ISA Server 2004: Supporting Both Basic and Forms-based Authentication with a Single External IP Address and Web Listener (v1.1)

Published on 11 March 2004 / Last Updated on 20 May 2013

One problem with the OWA forms-based authentication mechanism as implemented in ISA Server 2004 is that forms-based authentication and other forms of authentication are mutually exclusive on the same listener. This means that if you enable forms-based authentication on a Web listener accepting incoming Web connections, no other authentication method can be used on that listener. This is a problem for users who have only a single IP address bound to the external interface of the ISA Server 2004 firewall and need to publish both the OWA site and the Exchange Mobile Access sites (OMA, ActiveSync and Exchange RPC/HTTP). This article provides a powerful workaround.

By Thomas W Shinder, MD, MVP
and Kai Wilke, MVP

ISA Server 2004 firewalls use the listener concept to represent a socket that is ready to accept an incoming connection for either a Web or Server Publishing Rule. A socket is a combination of an IP address and a port number. For example, if you had a single IP address bound to the external interface of the ISA Server 2004 firewall, and you created a Web listener that accepted incoming connections for non-encrypted Web requests, the socket listening for the connection would be the combination of that IP address and TCP port 80.

WARNING:
This solution has not been tested in enterprise environments and has not undergone thorough regression testing. We have deployed this in small office environments with the understanding that it is a proof of concept exercise. This is not an officially supported configuration and use it at your own risk.

Web listeners can also be configured to support a variety of authentication methods. Web Publishing Rule listeners differ from Server Publishing Rule listeners because the Web Publishing Rule listeners are able to authenticate users at the firewall computer before the connection is forwarded to the published Web server.

One important advance in ISA Server 2004 is its Forms-based authentication mechanism. Forms-based authentication is used in Outlook Web Access (OWA) Web Publishing Rules to present a form to the user in which user credentials are entered. In addition, OWA forms-based authentication allows you to prevent reuse of credentials on the client machine and block the reading of attachments from OWA clients.

The ISA Server 2004 forms-based authentication page looks like the form generated by the Exchange 2003 OWA Web site. However, the form is generated by the firewall instead of the OWA Web site. This confers a significant security advantage because unauthenticated connections are never forwarded to the OWA Web server. The ISA Server 2004 firewall only forwards authenticated connections to the OWA Web site. These authenticated connections represent a much lower security risk than unauthenticated connections.

Another advantage of the ISA Server 2004 forms-based authentication mechanism is that it extends the advantages of the Exchange 2003 forms-based authentication to all Exchange OWA sites. All versions of Microsoft Exchange, including Exchange 5.5, Exchange 2000 and Exchange 2003 can benefit from the additional security provided by the ISA Server 2004 forms-based authentication method.

However, one problem with the OWA forms-based authentication mechanism as implemented in ISA Server 2004 is that forms-based authentication and other forms of authentication are mutually exclusive on the same listener. This means that if you enable forms-based authentication on a Web listener accepting incoming Web connections, no other authentication method can be used on that listener. This is a problem for users who have only a single IP address bound to the external interface of the ISA Server 2004 firewall and need to publish both the OWA site and the Exchange Mobile Access sites (OMA, ActiveSync and Exchange RPC/HTTP).

The figure below shows the basic problem. The "ear" on the top of the graphic shows a listener that is listening on socket 192.168.1.70 TCP 443 and is configured to use forms-based authentication. The "ear" on the bottom of the graphic represents a listener configured to listen on the same socket, 192.168.1.70 TCP 443, but this time using Basic authentication. This configuration cannot work, because you can only configure a single listener per socket, and you cannot configure the same listener to use both forms-based and Basic authentication.

One solution to this problem is to bind a second IP address to the external interface of the ISA Server 2004 firewall machine. The second IP address provides a second socket that you can make available to a second Web listener. In the figure below, the "ear" on top is listening on socket 192.168.1.70 TCP 443 and is using forms-based authentication for incoming requests. The listener represented by the "ear" on the bottom of the figure is listening on socket 192.168.1.71 TCP 443 and is configured to use Basic authentication. You can use the first listener for publishing the OWA Web site on the Internal network, and you can use the second listener to publish other Web sites, such as the Exchange Mobile sites, or other non-Exchange Server related sites.

Note that you can still obtain a high level of security for authentication even when you use only Basic authentication on the Web listener. The ISA Server 2004 firewall allows you to configure the listener to forward the user credentials to the Web site in the same way the forms-based authentication mechanism does, which prevents unauthenticated users from connecting to the Web site. Nor do you need to worry about the Basic authentication credentials travelling in the clear and being captured: the SSL connection encrypts the credentials when the client sends them to the firewall. This protection holds only as long as the listener accepts SSL connections alone, which is why the procedures below disable HTTP on the External listener.

However, the above example does not solve the problem of using both forms-based authentication and basic authentication when you only have a single IP address bound to the external interface of the firewall. In fact, there is no solution to this problem. However, there is a very clever workaround that Kai Wilke came up with!

Kai Wilke’s solution accepts the fact that you can’t use both forms-based authentication and Basic authentication on the same listener. There’s no way around that, but what Kai realized is that he could "chain" listeners, much in the same way you do with back-to-back firewall configurations when you’re publishing OWA sites behind the back-end ISA Server 2004 firewall. What Kai discovered is that you can create a second listener on the ISA Server 2004 firewall that listens on the Local Host network, and configure that localhost listener to use forms-based authentication!

The figure below shows how it works. Let’s walk through the steps:

  1. The external host sends a request to https://owa.msfirewall.org/exchange. The name owa.msfirewall.org resolves to the IP address on the external interface of the ISA Server 2004 firewall that the Web listener is configured to use. In this example, the External listener is listening on socket 192.168.1.70 TCP 443. This listener does not require users to authenticate for this request and does not prompt them for credentials. This listener accepts the incoming request.
  2. A Web Publishing Rule that uses the External listener is configured to forward incoming requests for owa.msfirewall.org to localhost. The connection is forwarded to the listener on the Local Host network, which is configured to use forms-based authentication. Because that listener uses forms-based authentication, it generates a logon form and sends it back to the user.
  3. The user fills in the user name and password in the form and submits it to the ISA Server 2004 firewall. The firewall accepts the credentials on the External listener, and the Web Publishing Rule using the External listener forwards them to the localhost listener. Because the localhost listener uses forms-based authentication, it forwards the user credentials to the OWA Web site. When the user is authenticated, the connection request is forwarded to the OWA Web site on the Internal network.
  4. Users who need to access Web sites other than the OWA Web site also connect to the External listener. For example, suppose the user wants to connect to https://owa.msfirewall.org/oma. In this case the External listener is configured with Basic authentication.
  5. The connection for https://owa.msfirewall.org/oma is forwarded to the Exchange Server by a Web Publishing Rule that forwards the connection to the OMA Web site on the Exchange Server on the Internal network. This Web Publishing Rule can also be configured to delegate authentication, so that the connection request is authenticated before it is forwarded to the OMA site. Note that in this example the Web Publishing Rule used for the OMA site does not forward the request to the listener on the Local Host network, because OMA clients cannot use the forms-based authentication method.

The genius in Kai Wilke’s approach is that he realized the localhost network is considered as just another network by the ISA Server 2004 firewall. Because of that, he was able to create a logical back to back firewall configuration using the External listener as the logical front-end firewall and the localhost listener as the back-end firewall. Great!
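The chain described above, as an added example that is not part of the original article and is not ISA Server code: a small Python model of ISA Server 2004’s first-match evaluation of Web Publishing Rules for the three rules this article builds (the External443 and Localhost443 listeners, the two OWA FBA rules and the Exchange Mobile Services rule). The path lists are assumed to be the ones the Mail Server Publishing Wizard adds, and the Host header is modelled as passing through the localhost hop unchanged. It also traces two misconfigurations so you can see what breaks when the /cookieauth.dll path is missing from the external rule, or when the localhost rule accepts only the name localhost.

```python
"""Trace a request through the chained-listener rule base.

Added example: models ISA Server 2004 first-match rule evaluation for the
three rules in the article. Assumptions: the OWA/OMA/ActiveSync path lists
are the wizard defaults, and the Host header is unchanged across the hop.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    name: str
    listener: str                   # listener the rule is attached to
    public_names: Tuple[str, ...]   # empty tuple means "Any domain name"
    paths: Tuple[str, ...]          # ISA-style path patterns
    to_server: str                  # name on the rule's "To" tab
    to_listener: Optional[str]      # set when "To" is another listener on the firewall


# Authentication method configured on each listener (from the article).
LISTENERS = {"External443": "Basic", "Localhost443": "OWA Forms-based"}

# Rule order matters: ISA applies the first rule whose listener, public
# name and path all match the request.
RULES = [
    Rule("OWA FBA (External to Localhost)", "External443", ("owa.msfirewall.org",),
         ("/exchange/*", "/exchweb/*", "/public/*", "/cookieauth.dll"),
         "localhost", "Localhost443"),
    Rule("OWA FBA (Localhost to Exchange)", "Localhost443", (),
         ("/*",), "owa.msfirewall.org", None),
    Rule("Exchange Mobile Services", "External443", ("owa.msfirewall.org",),
         ("/oma/*", "/Microsoft-Server-ActiveSync/*"), "owa.msfirewall.org", None),
]

Hop = Tuple[str, Optional[str], str]   # (listener, rule name or None, next target)


def first_match(rules: List[Rule], listener: str, host: str, path: str) -> Optional[Rule]:
    """Return the first rule matching listener, public name and path (case-insensitive)."""
    for rule in rules:
        if rule.listener != listener:
            continue
        if rule.public_names and host.lower() not in (n.lower() for n in rule.public_names):
            continue
        if any(fnmatchcase(path, pattern.lower()) for pattern in rule.paths):
            return rule
    return None


def route(host: str, path: str, listener: str = "External443",
          rules: List[Rule] = RULES, max_hops: int = 4) -> List[Hop]:
    """Follow a request from the external listener until it reaches a server or is denied."""
    path = path.split("?", 1)[0].lower()   # ISA matches the path, not the query string
    hops: List[Hop] = []
    for _ in range(max_hops):
        rule = first_match(rules, listener, host, path)
        if rule is None:
            hops.append((listener, None, "denied"))
            return hops
        hops.append((listener, rule.name, rule.to_server))
        if rule.to_listener is None:
            return hops
        listener = rule.to_listener   # the request re-enters the firewall on the next listener
    hops.append((listener, None, "too many hops"))
    return hops


def auth_chain(hops: List[Hop]) -> List[str]:
    """Authentication methods the request meets, listener by listener."""
    return [LISTENERS[listener] for listener, rule, _ in hops if rule is not None]


# Two misconfigurations worth seeing before touching the real firewall.
WITHOUT_COOKIEAUTH = [RULES[0]._replace(paths=("/exchange/*", "/exchweb/*", "/public/*"))] + RULES[1:]
LOCALHOST_NAME_ONLY = [RULES[0], RULES[1]._replace(public_names=("localhost",)), RULES[2]]

if __name__ == "__main__":
    for host, path, rules in [
        ("owa.msfirewall.org", "/exchange/Inbox", RULES),
        ("owa.msfirewall.org", "/oma/", RULES),
        ("owa.msfirewall.org", "/CookieAuth.dll?Logon", RULES),
        ("owa.msfirewall.org", "/CookieAuth.dll?Logon", WITHOUT_COOKIEAUTH),
        ("owa.msfirewall.org", "/exchange/", LOCALHOST_NAME_ONLY),
    ]:
        hops = route(host, path, rules=rules)
        print(f"{host}{path}: {hops}  auth={auth_chain(hops)}")
```

Running it shows an OWA request meeting Basic on External443 and then the form on Localhost443, an OMA request meeting Basic only, and the two broken variants ending in "denied": the form submission has nowhere to go without the /cookieauth.dll path, and the second hop fails when the localhost rule insists on a single public name.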

As always, the devil’s in the details. So now we’ll go over the details required to make this work. The procedures required include:

  • Exporting the Web site certificate from the OWA Web site and importing that certificate into the ISA Server 2004 firewall’s machine certificate store. This certificate will be used by the External listener.
  • Requesting a Web site certificate that has the name localhost and installing this certificate into the machine certificate store on the ISA Server 2004 firewall computer. This certificate is used by the localhost listener.
  • Creating the Web Publishing Rule that uses the External listener to accept the incoming requests for the OWA site and forward those requests to the localhost listener.
  • Creating the Web Publishing Rule that uses the localhost listener to accept the incoming requests from the External listener and forward those requests to the OWA site on the Internal network.
  • Creating the Web Publishing Rule that uses only the External listener and forwards requests to other Web sites (such as the Exchange Mobile Web sites).

Exporting the Web Site Certificate from the OWA Web Site

In order to ensure secure communications from end to end, you need to install a Web site certificate on the OWA Web site on the Internal network. There are several ways you can get the certificate: the Web enrollment site, the Certificates MMC, or an offline request. After the Web site has a certificate, you can then export the certificate, along with its private key, to a file.

After the certificate and its private key are exported to a file, you can then import that certificate into the ISA Server 2004 firewall machine’s Personal certificate store. In addition, the CA certificate of the CA that issued the certificate must be installed in the Trusted Root Certification Authorities certificate store on the ISA Server 2004 firewall machine.

The details of how to request a Web site certificate for the OWA Web site, how to export it to a file, and how to import that file into the firewall’s machine’s certificate store have been discussed in detail in the ISA Server 2000 Exchange 2000/2003 Deployment Kit. Please check out the kit over at http://isaserver.org/news/exchangekit.html.

Requesting a Web Site Certificate for the Localhost Listener

The next step is to obtain a certificate for the localhost listener. The easiest way to do this is to use the enterprise CA’s Web enrollment site to obtain the certificate. In the example network used in this article, the domain controller on the internal network is an enterprise CA and the Web enrollment site is enabled. This certificate will be installed into the firewall’s machine certificate store. We will not need to install the CA certificate into the Trusted Root Certification Authorities store because that should have been done when the Web site certificate was installed on the ISA Server 2004 firewall machine.

Perform the following steps to obtain the Web site certificate for the localhost listener:

  1. We first need to create an Access Rule that allows the firewall to connect to the CA Web enrollment site. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node. In the Task Pane, click the Tasks tab and then click Create New Access Rule.
  2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we will name the rule Firewall to CA. Click Next.
  3. On the Rule Action page, select the Allow option and click Next.
  4. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
  5. In the Add Protocols dialog box, click the Common Protocols folder and double click the HTTP protocol and then click Close.
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click Add. In the Add Network Entities dialog box, click the Networks folder and then double click on the Local Host network. Click Close.
  8. Click Next on the Access Rule Sources page.
  9. On the Access Rule Destinations page, click the Add button. Click the New menu and then click Computer.
  10. In the New Computer Rule Element dialog box, enter a name for the computer in the Name text box. In this example we will call it CA. Enter the IP address in the Computer IP Address text box. In this example, the IP address is 10.0.0.2, so we will enter that into the text box. Click OK.
  11. In the Add Network Entities dialog box, click the Computer folder and double click on the CA entry. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, accept the default entry, All Users, and click Next.
  14. Click Finish on the Completing the New Access Rule Wizard page.
  15. Click Apply to save the changes and update the firewall policy.
  16. Click OK in the Apply New Configuration dialog box.

Now we’re ready to request the certificate from the enterprise CA on the Internal network:

  1. Open Internet Explorer and enter the address of the CA into the Address bar. In this example we will enter http://10.0.0.2/certsrv and press ENTER.
  2. Enter a valid user name and password into the authentication dialog box and click OK.
  3. On the Welcome page, click the Request a certificate link.
  4. On the Request a Certificate page, click the advanced certificate request link.
  5. On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
  6. On the Advanced Certificate Request page, select the Web Server certificate from the Certificate Template list. In the Name text box in the Identifying Information for Offline Template section, enter the common name that will be included in the certificate. In this example, we want the name to be localhost. We will enter localhost into the Name text box. Put a checkmark in the Store certificate in the local computer certificate store checkbox. Click the Submit button.
  7. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site is requesting a certificate on your behalf.
  8. On the Certificate Issued page, click the Install this certificate link.
  9. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site is adding one or more certificates to the computer.
  10. Close the browser after you see the Certificate Installed page.

At this point the certificate is available for binding to the localhost listener. Note that its common name must be exactly localhost: the first Web Publishing Rule forwards OWA requests to the name localhost, and the firewall checks that name against the certificate presented by the localhost listener when it bridges the SSL connection. The same applies to the External listener, whose certificate must carry the public name (owa.msfirewall.org in this example) that clients connect to.

Create a Web Publishing Rule that Forwards Incoming OWA Requests to the Localhost Web Listener

The first Web Publishing Rule we’ll create accepts the incoming requests for owa.msfirewall.org on the External listener and forwards them to the localhost listener. The External listener will be configured to use Basic authentication and will use the original OWA Web site certificate, so that to the client it is indistinguishable from the OWA Web site on the Internal network.

Perform the following steps to create the Web Publishing Rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. In the Task Pane, click the Tasks tab and then click the Publish a Mail Server link.
  2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we will name the rule OWA FBA (External to Localhost). Click Next.
  3. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option. Click Next.
  4. On the Select Services page, select the Outlook Web Access option and click Next.
  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.
  6. On the Specify the Web Mail Server page, enter localhost in the Web mail server text box. Click Next.
  7. On the Public Name Details page, enter the name that external users will use to access the site in the Public name text box. In this example, external users will use the name owa.msfirewall.org to connect to the OWA Web site, so we will enter that name into the text box. Click Next.
  8. On the Select Web Listener page, click New to create a new Web listener.
  9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will name the listener External443 (basic) to denote that the listener is listening on the external interface of the ISA Server 2004 firewall and that it’s configured to use Basic authentication. Click Next.
  10. On the IP Addresses page, put a checkmark in the External checkbox. Click Next.
  11. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Click Select. In the Select Certificate dialog box, click the OWA Web site certificate and click OK. Click Next on the Port Specification page.
  12. Click Finish on the Completing the New Web Listener Wizard page.
  13. Click Edit on the Select Web Listener page. In the External443 (basic) dialog box, click the Authentication button. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box. Place a checkmark in the Basic checkbox. Click Yes in the ISA Server Configuration dialog box informing you that you should use SSL. Click OK in the Authentication dialog box.
  14. Click Apply and then click OK in the External443 (basic) dialog box.
  15. Click Next on the Select Web Listener page.
  16. On the User Sets page, accept the default setting, All Users, and click Next.
  17. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
  18. Right click the OWA FBA (External to Localhost) rule in the Details pane of the Microsoft Internet Security and Acceleration Server 2004 management console and click Properties.
  19. In the OWA FBA (External to Localhost) Properties dialog box, click the Paths tab. On the Paths tab, click the Add button. In the Path mapping dialog box, enter the value /cookieauth.dll into the Specify the folder on the Web site that you want to publish. To publish the entire Web site, leave this field blank text box. Select the Same as published folder option. Click OK. This is the path the firewall’s logon form posts its credentials to, so the form submission must be forwarded to the localhost listener along with the OWA paths the wizard added.
  20. Click Apply and then click OK in the OWA FBA (External to Localhost) Properties dialog box.

     

Create a Web Publishing Rule that Forwards Incoming Requests to the Localhost Listener to the OWA Web Site

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. In the Task Pane, click the Tasks tab and then click the Publish a Mail Server link.
  2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we will name the rule OWA FBA (Localhost to Exchange). Click Next.
  3. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option. Click Next.
  4. On the Select Services page, select the Outlook Web Access option and click Next.
  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.
  6. On the Specify the Web Mail Server page, enter owa.msfirewall.org in the Web mail server text box. Click Next.
  7. On the Public Name Details page, select the Any domain name option in the Accept requests for list. Click Next.
  8. On the Select Web Listener page, click New to create a new Web listener.
  9. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example, we will name the listener Localhost443 (FBA) to denote that the listener is listening on the Local Host network of the ISA Server 2004 firewall and that it’s configured to use forms-based authentication. Click Next.
  10. On the IP Addresses page, put a checkmark in the Local Host checkbox. Click Next.
  11. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Place a checkmark in the Enable SSL checkbox. Click Select. In the Select Certificate dialog box, click the localhost certificate and click OK. Click Next on the Port Specification page.
  12. Click Finish on the Completing the New Web Listener Wizard page.
  13. Click Edit on the Select Web Listener page. In the Localhost443 (FBA) dialog box, click the Authentication button. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box. Place a checkmark in the OWA Forms-based checkbox. Click OK in the Authentication dialog box.
  14. Click Apply and then click OK in the Localhost443 (FBA) dialog box.
  15. Click Next on the Select Web Listener page.
  16. On the User Sets page, accept the default setting, All Users, and click Next.
  17. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
  18. Right click the OWA FBA (Localhost to Exchange) rule in the Details pane of the console and click Properties.
  19. In the OWA FBA (Localhost to Exchange) Properties dialog box, click the Paths tab. Hold down the CTRL key on the keyboard and click each of the paths in the path list. Click the Remove button. Click Add. In the Path mapping dialog box, enter the path /* in the Specify the folder on the Web site that you want to publish. To publish the entire Web site, leave this field blank text box. Select the Same as published folder option. Click OK.
  20. Click Apply and then click OK in the OWA FBA (Localhost to Exchange) Properties dialog box.

Create a Web Publishing Rule for Secure, Non-OWA Web Site Connections

The final Web Publishing rule is used to publish secure Web sites that do not support forms-based authentication. In this example, we’ll create a rule that supports Exchange Mobile services:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node. In the Task Pane, click the Tasks tab and then click the Publish a Mail Server link.
  2. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example we’ll name the rule Exchange Mobile Services. Click Next.
  3. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option and click Next.
  4. On the Select Services page, remove the checkmark from the Outlook Web Access checkbox and place checkmarks in the Outlook Mobile Access and Exchange ActiveSync checkboxes. Click Next.
  5. On the Bridging Mode page, select the Secure connection to clients and mail server option and click Next.
  6. On the Specify the Web Mail Server page, enter the name of the internal Web site in the Web mail server text box. In this example, the mobile sites are located on the same server as the OWA site, so we will enter owa.msfirewall.org in the text box. Click Next.
  7. On the Public Name Details page, select the This domain name (type below) option in the Accept requests for list and enter owa.msfirewall.org in the Public name text box. Click Next.
  8. On the Select Web Listener page, select the External443 (basic) option from the Web listener list. Click Next.
  9. On the User Sets page, accept the default value, All Users, and click Next.
  10. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.
  11. Select the OWA FBA (External to Localhost) rule in the Details pane and then click the move up arrow in the Microsoft Internet Security and Acceleration Server 2004 management console button bar to move the rule to the top of the list. Click the OWA FBA (Localhost to Exchange) rule and click the move up arrow until it is second on the list.
  12. Click Apply to save the changes and update the firewall policy.
  13. Click OK in the Apply New Configuration dialog box.

At this point all three Web Publishing Rules will work correctly. You do not need to restart the machine or the ISA Server 2004 services. Connections to the OWA site return a logon form to users, and connections to the OMA site do not generate a form. And because of Kai Wilke’s smart thinking, we can do it with a single IP address!
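A check for the end state just described, added here as an example and not taken from the article or from ISA Server: classify() maps one HTTPS response to the authentication mechanism the firewall presented (the ISA logon form, a Basic challenge, an Integrated challenge left enabled by mistake, or content served with no credential check at all), and check_deployment() compares every published path against what the three rules should produce. The responses in SAMPLE_RESPONSES are constructed to resemble what the chained listeners return (the form markup is illustrative, not ISA’s exact HTML). probe() fetches a path for real and is the only function that touches the network; the host name, the CA file name and the path list are assumptions for this example.

```python
"""Verify which authentication mechanism each published path presents.

Added example, not ISA Server code. Sample responses below are constructed.
"""
import http.client
import re
import ssl
from typing import Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)

# What each published path should present once the three rules are in place.
# Assumption: these are the paths the Mail Server Publishing Wizard adds.
EXPECTED = {
    "/exchange/": "forms",                     # logon form from the localhost listener
    "/oma/": "basic",                          # Basic challenge from External443
    "/Microsoft-Server-ActiveSync/": "basic",
}

_SCHEME = re.compile(r"(?i)\b(Basic|Negotiate|NTLM|Digest)\b")
_PASSWORD_FIELD = re.compile(r"(?is)<form\b.*?<input[^>]*type\s*=\s*[\"']?password.*?</form>")


def classify(status: int, headers: Dict[str, str], body: str) -> str:
    """Name the mechanism a response presents: forms, basic, integrated, unauthenticated, ..."""
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        schemes = {s.lower() for s in _SCHEME.findall(lower.get("www-authenticate", ""))}
        if schemes & {"negotiate", "ntlm"}:
            return "integrated"       # Integrated was left ticked on the listener
        if "basic" in schemes:
            return "basic"
        return "unknown-401"
    if status == 200:
        # A logon form means FBA intercepted the request; plain content means the
        # published site was reached without any credential check at the firewall.
        return "forms" if _PASSWORD_FIELD.search(body) else "unauthenticated"
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    return f"other-{status}"


def check_deployment(observed: Dict[str, Response]) -> Dict[str, Tuple[str, str]]:
    """Return {path: (expected, actual)} for every path that does not behave as intended."""
    problems = {}
    for path, expected in EXPECTED.items():
        actual = classify(*observed[path]) if path in observed else "no-response"
        if actual != expected:
            problems[path] = (expected, actual)
    return problems


def probe(host: str, path: str, cafile: Optional[str] = None, timeout: float = 10.0) -> Response:
    """GET one path over TLS on port 443. Pass your private CA's certificate as cafile
    so the listener's certificate is verified rather than skipped."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "listener-check/1.0"})
        resp = conn.getresponse()
        headers: Dict[str, str] = {}
        for name, value in resp.getheaders():        # fold repeated WWW-Authenticate headers
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
        return resp.status, headers, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


# Constructed responses: what a correct deployment looks like ...
SAMPLE_RESPONSES: Dict[str, Response] = {
    "/exchange/": (200, {"Content-Type": "text/html"},
                   '<html><body><form action="/CookieAuth.dll?Logon" method="post">'
                   '<input name="username"><input type="password" name="password">'
                   '<input type="submit"></form></body></html>'),
    "/oma/": (401, {"WWW-Authenticate": 'Basic realm="owa.msfirewall.org"'}, ""),
    "/Microsoft-Server-ActiveSync/": (401, {"WWW-Authenticate": 'Basic realm="owa.msfirewall.org"'}, ""),
}
# ... and the same deployment with Integrated still ticked on External443.
BROKEN_RESPONSES = dict(SAMPLE_RESPONSES)
BROKEN_RESPONSES["/oma/"] = (401, {"WWW-Authenticate": "Negotiate, NTLM"}, "")

if __name__ == "__main__":
    print("good deployment:", check_deployment(SAMPLE_RESPONSES) or "OK")
    print("Integrated left on:", check_deployment(BROKEN_RESPONSES))
    # Live check against the firewall (needs network and the CA file):
    # live = {p: probe("owa.msfirewall.org", p, cafile="msfirewall-ca.cer") for p in EXPECTED}
    # print(check_deployment(live) or "OK")
```

Run the live variant from outside the firewall after applying the rules: an "unauthenticated" verdict on /exchange/ means OWA content is reaching clients without the form, and an "integrated" verdict means the Integrated checkbox was not cleared on the listener.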

Summary

In this article we discussed the problem of publishing Web sites behind the ISA Server 2004 firewall that do and do not support OWA forms-based authentication when you have only a single IP address bound to the external interface of the ISA Server 2004 firewall. The solution to the problem was to create a second Web listener on the Local Host network and configure that localhost listener to use FBA, while configuring the Web listener on the external interface to use only Basic authentication.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000024 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
