TryCatch.be
but it worked in the staging environment...

HowTo: Publishing Exchange 2007 OWA using ISA Server 2006

PDT IT Services Blog Posts

 

Step 1: The Exchange 2007 Part

Hello Readers,

In this article, I will explain the full configuration steps to take to publish your internal Exchange 2007 OWA (Outlook Web Access, webmail) to the internet using ISA Server 2006.

Although this procedure talks about using private SSL-certificates, it is almost identical when using official SSL-certificates.

Here we go:

1)     Start by creating an SSL-certificate request file from the Exchange Management Shell, by issuing the following PowerShell cmdlet (I will explain the details later in another post):

New-ExchangeCertificate -GenerateRequest -Path c:\webmail_pdt_be.csr -KeySize 1024 -SubjectName "c=BE, s=East-Flanders, l=Sint-Niklaas, o=PDT IT Services, ou=IT, cn=webmail.pdtit.be" -PrivateKeyExportable $True

2)     The above cmdlet generates a Certificate Request File (CSR), a base-64 encoded text file.

3)     Next, we will upload this CSR to our internal Certificate Authority (if it is not installed already, install it on your internal server using Control Panel / Add/Remove Windows Components (2003) or Server Roles (2008)), by using the Certificate Web Enrollment service. You could also use the regular Certification Authority MMC, but I love the web interface for its ease of use :-)

4)     Browse to https://<servername>/certsrv

 

5)     Select Request a Certificate

6)     Next, select Advanced Certificate Request

7)     Next, choose Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file…

8)     Then, paste the contents of your CSR into the first field (include the first and last lines as well!); choose Web Server as certificate template.

9)     Click Submit

10)  Select Base 64 Encoded + Save

11)  If you open the downloaded certificate file to check some property fields, you will notice the subject (CN) refers to the URL to be used for your webmail access.

12)  Just for backup reasons, click Copy to File to save a copy of the certificate file to disk.

13)  Now that the certificate file is saved to disk, we can import it back into Exchange 2007, again by using a PowerShell cmdlet:

Import-ExchangeCertificate -Path "c:\documents and settings\administrator\desktop\webmail.pdtit.be.cer"

14)  We can validate the import by using the Certificates MMC snap-in (Start / Run / mmc / add the Certificates snap-in / select Computer account / Personal store).

In the Personal store the "webmail.pdtit.be" certificate is shown; we can also see the PDT IT CA certificate, which is the root certificate of the CA that issued it.

15)  The next step involves "activating" our newly imported certificate for the Exchange web services; first, we start by getting a list of the currently imported Exchange-related certificates, by issuing the following cmdlet:

Get-ExchangeCertificate

The certificate of interest for us is the one with Subject "webmail.pdtit.be".

16)  Next, we will "link" this certificate to the Exchange web services, by using the following cmdlet:

Enable-ExchangeCertificate -Thumbprint "1B19…" -Services "IIS, POP, IMAP"

(The thumbprint is the one listed by Get-ExchangeCertificate for the webmail.pdtit.be certificate.) Now, Exchange OWA will be linked to the SSL-certificate "webmail.pdtit.be".

If we view the properties of the SSL-certificate on our Exchange OWA logon page (by clicking the padlock icon in the lower right corner of the browser), the certificate with common name webmail.pdtit.be is shown, which means the OWA service is indeed presenting the SSL-certificate with common name webmail.pdtit.be.

Step 2: The ISA 2006 Part

In the previous steps, you saw how we created a private SSL-certificate to be used for Exchange Outlook Web Access from our internal CA.

In the following steps, we will import this private SSL-certificate into our ISA 2006 server, and use this certificate for OWA Publishing on the ISA 2006 server.

1)     Export the SSL-certificate from the Exchange Server, so it can be imported on the ISA 2006 server; just for reference, I included all steps involved in doing the export:

a)     Start / Run / MMC / Add Snap-in / Select Certificates

b)    Select Computer Account / Local Computer:

c)     This will show the list of certificates in the Personal store of the local computer.

d)    Open the "webmail.pdtit.be" certificate / Details / Copy To File

e)     This will start the Certificate Export Wizard

f)     Make sure you select "Yes, export the private key" (only certificates with a private key will be accepted in the ISA 2006 Web Listener wizard later on) + Next

g)    Select Personal Information Exchange + mark "Include all certificates in the certification path if possible"; this will also export the root CA certificate + Next

h)     Enter a password to protect the exported certificate file:

i)      Save the SSL-certificate file in PFX-format somewhere on the local Exchange Server.

2)     By default, the OWA website is configured for "Forms Based Authentication". As we want to "transfer" the logon form to the ISA 2006 server, a small modification is still needed on the Exchange server before we jump over to the ISA 2006 configuration steps.

3)     Open the Exchange Management Console and browse to Server Configuration / Client Access; select the Outlook Web Access tab and click owa (Default Web Site) + Properties.

4)     Go to the Authentication tab; select "Use one or more standard authentication methods", and make sure Integrated Windows Authentication and Basic Authentication are selected.

5)     In order to make the modification active, we are prompted with a warning to "restart" our IIS services, by running the command iisreset /noforce. This is done next from a command prompt (cmd).

6)     Log on to the ISA 2006 server, and browse to the certificate PFX-file that was exported from the Exchange Server.

7)     Import the PFX-certificate file by using the Certificate Import Wizard:

8)     Make sure you enter the password correctly, and tick "Enable strong private key protection" as well as "Mark this key as exportable" + Next + Next + Finish.

9)     To make sure the import is okay, we will check again from within the Certificates MMC snap-in on the ISA 2006 server itself:

10)  We can see the webmail.pdtit.be certificate is correctly imported in the Personal Certificate store of the ISA 2006 server.

11)  We can see the PDT IT CA Root certificate is correctly imported in the Trusted Root Certificate store of the ISA 2006 server.
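
Before binding the certificate in the Web Listener wizard, it helps to check the import more precisely than the MMC view allows. The following PowerShell script is an added example of mine, not code from the original post or from Microsoft; it assumes the subject common name webmail.pdtit.be used in this article and is meant to run on the ISA 2006 server (it works the same on the Exchange server before the export).

```powershell
# Added example (not from the original post): verify an OWA certificate import
# before binding it to an ISA 2006 web listener.
# Assumption: the certificate subject CN is webmail.pdtit.be (the name used in this article).
param([string]$CommonName = "webmail.pdtit.be")

# 1. Find the certificate in the computer's Personal store by its subject CN.
$pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$CommonName in LocalMachine\My" }

"Thumbprint : $($cert.Thumbprint)"   # the value used with Enable-ExchangeCertificate -Thumbprint
"Valid until: $($cert.NotAfter)"

# 2. The Web Listener wizard only offers certificates that carry a private key,
#    so this is the first thing to check when the certificate is 'missing' in the wizard.
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key: re-export it as PFX with 'Yes, export the private key'"
}

# 3. Build the chain: this fails if the issuing CA (PDT IT CA) did not land in Trusted Root.
#    Revocation checking is skipped because a private CA's CRL is often not reachable from the DMZ.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
    throw "Chain does not build; import the CA certificate into Trusted Root Certification Authorities"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain OK, root: $($root.Subject)"

# 4. Confirm the name clients will type matches the certificate, so browsers do not warn.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $CommonName) { throw "Certificate name '$cn' does not match expected '$CommonName'" }
"Certificate is ready for the web listener."
```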
 

12)  Now that all prerequisites are in place, we will create the OWA publishing rule from within the ISA Management Console.

13)  Browse to the Firewall Policy, right click / New Exchange Publishing Rule; this will fire up a wizard again:

a)     Enter a descriptive name for the rule, e.g. Webmail Publishing Rule

b)    Select Exchange Server 2007 and mark "Outlook Web Access" (Exchange 2007 is the first version that needs separate rules for Outlook Anywhere and Outlook Mobile Access; Exchange 2003 publishing allows you to mark all options at once).

c)     Select Publish a single website or load balancer in the next window

d)    Choose Use SSL to connect to the published web server or web farm; this means SSL will also be used on the connection to our webmail pages on the Exchange server (the SSL requirement for clients connecting from the outside is set on the web listener later on).

e)     Enter the Internal Site Name; this one is a bit unclear to me. The only way I have ever seen this work, is by entering the same name as in the common name field of the SSL-certificate. In order to make sure the ISA 2006 server "resolves" the internal site name correctly, I make use of the ISA 2006 server's hosts file, in which I enter the following:

<internal IP-address of Exchange Server>         webmail.pdtit.be

f)     In the next window, you can "limit" traffic to the specific webmail URL only, or accept any domain name; just as an example, I will use the any domain name option. (If multiple sites are to be published with only one official internet IP-address, you have to make a distinction on your ISA 2006 box by using different publishing rules, each referring to the common name of its own URL, e.g. webmail.pdtit.be, extranet.pdtit.be, …)

14)  After clicking Next, the Web Listener wizard will pop up; the web listener defines all settings related to the "SSL-communication" on the outside interface of the ISA 2006 firewall/reverse proxy.

a)     Select "new" in the next window

b)    Give a clear name for the web listener (e.g. PDT IT webmail listener)

c)     Select Require SSL secured connections with clients; this means the ISA 2006 server only accepts SSL-requests from the outside to our Exchange OWA pages.

d)    Select the Web listener interface and IP-address (if multiple exist).

e)     In the next window, we will select the SSL-certificate that should be bound to the newly created Web Listener; this will be the imported PFX-certificate that came from the Exchange Server (see the previous steps in this article on how to import an Exchange-issued PFX-certificate into the ISA 2006 server certificate store).

f)     If the previous import went okay, the certificate should be visible here, marked with a green button in front of it. If the certificate is not shown here, the import was not done correctly; you first have to solve that issue before continuing, otherwise your OWA webmail will never work.

g)    In the next window, we select how users will be prompted for their OWA logon credentials. Preferably, this will be "HTML Form Authentication" + Windows (Active Directory); notice that other credential types (e.g. RSA or Vasco token one-time passwords) are also accepted here, which raises the authentication security to a higher level.

h)     If more websites are being published by ISA 2006, Single Sign On options can be selected (allowing the user to enter his credentials only once, with ISA acting as a pass-through gateway to other internal websites that would normally also require authentication).

i)      Click Finish to close the Web Listener wizard.

j)      That's all. Make sure you confirm the "Apply" button in the ISA 2006 console; from now on, your webmail should work from anywhere on the internet.

Just as a reference, I copied screenshots of all tabs involved in the Exchange Publishing / Web Listener configuration.

Voilà, this completes our full configuration procedure to make your internal Exchange Server Outlook Web Access available from the internet, by publishing it securely through Microsoft ISA Server 2006.

 

If anyone should have questions or issues when following the above procedure, do not hesitate to leave me a comment or suggestions for updates to this article. If you are interested in receiving this procedure in a nice-to-read PDF or Word format, feel free to drop me a mail at <info at pdtit dot be>

 

Kind regards,

 

Peter
Posted sep 29 2008, 09:50 by Peter De Tender
