Using Internet Security and Acceleration Server as a Gateway for Mobile Information Server 2002

For the latest information, please see https://microsoft.com/miserver/.

On This Page

Introduction
Issues with Deploying MIS on the Internet
Solutions ISA Provides for MIS Deployments
Understanding the Flow of Data in an ISA Topology
Deploying ISA as a Gateway
Conclusion
Additional Resources

Introduction

Microsoft® Mobile Information Server 2002 (MIS) provides wireless access to networked resources and services, such as Microsoft Exchange 2000 Server and other internal applications. MIS provides access to this data using Microsoft Internet Information Services (IIS) virtual directories. Users with wireless devices connect to the MIS server to access these virtual directories. Typically, users browse directly to the MIS server, which is located inside a perimeter network (a separate subnet bounded by a firewall and routers) and is connected to the Internet much like any other Web server. However, there are several drawbacks to deploying MIS in a perimeter network. This paper discusses how to use the standard edition of Microsoft Internet Security and Acceleration Server (ISA) to move your MIS server from a perimeter network into the corporate intranet.

The first drawback to deploying MIS in a perimeter network is that MIS requires many ports to be open on the internal router or firewall. A typical deployment with Exchange 2000 may require as many as 12 ports to be open in both directions on the intranet-facing router. The more ports that are open between the perimeter network and the intranet, the greater the chance of a malicious user compromising the internal network. Second, the MIS server itself is physically exposed to Internet traffic. Malicious users can launch attacks directly against the MIS server. Finally, because the MIS server is a member of a domain, malicious users who compromise the MIS server may gain access to other resources in the domain. If the MIS server is in a perimeter network accessible to mobile users and the perimeter network is already protected by firewalls instead of routers, there is still the drawback of having many ports open between the perimeter network and the corporate intranet and having a member server isolated in a perimeter network.

By deploying an ISA server with the MIS ISA filter in the perimeter network, you eliminate the need for a member server of the corporate domain to exist in the perimeter network, and you can open fewer ports than if the MIS server were deployed in the perimeter network. You also create a mobile gateway that allows only pre-authenticated users access to the MIS server. If you already have firewall protection for your MIS server, and you choose to move the MIS server to the corporate intranet without deploying ISA and the MIS ISA filter, there will be no initial authentication of traffic bound for the MIS server. Using ISA with the MIS ISA filter ensures that only authorized users can access data by means of MIS.

To benefit from using ISA with MIS, you need a thorough understanding of how ISA and MIS work together. This paper assumes that you are already familiar with standard Mobile Information Server concepts and deployment topologies, and that you have a basic understanding of ISA. If you are unfamiliar with MIS or ISA, you need to review the product documentation for both products before you implement the scenario described in this paper:

This paper will explain how to deploy MIS servers on the intranet using an ISA server as a front end in the perimeter network. The following topics are covered:

  • Issues with Deploying MIS on the Internet

  • Understanding the Data Flow of an ISA Deployment

  • Deploying ISA as a Gateway

  • Deploying MIS Inside the Intranet with ISA

Issues with Deploying MIS on the Internet

In a typical MIS deployment, users with wireless devices connect to the MIS server to access the IIS virtual directories for Microsoft Server ActiveSync® or browse for Exchange data. Figure 1 shows a typical deployment, with MIS providing Exchange 2000 access to a user with a Wireless Application Protocol (WAP) phone.

Figure 1: Standard MIS deployment for WAP browse access

In a standard MIS deployment (Figure 1), the MIS server is inside the perimeter network and mediates requests sent between the Internet and the intranet. The MIS server processes the WAP phone requests to browse an Exchange 2000 mailbox and retrieves the data from the Exchange 2000 server. In this configuration, additional traffic travels between the MIS server and the intranet Domain Name System (DNS) and domain controller servers. Because the request to access Exchange data does not contain a specific domain name, MIS assumes that requests are for Exchange servers that are in the same domain as the MIS server. This means that the MIS server must be a member server of the same domain as users' Exchange servers. The MIS server must also be able to communicate with the domain controllers and DNS servers so that it can retrieve information (such as user attributes and carrier and device information) from Microsoft Active Directory® directory service.

When you use MIS to connect your corporate network to the Internet, you allow users with Internet-capable wireless devices to access corporate information from any location where the device can acquire a signal. While this ability to access information anytime and anywhere gives incredible flexibility to users with wireless devices, it also creates increased security risks for your organization.

Exposing the MIS server to the Internet creates the following security concerns:

  • Physical Exposure to the Internet. If a malicious user gains access to your network, the intent may not be to access sensitive information, but to open and hold every available connection. This denial-of-service attack exhausts the physical resources of the server so that corporate users with wireless devices cannot connect to the server or corporate network. To minimize this risk, install software that protects the server exposed to the Internet from this type of attack.

  • Logical Exposure of the Intranet. The MIS server must be a member server of the corporate domain to communicate with the Exchange server. When the MIS server is deployed outside of the corporate firewall, it can expose the corporate network and any sensitive information on the network to malicious users who gain unauthorized access to the MIS server. To minimize this risk, the server exposed to the Internet must not be a member server of the corporate domain.

  • Port requirements. The MIS server must have as many as 12 ports open to communicate with the intranet, increasing the chances that an unauthorized user will gain intranet access. To minimize the chance of network attacks and unauthorized access to sensitive information, you need to open as few ports as possible through the corporate firewall.

Solutions ISA Provides for MIS Deployments

If instead of deploying MIS in a perimeter network, you deploy an ISA server as a mobile gateway server in the perimeter network, you can move the MIS server inside the intranet. This deployment allows initial authorization to take place before requests reach the MIS server and allows you to reduce the number of ports open from the firewall to the Internet.

Figure 2 shows an MIS deployment similar to the previous one, but with ISA deployed as a mobile gateway server.

Figure 2: MIS deployment for WAP browse access with ISA as front end

In the ISA deployment scenario, the ISA server receives a user request, and then the MIS ISA filter authenticates the user by performing a Lightweight Directory Access Protocol (LDAP) bind to the corporate network. The ISA deployment does not expose Active Directory to the Internet because the LDAP bind returns only an "allow" or "deny" message, simply verifying whether the account credentials exist in Active Directory. No other information, such as permissions for the user account, is searched in Active Directory to validate the user.

If the MIS ISA filter used a more complete authentication method instead of an LDAP bind, it would discover not only whether the user account is permitted to log on, but also which resources the account is permitted to use. However, a more complete authentication of the user at this point is unnecessary because the MIS ISA filter does not retrieve the data requested by the user; the MIS server retrieves the data. All the MIS ISA filter does is forward a valid user's request to the MIS server. Also, if the MIS ISA filter performed a complete authentication of the user's Microsoft Windows® 2000 account, the corporate Active Directory would be exposed to malicious users. For these reasons, the MIS ISA filter performs only an LDAP bind to authenticate the user, leaving the complete authentication of the user's Windows account to the MIS server.

After the user's credentials are verified by the MIS ISA filter, the ISA server passes the user request through the firewall to the MIS server. Then, the MIS server authenticates the user and discovers the permissions for the user account safely inside the firewall on the corporate network.

This ISA deployment requires only the following ports to be open on the ISA server to traverse the firewall:

  • LDAP. The MIS ISA filter requires the LDAP port (port 389) to bind to Active Directory and authenticate users.

  • HTTP and HTTPS. The ISA server uses the HTTP port (port 80), and if you are using HTTP with Secure Sockets Layer (SSL) certificates, the HTTPS port (port 443), to relay a user's request to the MIS server after the MIS ISA filter verifies that the account credentials exist in Active Directory and are correct.

    Note: To deploy the most secure topology, port 80 (HTTP) must not be open on the internal firewall. You should secure all intranet sites using SSL certificates. If you do, all wireless requests will come in on port 443 (SSL), and you will only need to open port 80 if you have a public Web site. If you have a public Web site, port 80 is open only for inbound access on the internal firewall and for outbound access on both the internal and external firewalls.

  • DNS. The ISA server uses the DNS port (port 53) to locate resources on the internal network.

In this topology, you will need to open only three ports (LDAP, HTTP, and DNS) on the ISA server to communicate through the internal firewall. If you use HTTPS, you will have to open a total of four ports (LDAP, HTTP, HTTPS, DNS) through the firewall. Compared with the 12 open ports that the MIS server requires, deploying ISA reduces the number of ports that can be compromised.

Understanding the Flow of Data in an ISA Topology

Before you configure the ISA server and install the MIS ISA filter, it is important to understand how deploying an ISA server affects the flow of data in your topology. Figure 3 shows how the ISA server authenticates a user when the MIS ISA filter is deployed.

Figure 3: Authentication process for ISA with the MIS ISA filter deployed

The following list corresponds to Figure 3 that illustrates the user authentication process for ISA with the MIS ISA filter deployed:

  1. User requests data. A user with a wireless device, such as a WAP phone, sends a request to browse their Inbox. Because ISA uses publishing rules that allow servers to appear to be directly connected to the Internet, the user can browse directly to https://mis_server.com/OMA. The request is sent to the WAP gateway, which forwards the request to the ISA server.

  2. MIS ISA filter creates an LDAP bind. The MIS ISA filter on the ISA server takes the user ID and password from the incoming HTTP header and uses those credentials to bind to Active Directory on the domain controller. The filter does a full LDAP bind instead of a simple LDAP bind. This means that the filter uses NTLM over port 389 to make the connection. You do not need to use SSL to encrypt the user ID and password for the LDAP bind because NTLM encrypts the information.

  3. MIS ISA filter pre-authenticates the user. If the user ID and password are not valid, the LDAP bind returns a "deny" message and the user receives an error. If the LDAP bind returns an "allow" message, this indicates that the specified user account is active and that the password supplied matches the password for that user account. No determination is made at this time as to what information the user account is authorized to access.

  4. ISA server forwards the request to the MIS server. If pre-authentication is successful, the ISA server uses a publishing rule to route the client request and the credentials supplied in the header to the MIS server.

    Note: When the ISA server sends the HTTP request to the MIS server, the user's password is not encrypted and could be viewed if the packets are captured, for example with a Network Monitor capture. Therefore, it is recommended that you use SSL or some other form of encryption to secure all communication between the ISA server and the MIS server. To do this, you can install an SSL certificate on your ISA or MIS server, and require a secure connection between the two servers. For detailed instructions, see the "Use SSL Certificates Between the ISA and MIS Servers" section later in this document.

  5. MIS server performs an authentication check using Kerberos. The MIS server reads the HTTP request to determine if the user supplied the appropriate credentials for the requested resource. For example, the MIS server checks to see if the request for the inbox of suzan@contoso.com (https://mobile01.contoso.com/oma/suzan) is from someone with Suzan's user ID and password.

  6. MIS accesses the Exchange data. If the user credentials supplied do not have permission to access the requested data, MIS returns an error to the user. If the user credentials have permission to access the data, the MIS server retrieves the requested data from the Exchange server and returns the data to the user.

The flow of data in an ISA scenario always occurs as follows: the ISA server receives the request; the MIS ISA filter creates an LDAP bind; and if the bind returns an "allow" message, the ISA server passes the request and user credentials on to the MIS server. When the MIS ISA filter creates an LDAP bind, it may choose a different domain controller to contact depending on the request.

If the incoming request is for browsing Exchange 2000 data and you create MIS accounts in an auxiliary domain, the MIS ISA filter binds to the auxiliary domain controller on behalf of the user. Otherwise, the MIS ISA filter contacts the domain controller in the primary domain. Even if you are using the Access User topology, the user's account credentials supplied with the request are sent to the MIS server.

If the incoming request is for synchronization, the MIS ISA filter binds to the primary domain controller, the same way as it does for browse requests where the accounts are not in an auxiliary domain. If the bind is successful, the ISA server sends the user request to the Server ActiveSync component on the MIS server. The Server ActiveSync component then sends its own request to the Exchange server using Kerberos or NTLM (Integrated Authentication) depending on the Exchange server and what it supports. If the Exchange server is clustered, for example, NTLM is used because Kerberos is not supported on clusters.
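The following is an added example, not code from the MIS or ISA products, that models the two-stage flow described in steps 1 through 6 and in the two paragraphs above: the filter pulls the credentials from the HTTP header, chooses the primary or auxiliary domain to bind against (browse requests for auxiliary-domain accounts go to the auxiliary domain controller; synchronization always binds to the primary domain), gets only "allow" or "deny" back, and relays the request with its credentials to MIS, which alone decides whether the user may read the requested mailbox. The in-memory directory, the account names and passwords, the auxiliary domain name mobile.contoso.com, and the "browse"/"sync" request kinds are constructed for the example; a real bind goes to a domain controller and MIS authenticates with Kerberos.

```python
# Added example (not MIS or ISA code): a model of the two-stage authentication
# flow. The directory, accounts, passwords, auxiliary domain name and the
# browse/sync request kinds are constructed for illustration.
import base64

PRIMARY_DOMAIN = "contoso.com"           # domain of the users' Exchange servers
AUXILIARY_DOMAIN = "mobile.contoso.com"  # assumed name for an auxiliary MIS account domain

# Constructed stand-in for the accounts a bind is checked against:
# (domain, user ID) -> password. A bind answers only allow or deny from this.
DIRECTORY = {
    (PRIMARY_DOMAIN, "suzan"): "s3cret-primary",
    (PRIMARY_DOMAIN, "bob"): "b0b-primary",
    (AUXILIARY_DOMAIN, "suzan"): "s3cret-aux",
}


def parse_basic_credentials(headers):
    """Step 2: take the user ID and password out of the HTTP Authorization header."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def choose_domain(request_kind, accounts_in_auxiliary_domain):
    """Browse requests for accounts kept in an auxiliary domain bind there;
    everything else, including synchronization, binds to the primary domain."""
    if request_kind == "browse" and accounts_in_auxiliary_domain:
        return AUXILIARY_DOMAIN
    return PRIMARY_DOMAIN


def ldap_bind(domain, user, password):
    """Step 3: the bind returns only 'allow' or 'deny'; no permissions are looked up."""
    return "allow" if DIRECTORY.get((domain, user)) == password else "deny"


def gateway_filter(request, accounts_in_auxiliary_domain=False):
    """Steps 2-4 at the ISA server: pre-authenticate, then forward or reject."""
    creds = parse_basic_credentials(request["headers"])
    if creds is None:
        return {"forwarded": False, "status": 401}
    user, password = creds
    domain = choose_domain(request["kind"], accounts_in_auxiliary_domain)
    if ldap_bind(domain, user, password) == "deny":
        return {"forwarded": False, "status": 401}
    # The request is relayed with the credentials still in its header, which is
    # why the ISA-to-MIS link should itself be protected with SSL.
    return {"forwarded": True, "user": user, "bound_to": domain}


def mis_server(request, user):
    """Steps 5-6 at the MIS server: decide whether this user may read the
    resource named in the URL. The filter never made this decision."""
    if request["kind"] == "sync":
        return 200  # Server ActiveSync serves the authenticated user's own mailbox
    path = request["path"].lower().rstrip("/")
    if path != "/oma" and not path.startswith("/oma/"):
        return 404
    # /OMA alone means the caller's own Inbox; /OMA/<name> names a mailbox explicitly
    mailbox = path[len("/oma/"):].split("/")[0] if path.startswith("/oma/") else user.lower()
    return 200 if mailbox == user.lower() else 403


def handle(request, accounts_in_auxiliary_domain=False):
    """Whole path of one request: (HTTP status, domain bound to or None)."""
    outcome = gateway_filter(request, accounts_in_auxiliary_domain)
    if not outcome["forwarded"]:
        return outcome["status"], None
    return mis_server(request, outcome["user"]), outcome["bound_to"]


def make_request(user, password, path, kind="browse"):
    """Build a request as the WAP gateway would deliver it (constructed input)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"headers": {"Authorization": f"Basic {token}"}, "path": path, "kind": kind}


if __name__ == "__main__":
    print(handle(make_request("suzan", "s3cret-primary", "/oma/suzan")))  # (200, 'contoso.com')
    print(handle(make_request("bob", "b0b-primary", "/oma/suzan")))       # (403, 'contoso.com')
```

The bob-requests-suzan case is the one worth noticing: the filter forwards it because bob's credentials are valid, and only MIS rejects it. Likewise a synchronization request presented with auxiliary-domain credentials is rejected at the gateway, because sync binds to the primary domain regardless of where browse accounts live.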

Deploying ISA as a Gateway

When you deploy ISA as a mobile gateway for the MIS server, it does not matter if you deploy the ISA server first or if you deploy your MIS servers first. In both cases, the only requirement is that you know all of the Internet Protocol (IP) addresses of the servers that the ISA server will access.

Important: If you are installing an ISA server in a new topology, when you register your domain name, you must use the ISA server IP address. Also, when you are establishing a contract with a carrier, if the carrier requires a specific IP address, you must use the ISA server's address.

The following sections describe how to deploy ISA as part of a new MIS deployment:

  • Deploy MIS

  • Install the ISA server

  • Configure the ISA server

  • Install the MIS ISA filter on the ISA server

  • Configure the MIS server to send notifications through ISA

  • Configure ISA to secure notifications using IPSec

  • Use SSL certificates between the ISA and MIS servers

To add an ISA server to an existing topology, simply install an ISA server in the perimeter network, and then physically move the MIS server inside the intranet.

Note: You can choose to install Microsoft Internet Security and Acceleration (ISA) Server Standard Edition or Enterprise Edition. The Enterprise Edition includes the following features:

  • Multiple-server arrays for better scalability, performance, fault tolerance, and centralized management. The standard edition supports only stand-alone servers.

  • Two levels of policy management. You can apply enterprise array policies to an array of servers or all the arrays in the organization.

  • No restrictions on the number of processors on the ISA server. The Standard Edition is limited to four processors.

For more information about the differences between ISA Standard and Enterprise Editions, or for information about arrays, see the ISA documentation.

Important: The ISA array feature, available in the Enterprise Edition, is used for load balancing servers. To use arrays and load balance your ISA server, the ISA server will either have to be a member of the corporate Windows 2000 domain, or a member of a Windows 2000 forest that exists only in the perimeter network. If you make the ISA server a member of the corporate domain, you will be physically and logically exposing the data in that domain to the Internet, and you will have to open multiple ports to allow the ISA server to communicate with the domain. All instructions in this paper are written for ISA Server Standard Edition.

Deploy MIS

If you are deploying an MIS server for the first time and you know at this point that you will also install an ISA server, you can use the installation instructions provided with your MIS server with one change: you must place your MIS server inside the corporate domain. Because you are using ISA server, you do not need to deploy your MIS servers in a perimeter network. You can skip any step that is identified as a step for MIS deployments within a perimeter network, such as opening the relevant firewall ports.

For complete details about installing MIS, see Microsoft Mobile Information Server 2002 Enterprise Edition Planning and Installation.

Install the ISA Server

You can install the ISA server into an existing topology, or you can make it the first server you install in a new topology. One advantage of installing ISA into an existing topology is that ISA Server Setup can automatically create the Local Address Table (LAT) if it can communicate with the existing network. If the ISA server is the first server installed in your network, you must know the IP addresses for the servers that ISA will communicate with, for example, the DNS and MIS servers IP addresses.

To install the ISA server, you must complete the following tasks:

  1. Physically install the server

  2. Uninstall IIS

  3. Install the ISA server

Important: You must install Internet Security and Acceleration Server, Service Pack 1 (SP1). If you are using a version of ISA Server prior to SP1, you must download and apply the ISA Server 2000 Security Patch for Web Proxy Service and H.323 ASN DLL. For more information, go to the ISA Server Downloads page at https://www.microsoft.com/Downloads/Release.asp?ReleaseID=32094. Microsoft does not support using versions of ISA earlier than SP1 with MIS unless you apply this patch.

Physically Install the Server

Before you install the ISA software, you need to consider where to deploy your ISA server. You can deploy the server on which you are installing ISA in a perimeter network, but it must not be a member server of the corporate domain.

To directly connect your network to the Internet, you must configure the server that will run ISA with two network interface cards (NICs). This configuration is shown in Figure 4.

Figure 4: ISA network interface card configuration

One NIC is used for internal communication and must be connected directly to the intranet or to routers that allow traffic to pass through to the intranet. The other NIC is used for external communication and must be connected directly to the Internet or to routers that allow traffic to pass through to the Internet.

When you set IP properties for the internal NIC, you must have the IP address for the DNS server to use in DNS name searches.

Note: When setting IP properties for the internal NIC, you must use a static IP address for the ISA server. You cannot use IP addresses assigned by Dynamic Host Configuration Protocol (DHCP) for the internal NIC, because the IP address generated by DHCP can be reset. To disable DHCP, go into the TCP/IP properties on the external NIC and assign it a static IP address.

If you have multiple domains that the ISA server will route traffic to, you must edit the TCP/IP properties of the external NIC and assign a static IP address for each domain. Then on the external DNS server, use those IP addresses that you just added to the external NIC and assign one IP address to each DNS name that you want the ISA server to access. Make sure to write down the IP address you assigned to each server.

Uninstall IIS

If IIS is installed on the server where you will install ISA, during installation ISA Setup stops the IIS Web service. This happens because the IIS Web service default port is 80, the HTTP standard. The ISA server uses this port to allow Web publishing and listens for Web requests from both internal and external clients after Web publishing rules are created. To make sure that ISA can receive and send HTTP requests, verify that IIS is not installed. If it is installed, remove IIS from the server before you run ISA Setup.

To uninstall IIS

  1. Click Start, click Settings, and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. In Add or Remove Programs, click Add/Remove Windows Components.

  4. Clear Internet Information Services (IIS).

  5. Click Next, and then complete the Windows Components Wizard.

Install the ISA Server

You can install ISA with both firewall and caching features. You can also install only firewall features or only caching features. This paper focuses on using the ISA server as a front-end firewall proxy for MIS, so you are instructed to choose the firewall mode installation. If you want to use the caching features in addition to firewall features, you can run the ISA installation again later to re-install ISA in integrated mode. For details about how to change the ISA installation mode, see the ISA Server Help.

When you install ISA, you must also create a LAT. The LAT is a table of all IP address ranges used by the internal network behind the ISA server. The ISA server uses the LAT to control how computers on the internal network communicate with external networks. The ISA server also uses the LAT to decide which network adapters—also known as network interface cards (NICs)—will be protected by loading the packet filter driver. Before you run ISA Setup, you must either make sure the server is connected to a routed internal network so that Setup can build the LAT automatically, or you must know the range or ranges of IP addresses used by your internal servers so that you can manually construct the LAT.

To install ISA

  1. Insert the Microsoft Internet Security and Acceleration Server 2000 CD in your CD-ROM drive.

  2. Click Install ISA Server.

  3. Read the information on the Welcome page, and then click Continue.

  4. On the CD-Key page, enter your CD Key, click OK, verify the key is correct on the Product ID page, and then click OK.

  5. Read the End User License Agreement, and then click I Agree.

  6. On the Installation page, select Typical Installation from the following three options:

    • Typical Installation This option installs the ISA Administrative Tool. This option does not install the add-in services for H.323 Gatekeeper or Message Screener. Do not select this option if you need the H.323 Gatekeeper service to secure the use of NetMeeting between the Internet and your intranet or if you need Message Screener to screen the content of incoming Simple Mail Transfer Protocol (SMTP) messages.

    • Custom Installation Select this option to install ISA and any combination of the H.323 Gatekeeper service features for securing NetMeeting and the SMTP Message Screener service features.

    • Full Installation Select this option if you want to use NetMeeting and screen the content of incoming SMTP messages in addition to installing ISA.

  7. On the Typical Installation page, verify the settings, and then click OK.

  8. On the Mode page, select Firewall Mode, and then click Continue.

  9. Next, you will have to construct the LAT. If your ISA server is not connected to the internal network, you can manually construct the table by entering the range of IP addresses that span your internal network space. If your server is connected to the internal network, to allow ISA to automatically construct the LAT, click Construct Table.

  10. On the Local Address Table page, select Add the ranges found by the ISA Server Setup wizard.

  11. Under Card, select the network adapters—also known as network interface cards (NICs)—found by the ISA Server Setup wizard.

  12. Verify that Add address ranges based on Windows 2000 Routing Table is selected, and then click OK (Figure 5).

    Figure 5: Network adapter options in Local Address Table

  13. On the Setup Message page, you are informed that the LAT was constructed. Click OK.

  14. On the IP ranges page, review the LAT table shown in Internal IP ranges (Figure 6).

    Important: Verify that either an IP address is listed for every intranet server, or that the LAT contains IP ranges that include all IP addresses for all of your intranet computers.

    Figure 6: Example of Internal IP ranges

  15. On the Launch ISA Management Tool page, verify that Start the ISA Server Getting Started Wizard is selected, and then click OK.

  16. On the final Setup page, you are informed that Setup was completed successfully. To complete the installation and run ISA Server Getting Started Wizard, click OK.

Configure the ISA Server

After you install ISA, you can manage all aspects of the firewall performance from the ISA Management tool. You can run the wizards from the tool as explained in this text. You can return to the wizards to adjust any settings, or you can also select an item in the console tree of the ISA Management tool to access property pages and create rules and actions. However you decide to access the settings for the ISA server, you must make sure that the server allows incoming traffic, the appropriate traffic is routed to the MIS server, and that the ISA server also allows outgoing traffic.

To configure the ISA server, you must complete the following tasks:

  1. Run ISA Server Getting Started Wizard

  2. Configure the ISA server for MIS

Run the Getting Started Wizard

ISA Server Getting Started Wizard is a component of the ISA Management tool and is always available from the ISA Management tool. If you follow the instructions in this paper for installing the ISA Server software, the ISA Management tool automatically opens and the Getting Started Wizard appears in the details pane. When you run the Getting Started Wizard, you are simply opening the ISA Management tool and selecting the top node in the console tree. You can exit the wizard at any time by clicking an object in the Server and Arrays node in the console tree of the ISA Management tool. This paper discusses only the settings associated with allowing the MIS server to send and receive messages to users with wireless devices. If you need to adjust settings for schedules, how clients behind the firewall access the Internet, dial-up entries, SecureNAT, or firewall chaining, you can access the Getting Started Wizard again after exiting.

To run Getting Started Wizard

  1. Click Start, and then point to Programs. Point to the folder that contains ISA, and then click ISA Server Management Tool.

  2. In the console tree, click the Internet Security and Acceleration Server node.

  3. In the details pane, double-click Getting Started Wizard.

You can also manually set all settings in Getting Started Wizard by selecting the appropriate object in the console tree of the ISA Management tool. However, you cannot configure some settings (such as Web publishing rules) in Getting Started Wizard—you must create them in the console tree of the ISA Management tool.

Configure the ISA Server for MIS

To allow MIS to send and receive traffic from users with wireless devices, you must allow both incoming traffic and outgoing traffic. Incoming traffic is configured with Web publishing rules, and outgoing traffic is configured with access policies.

To allow incoming traffic to access the MIS server, you must create a new Web publishing rule to redirect requests received by the ISA server to the MIS server. By default, there is a Web publishing rule that discards all requests so that no internal servers are accessible to external clients. You cannot modify this rule or delete it, but it has a priority setting called "Last," which means that any other publishing rule that has a higher priority is processed before this default rule. After you create a new Web publishing rule that identifies where to route traffic and assign that rule a higher priority, incoming traffic is allowed. However, before you create a Web publishing rule, you will need to have a destination set to identify where the ISA server will route traffic. A destination set is a server name, an IP address, or IP range (it can include a path), and it is applied to actions specified in rules.

Important: You must create destination sets using the same path in the URL that users browse to. If you do not want to change the URL that users currently browse to when you deploy an ISA server, you must use the address in the URL when you create the destination for the publishing rule. For example, if users currently browse to https://mis_server.com/OMA, when you create the destination set, you must use mis_server.com for the server name. If you want users to browse to the ISA server, you must use the name of the ISA server in the destination set and instruct your mobile users to browse to https://ISA_server.com/OMA, for example. However you decide to create the destination set and URL, you must make sure that the external DNS entry for the server name you use in the destination set and URL points to the ISA server.
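As an added example, not ISA's own code, the model below shows how the destination sets and Web publishing rules described in the two paragraphs above decide the fate of an incoming request: rules are processed in priority order, the undeletable default rule with priority "Last" discards whatever nothing else matched, and a destination set matches on the server name (or an IP address or range) plus an optional path. The host names mis_server.com and mobile01.contoso.com come from the text; the rule names, priority numbers, the 203.0.113.0/24 range and prefix-style path matching are assumptions made for the example.

```python
# Added example (not ISA code): a model of Web publishing rule evaluation
# against destination sets. Rule names, priorities, the IP range and the
# prefix-style path match are assumptions; host names come from the text.
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DestinationSet:
    """A server name, an IP address, or an IP range, optionally limited to a path."""
    name: str
    hosts: frozenset = frozenset()   # DNS names users browse to (lower-case)
    networks: tuple = ()             # ipaddress network objects
    path_prefix: str = "/"           # "/" matches every path on the host

    def matches(self, host, path):
        if not path.lower().startswith(self.path_prefix.lower()):
            return False
        host = host.lower()
        if host in self.hosts:
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:           # a name that is not in the set, not an address
            return False
        return any(addr in net for net in self.networks)


@dataclass(frozen=True)
class PublishingRule:
    name: str
    priority: int                    # lower is processed first; LAST is the default rule
    action: str                      # "redirect" to an internal server or "discard"
    destination: Optional[DestinationSet] = None   # None applies to all destinations
    redirect_to: Optional[str] = None              # scheme://internal-server


LAST = 10 ** 9

# The built-in rule: discards everything, cannot be edited, always processed last.
DEFAULT_RULE = PublishingRule("Default rule", LAST, "discard")


def evaluate(rules, url):
    """Return (name of the first matching rule, rewritten target URL or None)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.destination is not None and not rule.destination.matches(host, path):
            continue
        if rule.action == "discard":
            return rule.name, None
        return rule.name, rule.redirect_to.rstrip("/") + path
    return "no rule", None


# Destination set named after the URL users already browse to (mis_server.com/OMA),
# so their bookmarks keep working once external DNS points that name at ISA.
MIS_OMA = DestinationSet("MIS OMA", hosts=frozenset({"mis_server.com"}), path_prefix="/OMA")
MIS_RULE = PublishingRule("Publish MIS", 1, "redirect", MIS_OMA, "https://mobile01.contoso.com")

# A second set keyed on an address range instead of a name (constructed range).
EXTERNAL_RANGE = DestinationSet("ISA external range",
                                networks=(ipaddress.ip_network("203.0.113.0/24"),),
                                path_prefix="/OMA")
RANGE_RULE = PublishingRule("Publish MIS by IP", 2, "redirect", EXTERNAL_RANGE,
                            "https://mobile01.contoso.com")

RULES = [DEFAULT_RULE, MIS_RULE, RANGE_RULE]

if __name__ == "__main__":
    print(evaluate(RULES, "https://mis_server.com/OMA/suzan"))  # forwarded to MIS
    print(evaluate(RULES, "https://mis_server.com/admin"))      # discarded by default rule
```

Note that a request for https://ISA_server.com/OMA falls through to the default rule here, because no destination set names ISA_server.com. That is the point of the Important note above: the name in the destination set must be the name users actually browse to, and external DNS must resolve that name to the ISA server.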

To allow the MIS server to send the requested data back through the ISA server to the wireless device, you must have a complete access policy, which consists of protocol rules and site and content rules. Because a default site and content rule named "Allow Rule" allows all clients access to all content on all sites always, you need only to configure a protocol rule to allow outgoing requests to flow.

To configure the ISA server to allow traffic to and from the MIS server

  1. Allow outgoing traffic.

    1. Configure a protocol rule.

    2. Configure the ISA server outgoing Web request properties.

  2. Allow incoming traffic.

    1. Configure destination sets.

    2. Configure a Web publishing rule.

    3. Configure the ISA server incoming request properties.

    Note: If you are using SSL certificates, see the instructions in the "Use SSL Certificates Between the ISA and MIS Servers" section later in this document.

An additional step that is recommended, but not required, is to identify your server as a dedicated, stand-alone firewall server. When you run the Secure Your Server Wizard from the Getting Started Wizard, you can identify the server as:

  • Dedicated (to firewall protection)

  • Limited services (firewall protection for servers that are also domain controllers)

  • Secure (firewall protection for servers that are also database servers or application servers)

    Important: If you run the Secure Your Server Wizard on the server that will be exposed to the Internet and filter traffic to the MIS server, select Dedicated. Any other setting leaves additional services running on the firewall and reduces how much of the server is devoted to securing Internet-to-intranet communication.

Allow outgoing traffic

To allow outgoing traffic, you must first configure a new protocol rule, and then configure the outgoing Web request properties for your ISA server.

To configure a protocol rule

  1. In Getting Started, under Welcome, click Configure Protocol Rules.

  2. In Configure Protocol Rules, click Create a Protocol Rule.

  3. On the Welcome page, in Protocol Rule Name, type a name that identifies the rule, such as "allow," and then click Next.

  4. On the Rule Action page, to allow the ISA server to respond to client requests, under Response to client requests to use protocol, select Allow, and then click Next.

  5. On the Protocols page, under Apply this rule to, select All IP traffic, and then click Next.

  6. On the Schedule page, to allow the MIS server to send responses to wireless devices at all times, select Always, and then click Next.

    Important: The schedule and client type you choose apply to every computer behind the ISA server, not only to the MIS server. If you set a limited schedule, any request, whether from the MIS server sending data or from a client behind the firewall browsing an Internet site, is allowed only during the scheduled times. Note also that a rule for All IP traffic from Any request, combined with the default site and content rule, grants unrestricted outbound access to every internal client; if only the MIS server needs to send traffic through ISA, consider limiting the rule to the MIS server's address with a client address set instead of Any request. For more information about setting schedules, see the ISA Help.

  7. On the Client Type page, to apply the rule to all outgoing requests, select Any request, and then click Next.

  8. On the Completing the New Protocol Rule Wizard page, click Finish.

To configure ISA outgoing Web request properties

  1. In the console tree of the ISA Management Tool, right-click the name of your server, and then click Properties.

  2. Click the Outgoing Web Requests tab.

    • In the Identification settings, if you have only one internal network card, select Use the same listener configuration for all internal IP addresses.

    • If you have multiple internal NICs, select Configure listeners individually per IP address.

  3. If you configure listeners individually, click Add and add a listener for each internal NIC.

  4. On the Outgoing Web Requests tab, verify that the TCP port is set correctly (8080 by default).

Allow Incoming Traffic

To allow incoming traffic

  1. In Getting Started Wizard, click Configure Destination Sets.

  2. In the Configure Destination Sets dialog box, click Create a Destination Set.

  3. In the New Destination Set dialog box, enter the name of the MIS server or a name that indicates this destination set will be used to route traffic to the MIS server.

  4. In the New Destination Set dialog box, click Add.

  5. In the Add/Edit Destination dialog box, select Destination, and then type the external DNS name (FQDN) of the ISA server.

    Note: The FQDN that you use here is the FQDN that users browse to on their phones from the Internet. Do not use the back-end server's FQDN, unless this is exactly where you are instructing your users to browse.

  6. In Path, type the path to an IIS virtual directory that corresponds to the features you are using in MIS.

    Important: You must type the path beginning with a forward slash (/) and ending with an asterisk (*) to include all items and subfolders. You must add an IIS virtual directory entry for each feature of MIS that you are using.

    Possible IIS virtual directories include:

    • /OMA* For browsing with a WAP-enabled phone

    • /Microsoft-Server-ActiveSync* For synchronization with Pocket PCs

    The path to the /IN* directory in Figure 7 is used for testing purposes. You do not need to add this directory, but you must add an entry for OMA (browsing), and if you are using it, one for Microsoft Server ActiveSync (Pocket PC synchronization).

  7. Repeat steps 4 through 6 to add an entry for each IIS virtual directory used in MIS. If you are using all features in MIS, your New Destination Set settings will look similar to Figure 7.

    Figure 7: Example of Include these destinations settings in New Destination Set

  8. When you are finished, in the New Destination Set dialog box, click OK.

  9. Verify that your destination set appears in the Destination Sets table.

  10. In the Getting Started dialog box, click Exit the Getting Started Wizard.

To configure a Web Publishing Rule

  1. In the console tree of the ISA Management Tool, double-click Servers and Arrays, double-click the name of your ISA server, double-click Publishing, and then click Web Publishing Rules.

  2. In the details pane, click Create a Web Publishing Rule.

  3. On the Welcome page, in Name, type a name for the rule, such as MIS_Incoming, and then click Next.

  4. On the Destination Sets page, select Specified destination set. In Name, select the MIS destination set you just created, and then click Next.

  5. On the Client Type page, to apply this rule to all incoming requests for the IIS virtual directories on the MIS server, select Any request, and then click Next.

    Note: To apply this rule on a per-user basis, you can select Specific users and groups. However, the ISA server would then have to hold, or be able to reach, those user accounts, which is not recommended for a server directly connected to the Internet. Leave per-user authentication to the MIS ISA filter.

  6. On the Rule Action page, under Response to client requests, select Redirect the request to this internal Web server (name or IP address), and then type the FQDN of the MIS server. Make sure the Send the original host header to the publishing server option is cleared, and verify that the HTTP, SSL, and FTP ports are correct. The Rule Action options will look similar to Figure 8.

    Important: Select Send the original host header to the publishing server only if the MIS server hosts multiple IIS virtual servers distinguished by host header, or if IIS on the MIS server is already configured to accept the external name and you do not want to change that configuration when you move the MIS server behind the ISA server.

    The Send the original host header to the publishing server option determines which of two possible host headers the ISA server places in the HTTP request when it redirects the request to the internal MIS server.

    • If the option is cleared, the ISA server replaces the original host header (the external server name) with the internal server name:

        Original:               https://mobile.contoso.com
        Passed to MIS server:   https://NA-mobile.contoso.com

    • If the option is selected, the ISA server passes the original host header through unchanged:

        Original:               https://mobile.contoso.com
        Passed to MIS server:   https://mobile.contoso.com

    Figure 8: Rule Action options in New Web Publishing Rule Wizard

  7. On the Rule Action page, click Next, and then on the Completing the New Web Publishing Rule page, click Finish.

Note: If you use SSL certificates, you will edit this rule to add SSL information. For instructions about how to add SSL settings on the Bridging tab, see the "Use SSL Certificates Between the ISA and MIS Servers" section later in this document.
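As an added example (not code from the ISA or MIS documentation), the following Python script models the decisions described in this procedure and in the destination set discussion above: a destination set that matches the external name plus /OMA* and /Microsoft-Server-ActiveSync*, a redirect rule evaluated ahead of the built-in discard rule with priority "Last," and the two host header outcomes from step 6. The host names, rule names and request URLs are constructed for illustration; the path normalization step is a property of this model, not a claim about how ISA itself canonicalizes paths.

```python
"""Added example (not code from the ISA or MIS documentation): a model of how an
ISA Server Web publishing rule decides whether an incoming request reaches the
MIS server, and which Host header the MIS server receives.

Assumed for illustration (not from the original page): the host names, rule
names and request URLs below are constructed. The logic models the behaviour
the page describes: a destination set matches an external FQDN plus paths that
end in '*', rules are evaluated in priority order, the built-in rule with
priority 'Last' discards anything no earlier rule redirected, and the 'Send the
original host header' setting decides whether the external or the internal
name is forwarded.
"""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class DestinationSet:
    name: str
    destination: str        # external FQDN users browse to (must resolve to ISA)
    paths: List[str]        # e.g. ["/OMA*", "/Microsoft-Server-ActiveSync*"]

    def matches(self, host: str, path: str) -> bool:
        if host.lower() != self.destination.lower():
            return False
        return any(fnmatchcase(path.lower(), p.lower()) for p in self.paths)


@dataclass
class WebPublishingRule:
    name: str
    priority: Optional[int]             # None models the built-in priority "Last"
    action: str                         # "redirect" or "discard"
    destination_set: Optional[DestinationSet] = None   # None = all destinations
    internal_server: Optional[str] = None              # FQDN of the MIS server
    send_original_host_header: bool = False

    def applies_to(self, host: str, path: str) -> bool:
        return self.destination_set is None or self.destination_set.matches(host, path)


@dataclass
class Decision:
    rule: str
    action: str
    forwarded_to: Optional[str]          # internal server the request is sent to
    forwarded_host_header: Optional[str]


# The built-in rule: cannot be edited or deleted, always evaluated last.
DEFAULT_RULE = WebPublishingRule("Default rule", None, "discard")


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments before matching, so that a request for
    '/OMA/../Exchange/' is compared as '/Exchange/' rather than slipping past a
    '/OMA*' destination set. (A property of this model, not a claim about ISA.)"""
    norm = posixpath.normpath(path or "/")
    if not norm.startswith("/"):
        norm = "/" + norm
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def evaluate(rules: List[WebPublishingRule], url: str) -> Decision:
    """Run the ordered rule set against one request URL, as the Web proxy would."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = normalize_path(parts.path)
    ordered = sorted((r for r in rules if r.priority is not None), key=lambda r: r.priority)
    ordered.append(DEFAULT_RULE)
    for rule in ordered:
        if not rule.applies_to(host, path):
            continue
        if rule.action == "discard":
            return Decision(rule.name, "discard", None, None)
        # Option cleared: ISA rewrites the Host header to the internal name.
        # Option selected: the Host header the client sent is passed through.
        fwd_host = host if rule.send_original_host_header else rule.internal_server
        return Decision(rule.name, "redirect", rule.internal_server, fwd_host)
    return Decision(DEFAULT_RULE.name, "discard", None, None)


# Constructed configuration mirroring the procedure above (names are assumptions).
MIS_SET = DestinationSet("MIS", "mobile.contoso.com",
                         ["/OMA*", "/Microsoft-Server-ActiveSync*"])
RULES = [WebPublishingRule("MIS_Incoming", 1, "redirect", MIS_SET,
                           internal_server="NA-mobile.contoso.com")]

if __name__ == "__main__":
    for u in ("https://mobile.contoso.com/OMA/",
              "https://mobile.contoso.com/Microsoft-Server-ActiveSync",
              "https://mobile.contoso.com/IN/",                # not in the set
              "https://NA-mobile.contoso.com/OMA/",            # internal name: no match
              "https://mobile.contoso.com/OMA/../Exchange/"):  # normalized first
        print(f"{u:50} -> {evaluate(RULES, u)}")
```

The fourth sample URL is the point of the Important note earlier in this section: a request for the internal name NA-mobile.contoso.com never matches a destination set built around the external name, so it falls through to the default rule and is discarded.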

To configure incoming Web request properties

  1. In the console tree of the ISA Management Tool, right-click the name of your server, and then click Properties.

  2. Click the Incoming Web Requests tab. In Identification, to configure the ISA server to listen for incoming requests on only the external NIC, select Configure listeners individually per IP address, and then click Add.

  3. In the Add/Edit Listeners dialog box:

    1. In Server, select the ISA server.

    2. In IP address, select the IP address of the external NIC.

    3. In Display Name, type a name for the external NIC, and then click OK to return to the Incoming Web Requests tab.

  4. If you publish more than one external name (for example, one per domain), repeat step 3 to add a listener for each external IP address.

  5. On the Incoming Web Requests tab, verify that, in Connection Settings, the Ask unauthenticated users for identification check box is cleared. The MIS ISA filter will perform this authentication.

  6. If you use SSL certificates, you can select the Enable SSL listeners check box now, or you can select it when you follow the instructions in the "Use SSL Certificates Between the ISA and MIS Servers" section later in this document.

Install the MIS ISA Filter on the ISA Server

The MIS ISA filter is installed on the ISA server to pre-authenticate users requesting data from a wireless device. When you run the MIS ISA filter setup, a domain mapping tool is available for handling pre-authentication of requests from Pocket PC users to synchronize with their Inbox. If you have multiple domains, you can use this tool to map an external DNS address to an internal domain controller that performs the pre-authentication.

For example, contoso.com has offices in North America and London. Each region has its own external domain address and internal servers that authenticate users who want to synchronize. Normally, wireless users who want to synchronize to their Inbox browse to https://NA-mobile.contoso.com if they work in North America and https://LON-mobile.contoso.com if they work in London. After Contoso adds an ISA server to route all incoming traffic for both domains, the administrator must configure the MIS ISA filter so that wireless users in either location can authenticate. To accomplish this, an administrator at Contoso uses the Server ActiveSync Domain Mapping tool to add one entry for the North America domain, mapping the external HTTP address to the DNS name of the North America domain (Figure 9).

Figure 9: Mapping an external address to an internal address in Add Mapping

Another entry is added for the London domain so that the one ISA server can route requests to both domains.

If you want one ISA server to support multiple domains, you must use the Server ActiveSync Domain Mapping tool; otherwise, you must deploy an ISA server in each domain, which can become costly. You can run the mapping tool during MIS ISA filter setup or at any time afterward from the Start menu. The tool lets you add or update synchronization domain mappings at any time; however, the only way to change the WAP browse settings specified during installation is to uninstall and reinstall the MIS ISA filter.

To install the MIS ISA filter on the ISA server

  1. Insert the MIS CD on the ISA server.

  2. Click Start, click Run, and then click Browse. Browse to the MIS CD, double-click the Support folder, double-click the Tools folder, double-click the ISA Filter folder, double-click Setup.Exe, and then click OK.

  3. On the Welcome page, read the warning information, and then click Next.

  4. Click I Accept the terms of the license agreement, and then click Next.

  5. On the Select Filter Functionality page, select WAP Browse and/or Server ActiveSync to match the types of traffic you use in your topology, and then click Next.

  6. On the Domain Address – WAP Access page, in Domain Name, type the FQDN where the wireless accounts reside, and then click Next.

    Important: This is the only way you can specify the domain name where the wireless accounts reside. Although the Domain Name Mapping tool allows you to specify multiple domains for synchronization after Setup is complete, there is no way to change the domain name for WAP browse accounts after Setup is complete.

  7. On the –W Auxiliary Account page, depending on whether you chose to append the account names with a –w suffix, select Yes or No, and then click Next.

  8. On the Ready To Install the Program page, click Install.

  9. To support synchronizing to single or multiple domains through a single ISA server, on the Server ActiveSync Domain Mapping Tool page, click Add. On the Add Mapping page, in External Address, type the external DNS address that wireless users browse to when synchronizing with their Inbox. In Internal Address, type the FQDN for the domain that performs authentication for the users in that domain. Click OK. Continue to add domains. Server ActiveSync options will look similar to Figure 10.

    Figure 10: Server ActiveSync options

  10. On the Server ActiveSync Domain Mapping Tool page, click OK to complete the MIS ISA filter setup.

  11. On the MIS ISA Filter Wizard Completed page, click Finish.

To verify that the MIS ISA filter is installed

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

  2. In the console tree of the ISA Management Tool, double-click Servers and Arrays, double-click the name of your ISA server, double-click Extensions, and then click Web Filters.

  3. Verify that the MIS ISA Filter is listed in the details pane.

    Note: If you think that the MIS ISA filter is not loaded properly, click Refresh in the ISA Management tool. To change the WAP browse settings, uninstall the filter by using Add/Remove Programs in Control Panel, make sure the ISA server restarts without errors, and then reinstall the MIS ISA filter.

Configure MIS to Send Notifications Through ISA

If you send notifications from a corporate MIS server through a carrier to a wireless device, and that carrier requires a specific IP address, you must make sure that the MIS server is configured to send notifications only through the ISA server. If you are not using notifications or you are not required to send notifications through a carrier with a specific IP address, then you do not have to complete this task. Installing the ISA firewall client software on the MIS server allows you to configure the MIS server so that notifications are always sent through the ISA server.

For ISA, a firewall client is any computer on which the ISA firewall client software is installed. When a Winsock application on a firewall client sends information to another computer, the client checks its copy of the local address table (LAT) to see whether the destination is listed there. If the computer is not in the LAT, the request is sent to the ISA Server Firewall service, which forwards it to the appropriate destination as the access policy permits. The firewall client software can also send Windows user information, which is required for authentication, to the ISA server. For more information about ISA firewall clients, see the ISA Server Help.

To configure an MIS server to send notifications through ISA

  1. On the MIS server, click Start, click Run, and then type \\<ISAServerName>\mspclnt\setup.exe.

  2. On the Welcome page, click Next.

  3. To install the client files in the default folder, click Next.

  4. On the Ready to Install the Program page, click Install.

  5. To exit the wizard, on the Install Wizard Completed page, click Finish.

  6. On the desktop of the MIS server, on the right side of the taskbar, right-click the firewall client icon, and then click Configure.

  7. Verify that the server listed in Use this ISA Server is the ISA server that you want the MIS server to use, and then click Update Now.

  8. If the ISA server listed is incorrect, clear the Automatically detect ISA server check box, type the appropriate ISA server name, and then click Update Now.

Configure ISA to Secure Notifications Using IPSec

If you are using the MIS notifications feature and your carrier is using IP Security (IPSec) to secure the notifications, you need to add packet filters to the ISA server to allow the ISA server to send notifications through the carrier and out to the user's wireless device.

Packet filtering on the ISA server allows you to control the flow of IP packets to and from the ISA server. When you enable packet filtering, all packets on the external NIC are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically by access policy or publishing rules.

In most cases, it is preferable to open ports dynamically. Therefore, it is recommended that you create access policy rules to allow internal clients access to the Internet or publishing rules to allow external clients access to internal servers. This is because IP packet filters open the ports statically, but the access policy and publishing rules open the ports dynamically (as a request arrives).

However, in some scenarios, you must use IP packet filters. Configure IP packet filters if:

  • You publish servers that are located on a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet).

  • You run applications or other services on the ISA Server computer that need to listen to the Internet.

  • You want to allow IP protocols other than User Datagram Protocol (UDP) or Transmission Control Protocol (TCP).

Because you are using IPSec, and you need to allow access to a set of protocols that support secure exchange of packets at the IP layer, you must create IP packet filters.

You can configure two types of static IP packet filters: allow filters and block filters. Allow filters are exception filters: all packets are blocked except those you explicitly allow. If no packet filter is enabled for a specific port, ISA cannot listen on that port unless the port is opened dynamically by a rule. Block filters close the specified ports. Because the ISA server must accept the notification traffic from the MIS server and send it through the carrier's IPSec tunnel to the wireless devices, you need to create allow filters. To configure packet filtering:

  1. Enable packet filtering.

  2. Create allow filters for UDP ports 500 and 1701.

To enable packet filtering

  1. In the console tree of ISA Management, double-click Internet Security and Acceleration Server, double-click Servers and Arrays, double-click the name of your server, and then double-click Access Policy.

  2. In the console tree, right-click IP Packet Filters, and then click Properties.

  3. On the General tab, select the Enable packet filtering check box, and then click OK.

To create allow filters for port 500 and 1701

  1. In the console tree of ISA Management, double-click Internet Security and Acceleration Server, double-click Servers and Arrays, double-click the name of your server, and then double-click Access Policy.

  2. In the console tree, right-click IP Packet Filters, click New, and then click Filter.

  3. On the Welcome page, in IP Packet Filter Name, type a name for the custom filter, and then click Next.

  4. On the Filter Mode page, select Allow packet transmission, and then click Next.

  5. On the Filter Type page, select Custom, and then click Next.

  6. On the Filter Settings page:

    1. In IP Protocol, select UDP.

    2. In Local port, select Fixed port, and then in Port number type 500.

    3. In Remote port, select Fixed port, and then in Port number, type 500.

  7. When your settings look similar to the filter settings in Figure 11, click Next.

    Figure 11: Filter Settings page

  8. On the Local Computer page, in Apply this packet filter to, select Default IP addresses for each external interface on the ISA server computer, and then click Next.

  9. On the Remote Computers page, in Apply this packet filter to, select All remote computers, and then click Next.

  10. On the Completing the New IP Packet Filter Wizard page, click Finish.

  11. In the details pane, right-click the new packet filter, and then click Properties.

  12. On the General tab, click Enable this filter, and then click OK.

  13. Repeat steps 2 through 12 to create a second packet filter for port 1701, typing 1701 instead of 500 for both the local port and the remote port.
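As an added example (not code from the ISA or MIS documentation), the following Python script models the two static allow filters created above and runs constructed packets through them, so you can see what the external interface accepts once packet filtering is enabled. The interface and carrier addresses, the filter names and the sample packets are constructed; dynamic openings created by access policy and publishing rules are not simulated, and treating a matching block filter as overriding an allow filter is an assumption of the model. UDP port 500 carries IKE, the IPSec key exchange, and UDP port 1701 carries L2TP; ESP, which many IPSec tunnels use for the data traffic, is IP protocol 50 and is not UDP, so the two filters from this procedure do not pass it. Whether your carrier's tunnel needs ESP through the ISA server is something to confirm with the carrier.

```python
"""Added example (not code from the ISA or MIS documentation): a model of the
static IP packet filters configured above, run over constructed packets.

Assumed for illustration (not from the original page): the interface address
10.0.0.1, the carrier address 203.0.113.7, the filter names and the sample
packets are constructed. With packet filtering enabled, every packet on the
external interface is dropped unless an allow filter permits it; dynamic
openings made by rules are not simulated, and block-beats-allow precedence is
an assumption of this model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UDP, TCP, ESP = 17, 6, 50      # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    protocol: int
    local_addr: str
    local_port: Optional[int]       # None for protocols without ports (ESP)
    remote_addr: str
    remote_port: Optional[int]


@dataclass(frozen=True)
class PacketFilter:
    name: str
    mode: str                           # "allow" or "block"
    protocol: int
    local_port: Optional[int] = None    # None = any port
    remote_port: Optional[int] = None   # None = any port
    remote_addr: Optional[str] = None   # None = "All remote computers"
    enabled: bool = True                # step 12 above: a new filter must be enabled

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or pkt.protocol != self.protocol:
            return False
        if self.local_port is not None and pkt.local_port != self.local_port:
            return False
        if self.remote_port is not None and pkt.remote_port != self.remote_port:
            return False
        if self.remote_addr is not None and pkt.remote_addr != self.remote_addr:
            return False
        return True


def decide(filters: List[PacketFilter], pkt: Packet,
           packet_filtering_enabled: bool = True) -> Tuple[str, str]:
    """Return ("allow" or "drop", name of the deciding filter or the reason)."""
    if not packet_filtering_enabled:
        return "allow", "packet filtering disabled"
    for f in filters:                       # block filters are checked first
        if f.mode == "block" and f.matches(pkt):
            return "drop", f.name
    for f in filters:                       # then an allow filter must match
        if f.mode == "allow" and f.matches(pkt):
            return "allow", f.name
    return "drop", "default (no allow filter matched)"


# The two custom allow filters from the procedure: fixed local and remote port,
# on the external interface, for all remote computers. UDP 500 is IKE (IPSec
# key exchange); UDP 1701 is L2TP.
FILTERS = [
    PacketFilter("UDP 500", "allow", UDP, local_port=500, remote_port=500),
    PacketFilter("UDP 1701", "allow", UDP, local_port=1701, remote_port=1701),
]

EXTERNAL_IP = "10.0.0.1"      # constructed: ISA external interface
CARRIER_IP = "203.0.113.7"    # constructed: carrier gateway

SAMPLE_PACKETS = {
    "IKE from carrier":       Packet(UDP, EXTERNAL_IP, 500, CARRIER_IP, 500),
    "L2TP from carrier":      Packet(UDP, EXTERNAL_IP, 1701, CARRIER_IP, 1701),
    "IKE, remote port 4500":  Packet(UDP, EXTERNAL_IP, 500, CARRIER_IP, 4500),
    "ESP (IP protocol 50)":   Packet(ESP, EXTERNAL_IP, None, CARRIER_IP, None),
    "TCP 80 from Internet":   Packet(TCP, EXTERNAL_IP, 80, "198.51.100.9", 40000),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(f"{label:24} -> {decide(FILTERS, pkt)}")
```

Two results are worth noting when you run it: because both filters use Fixed port on both sides, a peer that sends IKE from any other source port (4500 is what NAT traversal uses) is dropped, and the ESP packet is dropped because no UDP filter can match an IP protocol 50 packet. A filter created but not enabled (step 12 skipped) drops traffic exactly as if it did not exist.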

Use SSL Certificates Between the ISA and MIS Servers

After the MIS ISA filter has pre-authenticated a user, the ISA server forwards the request to the MIS server. Unless that connection is itself protected, the user's credentials travel from the ISA server to the MIS server unencrypted, even when the wireless device used SSL to reach the ISA server. To secure communications between the ISA server and the MIS server, install an SSL certificate on the MIS server, install certificates for the published names on the ISA server, and configure the publishing rule to establish a new SSL channel to the MIS server. The following procedures outline what you need to do to make sure the communications are secure. For detailed information about using SSL certificates, see IIS and Windows Help.

To install SSL certificates on the ISA and MIS servers

  1. On the MIS server, get an SSL certificate for the server's FQDN and install it. Make sure you apply it to the Default Web site.

    Note: The ISA server must trust the root certification authority (CA) that issued the MIS server's certificate, and because the ISA server validates that certificate when it opens the SSL channel, it must be able to reach the CA's revocation list. A private CA inside the intranet is recommended.

  2. On the ISA server, request one certificate for each front-end DNS address to which you want the ISA server to publish. At a minimum, request one for the MIS server.

  3. Install all of these certificates in the ISA server's local computer Personal certificate store.

To use server certificates to authenticate the ISA server to Web clients and secure the channel to the MIS server

  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management Tool.

  2. In the console tree of the ISA Management Tool, double-click Servers and Arrays, right-click the name of your ISA server, and then click Properties.

  3. Click the Incoming Web Requests tab, and then click Configure listeners individually per IP address (Figure 12).

    Figure 12: Incoming Web Requests tab

  4. If you have not already done so, select the Enable SSL listeners check box.

  5. On the Incoming Web Requests tab, click Add.

  6. In the Add/Edit Listeners dialog box, in Server, select your ISA server name, and then in IP Address, select one of the IP addresses you added to the external NIC.

  7. Select the Use a server certificate to authenticate to web clients check box, and then select the certificate that is issued to the FQDN that corresponds to the IP you are configuring. To apply the settings, click OK. (Your settings will look similar to Figure 13.)

    Figure 13: Add/Edit Listeners settings

  8. In the console tree of the ISA Management Tool, double-click Servers and Arrays, double-click the name of your ISA server, double click Publishing, and then click Web Publishing Rules.

  9. In the details pane, right-click the name of your publishing rule, and then click Properties.

  10. Click the Bridging tab.

    Important: If you terminate SSL at the ISA server, you can leave the default bridging settings, but you must then configure the Microsoft-Server-ActiveSync (MSAS) virtual directory on the MIS server so that Require SSL is not selected in its security settings, because the ISA server will connect to it over plain HTTP. This leaves the ISA-to-MIS hop, including the user's credentials, unencrypted; use the next step if you want that hop protected. For more information about configuring the IIS directories used by MIS, see the MIS documentation.

  11. To use SSL from the ISA server to the MIS server, in Redirect SSL requests as, select SSL requests (establish a new channel to the site), as shown in Figure 14.

    Figure 14: The Bridging properties of the MIS server

Conclusion

To provide the most secure solution for wireless users who need to browse the intranet and synchronize wireless devices with Exchange mailboxes, deploy an ISA server with the MIS ISA filter in the perimeter network as a stand-alone server that will act as a mobile gateway to authenticate user requests sent to the MIS server. When requests come in from the Internet, the ISA server filters those requests based on routing and Web publishing rules that you specify. Then the MIS ISA filter pre-authenticates the users. This allows users to be authenticated before entering the corporate domain, and while they are outside of the corporate intranet and forest. After the ISA server is in place, any MIS server that you previously deployed in the perimeter network is now more secure because you moved it inside the corporate intranet.

Adding an ISA server to your topology decreases the security risks to your organization. ISA deployment allows you to move MIS inside the intranet, where it can function without exposing a large number of open ports to receive requests from the Internet; ISA requires only the LDAP, HTTP (and HTTPS if you use it), and DNS ports to be open. Additionally, if you have multiple MIS servers, you reduce the number of servers in the perimeter network and with it the risk of unauthorized access from Internet users. Whether you are planning a new MIS topology or want to secure an existing one, consider using an ISA server to secure all the traffic passing between your wireless users on the Internet and your private intranet.

Additional Resources
