Things Required when publishing Exchange OWA using ISA Server 2006

ISA Server is a great resource when it comes to publishing internal resources on the internet for external access. One of the most common scenarios is publishing Exchange OWA through ISA Server. ISA Server can publish OWA for Exchange 2000, 2003, 2007 and so on.

There are a few things which are required when publishing Exchange OWA through ISA. You should ask questions like: Do you want users to authenticate on ISA? Are you using any monitoring tool which needs to record the client's IP? What protocols do you want to publish? Are you going to have a DMZ network or not? What will your Exchange architecture be?

Once you have the answers to the questions above you can publish Exchange OWA without any issues.

Let me tell you what needs to be done for some of the scenarios and questions above.

Do you want users to authenticate on ISA?

    This question is important because ISA Server can authenticate users before connecting them to the back-end servers. This provides another layer of defense protecting your internal resources. When you come across this question, I would recommend answering "yes", as it makes sense to authenticate users on your firewall. If you do so, you have to select "All Authenticated Users" or the AD groups you created in ISA while publishing Exchange OWA. Also, while creating the web listener you have to select the appropriate authentication mechanism. ISA supports:

Active Directory: Windows Active Directory. ISA must be a domain member to use it.
LDAP (Active Directory): only Windows Active Directory is supported as the target of the LDAP queries. This is used when ISA is in a workgroup.
RADIUS: RADIUS is a standard and can be used in both scenarios, whether ISA is part of the domain or not.
RADIUS OTP: RADIUS One Time Password provides a secure way of connecting to the resources (not covered in detail).
SecurID: (not covered)

Are you using any monitoring tool which needs to record the client's IP? What protocols do you want to publish?

ISA, being a NAT device, replaces the source IP with its own IP on the outgoing interface and changes it back when the response comes in. So, if you are using any monitoring utility, with the default configuration you will most of the time see only ISA's internal/DMZ IP, not the client IP. To make this work the way you want, select the option "the request should appear to come from the original client" under the "To" tab of the published rule's property page.

There can never be one set of questions which applies to all organizations and which they can simply go through to implement the technology. Every company has its own needs when it comes to securing its resources.

Now that you have a glimpse of what to ask before implementing ISA Server, let's see what you need to keep in mind while implementing OWA publishing. Again, the requirements might change depending on the scenario in which ISA is being deployed, but most of the things remain the same for almost all scenarios.

When publishing OWA through ISA you have to take care of a few things, like:

  1. The public name which will be used to access OWA, the name on the server certificate on ISA and the name you put as the public name in the OWA publishing rule should all be the same. For example, if my public name is OWA.TEST.COM then you should have a server authentication certificate already installed on ISA with the name OWA.TEST.COM or *.TEST.COM.
  2. The server authentication certificate on ISA must have a private key associated with it. The public key is always there.
  3. If you aren't using host headers on your Exchange server then remove the check mark from the option "Forward the original host header in place of the original".
  4. When you authenticate on ISA, select "All Authenticated Users" or a specific user set under the Users tab. If you select "All Users" then your authentication will be bypassed, whatever it may be. "All Users" should only be used when you are using "No Authentication" on ISA Server.
  5. Under the listener, select the specific IP address used for OWA.
  6. Under Authentication, LDAP or RADIUS should be selected if your ISA is not a domain member.
  7. Under the Authentication Delegation tab, select the appropriate authentication which you are using on the Exchange server.
  8. One thing ISA cannot do is delegate credentials in an FBA-to-FBA scenario. If you are using Forms Based Authentication on your Exchange servers then you have to change it to Integrated Authentication or Basic Authentication.
  9. You should always use the Exchange Web Client Access Publishing rule when publishing OWA because of the additional settings involved. Don't use the normal web publishing rule.
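Points 1 and 2 are the ones that most often break an OWA rule, so here is an added pre-flight check (my own script, not from the original post) that runs on the ISA server and looks in the computer store for a certificate whose name covers the public name and which actually has a private key. The public name owa.test.com is the post's sample; the wildcard matching follows the one-label rule from point 1.

```powershell
# Added pre-flight check for checklist items 1 and 2 (not from the original post): find a
# certificate in the ISA computer store that covers the OWA public name and has a private key.
# Assumes it runs on the ISA server; "owa.test.com" is the post's sample public name.
param([string]$PublicName = "owa.test.com")
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$SanOid        = "2.5.29.17"           # subjectAltName

function Test-NameMatch([string]$CertName, [string]$HostName) {
    $c = $CertName.ToLower(); $h = $HostName.ToLower()
    if ($c -eq $h) { return $true }
    # A wildcard covers exactly one label: *.test.com matches owa.test.com, not mail.owa.test.com
    if ($c.StartsWith("*.")) {
        $suffix = $c.Substring(1)                                  # ".test.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains("."))
    }
    return $false
}

function Get-CertDnsNames($Cert) {
    $names = @()
    if ($Cert.Subject -match "CN=([^,]+)") { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        # Formatted SAN reads like "DNS Name=owa.test.com, DNS Name=*.test.com"
        foreach ($part in ($san.Format($false) -split ",\s*")) {
            if ($part -match "^DNS Name=(.+)$") { $names += $Matches[1] }
        }
    }
    return $names
}

function Test-ServerAuthEku($Cert) {
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if (-not $eku) { return $true }           # no EKU extension means any purpose is allowed
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

$found = $false
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $names = Get-CertDnsNames $cert
    if (-not ($names | Where-Object { Test-NameMatch $_ $PublicName })) { continue }
    $problems = @()
    if (-not $cert.HasPrivateKey)        { $problems += "no private key (import the PFX, not just the .cer)" }
    if ($cert.NotAfter -lt (Get-Date))   { $problems += "expired on $($cert.NotAfter)" }
    if (-not (Test-ServerAuthEku $cert)) { $problems += "EKU lacks Server Authentication" }
    if ($problems.Count -eq 0) { $found = $true; "OK: $($cert.Subject) thumbprint $($cert.Thumbprint)" }
    else { "UNUSABLE: $($cert.Subject): " + ($problems -join "; ") }
}
if (-not $found) { Write-Warning "No usable certificate for $PublicName found in LocalMachine\My" }
```

A certificate reported as UNUSABLE for lack of a private key is the classic symptom of importing the .cer sent back by the CA onto a different machine than the one that generated the request.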

Hope these points help you configure Exchange OWA through ISA Server successfully.

 

Cheers

Publishing the TS Web Access and the TS Gateway Server using the ISA Server 2006

 
There is great demand for publishing TS Web Access and TS Gateway Server using ISA Server 2006, so I thought of putting together configuration videos to show the steps involved. The videos below show the different parts of the configuration. I have assumed that the TS Web Access and TS Gateway servers are working properly in your internal network before you publish them on the internet.
 
Video: My Lab Architecture (it's important to check this first, as it tells you what names and configuration I have used)

Video: Changes required on the TS RemoteApp Manager (optional, if you aren't using any RemoteApps)

Video: Publishing TS Web Access using ISA Server 2006 with Form Based Authentication

Video: Publishing the TS Gateway Server using ISA Server 2006 with No Authentication on ISA Server
 
 
 
Also, make the change below in IIS on the TS Web Access server. Go to IIS > TS (virtual directory) > ASP.NET > Application Settings and make the following changes:

DefaultTSGateway : <Enter the external public name of TS Gateway>
GatewayCredentialsSource : < 0 for NTLM>
Cheers
 

RPC_OUT_DATA Error while publishing TS Gateway Server using ISA 2006

 Failed Connection Attempt ISASERVER 1/30/2009 4:26:53 AM
Log type: Web Proxy (Reverse)
Status: 10054 An existing connection was forcibly closed by the remote host. 
Rule: TS Gateway
Source: External (39.1.1.10)
Destination: (192.168.0.11:80)
Request: RPC_OUT_DATA http://ts.contoso.com/rpc/rpcproxy.dll?localhost:3388
Filter information: Req ID: 07a09551; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
 Additional information 
 
I had a hard time resolving the above error. The ISA logs show RPC_IN_DATA allowed but RPC_OUT_DATA denied.
 
RPC_OUT_DATA is the response channel from the RPC server to the RPC client. On the other hand, the RPC client sends requests to the RPC server in the form of RPC_IN_DATA. I came across a very nice article which talks about the same: http://blogs.technet.com/isablog/archive/2007/08/13/testing-rpc-over-http-through-isa-server-2006-part-1-protocols-authentication-and-processing.aspx
 
Possible causes in the TS Web Access scenario (these are not the only ones):
 
1. You are using HTTPS from the client to ISA and HTTP from ISA to the TS Gateway server. If your SSL bridging is HTTPS to HTTP then you need to go into TS Gateway Manager > Server Properties > SSL Bridging tab and enable the setting which says HTTPS-HTTP Bridging.
 
2. The default home directories of the /TS and /RPC virtual directories of the Default Web Site have been changed.

    /TS should have the home directory C:\Windows\Web\TS
    /Rpc should have the home directory C:\Windows\System32\RpcProxy
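The two IIS settings from the TS Web Access post above (DefaultTSGateway and GatewayCredentialsSource) and the two home directories in cause 2 are easy to verify before opening a case. The script below is an added check of my own, not from the original posts; it assumes IIS 7 on the TS Web Access server, the Default Web Site, appcmd.exe in its default location, and uses ts.contoso.com from the log sample as the expected gateway name.

```powershell
# Added check (not from the original post) for the two TS Web Access application settings
# above and for the /TS and /Rpc physical paths from the RPC_OUT_DATA post. Assumes IIS 7 on
# the TS Web Access server, the Default Web Site and appcmd.exe in its default location.
param(
    [string]$ExpectedGateway = "ts.contoso.com",   # external public name, as in the log sample
    [string]$SiteName        = "Default Web Site"
)
$appcmd   = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$expected = @{
    "$SiteName/TS/"  = Join-Path $env:windir "Web\TS"
    "$SiteName/Rpc/" = Join-Path $env:windir "System32\RpcProxy"
}
$ok = $true
foreach ($vdir in $expected.Keys) {
    # appcmd identifies a vdir as "<site>/<app path><vdir path>"; IIS stores paths as %SystemRoot%\...
    $raw    = (& $appcmd list vdir $vdir /text:physicalPath) -join ""
    $actual = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if ($actual -ine $expected[$vdir]) { "$vdir physical path is '$actual', expected '$($expected[$vdir])'"; $ok = $false }
}
# The two appSettings live in the /TS application's web.config
[xml]$cfg = Get-Content (Join-Path $expected["$SiteName/TS/"] "web.config")
$settings = @{}
foreach ($add in $cfg.configuration.appSettings.add) { $settings[$add.key] = $add.value }
if ($settings['DefaultTSGateway'] -ine $ExpectedGateway) {
    "DefaultTSGateway is '$($settings['DefaultTSGateway'])', expected '$ExpectedGateway'"; $ok = $false
}
# 0 = ask for password (NTLM); other values select smart card or let the user choose at connect time
if ($settings['GatewayCredentialsSource'] -ne '0') {
    "GatewayCredentialsSource is '$($settings['GatewayCredentialsSource'])', expected 0 (NTLM)"; $ok = $false
}
if ($ok) { "TS Web Access settings are consistent with publishing behind ISA" }
```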

Publish TS Web Access With ISA Server 2006 using SSL Client Certificate Authentication

 
 I have seen great demand for TS Web Access being published through ISA Server. Moreover, people have been looking for ways to publish it using SSL Client Certificate Authentication on ISA Server. I have put together some configuration videos (without audio) which can help you configure TS Web Access.
 
 Video: Making changes in Active Directory for Kerberos Constrained Delegation

 Video: ISA publishing TS Web Access
 
 Cheers
 
 

ISA/TMG Lockdown Mode Theory

 
I came across a nice article which explains ISA and TMG lockdown mode. Lockdown mode in ISA/TMG occurs when the Firewall service is stopped on the server. All access is allowed from ISA to all networks, but only very limited traffic is allowed from the Internal network to ISA/TMG (Localhost).
 
The article below details the access that remains allowed as well as the reasons for ISA/TMG to go into lockdown mode.
 
 
 

Application Compatibilities when upgrading your servers from Windows 2003 to Windows 2008

 

The reason I am writing this blog is my own experience upgrading my existing Windows 2003 test lab to Windows 2008. I hit so many road blocks that I was forced not to upgrade in place to Windows 2008 but rather to migrate to a new server with Windows 2008.

I have put together a few applications which faced few or no issues when upgrading to Windows 2008.

I have a fairly simple architecture, but a very common one. In my lab I have a Windows 2003 domain controller, Windows 2003 based Exchange 2007, Windows 2003 based MOSS 2007 and a Windows 2003 based SCCM 2007 server.

Active Directory Servers

1. Active Directory servers can be migrated or upgraded to Windows 2008. Before introducing Windows Server 2008 in a Windows 2003 domain environment, run the following commands on your Windows 2003 domain controllers:

a. Run Windows 2008 CD > Sources > ADPrep > adprep /forestprep on your root DC

b. Run Windows 2008 CD > Sources > ADPrep > adprep /domainprep on each of your Windows 2003 domain controllers

c. Run Windows 2008 CD > Sources > ADPrep > adprep /domainprep /gpprep on the domain controller which issues group policies. You may also run it on all your Windows 2003 domain controllers

Exchange 2007

In-Place Upgrade

1. An in-place upgrade of Exchange 2007 on Windows 2003 to Windows 2008 is not possible, for a number of reasons. When you try to run the setup on the Exchange 2007 server, with or without SP1, it is going to tell you to uninstall PowerShell, which is itself a roadblock as it is a required component for Exchange 2007. However, Exchange 2007 can be installed fresh on a pre-installed Windows 2008. For doing so, you need Exchange 2007 with SP1.

Migration

2. Migration can be done from Windows 2003/Exchange 2007 to Windows 2008/Exchange 2007 SP1.

MOSS 2007

In-Place Upgrade

1. An in-place upgrade requires you to follow the article http://support.microsoft.com/kb/943605 if you are using the SharePoint Services Search. You need to stop the service before you upgrade to the Windows 2008 platform.