Outlook Web Access Walk-through for ISA Server 2004

Microsoft® Internet Security and Acceleration (ISA) Server 2004 and Microsoft Outlook® Web Access work together to enhance security for e-mail messages. This document walks you through all of the procedures for publishing Outlook Web Access through ISA Server, including the configuration of digital certificates.

The procedures in this document are appropriate for both Standard Edition and Enterprise Edition. Note that where this document refers to the ISA Server computer, this would be an array member running ISA Server services in Enterprise Edition.

For background information about Outlook Web Access, see Outlook Web Access Server Publishing in ISA Server 2004 (https://www.microsoft.com).

Scenario

Using Internet Security and Acceleration (ISA) Server 2004, you want to publish an Outlook Web Access server so that users can access their e-mail messages from home computers and from Internet kiosks. You want the connection to the Outlook Web Access server to be secure, and you do not want credentials or proprietary information stored on the client computers.

This document assumes that you are publishing Exchange Server 2003, and that you will use forms-based authentication on ISA Server, rather than on Exchange. The document Outlook Web Access Server Publishing in ISA Server 2004 (https://www.microsoft.com) describes how to publish Outlook Web Access using older releases of Exchange, and the differences between Exchange Server 2003 forms-based authentication and that provided by ISA Server.

Solution

The prescribed solution is to publish the Outlook Web Access server through Internet Security and Acceleration (ISA) Server 2004 using a mail server publishing rule. Communication from external clients to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server will be encrypted using Secure Sockets Layer (SSL). Forms-based authentication will be enabled on the Web listener that listens for Outlook Web Access requests, and attachment availability may be controlled.

Publishing Outlook Web Access in ISA Server consists of these general steps:

  1. Set up a Certification Authority.
  2. Configure the Outlook Web Access server, including installation of digital certificates.
  3. Configure ISA Server, including installation of digital certificates, and creation of a mail server publishing rule to publish the Outlook Web Access server.
  4. Configure caching.
  5. Set Outlook Web Access options, such as forms-based authentication and blocking of attachments for public (shared) or private computers.

Network Topology

Four computers are necessary to deploy this solution:

  • A computer to host the certification authority (CA). This computer must run Windows Server 2003 or Windows 2000 Server.
  • A computer to serve as the Outlook Web Access server on the Internal network. The Outlook Web Access server should run Microsoft Windows Server™ 2003 or Windows® 2000 Server Service Pack 3. It is assumed in this scenario that the Outlook Web Access server provides access to Exchange Server 2003.
  • The ISA Server 2004 computer. For Enterprise Edition, in a laboratory environment, one computer can host the Configuration Storage server and ISA Server services. In production, we recommend that wherever possible, the Configuration Storage server be placed behind the computer running ISA Server services. If you would like to test a Network Load Balancing (NLB) configuration using Enterprise Edition, you will require more than one computer in the ISA Server array.
  • A computer on the External network, to test the solution.

Outlook Web Access Server Publishing—Walk-through

This walk-through contains the following procedures:

  • Back Up your Current Configuration
  • Set Up the Certification Authority
  • Configure the Outlook Web Access Server
  • Configure the ISA Server Computer
  • Secure Outlook Web Access through the Listener
  • Configure the HTTP Filter
  • Require the Saving of Attachments in Exchange
  • Test the Deployment
  • View Outlook Web Access Session Information in the ISA Server Logs

Procedure 1: Back Up your Current Configuration

We recommend that you back up your configuration before making any changes. If the changes you make result in behavior that you did not expect, you can revert to the previous, backup configuration.

To back up the complete configuration of your ISA Server computer:

  1. Expand Microsoft ISA Server Management.

  2. Right-click the name of the array for Enterprise Edition or the name of the ISA Server computer for Standard Edition, and then click Export (Back Up) for Enterprise Edition or Back Up for Standard Edition.

  3. For Enterprise Edition, follow the on-screen instructions in the Export Wizard.

  4. For Standard Edition, in Backup Configuration, provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identify, such as ExportBackup2June2005.

  5. For Standard Edition, click Backup. Because you are exporting confidential information such as user passwords, you will be prompted to provide a password, which will be needed to restore the configuration from the exported file.

  6. When the export operation has completed, click OK.

Note

Because the .xml file is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Procedure 2: Set Up the Certification Authority

This procedure is performed on a computer running Windows Server 2003 or Windows 2000 Server. For a stand-alone root certification authority (CA), this can be any computer. We recommend that this not be the ISA Server computer or Configuration Storage server (Enterprise Edition). An enterprise root CA must be installed on a server that is a member of a domain.

This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure. Follow these steps:

To set up the Certification Authority:

  1. Open the Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Double-click Application Server.

  5. Double-click Internet Information Services (IIS).

  6. Double-click World Wide Web Service.

  7. Select Active Server Pages.

  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  9. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.

  10. On the CA Type page, choose one of the following, and then click Next:

    • Enterprise-root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller).
    • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.
  11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

  12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

Configuring a stand-alone root CA to issue certificates automatically (optional)

You can configure a stand-alone root CA to issue certificates automatically (all enterprise root CAs do so). Follow these steps:

To configure a stand-alone root CA to issue certificates automatically:

  1. From the Start menu, click Run. Type MMC, and then click OK.

  2. In MMC, click File, and then click Add/Remove Snap-in.

  3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certification Authority, and then click Add.

  4. In Certification Authority, select Local computer, and then click Finish. Click Close, and then click OK.

  5. Right-click the CAName certificates node, where CAName is the name of your certification authority, and select Properties.

  6. On the Policy Module tab, click Properties.

  7. On the Request Handling tab, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

  8. Click OK to close the Policy Module properties, and then click OK to close the CA properties.

  9. You will receive a message that you must restart Certificate Services. Right-click the name of your CA, point to All Tasks, and select Stop Service. After the service has stopped, right-click the name of your CA, point to All Tasks, and select Start Service.

    Note

    This scenario assumes that your Outlook Web Access server and your CA are in the same network. If they are on different networks separated by ISA Server, you would have to publish the CA Web site to allow access to it. For more information about Web publishing, see the document Publishing Web Servers Using ISA Server 2004 (https://www.microsoft.com).

Procedure 3: Configure the Outlook Web Access Server

Follow these steps to configure the Outlook Web Access server.

Installing a digital certificate on the Outlook Web Access server

You will obtain a certificate from your CA for your Outlook Web Access server. For the certificate to be trusted by the ISA Server computer, you must also install the associated root certificate on the ISA Server computer.

Note

The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication (HTTPS) both from the external client to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server. This is because the credential information used in the authentication process must be protected, and should not be exposed even within the Internal network. For this reason, you must install digital certificates on both the ISA Server computer and the Outlook Web Access server. ISA Server does not support Outlook Web Access publishing rules that forward HTTP requests from the external client to the Outlook Web Access server as HTTPS.

To install a digital certificate on the Outlook Web Access server, follow these steps:

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and in Select a Web content zone to specify its security settings, click Trusted sites.

  4. Click the Sites button to open the Trusted sites dialog box.

  5. In Add this Web site to the zone, provide the certificate server Web site name (https://IP address of certification authority server/certsrvname) and click Add.

  6. Click Close to close the Trusted sites dialog box, and then click OK to close Internet Options.

  7. Browse to: https://IP address of certification authority server/certsrv.

  8. Request a certificate.

  9. Select Advanced Certificate Request.

  10. Select Create and submit a request to this CA (Windows Server 2003 CA), or Submit a certificate request to this CA using a form (Windows 2000 Server CA).

  11. Complete the form and select Server Authentication Certificate from the Type drop-down list. To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the published server name. The common name for the certificate you are installing on the Outlook Web Access server is the name that the ISA Server computer uses to access the Outlook Web Access server through the Web publishing rule. This should be the fully qualified domain name (FQDN) of the Outlook Web Access server, such as owaserver1.adatum.com.

    Note

    For an explanation of the options available on the Advanced Certificate Request page, see one of the following articles for Windows Server 2003 or Windows 2000 Server:

  12. Select Store Certificate in the local computer certificate store (Windows Server 2003 CA) or Use local machine store (Windows 2000 Server CA) and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

  13. If you installed a stand-alone root CA and did not automate certificate issuing, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA:

    1. Go to the Microsoft Management Console (MMC) Certification Authority snap-in. (Click Start, point to All Programs, point to Administrative tools, and then select Certification Authority.)
    2. Expand the CAName certificates node, where CAName is the name of your certification authority.
    3. Click the Pending requests node, right-click your request, select All Tasks, and then select Issue.
  14. On the ISA Server computer, return to the Web page https://IP address of certification authority server/certsrv, and then click View status of a pending request.

  15. Click your request and choose Install this certificate.

  16. Verify that the server certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Personal node, click Certificates, and double-click the new server certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the root certificate, and a note that says This certificate is OK.

    Note

    On the Outlook Web Access server, the server certificate obtained from a CA must be stored in the Personal Certificate store. The root certificate from the CA must be stored in the Trusted Root Certificate Authorities store of the ISA Server computer.

Associate the certificate with the Outlook Web Access server

On the Outlook Web Access Server, run the wizard provided by IIS to associate the certificate with the Outlook Web Access site:

  1. Open Internet Information Services (IIS) Manager.

  2. Expand Web sites. Right-click the Outlook Web Access site, and click Properties.

  3. On the Directory Security tab, under Secure communications, click Server Certificate to open the Web Server Certificate Wizard. On the Welcome page, click Next.

  4. On the Server Certificate page, select Assign an existing certificate, and then click Next.

  5. On the Available Certificates page, the certificate you previously acquired is listed. If the certificate is not listed, verify that it was installed in the local computer certificate store. Select the certificate and then click Next. On the SSL Port page, select the SSL port that you are using to publish Outlook Web Access. The default port is 443, which you should not change unless you have a specific reason to do so.

  6. On the Certificate Summary page, review the summary and click Next.

  7. On the final page of the wizard, click Finish.

Install the root certificate on the ISA Server computer

For a client computer to trust the server certificates that you have installed from a local CA, it must have installed the root certificate from the CA. In this scenario, the ISA Server computer is the client of the Outlook Web Access server. Follow this procedure on the ISA Server computers (each array member, for Enterprise Edition). Note that you can also transfer the root certificate on a medium such as a disk, and then install it on the appropriate computer. Follow these steps:

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down list box to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

    Note

    Certificate installation is not possible when the security setting is set to High.

  4. Browse to: https://IP address of certification authority server/certsrv.

  5. Click Download a CA Certificate, Certificate Chain, or CRL (the text used by Windows Server 2003) or Retrieve the CA certificate or certificate revocation list (the text used by Windows 2000 Server). On the next page, click Download CA Certificate. This is the trusted root certificate that must be installed on the ISA Server computer. In the File Download dialog box, click Open.

  6. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

  7. On the Welcome page, click Next. On the Certificate Store page, select Place all certificates in the following store and click Browse. In the Select Certificate Store dialog box, select Show Physical Stores. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK. On the Certificate Store page, click Next.

  8. On the summary page, review the details and click Finish.

  9. Optional. Verify that the root certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.

    Note

    You can also install certificates on a computer from the MMC Certificates (Local Computer) snap-in. This only provides access to CAs on the same domain.

Configuring IIS to support SSL-encrypted Basic authentication on the Outlook Web Access server

This procedure takes place on the Outlook Web Access server:

To Configure IIS to support SSL-encrypted Basic authentication on the Outlook Web Access server:

  1. Open the Internet Services Manager or your custom Microsoft Management Console (MMC) containing the Internet Information Services (IIS) snap-in, and expand the server node, expand the Default Web Site node, select virtual path /Exchange, and then click Properties.

  2. Click the Directory security tab and under Authentication and Access Control, click Edit.

  3. Under Authenticated access, select Basic Authentication, and then provide the domain against which users should be authenticated. Clear Integrated Windows authentication if it is selected, because Basic authentication is the preferred authentication scheme.

  4. Click OK. A dialog box will indicate that Basic authentication method is unsecured. Because you will encrypt this authentication protocol using SSL, you may click Yes to continue.

  5. Click OK. A dialog box may appear, prompting you to specify how the authentication setting should propagate to child nodes in the default site. Click Select All and click OK.

  6. Under Secure Communications, click Edit, select the Require secure channel (SSL) check box, and then click OK twice.

  7. Repeat the preceding steps from step 3 for the virtual path /public.

  8. Repeat the preceding steps from step 3 for the virtual path /exchweb, but select Enable anonymous access and disable all other authenticated access check boxes.

    Important

    Exchange Server 2003 provides an option of enabling forms-based authentication. Do not select that option, because it will not work with ISA Server mail publishing rules. Forms-based authentication should be configured on the ISA Server computer.

Procedure 4: Configure the ISA Server Computer

The steps required to configure the ISA Server computer are:

  • Installing a digital certificate on the ISA Server computer. You must also distribute the associated root certificate to the computers that are to trust the certificate.
  • For Enterprise Edition, optionally configuring NLB.
  • Creating a mail server publishing rule.
  • Creating a cache rule.

Installing a digital certificate on the ISA Server computer

This procedure is performed on the ISA Server computer. If you installed a stand-alone root CA and did not automate the issuing of certificates, there are also actions that take place on the certification authority.

Note

The recommended configuration for Outlook Web Access publishing is to use SSL-encrypted communication (HTTPS) both from the external client to the ISA Server computer and from the ISA Server computer to the Outlook Web Access server. For this reason, you must install digital certificates on both the ISA Server computer and the Outlook Web Access server.

To install a digital certificate on the ISA Server computer, follow these steps:

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and in Select a Web content zone to specify its security settings, click Trusted sites.

  4. Click the Sites button to open the Trusted sites dialog box.

  5. In Add this Web site to the zone, provide the certificate server Web site name (https://IP address of certification authority server/certsrvname) and click Add.

  6. Click Close to close the Trusted sites dialog box, and then click OK to close Internet Options.

  7. Browse to: https://IP address of certification authority server/certsrv.

  8. Request a certificate.

  9. Select Advanced Certificate Request.

  10. Select Create and submit a request to this CA (Windows Server 2003 CA), or Submit a certificate request to this CA using a form (Windows 2000 Server CA).

  11. Complete the form and select Server Authentication Certificate from the Type drop-down list. To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the fully qualified host name or URL that external clients will type in their Web browser to access Outlook Web Access, for example www.adatum.com/mail.

    Note

    For an explanation of the options available on the Advanced Certificate Request page, see one of the following articles for Windows Server 2003 or Windows 2000 Server:

  12. Select Store Certificate in the local computer certificate store (Windows Server 2003 CA) or Use local machine store (Windows 2000 Server CA) and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

  13. If you installed a stand-alone root CA, and did not automate the issuing of certificates, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA:

    1. Go to the Microsoft Management Console (MMC) Certification Authority snap-in. (Click Start, point to All Programs, point to Administrative tools, and then select Certification Authority.)
    2. Expand the CAName certificates node, where CAName is the name of your certification authority.
    3. Click the Pending requests node, right-click your request, select All Tasks, and then select Issue.
  14. On the ISA Server computer, return to the Web page https://IP address of certification authority server/certsrv, and then click View status of a pending request.

  15. Click your request and choose Install this certificate.

  16. Verify that the server certificate was properly installed. On the ISA Server computer, open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Personal node, click Certificates, and double-click the new server certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the root certificate, and a note that says This certificate is OK.

    Note

    On an ISA Server 2004 computer, the server certificate obtained from a CA must be stored in the Personal Certificate store of the ISA Server computer. The root certificate for the Outlook Web Access server from which the connection will be established must be stored in the Trusted Root Certificate Authorities store of the ISA Server computer. Clients that connect to the ISA Server computer will also require a root certificate.
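
The verification in step 16 of this procedure and of the Outlook Web Access server procedure can be scripted. The following PowerShell script is an added check, not part of the walk-through; it assumes PowerShell with the Certificate provider is available on the server being checked, and takes as a parameter the common name the certificate must carry (the internal FQDN such as owaserver1.adatum.com on the Outlook Web Access server, the external host name such as www.adatum.com on the ISA Server computer, both taken from the walk-through's examples).

```powershell
param(
    # Assumption: the host name this certificate must carry in its common name.
    # Use the walk-through's internal FQDN on the Outlook Web Access server and the
    # external host name on the ISA Server computer.
    [Parameter(Mandatory = $true)]
    [string]$ExpectedName
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication enhanced key usage
$failures = @()

# The server certificate must be in the Personal store of the local computer.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ("(^|, ?)CN=" + [regex]::Escape($ExpectedName) + "(,|$)") }

if (-not $candidates) {
    Write-Output "FAIL: no certificate with CN=$ExpectedName in Cert:\LocalMachine\My"
    exit 1
}

foreach ($cert in $candidates) {
    Write-Output ("Checking " + $cert.Thumbprint + " (" + $cert.Subject + ")")

    # General tab: "You have a private key that corresponds to this certificate".
    if (-not $cert.HasPrivateKey) {
        $failures += "no private key for $($cert.Thumbprint)"
    }

    # The certificate must be inside its validity period.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $failures += "certificate $($cert.Thumbprint) is outside its validity period"
    }

    # Step 11 requested a Server Authentication Certificate; check the usage is present.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $failures += "certificate $($cert.Thumbprint) lacks the Server Authentication usage"
    }

    # Certification Path tab: "This certificate is OK". Build the chain to a trusted root.
    # Revocation checking is skipped because the walk-through's CA publishes no CRL
    # location the server can necessarily reach.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $failures += "chain does not build for $($cert.Thumbprint): $status"
    } else {
        # The last element is the root. It must be in Trusted Root Certification
        # Authorities of the local computer, not only in the current user's store.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $inMachineRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        if (-not $inMachineRoot) {
            $failures += "root '$($root.Subject)' is not in Cert:\LocalMachine\Root"
        }
    }
}

if ($failures.Count -eq 0) {
    Write-Output "PASS: certificate for $ExpectedName is installed correctly"
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it once on each Outlook Web Access server and on each ISA Server array member with the name that hop is published under; a PASS confirms the private key, the Server Authentication usage, and the chain to a root in the local computer's Trusted Root Certification Authorities store.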

Distributing the root CA certificate

For a client computer to trust the server certificates that you have installed from a local CA, it must have installed the root certificate from the CA. In this scenario, the computers on the Internet that connect to the ISA Server computer are the clients, and each one must have the root certificate installed.

A root CA certificate can be distributed automatically in the following ways:

  • Add a root CA certificate to the Active Directory® directory service forest configuration so that it is deployed on every computer in the forest using group policies. (Organizations with multiple forests should add the root CA certificate to each forest.) Root certificate distribution through Active Directory enables a trust with the root CA at a forest level. Organizations that have deployed Active Directory should prefer this method of distributing the organization’s root certificates.
  • Add the CA to the domain security Group Policy. This is preferable if the Active Directory forest consists of several domains and the root trust should be limited to only a few domains. The drawback of this method is that additional management would be needed if the root certificate has to be added to multiple domains.
  • Deploy the root CA certificate as part of the Internet Explorer administration kit.
  • Deploy the root CA certificate with a script that writes the root certificate as a binary large object into the registry or uses CAPICOM.
  • Deploy the root CA certificate through a file. This might be an acceptable method for clients that are not Active Directory-aware. With administrator permissions, the root CA certificate can be manually added to the local root CA certificate store. Heterogeneous environments might consider this method of deploying root CA certificates.

You can also distribute certificates manually. Where certificates are distributed manually, the certificate user must decide if a root certificate is trustworthy or not. When a certificate that chains to an untrusted root is used, the user receives a warning that lets the user decide whether to trust the root certificate. When the root certificate is distributed automatically, the administrator is responsible for thinking about and determining trust levels.

Based on default permissions, a user can only add a root CA certificate into the user’s certificate store. Root trust is then limited to this user’s account. However, administrators can add root CA certificates into a computer’s certificate store, which is then inherited by all users.

For more information, see the document Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure (https://www.microsoft.com).

Two options for installing the root certificate are described:

  • Root trust using Group Policy
  • Manual installation of root certificates on each client computer

Note that there are other means of installing the root certificate, or of creating root trust. For example, you can transfer the root certificate on a medium such as a disk, and then install it on the appropriate computer.

Using Group Policy

To establish a trusted root certification authority using Group Policy, the Group Policy object (GPO) that you create must have access to the root certificate. This requires that you import a copy of the root certification authority certificate. For a root certification authority certificate to be imported, the root certificate must be in a PKCS #12 file, in a PKCS #7 file, or in a binary-encoded X.509 v3 certificate file. For more information about using these file formats, see Importing and Exporting Certificates (www.microsoft.com).

Follow this procedure to establish a trusted root certification authority using Group Policy:

  1. Open the Group Policy object (GPO) that you want to edit.

  2. In the console tree, click Trusted Root Certification Authorities.

  3. On the Action menu, point to All Tasks, and then click Import.

This starts the Certificate Import Wizard, which guides you through the process of importing a root certificate and installing it as a trusted root certification authority (CA) for this GPO.

Notes

  • To perform this procedure you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory, or you must have been delegated the proper authority. As a security best practice, consider using Run as to perform this procedure.
  • To open a GPO, see Group Policy (https://www.microsoft.com).
  • This procedure does not apply to Local Policy objects.

Manual installation on each client computer

Follow this procedure on each client computer:

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down list box to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

    Note

    Certificate installation through the CA Web site is not possible when the security setting is set to High.

  4. Browse to: https://IP address of certification authority server/certsrv.

  5. Click Download a CA Certificate, Certificate Chain, or CRL (the text used by Windows Server 2003) or Retrieve the CA certificate or certificate revocation list (the text used by Windows 2000 Server). On the next page, click Download CA Certificate. This is the trusted root certificate that must be installed on the ISA Server computer. In the File Download dialog box, click Open.

  6. On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

  7. On the Welcome page, click Next. On the Certificate Store page, select Place all certificates in the following store and click Browse. In the Select Certificate Store dialog box, select Show Physical Stores. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK. On the Certificate Store page, click Next.

  8. On the summary page, review the details and click Finish.

  9. Optional. Verify that the root certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.

    Note

    You can also install certificates on a computer from the MMC Certificates (Local Computer) snap-in. This only provides access to CAs on the same domain.

Enterprise Edition: Configure NLB on the ISA Server array

This step is only for the Enterprise Edition.

You may want to publish Outlook Web Access using Network Load Balancing (NLB) in your ISA Server array. We recommend that you enable NLB on the Outlook Web Access server’s network, and on the External network (the network on which ISA Server will listen for Outlook Web Access requests). For the most effective use of NLB, your Web listener should listen on the NLB virtual IP address for the External network. If you configure your Web listener to listen on all of the IP addresses for the network adapters, it will listen on the virtual IP address, which will distribute requests using NLB, and on the dedicated IP addresses of the network adapters, which will not make use of NLB. The procedure for selecting the virtual IP address in a Web listener is described in Creating a mail server publishing rule in this document.

Follow this procedure to configure NLB for an array. NLB will be automatically configured in unicast mode and single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host. This procedure takes place on a computer in an ISA Server array. You must be logged on as an array or enterprise administrator.

To configure NLB on an ISA Server array, follow these steps:

  1. On one of the ISA Server array members, expand Arrays, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, verify that the Networks tab is selected.

  3. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration to start the Network Load Balancing Integration Wizard. On the Welcome page, click Next.

  4. On the Select Load Balanced Networks page, select the networks for which NLB will be enabled. We recommend that you enable NLB on the Outlook Web Access server’s network, and on the External network. Select those networks. Do not click Next.

  5. Before you click Next, you must set the virtual IP address for each network. To set the virtual IP address, after you select the network, click Set Virtual IP. In the Set Virtual IP Address dialog box, provide the IP address and subnet mask for the virtual IP address you will use. Note that this IP address must be a valid static IP address (that cannot be assigned by your DHCP server), and must belong to the network you are configuring. Click OK, and then click Next.

  6. On the summary page, click Finish.

  7. In the details pane, click Apply.

Creating a mail server publishing rule

Create a new mail publishing rule using the New Mail Server Publishing Rule Wizard:

  1. Expand Microsoft ISA Server Management and click Firewall Policy.

  2. In the Firewall Policy task pane, on the Tasks tab, select Publish a Mail Server to start the New Mail Server Publishing Rule Wizard.

  3. On the Welcome page of the wizard, provide a name for the rule, and then click Next.

  4. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync, and then click Next.

  5. On the Select Services page, select Outlook Web Access. You may also select Outlook Mobile Access and Exchange ActiveSync. Click Next.

  6. On the Bridging Mode page, select which parts of the communication path will be secured by digital certificates and therefore take place using the HTTPS protocol. This can be the communication from the client to the ISA Server computer, the communication from the ISA Server computer to the Outlook Web Access server, both types of communication, or neither. We recommend that you select the default Secure connection to clients and mail server, so that both portions of the communications pathway are secured by digital certificates. This will require that a digital certificate be installed on the Outlook Web Access server and on the ISA Server computer. Click Next.

  7. On the Specify the Web Mail Server page, enter the name or IP address of the Outlook Web Access server. This name must match the name on the Outlook Web Access server digital certificate. Click Next.

  8. On the Public Name Details page, provide information regarding what requests will be received by the ISA Server computer and forwarded to the Outlook Web Access server. In Accept requests for, if you select Any domain name, any request that is resolved to the IP address of the external Web listener of the ISA Server computer will be forwarded to your Outlook Web Access server. If you select This domain name and provide a specific domain name, such as mail.fabrikam.com, then, assuming that domain is resolved to the IP address of the external Web listener of the ISA Server computer, only requests for https://mail.fabrikam.com will be forwarded to the Outlook Web Access server. Click Next.

  9. On the Select Web Listener page, specify the Web listener that will listen for Web page requests that should be redirected to your Web server, and then click Next. If you have not defined a Web listener, click New and follow these steps to create a new listener:

    1. On the Welcome page of the New Web Listener Wizard, type the name of the new listener, such as Listener on External network for Outlook Web Access publishing, and then click Next.

    2. On the IP Addresses page, select the network that will listen for Web requests. Because you want ISA Server to receive requests from the External network (the Internet), the listener should be one or more IP addresses on the External network adapter of ISA Server. For Enterprise Edition, see the next step. In Standard Edition, you can select External, and then click Next.

    3. This step applies to Enterprise Edition, where NLB is being used. Before you click Next on the IP Addresses page, select specific addresses on which you will listen. Click the Address button. The default selection is to listen on all IP addresses on the network. This will include both dedicated IP addresses and virtual IP addresses on the External network, where NLB is enabled. We recommend that you select Default IP address(es) for network adapter(s) on this network. This will select the default virtual IP address if NLB is enabled, and will select the default IP addresses on the network adapters of the ISA Server array if NLB is not enabled. If you have enabled NLB, and have created more than one virtual IP address, you should select Specified IP addresses on the ISA Server computer in the selected network, and then select the specific virtual IP address in the Available IP Addresses list. Click OK, and on the IP Addresses page, click Next.

    4. On the Port Specification page, because you plan to listen only for SSL requests (as recommended), you should clear Enable HTTP, and select Enable SSL. Make sure the SSL port is set to 443 (default setting), and provide the certificate name in the Certificate field. For more information about SSL, see Digital Certificates for ISA Server 2004 (https://www.microsoft.com). Click Next.

      Important

      For secure Outlook Web Access publication, we recommend that you listen only for SSL requests. Use only the standard port numbers, which are the default settings, for Outlook Web Access publishing.

    5. On the Completing the New Web Listener Wizard page, review the settings, and click Finish.

  10. On the Select Web Listener page, click Next.

    Note

    For security purposes, you should consider using forms-based authentication and limiting attachment access from public computers. These features are part of the listener used in the mail server publishing rule, and can be configured in the listener properties after completing the New Web Listener Wizard. For more information, see Secure Outlook Web Access through the Listener in this document.

  11. On the User Sets page, the default, All Users, is displayed. This will allow any authenticated user in the External network to access the Outlook Web Access server. To restrict the access to specific users, use the Remove button to remove All Users, and the Add button to access the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. When you have completed the user set selection, click Next.

  12. On the Completing the New Mail Server Publishing Rule Wizard page, scroll through the rule configuration to make sure that you have configured the rule correctly, and then click Finish.

  13. In the ISA Server details pane, click Apply to apply the changes you have made. It will take a few moments for the changes to be applied.

Create a cache rule

When you use ISA Server forms-based authentication as recommended, no objects are cached from the Outlook Web Access server. To take advantage of the ISA Server caching feature, you can create a cache rule to enable caching of the images served by Outlook Web Access. Do not enable caching of other objects, because this can lead to unexpected logging off of users.

The cache rule will refer to a URL set containing your Outlook Web Access servers.

To create a URL set:

  1. Expand Microsoft ISA Server Management, expand the node of the ISA Server computer or array, and click Firewall Policy.

  2. In the task pane, on the Toolbox tab, select Network Objects. Click New, and from the drop-down menu, select URL Set.

  3. Provide a name for the URL set, such as Outlook Web Access servers.

  4. Click New, and provide the URL for the Outlook Web Access server, such as https://nameofowaserver/exchweb/img/*. If you have more than one Outlook Web Access server, repeat this step for the URL of each server. When you are done, click OK.

Ensure that caching is enabled on the ISA Server.

To enable caching:

  1. Expand Microsoft ISA Server Management, expand the node of the ISA Server computer or array, expand Configuration and click Cache.

  2. In the details pane, click the Cache Drives tab and select the applicable drive.

  3. On the Tasks tab, click Define Cache Drives (enable caching).

  4. Select one of the drives listed.

  5. In Maximum cache size (MB), type the amount of space on the selected drive to allocate for caching.

  6. Click OK.

To create a cache rule:

  1. In ISA Server Management, expand Configuration and click Cache.

  2. In the details pane, select the Cache Rules tab.

  3. In the task pane, on the Tasks tab, select Create a Cache Rule to start the New Cache Rule Wizard.

  4. On the Welcome page of the wizard, provide a name for the rule, and then click Next.

  5. On the Cache Rule Destination page, click Add to open the Add Network Entities dialog box, select the URL set you created, click Add, and then click Close. On the Access Rule Destination page, click Next.

  6. On the Content Retrieval page, leave the default selection Only if a valid version of the object exists in the cache, and then click Next.

  7. On the Cache Content page, select If source and request headers indicate to cache and Content requiring user authentication for retrieval. Click Next. You will receive a warning, which you should review before clicking Yes.

  8. You can use the default selections on the remaining wizard pages. Information about cache rule properties is provided in ISA Server Help. Review the information on the wizard summary page, and then click Finish.

  9. In the details pane, click Apply to apply your changes.

Procedure 5: Secure Outlook Web Access through the Listener

The listener that listens for Outlook Web Access server requests (created in Procedure 3) provides these important features for securing your Outlook Web Access server:

  • Forms-based authentication
  • Control of attachment availability

These features cannot be configured in the New Web Listener Wizard. After you have created a new Web listener in the New Web Listener Wizard, use the following steps to configure the listener to use forms-based authentication and to limit attachment availability:

  1. In ISA Server Management, select the Firewall Policy node. In the task pane, select the Toolbox tab and the Network Objects header.
  2. In the Network Objects header, expand Web Listeners. Double-click the Web listener you created for Outlook Web Access publishing to open its properties.
  3. On the Preferences tab, under Configure allowed authentication methods, click Authentication.
  4. In the list of authentication methods, clear any authentication method that is selected (the default is Integrated), and then select OWA Forms-Based. This establishes forms-based authentication for the Outlook Web Access Web listener, and for the mail server publishing rule that uses this listener. You use the steps that follow to configure idle session time-out and attachment control options.
  5. Next to Configure OWA forms-based authentication, click Configure to open the OWA Forms-Based Authentication dialog box.
  6. Under Idle Session Timeout, configure the maximum time that clients can remain idle without being disconnected. Typically, you would configure clients on public machines to have a shorter allowed idle time than clients on private machines, to reduce the risk that someone will access e-mail if the user leaves the public machine and forgets to log off. Note that this is a global setting for all Web listeners.
  7. Under E-mail Attachments, you can select to block e-mail attachments for public and private computers.
  8. You can select Log off OWA when the user leaves OWA site if you want users to be automatically logged off when they close the Internet Explorer window, refresh the window, or navigate to another Web site.
  9. Click OK to close the Web listener properties. In the Firewall Policy details pane, click Apply to apply the changes that you made.

Procedure 6: Configure the HTTP Filter

ISA Server 2004 provides granular control over Hypertext Transfer Protocol (HTTP) communication. This control is provided in the form of an HTTP filter, an application-layer filter that examines HTTP commands and data, through which you set HTTP policy. The HTTP filter screens all HTTP traffic that passes through the ISA Server computer, and only allows compliant requests to pass through. This significantly improves the security of your Outlook Web Access servers, by helping ensure that they only respond to valid requests.

Access the HTTP policy properties

HTTP policy is applied on a per-rule basis. You access the policy through each rule for which you want to apply an HTTP policy.

Important

The Maximum headers length setting on the General tab of the Configure HTTP policy for rule dialog box is applied to all rules globally. This setting configures the number of bytes allowed in a request header before a request is blocked. The remaining settings on the General tab and on the other tabs are applied on a per-rule basis.

To access the dialog box to configure HTTP policy for an access rule or a Web publishing rule, follow this procedure:

  1. Open Microsoft ISA Server Management, expand the ISA Server computer node, and click Firewall Policy.

  2. In the details pane, right-click the rule and select Configure HTTP. The HTTP policy properties are accessed through the five tabs on the properties dialog box.

Baseline Mail Server Publishing HTTP Policy

You should create an HTTP policy based on your corporate policy and security needs. The policy provided here is a baseline, example HTTP policy for Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync.

Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync

General tab
Maximum headers length | 32768 | 32768 | 32768
Maximum payload length | 10485760 | 10485760 | 65536
Maximum URL length | 16384 | 319 | 1024
Maximum query length | 4096 | 13 | 512
Verify normalization | Yes | Yes | Yes
Block high bit characters | No | Yes | Yes
Block responses containing Windows executable content | Yes (Note 1) | Yes | Yes

Methods tab
Allow only specified methods | BCOPY, BDELETE, BMOVE, BPROPPATCH, DELETE, GET, MKCOL, MOVE, POLL, POST, PROPFIND, PROPPATCH, SEARCH, SUBSCRIBE | GET, HEAD, POST | OPTIONS, POST

Extensions tab
Action taken for file extensions | Block specified extensions (allow all others) | Allow only specified extensions | Allow only specified extensions
Extension list | .asax, .ascs, .bat, .cmd, .com, .config, .cs, .csproj, .dat, .dll (Note 2), .exe (Note 1), .htr, .htw, .ida, .idc, .idq, .ini, .licx, .log, .pdb, .polv, .printer, .resources, .resx, .shtm, .shtml, .stm, .vb, .vbproj, .vsdisco, .webinfo, .xsd, .xsx | . (dot), .aspx | . (dot)
Block requests containing ambiguous extensions | No | Yes | Yes

Headers tab
Blocked headers | None | None | None

Signatures tab
Blocked signatures: Request URL | "./", "\", ".." (Note 3), "%" (Note 3), "&" (Note 3) | "./", "\", "..", "%", "&", ":" | "./", "\", "..", "%", ":"

Note 1: Blocking .exe file extensions and enabling Block responses containing Windows executable content for Outlook Web Access will block access to the S/MIME control. If the S/MIME control is required for Outlook Web Access on Exchange Server 2003, do not include .exe in the blocked extensions list or enable Block responses containing Windows executable content.

Note 2: Blocking .dll file extensions for Outlook Web Access will block access to the online spelling checker that is built into Outlook Web Access.

Note 3: Including the strings "..", "%", and "&" can prevent certain types of potential attacks, but it will also reduce access to certain e-mail messages. An e-mail message subject line forms part of the URL used to access the message, so any e-mail message whose subject contains one of these characters will be blocked. A balance must be found between extra security and functionality. Do not include the ":" character in this list, because this will block access to the majority of e-mail messages: many message subject lines contain RE: and FW: if they are replies or forwards.

Note

You can also use scripting to add an HTTP policy to a rule. For more information, see HTTP Filtering in ISA Server 2004 (https://www.microsoft.com).
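As an added illustration that is not part of this document or of ISA Server, the following Python models the three baseline policies in the table above and applies them to constructed request lines, so you can see which requests each column admits and how the Note 2 and Note 3 trade-offs play out. The model assumes that signatures are matched against the request URL as received, that the "." extension entry stands for a request with no file extension, and it leaves the ambiguous-extension and blocked-header settings out.

```python
# Model of the baseline HTTP policy table, run over constructed request lines.
# Added illustration, not ISA Server code; assumed: signatures are matched on the
# URL as received, and the "." extension entry means a request with no extension.
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit
import posixpath

@dataclass(frozen=True)
class HttpPolicy:
    max_headers: int        # General tab: Maximum headers length (bytes)
    max_payload: int        # General tab: Maximum payload length (bytes)
    max_url: int            # General tab: Maximum URL length
    max_query: int          # General tab: Maximum query length
    block_high_bit: bool    # General tab: Block high bit characters
    methods: frozenset      # Methods tab: Allow only specified methods
    extensions: frozenset   # Extensions tab: Extension list
    block_listed: bool      # True = block listed extensions, False = allow only listed
    signatures: tuple       # Signatures tab: Blocked signatures in the request URL

OWA = HttpPolicy(32768, 10485760, 16384, 4096, False,
                 frozenset("BCOPY BDELETE BMOVE BPROPPATCH DELETE GET MKCOL MOVE "
                           "POLL POST PROPFIND PROPPATCH SEARCH SUBSCRIBE".split()),
                 frozenset(".asax .ascs .bat .cmd .com .config .cs .csproj .dat .dll "
                           ".exe .htr .htw .ida .idc .idq .ini .licx .log .pdb .polv "
                           ".printer .resources .resx .shtm .shtml .stm .vb .vbproj "
                           ".vsdisco .webinfo .xsd .xsx".split()),
                 True, ("./", "\\", "..", "%", "&"))
OMA = HttpPolicy(32768, 10485760, 319, 13, True, frozenset({"GET", "HEAD", "POST"}),
                 frozenset({".", ".aspx"}), False, ("./", "\\", "..", "%", "&", ":"))
EAS = HttpPolicy(32768, 65536, 1024, 512, True, frozenset({"OPTIONS", "POST"}),
                 frozenset({"."}), False, ("./", "\\", "..", "%", ":"))

def check_request(policy, method, url, headers_len=0, payload_len=0):
    """Return None if the request passes the policy, else the first failing rule."""
    parts = urlsplit(url)
    if headers_len > policy.max_headers:
        return "headers too long"
    if payload_len > policy.max_payload:
        return "payload too long"
    if len(url) > policy.max_url:
        return "URL too long"
    if len(parts.query) > policy.max_query:
        return "query too long"
    # Verify normalization: a URL that still changes on a second decode was double-encoded.
    once = unquote(url)
    if unquote(once) != once:
        return "URL not normalized"
    if policy.block_high_bit and any(ord(c) > 127 for c in url):
        return "high-bit character in URL"
    if method not in policy.methods:
        return f"method {method} not allowed"
    ext = posixpath.splitext(parts.path)[1].lower() or "."   # "." = no extension
    if (ext in policy.extensions) == policy.block_listed:
        return f"extension {ext} not allowed"
    for sig in policy.signatures:
        if sig in url:
            return f"signature {sig!r} in URL"
    return None

# Constructed request lines (not captured traffic); 'jane' is a placeholder mailbox.
SAMPLES = [
    (OWA, "GET", "/exchange/jane/Inbox/RE:budget.EML"),            # ':' is not blocked for OWA
    (OWA, "GET", "/exchange/jane/Inbox/Q&A.EML"),                  # '&' in a subject (Note 3)
    (OWA, "GET", "/exchange/jane/Inbox/RE:%20budget.EML"),         # '%' from an encoded space (Note 3)
    (OWA, "GET", "/exchweb/bin/spell.dll"),                         # spelling checker (Note 2)
    (OWA, "GET", "/exchange/../exchweb/bin/auth/owalogon.asp"),    # traversal signature
    (OWA, "OPTIONS", "/exchange/jane/"),                            # method not in the OWA list
    (OMA, "GET", "/oma/default.aspx"),
    (EAS, "POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=jane&DeviceId=ABC123&DeviceType=PocketPC"),
]

def run_samples():
    """Evaluate every sample; returns (method, url, verdict) with verdict None for allow."""
    return [(m, u, check_request(p, m, u)) for p, m, u in SAMPLES]

if __name__ == "__main__":
    for method, url, verdict in run_samples():
        print(f"{'allow' if verdict is None else 'block'}  {method:7} {url}  {verdict or ''}")
```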

Procedure 7: Require the Saving of Attachments in Exchange

You can completely block attachments received through Outlook Web Access, so that the user cannot open or save any attachments. The procedure for blocking e-mail attachments is provided in Secure Outlook Web Access through the Listener in this document.

If you do not block attachments, note that some attachments, such as Windows Media® files and Microsoft Office Excel spreadsheets, cannot be opened directly by a client connected remotely to an Outlook Web Access server. An attempt to open such a file will result in a failure of the application associated with the file. Those files must be saved locally and can then be opened. You can avoid this problem by configuring Exchange Server 2003 and Exchange 2000 Server to force users to save attachments. This feature is not available on Exchange Server 5.5.

To force users to save attachments, configure the following registry key on the Exchange Server computer:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA\Level2FileTypes

This registry value specifies a set of file extensions that are potentially dangerous as attachments. Attachments matching these types will not be opened automatically. Instead, users will be prompted to save the attachments locally on their computers.

Note

You cannot configure Exchange Server 5.5 to require the saving of attachments.

Procedure 8: Test the Deployment

After you complete the configuration, you should test the features you configured.

Testing Outlook Web Access

An external client can access the Outlook Web Access server provided that it can resolve a fully qualified domain name to the external IP address of the ISA Server computer. This would usually be achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of ISA Server. To test the deployment in a lab environment, you can specify the Web site host name resolution information using Notepad, in the client Hosts file located under the following path: \system32\drivers\etc\hosts in the Windows installation directory.

To connect to the Outlook Web Access site from the external client, type the Web address, such as https://mail.fabrikam.com/exchange. Be certain to specify https in the URL, as shown.

When you connect, you should see a logon page requesting credentials and the session type (public or private). You must provide this information before you can access your mailbox.

If you have set time-outs or blocked attachments, you can test those features by leaving the browser inactive for a period of time and then trying to access mail, and by trying to open or save attachments.

Testing Outlook Mobile Access

From a computer with Internet access, use Internet Explorer to connect to your Outlook Mobile Access DNS address and make sure that Outlook Mobile Access is working properly.

Note

Although Internet Explorer is not a supported client for Outlook Mobile Access, it is useful to test whether you can communicate with your Exchange front-end server. After you successfully connect to your Exchange server using Outlook Mobile Access, verify that you can connect to your Exchange server using a supported mobile device with Internet connectivity.

Testing Exchange ActiveSync

Configure a mobile device to connect to your Exchange server using Exchange ActiveSync®, and make sure that ISA Server and Exchange ActiveSync are working properly.

Note

You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 – Not implemented or not supported, ISA Server and Exchange ActiveSync are working together properly.

Procedure 9: View Outlook Web Access Session Information in the ISA Server Logs

ISA Server will log the requests that match the mail server publishing rule, if Log requests matching this rule is selected on the Action tab of the rule properties. (This is the default condition.)

Checking the logging property of the rule

To check the logging property of the rule, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the details pane, double-click the mail server publishing rule to open its properties dialog box.

  3. Select the Action tab and confirm that Log requests matching this rule is selected.

  4. Click OK to close the properties dialog box.

Viewing the information in the log

To view the information in the log, follow these steps:

  1. In the Microsoft ISA Server Management console tree, select Monitoring.

  2. In the Monitoring details pane, select Logging.

  3. Create a filter so that you receive only the log information regarding Outlook Web Access access attempts. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. The filter has three default conditions, specifying that the log time is Live, that log information from both the firewall and the Web Proxy should be provided, and that connection status should not be provided. You can edit these conditions, and add additional conditions to limit the information retrieved during the query.

  4. Select Log Time. From the Condition drop-down list box, select Last 24 Hours, and then click Update.

  5. Select Log Record Type. From the Value drop-down list box, select Firewall, and then click Update.

  6. In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box. Add another expression by selecting an item in the Filter by drop-down list box, and then provide a Condition and Value. For example, to limit the log to display access to your published Web servers, you can add the expressions Filter by: Log Record Type, Condition: Equals, Value: Web Proxy Filter, and Filter by:Service, Condition: Equals, Value: Reverse Proxy. This will limit the log to items that match Web publishing rules, including the Outlook Web Access publishing rule.

  7. After you have created an expression, click Add to List to add it to the query list, and then click Start Query to start the query. The Start Query command is also available in the task pane on the Tasks tab.

References

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page (https://www.microsoft.com).

For information about how to deploy Outlook Web Access in Exchange Server 2003, see the Exchange Server 2003 Deployment Guide (www.microsoft.com).

For information about how to deploy Outlook Web Access in Exchange 2000 Server, see the document Outlook Web Access in Exchange 2000 Server (www.microsoft.com), and Customizing Microsoft Outlook Web Access (www.microsoft.com).
