Translated from Thomas W Shinder, Publishing Owa Sites Using ISA FireWall Web Publishing Rules (2004)
Remote users can connect to your Exchange server through OWA (Outlook Web Access) over HTTP. Secure Exchange RPC publishing offers better security than OWA publishing, and the ISA firewall's application-layer (layer 7) filtering provides secure connections between remote Outlook MAPI clients and the Exchange server. However, many users sit behind conventional packet-filtering firewalls that block outbound MAPI access to the external network, because those packet-filtering firewalls lack the layer-7 filtering the ISA firewall has.
OWA publishing provides a way around this: by publishing the OWA site through the ISA firewall, you let remote users reach the OWA site on your Exchange server. The following techniques secure the connection between remote users and the OWA Web site:
1. SSL between the OWA clients and the ISA firewall;
2. SSL between the ISA firewall and the OWA site;
3. Requiring a client certificate on the OWA directory, so that the ISA firewall (or any other host) must present a client certificate before it can connect to the OWA Web site directory;
4. User certificate authentication on the ISA firewall Web publishing rule, which requires remote OWA clients to present a user certificate before the ISA firewall forwards anything to the OWA Web site (this can be skipped by keeping the default All Users user set, which is what we do in this example);
5. OWA forms-based authentication on the ISA firewall, which lets the ISA firewall generate the logon form and keeps unauthenticated connections from ever reaching the OWA site;
6. Basic authentication on the OWA directories, so that the ISA firewall pre-authenticates users and no packet from an unauthenticated host reaches the OWA Web site;
7. A Microsoft enterprise CA, which lets you control access with certificates so that connections from unauthorized hosts are never accepted.
Because access and sessions are controlled at the ISA firewall rather than at the Exchange server, the overall security is higher.
In this article we perform the following steps to publish the internal OWA Web site:
1. Request and bind a Web site certificate for the OWA Web site;
2. Export the OWA Web site certificate to a file (including the site's private key);
3. Configure the OWA site to require SSL encryption and basic authentication;
4. Import the OWA Web site certificate into the ISA firewall computer;
5. Run the OWA publishing wizard, and create an entry for the OWA Web site's name in the ISA firewall's hosts file;
6. Require a client certificate on the incoming Web request listener (optional);
7. Configure the public DNS server to resolve the OWA site's domain name;
8. Publish the certificate authority's Web enrollment site;
9. Install the CA certificate on the OWA clients;
10. Create an entry in the HOSTS file of the OWA client;
11. Connect to the OWA Web site.
The lab environment used in this article is shown in the figure below (the Exchange 2003 back-end server Exchange2003BE at 10.0.0.2 on the internal network, which also hosts the enterprise CA; the ISA firewall with external address 192.168.1.70; and an OWA client on the external network):
Request and bind a Web site certificate for the OWA Web site
To perform SSL-to-SSL bridging, the ISA firewall must establish two SSL connections: the first between the OWA client and the ISA firewall, the second between the ISA firewall and the internal OWA Web site. To implement the SSL connection between the ISA firewall and the OWA Web site, we must request a Web server certificate for the OWA Web site and bind it to the site.
Perform the following steps to request a Web server certificate for the OWA Web site:
1. On the Exchange2003BE computer, click Start, point to Administrative Tools, and click Internet Information Services (IIS) Manager.
2. In the left pane of the IIS Manager console, expand the Web Sites node, right-click Default Web Site, and click Properties.
3. In the Default Web Site Properties dialog box, click the Directory Security tab, then click the Server Certificate button under Secure communications.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. On the Server Certificate page, select Create a new certificate and click Next.
6. On the Delayed or Immediate Request page, select Send the request immediately to an online certification authority and click Next.
7. On the Name and Security Settings page, accept the defaults and click Next.
8. On the Organization Information page, enter your organization and organizational unit names in the Organization and Organizational unit text boxes, then click Next.
9. On the Your Site's Common Name page, enter the public name of the site, the name that both internal and external users will use to reach it. For example, if users access the OWA site as https://owa.msfirewall.org, the common name is owa.msfirewall.org, which is what we enter here. This setting is critical: if the common name does not match the name users connect to, browsers and the ISA firewall will report certificate errors when connecting to the OWA site. Click Next.
10. On the Geographical Information page, enter your country/region, state/province and city/locality, then click Next.
11. On the SSL Port page, accept the default 443 and click Next.
12. On the Choose a Certification Authority page, accept the default selection and click Next.
13. Review the settings on the Certificate Request Submission page and click Next, then click Finish on the Completing the Web Server Certificate Wizard page.
14. Note that the View Certificate button is now available, which indicates that the certificate has been bound to the OWA Web site and can be used to require SSL connections. Click OK in the Default Web Site Properties dialog box.
The next two steps, exporting the OWA Web site certificate to a file (including the site's private key) and configuring the OWA site to require SSL encryption and basic authentication, are described later in this article (the export procedure is given at the end, after the connection test). Carry them out before importing the certificate as described below.
Import the certificate from the OWA Web site into the ISA firewall computer
The Web site certificate must be imported into the ISA firewall computer before it can be bound to the Web listener that accepts connections for the OWA site. Perform the following steps to import the certificate:
1. On the ISA firewall computer, click Start, click Run, type mmc and click OK.
2. In the Console1 console, click the File menu, then click Add/Remove Snap-in. In the Add/Remove Snap-in dialog box, click Add; in the Available Standalone Snap-ins list, click Certificates, then click Add.
3. On the Certificates snap-in page, select Computer account and click Next. On the Select Computer page, select Local computer: (the computer this console is running on) and click Finish. Click Close in the Add Standalone Snap-in dialog box, then click OK in the Add/Remove Snap-in dialog box.
4. In the left pane, right-click the Personal node, point to All Tasks and click Import. On the Welcome to the Certificate Import Wizard page, click Next. Click Browse, locate the certificate file, then click Next.
5. On the Password page, enter the password of the file. Do not check Mark this key as exportable, so that nobody can export the private key from the ISA firewall again. Click Next.
6. On the Certificate Store page, confirm that Place all certificates in the following store is selected, then click Next. Click Finish, then click OK on the dialog box reporting that the import was successful. The imported certificate now appears in the right pane.
The certificate of the CA that issued the Web site certificate must be in the Trusted Root Certification Authorities\Certificates store, so that the ISA firewall computer trusts the Web site certificate.
Expand Trusted Root Certification Authorities in the left pane, scroll down and note that the enterprise CA's certificate has already been added automatically, because we used an enterprise CA and the ISA firewall is a member of the same domain as the CA. If you use a stand-alone CA, or the ISA firewall does not belong to the same domain as the enterprise CA, you must copy the CA certificate into the Trusted Root Certification Authorities\Certificates node yourself: click the CA certificate, click Copy, click the Trusted Root Certification Authorities\Certificates node, then click Paste on the MMC toolbar.

Run the OWA publishing wizard
Before creating the rule, create an entry for the OWA Web site's name in the hosts file. We strongly recommend a split DNS infrastructure (note: one in which the same domain name resolves to different addresses for internal and external clients), so that both internal and external hosts resolve the OWA Web site's name correctly. In this lab we do not build DNS servers; we simply edit the HOSTS file on the ISA firewall computer to resolve the OWA site's name. Note: the ISA firewall must resolve the name that external clients use for the OWA site to the IP address of the internal OWA server, not to the ISA firewall's own external interface, even though external clients resolve that same name to the external interface. Perform the following steps to add the entry to the HOSTS file:
1. On the ISA firewall computer, open the %systemroot%\system32\drivers\etc directory and double-click hosts. In the Open With dialog box, select Notepad and click OK.
2. With hosts open in Notepad, add the entry at the bottom of the file: 10.0.0.2 owa.msfirewall.org, where 10.0.0.2 is the IP address of the internal OWA server. Press Enter after the entry so that the file ends with an empty line.
3. Close Notepad, then click Yes to save the changes.
Now we can create the OWA publishing rule. Perform the following steps to publish the OWA site:
1. Open the ISA Server 2004 management console, expand the server name and click Firewall Policy. Click the Tasks tab in the task pane, then click Publish a Mail Server.
2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule, here Publish OWA Web Site, and click Next.
3. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync, and click Next.
4. On the Select Services page, select Outlook Web Access and confirm that Enable high bit characters used by non-English character sets is checked; this option lets OWA users work with non-English character sets. Click Next.
5. On the Bridging Mode page, select Secure connection to clients and mail server and click Next. This option creates SSL connections on both legs, so the path from the client to the OWA Web site is encrypted end to end. Note that the ISA firewall terminates the client's SSL session and opens a second one to the OWA site, so it sees the traffic in clear text in between; that is what allows it to inspect and authenticate the requests.
6. On the Specify the Web Mail Server page, enter the name of the internal OWA Web site in the Web mail server text box. Here we use owa.msfirewall.org. This name must match the name on the certificate; if you enter an IP address instead, the ISA firewall's internal interface cannot establish the SSL connection to the OWA site because the certificate name will not match. Click Next.
7. On the Public Name Details page, select This domain name (type below) in the Accept requests for list and, in the Public name text box, enter the name external users will use for the OWA site; in this example external users use owa.msfirewall.org. Again, this name must match the name on the certificate, and external DNS must resolve it to the ISA firewall's external interface. Click Next.
8. On the Select Web Listener page, click New. On the Welcome to the New Web Listener Wizard page, enter a name for the listener, here OWA SSL Listener, and click Next. On the IP Addresses page, check External and click the Address button. In the External Network Listener IP Selection dialog box, select Specified IP addresses on the ISA Server computer in the selected network, click the external IP address you want to listen on in the Available IP Addresses list, 192.168.1.70 in this example, and click Add; the address moves to the Selected IP Addresses list. Click OK, then click Next on the IP Addresses page.
9. On the Port Specification page, uncheck Enable HTTP and check Enable SSL, keeping the SSL port at 443, so that the listener accepts only SSL connections. Click Select and, in the Select Certificate dialog box, click the OWA Web site certificate you imported into the ISA firewall computer, then click OK. The certificate appears here only after you have imported it, and only if it includes a private key; a certificate without a private key is not listed. Click Next, then click Finish on the Completing the New Web Listener Wizard page.
10. Back on the Select Web Listener page, the details of the Web listener are displayed. Click Edit. In the OWA SSL Listener Properties dialog box, click the Preferences tab, then click the Authentication button.
11. In the Authentication dialog box, uncheck Integrated and click OK when Microsoft Internet Security and Acceleration Server 2004 warns that no authentication method is selected. Check OWA Forms-Based. OWA forms-based authentication is very useful for OWA sites and enhances their security: the ISA firewall generates the logon form and forwards the user's credentials to the OWA site, and only after the user has authenticated successfully does the ISA firewall forward the user's connection to the OWA site. Note that you cannot also enable forms-based authentication on the Exchange server's own OWA site; use forms-based authentication on the ISA firewall only. Click Configure.
12. In the OWA Forms-Based Authentication dialog box, check Clients on public machines, Clients on private machines and Log off OWA when the user leaves OWA site; these settings harden your OWA site. Note that you can set different idle timeouts for public and private computers. Letting users choose the security level of their own connection is a mistake, so consider enforcing the same policy for all users. Click OK, click Apply in the Authentication dialog box, then click Apply and OK in the OWA SSL Listener Properties dialog box.
13. On the Select Web Listener page, click Next. On the User Sets page, accept the default All Users and click Next. This does not mean that anyone can reach the OWA site: only authenticated users get through. The actual authentication is performed by the OWA site, and the ISA firewall forwards the user's credentials to it, so the rule must allow All Users unless the ISA firewall can authenticate the users itself. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
14. Right-click the Publish OWA Web Site rule and click Properties. On the To tab, select Requests appear to come from the original client. This option lets the OWA Web site see the real IP address of the external client, so its Web logs record the client address. The To tab is also important because the name in the Server text box must match the name on the certificate; I encourage you to use the same name at every point, although it is not absolutely required.
15. Click Apply and OK, then click Apply to save the changes and update the firewall policy.
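As an added example (not part of the original article), the following Python code re-implements the name check a TLS client applies to a server certificate and uses it to confirm that the public name on the Web listener and the server name on the rule's To tab both match the OWA site certificate. The certificate dictionary is constructed in the shape ssl.SSLSocket.getpeercert() returns; it is not a real certificate, and the function and variable names are the example's own.

```python
"""Check that the names used in an SSL-bridged OWA publishing rule agree.

Added example, not part of the original article. It re-implements the
hostname check a TLS client applies to a server certificate (subject
alternative names first, then the subject common name, with a wildcard
allowed only as the whole left-most label) and uses it to verify that the
public name on the Web listener and the server name on the rule's To tab
both match the OWA site certificate. The certificate is represented in the
dict shape returned by ssl.SSLSocket.getpeercert(); the sample below is
constructed for the example and is not a real certificate.
"""
from typing import Dict, List

# Constructed sample: what getpeercert() returns for a certificate whose
# subject CN is owa.msfirewall.org and which carries no SAN extension,
# which is what the IIS 6 certificate wizard in the article produces.
OWA_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "msfirewall"),),
                (("commonName", "owa.msfirewall.org"),)),
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}


def _dns_names(cert: Dict) -> List[str]:
    """Names a client may match: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.org', 'ow*.example.org' and nested wildcards.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_name(cert: Dict, hostname: str) -> bool:
    """True if a client connecting to hostname would accept this certificate."""
    return any(_label_matches(p, hostname) for p in _dns_names(cert))


def check_rule_names(cert: Dict, listener_public_name: str,
                     to_tab_server_name: str) -> List[str]:
    """Return the problems that would break SSL bridging; empty means consistent."""
    problems: List[str] = []
    names = _dns_names(cert)
    if not cert_matches_name(cert, listener_public_name):
        problems.append(f"listener public name {listener_public_name!r} does not "
                        f"match certificate names {names}")
    if not cert_matches_name(cert, to_tab_server_name):
        problems.append(f"To tab server name {to_tab_server_name!r} does not match "
                        f"the certificate; the ISA firewall's SSL leg to the OWA site will fail")
    if to_tab_server_name.replace(".", "").isdigit():
        problems.append("To tab uses an IP address; certificate names are DNS names, "
                        "so the internal SSL leg cannot be validated")
    return problems


if __name__ == "__main__":
    print(check_rule_names(OWA_CERT, "owa.msfirewall.org", "owa.msfirewall.org"))  # []
    print(check_rule_names(OWA_CERT, "mail.msfirewall.org", "10.0.0.2"))
```

check_rule_names returns an empty list for a consistent rule. To run it against the real deployment, replace OWA_CERT with the dictionary getpeercert() returns from an SSL connection to the internal OWA site. The IIS 6 wizard in this article places the name only in the subject CN, so the function falls back to the CN whenever no subjectAltName is present.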
Configure the OWA site to require SSL encryption and basic authentication
Requiring SSL for all communication with the OWA site defeats sniffers. At the same time, the OWA directories must be configured for basic authentication, which avoids browser compatibility problems and is the method the ISA firewall uses when it forwards the credentials it collected. Perform the following steps to configure the OWA site to require SSL and basic authentication:
1. In the IIS Manager console, expand the server, then expand the Default Web Site node. The three virtual directories to modify are /Exchange, /ExchWeb and /Public; these are the directories the ISA firewall accesses on behalf of OWA clients over the SSL connection it negotiates with the site.
2. Start with the Exchange directory: right-click it and click Properties.
3. Click the Directory Security tab and click the Edit button under Authentication and access control. In the Authentication Methods dialog box, uncheck every other option and check Basic authentication (password is sent in clear text). When prompted that you should use SSL to protect the password, click Yes. Enter your domain name in the Default domain text box, in this case MSFIREWALL, then click OK.
4. Click Apply in the Exchange Properties dialog box and click OK. Repeat the above steps for the /ExchWeb and /Public directories.
The next step is to force the ISA firewall's Web proxy filter to use SSL when it connects to the OWA directories. Perform the following steps:
5. In IIS Manager, expand your server, then expand Default Web Site. We need to require SSL on the same three directories, /Exchange, /ExchWeb and /Public. Right-click the Exchange node and click Properties.
6. Click the Directory Security tab in the Exchange Properties dialog box, then click Edit in the Secure communications frame. In the Secure Communications dialog box, check Require secure channel (SSL), then check Require 128-bit encryption, and click OK.
7. Click Apply and OK in the Exchange Properties dialog box. Repeat the above steps for the /ExchWeb and /Public directories, then close the IIS Manager console.
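The following Python code is an added example, not part of the original article. It shows why the basic-authenticated OWA directories must also require SSL: the first function recovers the credentials from a request that an eavesdropper captured on a plain-HTTP connection (the Authorization header is only base64, not encryption), and the second models the Require secure channel (SSL) plus Require 128-bit encryption setting as a check on the connection a request arrived over. The captured request, the connection records and all names are constructed for the example.

```python
"""Why the OWA directories must require SSL when they use Basic authentication.

Added example, not part of the original article. recover_basic_credentials
shows what a sniffer obtains from a Basic-authenticated request sent over
plain HTTP. basic_auth_allowed models the IIS "Require secure channel (SSL)"
and "Require 128-bit encryption" settings the article configures. The
request bytes and the connection dicts are constructed for the example.
"""
import base64
from typing import Dict, Optional, Tuple

# Constructed sample: a GET to /exchange as it would appear on the wire when
# the client sends Basic credentials over HTTP instead of HTTPS.
SNIFFED_REQUEST = (
    b"GET /exchange/ HTTP/1.1\r\n"
    b"Host: owa.msfirewall.org\r\n"
    b"Authorization: Basic TVNGSVJFV0FMTFxBZG1pbmlzdHJhdG9yOlBAc3N3MHJkIQ==\r\n"
    b"\r\n"
)


def recover_basic_credentials(request: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (domain, user, password) from a Basic Authorization header, else None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                          # Negotiate/NTLM are not base64 secrets
        userid, _, password = base64.b64decode(token).decode("latin-1").partition(":")
        # IIS with a default domain accepts DOMAIN\user; split that back out.
        domain, sep, user = userid.partition("\\")
        if not sep:
            domain, user = "", userid
        return domain, user, password
    return None


MIN_KEY_BITS = 128  # the "Require 128-bit encryption" check box in IIS


def basic_auth_allowed(connection: Dict[str, object]) -> Tuple[bool, str]:
    """Apply the article's directory policy to a connection record.

    connection is a constructed dict such as {"tls": True, "key_bits": 128}.
    The substatus codes are the ones IIS returns for these refusals.
    """
    if not connection.get("tls"):
        return False, "403.4: SSL required; Basic credentials would cross the wire in clear"
    bits = int(connection.get("key_bits", 0))
    if bits < MIN_KEY_BITS:
        return False, f"403.5: SSL 128 required; cipher offers only {bits} bits"
    return True, "OK"


if __name__ == "__main__":
    print(recover_basic_credentials(SNIFFED_REQUEST))
    print(basic_auth_allowed({"tls": False}))
    print(basic_auth_allowed({"tls": True, "key_bits": 128}))
```

The decoder needs no key material at all, which is the whole point: once the three OWA directories require SSL, the only place the credentials exist in clear text is inside the ISA firewall and the OWA server, never on the external network.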
Configure the public DNS server to resolve the domain name of the OWA site
Correct DNS naming is critical when you design remote access. A well-designed DNS configuration lets users resolve the domain name to the correct IP address whether they are on the internal network or on the external network, regardless of their location.
The ideal configuration is split DNS. A split DNS infrastructure consists of two DNS zones for the same domain name:
1. An internal zone, queried by hosts on the internal network;
2. An external zone, queried by hosts on the external network.
Hosts on the internal network query the internal zone and obtain the internal IP address of the host they want to reach; hosts on the external network query the external zone and obtain the public IP address they should connect to. The destination host is the same for both, but it is reached by different routes.
For example, suppose your internal Exchange server is in the domain domain.com, you publish the OWA site with the ISA firewall, the ISA firewall listens for external requests on 131.107.0.1, and the Exchange server's IP address on the internal network is 10.0.0.3.
Your goal is to reach the Exchange server as owa.domain.com from anywhere: internal hosts should reach the OWA site at 10.0.0.3, and hosts on the Internet should reach it at 131.107.0.1.
On the DNS servers that serve the Internet, resolve owa.domain.com to 131.107.0.1; on the internal network, create a DNS zone that resolves owa.domain.com to 10.0.0.3. Hosts on the two networks must be configured to use their respective DNS servers.
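The following Python code is an added example, not part of the original article. It checks the split resolution that this section, and the hosts-file edits on the ISA firewall and the OWA client, rely on: the same public name must resolve to the internal OWA server on the ISA firewall but to the ISA firewall's external interface on the client, and it must never resolve to the ISA firewall's own external address on the ISA firewall. The two hosts files are constructed for the example using the lab addresses from this article.

```python
"""Verify the split name resolution an OWA publishing rule depends on.

Added example, not part of the original article. parse_hosts reads the
hosts-file format the article edits by hand, and check_split_resolution
confirms that the ISA firewall and the OWA client see the two different
answers the design requires. Both sample files are constructed here.
"""
from typing import Dict, List, Optional

# Constructed sample files. Windows uses the first matching entry.
ISA_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.2        owa.msfirewall.org
"""

CLIENT_HOSTS = """\
127.0.0.1       localhost
192.168.1.70    owa.msfirewall.org     # external interface of the ISA firewall
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (lower-cased) to the first address listed for it."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(table: Dict[str, str], name: str) -> Optional[str]:
    """Hosts-file lookup; None when the name is absent."""
    return table.get(name.lower().rstrip("."))


def check_split_resolution(public_name: str, internal_owa_ip: str, isa_external_ip: str,
                           isa_hosts: str, client_hosts: str) -> List[str]:
    """Report every way the two views disagree with the published design."""
    problems: List[str] = []
    isa_answer = resolve(parse_hosts(isa_hosts), public_name)
    client_answer = resolve(parse_hosts(client_hosts), public_name)
    if isa_answer != internal_owa_ip:
        problems.append(f"ISA firewall resolves {public_name} to {isa_answer}, "
                        f"expected internal OWA server {internal_owa_ip}")
    if client_answer != isa_external_ip:
        problems.append(f"client resolves {public_name} to {client_answer}, "
                        f"expected ISA external interface {isa_external_ip}")
    if isa_answer == isa_external_ip:
        problems.append("ISA firewall resolves the public name to its own external "
                        "interface, so the rule would send the request to its own "
                        "listener instead of the OWA site")
    return problems


if __name__ == "__main__":
    print(check_split_resolution("owa.msfirewall.org", "10.0.0.2", "192.168.1.70",
                                 ISA_HOSTS, CLIENT_HOSTS))   # []
```

Feed it the real files from %systemroot%\system32\drivers\etc\hosts on both machines, or, in a production network, the answers your internal and external DNS zones return. The parser is deliberately lenient about the trailing newline that older Windows versions needed; the check only asks whether the right address comes back.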
Publish the certificate authority's Web enrollment site
External OWA clients must place the certificate of the CA that issued the Web server certificate in their Trusted Root Certification Authorities store. It can go into the user's store; it does not have to be in the machine store. The simplest way to obtain it is from the CA's Web enrollment site, but to let clients reach that site we must first publish it through the ISA firewall.
Perform the following steps:
1. In the ISA Server 2004 console, expand the server name and click the Firewall Policy node. Click the Tasks tab, then click Publish a Web Server.
2. On the Welcome to the New Web Publishing Rule Wizard page, enter a name for the rule, here Publish Web Enrollment Site, and click Next.
3. On the Select Rule Action page, select Allow and click Next.
4. On the Define Website to Publish page, enter the IP address of the internal CA in the Computer name or IP address box, in this case 10.0.0.2, and enter /certsrv/* in the Path box. Click Next.
5. On the Public Name Details page, select This domain name (type below) in the Accept requests for list. In the Public name box, enter the IP address of the ISA firewall's external interface, 192.168.1.70 in this example, and enter /certsrv/* in the Path (optional) box. Click Next.
6. On the Select Web Listener page, click New. On the Welcome to the New Web Listener Wizard page, enter a name in the Web listener name box, here Listener70, and click Next. On the IP Addresses page, check External and click Next. On the Port Specification page, accept the defaults, confirming that Enable HTTP is checked and the HTTP port is 80, and click Next. Click Finish on the Completing the New Web Listener Wizard page, then click Next on the Select Web Listener page.
7. On the User Sets page, accept the default All Users and click Next, then click Finish on the Completing the New Web Publishing Rule Wizard page.
8. Right-click the Publish Web Enrollment Site rule and click Properties. Click the Paths tab, click Add, and in the Path mapping dialog box, under Specify the folder on the Web site that you want to publish (to publish the entire Web site, leave this field blank), enter /certcontrol/*. Click OK.
9. Click Apply and OK in the Publish Web Enrollment Site Properties dialog box, then click Apply to save the changes and update the firewall policy.

Install the CA certificate on the OWA clients
Now we must obtain the CA certificate from the internal network. Perform the following steps on the OWA client computer:
1. Open Internet Explorer, enter http://192.168.1.70/certsrv and press Enter. Enter Administrator and the corresponding password in the User name and Password boxes and click OK.
2. On the Welcome page of the Microsoft Certificate Services site, click Download a CA certificate, certificate chain, or CRL.
3. On the Download a CA Certificate, Certificate Chain, or CRL page, click Install this CA certificate chain. Click Yes in the Security Warning dialog box that asks whether you want to install the Microsoft Certificate Enrollment Control; click Yes when warned that the Web site is adding one or more certificates to this computer; click Yes in the Root Certificate Store dialog box that asks whether to add the CA certificate.
4. The CA Certificate Installation page reports that the CA certificate chain has been successfully installed. Close Internet Explorer.
Because the enrollment site is published over plain HTTP, nothing protects the downloaded root certificate in transit. Before trusting it, compare its thumbprint with the one shown for the CA's own certificate in the Certification Authority console (General tab of the CA's properties, View Certificate).

Create an entry in the HOSTS file of the OWA client
The OWA client must be able to resolve the name in the OWA Web server certificate, owa.msfirewall.org in this case, to the external interface of the ISA firewall on which the OWA listener is bound, 192.168.1.70 in this example. In a production network you would deploy DNS servers to resolve the name; in this lab we use the HOSTS file. Perform the following steps on the OWA client computer:
1. Locate %systemroot%\system32\drivers\etc and open hosts in Notepad.
2. At the end of the hosts file, add the following entry: 192.168.1.70 owa.msfirewall.org. Make sure the file ends with an empty line; otherwise the newly added line may not be recognized.
3. Close the hosts file and save your changes.

Connect to the OWA Web site
Perform the following steps on the OWA client computer to connect to the OWA Web site:
1. Open Internet Explorer, enter https://owa.msfirewall.org/exchange in the address bar and press Enter.
2. On the Outlook Web Access logon page, enter MSFIREWALL\Administrator in the Domain\user name box, enter the password in the Password box, select Premium under Client, select Private computer under Security, and click Log On.
3. The OWA site is displayed over SSL; the padlock in the Internet Explorer status bar confirms that the connection is secure.
4. Click Log Off to log out of the OWA Web site.
Export the OWA Web site certificate to a file (including the private key)
When the OWA client establishes its SSL connection to the ISA firewall, the ISA firewall impersonates the OWA Web site. For the ISA firewall to do this, you must export the OWA Web site's certificate and import it into the ISA firewall computer's certificate store. When you export the certificate, it is essential to export the Web site's private key with it: without the private key you cannot bind the certificate to the ISA firewall's Web listener. Perform the following steps to export the Web site certificate and private key to a file:
1. In the IIS Manager console, expand Web Sites, right-click Default Web Site and click Properties. In the Default Web Site Properties dialog box, click the Directory Security tab, then click View Certificate.
2. Click the Details tab, then click Copy to File. On the Welcome to the Certificate Export Wizard page, click Next. On the Export Private Key page, select Yes, export the private key, then click Next.
3. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), check Include all certificates in the certification path if possible, uncheck Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above), and click Next.
4. Enter and confirm a password, then click Next. Enter C:\owacert in the File name box, click Next, then click Finish on the Completing the Certificate Export Wizard page. Click OK in the Certificate dialog box and OK in the Default Web Site Properties dialog box.
5. Copy owacert.pfx from C:\ to the ISA firewall computer. The file contains the site's private key, so protect it with a strong password, move it over a trusted channel, and delete the copies once the import on the ISA firewall has succeeded.