
ISA Server 2004/Exchange Server Deployment Kit: Front-end Back-end Exchange Server Perimeter Network Scenario
Chapter 12
Published: February 2004
For the latest information, please see http://www.microsoft.com/isaserver/
Contents
Create the Access Rules for Front-end/Back-end Traffic
Create Access Rules for FE and BE for SMTP and DNS
Join the Front-end Machine to the Domain
Install Exchange Server on the FE Machine
Configure the OWA, POP3 and IMAP Services on the Back-end Server
Create Registry Entry to Limit RPC Ports on the Back-end Server
Export the OWA/RPC/HTTP Web Site Certificate to a File and Copy it to the ISA Server 2004 Firewall
Configure the OWA, POP3 and IMAP Services on the Front-end Server
Publish the Web Enrollment Site
Issue a CA Certificate to the Web Client
Configure the Public DNS to Resolve the Names of the OWA, POP3 and IMAP4 Sites
Create HOSTS File Entries on the External E-mail Client
Make the OWA, POP3 and IMAP4 connection
The Exchange Server front-end/back-end configuration distributes Exchange-related tasks between front-end and back-end Exchange Servers. This task distribution has many advantages over a back-end-only Exchange configuration. Some of these advantages include:
· A single namespace
The key advantage of a front-end and back-end server configuration is the ability to use a single namespace. You can define a namespace that users use to connect to their mailboxes (for example, http://owa.internal.net for Outlook Web Access). Without a front-end/back-end configuration, each user must know the name of the server that stores their mailbox.
· Distribution of processing tasks among multiple servers
You can configure your OWA sites to use Secure Sockets Layer (SSL) between the client and the server to protect the traffic from Internet intruders. However, encryption consumes a large number of processor cycles. The front-end and back-end server setup allows the front-end servers to handle all SSL encryption and decryption tasks. This offloads the encryption work from the back-end Exchange Servers and improves overall performance.
· Improved IMAP4 access to public folders
The IMAP4 protocol allows a server to refer an IMAP4 client to another server. Exchange supports this referral functionality when the public folder store on a particular server does not contain the requested content. When an IMAP4 client that does not support referrals connects through a front-end server, the client can still access the entire public folder hierarchy: the front-end server automatically handles any referral response that is passed back when a folder is not available on the back-end server, so the referrals are transparent to the client.
You can make secure Outlook Web Access (OWA), secure POP3 and secure IMAP4 services available to remote users by publishing the front-end Exchange Server. ISA Server Web and Server Publishing Rules allow remote users secure inbound access to these vital services. In addition, users will never need to change configuration settings on their email client computers when you correctly configure a split DNS infrastructure to support remote access clients.
In this ISA Server 2004/Exchange Server Deployment Kit document we will go over detailed procedures required to configure Microsoft Exchange Servers and the ISA Server 2004 firewall to support the front-end Exchange Server on a perimeter network and the back-end Exchange Server on the Internal network.
The following procedures are required to allow your remote users to access Exchange email services via the ISA Server 2004 firewall:
· Define the Perimeter Network
· Create the Network Rules
· Create the Access Rules for front-end/back-end Traffic
· Create Access Rules for FE and BE for SMTP and DNS
· Create the Server Publishing Rules Allowing Inbound Access for HTTP, POP3 and IMAP4 to the FE Server
· Join the Front-end Machine to the Domain
· Install Exchange Server on the FE Machine
· Configure the OWA, POP3 and IMAP Services on the Back-end Server
· Create a Registry Entry to Limit RPC Ports on the Back-end Server
· Request a Web Site Certificate to be used by OWA/RPC/HTTP Web, POP3 and IMAP Services on the FE Server
· Export the OWA/RPC/HTTP Web Site Certificate to a File and Copy it to the ISA Server 2004 Firewall
· Configure the OWA, POP3 and IMAP Services on the Front-end Server
· Import the OWA/RPC/HTTP Web Site Certificate into the ISA Server 2004 Firewall’s Machine Certificate Store
· Create a HOSTS File Entry and Create the Server Publishing Rule Allowing Inbound Access to the Front-end Exchange Server
· Publish the Web Enrollment Site
· Issue a CA Certificate to the Web Client
· Configure the Public DNS to Resolve the Names of the OWA, POP3 and IMAP4 Sites
· Create HOSTS File Entries on the External E-mail Client
· Make the OWA, POP3 and IMAP4 connection
The first step is to create a Perimeter Network definition on the ISA Server 2004 firewall. The ISA Server 2004 firewall is configured with three network interfaces. The interface on network ID 172.16.0.0/16 will be used for the perimeter network. You must define this network as a Perimeter Network; otherwise the firewall treats its addresses as part of the External Network, because every address that does not belong to a defined network is considered External.
Perform the following steps on the ISA Server 2004 firewall machine to define the Perimeter Network:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node.
2. In the Details Pane, click the Networks tab. Click the Tasks tab on the Task Pane. Click the Create a New Network link.
3. On the Welcome to the New Network Wizard page, enter a name for the new network in the Network name text box. In this example, we will name the Network Perimeter. Click Next.
4. On the Network Type page, select the Perimeter Network option. Click Next.

5. On the Network Addresses page, click the Add Adapter button.
6. In the Select Network Adapters dialog box, put a checkmark in the checkbox next to the perimeter network adapter. In this example, the network adapter is named DMZ. Click OK.
7. Click Next on the Network Addresses page.
8. Click Finish on the Completing the New Network Wizard page.
Network Rules define the routing relationship between two networks. You can define a Route relationship or a NAT relationship. A Route relationship simply routes packets between the networks (if the connection is allowed by firewall policy) and leaves the source address intact. A NAT relationship performs network address translation: the source IP address is replaced with the IP address of the ISA Server adapter through which the packet leaves. For example, the default relationship between the Internal and External Networks is NAT; when a connection is made from an Internal Network host to an External Network host, the source IP address the External host sees is the primary IP address on the External interface of the ISA Server 2004 firewall.
In our current scenario, both the Perimeter Network and the Internal Network use private IP addresses, so we can use a Route relationship between them. Note that a Route relationship is not usable between a private-address network and a public-address network such as the Internet, because private addresses are not routable there; that is why the relationship between the Perimeter and External Networks, created below, is NAT.
Perform the following steps to create the Route relationship between the Internal Network and the Perimeter Network:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Networks node.
2. On the Networks node, click the Network Rules node in the Details Pane.
3. On the Details Pane, click the Tasks tab on the Task Pane. Click the Create a New Network Rule link.
4. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. We will name the rule Internal<->Perimeter. Click Next.
5. On the Network Traffic Sources page, click the Add button.
6. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal entry. Click Close.
7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click the Add button.
9. In the Add Network Entities dialog box, click the Networks folder and then double click the Perimeter entry. Click Close.
10. Click Next on the Network Traffic Destinations page.
11. On the Network Relationship page, select the Route option. Click Next.

12. Click Finish on the Completing the New Network Rule Wizard page.
The next rule creates a NAT relationship between the Perimeter and External Networks:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Networks node.
2. On the Networks node, click the Network Rules node in the Details Pane.
3. On the Details Pane, click the Tasks tab on the Task Pane. Click the Create a New Network Rule link.
4. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. We will name the rule External<->Perimeter. Click Next.
5. On the Network Traffic Sources page, click the Add button.
6. In the Add Network Entities dialog box, click the Networks folder and then double click the Perimeter entry. Click Close.
7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click the Add button.
9. In the Add Network Entities dialog box, click the Networks folder and then double click the External entry. Click Close.
10. Click Next on the Network Traffic Destinations page.
11. On the Network Relationship page, select the NAT option. Click Next.
12. Click Finish on the Completing the New Network Rule Wizard page.
Now that the Perimeter Network is created and there is a Network Rule that defines the routing relationship between the Internal and Perimeter Networks, we can create Access Rules that control the traffic between the Internal and Perimeter Networks. Table 1 below describes the Access Rule that allows the required traffic between the front-end Exchange Server in the perimeter network and the back-end Exchange Server on the Internal Network.
Table 1 FE/BE Exchange Access Rule

Name           FE<->BE Connection
Action         Allow
Protocols      ADLogon/DirRep*, FEBE/LinkState*, Direct Access*, DNS, HTTP, IMAP4, POP3, SMTP, Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP (TCP), LDAP (UDP), LDAP GC (Global Catalog), RPC (All Interfaces), NTP, Ping
From           Front-end Exchange**, Back-end Exchange**
To             Back-end Exchange**, Front-end Exchange**
Users          All
Schedule       Always
Content Types  All content types

* User-defined protocols
** User-defined network objects

The user-defined protocols are:
ADLogon/DirRep: Primary Connection: TCP 1600 Outbound (requires the RPC port registry value to be set on the back-end Exchange Server, as described later in this document)
Direct Access: Primary Connection: TCP 445 Outbound
FEBE/LinkState: Primary Connection: TCP 691 Outbound
We also need to create an Access Rule that allows all traffic to move between the Perimeter Network and the Internal Network. This is a temporary rule that is required to issue Web site certificates to the Exchange Services on the Perimeter Network. We will disable this rule after the Web site certificates are bound to the front-end Exchange Server’s services.
Table 2 Temporary All-Open Perimeter/Internal Access Rule

Name           (Temp) All Open Perimeter<->Internal
Action         Allow
Protocols      All Network Traffic
From           Front-end Exchange**, Back-end Exchange**
To             Back-end Exchange**, Front-end Exchange**
Users          All
Schedule       Always
Content Types  All content types

** User-defined network objects
Perform the following steps to create the Access Rule that controls traffic between the front-end and back-end Exchange Servers:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab on the Task Pane. Click the Create a New Access Rule link.
3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will call the rule FE<->BE Connection. Click Next.
4. On the Rule Action page, select the Allow option and click Next.
5. In the This rule applies to list, select the Selected protocols option. Click the Add button.
6. In the Add Protocols dialog box, click the All Protocols folder. Double click the following protocols:
DNS
HTTP
IMAP4
POP3
SMTP
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
RPC (All Interfaces)
NTP (UDP)
Ping
7. Click the New menu and click Protocol.
8. On the Welcome to the New Protocol Definition Wizard page, enter ADLogon/DirRep in the Protocol Definition name text box. Click Next.
9. On the Primary Connection Information page, click New.
10. On the New/Edit Protocol Connection page, select TCP in the Protocol type list. Select Outbound in the Direction list. In the Port Range frame, enter 1600 in the From and To text boxes. Click OK.

11. Click Next on the Primary Connection Information page.
12. Select the No option on the Secondary Connections page and click Next.
13. Click Finish on the Completing the New Protocol Definition Wizard page.
14. Click the New menu and click Protocol.
15. On the Welcome to the New Protocol Definition Wizard page, enter Direct Access in the Protocol Definition name text box. Click Next.
16. On the Primary Connection Information page, click New.
17. On the New/Edit Protocol Connection page, select TCP in the Protocol type list. Select Outbound in the Direction list. In the Port Range frame, enter 445 in the From and To text boxes. Click OK.
18. Click Next on the Primary Connection Information page.
19. Select the No option on the Secondary Connections page and click Next.
20. Click Finish on the Completing the New Protocol Definition Wizard page.
21. Click the New menu and click Protocol.
22. On the Welcome to the New Protocol Definition Wizard page, enter FEBE/LinkState in the Protocol Definition name text box. Click Next.
23. On the Primary Connection Information page, click New.
24. On the New/Edit Protocol Connection page, select TCP in the Protocol type list. Select Outbound in the Direction list. In the Port Range frame, enter 691 in the From and To text boxes. Click OK.
25. Click Next on the Primary Connection Information page.
26. Select the No option on the Secondary Connections page and click Next.
27. Click Finish on the Completing the New Protocol Definition Wizard page.
28. In the Add Protocols dialog box, click the User-Defined folder. Double click on the ADLogon/DirRep, Direct Access and FEBE/LinkState protocols. Click Close.
29. Click Next on the Protocols page.
30. On the Access Rule Sources page, click Add.
31. In the Add Network Entities dialog box, click the New menu. Click Computer.
32. In the New Computer Rule Element dialog box, enter Front-end Exchange in the Name text box. Enter 172.16.0.2 in the Computer IP Address text box. Click OK.

33. In the Add Network Entities dialog box, click the New menu. Click Computer.
34. In the New Computer Rule Element dialog box, enter Back-end Exchange in the Name text box. Enter 10.0.0.2 in the Computer IP Address text box. Click OK.
35. In the Add Network Entities dialog box, click the Computers folder. Double click on the Back-end Exchange and Front-end Exchange entries. Click Close.
36. Click Next on the Access Rule Sources page.
37. On the Access Rule Destinations page, click Add.
38. In the Add Network Entities dialog box, click the Computers folder. Double click on the Back-end Exchange and Front-end Exchange entries. Click Close.
39. Click Next on the Access Rule Destinations page.
40. On the User Sets page, accept the default entry, All Users, and click Next.
41. Review the settings on the Completing the New Access Rule Wizard page and click Finish.
The next step is to create the “all open” rule that we will use for issuing certificates to the front-end Exchange Server. This rule will be disabled after the certificates are issued. Perform the following steps to create the rule:
1. Click the Create New Access Rule link on the Tasks tab.
2. On the Welcome to the New Access Rule Wizard page, enter (Temp) All Open Perimeter<->Internal in the Access Rule name text box. Click Next.

3. On the Rule Action page, select the Allow option and click Next.
4. On the Protocols page, accept the default selection, All outbound traffic, on the This rule applies to list and click Next.
5. On the Access Rule Sources page, click Add.
6. In the Add Network Entities dialog box, click the Computers folder. Double click on the Back-end Exchange and Front-end Exchange entries. Click Close.
7. Click Next on the Access Rule Sources page.
8. On the Access Rule Destinations page, click Add.
9. In the Add Network Entities dialog box, click the Computers folder. Double click on the Back-end Exchange and Front-end Exchange entries. Click Close.
10. Click Next on the Access Rule Destinations page.
11. On the User Sets page, accept the default entry, All Users, and click Next.
12. Review the settings on the Completing the New Access Rule Wizard page and click Finish.
We now need to disable the RPC filter. The RPC filter provides ISA Server's RPC-aware inspection: it follows the endpoint-mapper exchange on TCP port 135 and the dynamically assigned port negotiated through it. In this scenario the back-end server is instead configured to answer RPC on the fixed port defined in the ADLogon/DirRep protocol, and the filter is disabled so that it does not interfere with that traffic. Keep in mind that with the filter off, the RPC (All Interfaces) entry in the FE<->BE rule only allows the endpoint-mapper port itself; the actual RPC traffic rides on the fixed port. Perform the following steps to disable the ISA Server 2004 RPC filter:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click the Add-ins node.
2. At the Add-ins node, right click the RPC Filter entry in the Details Pane and click Disable.

3. Click Apply to save the changes and update the firewall policy.
4. In the ISA Server Warning dialog box, select the Save the changes and restart the services option and click OK.
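Once the policy has been applied, it is worth confirming from the front-end side that each TCP protocol in the FE<->BE rule actually reaches the back-end server. The following script is an added check and is not part of the deployment kit; it assumes the kit's addresses (back-end Exchange at 10.0.0.2) and must be run from the front-end server's address, 172.16.0.2, because the rule's source is that computer object. Run it only after the temporary all-open rule has been disabled, since while that rule is active every port will succeed and the result says nothing about the FE<->BE rule.

```powershell
# Added check, not part of the deployment kit. Run on the front-end server
# (172.16.0.2) against the back-end server once the FE<->BE rule is applied
# and the temporary all-open rule is disabled.
$backEnd   = '10.0.0.2'   # back-end Exchange, as in the kit
$timeoutMs = 2000

# TCP ports taken from the FE<->BE rule and its user-defined protocols.
# UDP entries (DNS, Kerberos, LDAP, NTP) and Ping are not probed here:
# a UDP send gets no answer from a dropping firewall either way.
$tcpProtocols = @(
    @{ Name = 'SMTP';                       Port = 25   },
    @{ Name = 'DNS (TCP)';                  Port = 53   },
    @{ Name = 'HTTP';                       Port = 80   },
    @{ Name = 'Kerberos-Sec (TCP)';         Port = 88   },
    @{ Name = 'POP3';                       Port = 110  },
    @{ Name = 'RPC endpoint mapper';        Port = 135  },
    @{ Name = 'IMAP4';                      Port = 143  },
    @{ Name = 'LDAP (TCP)';                 Port = 389  },
    @{ Name = 'Direct Access (SMB)';        Port = 445  },
    @{ Name = 'FEBE/LinkState';             Port = 691  },
    @{ Name = 'ADLogon/DirRep (fixed RPC)'; Port = 1600 },
    @{ Name = 'LDAP GC (Global Catalog)';   Port = 3268 }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST came back: dropped by policy, or host down.
            return 'NO RESPONSE - blocked by firewall policy or host down'
        }
        # EndConnect throws on RST: the packet passed the firewall, nothing listens.
        $client.EndConnect($async)
        return 'open'
    } catch {
        return 'REFUSED - allowed by the firewall, but no service on that port'
    } finally {
        $client.Close()
    }
}

foreach ($p in $tcpProtocols) {
    $state = Test-TcpPort -Target $backEnd -Port $p.Port -TimeoutMs $timeoutMs
    '{0,-30} {1,5}/tcp  {2}' -f $p.Name, $p.Port, $state
}
```

Read the two failure modes differently: NO RESPONSE means the connection never got through the firewall and the rule (or its protocol definition) needs attention; REFUSED means the rule is fine and the back-end host simply has nothing listening there. REFUSED on 88, 389, 3268 or 1600 in particular tells you the back-end Exchange Server is not itself a domain controller, in which case the directory protocols in the rule also need to reach the domain controllers the front-end server actually uses.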
Both the front-end and back-end Exchange Servers need to be able to send outbound SMTP messages. The front-end Exchange Server must be able to relay mail from authenticated users to domains that are not under your administrative control, and the back-end Exchange Server must be able to deliver mail from Internal network users to such domains. To accomplish this, you need to create an Access Rule that allows these two machines outbound access to the SMTP and DNS protocols. Note that this rule only lets the servers reach the Internet on those protocols; which senders are permitted to relay through the front-end server is decided by the relay restrictions on its SMTP virtual server, not by the firewall rule.
Perform the following steps to create this Access Rule:
1. Click the Tasks tab while in the Firewall Policy node. Click the Create a New Access Rule link.
2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will name the rule FE/BE Outbound SMTP/DNS and click Next.
3. On the Rule Action page, select the Allow option and click Next.
4. On the Protocols page, select the Selected protocols option in the This rule applies to list. Click the Add button.
5. In the Add Protocols dialog box, click the Common Protocols folder. Double click on the DNS and SMTP protocols. Click Close.
6. Click Next on the Protocols page.
7. On the Access Rule Sources page, click the Add button.
8. In the Add Network Entities dialog box, click the Computers folder. Double click on the Back-end Exchange and Front-end Exchange entries. Click Close.

9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click the Add button.
11. In the Add Network Entities dialog box, click the Networks folder. Double click on the External entry. Click Close.
12. Click Next on the Access Rule Destinations page.
13. On the User Sets page, accept the default entry, All Users, and click Next.
14. On the Completing the New Access Rule Wizard page, review the settings and click Finish.
15. Click Apply to save the changes and update the firewall policy.
16. Click OK in the Apply New Configuration dialog box.
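Because the front-end server sits in the perimeter network and is expected to relay only for authenticated users, it is worth confirming that an unauthenticated client cannot use it as an open relay. The script below is an added check, not part of the deployment kit; it speaks SMTP directly to the front-end server and reports the reply to a RCPT TO for a domain the server does not host. The server address is the kit's front-end address, and the sender and recipient mailboxes are assumptions for illustration. Run it from a host that must not be allowed to relay, for example the external e-mail client through the published address.

```powershell
# Added check, not part of the deployment kit: probe the front-end server for
# anonymous relaying. Addresses and mailboxes below are illustrative.
$server    = '172.16.0.2'            # front-end Exchange (or its published address)
$sender    = 'probe@example.org'     # hypothetical outside sender
$recipient = 'someone@example.net'   # hypothetical domain you do not host

function Invoke-SmtpRelayProbe {
    param([string]$Server, [string]$Sender, [string]$Recipient)
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Reads one SMTP reply, skipping continuation lines ("250-...") up to the
    # final line ("250 ...").
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        return $line
    }

    $transcript = @()
    $rcptReply  = $null
    try {
        $transcript += 'S: ' + (Read-Reply)          # greeting banner
        foreach ($cmd in "EHLO probe.example.org", "MAIL FROM:<$Sender>", "RCPT TO:<$Recipient>", "QUIT") {
            $writer.WriteLine($cmd)
            $reply = Read-Reply
            $transcript += "C: $cmd", "S: $reply"
            if ($cmd -like 'RCPT*') { $rcptReply = $reply }
        }
    } finally {
        $client.Close()
    }
    # A 250 to RCPT TO for a domain you do not host means the server relays for anyone.
    New-Object PSObject -Property @{
        Transcript = $transcript
        RcptReply  = $rcptReply
        OpenRelay  = ($rcptReply -match '^250')
    }
}

$result = Invoke-SmtpRelayProbe -Server $server -Sender $sender -Recipient $recipient
$result.Transcript
if ($result.OpenRelay) { 'FAIL: anonymous relay accepted' } else { "OK: relay refused ($($result.RcptReply))" }
```

The transcript is printed so that the exact server reply is on record; a correctly restricted Exchange 2003 SMTP virtual server answers the RCPT TO with a 550 "Unable to relay" reply. Repeat the probe after authenticating with a valid user if you also want to confirm that the authenticated case does succeed.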
The Access Rules are now in place to provide the necessary communication channels required to join the front-end machine in the perimeter network to the domain. We will then install Microsoft Exchange 2003 on the front-end machine on the perimeter network after joining the domain.
Perform the following steps to join the front-end Exchange Server to the domain:
1. On the EXCHANGE2003FE machine, right click the My Computer icon on the desktop and click Properties.
2. In the System Properties dialog box, click the Computer Name tab.
3. On the Computer Name tab, click the Change button.
4. In the Computer Name Changes dialog box, select the Domain option and enter msfirewall.org in the text box underneath. Click OK.
5. In the Computer Name Changes dialog box, enter Administrator in the User name text box and the Administrator’s password in the Password text box. Click OK. (Any account that has permission to join computers to the domain can be used here; the built-in Administrator account is used only for simplicity.)
6. Click OK in the Computer Name Changes dialog box that welcomes you to the domain.
7. Click OK in the Computer Name Changes dialog box informing you that you must restart the computer for the change to take effect.
8. Click OK in the System Properties dialog box.
9. Click Yes in the System Settings Change dialog box.
10. Log on as Domain Administrator after the computer restarts. Make sure you log on to the domain, and not the local machine.
Now that the perimeter network machine is a member of the domain, Exchange Server 2003 can be installed on it. We will then configure the machine as a front-end Exchange Server after installation is complete. However, before installing Exchange Server 2003 on the front-end machine, we need to install the required IIS services.
Perform the following steps to install the required IIS services:
1. Click Start, point to Control Panel and click Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
3. On the Windows Components page, select the Application Server entry in the Components list and click Details.
4. In the Application Server dialog box, put a checkmark in the checkbox next to ASP.NET. Then, select the Internet Information Services (IIS) entry and click Details.
5. In the Internet Information Services (IIS) dialog box, put checkmarks in the checkboxes for NNTP Service, SMTP Service and World Wide Web service. Click OK.
6. Click OK in the Application Server dialog box.
7. On the Windows Components page, click the Networking Services entry in the Components list and click Details.
8. In the Networking Services dialog box, put a checkmark in the RPC over HTTP Proxy checkbox. Click OK.
9. Click Next on the Windows Components page.
10. Click OK in the Insert Disk dialog box.
11. Enter the path to the Windows Server 2003 i386 folder in the Copy files from text box on the Files Needed dialog box. Click OK.
12. Click Finish on the Completing the Windows Components Wizard page.
Perform the following steps to install Exchange Server 2003:
1. Place the Exchange Server 2003 CD into the CD-ROM drive. In the Exchange Server 2003 autorun menu, click the Exchange Deployment Tools link.
2. In the Exchange Deployment Tools window, click the Install Exchange 2003 on additional servers link.
3. Scroll down to the bottom of the Install Exchange 2003 on Additional Servers page. Click the Run Setup now link.
4. Click Next on the Welcome to the Microsoft Exchange Installation Wizard page.
5. Select the I agree option on the License Agreement page.
6. Click Next on the Component Selection page.
7. On the Licensing Agreement page, select the I agree that I have read and will be bound by the license agreements for this product option and click Next.
8. Click Next on the Installation Summary page.
9. Click Finish on the Completing the Microsoft Exchange Wizard page when installation is completed.
10. Click Exit on the Microsoft Exchange Server 2003 page.
11. Close the Exchange Server Deployment Tools window.
Perform the following steps to make the new Exchange Server a front-end Server:
1. Click Start, point to All Programs and point to Microsoft Exchange. Click System Manager.
2. In the Exchange System Manager, expand the Servers node and right click on the EXCHANGE2003FE entry in the left pane of the console. Click Properties.
3. In the EXCHANGE2003FE Properties dialog box, click the General tab.
4. On the General tab, put a checkmark in the This is a front-end server checkbox.
5. Click Apply and then click OK.
6. Restart the front-end server machine.
The back-end Exchange Server is configured to accept non-SSL connections, because the front-end Exchange Server does not use SSL when it connects to the back-end server: front-end to back-end traffic for OWA, POP3 and IMAP4 is sent in the clear, and it carries the Basic authentication credentials of your users. If you want to protect the connection between the front-end and back-end servers, use IPSec to secure front-end to back-end communications. There are details on how to configure IPSec at the end of this document.
The first step is to enable the POP3 and IMAP4 services. Perform the following steps on the back-end Exchange Server to enable the POP3 and IMAP4 services:
1. Click Start and point to Administrative Tools. Click the Services entry.
2. In the Services window, find the Microsoft Exchange IMAP4 entry and double click on it.
3. In the Microsoft Exchange IMAP4 Properties (Local Computer) dialog box, change the Startup type to Automatic, and then click Apply.
4. Click the Start button to start the IMAP4 service.
5. Click OK in the Microsoft Exchange IMAP4 Properties (Local Computer) dialog box.
6. In the Services window, find the Microsoft Exchange POP3 entry and double click on it.
7. In the Microsoft Exchange POP3 Properties (Local Computer) dialog box, change the Startup type to Automatic, and then click Apply.
8. Click the Start button to start the POP3 service.
9. Click OK in the Microsoft Exchange POP3 Properties (Local Computer) dialog box.

10. Close the Services console.
We can now begin configuring the HTTP, POP3 and IMAP4 services on the back-end Exchange Server. We will begin with the IMAP4 service. Perform the following steps to configure the back-end Exchange Server’s IMAP4 and POP3 services:
1. Click Start, point to All Programs and point to Microsoft Exchange. Click System Manager.
2. In the Exchange System Manager, expand the Servers node and then expand the EXCHANGE2003BE node. Expand the Protocols node and then expand the IMAP4 node.
3. Click the Default IMAP4 Virtual Server and then right click it. Click Properties.
4. On the General tab, select the IP address 10.0.0.2 from the IP address list. Click Apply.
5. Click the Access tab. On the Access tab, click the Authentication button.
6. In the Authentication dialog box, remove the checkmark from the Simple Authentication and Security Layer checkbox. Confirm that there is no checkmark in the Requires SSL/TLS encryption checkbox. Confirm that there is a checkmark in the Basic authentication (password is sent in clear text) checkbox. Click OK.
7. Click Apply and then click OK in the Default IMAP4 Virtual Server Properties dialog box.
8. Expand the POP3 node in the left pane of the console. Click on the Default POP3 Virtual Server and then right click it. Click Properties.
9. On the General tab, select the IP address 10.0.0.2 from the IP address list. Click Apply.
10. Click the Access tab. On the Access tab, click the Authentication button.
11. In the Authentication dialog box, remove the checkmark from the Simple Authentication and Security Layer checkbox. Confirm that there is no checkmark in the Requires SSL/TLS encryption checkbox. Confirm that there is a checkmark in the Basic authentication (password is sent in clear text) checkbox. Click OK.

12. Click Apply and then click OK in the Default POP3 Virtual Server Properties dialog box.
13. Close the Exchange System Manager.
Now we can configure the Outlook Web Access and RPC over HTTP Web folders. Perform the following steps to configure the Web site:
1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then expand the Default Web Site.
3. Click on the Exchange folder and then right click on it. Click Properties.
4. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
5. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.

6. Click OK in the Exchange Properties dialog box.
7. Click on the ExchWeb folder and then right click on it. Click Properties.
8. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
9. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
10. Click OK in the ExchWeb Properties dialog box. Click Select All in the Inheritance Override dialog box and click OK.
11. Click OK in the ExchWeb Properties dialog box.
12. Click on the Public folder and then right click on it. Click Properties.
13. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
14. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
15. Click OK in the Public Properties dialog box.
16. Click on the RPC folder and then right click on it. Click Properties.
17. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
18. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
19. Click OK in the RPC Properties dialog box. Click Select All in the Inheritance Override dialog box and click OK.
20. Click OK in the RPC Properties dialog box.
21. Right click on the Default Web Site node in the left pane and click Properties.
22. On the Web Site tab, select 10.0.0.2 from the IP address list. Click Apply and then click OK.
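The same IIS settings can be applied and, more importantly, verified without clicking through four property sheets. The script below is an added example and not part of the deployment kit; it uses the IIS 6.0 ADSI provider on the back-end server (run it as an administrator), with W3SVC/1 being the Default Web Site and the domain name and address taken from this scenario (MSFIREWALL, 10.0.0.2).

```powershell
# Added example, not from the deployment kit: apply and read back the IIS
# authentication settings of the steps above via the IIS 6.0 ADSI provider.
$site   = 'IIS://localhost/W3SVC/1'             # Default Web Site
$vdirs  = 'Exchange', 'ExchWeb', 'Public', 'Rpc'
$domain = 'MSFIREWALL'
$bindIp = '10.0.0.2'

# AuthFlags is a bit mask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows.
# The GUI steps leave only "Basic authentication (password is sent in clear text)".
$basicOnly = 2

foreach ($name in $vdirs) {
    $vdir = [ADSI]"$site/Root/$name"
    $vdir.Put('AuthFlags', $basicOnly)
    $vdir.Put('DefaultLogonDomain', $domain)
    $vdir.SetInfo()
}

# Bind the Default Web Site to the back-end address only; entries are "IP:port:hostheader".
$web = [ADSI]$site
$web.Put('ServerBindings', @("${bindIp}:80:"))
$web.SetInfo()

# Read back: anything other than exactly 2 means another method is still enabled.
foreach ($name in $vdirs) {
    $vdir   = [ADSI]"$site/Root/$name"
    $flags  = [int]$vdir.Get('AuthFlags')
    $logon  = $vdir.Get('DefaultLogonDomain')
    $state  = if ($flags -eq $basicOnly) { 'Basic only' } else { "AuthFlags=$flags (fix)" }
    '{0,-10} {1,-24} DefaultLogonDomain={2}' -f $name, $state, $logon
}
$bindings = ([ADSI]$site).Get('ServerBindings')
'ServerBindings: ' + ($bindings -join ', ')
```

One difference from the GUI: the Inheritance Override dialog that appears for ExchWeb and RPC, where you clicked Select All, also overwrites child nodes that carry their own AuthFlags value. The script only changes the four nodes it names, so run the read-back loop against any child node that was listed in that dialog as well.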
If you want the features that require RPCs, such as authentication or implicit logon, but do not want to open the wide range of ports above 1024, you can configure your domain controllers, global catalog servers, and all other back-end servers to use a single known port for all RPC traffic.
In order to authenticate clients, the registry value must be set on every server that the front-end server may contact with RPCs, such as a global catalog server. The value below controls the port that the directory service (NTDS) registers for RPC, so it takes effect on domain controllers and global catalog servers. Set it to a specific port, such as 1600:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)
We will configure the back-end Exchange Server to use TCP port 1600 for RPC connections.
Perform the following steps to create the Registry value on the back-end Exchange Server:
1. Click Start and then click Run.
2. In the Run dialog box, enter regedit in the Open text box and click OK.
3. In the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
4. Click Edit, point to New and click DWORD Value.
5. Change the name of New Value #1 to TCP/IP Port and press ENTER.
6. Double click the TCP/IP Port value.
7. In the Edit DWORD Value dialog box, select the Decimal option. In the Value data text box, enter 1600. Click OK.
8. Close the Registry Editor.
9. Restart the back-end Exchange Server.
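The same registry change done from a script, with the checks an administrator would want before rebooting. This is an added example and not part of the deployment kit; it assumes the NTDS\Parameters key sits under HKLM\SYSTEM\CurrentControlSet (where Registry Editor shows it), that TCP 1600 is the port chosen in this chapter, and that it runs elevated on the back-end server.

```powershell
# Added example (not from the deployment kit): pin the NTDS RPC endpoint to a
# fixed port and verify the value, instead of creating it by hand in regedit.
# Assumes the key lives under HKLM\SYSTEM\CurrentControlSet and that 1600 is the
# chapter's chosen port. A reboot is still required for the change to apply.
param([int]$RpcPort = 1600)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'TCP/IP Port'

function Set-NtdsRpcPort {
    param([int]$Port)
    if ($Port -lt 1024 -or $Port -gt 65535) {
        throw "Port $Port is outside the usable range 1024-65535."
    }
    # Refuse to pin the RPC endpoint to a port something else already listens on.
    $inUse = netstat -an -p TCP | Select-String -Pattern ":$Port\s+\S+\s+LISTENING"
    if ($inUse) { throw "TCP port $Port is already in use: $inUse" }

    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_DWORD, decimal value, exactly what steps 4-7 create through the UI.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Port -Force | Out-Null
}

function Test-NtdsRpcPort {
    param([int]$Port)
    $item   = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    $stored = $item.$ValueName
    [pscustomobject]@{
        Key           = $KeyPath
        Value         = $ValueName
        Stored        = $stored
        MatchesWanted = ($stored -eq $Port)
        # Only true after the reboot, once the service binds the pinned port.
        ListeningNow  = [bool](netstat -an -p TCP |
                               Select-String -Pattern ":$Port\s+\S+\s+LISTENING")
    }
}

Set-NtdsRpcPort -Port $RpcPort
Test-NtdsRpcPort -Port $RpcPort | Format-List
Write-Host "Reboot the server for the new RPC port to take effect (step 9)."
```

Run `Test-NtdsRpcPort` again after the restart; `ListeningNow` should then be true. The access rule between the Perimeter and Internal networks must allow the front-end server to reach this port, otherwise the fixed port buys nothing.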
Remote users will establish secure connections to the front-end Exchange Server using SSL/TLS encryption. In order to accomplish this, the front-end Web, POP3 and IMAP servers need Web site certificates bound to them. We can use the integrated Web Site Certificate Wizard that is included with IIS 6.0 to request these certificates directly from the online certificate authority on the Internal network.
In order to use the integrated Web site Certificate Request Wizard, we must use the “all open” Access Rule that we created earlier. We will disable this rule after we obtain the required certificates to increase the level of security between the Perimeter and Internal Networks.
Perform the following steps on the front-end Exchange Server to obtain the Web site certificate for the OWA service:
1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console. Click on the Default Web Site and then right click it. Click Properties.
3. In the Default Web Site Properties dialog box, click the Directory Security tab.
4. On the Directory Security tab, click the Server Certificate button.
5. On the Welcome to the Web Server Certificate Wizard page, click Next.
6. On the Server Certificate page, select the Create a new certificate option and click Next.
7. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option. Click Next.
8. On the Name and Security Settings page, accept the default values and click Next.
9. On the Organization name page, enter an Organization name and Organizational unit name in the text boxes. You can enter any value you like. Click Next.
10. On the Your Site’s Common Name page, enter a common name that will be included in the certificate. This is an extremely important setting. The name you enter here is the name that the external client must use to connect to the OWA Web site, and this name must resolve to the external address on the ISA Server 2004 firewall that is used by the Web listener for the OWA Web Publishing Rule. In this example, we will use owa.msfirewall.org as the common name. This address will resolve (for external clients) to 192.168.1.70, which will be the address we use for the listener in the OWA Web Publishing Rule. Click Next.
11. On the Geographical Information page, enter your State/province and City/locality in the text boxes. Click Next.
12. Accept the default SSL port on the SSL Port page. Click Next.
13. On the Choose a Certification Authority page, accept the default CA listed in the Certification authorities list. Click Next.
14. On the Certificate Request Submission page, review your settings and click Next.
15. Click Finish on the Completing the Web Server Certificate Wizard page.
16. Click OK in the Default Web Site Properties dialog box.
The next step is to enable the IMAP4 and POP3 services on the front-end Exchange Server. We must enable the services before we can request the certificate. Perform the following steps to enable the IMAP4 and POP3 services on the front-end Exchange Server:
1. Click Start and point to Administrative Tools. Click the Services entry.
2. In the Services window, find the Microsoft Exchange IMAP4 entry and double click on it.
3. In the Microsoft Exchange IMAP4 Properties (Local Computer) dialog box, change the Startup type to Automatic, and then click Apply.
4. Click the Start button to start the IMAP4 service.
5. Click OK in the Microsoft Exchange IMAP4 Properties (Local Computer) dialog box.
6. In the Services window, find the Microsoft Exchange POP3 entry and double click on it.
7. In the Microsoft Exchange POP3 Properties (Local Computer) dialog box, change the Startup type to Automatic, and then click Apply.
8. Click the Start button to start the POP3 service.
9. Click OK in the Microsoft Exchange POP3 Properties (Local Computer) dialog box.
10. Close the Services console.
Perform the following steps to request a Web site certificate for the IMAP4 service:
1. Open the Exchange System Manager, expand the organization name and then expand the Servers node. Expand your server name and then expand the Protocols node. Expand the IMAP4 node and click on the Default IMAP4 Virtual Server node. Right click on the Default IMAP4 Virtual Server node and click the Properties command.
2. Click on the Access tab and click the Certificate button in the Secure communication frame.

3. Read the information on the Welcome to the Web Server Certificate Wizard page and click Next.
4. On the Server Certificate page, select the Create a new certificate option and click Next.

5. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option. You can use this option because you have an enterprise CA and the machine that you’re requesting the certificate from is a member of the same domain as the enterprise CA. If you did not have an enterprise CA, or if you used a standalone CA instead of an enterprise CA, you would have to use an offline request and send the request file to the CA later. Click Next.

6. On the Name and Security Settings page, accept the default options and click Next.

7. On the Organizational Information page, enter the name of your organization in the Organization text box and enter the name of your organizational unit in the Organizational Unit text box. In this example, we enter MSFirewall Org as the Organization and Texas as the Organizational Unit. Click Next.

8. On the Your Site’s Common Name page, enter the name of the site in the Common name text box. This is an extremely important setting! The name that you enter here must be the name that the internal and external hosts use to access the site. In our current example, we will use the common name mail.msfirewall.org. Internal hosts must be able to resolve this name to the Internal address of the Exchange Server using this certificate, and external hosts must be able to resolve this name to the IP address on the external interface of the ISA Server 2004 firewall that is listening for the incoming IMAP4 connections. This is why it’s critical that you create a split DNS infrastructure to support both your internal and your remote users. Enter mail.msfirewall.org into the Common name text box and click Next.

9. On the Geographical Information page, enter your Country/Region, State/province and City/locality. You can enter any valid information you like, or enter the information as seen in the figure below. Click Next.

10. On the Choose a Certification Authority page, accept the default enterprise CA that appears in the Certification authorities list. Click Next.

11. Review the information on the Certificate Request Submission page and click Next.

12. Click Finish on the Completing the Web Server Certificate Wizard page.
13. The Communication button in the Secure communication frame becomes available after the certificate is installed. You will use this button later to force TLS security on IMAP4 connections with this IMAP4 server.
14. Click Apply and then click OK in the Default IMAP4 Virtual Server Properties dialog box.
Perform the following steps to bind a certificate to the POP3 service:
1. In the Exchange System Manager, expand the POP3 node in the left pane of the console. Click on the Default POP3 Server node and then right click it. Click Properties.
2. In the Default POP3 Virtual Server Properties dialog box, click the Access tab.
3. On the Access tab, click the Certificate button.
4. Click Next on the Welcome to the Web Server Certificate Wizard page.
5. On the Server Certificate page, select the Assign an existing certificate option and click Next.
6. On the Available Certificates page, select the mail.msfirewall.org certificate in the Select a certificate list. Click Next.
7. On the Certificate Summary page, click Next.
8. Click Finish on the Completing the Web Server Certificate Wizard page.
9. Click Apply and then click OK on the Default POP3 Virtual Server Properties dialog box.
We now need to enable the RPC filter and disable the (Temp) All Open Perimeter ↔ Internal Access Rule. Perform the following steps on the ISA Server 2004 firewall machine to accomplish both these tasks:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node in the left pane of the console. Click the Add-ins node.
2. At the Add-ins node, click the Application Filters tab in the Details Pane. Right click the RPC Filter and click Enable.
3. Click the Firewall Policy node in the left pane of the console.
4. At the Firewall Policy node, right click the (Temp) All Open Perimeter ↔ Internal rule in the Details Pane. Click Disable.
5. Click Apply to save the changes and update the firewall policy.
6. In the ISA Server Warning dialog box, select the Save the changes and restart the services option and click OK.
7. Click OK in the Apply New Configuration dialog box.
The ISA Server 2004 firewall impersonates the front-end Exchange Server when the remote OWA client connects to the ISA Server 2004 firewall to access the front-end Exchange Server. The mechanism of this impersonation is the Web site certificate that was installed on the Web site. The Web site certificate contains the common name of the Web site, and the OWA client recognizes the ISA Server 2004 firewall as the Web server because this common name matches the server name included in the OWA client’s request URL.
We must export the Web site certificate from the OWA Web site and then copy that certificate to the ISA Server 2004 firewall. Later, we will import this certificate into the ISA Server 2004 firewall’s machine certificate store and then bind it to the Web listener that accepts incoming requests for the front-end server.
Perform the following steps to export the Web site certificate with its private key to a file:
1. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then click the Default Web Site. Right click the Default Web Site and click Properties.
2. In the Default Web Site Properties dialog box, click the Directory Security tab.
3. On the Directory Security tab, click the View Certificate button in the Secure communications frame.
4. In the Certificate dialog box, click the Details tab. On the Details tab, click the Copy to File button.

5. Click Next on the Welcome to the Certificate Export Wizard page.
6. On the Export Private Key page, select the Yes, export the private key option and click Next.

7. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible and remove the checkmark from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) option. Click Next.

8. On the Password page, enter a Password and Confirm Password. Click Next.
9. On the File to Export page, enter c:\owacert in the File name text box. Click Next.
10. Click Finish on the Completing the Certificate Export Wizard page.
11. Click OK on the Certificate dialog box.
12. Click OK on the Default Web Site Properties dialog box.
Copy the owacert.pfx file to the root of the C:\ drive on the ISA Server 2004 firewall machine.
The front-end Exchange Server will be configured to support secure SSL/TLS connections to the OWA/RPC/HTTP Web site and the POP3/IMAP4 server sites. SSL is required because these sites will be configured to use only Basic authentication. The SSL link encryption will protect the user credentials from being intercepted by intruders.
Perform the following steps to configure the front-end Exchange Server’s IMAP4 and POP3 services:
1. Click Start, point to All Programs and point to Microsoft Exchange. Click System Manager.
2. In the Exchange System Manager, expand the Servers node and then expand the EXCHANGE2003FE node. Expand the Protocols node and then expand the IMAP4 node.
3. Click the Default IMAP4 Virtual Server and then right click it. Click Properties.
4. On the General tab, select the IP address 172.16.0.2 from the IP address list. Click Apply.
5. Click the Access tab. On the Access tab, click the Authentication button.
6. In the Authentication dialog box, remove the checkmark from the Simple Authentication and Security Layer checkbox. Place a checkmark in the Requires SSL/TLS encryption checkbox. Confirm that there is a checkmark in the Basic authentication (password is sent in clear text) checkbox. Click OK.
7. On the Access tab, click the Communication button. In the Security dialog box, place a checkmark in the Require secure channel checkbox. Place a checkmark in the Require 128-bit encryption checkbox. Click OK.
8. Click Apply and then click OK in the Default IMAP4 Virtual Server Properties dialog box.
9. Expand the POP3 node in the left pane of the console. Click on the Default POP3 Virtual Server and then right click it. Click Properties.
10. On the General tab, select the IP address 172.16.0.2 from the IP address list. Click Apply.
11. Click the Access tab. On the Access tab, click the Authentication button.
12. In the Authentication dialog box, remove the checkmark from the Simple Authentication and Security Layer checkbox. Place a checkmark in the Requires SSL/TLS encryption checkbox. Confirm that there is a checkmark in the Basic authentication (password is sent in clear text) checkbox. Click OK.
13. On the Access tab, click the Communication button. In the Security dialog box, place a checkmark in the Require secure channel checkbox. Place a checkmark in the Require 128-bit encryption checkbox. Click OK.
14. Click Apply and then click OK in the Default POP3 Virtual Server Properties dialog box.
15. Close the Exchange System Manager.
Now we can configure the Outlook Web Access and RPC over HTTP Web folders. Perform the following steps to configure the Web site:
1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node in the left pane of the console and then expand the Default Web Site.
3. Click on the Exchange folder and then right click on it. Click Properties.
4. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
5. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
6. In the Exchange Properties dialog box, click the Edit button in the Secure Communications frame.
7. In the Secure Communications dialog box, put a checkmark in the Require secure channel (SSL) checkbox. Put a checkmark in the Require 128-bit encryption checkbox. Click OK.
8. Click Apply and then click OK in the Exchange Properties dialog box.
9. Click on the ExchWeb folder and then right click on it. Click Properties.
10. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
11. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
12. In the ExchWeb Properties dialog box, click the Edit button in the Secure Communications frame.
13. In the Secure Communications dialog box, put a checkmark in the Require secure channel (SSL) checkbox. Put a checkmark in the Require 128-bit encryption checkbox. Click OK.
14. Click Apply in the ExchWeb Properties dialog box. Click Select All in the Inheritance Override dialog box and click OK.
15. Click OK in the ExchWeb Properties dialog box.
16. Click on the Public folder and then right click on it. Click Properties.
17. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
18. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
19. In the Public Properties dialog box, click the Edit button in the Secure Communications frame.
20. In the Secure Communications dialog box, put a checkmark in the Require secure channel (SSL) checkbox. Put a checkmark in the Require 128-bit encryption checkbox. Click OK.
21. Click Apply and OK in the Public Properties dialog box.
22. Click on the RPC folder and then right click on it. Click Properties.
23. Click on the Directory Security tab. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
24. In the Authentication Methods dialog box, remove checkmarks from all checkboxes except for the Basic authentication (password is sent in clear text) checkbox. If this is not already enabled, enable it now. Click Yes in the IIS Manager dialog box that informs you that the passwords are sent in clear text. Enter MSFIREWALL in the Default domain text box. Click OK.
25. In the RPC Properties dialog box, click the Edit button in the Secure Communications frame.
26. In the Secure Communications dialog box, put a checkmark in the Require secure channel (SSL) checkbox. Put a checkmark in the Require 128-bit encryption checkbox. Click OK.
27. Click OK in the RPC Properties dialog box. Click Select All in the Inheritance Override dialog box and click OK.
28. Click OK in the RPC Properties dialog box.
29. Right click on the Default Web Site node in the left pane and click Properties.
30. On the Web Site tab, select 172.16.0.2 from the IP address list. Click Apply and then click OK.
The Web site certificate must be imported into the ISA Server 2004 firewall’s machine certificate store before it can be bound to the Web Listener. Only after the Web site certificate (along with its private key) is imported into the firewall’s machine certificate store will the certificate be available for binding.
Perform the following steps to import the OWA server’s Web site certificate into the ISA Server’s machine certificate store:
1. At the ISA Server 2004 firewall machine, click Start and click on the Run command. Enter mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command.
2. Click the Add button in the Add/Remove Snap-in dialog box.
3. Click on the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box. Click Add.
4. Select the Computer account option on the Certificates snap-in page. Click Next.
5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish.
6. Click Close on the Add Standalone Snap-in page.
7. Click OK on the Add/Remove Snap-in dialog box.
8. Right click on the Personal node in the left pane of the console, point to All Tasks and click Import.
9. Click Next on the Welcome to the Certificate Import Wizard.
10. Click the Browse button and locate the certificate file. Click Next after the file path and name appear in the File name text box.

11. On the Password page, enter the password for the file. Do not put a checkmark in the Mark this key as exportable. This will allow you to back up or transport your keys at a later time checkbox. The reason is that this machine is a bastion host with an interface in a perimeter network or on the Internet and may be compromised. An attacker who compromises the machine may be able to steal the private key from it if the key is marked as exportable. Click Next.
12. On the Certificate Store page, confirm that the Place all certificates in the following store option is selected and that it says Personal in the Certificate store box. Click Next.
13. Review the settings on the Completing the Certificate Import page and click Finish.
14. Click OK on the Certificate Import Wizard dialog box informing you the import was successful.
15. You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN assigned to the Web site. This is the name external users use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it. Double click on the Web site certificate in the right pane of the console.

16. Expand the Trusted Root Certification Authorities node in the left pane of the console and scroll down to the CA certificate of the enterprise CA that issued the Web site certificate. Note that the enterprise CA certificate automatically appears in the Trusted Root Certification Authorities because we have an enterprise CA and the ISA Server 2004 firewall belongs to the same domain as the enterprise CA machine. If you used a standalone CA, or if the ISA Server 2004 firewall did not belong to the same domain as the enterprise CA, then you would need to copy the enterprise CA’s certificate into the Trusted Root Certification Authorities\Certificates node.
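The export on the front-end server (steps 1 to 12 of the export procedure) and the import on the firewall (steps 8 to 14 above) can also be done with the PKI module cmdlets, which lets you script the two checks that matter: the certificate subject really is the published name, and the private key is not exportable once it is on the firewall. This is an added example, not the kit’s own method; it assumes a Windows host with the PKI module (Windows Server 2012 or later), the chapter’s name owa.msfirewall.org and the file C:\owacert.pfx. The helper names are chosen for this example.

```powershell
# Added example (not from the deployment kit): export the OWA site certificate
# with its private key and chain, import it on the firewall WITHOUT marking the
# key exportable, and verify the result. Assumes the PKI module cmdlets
# (Export-/Import-PfxCertificate) and the chapter's name and file path.
$PublicName = 'owa.msfirewall.org'   # common name external clients will use
$PfxPath    = 'C:\owacert.pfx'

function Export-OwaSiteCertificate {
    param([string]$Name, [string]$Path, [securestring]$Password)
    # Pick the cert whose subject CN is the published name and that carries a private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Name))(,|$)" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$Name and a private key in LocalMachine\My." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) is expired." }
    # PKCS #12 with the issuing chain included (step 7's 'include all certificates in the path').
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -ChainOption BuildChain | Out-Null
    $cert.Thumbprint
}

function Import-OwaSiteCertificate {
    param([string]$Path, [securestring]$Password)
    # No -Exportable switch: the key cannot be re-exported from the bastion host (step 11).
    $cert = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    $cert.Thumbprint
}

function Test-OwaSiteCertificate {
    param([string]$Thumbprint, [string]$Name)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # CAPI keys expose Exportable through the CSP container; CNG keys through the export policy.
    $exportable = 'unknown'
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        } elseif ($key -is [System.Security.Cryptography.RSACng]) {
            $exportable = ([int]$key.Key.ExportPolicy -ne 0)
        }
    } catch { }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        SubjectMatches = ($cert.Subject -match "CN=$([regex]::Escape($Name))(,|$)")
        HasPrivateKey  = $cert.HasPrivateKey
        KeyExportable  = $exportable          # expected: False on the firewall
        ChainTrusted   = $chain.Build($cert)  # False until the issuing CA is in Trusted Root (step 16)
    }
}

# --- On the front-end Exchange Server ---
$pw = Read-Host -AsSecureString 'PFX password'
Export-OwaSiteCertificate -Name $PublicName -Path $PfxPath -Password $pw
# Copy C:\owacert.pfx to the ISA Server 2004 firewall, then run there:
# $tp = Import-OwaSiteCertificate -Path $PfxPath -Password $pw
# Test-OwaSiteCertificate -Thumbprint $tp -Name $PublicName | Format-List
```

Delete the .pfx file from both machines once the import is confirmed; the password-protected file is still a copy of the private key.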

In a production environment you would create a split DNS infrastructure that enables hosts on the Internal and External networks to properly resolve the name of the OWA Web site. We have not configured a split DNS infrastructure in our current example, so we will use a HOSTS file on the ISA Server 2004 firewall machine that enables the firewall to resolve the name of the OWA and RPC over HTTP Web site to the site’s Internal IP address.
Perform the following steps to create the HOSTS file entry mapping the OWA site to its Internal address on the ISA Server 2004 firewall machine:
1. Open Windows Explorer and navigate to \WINDOWS\system32\drivers\etc directory and open the hosts file.
2. In the Open With dialog box, select the Notepad entry and click OK.
3. The HOSTS file is opened in Notepad. Put a line at the end of the hosts file that resolves the name in the redirect to the IP address that can reach the OWA server on the internal network. For example, if the firewall in front of the OWA server on the internal network is performing reverse NAT to publish the internal OWA site, and the redirect is owa.msfirewall.org, then you would put in the following entry:
172.16.0.2 owa.msfirewall.org
172.16.0.3 mail.msfirewall.org
Where “172.16.0.2” is the IP address of the front-end Exchange server machine on the perimeter network. Make sure you press ENTER after you put this line into the hosts file so that there is an empty line at the end of the file.

4. Close Notepad and click Yes to save the changes made to the file.
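The HOSTS edit above, done as a script that refuses to add a second, conflicting mapping for a name and then confirms the firewall resolves the names as intended. This is an added example and not part of the deployment kit; it uses the chapter’s names and addresses and assumes it runs elevated on the ISA Server 2004 firewall.

```powershell
# Added example (not from the deployment kit): add the chapter's HOSTS entries
# idempotently and verify resolution through the system resolver (which reads
# HOSTS). Names and addresses are the chapter's; the script is an assumption
# about tooling. Run elevated on the firewall.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Entries = @{
    'owa.msfirewall.org'  = '172.16.0.2'   # front-end OWA / RPC over HTTP site
    'mail.msfirewall.org' = '172.16.0.3'   # POP3/IMAP4 name as given in the chapter
}

function Add-HostsEntries {
    param([hashtable]$Map, [string]$Path)
    $lines = @(Get-Content -Path $Path -ErrorAction SilentlyContinue)
    $added = @()
    foreach ($name in $Map.Keys) {
        $ip   = $Map[$name]
        $esc  = [regex]::Escape($name)
        # A line that already maps this name to a different address would make the
        # result depend on line order; treat it as an error instead of appending.
        $conflict = $lines | Where-Object {
            $_ -match "^\s*(\d{1,3}\.){3}\d{1,3}\s+.*\b$esc\b" -and
            $_ -notmatch "^\s*$([regex]::Escape($ip))\s"
        }
        if ($conflict) { throw "HOSTS already maps $name elsewhere: $conflict" }
        $present = $lines | Where-Object { $_ -match "^\s*$([regex]::Escape($ip))\s+.*\b$esc\b" }
        if (-not $present) { $added += "$ip`t$name" }
    }
    if ($added.Count -gt 0) {
        # Trailing newline so the last entry is terminated (the chapter's 'press ENTER' note).
        $text = ($lines + $added) -join "`r`n"
        Set-Content -Path $Path -Value ($text + "`r`n") -Encoding Ascii -NoNewline
    }
    $added
}

function Test-HostsEntries {
    param([hashtable]$Map)
    foreach ($name in $Map.Keys) {
        $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        [pscustomobject]@{
            Name     = $name
            Expected = $Map[$name]
            Resolved = ($resolved -join ',')
            Ok       = ($resolved -contains $Map[$name])
        }
    }
}

Add-HostsEntries -Map $Entries -Path $HostsPath
Test-HostsEntries -Map $Entries | Format-Table -AutoSize
```

If `Ok` is false for a name that was just added, flush the resolver cache (`ipconfig /flushdns`) and test again; a stale cached answer from public DNS will otherwise mask the HOSTS entry.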
Now we’re ready to create the OWA and RPC over HTTP Web Publishing Rule on the ISA Server 2004 firewall machine. Perform the following steps to securely publish the Exchange OWA Web site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Click the Tasks tab in the Task Pane. Click the Publish a Mail Server link.
2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we will call it Publish OWA and RPC/HTTP Web Site. Click Next.

3. On the Select Access Type page, select the Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) option and click Next.

4. On the Select Services page, put a checkmark in the Outlook Web Access checkbox. Confirm that there is a checkmark in the Enable high bit characters used by non-English character sets checkbox. This option allows OWA users to access mail using non-English character sets. Click Next.

5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next. This option creates a Web Publishing Rule that ensures a secure SSL connection from the client to the OWA Web site. This prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information. The external client made an SSL connection and expects that traffic to be secure from end to end.

6. On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example we will use the name owa.msfirewall.org. Note that this is the name used for the Exchange Server site on the internal network and this is the common name on the OWA Web site’s certificate. You could use an IP address, but that would create problems with the SSL connection between the internal interface of the ISA Server 2004 firewall and the Exchange OWA site. You can use either a split DNS or a HOSTS file entry on the ISA Server 2004 firewall machine to resolve this name to the IP address used by the Exchange Server on the internal network. This is required so that the name in the request that the ISA Server 2004 firewall sends to the Exchange Server on the internal network is the same name as that on the certificate installed on the OWA Web site. Click Next.

7. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Again, this is the name the external user uses when accessing the Web site, and this is also the common name on the Web site certificate. This is the name the user enters into the browser’s Address bar. Click Next.

8. On the Select Web Listener page, click the New button. The Web listener works the same way as the Web listener did in ISA Server 2000, but with ISA Server 2004, you have more options. For example, you can create a separate Web listener for SSL and non-SSL connections on the same IP address. In addition, the Web listener settings are no longer global, and you can configure separate settings for each listener based on the number of addresses bound to the external interface of the ISA Server 2004 firewall.

9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example we will use the name OWA/RPC SSL Listener. Click Next.

10. On the IP Addresses page, put a checkmark in the External checkbox. Click the Address button.
11. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click on the external IP address on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA site in the Available IP Addresses list. In this example, we will select the 192.168.1.70 entry. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.

12. Click Next on the IP Addresses page.

13. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Leave the SSL port number at 443. By configuring this listener to use only SSL, you can configure a second listener with different settings that is dedicated for non-SSL connections.

14. Click the Select button. In the Select Certificate dialog box, click on the OWA Web site certificate that you imported into the ISA Server 2004 firewall’s machine certificate store and click OK. Note that this certificate will appear in this dialog box only after you have installed the Web site certificate into the ISA Server 2004 firewall’s machine certificate store. In addition, the certificate must contain the private key. If the private key was not included, it will not appear in this list.

15. Click Next on the Port Specification page.
16. Click Finish on the Completing the New Web Listener page.
17. The details of the Web listener now appear on the Select Web Listener page. Click Edit.

18. In the OWA SSL Listener Properties dialog box, click the Preferences tab.

19. On the Preferences tab, click the Authentication button.
20. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured.
21. Place a checkmark in the OWA Forms-Based authentication checkbox. The OWA Forms-based authentication feature is very useful and enhances the security the ISA Server 2004 firewall provides for your OWA site. The firewall generates the logon form and then forwards the credentials sent by the user to the OWA site for authentication. Only after the user is successfully authenticated is the connection request forwarded to the OWA site. This prevents unauthenticated users from connecting to the OWA site and eliminates the risks inherent in unauthenticated users accessing the OWA site. Note that you must not enable forms-based authentication at the Exchange Server’s OWA site. Forms-based authentication is enabled only at the ISA Server 2004 firewall. Note that this option does not have any influence over the RPC over HTTP connection. Click the Configure button.

22. On the OWA Forms-Based Authentication dialog box, put checkmarks in the Clients on public machines, Clients on private machines and Log off OWA when the user leaves OWA site checkboxes. These settings enhance security for your OWA site. Note that you also have the option to set the session time-outs for clients on both public and private machines. It is important to note that the user decides if the machine should be recognized as public or private. Because it is not good security policy to let the user determine the level of security applied to a connection, you should force the same policy on all users. Click OK.

23. Click OK in the Authentication dialog box.
24. Click Apply and then click OK in the OWA/RPC SSL Listener Properties dialog box.

25. Click Next on the Select Web Listener page.

26. On the User Sets page, accept the default entry, All Users, and then click Next. Note that this does not mean that all users will be able to access the OWA site. Only users that can authenticate successfully will be able to access the site. The actual authentication is done by the OWA site using the credentials that the ISA Server 2004 firewall forwards to it. You cannot have both the ISA Server 2004 firewall itself and the OWA or RPC over HTTP site authenticate the user. This means you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself using client certificate authentication.
27. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
28. Right click on the Publish OWA and RPC/HTTP Web site rule in the Details pane of the console and click Properties.
29. In the Publish OWA and RPC/HTTP Web Site Properties dialog box, click the Paths tab. On the Paths tab, click the Add button.
30. In the Path mapping dialog box, enter /rpc/* in the Specify the folder on the Web site that you want to publish. To publish the entire Web site, leave this field blank text box. Click OK.

31. The new path now appears on the Path mapping dialog box.

32. In the OWA Web site Properties dialog box, click the To tab. On the To tab, select the Requests appear to come from the original client option. This option allows the OWA Web and RPC over HTTP Web site to receive the actual IP address of the external client. This feature enables Web logging add-ons installed on the OWA Web site to use this information when creating reports.

33. Click Apply and then click OK.
34. Click Apply to save the changes and update the firewall policy.
35. Click OK in the Apply New Configuration dialog box.
The POP3, IMAP4 and SMTP services can all be published using the Mail Server Publishing Wizard. This saves time, as we do not need to publish these services separately. Perform the following steps to publish these three services:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click on the Firewall Policy node.
2. In the Firewall Policy node, click the Tasks tab in the Task Pane. Click the Publish a Mail Server link.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter Publish POP3/IMAP4/SMTP in the Mail Server Publishing Rule name text box. Click Next.
4. On the Select Access Type page, select the Client access: RPC, IMAP, POP3, SMTP option. Click Next.
5. On the Select Services page, put checkmarks in the Secure ports column for the POP3 and IMAP4 options. Put a checkmark in the Standard ports column for the SMTP option. Note that Microsoft Exchange Server receives both secure and non-secure connections on the same port (TCP port 25). Click Next.
6. On the Select Server page, enter 172.16.0.2 into the Server IP Address text box. Click Next.
7. On the IP Addresses page, put a checkmark in the External checkbox and click the Address button.
8. On the External Network Listener IP Selection page, select the Specified IP addresses on the ISA Server computer in the selected network option. Click on 192.168.1.70 in the Available IP Addresses list. Click Add. The address is moved to the Selected IP Addresses section. Click OK.
9. Click Next on the IP Addresses page.
10. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
11. Click Apply to save the changes and update the firewall policy.
12. Click OK in the Apply New Configuration dialog box.
The OWA and RPC over HTTP client needs the CA certificate of the enterprise CA that issued the Web site certificate to the RPC over HTTP Web site. This allows the OWA and RPC over HTTP client to trust the Web site, which is required for the connection to be established. The RPC over HTTP, POP3, IMAP4 and SMTP clients do not provide a mechanism where the user can choose to proceed when the local host computer does not trust the CA that issued the Web site certificate.
Perform the following steps to publish the enterprise CA’s Web enrollment site:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
2. In the Task Pane, click the Tasks tab. On the Tasks tab, click the Publish a Web Server link.

3. Enter a name for the Web Publishing Rule on the Welcome to the New Web Publishing Rule Wizard page. In this example, we will enter the name Publish Web Enrollment Site in the Web publishing rule name text box. Click Next.

4. Select the Allow option on the Select Rule Action page.
5. On the Define Website to Publish page, enter the IP address of the enterprise CA’s Web site in the Computer name or IP address text box. In this example, the IP address is 10.0.0.2, so we will enter that value into the text box. In the Path text box, enter /certsrv/*. Click Next.

6. On the Public Name Details page, select the This domain name (type below) option in the Accept request for list box. In the Public name text box, enter the IP address on the external interface of the firewall. In this example, the main office ISA Server 2004 firewall’s external address is 192.168.1.70, so we will enter that value into the text box. Enter /certsrv/* into the Path (optional) text box. Click Next.

7. On the Select Web Listener page, click the New button.
8. On the Welcome to the New Web Listener page, enter a name for the rule in the Web listener name text box. In this example, we will name the listener Listener70, to indicate the IP address that the listener is listening on. Click Next.
9. On the IP addresses page, put a checkmark in the External checkbox and click Next.
10. On the Port Specification page, accept the default settings. Confirm that there is a checkmark in the Enable HTTP checkbox and that the value 80 is in the HTTP port text box. Click Next.

11. Click Finish on the Completing the New Web Listener Wizard page.
12. Click Next on the Select Web Listener page.

13. Accept the default setting, All Users, on the User Sets page and click Next.
14. Click Finish on the Completing the New Web Publishing Rule Wizard page.

15. Right click on the Publish Web Enrollment Site rule and click Properties.
16. In the Publish Web Enrollment Site Properties dialog box, click the Paths tab.
17. On the Paths tab, click Add.
18. In the Path mapping dialog box, enter /CertControl/* in the Specify the folder on the Web site that you want to publish. To publish the entire Web site, leave this field blank. Click OK.
19. Click Apply and then OK in the Publish Web Enrollment Site Properties dialog box.
20. Click Apply to save the changes and update the firewall policy.
21. Click OK in the Apply New Configuration dialog box.
We now need to obtain the CA certificate from the enterprise CA on the internal network. We can connect to the Web enrollment site to obtain the CA certificate. Perform the following steps to obtain the CA certificate and install it on the Outlook Express client computer:
1. On the Outlook e-mail client computer, enter http://192.168.1.70/certsrv in the Address bar and press ENTER.
2. In the Connect to dialog box, enter Administrator in the User name text box and the Administrator’s password in the Password text box. Click OK.
3. On the Welcome page of the Microsoft Certificate Services site, click the Download a CA certificate, certificate chain, or CRL link.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click the Install this CA certificate chain link.
5. Click Yes in the Security Warning dialog box asking if you want to install the Microsoft Certificate Enrollment Control.
6. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site will add a certificate to the machine.
7. Click Yes in the Root Certificate Store dialog box asking if you want to add the CA certificate.
Close the browser after you see the CA Certificate Installation page that informs you that The CA certificate chain has been successfully installed.
Correct DNS host name resolution is critical when designing a remote access solution. The ideal DNS configuration allows users who move between the internal and external network to be able to resolve host names to the correct address regardless of where they are currently located.
The ideal DNS configuration is the split DNS. A split DNS infrastructure consists of two zones that serve the zone domain and subdomains:
· An internal zone that is used only by internal network hosts
· An external zone that is used only by external network hosts
Internal network hosts that need to resolve names query an internal network zone and receive the internal network IP address of the host they want to connect to. External network hosts query the external network zone and receive a public IP address they can connect to. The destination machine may be the same for the external and internal hosts; they just take different routes to arrive at their common destination.
For example, the internal network domain to which the Exchange Servers belong is domain.com. You publish the POP3, IMAP4 and OWA sites of the front-end server to the Internet using ISA Server 2000, and the ISA Server is using the IP address 131.107.0.1 to listen for incoming requests for those services. The front-end Exchange Server on the internal network has the IP address 10.0.0.3.
Your goal is to allow all hosts, regardless of their location, to access the front-end Exchange Server using the FQDNs owa.domain.com, pop3.domain.com and imap4.domain.com. You want hosts on the internal network to connect directly to the front-end Exchange Server using the IP address 10.0.0.3 and remote hosts connecting from the Internet to use IP address 131.107.0.1 to access the front-end Exchange server.
The solution is to create entries on a publicly available DNS server for the domain.com domain. You can have a third party host your DNS services, or you can host them yourself. Regardless of who hosts these addresses, the DNS resource records for the domain.com domain on this publicly available DNS server contain the public addresses you want users to use to access resources. In the case of the published resources on the front-end Exchange Server, you would create three Host (A) records: one for owa.domain.com, one for pop3.domain.com and the last one for imap4.domain.com, and all three of these map to the IP address 131.107.0.1.
You then create a second DNS server, this one being on the internal network behind the ISA Server firewall. The internal network DNS server also hosts a zone for the domain.com domain. You create three Host (A) resource records on the internal network DNS server within the domain.com zone: one for owa.domain.com, one for pop3.domain.com and the last one for imap4.domain.com. The difference is that this time you map these three entries to 10.0.0.3.
External network hosts are assigned a DNS server address that allows them to resolve names to public addresses. How these external hosts are assigned an IP address depends on where they are located. You usually have no control over the specific DNS server address that’s assigned to your remote hosts. However, this is not a problem: if you have registered your domain.com domain with an Internet Registrar and indicated the correct address for the publicly available authoritative DNS server for your domain, external hosts will have no problems resolving your public addresses correctly.
Internal network hosts can be assigned a correct DNS server address using DHCP. When a remote host moves into the internal network, it will receive new IP addressing information, including a DNS server address, from your DHCP server. When the host receives the IP address of your internal DNS server, then it will be able to resolve the names associated with the front-end Exchange Server to its internal address.
The external e-mail client machine must be able to resolve the name of the front-end Exchange server to the name that is on the server’s Web site certificates. Recall that the name we assigned to the Web site certificate on the Web server is owa.msfirewall.org and the name on the POP3 and IMAP4 servers is mail.msfirewall.org. The e-mail client must be able to resolve these names to the IP address on the external interface of the ISA Server 2004 firewall that listens for incoming requests to the front-end Exchange server. In our current example, this is 192.168.1.70.
In a production environment, you would have a split DNS infrastructure that correctly resolves names for both internal and external network clients. We have not created a split DNS infrastructure in our example setup; therefore, we will use a HOSTS file to resolve owa.msfirewall.org and mail.msfirewall.org to the correct IP address.
Perform the following steps to create the HOSTS file entry on the e-mail client machine:
1. Right click Start and click Explore.
2. Navigate to <system_root>\system32\drivers\etc and open the HOSTS file in Notepad.
3. In the HOSTS file, enter the following lines under the localhost entry:
192.168.1.70 owa.msfirewall.org
192.168.1.70 exchange2003be.msfirewall.org
Make sure that you press ENTER after you complete the line so that the insertion point is under the new line. Otherwise, the new entry won’t be recognized.
4. Close the HOSTS file and save the changes.
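A quick way to confirm that the client's HOSTS file will send the published names to the firewall listener is to parse it and compare each name against the expected address. The script below is an added example, not part of the deployment kit; the HOSTS content is constructed inline, and it reports the two mistakes this walkthrough warns about (a last line with no trailing newline, and a name that maps to the wrong address).

```python
import ipaddress
import re

# Constructed sample of a client HOSTS file, modelled on the entries this
# walkthrough adds under the localhost line (not a file from the kit).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "192.168.1.70    owa.msfirewall.org\n"
    "192.168.1.70\texchange2003be.msfirewall.org  # FE listener\n"
    "10.0.0.3        mail.msfirewall.org"   # deliberately wrong, and no trailing newline
)

def parse_hosts(text):
    """Return {hostname: [addresses in file order]}, ignoring comments and blank lines."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # malformed address field: skip the line
        for name in fields[1:]:                   # one line may carry several names
            mappings.setdefault(name.lower(), []).append(addr)
    return mappings

def check_hosts(text, expected):
    """Compare a HOSTS file against expected {name: listener_ip}; return a list of findings."""
    findings = []
    if not text.endswith("\n"):
        findings.append("last line has no trailing newline")
    mappings = parse_hosts(text)
    for name, want in expected.items():
        got = mappings.get(name.lower(), [])
        if not got:
            findings.append(f"{name}: no entry")
        elif want not in got:
            findings.append(f"{name}: maps to {', '.join(got)}, expected {want}")
        elif len(set(got)) > 1:
            findings.append(f"{name}: several addresses ({', '.join(got)}); resolver precedence decides")
    return findings

# Names the external client must resolve to the firewall's external listener.
EXPECTED = {
    "owa.msfirewall.org": "192.168.1.70",
    "exchange2003be.msfirewall.org": "192.168.1.70",
    "mail.msfirewall.org": "192.168.1.70",
}

if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS, EXPECTED):
        print("WARNING:", finding)
```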
At this point you are ready to configure the e-mail client to connect to the OWA Web site, and the Exchange Server’s POP3, IMAP4 and SMTP services. In each case except for the SMTP service connection, you will be able to create an SSL secured link. The SMTP connection can also be secured using SSL; however, we did not go through those procedures in this walkthrough.
You can obtain detailed step by step instructions on how to configure the Outlook Express E-mail clients by reviewing the client configuration information in each of the following chapters of this ISA Server 2004/Exchange Server Deployment Kit:
Chapter 7 – Publishing the Exchange Server POP3 Server Service
Chapter 8 – Publishing the Exchange Server IMAP4 Server Service
Chapter 10 – Publishing Secure Microsoft Outlook Web Access Sites
Chapter 11 – Secure RPC over HTTP Publishing – Single Server Configuration
In this ISA Server 2004/Exchange Server Deployment Kit document we discussed the procedures required to publish a secure Microsoft Exchange RPC over HTTP Web site and provision the RPC over HTTP Web client for a secure connection. We also examined issues related to a split DNS infrastructure and how a split DNS infrastructure supports RPC over HTTP clients who move between the Internal and External networks. In the next document in this ISA Server 2004/Exchange Server Deployment Kit series, we will examine how to publish a secure RPC over HTTP site.