Step 1: The Exchange 2007 Part
In this article, I will explain the full configuration steps to take to publish your internal Exchange 2007 OWA (outlook web access – webmail) to the internet using ISA Server 2006.
Although this procedure talks about using private SSL-certificates, it is almost identical when using official SSL-certificates.
Here we go:
1) Start by creating an SSL-certificate request file from your Exchange Management Shell, by issuing the following PowerShell cmdlet (I will explain the details later in another post):
New-ExchangeCertificate -GenerateRequest -Path c:\webmail_pdt_be.csr -KeySize 1024 -SubjectName "c=BE, s=East-Flanders, l=Sint-Niklaas, o=PDT IT Services, ou=IT, cn=webmail.pdtit.be" -PrivateKeyExportable $True
2) The above cmdlet generated a Certificate Request File (CSR), which looks like the image below:
3) Next, we will upload this CSR to our internal Certificate Authority (if it is not installed already, install it on your internal server using Control Panel / Add/Remove Windows Components (2003) or Server Roles (2008)), by using the Certificate Web Enrollment Services. You could also use the regular Certificate Authority MMC, but I love the web interface for its ease of use.
4) Browse to https://<servername>/certsrv
5) Select Request a Certificate
6) Next, Select Advanced Certificate Request
7) Next, Choose Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file…
8) Then, paste the contents of your CSR into the first field (include the first and last lines as well!!!); choose Web Server as certificate template.
9) Click Submit
10) Select Base 64 Encoded + Save
11) If you open the CSR file to check some of its property fields, you will notice that the subject (CN) is the URL to be used for your webmail access.
12) Just for backup reasons, click copy to file to save a copy of the certificate file to disk.
13) Now that the certificate file is saved to disk, we can import it back into Exchange 2007 by using a PowerShell cmdlet again:
Import-ExchangeCertificate -Path "c:\documents and settings\administrator\desktop\webmail.pdtit.be.cer"
14) We can validate the import by using the Certificate MMC (start / run / mmc / add certificate snap-in / select computer account / personal store)
As you can see in the image below, the "webmail.pdtit.be" certificate is shown; we can also see the PDT IT CA, which is the Root certificate of the CA that issued the certificate.
15) The next step involves "activating" our newly imported certificate for Exchange Web Services; first, we get a list of the currently imported Exchange-related certificates by issuing the following cmdlet:
The certificate of interest for us is the one with Subject “webmail.pdtit.be”
16) Next, we will “link” this certificate to the Exchange Web Services, by using the following cmdlet:
Enable-ExchangeCertificate -Thumbprint "1B19…" -Services "IIS, POP, IMAP"
Now Exchange OWA is linked to the SSL-certificate "webmail.pdtit.be".
If we get the properties of the SSL-certificate on our Exchange OWA logon page (by clicking on the padlock in the lower right corner), the following information is shown:
This means the OWA service is indeed "listening" on the SSL-certificate with common name webmail.pdtit.be.
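As an added example (not code from the original article), the following Exchange Management Shell script performs steps 15 and 16 without copying a thumbprint by hand: it looks the certificate up by its subject, checks that it carries a private key and is not about to expire, and binds it to IIS only, since only OWA is being published here (add POP and IMAP as the article does if those services are also offered). The host name webmail.pdtit.be is taken from the article; everything else is assumed.

```powershell
# Added example, not part of the original article.
# Assumes the Exchange 2007 Management Shell and the host name used in the article.
$fqdn = "webmail.pdtit.be"

# Step 15: list every certificate Exchange knows about, with its current bindings.
Get-ExchangeCertificate | Format-Table Thumbprint, Subject, Services, HasPrivateKey -AutoSize

# Select the newest certificate whose subject matches the OWA host name and that has a private key;
# a certificate without a private key cannot serve SSL and must not be bound.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $fqdn" }

# Warn early if the certificate is close to expiry; an expired certificate breaks OWA for every user.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate for {0} expires on {1}" -f $fqdn, $cert.NotAfter)
}

# Step 16: bind the certificate to IIS only (least privilege: only the service we publish).
# Use -Services "IIS, POP, IMAP" as in the article if POP and IMAP are published as well.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS"

# Confirm that the binding took effect before moving on to the ISA side.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Services, NotAfter
```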
Step 2: The ISA 2006 part
In the previous steps, you saw how we created a private SSL-certificate to be used for Exchange Outlook Web Access from our internal CA.
In the following steps, we will import this private SSL-certificate into our ISA 2006 server, and use this certificate for OWA Publishing on the ISA 2006 server.
1) Export the SSL-certificate from the Exchange Server to the ISA 2006 server; just for the reference, I included all steps and screenshots involved to do the export:
a) Start / Run / MMC / Add Snap-in / Select Certificates
b) Select Computer Account / Local Computer:
c) This will show the following list of certificates:
d) Open the “webmail.pdtit.be” certificate / Details / Copy To File
e) This will start the Certificate Export Wizard
f) Make sure you select “Yes, Export the Private Key” (only certificates with private key will be accepted in the ISA 2006 Web Listener wizard later on) + Next
g) Select Personal Information Exchange + mark Include all certificates in the certification path if possible; this will also export the Root CA certificate + Next
h) Enter a password for the certificate:
i) Save the SSL-certificate file in PFX-format somewhere on the local Exchange Server.
2) By default, the OWA website is configured for "Forms Based Authentication" out-of-the-box. As we want to "transfer" the logon form to the ISA 2006 server, a small modification remains to be made on the Exchange server before we jump over to the ISA 2006 configuration steps.
3) Open your Exchange Management Console, and browse to Server Configuration / Client Access; Select the Outlook Web Access and click owa (default web site) + properties
4) Go to the Authentication tab; select "Use one or more standard authentication methods", and make sure Integrated Windows Authentication and Basic Authentication are selected.
5) In order to make the modification active, we are prompted with a warning to "restart" our IIS services by running the command iisreset /noforce. This will be done next from a command prompt.
6) Logon to the ISA 2006 Server, and browse to the Certificate PFX-file that was exported from the Exchange Server.
7) Import the PFX-certificate file by using the Certificate Import Wizard:
8) Make sure you enter the password correctly, and flag "Enable strong private key protection" as well as "Mark this key as exportable" + Next
9) To make sure the import is okay, we will check again from within the Certificate MMC snap-in on the ISA 2006 server itself:
10) We can see the webmail.pdtit.be certificate is correctly imported in the Personal Certificate store of the ISA 2006 server.
11) We can see the PDT IT CA Root certificate is correctly imported in the Trusted Root Certificate store of the ISA 2006 server.
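The same checks as in steps 9 to 11, as an added script that is not part of the original article: it confirms on the ISA 2006 server that the certificate sits in the Local Computer Personal store with a usable private key, that its issuer sits in Trusted Root Certification Authorities, and that the chain actually validates, which is what the Web Listener wizard later needs. It assumes PowerShell is installed on the ISA host; the host name webmail.pdtit.be comes from the article.

```powershell
# Added example, not part of the original article.
# Assumes PowerShell on the ISA 2006 server and the host name used in the article.
$fqdn = "webmail.pdtit.be"

# Step 10 check: the certificate must be in the Local Computer Personal store, with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "Certificate for $fqdn not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate found but without private key; re-export it with 'Yes, export the private key'"
}

# Step 11 check: the issuing CA must be present in Trusted Root Certification Authorities,
# otherwise the listener cannot build a trusted chain for the private certificate.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $root) {
    throw "Issuer '$($cert.Issuer)' is not in LocalMachine\Root; re-export with the certification path included"
}

# Full chain validation, including revocation; this needs the CA's CRL to be reachable from
# the ISA server, so a failure here can also mean the CRL distribution point is not published.
if (-not $cert.Verify()) {
    throw "Chain validation failed for $fqdn (expired, revoked, untrusted, or CRL unreachable)"
}

"OK: {0} valid until {1}, issued by {2}" -f $cert.Subject, $cert.NotAfter, $cert.Issuer
```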
12) Now that all prerequisites are finished, we will create the OWA Publishing Rule from within the ISA Management Console.
13) Browse to the Firewall Policy, right click / New Exchange Publishing Rule; this will fire up a wizard again:
a) Enter a descriptive name for the rule, e.g. Webmail Publishing Rule
b) Select Exchange Server 2007 and mark “Outlook Web Access”; (Exchange 2007 is the first version that needs several rules for Outlook Anywhere and Outlook Mobile Access; Exchange 2003 publishing allows you to mark all options at once)
c) Select Publish a single website or load balancer in the next window
d) Choose Use SSL to connect to the published web server or web farm; this means SSL will be used to connect to our webmail pages from the outside.
e) Give the name of the Internal Site Name; this part is a bit unclear to me. The only way I have ever seen this work is by entering the same name as in the common name field of the SSL-certificate. In order to make sure the ISA 2006 server "resolves" the internal site name correctly, I make use of the ISA 2006 server's hosts file, in which I enter the following:
<internal Ip-address of Exchange Server> webmail.pdtit.be
f) In the next window, you can "limit" traffic to the specific webmail URL only, or allow any domain name; just as an example, I will use any domain name as the option. (If multiple sites are to be published with only one official internet IP address, you have to make a distinction on your ISA 2006 box by using different publishing rules, each referring to its own common name of the URL, e.g. webmail.pdtit.be; extranet.pdtit.be, …)
14) After clicking next, the Web Listener Wizard will pop up; the web listener defines all settings related to the “SSL-communication” on the outside interface of the ISA 2006 firewall/reverse proxy.
a) Select “new” in the next window
b) Give a clear name for the web listener (e.g. PDT IT webmail listener)
c) Select Require SSL secured connections with clients; this means the ISA 2006 server only accepts SSL-requests from the outside to our Exchange OWA pages.
d) Select the Web listener interface and IP-address (if multiple exist).
e) In the next window, we will select the SSL-certificate that should be bound to the newly created Web Listener; this will be the imported PFX-certificate that came from the Exchange Server; (see previous steps in this article on how to import an Exchange-issued PFX-certificate into the ISA 2006 server Certificate Store).
f) If the previous import went okay, the certificate should be visible here, marked with a green button in front of it. If the certificate is not shown here, the import was not done correctly. You first have to solve that issue before continuing; otherwise, your OWA webmail will never work.
g) In the next window, we will select how the user will be prompted for their OWA logon credentials. Preferably, this will be "HTML Form Authentication" + Windows (Active Directory); notice that other logon credentials are also accepted here (e.g. RSA or Vasco token one-time passwords, …), elevating the authentication security to a higher level.
h) If more websites are being published by ISA 2006, Single Sign On options can be selected (allow the user to enter his credentials only once, and acting as a pass-through gateway to other internal websites that normally also would require authentication)
i) Click finish to close the Web Listener Wizard.
j) That’s all. Make sure you confirm the “Apply” button in the ISA 2006 console; from now on, your webmail should work from anywhere on the internet.
Just as a reference, I copied screenshots of all tabs involved in the Exchange Publishing / Web Listener configuration.
Voila, this completes our full configuration procedure to make your internal Exchange Server Outlook Web Access functionality available from the internet, by publishing it securely through Microsoft ISA 2006 Server.
If anyone should have questions or issues when following the above procedure, do not hesitate to leave me a comment or suggestions for updates to this article. If you are interested in receiving this procedure in a nice to read PDF or Word format, feel free to drop me a mail at <info at pdtit dot be>
sep 29 2008, 09:50
Peter De Tender