Outlook Web Access Server Publishing Scenarios
Microsoft ISA Server 2000
Feature Pack 1, Version 1
Overview
Microsoft® Internet Security and Acceleration (ISA) Server 2000 allows you to securely publish servers, thereby making internal resources accessible to external users. By configuring Web publishing rules or server publishing rules, you can determine which servers are made available.
Web publishing rules are configured to make available HTTP content on Web servers, such as Internet Information Services (IIS) servers. Server publishing rules are configured to make any other content type available.
With the advent and widespread use of Outlook® Web Access servers, many administrators are confronted with a new type of publishing paradigm. Outlook Web Access could be perceived as another Web publishing scenario. Alternatively, Outlook Web Access servers could be published as any other Exchange Server is published.
This document describes alternative methods of publishing Outlook Web Access servers. It overviews the methods, and provides step-by-step instructions on configuring the scenarios. The document focuses on these scenarios:
- Server publishing: In this scenario a Web browser establishes a direct SSL connection through the ISA Server computer (SSL tunneling) to the OWA server. For maximum browser compatibility, OWA authenticates users by using IIS Basic authentication carried inside the encrypted SSL traffic.
- Web publishing: In this scenario a Web browser establishes an SSL connection to the ISA Server computer. Optionally, ISA Server authenticates the incoming request using Basic authentication (again inside the encrypted SSL traffic). ISA Server then establishes a new SSL connection to the OWA server and forwards the request. OWA authenticates the request for mailbox access using IIS Basic authentication inside that second encrypted SSL connection.
If you are using a bridging configuration (ISA Server is the SSL endpoint for the client accessing the OWA server), use the Outlook Web Access wizard to configure Web publishing, as described in the ISA Server Feature Pack 1 documentation.
Server publishing and Web Publishing
You can use server publishing rules or Web publishing rules to make an Outlook Web Access server publicly available. Depending on your specific network needs, decide which method is preferable. This section describes some of the features pertinent to this decision.
Server publishing rules are easier to configure, and can be configured to restrict external communication to just the HTTPS protocol. Furthermore, external IP traffic destined for the OWA server is evaluated first at the ISA Server computer, which protects the OWA server against attacks based on malformed IP traffic, for example TCP SYN attacks.
Although Web publishing entails a somewhat more complex configuration process, it includes security features beyond those provided by server publishing:
- Content filtering, such as URLScan, enables screening for application-layer attacks.
- You can limit external access to specific areas within the Web site by specifying paths in the destination set.
- You can authenticate external user requests before forwarding them to the OWA server. This protects the internal Web server from malicious or malformed authentication sessions.
- External IP traffic destined for the OWA server is more rigorously evaluated at the ISA Server computer: only properly constructed HTTP requests are allowed to pass to the internal OWA Web server.
- Public OWA resources (such as icons) are cached by ISA Server, which improves performance.
Setting up the Scenario
This section describes two configuration methods for publishing an OWA Server: server publishing and Web publishing. First, the network topology used in the scenario is described. Next, configuration steps common to both scenarios are presented. Finally, step-by-step instructions for both Web publishing and server publishing are detailed.
Note that the Lab Architecture and the Configuring the OWA Server sections are relevant to both server publishing and Web publishing scenarios.
Lab Architecture
This section describes the network topology used in the OWA publishing scenarios.
In order to present a step-by-step walkthrough for configuring either of the above two publishing methods, the following network configuration will be used throughout the document to illustrate a real-world deployment scenario. All of the internal servers run Windows 2000 with Service Pack 3 (SP3). The OWA server site will be referenced by the client browser as: mail.fabrikam.com/exchange.
Although example IP addresses are used throughout the document, substitute your own real-world addressing scheme for them.
This walkthrough assumes a new, default installation of all components: ISA Server with Service Pack 1 and ISA Server Feature Pack 1, and Exchange with OWA, are correctly installed on the appropriate servers. For detailed installation instructions, refer to the corresponding product documentation or see the references in the appendix at the end of this document.
Configuring the OWA Server
In order to provide maximum privacy and browser compatibility OWA will be configured to support basic authentication encrypted within SSL communication. Perform the configuration procedures on the OWA server.
To configure the OWA Server
1.Prepare and install a digital certificate as described in Appendix A – Installing a digital certificate
2.Configure IIS to support SSL-encrypted Basic authentication, by performing the following steps:
a.Open the Internet Services Manager (or your custom MMC containing the IIS snap-in), expand the server node, expand the Default Web Site node, right-click the virtual directory /Exchange and click Properties.
b.Click the Directory Security tab and, under Anonymous access and authentication control, click Edit.
c.Under Authenticated access, select Basic authentication and click Edit to select the domain against which users should be authenticated. Clear Integrated Windows authentication if it is selected. (Disabling Integrated Windows authentication is required to force Internet Explorer to choose Basic authentication as its authentication scheme.)
d.Click OK. A dialog box warns that the Basic authentication method is not secure. Because you will encrypt the authentication exchange with SSL, click Yes to continue.
e.Click OK. A dialog box may prompt you to specify how the authentication setting should propagate to child nodes in the default site. Click Select All and click OK.
f.Under Secure communications, click Edit, select the Require secure channel (SSL) check box, and click OK twice.
g.Repeat steps 2.b through 2.f for the virtual directories /public and /exchweb.
3.Configure the OWA server to route incoming client requests back to the ISA Server.
In a Web publishing scenario, ISA Server replaces the source IP address of every packet that comes from an external client with the IP address of the ISA Server internal interface, so the OWA server always replies to ISA Server. In server publishing, ISA Server keeps the original source IP address of the external client. A registry update (described in How to Enable Translating Client Source Address in Server Publishing) makes ISA Server translate the source address in server publishing as well.
If you do not use the registry update to translate source addresses in server publishing, you must configure the default gateway of the OWA computer to be the IP address of the ISA Server internal NIC (in our example, 10.0.0.1), so that replies to external clients are routed back through ISA Server.
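The following script is an added example and is not part of the original document or of the ISA Server Feature Pack. It applies the IIS settings of step 2 (Basic authentication on, Integrated Windows authentication off, default logon domain set, SSL required) to the /Exchange, /Public and /ExchWeb virtual directories through the IIS 5 metabase (ADSI), and walks down to any child directory or file that carries its own explicit authentication settings, which is what the "propagate to child nodes" prompt in step 2.e does. Assumptions: the OWA site is the Default Web Site (metabase site number 1) and the logon domain is ADATUM; adjust both constants. Run it with cscript on the OWA server as a local administrator.

```vbscript
' Added example (not from the original document or the ISA Server product).
' Applies step 2 of "To configure the OWA Server" to the metabase via ADSI.
' Assumed: Default Web Site is site 1, logon domain is ADATUM.
Option Explicit

Const strSitePath = "IIS://localhost/W3SVC/1/Root"
Const strLogonDomain = "ADATUM"

' Steps 2.c and 2.f on one metabase node: Basic on, Integrated Windows
' authentication off (so Internet Explorer falls back to Basic inside the
' SSL session), default logon domain set, SSL required. Anonymous access is
' left as Exchange setup configured it, because /ExchWeb serves public
' resources such as icons.
Sub Harden(objNode)
    objNode.AuthBasic = True
    objNode.AuthNTLM = False
    objNode.DefaultLogonDomain = strLogonDomain
    objNode.AccessSSL = True
    objNode.SetInfo
End Sub

' Walks the node and every child below it. Child directories and files only
' appear in the enumeration when they hold explicit metabase settings, which
' are exactly the ones that would otherwise override the parent.
Sub HardenTree(objNode)
    Dim objChild
    Harden objNode
    For Each objChild In objNode
        Select Case objChild.Class
            Case "IIsWebVirtualDir", "IIsWebDirectory", "IIsWebFile"
                HardenTree objChild
        End Select
    Next
End Sub

Dim strVDir
For Each strVDir In Array("Exchange", "Public", "ExchWeb")
    HardenTree GetObject(strSitePath & "/" & strVDir)
    WScript.Echo "Configured " & strSitePath & "/" & strVDir
Next
```

After running it, verify in Internet Services Manager that each of the three virtual directories shows only Basic authentication selected and Require secure channel (SSL) enabled, and that a plain http:// request to /exchange is now refused by IIS.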
Choosing a Publishing Method
After you’ve set up the OWA server, you must configure the ISA Server computer using one of the following methods:
- To publish the OWA server using server publishing rules, see the Configuring Server Publishing Rules topic.
- To publish the OWA server using Web publishing rules, see the Configuring Web Publishing Rules topic.
Configuring Server Publishing Rules
With the OWA server already configured for Basic authentication inside SSL as described above, create the server publishing rule. The following configuration procedure is performed on the ISA Server computer.
To configure a server publishing rule:
1.Open the ISA Management console, and expand the Servers and Arrays node.
2.Expand the ISA server computer node. Then expand the Publishing node
3.Right-click on the Server Publishing Rules node, click the New command and then click Rule. The New Server Publishing Rule Wizard will appear.
4.Type a friendly name for the rule such as “OWA server publishing rule” and click Next.
5.In the IP address of internal server field, type the IP address of the OWA computer (in our example: 10.0.0.3). In the External IP address on ISA Server field, type the IP address of the ISA Server external interface (in our example: 20.0.0.1). Click Next.
6.On the Protocol Settings page, select HTTPS Server from the drop-down menu and click Next.
7.In the client type page leave the default Any request and click Next.
8.Click Finish to end the Wizard.
Testing the deployment
An external client can access the OWA server provided that it can resolve the fully qualified domain name to the external IP address of the ISA Server computer. Normally this is achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of ISA Server. To test the deployment in a lab environment, you can specify the name resolution information with Notepad in the client's hosts file, located at \system32\drivers\etc\hosts under the Windows installation directory. In our example the hosts file includes the following entry: "20.0.0.1 mail.fabrikam.com".
To connect to the OWA site from the external client, type the following Web address: https://mail.fabrikam.com/exchange. Be certain to specify https in the URL; the server publishing rule publishes only the HTTPS Server protocol, so a plain http:// request is not forwarded.
Configuring Web Publishing rules
To configure Web publishing rules
1.Configure ISA server internal name resolution
Note
You can skip this step if you use your own DNS server for computer name resolution.
On the ISA Server computer, the hosts file is located at \system32\drivers\etc\hosts under the Windows installation directory. It should contain a mapping between each server's fully qualified host name and its corresponding IP address, one entry per line (for example: "10.0.0.3 owa.adatum.com").
Edit the hosts file on the ISA Server computer to allow correct name resolution for the following host names:
- The internal OWA host name (in our example: owa.adatum.com)
- The host name external clients will type in their browser to access the OWA site (in our example: mail.fabrikam.com). Because the Web publishing rule created by the wizard forwards requests to the OWA server under this name, on the ISA Server computer this name must resolve to the internal address of the OWA server (in our example: 10.0.0.3) and not to the ISA Server external address (20.0.0.1). If it resolved to the external address, ISA Server would forward each request back to its own listener.
- The internal domain controller host name (in our example: dc.adatum.com)
In order to verify correct name resolution on the internal network use the ping utility on the ISA server computer to resolve all the computer FQDN names.
2.Run the Outlook Web Access Wizard
The Outlook Web Access Wizard does the following tasks: Installs a listener to accept incoming requests, defines an OWA-specific destination set and creates a Web publishing rule.
a.Open the ISA Management console, and expand the Servers and Arrays node. Expand the ISA Server computer node, then expand the Publishing node. Right-click the Web Publishing Rules node, click New, and then click Publish Outlook Web Access Server.
b.Type-in a descriptive name for the rule (in our example “OWA Rule”) and Click Next
c.Type the fully qualified host name of the OWA server as entered in the hosts file in step 1 (in our example this is mail.fabrikam.com).
d.Check the option Use an SSL connection from ISA Server to the OWA server and Click Next
e.Type-in the fully qualified host name which external clients will use to access the OWA Web site. In our example this is: mail.fabrikam.com. Then click Next.
f.Select the option Enable SSL and press the Select button. Choose the certificate that maps to the URL specified in the previous step. Click OK, then click Next
g.Review the summary and Click Finish.
h.Select Save changes and restart the services and click OK.
Modifying existing Web publishing rules
It is highly recommended that you use the Publish Outlook Web Access Server wizard to publish OWA servers. However, it is possible to modify existing Web publishing rules to publish an OWA server.
To modify existing Web publishing rules
If you want to modify existing Web publishing rules to publish an OWA Server, perform the following steps:
1.Create a destination set with the following destinations:
- destination/exchange*
- destination/public*
- destination/exchweb*
where destination represents the fully qualified domain name that resolves to the external IP address of the ISA Server computer. The trailing asterisk is required on each path: without it the destination matches only the path itself, and requests for content below it (such as the images under /exchweb) are not covered by the rule.
2.Modify the applicable Web publishing rule to apply to the destination set.
3.Modify the rule to be recognized by ISA Server as an OWA rule, using the VBScript below. This is important in a situation where ISA Server is configured to bridge SSL requests from clients as HTTP, rather than as HTTPS. If ISA Server recognizes that a Web publishing rule is an OWA rule, then links returned to the client are rewritten as HTTPS links. Otherwise, the links are returned as HTTP links, and the client will fail to connect using those links. Save the script (here assumed to be named MarkOWARule.vbs) and run it with cscript, passing the rule name as its only argument, for example: cscript MarkOWARule.vbs "OWA Rule"
' Marks an existing Web publishing rule as an OWA rule (ISA Server 2000 Feature Pack 1)
' Usage: cscript MarkOWARule.vbs <Web publishing rule name>
Option Explicit
' GUID of the vendor parameters set that identifies OWA rules
Const strOWAGUID = "{5e302ed5-f5d5-4fad-9b8a-01c72e1569f3}"
Dim FPC, wpRule, aSet, strRuleName
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript MarkOWARule.vbs <Web publishing rule name>"
    WScript.Quit 1
End If
strRuleName = WScript.Arguments(0)
' Create the root object of the ISA Server administration COM object model
Set FPC = WScript.CreateObject("FPC.Root")
' Get the Web publishing rule by name from the array this computer belongs to
Set wpRule = FPC.Arrays.GetContainingArray.Publishing.WebPublishingRules(strRuleName)
' Get the FPCVendorParametersSet object for the rule
Set aSet = wpRule.VendorParametersSets.Add(strOWAGUID, False)
' Indicate that the rule is an OWA rule
aSet.Value("IsOWARule") = True
' Save the change
aSet.Save
WScript.Echo "Rule """ & strRuleName & """ is now marked as an OWA rule"
4.Verify that there is an incoming Web request listener that listens for Web requests on the external IP address of the ISA Server computer.
Configuring ISA Authentication screening
It is possible to configure ISA Server to authenticate each incoming request before it reaches the OWA server computer. This protects the internal OWA server from malicious external authentication attempts, such as attacks that open logon sessions and never complete them. ISA authentication screening requires the user to supply credentials when the request arrives at ISA Server. Once the request is authenticated, ISA Server forwards it to the OWA server together with the user-supplied credentials, so the user is not prompted for the password a second time. This behavior is introduced by ISA Server Feature Pack 1 and is called "basic delegation". Because the credentials are forwarded in the Basic authorization header, both legs of the connection (client to ISA Server, and ISA Server to OWA) must be protected by SSL, as they are in this scenario.
Configuring ISA authentication screening
To configure ISA to authenticate each incoming Web request before forwarding the request to the OWA server, take the following steps:
1.Expand the Servers and Arrays icon, right-click the ISA Server-based server, and then click Properties.
2.Click the Incoming Web Requests tab, and then click Configure listeners individually per IP address.
3.Select the OWA Listener and click edit.
4.Under the Authentication section, select only Basic with this domain and click Select to choose the appropriate domain name. Note: the ISA Server computer and the OWA server computer must have access to the same account database. It is recommended that the ISA Server computer and the OWA server computer reside within the same domain. Click OK.
5.Click OK to return to the ISA Management console. You will be prompted with a dialog box, select Save the changes and restart the service and click OK.
6.Expand the Publishing node, and click on the Web Publishing Rules node.
7.On the right pane of the screen, double click the OWA rule you defined in the previous step (in our example: “OWA Rule”).
8.Select the Action tab and select Allow basic delegation option.
9.Select the Applies to tab and select Users and groups specified below. Click Add to select users/groups that have permissions to access the OWA server. Click OK to save and close the rule properties windows.
Testing the deployment
An external client can access the OWA server provided that it can resolve the fully qualified domain name to the external IP address of the ISA Server computer. Normally this is achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of ISA Server. To test the deployment in a lab environment, you can specify the name resolution information with Notepad in the client's hosts file, located at \system32\drivers\etc\hosts under the Windows installation directory. In our example the hosts file includes the following entry: "20.0.0.1 mail.fabrikam.com".
To connect to the OWA site from the external client, type the following Web address: https://mail.fabrikam.com/exchange. Be certain to specify https in the URL.
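The following script is an added example, not part of the original document or of the ISA Server product, that automates the deployment test described in both Testing the deployment sections (server publishing and Web publishing). Run with cscript on the external test client, it makes an anonymous GET to the published site and checks what the walkthrough expects: the HTTPS connection succeeds with a certificate the client trusts for the name typed in the browser, the response is a 401 whose WWW-Authenticate challenge offers Basic only (no NTLM or Negotiate, which would mean Integrated Windows authentication was left enabled in step 2.c), and a plain http:// request never returns mailbox content. It uses the MSXML2.ServerXMLHTTP component, which does not suppress certificate errors by default, so a name mismatch or untrusted issuer surfaces as a failed request rather than being accepted silently. The host name and path are the walkthrough's (mail.fabrikam.com, /exchange/); change the constants for another deployment.

```vbscript
' Added example (not from the original document or the ISA Server product).
' Probes a published OWA site from the external client and evaluates the
' answers. Assumed: public name mail.fabrikam.com, OWA path /exchange/.
Option Explicit

Const strHost = "mail.fabrikam.com"
Const strPath = "/exchange/"

' Performs an anonymous GET. Returns "" on success and fills intStatus and
' strChallenge; returns an error text if the request could not complete
' (connection refused, certificate not trusted, name mismatch, and so on).
Function Probe(strUrl, ByRef intStatus, ByRef strChallenge)
    Dim objHttp
    Set objHttp = CreateObject("MSXML2.ServerXMLHTTP")
    On Error Resume Next
    objHttp.open "GET", strUrl, False
    objHttp.send
    If Err.Number <> 0 Then
        Probe = "request failed: " & Err.Description
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    intStatus = objHttp.status
    strChallenge = objHttp.getResponseHeader("WWW-Authenticate")
    Probe = ""
End Function

' Compares an HTTPS response with what the walkthrough configures:
' 401 with a Basic challenge and nothing else.
Function Evaluate(intStatus, strChallenge)
    If intStatus = 200 Then
        Evaluate = "FAIL: content served without authentication"
    ElseIf intStatus <> 401 Then
        Evaluate = "WARN: unexpected status " & intStatus
    ElseIf InStr(1, strChallenge, "NTLM", vbTextCompare) > 0 Or _
           InStr(1, strChallenge, "Negotiate", vbTextCompare) > 0 Then
        Evaluate = "FAIL: Integrated Windows authentication still offered (" & strChallenge & ")"
    ElseIf InStr(1, strChallenge, "Basic", vbTextCompare) = 0 Then
        Evaluate = "FAIL: no Basic challenge (" & strChallenge & ")"
    Else
        Evaluate = "OK: 401 with Basic challenge only (" & strChallenge & ")"
    End If
End Function

Dim intStatus, strChallenge, strErr

' 1. HTTPS: the transport must succeed and the site must challenge for Basic.
strErr = Probe("https://" & strHost & strPath, intStatus, strChallenge)
If strErr <> "" Then
    WScript.Echo "HTTPS " & strErr
Else
    WScript.Echo "HTTPS " & Evaluate(intStatus, strChallenge)
End If

' 2. Plain HTTP: with the HTTPS-only server publishing rule the connection is
'    refused; with Web publishing the request must not return mailbox content
'    (IIS answers 403 because the virtual directories require SSL).
strErr = Probe("http://" & strHost & strPath, intStatus, strChallenge)
If strErr <> "" Then
    WScript.Echo "HTTP  refused as expected (" & strErr & ")"
ElseIf intStatus = 200 Then
    WScript.Echo "HTTP  FAIL: content served over clear-text HTTP"
Else
    WScript.Echo "HTTP  status " & intStatus & " (no clear-text content served)"
End If
```

When ISA authentication screening (basic delegation) is enabled, the 401 in the first check comes from the ISA Server listener rather than from IIS on the OWA server; the expected result is the same, a single Basic challenge. A "request failed" result on the HTTPS check on a client that trusts the issuing CA usually means the certificate name does not match the host name typed in the browser, which is exactly the error users would see.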