Configuration of ISA 2006 for OWA (Exchange 2007 / 2003 mixed environment)

Summary
This article walks through the steps required to publish OWA with ISA 2006 for users whose mailboxes reside in a mixed Exchange organization consisting of both Exchange 2003 and Exchange 2007 servers. The following steps are described:

Pre-requisites
Create listener / web publishing rule
Configure HTTP to HTTPS redirection
Configure redirection (from a "/" path to "/exchange" path)

Pre-requisites
a) Authentication option on CAS
Make sure that the CAS server does not have the Forms Based Authentication option selected on the OWA virtual directories. FBA on the CAS is not supported when ISA is also performing FBA: ISA cannot delegate the credentials it collects to a forms-based logon page, so users would be prompted twice. The CAS server can use Basic or Integrated Windows Authentication, as shown below, depending on requirements. This scenario uses Basic Authentication.

b) SSL Certificate
An appropriate SSL certificate is already installed on the CAS server, and the same certificate (with its private key, since the listener will use it) is imported into the computer certificate store on the ISA server. Exchange 2007 is installed by default with a self-signed SSL certificate. If this certificate is used, it also needs to be added to the Trusted Root Certification Authorities store on the ISA server and on the client workstations from which users will access OWA; otherwise ISA will not trust the CAS when it bridges the SSL connection, and browsers will show certificate warnings.

c) ISA hot-fix
Even though the hot-fix in the link below is not specifically for this configuration, I recommend installing it anyway, as there may be a need for redirection using link path translation. http://support.microsoft.com/kb/925403/
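The prerequisite checks above, as an added PowerShell example (not code from the original article): the first part runs in the Exchange Management Shell on the CAS and reports or changes the OWA virtual directory authentication and shows the IIS certificate; the second part runs on the ISA server and confirms that the certificate is in the computer store with its private key and, for the self-signed case, in the trusted root store. The function names are my own; the cmdlets are the Exchange 2007 management cmdlets, and the thumbprint is whatever Get-ExchangeCertificate reports in your environment.

```powershell
# Added example, not part of the original article. Part 1 runs in the Exchange
# Management Shell on the CAS; Part 2 runs in PowerShell on the ISA server.
# Function names are my own; the cmdlets are the Exchange 2007 management cmdlets.

# ---- Part 1: CAS (Exchange Management Shell) ----

# Report the authentication settings of every OWA virtual directory on this CAS.
# When ISA performs FBA, FormsAuthentication must be False and (for Basic delegation)
# BasicAuthentication must be True on the owa directory and on the legacy
# Exchange/Exchweb/Public directories used for Exchange 2003 mailboxes.
function Get-CasOwaAuthState {
    Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
        Select-Object Name, OwaVersion, FormsAuthentication, BasicAuthentication, WindowsAuthentication
}

# Return the names of directories that still have FBA on or Basic off.
function Get-CasOwaAuthProblems {
    Get-CasOwaAuthState | Where-Object { $_.FormsAuthentication -or -not $_.BasicAuthentication } |
        ForEach-Object { $_.Name }
}

# Switch one virtual directory from FBA to Basic, e.g. "owa (Default Web Site)".
function Set-CasOwaBasicAuth([string]$Identity) {
    Set-OwaVirtualDirectory -Identity $Identity -FormsAuthentication $false -BasicAuthentication $true
}
# After changing every affected directory, restart IIS once so the change takes effect:
#   iisreset /noforce

# Show the certificate bound to IIS (the one ISA must hold) so its thumbprint can be
# compared on the ISA server. IsSelfSigned tells you whether the trusted-root step applies.
function Get-CasIisCertificate {
    Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } |
        Select-Object Thumbprint, Subject, CertificateDomains, IsSelfSigned, NotAfter
}

# ---- Part 2: ISA server ----

# Verify the CAS certificate is in the ISA computer store with its private key (the
# listener cannot use it otherwise) and, when self-signed, also in Trusted Root CAs
# (otherwise ISA will not trust the CAS when bridging the SSL connection).
function Test-IsaCertificatePrereq([string]$Thumbprint, [bool]$SelfSigned) {
    $my   = Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $ok = $true
    if (-not $my) {
        Write-Warning "Certificate $Thumbprint is not in LocalMachine\My"; $ok = $false
    } elseif (-not $my.HasPrivateKey) {
        Write-Warning "Certificate is present but has no private key; export it from the CAS with the key (PFX)"; $ok = $false
    }
    if ($SelfSigned -and -not $root) {
        Write-Warning "Self-signed certificate must also be imported into LocalMachine\Root"; $ok = $false
    }
    return $ok
}

# Usage on ISA, with the thumbprint reported by Get-CasIisCertificate on the CAS:
#   Test-IsaCertificatePrereq -Thumbprint "<thumbprint>" -SelfSigned $true
```

Run Get-CasOwaAuthProblems on the CAS first; an empty result means no directory still has FBA on. Test-IsaCertificatePrereq returns $true only when every store check passes, so it can be used as a gate before starting the wizard.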

Configure listener / Web client access publishing rule
In the ISA Administration Console, highlight the Firewall Policy node, right-click and select New / Exchange Web Client Access Publishing Rule to start the wizard, as shown below.

Type in a name for the rule, for example OWA.

Select Exchange Server 2007 and Outlook Web Access. Note that when Exchange 2007 is selected, only one web client mail service can be selected per rule; each client service requires a separate rule.

Select the option to publish a single web site.

Select the "Use SSL ..." option so that the connection from ISA to the CAS is also encrypted. This is required here because Basic delegation (selected later in the wizard) sends the user's password to the CAS on that leg.

Type the internal site name for the Exchange 2007 Client Access Server (CAS). In this example the CAS is referenced as "webmail.domain1.local" even though its FQDN is "domain1w2k3.domain1.local". This is done with a hosts file entry on the ISA server that maps webmail.domain1.local to the CAS's IP address. Alternatively, check the option "Use a computer name or IP address ..." and enter the CAS's real name or address. This configuration is useful for publishing the same name on both the internal and external interfaces, so that users on either side of the network use the same name to access OWA. Of course this implies some sort of split DNS infrastructure, so that the same name resolves correctly from the two different networks. Whichever internal name is used, it must match the subject of the certificate on the CAS, or ISA will reject the SSL connection to it.

Type in the publicly accessible name for the OWA site. This is the name users will enter in their browsers, and it must match the certificate that will be selected for the listener.

The next screen prompts you to select a listener. Click New to create a listener at this stage.

Type in an appropriate name for the listener, as shown below.

Select "Require SSL ..." so that the listener only accepts HTTPS connections from clients.

In this example, the listener is configured to listen on both networks for the same OWA site name.

Select an appropriate SSL certificate. It is assumed that the certificate was already imported, with its private key, into the computer store on the ISA server as per the pre-requisites.

Select HTML Form Authentication (this is ISA's Forms Based Authentication).

Check "Enable SSO ..." if desired. This allows single sign-on between OWA and other applications published on the same listener within the same SSO domain.

This completes the listener configuration and you are returned to the web publishing rule wizard.

Select the "Authentication Delegation" method. In this case Basic Authentication is selected, matching what was configured on the CAS in the pre-requisites. With Basic delegation, ISA forwards the username and password collected by the form to the CAS in the Authorization header, which is why SSL to the CAS was selected earlier. Other delegation methods (NTLM, Negotiate, Kerberos constrained delegation) have their own pros and cons; whichever is chosen must be enabled on the CAS.

Note - Some of the documentation and articles on the web suggest leaving the default "All Authenticated Users" user set for a web publishing rule, but that has not worked for me. I use the "Require all users to authenticate" option on the listener, as the warning dialog box suggests below.

When you click Finish, the following dialog box is displayed, warning you to configure the matching authentication method on the CAS server.

This completes creation of the web publishing rule and the listener. Do not forget to click "Apply" to apply the configuration.

Configure HTTP to HTTPS redirection
To redirect http://webmail.domain1.local/exchange to https://webmail.domain1.local/exchange automatically, modify the listener configuration as shown below. Open the properties of the listener just created, select the "Connections" tab and check the following options:
Enable HTTP connections on port: 80
Redirect all traffic from HTTP to HTTPS
With these settings the listener accepts a plain HTTP connection only to answer it with a redirect; no OWA content or credentials are ever sent over port 80.

Make sure to apply the configuration.

Configure redirection (from a "/" path to "/exchange" path)
To redirect requests for the site root (http://webmail.domain1.local or https://webmail.domain1.local) to https://webmail.domain1.local/exchange automatically, create a new deny web publishing rule as shown below. Open the ISA Administration Console, highlight the Firewall Policy node and follow the configuration as shown below:

Note that the rule is configured as a "Deny" rule. This is because we are denying all requests for any path other than the ones defined in the earlier OWA rule, and redirecting those requests to the exchange virtual directory instead of returning an error page.

Use the same listener that was created earlier for OWA.

Note that the delegation method needs to be the same as the one selected for the earlier rule.

This completes the rule creation. A few more steps are required for the redirection, as shown below. Open the properties of the rule just created (in this case "Redirect") and select the "Action" tab. Select "Redirect HTTP ..." and type in the appropriate URL. Note that /exchange is used instead of /owa. This is done to allow access for users whose mailbox is on an Exchange 2003 mailbox server: if the owa virtual directory is used, users cannot be redirected to an Exchange 2003 mailbox server. Only the exchange virtual directory automatically redirects to the appropriate mailbox server based on where the mailbox resides (Exchange 2003 or Exchange 2007).

Select the "Application Settings" tab, check the option "Use Customized HTML ..." and type in "Exchange" (without quotes), as shown below. This makes the deny rule present the same Exchange-styled logon form as the OWA rule, since both rules share the listener.

Also make sure that the redirect rule is placed above the OWA rule created earlier. This is required for successful redirection.
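An end-to-end check of the two redirections and of the FBA gate, as an added PowerShell example run from a client workstation (not code from the original article). The host name is the article's example; the function names and the "owa-publish-check" user agent are my own. Automatic redirect following is disabled so that each hop's status and Location header from ISA is inspected individually. The client must trust the listener certificate (for the self-signed CAS certificate, install it in Trusted Root Certification Authorities); do not work around a trust failure by disabling certificate validation, as that would hide the very misconfiguration the check is meant to find.

```powershell
# Added example, not part of the original article. Run from a client that can reach the
# published name; function names and the user agent are my own.

# Send one request without following redirects and return status plus Location.
function Get-RedirectResponse([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.UserAgent = "owa-publish-check"
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx (e.g. a CAS 401 or an ISA deny page) arrives as an exception; keep the response.
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $result = New-Object PSObject -Property @{
        Url      = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers["Location"]
    }
    $resp.Close()
    return $result
}

# Follow redirects by hand, up to $MaxHops, and return every hop.
function Get-RedirectChain([string]$Url, [int]$MaxHops = 5) {
    $chain = @()
    $next = $Url
    for ($i = 0; $i -lt $MaxHops -and $next; $i++) {
        $hop = Get-RedirectResponse $next
        $chain += $hop
        $next = $null
        if ($hop.Status -ge 300 -and $hop.Status -lt 400 -and $hop.Location) {
            # Location may be relative; resolve it against the URL just requested.
            $base = New-Object System.Uri($hop.Url)
            $next = (New-Object System.Uri($base, $hop.Location)).AbsoluteUri
        }
    }
    return $chain
}

# Returns a list of failures; an empty list means every check passed.
function Test-OwaPublishing([string]$PublicName) {
    $failures = @()
    foreach ($start in "http://$PublicName/", "http://$PublicName/exchange",
                       "https://$PublicName/", "https://$PublicName/exchange") {
        $chain = Get-RedirectChain $start
        foreach ($hop in $chain) {
            # 1) The HTTP listener must only ever answer with a redirect to HTTPS.
            if ($hop.Url -like "http://*" -and -not ($hop.Status -eq 302 -and $hop.Location -like "https://*")) {
                $failures += "$($hop.Url): expected 302 to https://, got $($hop.Status) $($hop.Location)"
            }
            # 2) An unauthenticated client must never reach the CAS: a 401 means ISA forwarded
            #    the request and the CAS issued its own Basic challenge.
            if ($hop.Status -eq 401) {
                $failures += "$($hop.Url): 401 from the back end; ISA is not performing FBA for this path"
            }
        }
        # 3) Every chain should end on ISA's own logon form (CookieAuth.dll) over HTTPS.
        $last = $chain[-1]
        if (-not ($last.Url -like "https://*" -and $last.Url -match "CookieAuth\.dll" -and $last.Status -eq 200)) {
            $failures += "$start did not end at the ISA logon form (ended at $($last.Url) with $($last.Status))"
        }
    }
    # 4) The "/" to "/exchange" hop is visible here only if ISA evaluates the redirect rule
    #    before challenging for credentials. With "Require all users to authenticate" on the
    #    listener it happens after logon, so confirm it in the browser in that case.
    $rootHop = Get-RedirectChain "https://$PublicName/" | Where-Object { $_.Location -like "*/exchange*" }
    if (-not $rootHop) { Write-Host "Note: / -> /exchange redirect not observed before logon; verify after signing in." }
    return $failures
}

# Usage: an empty result means all checks passed.
Test-OwaPublishing "webmail.domain1.local"
```

Run it once from an external client and once from the internal network if the listener is bound to both, since split DNS means the two paths can differ. A 500 on the HTTPS hops usually points back to pre-requisite b): ISA does not trust the certificate presented by the CAS.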

Make sure you apply the configuration. This completes the configuration for ISA. Hopefully OWA now works like a charm; if it does not, check the pre-requisites again to make sure the appropriate options are used. Happy OWAing !!