Wrapping up our sample configuration
"Rev Up Security with ISA Server 2004," November 2004, InstantDoc ID 44068, introduces an example that shows you how you can use Microsoft Internet and Security Acceleration (ISA) Server 2004 to increase security for Internet-facing applications and services such as Microsoft Exchange Server. In that article, I began walking you through a configuration that uses an ISA Server firewall (which I refer to as the ISA firewall) to enhance the security of a front-end/back-end Exchange setup in which the front-end Exchange server publishes a Microsoft Outlook Web Access (OWA) site that remote users can access across the Internet. "Rev Up Security with ISA Server 2004" includes a detailed description of the sample setup and the first five steps in publishing the OWA site. Let's continue with the remaining steps (6 through 13).
6. Create a User Account for the ISA Firewall
You need to create a user account for the ISA Server firewall service so that you can request a client certificate for that service. The ISA firewall presents this certificate to the front-end Exchange server's OWA Web site. The account has no special requirements, and you don't need to create an Exchange mailbox for the account.
Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and create the user account. For this example, I created the domain account webproxy.
7. Request a Client Certificate for the ISA Firewall's Web Proxy
Next, you need to request the client certificate and install it in the ISA Server's machine certificate store. Later, you'll move the certificate to the firewall service's personal certificate store.
Before you can request the certificate, you need to change the ISA firewall's system policy so that the firewall can use HTTP to connect to the Certification Authority (CA). You can leave this rule enabled or you can disable the rule after obtaining the certificate. If you leave the rule enabled, the ISA firewall can check certificate revocation lists (CRLs).
Open the ISA Server Management console (under All Programs, Microsoft ISA Server). Expand the ISA Server system's node and click Firewall Policy in the left-hand pane. Go to the Tasks tab and click Show System Policy Rules to expose the firewall's system policy rules. Scroll through the list of revealed system policy rules and double-click rule 26, Allow HTTP from ISA Server to all networks for CRL downloads. On the To tab, select the CA's network. Select the Enable check box on the rule's General tab. Click OK, then click Apply to save the changes to the system policy.
Open Microsoft Internet Explorer (IE) and enter the URL for the enterprise CA Web enrollment site, using the format http://CA_IP_address/certsrv. Enter the firewall service account name and password in the logon dialog box. These credentials will be used to generate the client certificate.
Click Request a certificate on the Web enrollment site's Welcome page, then click Advanced Certificate Req-uest on the Request a Certificate page. Click Create and submit a request to this CA on the Advanced Certificate Request page. On the same page, select User from the Certificate Template drop-down list, as Figure 1 shows. Select the Store certificate in the local computer certificate store check box. Leave all other options at their defaults and click Submit.
Click Yes in the dialog box that informs you that a certificate request is being made, then click Install this certificate on the Certificate Issued page. Click Yes in the dialog box that asks whether you want to add the certificate to the ISA firewall's machine store. Close the browser after you see the Certificate Installed page. Hide the system policy by clicking Hide System Policy Rules on the Tasks tab.
8. Import the Web Site Certificate
Now you can place the Web site certificate and the firewall service's client certificate into the appropriate locations (i.e., the ISA firewall's machine certificate store and the firewall service's personal certificate store, respectively). First, copy to the ISA firewall the Web site certificate file that you generated on the OWA server. You can copy the file to the ISA firewall's local hard disk or insert the removable media that holds the file into the ISA server, then import the file from that location. The latter option is more secure.
Open an empty MMC console and add a standalone Certificates snap-in. On the Certificates snap-in page, select the Computer account option; on the Select Computer page, select the Local computer option.
Add another Certificates snap-in, but this time on the Certificates snap-in page, select the Service account option. Select the Local computer option on the Select Computer page, then select the Microsoft Firewall service account on the Service Ac-count page. Two snap-ins will now be visible in the console's left-hand pane, as Figure 2 shows.
Expand the Certificates (Local Computer) node, then expand the Personal node. Right-click the Certificates node (under Personal), then select All Tasks, Import from the context menu to open the Certificate Import Wizard. This wizard walks you through the process of importing the Web site certificate from the certificate file you created on the OWA Web server machine.
When you get to the Password page, enter the password you assigned to the certificate file. Don't mark the private key as exportable or an intruder who manages to access the ISA firewall (remotely or physically) could steal the OWA Web site's private key.
After completing the wizard, you'll see the CA certificate, the OWA Web site certificate, and the machine certificate in the console's right-hand pane. You can remove the CA certificate if it's already included in the ISA firewall's Trusted Root Certification Authorities certificate store. In our example, we don't need to copy the CA certificate because we're using an enterprise CA belonging to the same domain as the ISA firewall.
9. Import the Client Certificate
You need to move the ISA firewall's client certificate from the ISA Server's machine certificate store to the ISA firewall service's personal certificate store. Right-click the firewall service's client certificate and select Cut from the context menu. Expand the Certificates - Service (Microsoft Firewall) on Local Computer node and right-click the fwsrv\Personal node. Click Paste. (If the Paste command isn't available, repeat the cutting process.) The ISA firewall service's client certificate will appear in the fwsrv\Personal folder.
10. Create the OWA Web Publishing Rule
Now that all the certificates are in place, you can create the Web Publishing Rule on the ISA firewall. In the ISA Server Management console, click the Firewall Policy node. Go to the Tasks tab and click Publish a Mail Server. Name the rule on the Welcome to the New Mail Server Wizard page.
On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option. On the Select Services page, select the Outlook Web Access option; leave the Enable high bit characters used by non-English character sets option selected if you want users to be able to read email messages that use non-English characters.
On the Bridging Mode page, select the Secure connection to clients and mail server option. This option forces the remote Web browser to establish a Secure Sockets Layer (SSL) connection to the external interface of the ISA firewall and forces the ISA firewall's internal interface to establish a secure SSL link to the OWA site.
On the Specify the Web Mail Server page, enter the name that external users use to access the OWA site. For example, if remote users access the site through https://owa.domain .com/exchange, enter the name owa.domain.com. The name must match the name on the Web site certificate that's bound to the OWA Web site. In addition, the ISA firewall must be able to resolve the name to the IP address of the OWA server's internal network. To make this possible, you can use split DNS or a HOSTS file entry on the ISA firewall, as I explain in step 12.
Enter the same name on the Public Name Details page. Confirm that the This domain name (type below) option is selected and that you've entered the same name (e.g., owa.domain.com) that you entered in the wizard's previous page.
On the Select Web Listener page, you need to create an SSL listener to accept incoming SSL connection requests. Click New to begin the listener-creation process. Enter a name for the listener on the Welcome to the New Web Listener page. In this example, we'll use the name SSL Listener. On the IP Addresses page, select the External check box. If you have multiple IP addresses bound to the external interface of the ISA firewall, you can use the Address button to select the specific IP address that the rule's Web listener will use to accept incoming connections.
Clear the Enable HTTP check box on the Port Specification page. Select the Enable SSL check box. Click Select to bind the OWA Web site certificate to the listener. Select the OWA Web site certificate from the list in the Select Certificate dialog box. If you don't see the Web site certificate in this list, the certificate hasn't been imported to the proper location in the ISA firewall's machine certificate store or the private key wasn't included in the certificate file you created on the OWA Web server. You'll need to determine the problem, then restart the Web Publishing Rule Wizard.
On the User Sets page, click All Users, then click Remove. Click Add, then double-click the All Authenticated Users option. If you want to limit OWA access to a specific group of users, you can create a custom firewall group by clicking the New menu in the Add Users dialog box.
When you get to the last page of the wizard, review your settings and click Finish. To enhance security, you'll need to customize the OWA Web publishing rule. Double-click the rule, go to the Traffic tab, and select the Require 128-bit encryption for HTTPS traffic check box. Go to the Users tab and select the Forward Basic authentication credentials (Basic delegation) check box.
Go to the Bridging tab and select the Use a certificate to authenticate to the SSL Web server check box. Click Select, then select the firewall service account certificate from the Select Certificate dialog box. (If you don't see the certificate, either it wasn't imported into the proper location in the ISA firewall's certificate store or you requested the wrong type of certificate.) Select the certificate, then click OK.
Go to the Listener tab and click Properties. Go to the Preferences tab in the SSL Listener Properties dialog box, then click Authentication. Clear the Integrated check box and click OK to dismiss the warning dialog box. Select the OWA Forms-based check box. You can customize OWA forms-based authentication by clicking Configure. When you use ISA forms-based authentication, you can customize idle session timeouts and attachment blocking. Click OK to save the listener properties, then click OK to save the Web publishing rule's properties.
11. Harden the OWA Web Publishing Rule
The ISA firewall's HTTP security filter inspects every aspect of an HTTP communication. You should configure the filter to permit only valid connections to the OWA Web site. The filter enforces exceptional stateful application-layer (layer 7) inspection rules on incoming OWA connections and significantly enhances security for remote-access OWA connections. (The HTTP security filter provides—and enhances—the HTTP inspection features of URLScan.)
Right-click the Web publishing rule and select Configure HTTP. The Configure HTTP policy for rule dialog box contains five tabs: General, Methods, Extensions, Headers, and Signatures. Use the entries that Table 1 shows to configure the options on each of these tabs. Click OK to save the changes, then click Apply to save the firewall policy.
12. Create a HOSTS File on the ISA Firewall
As I explained earlier, the ISA firewall must be able to resolve the OWA site's Fully Qualified Domain Name (FQDN) to the internal address of the OWA server rather than to the external address that remote OWA clients use to access the OWA server. Locate the HOSTS file (in the \systemroot\system32\drivers\etc folder). In the bottom line of the HOSTS file, enter the OWA site's FQDN and internal IP address, for example
Be sure you press the Enter key at the end of that line so that the cursor is below the HOSTS file's last entry. This information is automatically placed in the ISA firewall's DNS cache; you can see the name mapping by opening a command prompt and typing
13. Request and Install the Root CA Certificate on the Web Browser Client
This optional step is necessary only when you use noncommercial certificates. The root CA's certificate must be in users' Trusted Root Certificate Authorities certificate store if you want to avoid a warning dialog box when users connect to the OWA site. The warning informs users that the CA that issued the Web site's certificate is not trusted. Users can easily dismiss the warning, but it often causes confusion and generates Help desk calls.
All domain users can obtain a CA certificate by using the enterprise CA's Web enrollment site. If a user's machine is a member of the same domain as the enterprise CA, this step is unnecessary: All domain members already have the enterprise CA's certificate in their Trusted Root Certification Authorities store. Nondomain users will need to request the certificate. To do so, a user can connect directly to the Web enrollment site when connected to the internal network. (You can publish the Web enrollment site for users who never work on the internal network, but I don't cover that scenario in this article.)
Users need to open IE and enter the address of the Web enrollment site, using the URL format http://CA_IP_address/certsrv. They need to log on to the Web enrollment site, using their domain credentials. On the Welcome page, they need to click Download a CA certificate, certificate chain, or CRL. On the Download a CA Certificate, Certificate Chain, or CRL page, they need to click Install this CA certificate chain. Finally, they need to click Yes on the dialog box that asks whether they want to add a new certificate, then close the browser after the certificate is installed.
Revved Up and Ready
The ISA firewall is now ready to receive incoming requests for Exchange resources, via OWA. You can test the configuration by going to a machine on the external network (don't test from a machine on the corporate network), entering the URL for the OWA site (e.g., https://owa.domain.com/exchange), and logging on.