Exchange Server 2007, OWA and ISA Server 2006 – Part 1

Yes, I'm back after another long absence. I thought I'd start up my blogging again by talking about my experiences with publishing Exchange Server 2007 OWA in a DMZ with ISA Server 2006. This has been documented to some extent on TechNet and a few other places, but for my client's scenario I found a few gaps in the recommendations.

First, a brief outline of this client's environment; this is an upgrade from Exchange Server 2003 to Exchange Server 2007, with the primary goal pertinent to this blog post being improving their security posture and reducing the number of mailbox servers in the environment. They presently offer OWA service to their end users through Exchange Server 2003 front-end servers situated in their DMZ, a situation that is being addressed in the new design by implementing an ISA Server 2006 Enterprise array in the DMZ to publish the Exchange Server 2007 Client Access servers situated in the internal network. Traffic will be load-balanced across the CAS servers using ISA Server 2006 rather than Windows NLB or a hardware-based solution. As there are existing firewalls in place, however, ISA Server 2006 will be deployed between the existing firewalls and act just as a reverse proxy by publishing OWA as well as pre-authenticating users.

Publishing Exchange Server 2007 with ISA Server 2006 has been documented on TechNet here, but these procedures assume that the ISA Server 2006 server is acting as your internal firewall as well as publishing OWA, and that the ISA server is a member of your internal domain. Also, this TechNet article doesn't go into details on how to deploy a multiple-server ISA Server 2006 Enterprise array for this purpose, which I'm assuming most Exchange administrators won't know how to do. Overall, these procedures are well documented, so I'm not going to reinvent the wheel; I'll just document the areas where I needed to modify or add to the procedures to get it to work for my scenario.

Installing a Certificate for Authentication over SSL

First, before starting I had to install two SSL certificates on the ISA server. The first certificate was for OWA in the name exchange.companyname.tld and was installed in the Personal certificate store for the local computer (NOT under the user account); the TechNet article describes how to install this certificate on the IIS server. As my 2-server ISA Server 2006 array is configured as a workgroup rather than a member of AD, I needed a second certificate to use for the ISA Configuration Storage authentication. All members of an ISA Server 2006 Enterprise array use the same configuration database, which in my case is installed on the first ISA server in the array. Other members of the array then obtain their configuration from this source, ensuring consistency across the array members. In the case of AD-joined ISA servers, they authenticate to the Configuration Storage server using Windows authentication, but if your ISA servers are members of a workgroup they have to authenticate using a username/password you define over an SSL-encrypted channel. The certificate used for this needs to be issued to the FQDN of the ISA Configuration Storage server; typically, the certificate used for OWA is in a different name.

The SSL certificate for the Configuration Storage authentication needs to be installed using the ISACertTool, which you can download from Microsoft here. Once installed, the syntax is:

Install_path\ISACertTool.exe /st ISA_Server_SSL_cert.pfx /pswd password /keepcerts

where ISA_Server_SSL_cert.pfx is the SSL certificate issued to the FQDN of the ISA Server 2006 computer, and password is the password protecting the ISA_Server_SSL_cert.pfx file.

NOTE: You need to run this command from the "\Program Files\Microsoft ISA Server" directory, otherwise you'll get an error stating that msfpc.dll could not be found.
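As an added example (not part of the original post), the following PowerShell script checks, after the OWA certificate has been imported and ISACertTool has been run, that both certificates are where ISA expects them: in the Local Computer Personal store, with their private keys, and not expired, and it flags the common mistake of importing a .pfx under the user account instead. The OWA name is a placeholder, the Configuration Storage FQDN is assumed to be this machine's DNS name (the first array member), and it is assumed that ISACertTool with /keepcerts leaves the Configuration Storage certificate in the Local Computer Personal store.

```powershell
# Added example, not from the original post. Placeholders: $OwaName; $CssFqdn is
# assumed to be this machine's FQDN because the Configuration Storage server is the
# first array member. Requires PowerShell 2.0 or later.
$OwaName = 'exchange.companyname.tld'
$CssFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Returns certificates in the Personal (My) folder of the given store location
# ('LocalMachine' or 'CurrentUser') whose subject CN equals $ExpectedName.
function Get-CertByCN {
    param([string]$StoreLocation, [string]$ExpectedName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open('ReadOnly')
    $found = @($store.Certificates | Where-Object {
        $_.Subject -match ('(^|, )CN=' + [regex]::Escape($ExpectedName) + '(,|$)') })
    $store.Close()
    return $found
}

# Reports whether a usable certificate for $Name sits in LocalMachine\My (the store
# ISA reads), and warns when it was imported under the user account instead.
function Test-IsaCert {
    param([string]$Name, [string]$Purpose)
    $machine = Get-CertByCN 'LocalMachine' $Name
    $user    = Get-CertByCN 'CurrentUser'  $Name
    if ($machine.Count -eq 0) {
        if ($user.Count -gt 0) {
            Write-Warning "$Purpose cert for $Name is only in CurrentUser\My; re-import it into the Local Computer Personal store."
        } else {
            Write-Warning "$Purpose cert for $Name not found in LocalMachine\My."
        }
        return $false
    }
    $ok = $true
    foreach ($c in $machine) {
        if (-not $c.HasPrivateKey) {
            Write-Warning "$Name ($($c.Thumbprint)) has no private key; ISA cannot use it."; $ok = $false
        }
        if ($c.NotAfter -lt (Get-Date)) {
            Write-Warning "$Name ($($c.Thumbprint)) expired on $($c.NotAfter)."; $ok = $false
        }
    }
    if ($ok) { Write-Host "$Purpose cert for $Name OK in LocalMachine\My." }
    return $ok
}

$owaOk = Test-IsaCert $OwaName 'OWA listener'
$cssOk = Test-IsaCert $CssFqdn 'Configuration Storage (ISACertTool)'
```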

Configuring Authentication over SSL

Once the certificates are installed, install ISA Server 2006 and create your array. Once your array is created, you'll need to configure authentication over SSL for the Configuration Storage server as follows:

  1. Start the ISA Server Management GUI from Start - All Programs - Microsoft ISA Server.
  2. In the left-hand pane of the Microsoft Internet Security and Acceleration Server 2006 GUI, expand Arrays then right-click the server_name entry and select Properties from the context menu.
  3. In the server_name Properties dialogue, select the Configuration Storage tab.
  4. On the Configuration Storage tab, click Select… to open the Select Authentication Type dialogue. Select Authentication over SSL encrypted channel, then click OK to return to the server_name Properties dialogue.
  5. Click OK to close the server_name Properties dialogue.
  6. Back in the Microsoft Internet Security and Acceleration Server 2006 GUI, click Apply in the right-hand pane, and then click OK in the dialogue advising that your changes have been saved.

Configuring Server Farm Connectivity Verification

The next issue I ran into was in defining a server farm in ISA consisting of my Client Access servers. Defining a server farm and adding your CAS servers to it allows you to load balance using ISA; traffic is distributed evenly across the server farm members. To ensure no traffic is directed to a CAS server that is down, I defined Connectivity monitoring for the server farm. The TechNet article simply states to select Send an HTTP/HTTPS GET request in the wizard while creating the server farm, but I found that this didn't work for me. This was because by default, this configures the GET request to use HTTP, while my CAS servers were configured to accept only SSL (HTTPS). I had to configure the connectivity verification as follows:

  1. Access the Properties dialogue for the server farm.
  2. Select the Connectivity Verification tab and click Configure…
  3. Change the verification URL from http://*/ to https://*/.
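As an added example (not part of the original post), this PowerShell script sends the same kind of GET probe the farm connectivity verifier does, with the * replaced by each farm member's name, over both HTTP and HTTPS, so you can see before touching ISA that only https://*/ gets a healthy answer from CAS servers that require SSL. The server names are placeholders for your own Client Access servers.

```powershell
# Added example, not from the original post. The CAS names are placeholders.
# Requires PowerShell 2.0 or later (try/catch).
$CasServers = @('cas01.internal.companyname.tld', 'cas02.internal.companyname.tld')

# Sends one GET to $Url and returns the HTTP status, or the failure reason when no
# HTTP response came back at all (connection refused, timeout, untrusted cert).
function Probe-Url {
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method  = 'GET'
        $req.Timeout = 5000
        $req.AllowAutoRedirect = $false   # a 302 to /owa still means the server is up
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return "HTTP $code"
    } catch [System.Net.WebException] {
        $e = $_.Exception
        if ($e.Response -ne $null) {
            $code = [int]$e.Response.StatusCode
            $e.Response.Close()
            return "HTTP $code"           # e.g. 403 when IIS has 'Require SSL' set
        }
        # ConnectFailure: nothing listening on that port. TrustFailure: this host
        # does not trust the CAS certificate chain, which the verifier also needs.
        return "failed: $($e.Status)"
    }
}

foreach ($cas in $CasServers) {
    $http  = Probe-Url "http://$cas/"
    $https = Probe-Url "https://$cas/"
    "{0,-35} http://*/ -> {1,-22} https://*/ -> {2}" -f $cas, $http, $https
}
```

A farm member only counts as healthy when the probe for the configured URL returns a success status, so with SSL-only CAS servers the http://*/ column is what drains the farm.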

Finally, when adding other servers to the ISA array and selecting to join an existing array, I was prompted to select Configuration Storage options because my ISA servers are in a workgroup. In a workgroup deployment, you need to select the Authentication over SSL encrypted channel option; Windows authentication can only be used for a domain-joined ISA array.

A final caveat regarding the ISA Configuration Storage: in an AD-joined ISA array, you can replicate the Configuration Storage across multiple array members, but this is not possible in a workgroup deployment.

So, these are some of the "gotchas" I found when deploying an ISA Server 2006 Enterprise array in a DMZ for publishing OWA. Another issue I encountered was how to configure my ISA web listener to authenticate the users to Active Directory using LDAPS, since my ISA servers were in a workgroup rather than joined to the forest, but that's going to be the topic of my next blog post.

Andy


Posted Sat, Feb 7 2009 3:48 PM by aschan
