Domain Controller and DNS

Published by: micorina on Sep 20, 2010
Copyright:Attribution Non-commercial

Publishing a Single Exchange 2003 OWA with ISA 2004 Firewall Forms-Based Authentication
I decided to take the DIY approach for setting up the ISA firewall to securely publish Exchange 2003 Outlook Web Access using forms-based authentication and SSL bridging to provide a higher level of security in web mail access. I believe this step-by-step article will take out some of the guesswork that I went through when checking the configuration.

The procedures in this article will not work for multiple Exchange server environments, as the publishing rule can only redirect requests to a single server. If implemented in a multiple server environment, users will only be able to access OWA mailboxes located on the published server. I presume that in a multiple server environment the procedure could be configured only when the actual published server is an Exchange front-end server.

The advantage of publishing Exchange Outlook Web Access (OWA) using the ISA firewall's Forms-Based authentication is the ability to offload the authentication of web clients from the Exchange server to the ISA firewall, and to prevent unauthenticated communication from reaching the Exchange server. The ISA firewall's Forms-Based authentication works with Exchange 5.5, 2000 and 2003.

This article will focus on Exchange 2003, where a web site certificate is used for two purposes:

1. Provide SSL communication between the remote client and the ISA firewall.
2. Provide SSL communication between the ISA firewall and the Exchange server.

This will create an SSL to SSL bridge where the SSL communication from the remote client is terminated at the ISA firewall, and another SSL session is created between the ISA firewall and the Exchange server. The remote client does not actually connect directly to the Exchange server over SSL.

Steps for deployment:
1. Preparing the Exchange server 2003 and certificates.
    Decision point – Which certificates to use
    Create your own certificates
    Generating the web site certificate request
    From a request to a certificate
2. Importing the certificates to the ISA firewall.
    Checking SSL connectivity between the ISA firewall and the OWA site
    Importing the certificates
    Checking Browser connectivity from ISA to the OWA site
3. Configure the ISA Web Listener and Publishing rule.
4. Verify External connectivity.

Preparing the Exchange server 2003 and certificates.
NOTE! Do not enable forms-based authentication on the Exchange server itself.

The first step to take is to configure your internal Exchange 2003 server to use a web site certificate for client connections. The clients may be internal or external network clients, as far as the Exchange server is concerned. Since in our case remote clients will actually connect to the ISA firewall, the ISA firewall itself will act as a client to the OWA web site. The Exchange server OWA web site can be configured to require SSL communication only, but this article will not cover this issue as it is usually not necessary to encrypt OWA connections within the internal network.

Decision point – Which certificates to use?
The best way to approach the use of certificates for a publicly accessible web site is to acquire a certificate from a known Certificate Authority such as Verisign.

The advantage of such a certificate is that the issuer (the company which owns the certificate authority that generated the certificate) is already trusted by Windows based computers. You can use Internet Explorer's Internet Options and Content tab to see the list of trusted certificate authorities. Another option is to open an mmc console and use the Certificates snap-in to view the list of Trusted Root Certificate Authorities.

If you cannot afford the purchase of a publicly signed certificate, you can issue your own certificates using a Windows 2000/2003 server, with the free Certificate Authority services within those network operating systems.

Note! In some cases, such as when using the Exchange 2003 RPC over HTTP feature, you will be required to manually import the home-brewed CA certificate to the client computers in order for those computers to trust the unfamiliar Certificate Authority.

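The trust decision described above, as an added example that is not part of the original article: OpenSSL is used here as a stand-in for Windows Certificate Services to create a stand-alone root CA, issue a web site certificate from a request, and show that a client rejects that certificate until the home-brewed CA certificate is imported into its trust store. All names (the CA names, `owa.example.test`, the file names) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: OpenSSL stands in for Windows Certificate Services.
# Every CA name, host name and file name below is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_root_ca() {        # $1 = file prefix, $2 = CA common name
  # A root CA is simply a self-signed certificate plus its private key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_site_cert() {    # $1 = issuing CA prefix, $2 = web site host name
  # Step 1: the web server generates a key pair and a certificate request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null &&
  # Step 2: the CA signs the request, turning it into a certificate.
  openssl x509 -req -in "$WORK/site.csr" -days 30 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/site.crt" 2>/dev/null
}

client_trusts() {      # $1 = client trust store (PEM bundle)
  # Prints "trusted" only if site.crt chains to a root in the store.
  out=$(openssl verify -CAfile "$1" "$WORK/site.crt" 2>/dev/null) || true
  case "$out" in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

# A root the client already trusts (plays the role of a public CA).
new_root_ca public "Constructed Public Root"
# The home-brewed stand-alone root CA and the web site certificate it issues.
new_root_ca lab "Constructed Stand-Alone Root CA"
issue_site_cert lab owa.example.test

# The client's store starts with the public root only.
cp "$WORK/public.crt" "$WORK/client-store.pem"
BEFORE=$(client_trusts "$WORK/client-store.pem")

# Manual import of the home-brewed CA certificate into the client's store.
cat "$WORK/lab.crt" >> "$WORK/client-store.pem"
AFTER=$(client_trusts "$WORK/client-store.pem")

echo "before import: $BEFORE / after import: $AFTER"
```

In the bridged setup the ISA firewall is itself a client of the OWA site, so the same check applies to its trust store as well as to the remote clients'.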
Create your own certificates
To issue your own certificate from a Windows 2003 server, use the following steps to install the required components.

Open Add/Remove programs, and select Add/Remove Windows components. To make the process of issuing certificates easier, you should install both the IIS server and the Certificate Services, which include both the Certificate Authority installation and the Certificate Services Web Enrolment support.

During the installation process you will be asked to select which type of Certificate Authority you would like to install. If the sole reason you install the CA is to generate a web site certificate, select a "Stand-Alone root CA". In a larger environment where a PKI infrastructure is deployed, you should check if an Enterprise root CA is installed - which will be able to issue the certificates.

Continue the installation process; provide a common name for the CA. I suggest you enter the public domain that you are using. In the following case I used my own registered domain name: liran.org
