
ISA Server 2004 Getting Started Guide: Publishing the Exchange Outlook Web Access, SMTP Server and POP3 Server Sites
Chapter 14
Published: February 2004
For the latest information, please see http://www.isaserver.org
Contents
Create the OWA Web Publishing Rule
Create the SMTP Server Publishing Rule
Create the POP3 Server Publishing Rule
One of the main reasons to deploy an ISA Server 2004 firewall is to protect Microsoft Exchange Servers. ISA Server 2004 includes a number of technologies focused on providing enhanced support for protecting Microsoft Exchange Services published to the Internet. This increased level of protection for remote access to Microsoft Exchange Server services puts the ISA Server 2004 firewall in a unique position to be the firewall for Microsoft Exchange Server.
Providing secure remote access to Microsoft Exchange Server services can be a complex process. Fortunately, ISA Server 2004 includes a number of wizards that walk the firewall administrator through the process of providing secure remote access to Microsoft Exchange.
In this ISA Server 2004 Getting Started Guide document we will discuss methods you can use to provide secure remote access to the Exchange Outlook Web Access (OWA) site, the Exchange SMTP service and the Exchange POP3 service. We will assume that you have issued a Web site certificate to the OWA site, exported the certificate to a file (including the private key), and imported the Web site certificate to the ISA Server 2004 firewall’s machine certificate store. In addition, we will assume that the external client that connects to the OWA Web site through the ISA Server 2004 firewall has the CA certificate of the CA that issued the OWA site’s Web site certificate imported into its Trusted Root Certification Authorities certificate store.
Note: Certificate issuance and deployment is beyond the scope of this ISA Server 2004 Getting Started Guide document. For detailed information on deploying Web site and root CA certificates, please refer to the ISA Server 2004/Exchange Deployment Kit.
The following walkthrough discusses the basic methods used to provide remote access to the OWA, SMTP and POP3 services on the Exchange Server on the Internal network. In a production environment, remote access to the SMTP service would be secured using SSL and by requiring user authentication. Similarly, remote access to the POP3 service would also require a secure SSL connection. We limit our discussion to non-SSL connections in the following walkthrough for demonstration purposes only.
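As an added example (not part of the original guide), the following Python sketch audits the EHLO reply that a published SMTP service returns before any TLS upgrade, which is one way to confirm that a production rule no longer matches the non-SSL demonstration setup. The sample replies and host names are constructed, and treating LOGIN/PLAIN offered before STARTTLS as a finding is this example's own policy assumption.

```python
# Constructed EHLO replies for illustration (not captured from a real server).
PLAINTEXT_ONLY = [
    "250-mail.example.test Hello [192.0.2.10]",
    "250-SIZE 10485760",
    "250-AUTH LOGIN",
    "250-AUTH=LOGIN",
    "250 OK",
]
HARDENED = [
    "250-mail.example.test Hello [192.0.2.10]",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250 OK",
]

# Mechanisms that send the password in a trivially reversible encoding.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

def parse_ehlo(lines):
    """Map each advertised extension keyword to its list of parameters."""
    caps = {}
    for line in lines[1:]:  # the first line is the greeting, not an extension
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not an EHLO success reply: %r" % line)
        # Some servers also advertise the legacy "AUTH=LOGIN" spelling.
        words = line[4:].replace("=", " ").split()
        if words:
            caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps

def audit_pre_tls(lines):
    """Return findings for an EHLO reply received before any TLS upgrade."""
    caps = parse_ehlo(lines)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: the session cannot be upgraded to TLS")
    exposed = sorted(CLEARTEXT_MECHS & set(caps.get("AUTH", [])))
    if exposed:
        findings.append("AUTH %s offered before TLS: credentials would cross "
                        "the network unencrypted" % "/".join(exposed))
    return findings

if __name__ == "__main__":
    for label, reply in (("plaintext-only", PLAINTEXT_ONLY), ("hardened", HARDENED)):
        print(label, audit_pre_tls(reply) or "ok")
```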
In addition, there are a number of procedures that have been carried out on the Exchange Server to optimize it for secure remote access OWA connections. These procedures are outlined in the first chapter of this ISA Server 2004 Getting Started Guide. In addition, the Exchange POP3 service is disabled by default and must be manually enabled.
You will need to perform the following procedures to configure the ISA Server 2004 firewall to allow remote access connections to the Exchange Server services:
· Restore the system to its post-installation state
· Create the OWA Web Publishing Rule
· Create the SMTP Server Publishing Rule
· Create the POP3 Server Publishing Rule
· Test the connection
You can publish the Microsoft Exchange Outlook Web Access site using ISA Server 2004 Web Publishing after the site is configured to support secure SSL connections. These procedures include forcing SSL on the OWA directories and allowing the directories to accept only basic authentication.
Perform the following steps to create the Outlook Web Access Web Publishing Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
2. Right click the Firewall Policy node, point to New and click Mail Server Publishing Rule.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we will call it OWA Web Site. Click Next.
4. On the Select Access Type page, select the Web client access (Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync) option and click Next.

5. On the Select Services page, put a checkmark in the Outlook Web Access checkbox. Confirm that there is a checkmark in the Enable high bit characters used by non-English character sets checkbox. Click Next.

6. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.

7. On the Specify the Web Mail Server page, enter the name for the Internal OWA Web site in the Web mail server text box. In this example we will use the name owa.msfirewall.org. Click Next.

8. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list. Enter the name external users will use to access the OWA Web site in the Public name text box. In this example, the external users will use the name owa.msfirewall.org. Click Next.

9. On the Select Web Listener page, click the New button.
10. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example we will use the name OWA SSL Listener. Click Next.
11. On the IP Addresses page, put a checkmark in the External checkbox. Click the Address button.
12. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click on the external IP address on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA site in the Available IP Addresses list. In this example, we will select the 192.168.1.70 entry. Click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
13. Click Next on the IP Addresses page.
14. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Leave the SSL port number at 443.
15. Click the Select button. In the Select Certificate dialog box, click on the OWA Web site certificate that you imported into the ISA Server 2004 firewall’s machine certificate store and click OK.
16. Click Next on the Port Specification page.
17. Click Finish on the Completing the New Web Listener page.
18. The details of the Web listener now appear on the Select Web Listener page. Click Edit.
19. In the OWA SSL Listener Properties dialog box, click the Preferences tab.

20. On the Preferences tab, click the Authentication button.
21. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured.
22. Place a checkmark in the OWA Forms-Based authentication checkbox. Click OK.

23. Click Apply and then click OK in the OWA SSL Listener Properties dialog box.
24. Click Next on the Select Web Listener page.

25. On the User Sets page, accept the default entry, All Users, and then click Next.
26. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
27. Click Apply to save the changes and update the firewall policy.
28. Click OK in the Apply New Configuration dialog box.
The next step is to create a HOSTS file entry on the ISA Server 2004 firewall machine so that it resolves the name owa.msfirewall.org to the IP address of the Exchange Server on the Internal network.
1. Click Start and click Run. In the Run dialog box, enter notepad in the Open text box and click OK.
2. Click the File menu and then click Open. In the Open dialog box, enter c:\windows\system32\drivers\etc\hosts in the File name text box and click Open.

3. Add the following line to the HOSTS file:
10.0.0.2 owa.msfirewall.org
Press ENTER at the end of the line so that the insertion point sits on the next line. Click File and then click Exit. In the Notepad dialog box, click Yes to indicate that you wish to save the changes.
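The following Python sketch is an added example, not part of the original guide. It checks a HOSTS file for the entry created above: the name must map to the internal Exchange Server (10.0.0.2), not to the firewall's own listener address (192.168.1.70), and the last line must be terminated. The sample file content is constructed, and the rule that the first matching line takes effect is an assumption of this example.

```python
import ipaddress

# Constructed sample of the HOSTS file after step 3 (not copied from a real system).
SAMPLE_HOSTS = (
    "# sample HOSTS file\n"
    "127.0.0.1       localhost\n"
    "10.0.0.2 owa.msfirewall.org\n"
)

def parse_hosts(text):
    """Return [(ip, [lowercased names])] in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so not a usable entry
        entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries

def check_owa_mapping(text, name="owa.msfirewall.org",
                      internal_ip="10.0.0.2", listener_ip="192.168.1.70"):
    """Return findings; an empty list means the entry matches the walkthrough."""
    findings = []
    hits = [ip for ip, names in parse_hosts(text) if name.lower() in names]
    if not hits:
        findings.append("missing: no HOSTS entry for " + name)
    elif hits[0] == listener_ip:
        findings.append("self-reference: name points at the firewall's own listener")
    elif hits[0] != internal_ip:
        findings.append("wrong-target: %s, expected %s" % (hits[0], internal_ip))
    if len(set(hits)) > 1:
        # Assumption: the first matching line is the one that takes effect.
        findings.append("conflict: entries disagree: " + ", ".join(hits))
    if text and not text.endswith("\n"):
        findings.append("no-newline: last line is not terminated (press ENTER)")
    return findings

if __name__ == "__main__":
    for finding in check_owa_mapping(SAMPLE_HOSTS) or ["ok"]:
        print(finding)
```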

You can create an SMTP Server Publishing Rule to provide external users and servers access to the Microsoft Exchange SMTP service. In general, you will prefer to use the ISA Server 2004 firewall as a secure SMTP filtering relay to prevent external users and servers from directly connecting to the Exchange Server. The Server Publishing Rule discussed in the following walkthrough is best used to provide external SMTP servers access to the Exchange Server so that they can send mail to e-mail domains under your administrative control.
Perform the following steps to create the SMTP Server Publishing Rule:
2. Right click the Firewall Policy node and point to New. Click Server Publishing Rule.
3. On the Welcome to the New Server Publishing Rule Wizard page, enter the name for the rule in the Server publishing rule name text box. In this example, we will name the rule SMTP Server. Click Next.
4. On the Select Server page, enter the IP address of the Exchange Server on the Internal network. In our current example, the IP address is 10.0.0.2. Enter 10.0.0.2 into the text box. Click Next.
5. On the Select Protocol page, select the SMTP Server protocol from the Selected protocol list. Click Next.

6. On the IP Addresses page, put a checkmark in the External checkbox and then click the Address button.
7. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. Click the IP address on the external interface you want to use in the rule. In this example, the IP address is 192.168.1.70, then click Add. The IP address now appears in the Selected IP Addresses list. Click OK.
