Publishing Exchange 2007 Server with ISA Server 2006 - Part 1(Accessing OWA externally through ISA 2006 Firewall)

Publishing Exchange 2007 Server with ISA Server 2006
Accessing OWA externally through ISA 2006 Firewall
Configuring SSL Certificate for Exchange 2007 - Part 1

Note: This is purely a lab experiment in which I am focusing on ISA Server 2006. All the inputs I used to configure ISA 2006 came from Microsoft TechNet, MSExchange.org, Petri.com and my virtual lab setup. In a production environment things may not be the same.

Accessing OWA is one of the requirements we need to enable for clients. In Exchange 2007, as in the previous version, it is enabled by default.

Securing the server is something every business requires in today's environment, so there are certain things we need to take care of before we implement or deploy. When we think about security with Microsoft technology in mind, the first thing that comes to mind is a firewall, and one of the best products is ISA Server (Internet Security and Acceleration Server).

So, what is ISA? It is a proxy server that terminates all our connections to the external world, and we allow access only to the specific protocols that need to be reached from outside. Doesn't that sound good and secure? Yes, it does. Trust me guys, I have been working on my lab for the last 23 days and have gained only 50%, but I thought I should share whatever I have gained with you; later, if I succeed, I will update this.

This document I am publishing not only stressed my mind but also drew on Microsoft TechNet articles regarding ISA, msexchange.org (configuring SSL certificates) and the Petri website, from which I learned how to configure Exchange 2003 for RPC over HTTPS, which was a great help in understanding the basic concepts. Thanks to each and every one, Microsoft, Henrik and Petri, for sharing the knowledge.

My Lab Setup:
Let me start off right now:

1st Computer : DC.smile.com
Role : DC \ GC \ DNS \ Exchange 2007 with all roles
IP address : 10.1.1.1
Hosts file (entries for the ISA server and the one external XP client):
    127.0.0.1   localhost
    40.1.1.1    client.happy.com
    40.1.1.2    mail.smile.com

2nd Computer : Edge Server (workgroup)
Role : ISA Server
IP address : 10.1.1.2 & 40.1.1.2
Description : The edge server sits in the DMZ network and has two NICs
    NIC1 : Internal access : 10.1.1.2
    NIC2 : External access : 40.1.1.2
Hosts file:
    127.0.0.1   localhost
    10.1.1.1    dc.smile.com
    40.1.1.1    client.happy.com
(The CA web enrollment pages are reached at http://dc.smile.com/certsrv. A hosts file maps names to addresses only and cannot carry a URL path, so the dc.smile.com entry above is all that is needed for that URL.)

3rd Computer : Client.happy.com
IP address : 40.1.1.1
Role : Client machine with Outlook 2007 installed
Hosts file:
    127.0.0.1   localhost
    40.1.1.2    www.smile.com
    40.1.1.2    public.smile.com
    40.1.1.2    mail.smile.com
    40.1.1.2    dc.smile.com

Note: if you have an old network card, make sure that the Scalable Networking Pack settings EnableTCPA, EnableTCPChimney and EnableRSS are set to 0.
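The registry values behind that note, as an added example that is not part of the original article: on Windows Server 2003 SP2 the Scalable Networking Pack features are controlled by the DWORD values EnableTCPA, EnableTCPChimney and EnableRSS under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and 0 disables each of them. The script reads the current state, sets all three to 0 and reads them back. It assumes an elevated PowerShell prompt on the server and that you reboot afterwards, since the TCP/IP stack only picks the values up at start.

```powershell
# Added example (not from the original article): disable the Scalable Networking Pack
# offloads (TCPA, TCP Chimney, RSS) that the note above refers to. A value of 0 disables
# the feature; a missing value means the OS default applies. Reboot after changing them.

$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$offloads = 'EnableTCPA', 'EnableTCPChimney', 'EnableRSS'

function Get-SnpState {
    # Print each offload value as it stands now ("(not set)" = OS default in effect).
    foreach ($name in $offloads) {
        $item = Get-ItemProperty -Path $tcpip -Name $name -ErrorAction SilentlyContinue
        if ($item -eq $null) { $value = '(not set)' } else { $value = $item.$name }
        Write-Host ("{0,-18} {1}" -f $name, $value)
    }
}

function Disable-Snp {
    # Set-ItemProperty creates the DWORD value if it does not exist yet.
    foreach ($name in $offloads) {
        Set-ItemProperty -Path $tcpip -Name $name -Value 0 -Type DWord
    }
}

Write-Host 'Before:'; Get-SnpState
Disable-Snp
Write-Host 'After (all three should read 0; reboot to apply):'; Get-SnpState
```

On Windows Server 2008 and later the same switches are exposed through `netsh interface tcp set global chimney=disabled rss=disabled`, which is the supported way to change them there rather than editing the registry directly.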

Exchange 2007 overview:
By default, when we install Exchange 2007 it installs a self-signed certificate issued to the server's own name so that its services have a secure channel from the start. Second, it does not create a Send connector by default. Third, the POP3 and IMAP4 services are not set to start automatically and are stopped by default. See the figures below.
Figure 1: The default self-signed certificate, issued to the server itself

Figure 2: There is no SMTP Send connector by default

Figure 3: POP3 and IMAP4 services stopped


So it is very important to create a Send connector, to set the POP3 and IMAP4 services to Automatic if you require that access as well, and to configure a proper certificate.

Right now I am focusing on publishing OWA through ISA; later I will show how to configure POP3 as well in my upcoming articles.

Configuring OWA:
 The first basic thing I did was create a Send connector.
 Then I set the OWA authentication to Basic authentication.
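The defaults described above, inspected and changed from the Exchange Management Shell, as an added example rather than the article's own steps. It assumes the all-in-one server is named DC, that the new Send connector is called Internet, and that the OWA virtual directory has the default identity "DC\owa (Default Web Site)". Basic authentication is chosen because ISA will pre-authenticate users on its web listener and pass their credentials to OWA as Basic; forms-based authentication on OWA itself would only present a second logon page. Basic carries the password merely base64-encoded, so it must never be reachable without SSL, which is what the certificate work in the rest of this article provides.

```powershell
# Added example, not the article's own steps. Run in the Exchange Management Shell on the
# all-in-one server. The server name and connector name are lab assumptions.

$server = 'DC'

# 1. Default certificate: self-signed and issued to the server itself (compare Figure 1).
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Issuer, Services, Thumbprint

# 2. No Send connector exists by default. Create one that routes "*" to the Internet
#    using DNS MX lookups, sourced from the Hub Transport role on DC.
if (-not (Get-SendConnector | Where-Object { $_.Name -eq 'Internet' })) {
    New-SendConnector -Name 'Internet' -Usage Internet -AddressSpaces '*' `
        -DNSRoutingEnabled $true -SourceTransportServers $server
}

# 3. POP3 and IMAP4 are stopped and not set to start automatically. Only change this if
#    you actually publish those protocols; the OWA scenario here does not need them.
foreach ($svc in 'MSExchangePOP3', 'MSExchangeIMAP4') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 4. OWA authentication: Basic only. ISA pre-authenticates on its listener and hands the
#    credentials to OWA as Basic, so forms-based, Integrated Windows and Digest
#    authentication are switched off on the virtual directory itself.
$owa = "$server\owa (Default Web Site)"
Set-OwaVirtualDirectory -Identity $owa `
    -BasicAuthentication $true -FormsAuthentication $false `
    -WindowsAuthentication $false -DigestAuthentication $false
iisreset /noforce | Out-Null
Get-OwaVirtualDirectory -Identity $owa | Format-List Identity, *Authentication, LogonFormat
```

The final Get-OwaVirtualDirectory call should show BasicAuthentication True and the other three False; if FormsAuthentication is still True the change has not taken, and users would see an OWA logon form after already authenticating at ISA.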

Publishing your own certificate:
 First of all I will remove the existing certificate from my Exchange 2007 server. To do that:
 Open the IIS Management Console
 Default Web Site => Properties
 Directory Security tab
 Click Server Certificate
 Click Next and select "Remove the current certificate"
 Uncheck "Require 128-bit encryption" on the Default Web Site (it is re-enabled once the new certificate is in place)

Now that we have removed the certificate, it's time to create a new one.
 For creating the certificate I referred to an msexchange.org article: SSL Enabling OWA 2003 using your own Certificate Authority. I am not going to follow that article completely, only half of the way, just to have the certificate issued by my own authority. Let me explain: if you look at Figure 1, the certificate is issued to my server by its short name DC, but I want a certificate issued to servername.domainname.com. To achieve this I need Certificate Services enabled, and to enable it:
 Control Panel
 Add/Remove Programs
 Windows Components
 Select Certificate Services and hit Next. Once you select it, you will be prompted with a warning that the computer name and domain membership cannot be changed after the CA is installed; select Yes.
Figure 4: The Certificate Services warning

 Select Enterprise root CA and hit Next: Figure 5

 Next we need to give the CA identifying information; you can give your existing FQDN: Figure 6

 Next it performs the cryptographic key generation: Figure 7

Figure 8: Location for storing the certificate database and log files; click Next


After you hit Next it will prompt you to restart the IIS service, then configure the CA (enabling ASP.NET if you haven't enabled it) and finish the process.

Now we have a certificate authority. In the IIS console you will see the certsrv virtual directory, which hosts the web enrollment pages used to request certificates; see Figure 9:


We have removed the old certificate and created an authority to issue new ones; now it's time to create a server authentication certificate. Here I will set the certificate name to dc.smile.com. The reason the certificate needs the FQDN is that ISA will connect to the Exchange server by that FQDN, and the name ISA connects to must match the name in the server's certificate, otherwise ISA rejects the connection. I will show this later. Let's see how to create our own certificate.

 Open Internet Explorer
 Type http://dc/certsrv and press Enter; you will get something like Figure 10:
 

Click on "Request a certificate" and then on "advanced certificate request": Figure 11

Then click on "Create and submit a request to this CA": Figure 12

This opens the "Advanced Certificate Request" page. Set Certificate Template to Web Server and Name to the FQDN, i.e. dc.smile.com, select the option "Store certificate in the local computer certificate store", and hit Submit. In the real world you should fill in all the identifying information (organisation, location and so on), not just the name.
See Figure 13:
 

When you hit Submit it will show you a "Potential Scripting Violation" warning; click Yes:
Figure 14:

Once you click Yes it will take you to the option to install the certificate. Click "Install this certificate"; you will get the "Potential Scripting Violation" warning again, click Yes and finish the installation: Figure 15


After this you can confirm the certificate is stored:
 Run => MMC => Add/Remove Snap-in => Certificates (Computer account) => Personal => Certificates, Figure 16:

Now we have installed the certificate. Next we need to assign it to our web server, so open IIS => Default Web Site => Properties => Directory Security tab => Server Certificate. A welcome screen opens; hit Next.
Figure 17:

Select "Assign an existing certificate": Figure 18

Then select the new certificate we created: Figure 19

It will then propose the SSL port, 443, for the secure connection: Figure 20

It gives you a summary of the newly assigned certificate (Figure 21); click Next and then Finish.

Now we need to re-enable "Require 128-bit encryption" and require SSL on the Exchange, Exchweb, Exadmin, OWA and Public virtual directories.
Reason: I require the secure channel only on the directories above because http://FQDN/certsrv has to remain reachable over plain HTTP for the ISA configuration; in a production environment set this according to your needs. Remember that OWA is now using Basic authentication, which sends the password base64-encoded rather than encrypted, so requiring SSL on those directories is what keeps credentials from crossing the wire in the clear.
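A scripted equivalent of the whole certificate procedure above (from "Publishing your own certificate" through requiring SSL on the virtual directories), added here as an example; it is not the article's own steps. It runs in the Exchange Management Shell on DC.smile.com and uses the Exchange 2007 certificate cmdlets plus certreq instead of the web enrollment pages. Assumptions: the CA's configuration string is dc.smile.com\smile-DC-CA (the CA common name chosen during Certificate Services setup), the Default Web Site is IIS site 1, adsutil.vbs is in its default AdminScripts folder, and the account running it has Enroll permission on the Web Server template (Domain Admins have it by default). The request carries mail.smile.com as a subject alternative name alongside the dc.smile.com subject, since mail.smile.com is the name users type according to the client hosts file.

```powershell
# Added example, not the article's own steps. Run in the Exchange Management Shell on
# DC.smile.com as a domain administrator. Values marked "assumed" are lab assumptions.

$fqdn     = 'dc.smile.com'                 # name ISA connects to; must be the certificate subject
$userName = 'mail.smile.com'               # name users type in the browser (client hosts file)
$caConfig = 'dc.smile.com\smile-DC-CA'     # assumed: <CA host>\<CA common name chosen at setup>
$workDir  = 'C:\certs'
$reqFile  = Join-Path $workDir 'dc.smile.com.req'
$cerFile  = Join-Path $workDir 'dc.smile.com.cer'
New-Item -ItemType Directory -Path $workDir -ErrorAction SilentlyContinue | Out-Null

# 1. Build a PKCS#10 request; the private key is created in the local computer store.
#    Subject is the FQDN, the user-facing name goes in as a subject alternative name.
New-ExchangeCertificate -GenerateRequest -Path $reqFile `
    -SubjectName "CN=$fqdn, O=smile, C=US" `
    -DomainName $fqdn, $userName `
    -KeySize 2048 -PrivateKeyExportable $true `
    -FriendlyName 'OWA publishing certificate'

# 2. Submit to the enterprise CA with the Web Server template (the template the web
#    enrollment page offers) and save the issued certificate.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile

# 3. Complete the pending request and bind the certificate to IIS. This replaces the
#    certificate currently assigned to the Default Web Site.
$cert = Import-ExchangeCertificate -Path $cerFile
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Issuer, NotAfter, Services

# 4. Require SSL plus 128-bit ciphers on the OWA-related virtual directories only, so
#    /certsrv stays reachable over plain HTTP. Assumes the Default Web Site is site 1.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
foreach ($vdir in 'Exchange', 'Exchweb', 'Exadmin', 'owa', 'Public') {
    cscript //nologo $adsutil set "W3SVC/1/ROOT/$vdir/AccessSSL"    True
    cscript //nologo $adsutil set "W3SVC/1/ROOT/$vdir/AccessSSL128" True
}
cscript //nologo $adsutil get 'W3SVC/1/ROOT/certsrv/AccessSSL'      # expect False
```

Enable-ExchangeCertificate -Services IIS replaces whatever certificate is bound to the Default Web Site, so the manual removal step is not needed when going this route. Because the ISA server is in a workgroup it will not receive the smile.com root CA certificate through Group Policy; export it from the CA and import it into the ISA machine's Trusted Root Certification Authorities store, otherwise ISA will not trust the certificate when it connects to dc.smile.com.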

In the next part I will show how to configure your ISA 2006 firewall to allow OWA access externally.

Related Articles:
Configuring SSL Certificate for Exchange 2007 - Part 1
Preparing your ISA 2006 to allow OWA Access - Part 2

Reference links for this article:
SSL Enabling OWA 2003 using your own Certificate Authority (msexchange.org)
Outlook Anywhere 2007 with ISA Server 2006


 
