Document ID: 283170
http://support.veritas.com/docs/283170

Configuring Microsoft ISA Server 2004 for use with Veritas Enterprise Vault (tm) Outlook Web Access (OWA) 2003 extensions

Details:
This TechNote describes how to configure Microsoft Internet Security and Acceleration (ISA) Server 2004 in a Veritas Enterprise Vault (tm) environment.

Figure 1: Overview

ISA Server 2004 can be used to secure access to OWA by using Web publishing rules (reverse proxy), to make front-end servers available on the Internet.
Instructions are given on how to configure ISA Server 2004 for the following two configurations: OWA basic authentication, and OWA forms-based authentication.
Configuring ISA Server 2004 for OWA Basic Authentication
Configuring ISA Server 2004 for basic authentication is relatively straightforward. The Mail Server Publishing Rule will reference the standard paths, which are the three virtual directories /Exchange, /Public and /Exchweb. For Enterprise Vault support, the extra path /EnterpriseVaultProxy needs to be added.
The process detailed in this TechNote assumes that you have installed a suitable Certification Authority (CA) certificate on the front-end OWA server, and imported that certificate onto the ISA Server 2004.
To enable access to archived items for OWA users who use basic authentication:
1. Log on to the ISA Server 2004 computer as a local administrator with permissions to configure the ISA Server.
2. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name.
Click the Firewall Policy node.
In the right-hand task pane, click the Tasks tab and then click Publish a Mail Server.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name box. For example, OWA Basic (External to Internal). Click Next.
4. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync.
Click Next.
5. On the Select Services page, select Outlook Web Access and click Next.
6. On the Bridging Mode page (see Figure 2), select Secure connection to clients and mail server, and click Next.

Figure 2: Bridging mode page

7. On the Specify the Web Mail Server page, enter the name of the front-end OWA server (as identified to the internal network) in the Web mail server box.
Alternatively, you can enter the common name of the CA certificate on the front-end OWA server. This is the Issued to name in the certificate.
Click Next.
8. On the Public Name Details page, enter the name that external users will use to access the OWA site in the Public name box. This must match what is specified in the external domain name server (DNS) entry.
Alternatively, select Accept requests for any domain name in the drop-down box.
Click Next.
9. On the Select Web Listener page, click New to create a new Web listener. (This step assumes that no Web listener exists yet).
10. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name box. For example, External443 (Basic).
Click Next.
11. On the IP Addresses page, select the External checkbox. Click Next.
12. On the Port Specification page, clear the Enable HTTP checkbox.
Select Enable SSL.
Click Select. In the Select Certificate dialog box, click the Web site certificate (front-end OWA server), and click OK.
Click Next on the Port Specification page.
13. Click Finish on the Completing the New Web Listener Wizard page.
14. Click Edit on the Select Web Listener page.
Select the Preferences tab. In the Web Listener dialog box, click Authentication.
In the Authentication dialog box, clear the Integrated checkbox.
Click OK in the prompt dialog.
Select the Basic checkbox.
Click Yes in the dialog box informing you that you should use SSL.
Click OK in the Authentication dialog box.
15. Click Apply and then click OK in the Web Listener dialog box.
16. Click Next on the Select Web Listener page.
17. On the User Sets page, accept the default setting, All Users, and click Next.
18. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
19. Right-click the newly created rule in the main Firewall Policy pane of the Microsoft Internet Security and Acceleration Server 2004 management console, and click Properties.
20. In the Properties dialog box, click the Paths tab.
On the Paths tab, click the Add button (see Figure 3).
In the Path mapping dialog box, enter the value /EnterpriseVaultProxy/* in the Specify the folder on the Web site that you want to publish box.
(If you want to publish the entire Web site, leave this box blank.)
Select Same as published folder.
Click OK.
21. Click Apply and then click OK in the Properties dialog box.
22. Click Apply to save the changes and update the firewall policy.
23. Click OK in the Apply New Configuration dialog box.
This completes the setup steps to support users accessing OWA using basic authentication.

Figure 3: Mapped paths

Configuring ISA Server 2004 for OWA forms-based authentication
The configuration steps for forms-based authentication are more complex. This is because a Web listener that is configured in ISA Server 2004 for forms-based authentication cannot support any other type of authentication. This is acceptable for standard OWA functionality, such as opening archived items. However, the /EnterpriseVaultProxy virtual directory supports only basic authentication, so any functionality that requires this virtual directory (Archive Explorer and the Search application) will fail when published using an ISA Server 2004 that has been configured for forms-based authentication.
The solution is to chain Web listeners together, so that requests for the /Exchange, /Public and /Exchweb virtual directories can be authenticated using forms-based authentication, and calls to the /EnterpriseVaultProxy virtual directory can be authenticated using basic authentication.

Figure 4: Overview - How chained Web listeners work

1. The external host sends a request to http://webmail.ev.com/Exchange. The name webmail.ev.com resolves to the IP address on the external interface of the ISA Server 2004 firewall that the external Web listener is configured to use. This listener accepts the incoming request and does not prompt users for credentials, as it is configured for basic authentication.
The ISA Server 2004 firewall allows you to configure the listener to forward the user credentials to the Web site. This prevents unauthenticated users from connecting to the Web site. Secure sockets layer (SSL) encryption on the connection encrypts the user credentials when they are sent by the client to the server.
2. A Web Publishing Rule is created for the external listener that forwards incoming requests for the /Exchange virtual directory to localhost.
3. A second Web listener, created on the localhost network, is configured to use forms-based authentication. As the listener is configured to use forms-based authentication, it generates a form and sends this to the user.
4. The user fills in the username and password information in the form and sends it to the ISA Server 2004 firewall.
5. The firewall accepts the credentials on the external listener, and the Web Publishing Rule for the external listener forwards the credentials to the localhost listener.
6. As the localhost listener uses forms-based authentication, it forwards the user credentials to the OWA Web site. When the user is authenticated, the connection request is forwarded to the OWA Web site on the internal network.
7. User requests for Archive Explorer or the archive Search applications are directed to https://webmail.ev.com/EnterpriseVaultProxy, which requires basic authentication. These requests are serviced by the external listener, which is configured for basic authentication.
As there is a change in authentication at this point (from forms-based to basic), the user is prompted for username and password information.
8. The connection for /EnterpriseVaultProxy is forwarded to the OWA server, based on a Web Publishing Rule that is configured to forward the connection to the /EnterpriseVaultProxy virtual directory on the front-end OWA server on the internal network.

Steps to configure chained Web listeners
1. Export the Web site certificate from the OWA Web site and import that certificate into the ISA Server 2004 firewall computer certificate store. This certificate will be used by the external listener. See Exporting the Web site certificate from the OWA Web site.
2. Request a Web site certificate that has the name localhost and install this certificate in the certificate store on the ISA Server 2004 firewall computer. This certificate is used by the localhost Web listener. See Requesting a Web site certificate for the localhost listener.
3. Create the Web Publishing Rule that uses the external Web listener to accept the incoming requests for the OWA site and forwards these to the localhost Web listener. See Create a Web Publishing Rule that forwards incoming OWA requests to the localhost Web listener.
4. Create the Web Publishing Rule that uses the localhost Web listener to accept the incoming requests from the external Web listener, and forwards these to the OWA Web site on the internal network. See Create a Web Publishing Rule for the localhost listener that forwards requests to the OWA Web site.
5. Create the Web Publishing Rule that the external Web listener uses to forward requests for the /EnterpriseVaultProxy virtual directory directly to the internal network. See Create a Web Publishing Rule that forwards requests for the /EnterpriseVaultProxy virtual directory to the internal network.

Exporting the Web site certificate from the OWA Web site
To secure communications from end to end, you need to install a Web site certificate on the OWA Web site on the internal network. There are several ways you can get the certificate: the Web enrollment site, the Certificates mmc, or an offline request. After the Web site has a certificate, you can then export the certificate, along with its private key, to a file. You can then import that certificate into the ISA Server 2004 firewall computer's Personal certificate store. In addition, the CA certificate of the CA that issued the certificate must be installed in the Trusted Root Certification Authorities certificate store on the ISA Server 2004 firewall computer.
Details of how to request a Web site certificate for the OWA Web site, how to export it to a file, and how to import that file into the firewall computer's certificate store are beyond the scope of this technote. Instructions can be found at the following web site:  http://isaserver.org/news/exchangekit.html

Requesting a Web site certificate for the localhost listener
This section describes how to

Obtaining the Web site certificate for the localhost listener
1. Log on to the ISA Server 2004 computer as a local administrator with permissions to configure the ISA Server.
2. Using the Microsoft Internet Security and Acceleration Server 2004 management console, create an Access Rule that allows the firewall to connect to the CA Web enrollment site.
Expand the server name and then click the Firewall Policy node.
In the right-hand pane, click the Tasks tab and then click Create New Access Rule.
3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name box. In this example, we will call the rule Firewall to CA. Click Next.
4. On the Rule Action page, select Allow and click Next.
5. On the Protocols page, select the Selected protocols option from This rule applies to list and click Add.
6. In the Add Protocols dialog box, click the Common Protocols folder, double-click the HTTP protocol, and then click Close.
7. Click Next on the Protocols page.
8. On the Access Rule Sources page, click Add.
In the Add Network Entities dialog box, click the Networks folder and then double-click the Local Host network. Click Close.
9. Click Next on the Access Rule Sources page.
10. On the Access Rule Destinations page, click Add. If the domain controller is not in the Computers folder, click the New menu and then click Computer.
11. In the New Computer Rule Element dialog box, enter the name of your CA server computer in the Name box. In this example we will call it CA. Enter the IP address in the Computer IP Address box. In this example, the IP address is 10.0.0.2, so we enter that into the box. Click OK.
12. In the Add Network Entities dialog box, click the Computer folder and double-click the CA entry. Click Close.
13. Click Next on the Access Rule Destinations page.
14. On the User Sets page, accept the default entry, All Users, and click Next.
15. Click Finish on the Completing the New Access Rule Wizard page.
16. Click Apply to save the changes and update the firewall policy.
17. Click OK in the Apply New Configuration dialog box.

Requesting the certificate from the Enterprise CA on the internal network
1. On the ISA Server 2004 computer open Internet Explorer and enter the address of the CA into the Address bar. In this example, we will enter http://10.0.0.2/certsrv and press Enter.
2. Enter a valid user name and password into the authentication dialog box and click OK.
3. On the Welcome page, click Request a certificate.
4. On the Request a Certificate page, click Advanced certificate request.
5. On the Advanced Certificate Request page, click Create and submit a request to this CA.
6. For an Enterprise CA, on the Advanced Certificate Request page, select the Web Server certificate from the Certificate Template list. In the Name box in the Identifying Information for Offline Template section, enter the common name that will be included in the certificate. In this example, we want the name to be localhost, so we enter localhost into the Name box. Select Store certificate in the local computer certificate store. Click Submit.
For a stand-alone CA, on the Advanced Certificate Request page, enter details for Identifying Information. In this example, we want the name to be localhost, so we enter localhost in the Name box. Change Type of Certificate Needed to Server Authentication Certificate. Select Store certificate in the local computer certificate store. Click Submit.
7. A Potential Scripting Violation dialog box informs you that the Web site is requesting a certificate on your behalf. Click Yes.
8. The ID of the requested certificate is then displayed on the Certificate Pending page.
The CA then issues the requested certificate.

To install the certificate:
1. On the ISA Server 2004 computer open Internet Explorer and enter the address of the CA into the Address bar. In this example, we will enter http://10.0.0.2/certsrv and press Enter.
2. On the home page, click View the status of a pending certificate request.
3. Click the requested certificate.
4. On the Certificate Issued page, click Install this certificate.
5. Click Yes to the prompt that informs you that the Web site is adding one or more certificates to the computer.
6. Close the browser after you see the Certificate Installed page.
At this point the certificate will be available for binding to the localhost Web listener, as described in the following sections.

Create a Web Publishing Rule that forwards incoming OWA requests to the localhost Web listener
The first Web Publishing Rule to create is for the external Web listener. This rule will accept the incoming requests for the front-end OWA server and forward them to the localhost listener.

Figure 5: External to localhost rule

To create the Web Publishing Rule and associated Web listener:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. In the right-hand pane, click the Tasks tab and then click Publish a Mail Server.
2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name box. In this example, we will call the rule OWA FBA (External to Localhost). Click Next.
3. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync. Click Next.
4. On the Select Services page, select Outlook Web Access and click Next.
5. On the Bridging Mode page, select Secure connection to clients and mail server and click Next.
6. On the Specify the Web Mail Server page, enter localhost in the Web mail server box. Click Next.
7. On the Public Name Details page, in the Public name box, enter the name that external users will use to connect to the OWA Web site. For example, owa.msfirewall.org. Alternatively, you can select Accept requests for any domain name. Click Next.
8. Now create the external Web listener. On the Select Web Listener page, click New to create a new Web listener.
9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name box. In this example, we will call the listener External443 (basic) to indicate that the listener is listening on the external interface of the ISA Server 2004 firewall, and that it is configured to use basic authentication. Click Next.
10. On the IP Addresses page, select the External checkbox. Click Next.
11. On the Port Specification page, clear the Enable HTTP checkbox and select Enable SSL. Click Select.
In the Select Certificate dialog box, click the Web site certificate for the OWA front-end server and click OK. Click Next on the Port Specification page.
12. Click Finish on the Completing the New Web Listener Wizard page.
13. Click Edit on the Select Web Listener page. In the External443 (basic) dialog box, select the Preferences tab and click Authentication (see Figure 6).

Figure 6: Port selection

14. In the Authentication dialog box, clear the Integrated checkbox. Click OK in the prompt dialog.
Select the Basic checkbox. Click Yes in the prompt box that tells you that you should use SSL. Click OK in the Authentication dialog.
15. Click Apply and then click OK in the External443 (basic) dialog.
16. Click Next on the Select Web Listener page.
17. On the User Sets page, accept the default setting, All Users, and click Next.
18. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
19. Right-click the OWA FBA (External to Localhost) rule in the Firewall Policy pane of the Microsoft Internet Security and Acceleration Server 2004 management console and click Properties.
20. In the OWA FBA (External to Localhost) Properties dialog box, click the Paths tab (see Figure 7). Click Add.

Figure 7: Path mapping

21. In the Path mapping dialog, enter /cookieauth.dll in the box entitled Specify the folder on the Web site that you want to publish. (To publish the entire Web site, leave this box blank). Select Same as published folder. Click OK.
22. Click Apply and then click OK in the OWA FBA (External to Localhost) Properties dialog.
23. Click Apply to save the changes and update the firewall policy.
24. Click OK in the Apply New Configuration dialog.

Create a Web Publishing Rule for the localhost listener that forwards requests to the OWA Web site
The next Web Publishing Rule to create is for the localhost Web listener. This rule will accept the incoming requests for the front-end OWA server and forward them to the front-end OWA server.

Figure 8: Localhost to Exchange rule

To create the Web Publishing Rule and associated Web listener:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. In the right-hand pane, click the Tasks tab and then click Publish a Mail Server.
2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name box. In this example, we will call this rule OWA FBA (Localhost to Exchange). Click Next.
3. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync. Click Next.
4. On the Select Services page, select Outlook Web Access and click Next.
5. On the Bridging Mode page, select Secure connection to clients and mail server and click Next.
6. On the Specify the Web Mail Server page, enter the name of the front-end OWA server in the Web mail server box. Alternatively, you can enter the common name of the CA certificate on the front-end OWA server. This is the Issued to name in the certificate. In this example we enter owa.msfirewall.org. Click Next.
7. On the Public Name Details page, in the Public name box, enter the name that external users will use to connect to the OWA Web site. For example, owa.msfirewall.org. Alternatively, you can select Any domain name in the Accept requests for list. Click Next.
8. Now you create the localhost Web listener. On the Select Web Listener page, click New to create a new Web listener.
9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will call this listener Localhost443 (FBA) to indicate that the listener is listening on the Local Host network of the ISA Server 2004 firewall, and that it is configured to use forms-based authentication. Click Next.
10. On the IP Addresses page, select the Local Host checkbox. Click Next.
11. On the Port Specification page, clear the Enable HTTP checkbox. Select the Enable SSL checkbox. Click Select.
In the Select Certificate dialog box, click the localhost certificate and click OK. Click Next on the Port Specification page.
12. Click Finish on the Completing the New Web Listener Wizard page.
13. Now you configure forms-based authentication for the localhost listener. On the Select Web Listener page, click Edit.
Select the Preferences tab.
Click Authentication. In the Authentication dialog, clear the Integrated checkbox. Click OK in the prompt dialog.
Select the OWA forms-based checkbox. Click OK.

Figure 9: Configuring forms-based authentication for the listener

14. Click Apply and then click OK on the Localhost443 (FBA) dialog.
15. Click Next on the Select Web Listener page.
16. On the User Sets page, accept the default setting, All Users, and click Next.
17. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
18. On the main page, right-click the OWA FBA (Localhost to Exchange) rule in the Firewall Policy pane of the console and click Properties.
19. In the OWA FBA (Localhost to Exchange) Properties dialog, click the Paths tab.
20. Remove all the paths displayed: hold down the Ctrl key, click each of the paths in the path list, and then click Remove.
21. Click Add. In the Path mapping dialog box, enter the path /* in Specify the folder on the Web site that you want to publish. (To publish the entire Web site, leave this box blank). Select Same as published folder. Click OK. (Refer to Figure 10.)

Figure 10: Path mapping

22. Click Apply and then click OK in the OWA FBA (Localhost to Exchange) Properties dialog.
23. Click Apply to save the changes and update the firewall policy.
24. Click OK in the Apply New Configuration dialog.
25. Now order the rules in the main Firewall Policy window. Select the OWA FBA (External to Localhost) rule in the Firewall Policy window and then click the move up arrow in the management console button bar to move the rule to the top of the list. (See Figure 11.)
Click the OWA FBA (Localhost to Exchange) rule and click the move up arrow until it is second on the list.

Figure 11: Firewall Policy rules

26. Click Apply to save the changes and update the firewall policy.
27. Click OK in the Apply New Configuration dialog box.

Create a Web Publishing Rule that forwards requests for the /EnterpriseVaultProxy virtual directory to the internal network
The final Web Publishing Rule to create enables the external Web listener to forward incoming requests for the /EnterpriseVaultProxy virtual directory on the front-end OWA server. This virtual directory uses basic authentication.

Figure 12: EnterpriseVaultProxy rule

To configure the Web Publishing Rule for /EnterpriseVaultProxy requests:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. In the right-hand pane, click the Tasks tab and then click Publish a Web Server.
2. On the Welcome to the New Web Publishing Rule Wizard page, enter a name for the rule in the Web Publishing Rule name box. In this example, we will call the rule EnterpriseVaultProxy (EnterpriseVaultProxy to Internal). Click Next.
3. On the Select Rule Type page, select Allow as the action to take when rule conditions are met. Click Next.
4. On the Define Website to Publish page, enter the Computer name or IP address of the front-end OWA server (as known on the internal network). Alternatively, you can enter the common name of the CA certificate for the front-end OWA server.
Select Forward the original host header instead of the actual one.
Enter /EnterpriseVaultProxy/* in the Path text field and click Next.
5. On the Public Name Details page (see Figure 13), enter the site name that external users will use to access the OWA Web site in the Site box. (This must match the value specified in the external DNS entry). Alternatively, select Any domain name in the Accept requests for box and click Next.

Figure 13: Public Name Details page

6. Now associate this rule with the external Web listener. On the Select Web Listener page, in the Web listener box, select the External443 (basic) listener. Click Next.
7. On the User Sets page, accept the default value, All Users, and click Next.
8. Click Finish on the Completing the New Web Publishing Rule Wizard page.
9. Click Apply to save the changes and update the firewall policy.
10. Click OK in the Apply New Configuration dialog box.
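The chained-listener flow described under Figure 4, and the three rules created in the sections above, can be followed end to end with a small model of how the firewall picks a rule. The following Python is an added illustration, not ISA Server code and not part of this TechNote: it reduces ISA Server 2004 rule evaluation to "first rule, top to bottom, whose Web listener and path pattern match", uses the listener and rule names from the steps above, and takes owa.msfirewall.org as the example front-end OWA server name. It also shows why the rule order set in step 25 matters: if the basic-authentication rule from the first section were left above the chain on the same external listener, it would capture /Exchange/* before the forms-based chain is reached.

```python
# Constructed model of ISA Server 2004 first-match Web Publishing Rule
# evaluation for the chained-listener OWA design. Added example; the real
# firewall engine is more involved (public names, user sets, link translation).
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

EXTERNAL = "External443 (basic)"     # listener name used in the steps above
LOCALHOST = "Localhost443 (FBA)"     # listener name used in the steps above
OWA_FE = "owa.msfirewall.org"        # example front-end OWA server name


@dataclass(frozen=True)
class Listener:
    name: str
    auth: str   # "basic" or "fba" (OWA forms-based)


@dataclass(frozen=True)
class Rule:
    name: str
    listener: Listener
    paths: Tuple[str, ...]  # patterns from the rule's Paths tab
    forward_to: str         # Web mail server / Web site the rule publishes


LISTENERS = {
    EXTERNAL: Listener(EXTERNAL, "basic"),
    LOCALHOST: Listener(LOCALHOST, "fba"),
}

# The three rules, in the order the TechNote places them in the Firewall Policy.
CHAINED_RULES = [
    Rule("OWA FBA (External to Localhost)", LISTENERS[EXTERNAL],
         ("/Exchange/*", "/Public/*", "/Exchweb/*", "/cookieauth.dll"), "localhost"),
    Rule("OWA FBA (Localhost to Exchange)", LISTENERS[LOCALHOST], ("/*",), OWA_FE),
    Rule("EnterpriseVaultProxy (EnterpriseVaultProxy to Internal)", LISTENERS[EXTERNAL],
         ("/EnterpriseVaultProxy/*",), OWA_FE),
]

# The basic-authentication rule from the first section of the TechNote.
BASIC_RULE = Rule("OWA Basic (External to Internal)", LISTENERS[EXTERNAL],
                  ("/Exchange/*", "/Public/*", "/Exchweb/*", "/EnterpriseVaultProxy/*"), OWA_FE)


def path_matches(pattern: str, url_path: str) -> bool:
    """Case-insensitive folder match; a trailing '*' covers everything
    beneath that folder. The query string does not take part in matching."""
    path = url_path.split("?", 1)[0].lower()
    return fnmatchcase(path, pattern.lower())


def first_match(rules: List[Rule], listener_name: str, url_path: str) -> Optional[Rule]:
    """Rules are evaluated top to bottom; the first one whose listener
    received the request and whose path pattern matches wins."""
    for rule in rules:
        if rule.listener.name == listener_name and any(path_matches(p, url_path) for p in rule.paths):
            return rule
    return None


def trace(rules: List[Rule], url_path: str) -> List[Tuple[str, str, str]]:
    """Follow a request that arrives on the external listener, hop by hop.
    Each hop is (rule name, authentication type of the listener that handled
    it, server the rule forwards to). Forwarding to 'localhost' re-enters the
    firewall on the Local Host listener, which is the chaining in Figure 4."""
    hops: List[Tuple[str, str, str]] = []
    listener_name = EXTERNAL
    for _ in range(4):  # guard against a mis-configured forwarding loop
        rule = first_match(rules, listener_name, url_path)
        if rule is None:
            hops.append(("(no matching rule: request denied)", LISTENERS[listener_name].auth, ""))
            break
        hops.append((rule.name, rule.listener.auth, rule.forward_to))
        if rule.forward_to != "localhost":
            break
        listener_name = LOCALHOST
    return hops


def user_facing_auth(rules: List[Rule], url_path: str) -> str:
    """What the user is prompted with: the authentication of the last firewall
    listener the request passed through, or 'denied' if no rule published it."""
    name, auth, target = trace(rules, url_path)[-1]
    return auth if target else "denied"


if __name__ == "__main__":
    for p in ("/Exchange/", "/cookieauth.dll?GetLogon", "/EnterpriseVaultProxy/Search.asp", "/certsrv/"):
        print(p, "->", user_facing_auth(CHAINED_RULES, p))
        for name, auth, target in trace(CHAINED_RULES, p):
            print(f"    {name:62} listener auth={auth:5} forward to {target or '-'}")
    print("/Exchange/ with the basic rule left on top ->",
          user_facing_auth([BASIC_RULE] + CHAINED_RULES, "/Exchange/"))
```

Run as a script, the model reports that /Exchange/ and /cookieauth.dll pass through both listeners and end with the forms-based listener (the user sees the form), that /EnterpriseVaultProxy/* is handled by the external listener alone and ends with basic authentication (the user sees the credentials prompt described in step 7 under Figure 4), and that an unpublished path such as /certsrv/ is denied. With the basic-authentication rule ordered above the chain, /Exchange/ would be answered with basic authentication and the form would never appear.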


Products Applied:
 Enterprise Vault for Microsoft Exchange 2007 7.5, 2007 7.5 SP1, 2007 7.5 SP2, 2007 7.5 SP3, 2007 7.5 SP4, 2007 7.5 SP5, 6.0, 6.0 SP1, 6.0 SP2, 6.0 SP3, 6.0 SP4, 6.0 SP5, 6.0 SP6, 7.0, 7.0 SP1, 7.0 SP2, 7.0 SP3, 7.0 SP4, 7.0 SP5, 8.0, 8.0 SP1

Last Updated: August 03 2009 02:59 PM GMT
Expires on: 365 days from publish date

Subjects:
 Enterprise Vault for Microsoft Exchange
   Owa: Advice, Configuration : Exchange 2003, Documentation

Languages:
 English (US)

Operating Systems:
 Windows 2000: Advanced Server SP1, Advanced Server SP2, Advanced Server SP3, Advanced Server SP4, Datacenter Server SP1, Datacenter Server SP2, Datacenter Server SP3, Datacenter Server SP4, Server SP1, Server SP2, Server SP3, Server SP4
 Windows Server 2003: Enterprise SP2, Enterprise Server, Enterprise Server SP1, R2, Standard Server, Standard Server SP1, Standard Server SP2