TMG SP1 Technical Preview Now Available

The Technical Preview of Service Pack 1 for Threat Management Gateway is now available on Microsoft's Connect website.
Download link: https://connect.microsoft.com/forefrontsecurity/content/content.aspx?ContentID=16930&wa=wsignin1.0

One thing which I always wanted and ISA never provided successfully was the user activity report: what is the user doing? What is he/she surfing on the net? And so on. Now, with TMG 2010 SP1 you can have the user activity report for the last 24 hours, 1 hour, 30 days or 7 days. You can pull a report for an individual user or for multiple users at the same time.

Now, it will be interesting to see what other vendors bring to the table. Well, my guess is that TMG is strongly making its presence felt in the market now and is emerging as a strong competitor in web proxy and content management solutions. TMG provides URL filtering out of the box; although it is a subscription-based service, it is simple and easy to use.

Overall I am very pleased with the efforts put in by the TMG development team in building a market ready product.

Cheers !!

ISA/TMG: Domain and Workgroup Considerations

It has always been a topic of debate whether to keep ISA/TMG servers in a domain or in a workgroup. Some time back I wrote a blog entry (http://isingh.spaces.live.com/blog/cns!D4B487C69B1A780!159.entry) covering the domain member vs. workgroup model.

To bring that entry up to date, I would like to add the URLs below, which describe the supported and unsupported scenarios when configuring ISA/TMG servers in a domain or in a workgroup.

http://technet.microsoft.com/en-us/library/dd897048.aspx
http://technet.microsoft.com/en-us/library/ee796231.aspx#kjdfg947jfht

I hope these URLs help you understand the key features you lose when you implement the workgroup model.

Cheers !!

Blog Post Resources For Forefront TMG/ISA and UAG/IAG

Forefront TMG and ISA Server

Forefront Edge Security TechCenter http://technet.microsoft.com/en-gb/forefront/edgesecurity/default.aspx
Forefront Edge Security Community http://technet.microsoft.com/en-gb/forefront/edgesecurity/bb687298.aspx
Using Mail Protection with Exchange EdgeSync on Forefront TMG http://technet.microsoft.com/en-gb/library/ee513174.aspx
Forefront TMG (ISA Server) Product Team Blog http://blogs.technet.com/isablog/
Using Windows Server Update Service for the TMG Update Center http://blogs.technet.com/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx
The Whitepaper for Configuring and Troubleshooting NIS in Forefront TMG 2010 is Now Available http://blogs.technet.com/isablog/archive/2009/12/08/the-whitepaper-for-configuring-and-troubleshooting-nis-in-forefront-tmg-2010-is-now-available.aspx
RRAS Ports are not created after enabling VPN on ISA Server 2006 http://blogs.technet.com/isablog/archive/2009/12/08/rras-ports-are-not-created-after-enabling-vpn-on-isa-server-2006.aspx
Forefront TMG 2010 Tools and SDK Update http://blogs.technet.com/isablog/archive/2009/12/10/forefront-tmg-2010-tools-and-sdk-update.aspx
Reducing Kerberos requests when using KCD for web publishing. http://blogs.technet.com/isablog/archive/2009/12/11/reducing-kerberos-requests-when-using-kcd-for-web-publishing.aspx
Hyper-V Update to Improve Network Stability http://blogs.technet.com/isablog/archive/2009/12/12/hyper-v-update-to-improve-network-stability.aspx
Manually creating the SecurID Node Secret fails on Forefront TMG. http://blogs.technet.com/isablog/archive/2009/12/15/manually-creating-the-securid-node-secret-fails-on-forefront-tmg.aspx
Closing the Forefront codename Stirling – Forefront TMG forum http://blogs.technet.com/isablog/archive/2009/12/15/closing-the-forefront-codename-stirling-forefront-tmg-forum.aspx
Troubleshooting NIS was never made easier http://blogs.technet.com/isablog/archive/2009/12/15/troubleshooting-nis-was-never-made-easier.aspx
How to get NLB to work with Forefront TMG when running in Hyper-V. http://blogs.technet.com/isablog/archive/2009/12/22/How-to-get-NLB-to-work-with-Forefront-TMG-when-running-in-Hyper_2D00_V.aspx
RRAS Service fails to start on ISA Server 2006 when enabling RADIUS Authentication for VPN Users http://blogs.technet.com/isablog/archive/2009/12/23/rras-service-fails-to-start-on-isa-server-2006-when-enabling-radius-authentication-for-vpn-users.aspx
Using Forefront TMG/ISA Server BPA for documenting your deployment http://blogs.technet.com/isablog/archive/2009/12/24/using-forefront-tmg-isa-server-bpa-for-documenting-your-deployment.aspx
Forefront TMG 2010 documentation now available on TechNet http://blogs.technet.com/isablog/archive/2009/12/29/forefront-tmg-2010-documentation-now-available-on-technet.aspx
Categories for URL Filtering http://blogs.technet.com/isablog/archive/2010/01/03/categories-for-url-filtering.aspx
Localized versions of Forefront TMG 2010 documentation released to TechNet http://blogs.technet.com/isablog/archive/2010/01/04/localized-versions-of-forefront-tmg-2010-documentation-released-to-technet.aspx
Scripting URL overrides in Forefront TMG http://blogs.technet.com/isablog/archive/2010/01/07/scripting-url-overrides-in-forefront-tmg.aspx
Hardware recommendations for Forefront TMG 2010 http://blogs.technet.com/isablog/archive/2010/01/12/hardware-recommendations-for-forefront-tmg-2010.aspx
SCOM pack for Forefront Threat Management Gateway 2010 has been released http://blogs.technet.com/isablog/archive/2010/01/14/scom-pack-for-forefront-threat-management-gateway-2010-has-been-released.aspx
Forefront TMG Administrator’s Companion Goes to the Printers http://blogs.technet.com/isablog/archive/2010/01/15/forefront-tmg-administrator-s-companion-goes-to-the-printers.aspx
Tips and Tricks – ISA Data Packager Fails to Start http://blogs.technet.com/isablog/archive/2010/01/18/tips-and-tricks-isa-data-packager-fails-to-start.aspx
Announcing the availability of TMG Best Practices Analyzer Version 8 http://blogs.technet.com/isablog/archive/2010/01/22/announcing-the-availability-of-tmg-best-practices-analyzer-version-8.aspx

 

Forefront Unified Access Gateway & Intelligent Application Gateway 2007

Intelligent Application Gateway 2007 Technical Resources http://technet.microsoft.com/en-gb/forefront/edgesecurity/bb687299.aspx
Forefront Edge Security Community http://technet.microsoft.com/en-gb/forefront/edgesecurity/bb687298.aspx
Forefront Unified Access Gateway Product Team Blog http://blogs.technet.com/edgeaccessblog
Forefront Unified Access Gateway (UAG) 2010 is released! http://blogs.technet.com/edgeaccessblog/archive/2009/12/24/forefront-unified-access-gateway-uag-2010-is-released.aspx
An improved way of managing the Access Enabling Servers or "Managing DirectAccess Management with UAG" http://blogs.technet.com/edgeaccessblog/archive/2010/01/10/an-improved-way-of-managing-the-access-enabling-servers-or-managing-directaccess-management-with-uag.aspx
UAG DirectAccess and F5 BigIP – Better Together http://blogs.technet.com/edgeaccessblog/archive/2010/01/12/uag-directaccess-and-f5-bigip-better-together.aspx
UAG 2010 is now on MSDN http://blogs.technet.com/edgeaccessblog/archive/2010/01/13/uag-2010-is-now-on-msdn.aspx
Forefront UAG RTM documentation now live on TechNet http://blogs.technet.com/edgeaccessblog/archive/2010/01/13/forefront-uag-rtm-documentation-now-live-on-technet.aspx
Forefront UAG in Common Criteria Evaluation http://blogs.technet.com/edgeaccessblog/archive/2010/01/14/forefront-uag-in-common-criteria-evaluation.aspx
What happened to Basic and Webmail trunks? http://blogs.technet.com/edgeaccessblog/archive/2010/01/15/what-happened-to-basic-and-webmail-trunks.aspx
How to configure Forefront TMG to block AD users from accessing internal resources http://blogs.technet.com/edgeaccessblog/archive/2010/01/19/how-to-configure-forefront-tmg-to-block-ad-users-from-accessing-internal-resources.aspx

Cheers !!!

Things Required when publishing Exchange OWA using ISA Server 2006

ISA Server is a great resource when it comes to publishing internal resources on the internet for external access. One of the most common scenarios is publishing Exchange OWA through ISA Server. ISA Server can publish Exchange OWA for Exchange 2000/2003/2007 and so on.

There are a few things that are required when publishing Exchange OWA through ISA. You may be asked questions such as: Do you want users to authenticate on ISA? Are you using any monitoring tool that needs to record the client's IP? What protocols do you want to publish? Are you going to have a DMZ network or not? What will your Exchange architecture be?

Once you have the answers to all of the questions above, you can publish Exchange OWA without any issues.

Let me describe what needs to be done for some of the scenarios and questions above.

Do you want users to authenticate on ISA?

    This question is important because ISA Server can authenticate users before connecting them to the back-end servers. This provides another layer of defense in protecting your internal resources. When you come across this question, I would recommend answering "yes", as it makes sense to authenticate users on your firewall. If you do so, then you have to select "All Authenticated Users" or the AD groups you created in ISA while publishing Exchange OWA. Also, while creating the web listener you have to select the appropriate authentication mechanism. ISA supports:

Active Directory: Windows Active Directory. ISA must be a domain member to use it.
LDAP (Active Directory): Only Windows Active Directory is supported as the directory for LDAP queries. This is used when ISA is in a workgroup.
RADIUS: RADIUS is a standard and can be used in both scenarios, whether ISA is part of a domain or not.
RADIUS OTP: RADIUS One-Time Password provides a secure way of connecting to the resources (not covered in detail).
SecurID: (not covered)

Are you using any monitoring tool that needs to record the client's IP? What protocols do you want to publish?

Since ISA is a NAT device, it replaces the source address with its own IP on the outgoing interface and changes it back when the response returns. So, if you are using any monitoring utility, then most of the time with the default configuration you will see only ISA's internal/DMZ IP, not the client IP. To make this work the way you want, you have to select the option "the request should appear from the original client" under the "To" tab of the published rule's property page.

There can never be one set of questions that applies to all organizations and that they can simply go through to implement the technology. Every company has its own needs when it comes to securing its resources.

Now that you have a glimpse of what to ask before implementing ISA Server, let's see what you need to keep in mind while implementing OWA publishing. Again, the requirements might change depending on the scenario in which ISA is being deployed, but most of the points remain the same for almost all scenarios.

When publishing OWA through ISA you have to take care of a few things, such as:

  1. The public name that will be used to access OWA, the name on the server certificate on ISA and the name you put as the public name in the OWA publishing rule should all be the same. For example, if my public name is OWA.TEST.COM then you should already have a server authentication certificate installed on ISA with the name OWA.TEST.COM or *.TEST.COM.
  2. The server authentication certificate on ISA should have a private key associated with it. The public key is always there.
  3. If you aren't using host headers on your Exchange server, then clear the check box for the option "Forward the original host header in place of the original".
  4. When you authenticate on ISA, select "All Authenticated Users" or a specific user set under the Users tab. If you select "All Users", then your authentication will be bypassed, whatever it may be. "All Users" should be used when you are using "No Authentication" on ISA Server.
  5. Under the listener, select a specific IP address for OWA.
  6. Under Authentication, LDAP or RADIUS should be selected if your ISA is not a domain member.
  7. Under the Authentication Delegation tab, select the authentication method that you are using on the Exchange server.
  8. One thing ISA cannot do is delegate credentials in an FBA-to-FBA scenario. If you are using Forms Based Authentication on your Exchange servers, then you have to change it to Integrated Authentication or Basic Authentication.
  9. You should always use the Exchange Web Client Access Publishing rule when publishing OWA because of the additional settings involved. Don't use the normal web publishing rule.

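As an added example (not the post's own code), here is a PowerShell check for points 1 and 2 above, run on the ISA server: it looks through the local computer's personal certificate store for certificates whose subject CN or SAN matches the public name (including a single-label wildcard such as *.TEST.COM) and reports whether each one has a private key and the Server Authentication usage. The public name owa.test.com is a hypothetical value taken from the post's example, and the SAN parsing assumes the English "DNS Name=" text that Format() produces.

```powershell
# Added example, not from the original post: checks the listener certificate
# prerequisites (points 1 and 2) in the local machine's personal store.
param([string]$PublicName = "owa.test.com")   # hypothetical public name from the post

function Get-CertDnsNames {
    # Subject CN plus any DNS entries in the Subject Alternative Name extension (OID 2.5.29.17)
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is locale dependent; "DNS Name=" is the English form
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

function Test-NameMatch {
    # A wildcard covers exactly one label: *.test.com matches owa.test.com but not a.b.test.com
    param([string]$Name, [string]$CertName)
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                     # ".test.com"
        if ($Name.Length -le $suffix.Length) { return $false }
        if (-not $Name.EndsWith($suffix, 'OrdinalIgnoreCase')) { return $false }
        $leftLabel = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($leftLabel -notmatch '\.')
    }
    return [string]::Equals($Name, $CertName, 'OrdinalIgnoreCase')
}

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage
$found = $false
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $hit = Get-CertDnsNames $cert | Where-Object { Test-NameMatch -Name $PublicName -CertName $_ }
    if (-not $hit) { continue }
    $found = $true
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))
    # Point 2: the listener cannot use a certificate that has no private key
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $serverAuth
        NotAfter      = $cert.NotAfter
        Usable        = ($cert.HasPrivateKey -and $serverAuth -and ($cert.NotAfter -gt (Get-Date)))
    }
}
if (-not $found) { Write-Warning "No certificate in LocalMachine\My matches $PublicName" }
```

A certificate listed with Usable = False tells you which of the three conditions (private key, Server Authentication usage, validity period) the listener will fail on before you create the publishing rule.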
I hope these points help you configure Exchange OWA through ISA Server successfully.

Cheers