How to publish Outlook Web Access (OWA) on ISA 2006
Shijaz Abdulla, MVP
Overview
This article describes how to publish Exchange 2003 Outlook Web Access (OWA) over HTTPS through ISA Server 2006, so that your users can reach their mailboxes from outside the office network over the internet. It covers obtaining and installing the SSL certificate, creating the HTTPS web listener, and placing ISA 2006 Forms Based Authentication in front of OWA.
Pre-requisites and Assumptions
The following assumptions have been made while writing this article:
· You already have Exchange 2003 deployed in your organization, and OWA works internally when you type http://mailserver/exchange in the browser of any workstation connected to your network.
· You have set up ISA 2006 successfully and your users are able to access the internet through it.
· You already have a Certification Authority (CA) in your internal Windows Server infrastructure, or you have procured a certificate from a commercial SSL vendor (VeriSign, Entrust, etc.).
· You have asked your internet domain name provider/ISP to create an A record for the name that you will use to reach your OWA site from the internet. For the purposes of this article we will use mail.shijaz.com. The A record must resolve to your company's public IP address, the one that reaches the external interface of the ISA Server (either the address on the ISA external interface itself, or the address of the firewall/NAT device in front of it).
· If a firewall/NAT device sits between the internet and the ISA computer, you have already configured it to forward inbound TCP port 443 (HTTPS) traffic to the external interface of the ISA Server.
Procedure 1: Obtain an SSL certificate
1. If you are using your own Certification Authority (CA) installed on Windows Server, see this article: How to configure SSL on OWA.
2. If you are procuring a commercial SSL certificate, contact your SSL vendor for details on procuring the certificate. The certificate request has to be generated in IIS on the Exchange 2003 computer hosting the OWA service, so that the private key is created on that computer.
In either case, the common name of the certificate must be the public name that users will type in their browsers (mail.shijaz.com in this article), and the private key must be exportable, because Procedure 2 exports the certificate together with its private key for installation on the ISA Server.
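As an added example (this is not code from the original article), the same request can be generated from the command line with certreq instead of the IIS wizard. It shows the two settings that matter for the rest of this article: the common name equal to the public OWA name, and a key marked exportable so that Procedure 2 can move it to the ISA Server. The public name mail.shijaz.com, the folder C:\CertRequest and the WebServer template name are assumptions; change them to suit your environment.

```powershell
# Added example, not part of the original article: generate the OWA certificate
# request with certreq instead of the IIS wizard. Assumptions: run in PowerShell
# on the Exchange 2003/IIS computer; public name mail.shijaz.com; an internal
# enterprise CA that publishes the standard "WebServer" template.

$PublicName = 'mail.shijaz.com'          # must equal the URL users will type
$WorkDir    = 'C:\CertRequest'
$null = New-Item -ItemType Directory -Path $WorkDir -Force

# certreq INF: Exportable=TRUE is what later lets you choose "Yes, export the
# private key" (Procedure 2); MachineKeySet=TRUE keeps the key in the machine
# store where IIS (and later the ISA Firewall service) can use it.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=$PublicName"
Exportable    = TRUE
MachineKeySet = TRUE
KeyLength     = 2048
KeySpec       = 1
KeyUsage      = 0xA0
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication
"@
$infPath = Join-Path $WorkDir 'owa.inf'
$reqPath = Join-Path $WorkDir 'owa.req'
$cerPath = Join-Path $WorkDir 'owa.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Create the key pair in the machine store and the PKCS#10 request file.
certreq.exe -new $infPath $reqPath

# 2a. Internal enterprise CA: submit and install in one go (assumed template name).
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' $reqPath $cerPath
certreq.exe -accept $cerPath

# 2b. Commercial CA: instead of 2a, send the contents of $reqPath to the vendor,
#     save the certificate they return as $cerPath and run only
#     certreq.exe -accept $cerPath

# Verify: the issued certificate must be in LocalMachine\My with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$PublicName*" -and $_.HasPrivateKey }
if (-not $cert) { throw "No certificate with a private key for $PublicName was installed." }
"Installed: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
```

After certreq -accept, the certificate appears in the Personal store of the computer account and can be assigned to the OWA web site in IIS Manager in the usual way; if the final check finds no private key, the request was accepted on a different computer than the one that generated it.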
So what certificate should I choose anyway?
You can use your own CA if you want to cut down on cost, because Certificate Services comes free with Windows Server. The certificate on your OWA web site is then issued by your internal CA, and your internal CA is "trusted" only within your enterprise. Each client machine has its own certificate store listing the root CAs that it trusts. This list contains the well-known commercial root CAs by default, but it will not contain your internal CA unless you add your CA certificate to the Trusted Root Certification Authorities store of each client.
In that case, if your users access your OWA site from the internet using their home PCs (or any machine that does not have your CA certificate installed), they get a browser warning that the certificate was issued by an authority the browser does not trust.
This warning does not appear if you use a commercial certificate (from a vendor such as VeriSign), because the root certificates of those CAs are already present in every client's trusted root store. Keep in mind that users who are taught to click through the warning can no longer tell your OWA site from an attacker presenting a self-issued certificate, so for a site reached from machines you do not manage a commercial certificate is the safer choice.
Procedure 2: Import the certificate into the ISA Server computer
1. Open the Certificates console on the computer hosting OWA: Start → Run → type mmc and press ENTER.
2. Choose File → Add/Remove Snap-in → Add → Certificates, then Computer account → Local Computer (this is important: the OWA certificate lives in the machine store, not in your user store).
3. In the Certificates console, open the Personal → Certificates folder and find the OWA certificate.
4. Right-click the certificate and choose All Tasks → Export.
5. In the Certificate Export Wizard, choose Yes, export the private key and click Next. (If this option is greyed out, the private key was created as non-exportable, and you will have to request a new certificate with an exportable key.)
6. On the Export File Format page, select Personal Information Exchange (PKCS #12, .PFX). Keep all other settings at their defaults.
7. On the Password page, assign a strong password and click Next. The PFX file contains the private key of your OWA site, and this password is all that protects it.
8. Save the PFX file and transfer it to the ISA Server computer over a trusted channel (not by e-mail). Delete every copy of the file once the import is verified.
9. On the ISA Server computer, open the Certificates console as in steps 1-3 above.
10. Right-click the Personal → Certificates folder, choose All Tasks → Import, select the PFX file and enter the password from step 7 when prompted. Import it into the Personal store.
11. Verify that the certificate is listed once the import is complete, and that its General tab says "You have a private key that corresponds to this certificate". The ISA Server needs the private key because it is the computer that terminates the users' SSL connections on the web listener.
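The export and import above can also be done without the MMC, and doing it in script makes one hidden requirement visible: the key must be imported into the machine store and persisted, otherwise the certificate appears in the list but the listener cannot use it. The following is an added example, not code from the original article; it uses the .NET X509 classes that PowerShell exposes, and the names mail.shijaz.com, C:\Transfer\owa.pfx and the password are assumptions.

```powershell
# Added example, not part of the original article: export the OWA certificate
# with its private key on the Exchange server and import it into the machine
# store on the ISA Server. Assumed names: mail.shijaz.com, C:\Transfer\owa.pfx.

function Export-OwaCertificate {
    # Run on the Exchange/IIS computer that owns the certificate.
    param([string]$PublicName, [string]$PfxPath, [string]$Password)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadOnly')
    $cert = $store.Certificates |
            Where-Object { $_.Subject -like "CN=$PublicName*" -and $_.HasPrivateKey } |
            Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with a private key for $PublicName in LocalMachine\My" }

    # Export throws if the key was marked non-exportable when the request was made
    # (the same condition that greys out "Yes, export the private key" in the wizard).
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($PfxPath, $cert.Export($pfxType, $Password))
    "Exported $($cert.Thumbprint) to $PfxPath"
}

function Import-OwaCertificate {
    # Run on the ISA Server computer after copying the PFX there.
    param([string]$PfxPath, [string]$Password)

    # MachineKeySet: store the key with the computer, not in the profile of the
    # administrator running this script; the ISA Firewall service runs as a
    # service account and cannot use a key in your user profile.
    # PersistKeySet: write the key to disk; without it the key is discarded when
    # this object is garbage-collected and the import looks fine but has no key.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()

    # Re-read from the store: this is what the web listener will actually find.
    $check = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $check)                      { throw "Certificate not found in LocalMachine\My after import" }
    if (-not $check.HasPrivateKey)        { throw "Certificate was imported without its private key" }
    if ($check.NotAfter -lt (Get-Date))   { throw "Certificate has expired ($($check.NotAfter))" }
    "Imported $($check.Subject) thumbprint $($check.Thumbprint), private key present"
}

# On the Exchange server:
# Export-OwaCertificate -PublicName 'mail.shijaz.com' -PfxPath 'C:\Transfer\owa.pfx' -Password 'Use-a-long-passphrase'
# Copy C:\Transfer\owa.pfx to the ISA Server, then there:
# Import-OwaCertificate -PfxPath 'C:\Transfer\owa.pfx' -Password 'Use-a-long-passphrase'
# Remove-Item 'C:\Transfer\owa.pfx'      # on both computers once the import is verified
```

The thumbprint printed by both functions should be identical; if the Exchange site later gets a renewed certificate, repeat both steps, because ISA keeps validating the published server against the certificate it has, not against the one IIS is currently using.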
Procedure 3: Create a HOSTS file entry for split-DNS style resolution
1. Find the HOSTS file on the ISA Server computer. It is in the %systemroot%\system32\drivers\etc folder.
2. Open the file with Notepad (run as an administrator, because the file is writable only by administrators).
3. Add a line that resolves your public OWA name to the internal (private) IP address of the Exchange Server computer: the private IP address, then a tab or spaces, then mail.shijaz.com. Save the file.
ISA consults this entry when it connects to the published server by its public name in Procedure 5, so the name it connects with matches the name in the certificate even though internet DNS resolves mail.shijaz.com to your public IP. HOSTS entries take effect without a restart, but the resolver cache can be flushed with ipconfig /flushdns if an earlier lookup has been cached.
Procedure 4: Create the HTTPS Listener
1. On the ISA computer, open the ISA Server Management console.
2. Open the Toolbox (usually on the right side); under Network Objects, expand Web Listeners and choose New to create a new web listener.
3. The New Web Listener Wizard opens. Give the web listener a name.
4. Choose Require SSL secured connections with clients.
5. Select the External network as the network on which the web listener listens for requests.
6. Choose Select Certificate and pick the certificate you imported into the ISA computer in Procedure 2. Only certificates in the ISA computer's Personal store that have a private key are offered here, which is why Procedure 2 exported the key together with the certificate.
7. Choose HTML Form Authentication to enable ISA 2006 Forms Based Authentication. Leave the credential validation method at Windows (Active Directory), which requires the ISA Server to be a member of the domain.
8. Choose not to enable SSO, click Next and then Finish. Your web listener for OWA is now created.
Procedure 5: Create the Exchange Web Client Access Publishing Rule
1. On the ISA computer, open the ISA Server Management console.
2. Right-click Firewall Policy and choose New → Exchange Web Client Access Publishing Rule.
3. The Exchange Publishing Wizard opens. Give your publishing rule a descriptive name.
4. Choose your Exchange version, select Outlook Web Access and click Next.
5. Choose Publish a single Web site or load balancer. Click Next.
6. Choose Use SSL to connect to the published Web server or server farm. Click Next. (The credentials ISA delegates in step 10 travel over this connection, so do not downgrade it to HTTP.)
7. On the Internal Publishing Details page, type the public name of your OWA site (mail.shijaz.com), exactly as it appears on the certificate, as the Internal site name. If you also fill in the Computer name or IP address box, type the same public name there. Do not use the internal server name: the name ISA uses to reach the published server must match the name in the server's certificate, otherwise your users receive the error "Target principal name is incorrect". ISA resolves mail.shijaz.com to the Exchange server's private IP through the HOSTS entry you created in Procedure 3. Click Next.
8. On the Public Name Details page, enter the public domain name that you will be using for OWA (mail.shijaz.com). Click Next.
9. Select the web listener that you created in Procedure 4. Click Next.
10. On the Authentication Delegation page, choose Basic authentication. ISA collects the user's credentials on its logon form and passes them to the OWA server as Basic credentials over the SSL connection from step 6. The OWA virtual directory on the Exchange server must therefore accept Basic authentication, and forms-based authentication should stay disabled on the Exchange 2003 server itself, otherwise users are prompted to log on twice. Click Next.
11. On the User Sets page, keep the default (All Authenticated Users) and click Next.
12. Click Finish, then click Apply in the ISA console to apply your changes.
Procedure 6: Testing & Troubleshooting
1. From a computer on the internet, type the public URL for OWA in the browser (in our case https://mail.shijaz.com/exchange). Note the https: the web listener from Procedure 4 accepts SSL connections only, so a plain http:// request is not answered unless you also enable port 80 on the listener and turn on its HTTP-to-HTTPS redirect.
2. If you have published Exchange 2003 Outlook Web Access (OWA) through ISA 2006 successfully, you will see the OWA logon page (generated by ISA's forms-based authentication) similar to the one below.
OWA logon page for Exchange 2003 published behind ISA 2006
Troubleshooting
Checking IIS permissions
See the following Microsoft KB articles:
http://support.microsoft.com/kb/301428
http://support.microsoft.com/kb/327843
The dreaded "Target Principal Name is Incorrect" (500 Internal Server Error)
ISA returns this error when the name it uses to connect to the published server does not match the host name in the certificate that the server presents. Check the following:
· On the ISA Server, the HOSTS file must contain an entry that resolves the public name of your OWA site (exactly as it appears on the certificate) to the internal (private) IP address of the mail server on your LAN.
· In the publishing rule, both the internal site name and the public name must be the public OWA name exactly as it appears on the certificate (Procedure 5, steps 7 and 8 above).
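Both checks above, the HOSTS resolution from Procedure 3 and the name match from Procedure 5, can be verified from the ISA Server itself before anyone tests from the internet, by opening the same SSL connection ISA opens to the published server and inspecting the certificate it gets back. This is an added example, not code from the original article; the name mail.shijaz.com is an assumption, and the diagnostic accepts any certificate on purpose so that it can report the mismatch instead of failing on it.

```powershell
# Added example, not part of the original article: reproduce from the ISA
# Server the connection ISA makes to the published OWA server, so that a
# "Target principal name is incorrect" problem can be diagnosed before the
# publishing rule is tested from the internet. Assumed name: mail.shijaz.com.

function Test-PublishedOwaCertificate {
    param([string]$PublicName, [int]$Port = 443)

    # 1. Name resolution as ISA sees it: the HOSTS entry from Procedure 3 must win
    #    over internet DNS, so the answer must be a private address, not your public IP.
    $addresses = [System.Net.Dns]::GetHostAddresses($PublicName) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($a in $addresses) { "Resolves to: $a" }

    # 2. Open the SSL connection the way ISA does, with $PublicName as the
    #    expected server name. The callback records what the server presented
    #    and why validation failed, instead of aborting the handshake.
    $script:remoteCert   = $null
    $script:policyErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:remoteCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $script:policyErrors = $errors
        $true   # accept for diagnosis only; never do this in production code
    }

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $PublicName, $Port
    $stream = $client.GetStream()
    $ssl    = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
    try     { $ssl.AuthenticateAsClient($PublicName) }
    finally { $ssl.Close(); $client.Close() }

    $cert = $script:remoteCert
    "Server certificate subject: $($cert.Subject)"
    "Issued by:                  $($cert.Issuer)"
    "Valid until:                $($cert.NotAfter)"
    "Validation result:          $($script:policyErrors)"

    # 3. Map the .NET policy error to the fix in this article.
    $errs = "$($script:policyErrors)"
    if ($errs -match 'RemoteCertificateNameMismatch') {
        "FIX: the certificate name does not match $PublicName. Re-check the HOSTS entry (Procedure 3) and the internal site name / public name (Procedure 5, steps 7-8)."
    }
    if ($errs -match 'RemoteCertificateChainErrors') {
        "FIX: the ISA computer does not trust the issuing CA. Install your internal CA certificate in Trusted Root Certification Authorities on the ISA Server."
    }
    if ($errs -eq 'None') { "OK: ISA can connect to $PublicName and the certificate checks out." }
}

Test-PublishedOwaCertificate -PublicName 'mail.shijaz.com'
```

If the first line printed is your public IP rather than the Exchange server's private address, the HOSTS entry is missing or the resolver cache still holds the old answer; if the subject printed is the internal server name rather than mail.shijaz.com, the wrong certificate is bound to the OWA site in IIS.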
Disclaimer
The steps mentioned in this article are the results of testing in a lab environment. The procedure might require additional testing before being deployed in a production environment. I assume no responsibility for damage(s) occurring due to following this procedure or any other procedure listed on this site. Use it at your own risk!