Publishing Exchange 2007 Server with ISA Server 2006 - Part 2 (Accessing OWA externally through ISA 2006 Firewall)

Preparing your ISA 2006 to allow OWA Access - Part 2

Part 1 should have made clear how to create and issue a certificate for a secure connection. Now it is time to create a secure link to the Exchange server through the ISA firewall. As I mentioned earlier, installing the ISA application breaks every link from the external world, because the installation itself creates a default enterprise deny policy. It is therefore very important to know which ports need to be enabled.
I have selected Edge Firewall mode to match my topology, and the Internet Access relation I have selected is 'Route' (to get to this Edge Firewall selection: IMC console => Arrays => Configuration => Network).
Figure 1:


Figure 2: The firewall policy once Edge Firewall is chosen
 

The important point here is that to get access to POP3, OWA or Outlook Anywhere we need a certificate to be created here, and to do that we need to open this URL from ISA: http://dc.smile.com/certsrv. If you try to access this URL now, ISA won't allow it. To access http://dc.smile.com/certsrv we need to create an HTTP rule for this link.
First we need to create a URL set for dc.smile.com/certsrv.
• Click on Firewall Policy
• Toolbox => URL Sets => New URL Set, and give the following information (note: it will only take http, not https; that is the reason that in Part 1 I selected only exchange, exchweb, exadmin, public and owa for 128-bit encryption).
Figure 3:


Note that in the figure above the URL I set is http://dc.smile.com/certsrv/* and the name is http://dc.smile.com/certsrv

Now we need to create an access rule to reach the link via HTTP. Right-click Firewall Policy and click New Access Rule.
This opens a welcome screen. Name the rule: HTTP Access through Firewall for DC
Figure 4:

Then select the Allow option and click Next: Figure 5

Under selected protocols => click Add => Common Protocols and select HTTP
Figure 6:

In the source protocol select Local Host and click Next: Figure 7:


In the Destination Protocol select the http://dc.smile.com/certsrv URL set which we created – Figure 8:

Then click Next. Under User Sets leave the default and click Finish.

Now let's try to open the URL http://dc.smile.com/certsrv (see Figure 9):


• Then click Request a certificate, as we did in Part 1
• Then click Advanced Certificate Request, as we did in Part 1
• Then click Create and submit a request to this CA.
• Under Advanced Certificate Request:
o Certificate Template: Web Server
o Name: mail.smile.com
o Store it in the local computer and click Submit
o Then install the certificate.

The certificate is now installed, but if you try to access POP3 or OWA you still won't get a connection, because there is no link between your certificate in ISA and Exchange; we need a chain to get access. To do this, browse to http://dc.smile.com/certsrv
• Select Download a CA certificate, certificate chain, or CRL (see Figure 9)
• It will then show the CA certificate server name; just click Install this CA certificate chain – Figure 10


Once you install it, it will be stored in "Intermediate Certification Authorities => Certificates": Figure 11


We need to move this certificate to Trusted Root Certification Authorities: select dc.smile.com and drag it to Trusted Root Certification Authorities => Certificates
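
To confirm the result of the steps above without clicking through the certificate console, the following added example (not part of the original article) checks on the ISA server that the mail.smile.com certificate has a private key and chains to a trusted root in the Local Computer store. The function name Test-ListenerCertificate is hypothetical, and it assumes the certificate subject contains CN=mail.smile.com.

```powershell
# Added example, not from the original article. Run on the ISA server.
# Test-ListenerCertificate is a hypothetical helper name.
function Test-ListenerCertificate {
    param([string]$Name = 'mail.smile.com')   # assumed subject CN

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        $pattern = 'CN=' + [regex]::Escape($Name) + '(,|$)'
        $certs = @($store.Certificates | Where-Object { $_.Subject -match $pattern })
    }
    finally { $store.Close() }

    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with CN=$Name in LocalMachine\My"
        return
    }

    foreach ($cert in $certs) {
        # Build the chain in machine context, the view a service has of the stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
        # Trust path only: revocation is skipped because the CRL location may
        # not be reachable through the firewall policy.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        # 2.5.29.37 is the Enhanced Key Usage extension.
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $last = $chain.ChainElements.Count - 1

        New-Object PSObject -Property @{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            HasPrivateKey    = $cert.HasPrivateKey      # must be True for a listener
            NotAfter         = $cert.NotAfter
            EnhancedKeyUsage = @($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
            ChainTrusted     = $trusted                 # False if the CA is not a trusted root
            ChainStatus      = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            ChainTop         = $chain.ChainElements[$last].Certificate.Subject
        }
    }
}

Test-ListenerCertificate | Format-List
```

A ChainStatus of UntrustedRoot means the CA certificate is still only under Intermediate Certification Authorities; HasPrivateKey of False means the certificate was not stored in the local computer store with its key.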

Creating a Web Listener:
Now it is time to publish the OWA rule, and for that we first need to create a web listener.
To do that => click Firewall Policy => Toolbox on the right => Web Listeners => New
Figure 1:

• In Client Connection Security select HTTPS
Figure 2:

• Under Web Listener IP Addresses – select External IP Address
Figure 3:

• Listener SSL Certificates: select the certificate which we created for this ISA server, i.e. mail.smile.com
Figure 4:

• Authentication Settings: select HTML Form Authentication
Figure 5:

• Under Single Sign On Settings: type ".smile.com"
Figure 6:

• Then click Finish: Figure 7:


Publishing Rule for OWA
Now we need to create a publishing rule for OWA. To do that, click Tasks and select the option Publish Exchange Web Client Access
Figure 1:

• Then select Exchange 2007; the option to select is OWA 2007
Figure 2:

• Publishing Type: select "Publish a single Web site or load balancer"
Figure 3:

• Server Connectivity Security: select "Use SSL to connect to the published Web server or server farm"
Figure 4:

• In Internal Publishing Details, type the OWA URL that is used internally; it should match the certificate we have for internal access, which is why I created my certificate to include my FQDN
Figure 5:

• Public Name Details: give the name of your ISA certificate, i.e. mail.smile.com
Figure 6:

• Select Web Listener: select the one you created, i.e. External Access
Figure 7:

• Authentication Delegation – select Basic Authentication
Figure 8:

• User Sets => Authenticated Users or All Users
Figure 9:

Then click Next to finish.
Now let's test from our client machine with the following URL: https://mail.smile.com/owa
Figure 10


Figure 11:
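
The publishing rule depends on two name matches: the internal name against the Exchange certificate, and the public name mail.smile.com against the ISA certificate. The following added example (not part of the original article) performs a TLS handshake and reports which validation check fails; Test-TlsName is a hypothetical helper name and `<internal-owa-fqdn>` is a placeholder for the name typed in Internal Publishing Details.

```powershell
# Added example, not from the original article.
# Test-TlsName is a hypothetical helper name.
function Test-TlsName {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $seen = @{ Errors = $null; Subject = $null; Expires = $null }

    # Record what validation reports, then accept so the handshake completes.
    # Diagnostic only: no credentials or data are sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($origin, $certificate, $chain, $policyErrors)
        $seen.Errors  = $policyErrors
        $seen.Subject = $certificate.Subject
        $seen.Expires = $certificate.GetExpirationDateString()
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is the name the certificate is checked against.
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Close()
    }
    finally { $tcp.Close() }

    New-Object PSObject -Property @{
        Host         = $HostName
        Port         = $Port
        Subject      = $seen.Subject
        Expires      = $seen.Expires
        PolicyErrors = $seen.Errors    # None means name and chain both validated
    }
}

# On the ISA server, against the name used in Internal Publishing Details:
#   Test-TlsName -HostName '<internal-owa-fqdn>' | Format-List
# On the external client, against the public name:
#   Test-TlsName -HostName 'mail.smile.com' | Format-List
```

RemoteCertificateNameMismatch means the name used does not appear in the certificate the server presented; RemoteCertificateChainErrors means the issuing CA is not trusted on the machine running the check.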


I hope this article has been informative for you all, and that you now know how to create a secure connection for OWA.
Thank you for taking the time to read it.
