Web site bindings.
    

    • 

  • Apply service packs or security patches.
    

    • 

  • Change encryption levels (that is, apply the high encryption pack).
    

    • 

  • Delete the pending certificate request.
    

    • 

  • Change any of the Web site's Secure Communications.
    

    • 



To generate a Certificate Request File


To generate a new certificate request to be sent to a certification authority (CA) for processing, perform the following steps:


    

  1. Open the Internet Services Manager (or your custom MMC containing the IIS snap-in).
    

    2. 

  2. Select the default Website. Right-click and select Properties.
    

    3. 

  3. Click the Directory Security tab.
    

    4. 

  4. In the Secure Communications section, click Server Certificate. This starts the new Web Site Certificate Wizard.
    

    5. 

  5. Click Next.
    

    6. 

  6. Choose the Create a New Certificate option and click Next. (There may be a slight pause before the next screen appears.)
    

    7. 

  7. Choose the Prepare a New Request but Send it later option and click Next.
    

    Note: Send the request immediately to an online certification authority option is unavailable unless IIS has access to an Enterprise CA, which requires Certificate Server 2.0 to be installed in Microsoft Windows 2000 with Active Directory.
    

    8. 

  8. Choose a friendly name for the site (this can be any name, for example, the friendly name of the site in the MMC, or the name of the Web site owner).
    

    9. 

  9. Choose the bit length of the key you want to use and whether you want to use Server Gated Cryptography (SGC), and then click Next.
    

    Note: For more information on bit length and SGC, see the IIS Help that is located on the server at the following address:
    

    https://<servername>/iishelp/iis/htm/core/iistesc.htm
    

    Note that in order for this URL to work, you must replace server name with the name of your IIS server.
    

    10. 

  10. Input your Organization (O) and your Organizational Unit (OU). For example, if your company is called Fabrikam and you are setting up a Web server for the Sales department, you would enter Fabrikam for the Organization and Sales for your Organizational Unit. Click Next when complete.
    

    11. 

  11. Input the common name (CN) for your site. This should match the Web address you want to certify. In the case of server publishing this is the name users will input when requesting your Web site. In Web publishing this can also include the FQDN of the OWA server or OWA computer. When done, click Next.
    

    12. 

  12. Input your Country/Region, City, and State. It is very important that you do not abbreviate the names of the state or city. When done, click Next.
    

    13. 

  13. Choose a name for the certificate request file you are about to create. This file will contain all the information you created here, as well as your public key for your site. You can browse the file name if you want. This creates a .txt file when the steps are completed. The default name for the file is Certreq.txt. When you have finished this step, click the Finish button.
    

    14. 

  14. You will now be presented with a summary screen with all the information you entered. Verify that all of this information is correct, and then click Finish.
    

    15. 



You have now created your certificate request file.


3. Processing a Certificate Request File


In order for the certificate to be used on the Internet, submit the request file to a Certification Authority (online authority). They will generate a certificate response file, which contains your public key and which is digitally signed by the commercial Certification Authority.


For internal use purposes, such as deploying a certificate on the internal Outlook Web Access computer in a Web publishing scenario, you may want to install your own private certificate authority using Microsoft Certificate server.


To process a certificate request using Microsoft Certificate Server


Note: The following steps assume no direct connectivity to the Certificate Server; all information exchange will be done using a floppy disk.


    

  1. Copy the certificate request file to a floppy disk, take the disk to the Certificate Server and copy the file from the disk to a known location.
    

    2. 

  2. On the Microsoft Certificate Server computer, open Internet Explorer and type https://localhost/certsrv.
    

    3. 

  3. Click Request a Certificate and click Next.
    

    4. 

  4. Click Advanced Request and click Next.
    

    5. 

  5. Choose the second option, Submit a certificate request using a base64 encoded PKCS #10 file... and click Next.
    

    6. 

  6. Under the certificate template heading, select Web server.
    

    7. 

  7. Using Notepad, open the certificate request file and copy all of its contents to the Clipboard by typing CTRL+A and CTRL+C.
    

    8. 

  8. Paste the contents of the file into the Saved Request edit box in the browser page and click Submit.
    

    9. 

  9. Click the Download CA certificate link to save the response file to the floppy disk.
    

    10. 

  10. Take the floppy disk to the Outlook Web Access computer and copy the response file to a known location.
    

    11. 



4. Installing a certificate


When you receive your response file from the Certificate Authority, you have to install it on the OWA server. A certificate that will be exported to the ISA Server computer must first be installed on the OWA server, for which the certificate was requested.


To install the response file


    

  1. Open Internet Services Manager.
    

    2. 

  2. Expand Internet Information Services. Select the Default Web site that has a pending certificate request.
    

    3. 

  3. Right-click the Default Web Site and then click Properties.
    

    4. 

  4. Click the Directory Security tab.
    

    5. 

  5. In the Secure Communications section, click Server Certificate.
    

    6. 

  6. On the Web Site Certificate Wizard, click Next.
    

    7. 

  7. Choose to Process the Pending Request and Install the Certificate. Click Next.
    

    8. 

  8. Type the location of the certificate response file (you may also browse to the file), and then click Next.
    

    9. 

  9. Read the summary screen to be sure that you are processing the correct certificate, and then click Next.
    

    10. 

  10. You will see a confirmation screen. When you have read this information, click Next.
    

    11. 

  11. Click Yes on the Message box warning and then click Finish.
    

    12. 



5. Exporting a certificate from OWA to ISA


Follow this procedure to export a certificate from the OWA Server computer to the ISA Server computer


    

  1. Click Start, Run. In the Open field type MMC, then click OK.
    

    2. 

  2. Click Console, Add/Remove Snap-in. Click the Add button.
    

    3. 

  3. Select Certificates, Click Add and choose Computer account, Click Next.
    

    4. 

  4. Select Local Computer, Click Finish, Click Close and Click OK.
    

    5. 

  5. Expand the Personal folder, and then expand Certificates. A certificate with the name of your Web site appears in the Issued To column in the right pane.
    

    6. 

  6. Right-click your certificate, Click All Tasks, and then click Export.
    

    7. 

  7. In the Export window, click Next.
    

    8. 

  8. Click Yes, export the private key, and then click Next.
    

    Note: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
    

    9. 

  9. Select Personal Information Exchange. Maintain the default setting for all three checkboxes.
    

    10. 

  10. Assign a password to protect the exported file, and confirm it.
    

    11. 

  11. Assign a file name and location.
    

    12. 

  12. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
    

    13. 

  13. Copy the file that you created to the ISA Server computer.
    

    14. 



6. Installing the certificate on ISA server


Follow this procedure to install the certificate on the ISA Server computer.


    

  1. Click Start, Run. In the Open field type MMC, then click OK.
    

    2. 

  2. Click Console, Add/Remove Snap-in. Click the Add button.
    

    3. 

  3. Select Certificates, Click Add and choose Computer account, Click Next.
    

    4. 

  4. Select Local Computer, Click Finish, Click Close and Click OK.
    

    5. 

  5. Click the Personal folder.
    

    6. 

  6. Right-click All Tasks, and then click Import.
    

    7. 

  7. In the Import Wizard, click Next.
    

    8. 

  8. Make sure that your file is listed, and then click Next.
    

    9. 

  9. Type the password for this file.
    

    10. 

  10. Click to select the Mark the private key as exportable check box.
    

    11. 

  11. Click Next.
    

    12. 

  12. Click Finish.
    

    13. 

  13. Under the Personal folder, when you see a subfolder named Certificates, click the Certificates folder and verify that you see a certificate with the name of the OWA Web site address (in our example mail.fabrikam.com).
    

    14. 



7. Removing the certificate from the OWA Server computer


Follow this procedure to remove the certificate from the OWA Server computer


    

  1. On the OWA Server computer, open the Internet Services Manager.
    

    2. 

  2. Expand the server node and select the Default Web Site node. Click Properties.
    

    3. 

  3. Click the Directory security tab. In the Secure Communications section, click Server Certificate. This starts the new Web Site Certificate Wizard.
    

    4. 

  4. Click Next.
    

    5. 

  5. Select "remove the current certificate" and click Next
    

    6. 

  6. Click Next, then click Finish.
    

    7. 

  7. Close the Internet Services Manager.
    

    8. 



Appendix B – List of Installation Guides


ISA Server Installation and Deployment Guide:


https://www.microsoft.com/technet/isa/2000/deploy/isaentin.mspx


How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack


https://support.microsoft.com/default.aspx?scid=kb;en-us;313139&sd=tech


XADM: How to Set up Exchange 2000


https://support.microsoft.com/default.aspx?scid=kb;en-us;262068&sd=tech


Outlook Web Access Setup and Deployment:


https://www.microsoft.com/technet/community/events/office2000/tnq10110.mspx


The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.