Microsoft ISA Server 2006 UNLEASHED part 7 pdf



332 CHAPTER 12 Securing Outlook Web Access (OWA) Traffic

11. Type and confirm a password and click Next to continue.
12. Enter a file location and name for the file and click Next.
13. Click Finish.

After the .pfx file has been exported from the OWA server, it can then be imported to the ISA server via the following procedure:

CAUTION
It is important to securely transmit this .pfx file to the ISA server and to maintain high security over its location. The certificate's security could be compromised if it were to fall into the wrong hands.

1. From the ISA server, open the MMC console (Start, Run, mmc.exe, OK).
2. Click File, Add/Remove Snap-in.
3. Click the Add button.
4. From the list shown in Figure 12.14, choose the Certificates snap-in and click Add.
5. Choose Computer Account from the list when asked what certificates the snap-in will manage and click Next to continue.
6. From the subsequent list in the Select Computer dialog box, choose Local Computer (the Computer This Console Is Running On) and click Finish.
7. Click Close and OK.

FIGURE 12.14 Customizing an MMC Certificates snap-in console for import of the OWA certificate.

After the custom MMC console has been created, the certificate that was exported from the OWA server can be imported directly from the console via the following procedure:

1. From the MMC Console root, navigate to Certificates (Local Computer), Personal.
2. Right-click the Personal folder and choose All Tasks, Import.
3. At the wizard welcome screen, click Next to continue.
4. Browse for and locate the .pfx file that was exported from the OWA server. The location can also be typed into the file name field. Click Next when located.
5. Enter the password that was created when the certificate was exported, as illustrated in Figure 12.15. Do not check to mark the key as exportable. Click Next to continue.
6. Choose Automatically Select the Certificate Store Based on the Type of Certificate, and click Next to continue.
7. Click Finish to complete the import.

After it is in the certificates store of the ISA server, the OWA SSL certificate can be used as part of publishing rules.

NOTE
If a rule that makes use of a specific SSL certificate is exported from an ISA server, either for backup purposes or to transfer it to another ISA server, then the certificate must also be saved and imported to the destination server, or that particular rule will be broken.

FIGURE 12.15 Installing the OWA certificate on the ISA server.

Creating an Outlook Web Access Publishing Rule

After the OWA SSL certificate has been installed onto the ISA server, the actual ISA mail publishing rule can be generated to secure OWA via the following procedure:

NOTE
The procedure outlined here illustrates an ISA OWA publishing rule that uses forms-based authentication (FBA) for the site, which allows for a landing page to be generated on the ISA server to preauthenticate user connections to Exchange. This forms-based authentication page can be set only on ISA, and must be turned off on the Exchange server itself to work properly. Therefore, this particular rule does not configure the ancillary services of OMA, ActiveSync, and RPC over HTTP. If FBA is not used, these services can be installed as part of the same rule. See Chapter 13 on OMA, ActiveSync, and RPC over HTTP for more info on how to do this.

1. From the ISA Management Console, click once on the Firewall Policy node from the console tree.
2. From the Tasks tab in the Task pane, click on the link titled Publish Exchange Web Client Access.
3. Enter a name for the rule (such as OWA) and click Next to continue.
4. From the Select Services dialog box, shown in Figure 12.16, select the version of Exchange from the drop-down box, then check the box for Outlook Web Access. In this example, Exchange Server 2007 OWA is being secured. Click Next to continue.
5. At the Publishing Type dialog box, choose whether to publish a single OWA server or multiple servers (load balancing). If a single server, choose the first option and click Next.

FIGURE 12.16 Selecting an Exchange OWA version to publish.

6. From the Server Connection Security dialog box, shown in Figure 12.17, choose whether there will be SSL from the ISA server to the OWA server. Because end-to-end SSL is recommended, it is preferred to select the first option, to use SSL. Click Next to continue.
7. Enter the Fully Qualified Domain Name (FQDN) of the OWA server on the next dialog box. This should match the external name referenced by the client (for example, mail.companyabc.com). Click Next to continue.

CAUTION
For an SSL-based OWA rule to work, the FQDN entered in this dialog box must exactly match what the clients will be entering into their web browsers. If it does not match, the host header for the SSL traffic from the ISA server to the Exchange OWA server changes, which causes an upstream chaining error when the site is accessed. It is also very important that the ISA server is able to resolve the FQDN to the internal OWA server, and not to an outside interface. This may involve creating a hosts file entry to point the ISA server to the proper address, or using a different internal DNS zone (split-brain DNS).

8. Under the Public Name Details dialog box, select to Accept Request for This Domain Name (Type Below) and enter the FQDN of the server into the Public Name field (for example, mail.companyabc.com). Click Next to continue.
9. Under the Web Listener dialog box, click the New button, which invokes the New Web Listener Wizard.

FIGURE 12.17 Selecting to secure traffic between ISA and the OWA server using SSL.

10. In the welcome dialog box, enter a descriptive name for the web listener (for example, OWA SSL Listener with FBA) and click Next.
11. Under Client Connection Security, select to require SSL connections with clients. This is highly recommended to secure usernames, passwords, and communications from others on the Internet. A certificate installed on the ISA server per the procedure listed previously is needed. Click Next to continue.
12. Under the IP Addresses dialog box, check the box to listen from the external network, and then click Next to continue.
13. At the Port Specification dialog box, uncheck Enable HTTP, then check Enable SSL.
14. Click on the Select Certificate button to locate the certificate installed in the previous steps, select it from the list displayed, and click OK to save the settings.
15. Click Next to continue.
16. Under the Authentication Settings dialog box, shown in Figure 12.18, select what type of authentication to use. For this example, HTML Form Authentication (FBA) is chosen.
17. Under the Single Sign On Settings, you have the option to have this listener used for access to multiple sites, using SSO to log on only once. To enable SSO (you don't have to use it right away), enter the authentication domain name in the form of ".companyabc.com" (without the quotes; don't forget the preceding dot). Click Next to continue.
18. Click Finish to complete the Listener Wizard.
19. While still on the Select Web Listener dialog box, with the new listener selected, click the Edit button.
20. Select the Connections tab.

FIGURE 12.18 Enabling FBA on the OWA listener.

21. Under the Connections tab, shown in Figure 12.19, check the box for HTTP, and select to redirect all HTTP connections to HTTPS. This will allow all HTTP requests to be automatically redirected to HTTPS.
22. Click on the Forms tab.
If deciding to allow users to change their passwords through OWA, check the boxes under the Password Management section. Note that password change through OWA must still be enabled in OWA for this to work.
23. Click OK to save the settings to the listener. Click Next when back at the Select Web Listener page.
24. Under Authentication Delegation, choose Basic Authentication from the drop-down box, since we are using Basic over SSL to the OWA server. Click Next to continue.
25. Under the User Sets dialog box, accept the default of All Authenticated Users, and click Next to continue.
26. Click Finish to complete the wizard.
27. Click OK to confirm that further publishing steps may be required.
28. Click the Apply button at the top of the Details pane.
29. Click OK to acknowledge that the changes are complete.

FIGURE 12.19 Automatically redirecting from HTTP to HTTPS.

At this point, the ISA server is set up to reverse proxy the OWA traffic and scan it for Application-layer exploits. Note that with ISA Server 2004, the automatic HTTP to HTTPS redirection was not possible, and additional rules needed to be created to handle the redirection. Fortunately, this is not the case in 2006, and automatic redirection is a new and highly useful feature.

Double-click on the newly created rule in the Details pane, and look through the tabs to see the options created in the rule. Check each of the tabs, and be careful about making changes, as one small error can make the rule not work.

CAUTION
It is important not to be confused by some of the options listed under the tabs of the individual publishing rule itself. Some of the options may seem to be necessary, but end up breaking the rule itself. If testing a different scenario, be sure to export the rule to an XML file for backup purposes before making changes. ISA publishing rules need to be set up "just so," and minor changes to the rules can break them, so it is useful to save the specific rule so that it can be restored in the event of a problem. See Chapter 18, "Backing Up, Restoring, and Recovering an ISA Server 2006 Environment," for step-by-step instructions on exporting individual rules.

To double-check, the following is a standard rule for publishing OWA that is known to work. Some of your specifics may vary, but use this list as a guide for troubleshooting any issues (see Table 12.2).

Applying Strict HTTP Filter Settings on the OWA Rule

By default, any new rule that is created only restricts the traffic using that rule to the global settings on the server. For each publishing rule, however, it is recommended to apply stricter HTTP filtering settings to match the type of traffic that will be used. For Exchange Outlook Web Access and other Exchange Services, see the table published at the following Microsoft URL:

http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx

Note that while the article was written for ISA 2004, the filtering settings apply to 2006 as well.

Enabling the Change Password Feature in OWA Through an ISA Publishing Rule

If publishing OWA using Exchange Server 2003, by default, Exchange does not display the Change Password button in Outlook Web Access. This option was previously made available by default in Exchange 2000 OWA, so many administrators may be looking to provide for this same functionality.
TABLE 12.2 Sample ISA Rule for OWA

Rule Tab            Settings
General tab         Defaults (Enable)
Action tab          Defaults (Allow)
From tab            Defaults (from anywhere)
To tab              Server field=mail.companyabc.com (hosts file points this to OWA server; make sure virtual server is set to Basic Auth)
                    Forward original host header (checked)
                    Requests come from ISA Server
Traffic tab         Defaults (128-bit grayed-out)
Public Name tab     Websites and IP addresses=mail.companyabc.com
Paths tab           External Path=<same as internal>, Internal=/public/*
                    External Path=<same as internal>, Internal=/Exchweb/*
                    External Path=<same as internal>, Internal=/Exchange/*
                    External Path=<same as internal>, Internal=/OWA/*
Bridging tab        Redirect requests to SSL port (checked), 443 entered
Users tab           Defaults (All authenticated users)
Schedule tab        Defaults (Always)
Link Translation    Defaults (Apply link translation to this rule)
Listener tab        General=OWA listener name
                    Networks=External (if inline or edge firewall; if unihomed in DMZ, choose internal network)
                    Connections=(HTTP=Enabled-80, HTTPS=Enabled-443, Redirect all traffic from HTTP to HTTPS)
                    Certificates=mail.companyabc.com (this has to be installed in the local machine cert store)
                    Authentication=HTML Form Authentication, Windows (Active Directory)
                    Forms=Defaults
                    SSO=Enabled, .companyabc.com

The Change Password button was removed to provide for a higher degree of default security in Exchange Server 2003, particularly because the Exchange 2000 Change Password feature was highly insecure in its original implementations. Fortunately, however, the Exchange Server 2003 Change Password option in OWA was recoded to operate at a much lower security context, and is subsequently much safer. Despite this fact, however, this functionality must still be enabled, first on the Exchange server, and then on the ISA server itself.
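The CAUTION in the rule procedure and the To, Listener and Bridging rows of Table 12.2 all depend on three conditions that are easy to get subtly wrong: the ISA server must resolve the public name to the internal OWA server, the listener certificate for that name must be in the Local Machine Personal store with its private key, and plain HTTP must be answered with a redirect to HTTPS. The following PowerShell script is an added post-deployment check and is not code from the book. It assumes PowerShell 3.0 or later with the DnsClient module (Resolve-DnsName) and Invoke-WebRequest, which are newer than a Windows Server 2003 era ISA host, so run it on the ISA server where such a PowerShell is available; the internal address 10.0.0.25 is a constructed placeholder to replace with your OWA server's address.

```powershell
# Added post-deployment check for an OWA publishing rule (example code, not from the book).
# Assumes PowerShell 3.0+ with Resolve-DnsName and Invoke-WebRequest, run on the ISA server
# so that the hosts file / internal DNS zone and the local certificate store are the ones ISA uses.
param(
    [string]$Fqdn = 'mail.companyabc.com',       # public name clients type (as in Table 12.2)
    [string]$ExpectedInternalIp = '10.0.0.25',   # constructed placeholder: internal OWA server address
    [int]$MinDaysValid = 30                      # warn when the certificate is closer to expiry than this
)

$ok = $true

# 1. Name resolution: the FQDN must point at the internal OWA server, not at an outside interface,
#    or the SSL bridge from ISA to Exchange fails with a chaining error.
$resolved = @((Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop).IPAddress)
if ($resolved -contains $ExpectedInternalIp) {
    Write-Host "OK   $Fqdn resolves to $($resolved -join ',') (internal OWA server)"
} else {
    Write-Warning "$Fqdn resolves to $($resolved -join ',') but the internal OWA server is $ExpectedInternalIp; check the hosts file or the internal (split-brain) DNS zone"
    $ok = $false
}

# 2. Listener certificate: imported under Computer Account (Cert:\LocalMachine\My), private key present,
#    FQDN in the subject or SAN, and not about to expire.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.Subject -match [regex]::Escape("CN=$Fqdn") -or $_.DnsNameList.Unicode -contains $Fqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "no certificate with a private key for $Fqdn in Cert:\LocalMachine\My; re-import the .pfx under Computer Account"
    $ok = $false
} else {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host "OK   certificate $($cert.Thumbprint) for $Fqdn, valid for $daysLeft more days"
    if ($daysLeft -lt $MinDaysValid) { Write-Warning "certificate expires in $daysLeft days"; $ok = $false }
}

# 3. HTTP-to-HTTPS redirect (Connections tab): the first hop on port 80 must be a redirect to https://FQDN,
#    never the logon form over clear text. Follow no redirects so the Location header can be inspected.
$status = 0; $location = ''
try {
    $resp = Invoke-WebRequest -Uri "http://$Fqdn/exchange/" -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    $status = [int]$resp.StatusCode; $location = [string]$resp.Headers['Location']
} catch {
    # Windows PowerShell raises when the redirect limit is hit; the response is still attached to the exception
    $r = $_.Exception.Response
    if ($r) { $status = [int]$r.StatusCode; $location = [string]$r.Headers['Location'] }
}
if (($status -in 301,302,307) -and ($location -like "https://$Fqdn/*")) {
    Write-Host "OK   HTTP $status redirect to $location"
} else {
    Write-Warning "expected an HTTP->HTTPS redirect, got status $status (Location: '$location'); check the listener's Connections tab"
    $ok = $false
}

if ($ok) { Write-Host 'All OWA publishing checks passed' } else { Write-Host 'One or more checks failed'; exit 1 }
```

Run it after every Apply of the rule, and again before a certificate renewal; the non-zero exit code makes it usable from a scheduled task so a drifted hosts file entry or an expiring certificate is noticed before users see an error page.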
Enabling the Change Password Feature on the OWA Server

Enabling the Change Password feature on the Exchange OWA server involves a three-step process: creating a virtual directory for the password reset, configuring the virtual directory, and modifying the Exchange server registry to support the change. To start the process and create the virtual directory, perform the following steps:

1. From the OWA server, open IIS Manager (Start, All Programs, Administrative Tools, Internet Information Services [IIS] Manager).
2. Right-click the OWA virtual server (typically named Default Web Site) and choose New, Virtual Directory.
3. At the welcome dialog box, click Next.
4. Under Alias, enter iisadmpwd and click Next.
5. Enter C:\windows\system32\inetsrv\iisadmpwd into the path field, as shown in Figure 12.20 (where C:\ is the system drive), and click Next to continue.
6. Check the boxes for Read and Run Scripts permissions and click Next.
7. Click Finish.

After it is created, the IISADMPWD virtual directory needs to be configured to use the Exchange application pool, and also be forced to use basic authentication with SSL (highly recommended for security reasons). To do so, perform the following steps:

1. In IIS Manager, under the OWA virtual server, right-click the newly created iisadmpwd virtual directory and choose Properties.

FIGURE 12.20 Creating the IISADMPWD virtual directory.

2. Under the Virtual Directory tab, in the Application Settings field, choose ExchangeApplicationPool from the drop-down box labeled Application Pool, as shown in Figure 12.21.
3. Choose the Directory Security tab, and click Edit under Authentication and Access Control.
4. Uncheck Enable Anonymous Access, and check Basic Authentication.
5. Click Yes to acknowledge the warning (SSL will be used, so this warning is moot).
6. Click OK to save the authentication methods changes.
7. Under Secure Communications, click the Edit button.
8. Check the boxes for Require Secure Channel (SSL) and Require 128-bit Encryption and click OK twice to save the changes.

After the virtual directory has been created, a registry change must be made to allow password resets to take place. To do this, perform the following steps:

1. Click Start, Run, type in regedit.exe, and click OK.
2. Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA.

FIGURE 12.21 Modifying the IISADMPWD virtual directory.

[...]

[...] Feature

After the Change Password feature has been enabled on the OWA server, the existing ISA OWA publishing rule must be modified to support the change, if it hasn't been already. To enable this, do the following from the ISA console:

1. From the ISA server, open the ISA Management Console (Start, All Programs, Microsoft ISA Server, ISA Server Management).
2. Navigate to the Firewall Policy node in the console [...]

FIGURE 13.3 Understanding [...] (diagram of the client's SSL connections to the \exchange, \public, \oma and \Microsoft-Server-ActiveSync virtual directories of the OWA virtual server, once on an Exchange OWA/mailbox server and once on an Exchange OWA/front-end server in front of the mailbox store)

[...] development of ISA Server 2006's security capabilities. These capabilities enable many organizations to provide for secured, auditable access to their messaging environments. This helps to satisfy the governmental and industry compliance concerns that plagued some of the past messaging access methods.

Outlining ISA Server 2006's Messaging Security Mechanisms

As a backdrop to these developments, ISA Server 2006 [...]

[...] OWA Server Configured as a Back-End Mailbox Server." After the certificate is installed, it must be exported and imported to the ISA server, via the same procedure described in Chapter 12, in the section "Exporting and Importing the OWA Certificate to the ISA Server." Only then can an additional ISA rule be configured with a separate listener for non-FBA traffic.

Assigning a New IP Address on the ISA Server [...]

[...] publish a server farm. In this example, a single server is published.
6. Select to use SSL to connect to the server, as shown in Figure 13.10. Click Next to continue.
7. Enter the mail server name (that is, mail2.companyabc.com). Make sure the host name is addressable from the ISA server and that it points to the secondary IP of the OWA server. Click Next to continue.

FIGURE 13.9 Setting up an OMA-EAS ISA publishing [...]

[...] for the Additional Web Listener

The first step to enabling support for OMA and ActiveSync on an ISA server that supports OWA with FBA is to add an additional IP address to the ISA server for the additional listener to attach itself to. To do this, perform the following steps on the ISA server:

NOTE
If the ISA server is directly connected to the Internet, an additional public IP address needs to be obtained [...]

[...] and restart IIS from IIS Manager (right-click the Servername and choose All Tasks, Restart IIS, OK).

FIGURE 13.6 Configuring the Registry settings for the ExchDAV changes.

NOTE
For more information on this particular solution, reference Microsoft KB Article #817379 at the URL: http://support.microsoft.com/kb/817379/EN-US/

Supporting Mobile Services in ISA When Using Forms-Based Authentication for OWA [...]

[...] service.

Configuring ISA Server to Secure RPC over HTTP(S) Traffic

Configuring RPC over HTTPS on an Exchange Back-End Server

After the networking service for RPC over HTTP has been installed, the Exchange server must be configured to act as an RPC over HTTP back-end server. In the case of the all-in-one Exchange server, where there is no unique front-end server and a single Exchange server acts as the [...]

[...] the Edit String field, under Value Data, type in the following and click OK, as shown in Figure 13.14:

SERVERNAME:6001-6002;server.companyabc.com:6001-6002;SERVERNAME:6004;server.companyabc.com:6004;

(Where SERVERNAME is the NetBIOS name of the server and server.companyabc.com is the FQDN of the server as it will appear for RPC services.)

5. Close Registry Editor.

CAUTION
It is critical to match the [...]

[...] virtual server again and choose New, Virtual Directory.
7. Enter a name of oma in the Name field and choose Outlook Mobile Access under Exchange Path. This time, authentication does not need to be changed because it is inherited from the root. Click OK.
8. Right-click the virtual server again and choose New, Virtual Directory.
9. [...]
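The IISADMPWD virtual directory procedure from Chapter 12 above (create the directory with Read and Run Scripts, assign ExchangeApplicationPool, allow Basic authentication only, require SSL and 128-bit encryption) can be scripted so that the settings are reproducible and can be read back for an audit. The following PowerShell script is an added example and is not code from the book or from Microsoft; it drives the IIS 6 metabase through its ADSI provider (IIS://localhost/W3SVC) and assumes that PowerShell is installed on the OWA server, that it runs as a local administrator, and that the Default Web Site is site instance 1. The flag values it uses (AccessRead=1, AccessScript=512, AuthBasic=2, AuthAnonymous=1, AccessSSL=8, AccessSSL128=256) are the documented IIS 6 metabase constants. The registry change is left to the procedure in the text.

```powershell
# Added example (not from the book): script the IISADMPWD virtual directory on an
# Exchange 2003 / IIS 6 OWA server the way the Chapter 12 steps configure it by hand.
# Assumptions: IIS 6 ADSI provider available, Default Web Site is W3SVC/1, run elevated.
$siteId   = 1                                             # assumption: Default Web Site instance
$alias    = 'iisadmpwd'
$physical = Join-Path $env:SystemRoot 'system32\inetsrv\iisadmpwd'
$appPool  = 'ExchangeApplicationPool'
$vdirPath = "IIS://localhost/W3SVC/$siteId/Root/$alias"

# IIS 6 metabase bit flags
$AccessRead   = 1;  $AccessScript = 512                   # Read + Run Scripts
$AuthAnonymous = 1; $AuthBasic    = 2                     # AuthFlags: Basic only, anonymous off
$AccessSSL    = 8;  $AccessSSL128 = 256                   # Require Secure Channel + 128-bit

if (-not (Test-Path $physical)) { throw "IISADMPWD files not found at $physical" }

# Create the virtual directory if it does not exist yet (idempotent re-runs reconfigure it)
if ([ADSI]::Exists($vdirPath)) {
    $vdir = [ADSI]$vdirPath
} else {
    $root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
    $vdir = $root.Create('IIsWebVirtualDir', $alias)
    $vdir.Put('Path', $physical)
    $vdir.SetInfo()
}

# Mark it as an application in a pooled worker process so it can join the Exchange pool
# (AppCreate2 mode 2 = pooled); then assign the pool.
$vdir.psbase.Invoke('AppCreate2', 2)
$vdir.Put('AppPoolId', $appPool)

# Access and authentication exactly as in steps 6, 4 and 8 of the text:
# Read + Scripts, Basic authentication only (no anonymous), SSL with 128-bit required
$vdir.Put('AccessFlags',    ($AccessRead -bor $AccessScript))
$vdir.Put('AuthFlags',      $AuthBasic)
$vdir.Put('AccessSSLFlags', ($AccessSSL -bor $AccessSSL128))
$vdir.SetInfo()

# Read the effective settings back from the metabase so the result can go into the change record
$check = [ADSI]$vdirPath
$auth  = [int]$check.AuthFlags.Value
$ssl   = [int]$check.AccessSSLFlags.Value
$fields = @(
    $alias, $check.Path.Value, $check.AppPoolId.Value,
    [bool]($auth -band $AuthAnonymous), [bool]($auth -band $AuthBasic),
    [bool]($ssl -band $AccessSSL), [bool]($ssl -band $AccessSSL128)
)
'{0}: path={1} pool={2} anonymous={3} basic={4} requireSSL={5} require128bit={6}' -f $fields
```

The read-back line is the part worth keeping: it reports the settings IIS actually holds rather than the ones the script intended, so a re-run after someone changes the directory in IIS Manager shows whether anonymous access or the SSL requirement has drifted from the configuration the text prescribes.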

Posted on: 09/08/2014, 09:21
