
ISA Server 2004 Getting Started Guide: Publishing the Exchange Outlook Web Access, SMTP Server and POP3 Server Sites
Chapter 14
Published: February 2004
For the latest information, please see http://www.isaserver.org
Contents
Create the OWA Web Publishing Rule
Create the SMTP Server Publishing Rule
Create the POP3 Server Publishing Rule
One of the main reasons to deploy an ISA Server 2004 firewall is to protect Microsoft Exchange Servers. ISA Server 2004 includes a number of technologies focused on providing enhanced support for protecting Microsoft Exchange Server services published to the Internet. This increased level of protection for remote access to Microsoft Exchange Server services puts the ISA Server 2004 firewall in a unique position to be the firewall for Microsoft Exchange Server.
Providing secure remote access to Microsoft Exchange Server services can be a complex process. Fortunately, ISA Server 2004 includes a number of wizards that walk the firewall administrator through the process of providing secure remote access to Microsoft Exchange.
In this ISA Server 2004 Getting Started Guide document we will discuss methods you can use to provide secure remote access to the Exchange Outlook Web Access (OWA) site, the Exchange SMTP service and the Exchange POP3 service. We will assume that you have issued a Web site certificate to the OWA site, exported the certificate to a file (including the private key), and imported the Web site certificate to the ISA Server 2004 firewall’s machine certificate store. In addition, we will assume that the external client that connects to the OWA Web site through the ISA Server 2004 firewall has the CA certificate of the CA that issued the OWA site’s Web site certificate imported into its Trusted Root Certification Authorities certificate store.
Note: Certificate issuance and deployment is beyond the scope of this ISA Server 2004 Getting Started Guide document. For detailed information on deploying Web site and root CA certificates, please refer to the ISA Server 2004/Exchange Deployment Kit.
The following walkthrough discusses the basic methods used to provide remote access to the OWA, SMTP and POP3 services on the Exchange Server on the Internal network. In a production environment, remote access to the SMTP service would be secured using SSL and would require user authentication. Similarly, remote access to the POP3 service would also require a secure SSL connection. We limit our discussion to non-SSL connections in the following walkthrough for demonstration purposes only.
In addition, there are a number of procedures that have been carried out on the Exchange Server to optimize it for secure remote OWA connections. These procedures are outlined in the first chapter of this ISA Server 2004 Getting Started Guide. Note also that the Exchange POP3 service is disabled by default and must be manually enabled.
You will need to perform the following procedures to configure the ISA Server 2004 firewall to allow remote access connections to the Exchange Server service:
· Restore the system to its post-installation state
· Create the OWA Web Publishing Rule
· Create the SMTP Server Publishing Rule
· Create the POP3 Server Publishing Rule
· Test the connection
You can publish the Microsoft Exchange Outlook Web Access site using ISA Server 2004 Web Publishing after the site is configured to support secure SSL connections. These procedures include forcing SSL on the OWA directories and allowing the directories to accept only basic authentication.
Perform the following steps to create the Outlook Web Access Web Publishing Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
2. Right click the Firewall Policy node, point to New and click Mail Server Publishing Rule.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we will call it OWA Web Site. Click Next.
4. On the Select Access Type page, select the Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) option and click Next.

5. On the Select Services page, put a checkmark in the Outlook Web Access checkbox. Confirm that there is a checkmark in the Enable high bit characters used by non-English character sets checkbox. Click Next.

6. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.

7. On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example we will use the name owa.msfirewall.org. Click Next.

8. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Click Next.

9. On the Select Web Listener page, click the New button.
10. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example we will use the name OWA SSL Listener. Click Next.
11. On the IP Addresses page, put a checkmark in the External checkbox. Click the Address button.
12. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. In the Available IP Addresses list, click the external IP address on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA site. In this example, we will select the 192.168.1.70 entry. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
13. Click Next on the IP Addresses page.
14. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Leave the SSL port number at 443.
15. Click the Select button. In the Select Certificate dialog box, click on the OWA Web site certificate that you imported into the ISA Server 2004 firewall’s machine certificate store and click OK.
16. Click Next on the Port Specification page.
17. Click Finish on the Completing the New Web Listener page.
18. The details of the Web listener now appear on the Select Web Listener page. Click Edit.
19. In the OWA SSL Listener Properties dialog box, click the Preferences tab.

20. On the Preferences tab, click the Authentication button.
21. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured.
22. Place a checkmark in the OWA Forms-Based authentication checkbox. Click OK.

23. Click Apply and then click OK in the OWA SSL Listener Properties dialog box.
24. Click Next on the Select Web Listener page.

25. On the User Sets page, accept the default entry, All Users, and then click Next.
26. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
27. Click Apply to save the changes and update the firewall policy.
28. Click OK in the Apply New Configuration dialog box.
The next step is to create a HOSTS file entry on the ISA Server 2004 firewall machine so that it resolves the name owa.msfirewall.org to the IP address of the Exchange Server on the Internal network.
1. Click Start and click Run. In the Run dialog box, enter notepad in the Open text box and click OK.
2. Click the File menu and then click Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.

3. Add the following line to the HOSTS file:
10.0.0.2 owa.msfirewall.org
Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to indicate that you wish to save the changes.

You can create an SMTP Server Publishing Rule to provide external users and servers access to the Microsoft Exchange SMTP service. In general, you will prefer to use the ISA Server 2004 firewall as a secure SMTP filtering relay to prevent external users and servers from directly connecting to the Exchange Server. The Server Publishing Rule discussed in the following walkthrough is best used to provide external SMTP servers access to the Exchange Server so that they can send mail to the e-mail domains under your administrative control.
Perform the following steps to create the SMTP Server Publishing Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
2. Right click the Firewall Policy node and point to New. Click Server Publishing Rule.
3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule SMTP Server. Click Next.
4. On the Select Server page, enter the IP address of the Exchange Server on the Internal network. In our current example, the IP address is 10.0.0.2. Enter 10.0.0.2 into the text box. Click Next.
5. On the Select Protocol page, select the SMTP Server protocol from the Selected protocol list. Click Next.

6. On the IP Addresses page, put a checkmark in the External checkbox and then click the Address button.
7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.168.1.70, then click Add. The IP address now appears in the Selected IP Addresses list. Click OK.

8. Click Next on the IP Addresses page.
9. Click Finish on the Completing the New Server Publishing Rule Wizard page.
Remote access to the Exchange Server POP3 service allows users located away from the office to download their mail from the Exchange Server to virtually any e-mail client application. Users must provide a user name and password when they connect to the POP3 service. They download e-mail into their e-mail client application after sending their credentials. These user credentials are sent in clear text. In a production environment you would require an SSL secured POP3 connection so that user name and password are not easily accessible to Internet intruders.
Perform the following steps to create the POP3 Server Publishing Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
2. Right click the Firewall Policy node and point to New. Click Server Publishing Rule.
3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule POP3 Server. Click Next.
4. On the Select Server page, enter the IP address of the Exchange Server on the Internal network. In our current example, the IP address is 10.0.0.2. Enter 10.0.0.2 into the text box. Click Next.
5. On the Select Protocol page, select the POP3 Server protocol from the Selected protocol list. Click Next.
6. On the IP Addresses page, put a checkmark in the External checkbox and then click the Address button.
7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.168.1.70, then click Add. The IP address now appears in the Selected IP Addresses list. Click OK.

8. Click Next on the IP Addresses page.
9. Click Finish on the Completing the New Server Publishing Rule Wizard page.
We are now ready to test the OWA, SMTP and POP3 connections to the Exchange Server located behind the ISA Server 2004 firewall. The first step is to create a HOSTS file entry on the client so that it correctly resolves the name of the OWA site. In a production environment, you would create a public DNS resource record that correctly resolves this name for external network clients.
Perform the following steps to test the Outlook Web Access connection:
1. The first step is to add a HOSTS file entry on the external client machine. Click Start and click Run. In the Run dialog box, enter notepad in the Open text box and click OK.
2. Click the File menu and then click Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.

3. Add the following line to the HOSTS file:
192.168.1.70 owa.msfirewall.org
Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to indicate that you wish to save the changes.
4. Open Internet Explorer on the external client machine. Enter https://owa.msfirewall.org into the Address bar and press ENTER.
5. In the Outlook Web Access Log on form, enter the user name in the Domain\user name text box, and the password in the Password text box. Select the Premium client type and the Private computer Security type. In the current example, we will enter the user name MSFIREWALL\Administrator and the Administrator’s password. Click Log On.

Next, we will test the POP3 and SMTP functionality using Outlook Express:
1. On the external client machine, open Outlook Express. Click Tools and then click Accounts.
2. In the Internet Accounts dialog box, click the existing account and then click Remove. Click Yes in the Internet Accounts dialog box asking if you are sure you want to delete the account.
3. Click Add and then click Mail.
4. On the Your Name page, enter the name Administrator in the Display name text box. Click Next.
5. On the Internet E-mail Address page, enter the address administrator@msfirewall.org in the E-mail address text box. Click Next.
6. On the E-mail Server Names page, select the POP3 entry in the My incoming mail server is a x server list. Enter 192.168.1.70 in the Incoming mail (POP3, IMAP or HTTP) server text box. Enter 192.168.1.70 in the Outgoing mail (SMTP) server text box. Click Next.

7. On the Internet Mail Logon page, enter Administrator in the Account name text box and the administrator’s password in the Password text box. Click Next.
8. Click Finish on the Congratulations! page.
9. Click Close on the Internet Accounts dialog box.
10. Close Outlook Express and then open it again. Click the Create Mail button and address a message to administrator@msfirewall.org. Enter a subject and text and then click the Send button. To receive the mail from the POP3 server, click the Send/Recv button. The message you send appears in the Inbox.
11. Close Outlook Express.
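The connection tests above can also be scripted from the external client. The following Python script is an added example and is not part of the guide or of ISA Server; it assumes the lab values used in the walkthrough (external listener 192.168.1.70, public name owa.msfirewall.org, SMTP on 25 and POP3 on 110) and a PEM copy of the lab CA certificate at an assumed path, lab-root-ca.pem. It checks the same properties the wizard steps configured: the HOSTS entry points at the listener, port 443 presents a trusted certificate for the public name, plain HTTP is not accepted on the listener, and the two Server Publishing Rules answer with their service greetings.

```python
import socket
import ssl

EXTERNAL_IP = "192.168.1.70"        # external listener IP used in the walkthrough
PUBLIC_NAME = "owa.msfirewall.org"  # public name on the OWA rule and in the client HOSTS entry
LAB_CA_FILE = "lab-root-ca.pem"     # assumed path to the lab CA certificate (PEM)

def cert_name_matches(cert, public_name):
    """True if public_name is covered by a SAN dNSName (exact or one-label wildcard) or,
    absent a SAN, by the subject CN; `cert` is the dict SSLSocket.getpeercert() returns."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    wanted = public_name.lower()
    parent = wanted.split(".", 1)[1] if "." in wanted else None
    for name in (n.lower() for n in names):
        if name == wanted or (name.startswith("*.") and parent and name[2:] == parent):
            return True
    return False

def banner_ok(banner, protocol):
    """Greeting check for the two Server Publishing Rules: SMTP answers 220, POP3 answers +OK."""
    return banner.startswith({"smtp": "220", "pop3": "+OK"}[protocol])

def port_is_closed(ip, port, timeout=3.0):
    """True when nothing accepts TCP on ip:port (Enable HTTP was cleared on the listener)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return False
    except OSError:
        return True

def read_banner(ip, port, timeout=5.0):
    # First line a plain-text service sends on connect.
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace").strip()

def owa_tls_ok(ip, public_name, cafile):
    """Handshake on 443 trusting only the lab CA, then check the name on the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name check is done by cert_name_matches so it can be reported
    with socket.create_connection((ip, 443), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=public_name) as tls:
            return cert_name_matches(tls.getpeercert(), public_name)

if __name__ == "__main__":
    print("HOSTS entry resolves to the external listener:", socket.gethostbyname(PUBLIC_NAME) == EXTERNAL_IP)
    print("OWA certificate trusted and matches the public name:", owa_tls_ok(EXTERNAL_IP, PUBLIC_NAME, LAB_CA_FILE))
    print("Plain HTTP on the OWA listener is closed:", port_is_closed(EXTERNAL_IP, 80))
    print("SMTP rule answers with a 220 greeting:", banner_ok(read_banner(EXTERNAL_IP, 25), "smtp"))
    print("POP3 rule answers with +OK:", banner_ok(read_banner(EXTERNAL_IP, 110), "pop3"))
```

Run it on the external client after the HOSTS entry from step 3 is in place; a client with a modern TLS stack may need the context's minimum_version lowered before it will complete a handshake with a 2004-era listener.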
In this ISA Server 2004 Getting Started Guide document we discussed how to make the ISA Server 2004 firewall your front line of protection in an e-mail defense-in-depth plan. The ISA Server 2004 SMTP Message Screener can provide initial inspection and protection against dangerous and inappropriate e-mail messages. The Message Screener can perform initial evaluation of SMTP messages while also providing secure SMTP relay services that protect the mail server on the internal network from direct connections from untrusted servers. In the next document in this ISA Server 2004 Getting Started Guide series, we will discuss how the firewall can be used to publish an array of Exchange Server services.