How can I publish OWA 2003 with ISA Server 2004?
Publishing OWA 2003 with an internal certificate (issued by an unknown/un-trusted CA)
Internet Security and Acceleration Server 2004 has made a significant breakthrough in publishing Secured web-sites in general and Outlook Web Accesses specifically. We don’t need another exchange server for use as a front-end server if the only job we need it for is protecting our internal exchange server which holds our mailboxes.
Before we begin the publishing process, we need to make sure we already have Form-Based OWA, already working with SSL (See Configuring OWA 2003 with SSL).
- In case the ISA server is not part of the domain, the first stage should be installing CA-Root certificate of the Enterprise CA on the trusted root certificates on the ISA server. If the ISA server is a part of the domain (which is not recommended for security reasons), you can skip to the next stage.
- Open the Certificates snap-in (Start > Run > MMC) on the Certificate Authority Server for the local computer, and under “Trusted Root Certification Authorities, click certificates.
- Right click your Enterprise CA Certificate and click export.
- On the Welcome screen, click Next.
- On the Export File format window, choose DER encoded binary x.509, and on the next screen, save the file to a specified location.
- Copy the exported certificate to the ISA server, and open Certificates snap-in on the local machine (ISA server).
- Go to Trusted root certification authorities, right click the certificates container and choose All Tasks -> Import.
- Specify the location of the saved certificate, and under the certificate store window, choose place all certificates in the following store: Trusted Root Certification Authorities.
- The next stage would be installing a web certificate for use of the listener in the ISA server. The easiest way of doing that is by accessing the CA server via HTTP to the following path: http://CAServerName/certsrv (there are other ways of installing the certificate, but this is the easiest and we will discuss only this way in the article).
- In the next page choose advanced certificate request.
- In the advanced certificate request page, you should choose create and submit a certificate request to this CA.
- In the advanced certificate Request Next page, there are some details that needs to be defined:
- Under Certificate template, choose web server.
- Under name, specify the legal FQDN that the ISA server will use to publish the OWA to the internet (for example: owa.mycompany.com).
- The rest of details are the details that will appear on the certificate that people will get when to surf into the OWA website through the ISA server.
- Under Key Options, Check the box of “Store certificate in the local computer certificate store”.
- Under Additional Options, do not change anything.
- Click submit.
- When clicking submit, you might encounter the following message:
- On the Certificate Issued page, click install this certificate. When the warning pop-up window pops-up, click yes.
- The certificate is now installed on the ISA and we are ready to begin the ISA configuration.
- Open the ISA management console and move to the Firewall policy container.
- On the Tasks Bar on the right, click Publish a Mail server.
- Type the rule name and click Next.
- On the Select Access Type page, select Web Client Access: OWA, OMA, ActiveSync.
- On the Select Services page, you can choose which services you wish to publish.
Notice that although all of these services are published in the same way, there are little differences and tweaks that needs to be configured for each of them, and therefore we will only deal with Outlook Web Access for now. Make sure only OWA is check, and click next.
- On the bridging mode page, select secured connection to clients and mail server.
- On the specify mail server page, enter the internal FQDN for the Internal Exchange server Note: in that stage, you must assure that the ISA server will know how to translate the FQDN into IP – either by setting a DNS server, or adding a record in the ISA server’s HOSTS file. DO NOT enter IP address as the mail servers address, this will not work well with SSL in the picture.
- On the public details page, choose accept request for this domain name, and type below the legal FQDN for which the ISA is suppose to receive external requests for the OWA service. Note: this address should be identical to the address written as the name on the certificate issued earlier.
- On the web listener page click new. under the listener name, type HTTPS Listener and click next.
- Choose the which networks should the ISA server listen in for requests for the OWA service. The default choice should be external, unless you wish to access OWA for the internal network, or from other networks you configured in your ISA Earlier.
In case you have multiple addresses for the ISA in any network, you can click the addresses button, and choose a specific address in that network you wish the ISA would listen in for OWA requests.
- On the port specification page, uncheck the Enable HTTP, and Check the Enable SSL Check-box. Leave the default port, and click the select button. In this window choose the previously created certificate, and click next, and finish.
- When returning to the Port web Listener page, click Next, then finish.
- Now you can see the new rule created in the firewall policy, but there a few more tweaks we need to configure before we can finish.
- Double-Click on the Listener Part of the rule, and the next window should open up:
- On the preferences tab, click the authentication button, and the next window will pop-up:
- Make sure, only the Basic method for authentication is check and remove all other checked-boxes. Then, click OK, and OK again , the listener window.
- Double-Click the Name part of the rule, and the next window will open:
- On the users tab, mark the check-box at the bottom of the window for Forward basic authentication. Then, click OK.
- Now click apply the the top of the console to install the new rule.
Congratulations! You are done.
Publishing OWA 2003 with a trusted certificate (such as Verisign/Thawte)
The idea of Publishing OWA with a Trusted Certificate is basically the same, and steps 3-5 are the same as the above installation. The different stage is the certificate installation.
- Open Certificates MMC on the ISA server.
- Go to Personal Container, right click the certificates container, and choose all tasks -> import. Choose the location of the certificate you received from Thawte/Verisign/any other Known Trusted CA, and install the certificate into the personal Store.
The next phases are identical and should be done the same way.
About the author:
Yaniv Feldman is a MCT/MCSE and works as an Infrastructure and Information Security consultant with Integrity Systems (www.integrity-sys.com), an Israel-Based Microsoft Partner. Integrity Systems design, migrate, implement and support Microsoft Server solutions (Such as Active Directory, Exchange, ISA, MOM, SMS etc) for SMB and enterprise organizations. Yaniv Has been in the industry for the past 5 years as an IT specialist for Microsoft Technologies and Instructor for various IT related subjects.