Publishing Outlook Web Access with a Single NIC Caching-Only ISA Server

 

Many organizations already have an existing firewall infrastructure that includes a DMZ where they place bastion host machines. You do not need to remove your existing firewall infrastructure to leverage the high level of layer 7 security provided by an ISA Server machine. You can place a single NIC caching-only ISA Server in the DMZ, between an Internet edge firewall and an internal network firewall and protect inbound OWA connections from end to end using SSL.

 

This configuration works well for organizations that already have a large financial and educational investment in other firewalls but still want to take advantage of the unique layer 7 protection ISA Server 2000 provides for OWA site publishing. The caching-only ISA Server can perform SSL to SSL bridging.

 

This feature allows the caching-only ISA Server in the DMZ to protect the OWA communications from end to end while still allowing the ISA Server to inspect the communications moving through the tunnel. No other firewall in ISA Server’s class can provide this level of protection.

 

To make this work, you need to perform the following steps:

· Configure the Internet edge firewall
· Configure the internal network edge firewall
· Configure the unihomed Web Proxy server
· Install Windows Server 2003 on the Web caching server
· Configure the network interface on the Web caching server
· Install certificates on the Web Proxy server and Exchange Server
· Install the ISA Server software in cache mode
· Configure the Incoming Web Requests listener, including binding the SSL certificate to the listener
· Create the OWA Web Publishing Rule
· Secure the Web caching server with TCP/IP Security
· Install URLScan on the Web caching server
· Run the Security Wizard
· Install the CA Certificate on the client

 

The remainder of this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit article covers the details of these procedures.

 


Configure the Internet Edge Firewall

 

The Internet edge firewall is typically a high performance packet filtering device. The firewall at the Internet edge must be able to move packets in and out of the corporate network as close to wire speed as possible. For this reason, the Internet edge firewall limits its firewall functionality to packet filtering.

 

The procedure for configuring the packet filters on a firewall to allow inbound HTTP and SSL connections to the single NIC, caching-only ISA Server in the DMZ varies with each firewall. For example, you may wish to put an ISA Server firewall on the Internet edge. ISA Server firewalls can perform stateful packet filtering between their external interface and a DMZ interface.

 

Figure A shows the Filter Type tab on such a packet filter. This packet filter allows inbound access to TCP port 80. The source port of the remote host is set to All ports and the destination port is TCP 80. The direction of the connection is inbound. You do not need to create an explicit packet filter to allow outbound access to all ports so that the reply can be sent; the ISA Server firewall will create a dynamic packet filter to allow the response to the requesting host.

 

Figure A

 


Figure B shows the Local Computer tab in the inbound TCP port 80 packet filter. The local computer is the DMZ host computer with the IP address 131.107.0.3.

 

Figure B

 


Figure C shows the ISA Server packet filter configuration allowing inbound access for SSL connections. Like the HTTP packet filter, you do not need to create an explicit outbound packet filter that allows the response to all ports on the external clients; the ISA Server firewall will create a dynamic packet filter to allow the response to the requesting host.

 

Figure C

 


Figure D shows the Local Computer tab for the SSL packet filter. The local computer is the DMZ host with the IP address 131.107.0.3.

 

Figure D

 

You can use any firewall at the Internet edge. The examples above demonstrate how you would configure an ISA Server 2000 computer with stateful packet filters to allow inbound access at the highest velocity.
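As an added example (not part of the Deployment Kit article), the following Python model reproduces the filtering behaviour described in this section: two static inbound filters for TCP 80 and TCP 443 to the DMZ host 131.107.0.3, and a dynamic filter created for each accepted connection that admits only the reply traffic. The client address 203.0.113.10 and the port numbers other than 80 and 443 are constructed sample values.

```python
"""Added example (not from the Deployment Kit article): a simplified model of the
Internet edge firewall's static inbound filters and the dynamic reply filter
that ISA Server 2000 creates for each accepted inbound connection.
The client address 203.0.113.10 and the ephemeral ports are constructed samples."""
from dataclasses import dataclass

DMZ_HOST = "131.107.0.3"   # Local Computer on both packet filters (figures B and D)

# Static filters from the article: inbound TCP, any remote source port,
# destination TCP 80 (HTTP) and TCP 443 (SSL) on the DMZ host.
STATIC_INBOUND = {("tcp", DMZ_HOST, 80), ("tcp", DMZ_HOST, 443)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> DMZ, "out" = DMZ -> Internet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class EdgeFirewall:
    """Stateful packet filter: static inbound rules plus dynamic reply filters."""

    def __init__(self) -> None:
        # Dynamic filters keyed by (proto, remote ip, remote port, local ip, local port).
        # This model never expires entries; a real firewall ages them out.
        self.dynamic: set[tuple] = set()

    def evaluate(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            if (pkt.proto, pkt.dst, pkt.dport) in STATIC_INBOUND:
                # Accepting the connection creates the reply filter, which is why
                # no explicit outbound "all ports" filter is needed.
                self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        # Outbound from the DMZ: only replies belonging to an accepted connection pass.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic:
            return "allow"
        return "deny"


def run_sample() -> list[str]:
    """Evaluate a constructed packet sequence; returns the filter decisions in order."""
    fw = EdgeFirewall()
    client = "203.0.113.10"
    sequence = [
        Packet("in", "tcp", client, 51000, DMZ_HOST, 443),   # OWA SSL request: static filter
        Packet("out", "tcp", DMZ_HOST, 443, client, 51000),  # its reply: dynamic filter
        Packet("in", "tcp", client, 51001, DMZ_HOST, 80),    # HTTP request: static filter
        Packet("in", "tcp", client, 51002, DMZ_HOST, 25),    # SMTP: no matching filter
        Packet("out", "tcp", DMZ_HOST, 40000, client, 80),   # DMZ host initiating: no filter
        Packet("out", "tcp", DMZ_HOST, 443, client, 51999),  # reply to a connection never seen
    ]
    return [fw.evaluate(p) for p in sequence]


if __name__ == "__main__":
    print(run_sample())
```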

 

 

 


Configure the Internal Network Edge Firewall

 

In the event that a host in the DMZ has been compromised, the firewall at the edge of the internal network protects the internal network from attack. The OWA server is located behind the internal network firewall. The single NIC caching-only ISA Server forwards requests from external hosts to the OWA site on the internal network.

 

You never put a front end server or back end Exchange Server on a DMZ segment because the OWA server, even in a front end/back end configuration, must be a member of the user domain. Only machines designed to be bastion hosts should be placed on a DMZ segment.

 

There are two ways requests from the caching-only ISA Server can get to the internal network through the internal network firewall:

· Routing
· Reverse NAT (server publishing)

When the packets are routed, the caching-only ISA Server forwards them to the actual IP address of the OWA site. Alternatively, you can publish the OWA site on the internal network by using some form of reverse NAT. An example of publishing the internal OWA site using reverse NAT is an ISA Server SSL Server Publishing Rule. Figure E shows the Action tab of an ISA Server 2000 SSL Server Publishing Rule.

 

When publishing the OWA site using reverse NAT on the internal firewall, the caching-only ISA Server will forward inbound connection requests to the OWA site to the IP address on the external interface of the internal firewall that is listening for the inbound SSL connection requests.

 


Figure E

 

 


Configure Unihomed Web Proxy Server

 

You’re ready to configure the ISA Server to securely publish your OWA site after the internal and external firewalls are configured to allow the HTTP and SSL traffic from the Internet to the DMZ and to the internal network. You will carry out the following procedures on the Web caching-only ISA Server computer:

· Install Windows Server 2003 on the Web caching server
· Configure the network interface on the Web caching server
· Install certificates on the Web Proxy server and Exchange Server
· Install the ISA Server software in cache mode
· Configure the Incoming Web Requests listener, including binding the SSL certificate to the listener
· Create the OWA Web Publishing Rule
· Secure the Web caching server with TCP/IP Security
· Install URLScan on the Web caching server
· Run the Security Wizard

Let’s go through the details of each of these procedures.

 

 

Install Windows Server 2003 on the Web Caching Server

 

The machine running Windows Server 2003 should meet the following minimum system requirements:

| Requirement | Standard Edition | Enterprise Edition | Datacenter Edition | Web Edition |
|---|---|---|---|---|
| Minimum CPU Speed | 133 MHz | 133 MHz for x86-based computers; 733 MHz for Itanium-based computers* | 400 MHz for x86-based computers; 733 MHz for Itanium-based computers* | 133 MHz |
| Recommended CPU Speed | 550 MHz | 733 MHz | 733 MHz | 550 MHz |
| Minimum RAM | 128 MB | 128 MB | 512 MB | 128 MB |
| Recommended Minimum RAM | 256 MB | 256 MB | 1 GB | 256 MB |
| Maximum RAM | 4 GB | 32 GB for x86-based computers; 512 GB for Itanium-based computers* | 64 GB for x86-based computers; 512 GB for Itanium-based computers* | 2 GB |
| Multiprocessor Support** | Up to 4 | Up to 8 | Minimum 8 required; maximum 64 | Up to 2 |
| Disk Space for Setup | 1.5 GB | 1.5 GB for x86-based computers; 2.0 GB for Itanium-based computers* | 1.5 GB for x86-based computers; 2.0 GB for Itanium-based computers* | 1.5 GB |

 

The ISA Server Web caching component can be very memory intensive. If you plan to use the ISA Server for both forward and reverse caching, you may wish to significantly increase the amount of RAM installed on the machine.

 

Please refer to the ISA Server performance/scalability whitepaper for more information on creating the optimal configuration for your caching-only ISA Server on the DMZ.

 

 

 


Configure the Network Interface on the Web Caching Server

 

The Web caching only ISA Server has a single network interface because it does not perform standard firewall functions. However, that is not to say that the Web caching only ISA Server cannot provide security for your OWA clients and server. For example, when you force SSL between the clients and the ISA Server and the ISA Server to the OWA server, the data is protected from end to end.

 

The network interface card is configured with a valid IP address and subnet mask for the DMZ segment. A DNS server address is not required unless you want to use the Web caching ISA Server to perform forward Web Proxy. If you want the Web caching only ISA Server to perform forward Web caching, you should configure the interface with a DNS server that can resolve Internet DNS host names.

 

If you only want to use the Web caching ISA Server to allow inbound access to the OWA server on the internal network, then you can configure a HOSTS file entry on the caching-only ISA Server that resolves the name of the OWA server to the appropriate address. We’ll cover this procedure later in this article.

 

The default gateway on the Web caching only ISA Server should be set for the address you’re using for your gateway to the Internet. In this article, we assume that the Internet edge firewall has an interface on the Internet and an interface on the DMZ segment. The Web caching only ISA Server uses Internet edge firewall’s DMZ interface address as its default gateway.

 

Note:
In the example we discuss in this document, the internal network edge firewall is using reverse NAT to publish the HTTP and SSL ports for the OWA server on the internal network. If you are routing between the DMZ and the internal network, you will need to create an explicit routing table entry on the Web caching only ISA Server that instructs it how to reach the internal network ID.

 

A common error in configuring the caching-only ISA Server is to install two network interface cards and attempt to configure one card to accept the incoming connection and the second network interface card to forward the incoming OWA requests. This is not required, and it will not work. If you require greater throughput, upgrade the infrastructure to support gigabit Ethernet.
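As an added example (not part of the Deployment Kit article), this Python checklist encodes the TCP/IP rules this section gives for the single-NIC caching-only ISA Server: exactly one interface, an address on the DMZ segment, the Internet edge firewall’s DMZ interface as default gateway, DNS only when forward caching is wanted, a HOSTS entry for the OWA name otherwise, and an explicit route only when the internal firewall routes rather than publishes. The 131.107.0.0/24 DMZ, the gateway and internal-firewall addresses, the 10.0.0.0/24 internal network and owa.example.com are constructed sample values; only the DMZ host 131.107.0.3 comes from the article.

```python
"""Added example (not from the Deployment Kit article): a checklist validator for
the single-NIC caching-only ISA Server's TCP/IP settings, encoding the rules this
section gives.  The 131.107.0.0/24 DMZ and every address and name other than the
DMZ host 131.107.0.3 are constructed sample values."""
import ipaddress


def check_dmz_host_config(cfg: dict) -> list[str]:
    """Return the configuration problems found (an empty list means it follows the rules)."""
    problems: list[str] = []
    nics = cfg["interfaces"]
    # Two NICs (one to accept, one to forward) is the common error; it will not work.
    if len(nics) != 1:
        return [f"expected exactly one network interface, found {len(nics)}"]
    nic = nics[0]
    dmz_net = ipaddress.ip_network(cfg["dmz_network"])
    addr = ipaddress.ip_address(nic["ip"])
    gateway = ipaddress.ip_address(nic["default_gateway"])
    edge_dmz_if = ipaddress.ip_address(cfg["edge_firewall_dmz_interface"])
    if addr not in dmz_net:
        problems.append(f"{addr} is not on the DMZ segment {dmz_net}")
    # The default gateway is the Internet edge firewall's DMZ interface.
    if gateway != edge_dmz_if:
        problems.append(f"default gateway {gateway} is not the edge firewall DMZ interface {edge_dmz_if}")
    # DNS is only needed for forward Web caching.
    if cfg["forward_caching"] and not nic["dns_servers"]:
        problems.append("forward Web caching requires a DNS server that resolves Internet names")
    # Where the OWA name must resolve depends on how the internal firewall is reached:
    # reverse NAT -> the internal firewall's listening (DMZ-side) address; routed -> the real OWA IP.
    mode = cfg["internal_access"]
    expected = cfg["internal_firewall_dmz_interface"] if mode == "reverse_nat" else cfg["owa_server_ip"]
    hosts_target = cfg["hosts_entries"].get(cfg["owa_fqdn"])
    if not cfg["forward_caching"] and hosts_target is None:
        problems.append(f"no DNS configured: add a HOSTS entry for {cfg['owa_fqdn']}")
    if hosts_target is not None and hosts_target != expected:
        problems.append(f"HOSTS entry for {cfg['owa_fqdn']} should resolve to {expected}, not {hosts_target}")
    # Routing between DMZ and internal network needs an explicit route; reverse NAT does not.
    if mode == "routed":
        internal = ipaddress.ip_network(cfg["internal_network"])
        if internal not in {ipaddress.ip_network(r) for r in cfg["static_routes"]}:
            problems.append(f"routed mode requires a static route to {internal}")
    return problems


# Constructed sample configuration (only 131.107.0.3 is taken from the article).
REVERSE_NAT_CONFIG = {
    "dmz_network": "131.107.0.0/24",
    "edge_firewall_dmz_interface": "131.107.0.1",
    "internal_firewall_dmz_interface": "131.107.0.2",
    "internal_network": "10.0.0.0/24",
    "owa_server_ip": "10.0.0.10",
    "owa_fqdn": "owa.example.com",
    "internal_access": "reverse_nat",
    "forward_caching": False,
    "hosts_entries": {"owa.example.com": "131.107.0.2"},
    "static_routes": [],
    "interfaces": [{"ip": "131.107.0.3", "default_gateway": "131.107.0.1", "dns_servers": []}],
}
# Same host, but the internal firewall routes instead of publishing: HOSTS target and route are wrong.
ROUTED_CONFIG_MISSING_ROUTE = dict(REVERSE_NAT_CONFIG, internal_access="routed")
# The common error: a second NIC intended to forward the OWA requests.
TWO_NIC_CONFIG = dict(REVERSE_NAT_CONFIG, interfaces=REVERSE_NAT_CONFIG["interfaces"]
                      + [{"ip": "10.0.0.3", "default_gateway": "", "dns_servers": []}])
```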

 

 

 


Install Certificates on the Outlook Web Access Server and the Web Caching Only ISA Server

 

In order to support an SSL connection between the ISA Server and the OWA Web site, you must install a Web site certificate on the OWA server and bind that certificate to the OWA Web site. You can use the IIS Web Site Certificate Request Wizard to request a certificate from either an online Microsoft enterprise CA or offline certificate server (either enterprise CA or standalone CA). Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Obtain a Web Site Certificate for details on how to request the Web site certificate and bind that certificate to the site.

 

After you bind the Web site certificate to the OWA web site, the next step is to export the Web site certificate. You then copy the exported certificate (with its private key) to the caching-only ISA Server and bind that certificate to ISA’s Incoming Web Requests listener.

 

Perform the following steps to export the Web site certificate from the OWA server:

 

1. Click Start, point to Administrative Tools and click on Internet Information Services. In the Internet Information Services (IIS) Manager console (figure 1), expand the Web Sites node and click on the Default Web Site entry. Right click on Default Web Site and click Properties.

Figure 1

2. Click on the Directory Security tab in the Default Web Site Properties dialog box (figure 2). Click on the View Certificate button.

Figure 2

3. In the Certificate dialog box, click on the Details tab (figure 3). Click on the Copy to File button.

Figure 3

4. Click Next on the Welcome to the Certificate Export Wizard page (figure 4).

Figure 4

5. Select the Yes, export the private key option on the Export Private Key page (figure 5). Click Next.

Figure 5

6. On the Export File Format page, select the Personal Information Exchange – PKCS #12 (.PFX) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Remove the checkmarks from the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) and Delete the private key if the export is successful checkboxes.

The Enable strong protection option requires user intervention before the certificate can be used. The server on which the certificate is installed cannot perform the required actions, so you must not select this option. You do not want to delete the private key from the OWA site, because you want to keep the key there for backup.

Click Next.

Figure 6

7. On the Password page, type a password and then confirm the password. This password protects the private key from being stolen by anyone who might be able to obtain the exported file (figure 7).

Figure 7

8. On the File to Export page (figure 8), type in a path and file name for the certificate file. Remember where you store the file because you need to copy it to the ISA Server machine in the DMZ. Click Next.

Figure 8

9. Review your settings on the Completing the Certificate Export Wizard page (figure 9) and click Finish.

Figure 9

10. Click OK on the Certificate Export Wizard dialog box that informs you the export was successful (figure 10).

Figure 10

11. Close the Certificate dialog box (figure 11).

Figure 11

12. Close the Default Web Site Properties dialog box (figure 12).

Figure 12

Close the Internet Information Services (IIS) Manager console.

 


The next step is to import the Web site certificate into the caching-only ISA Server’s machine certificate store. You must first import the Web site certificate into the caching-only ISA Server’s machine certificate store before you bind the certificate to the ISA Server’s Incoming Web Requests listener. The certificate must be bound to the Incoming Web Requests listener so that the ISA Server caching-only server can impersonate the OWA Web site.

 

Perform the following steps to import the OWA server’s Web site certificate into the ISA Server’s machine certificate store:

 

1.       Click Start and click on the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command (figure 13).

 

Figure 13

 


2.       Click the Add button in the Add/Remove Snap-in dialog box (figure 14).

 

Figure 14

 


3.       Click on the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box (figure 15). Click Add.

 

Figure 15

 


4.       Select the Computer account option on the Certificates snap-in page (figure 16). Click Next.

 

Figure 16

 


5.       On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish (figure 17).

 

Figure 17

 


6.       Click Close on the Add Standalone Snap-in page (figure 18).

 

Figure 18

 


7.       Click OK on the Add/Remove Snap-in dialog box (figure 19).

 

Figure 19

 


8.       Right click on the Personal node in the left pane of the console, point to All Tasks and click Import (figure 20).

 

Figure 20

 


9.       Click Next on the Welcome to the Certificate Import Wizard (figure 21).

 

Figure 21

 


10.   Click the Browse button and locate the certificate file. Click Next after the file path and name appear in the File name text box (figure 22).

 

Figure 22

 


11.   On the Password page, type in the password for the file (figure 23). Do not put a checkmark in the Mark this key as exportable. This will allow you to back up or transport your keys at a later time checkbox. The reason is that this machine is a bastion host located in a DMZ and may be compromised. An attacker who compromises the machine may be able to steal the private key from it if the key is marked as exportable.

 

Click Next.

 

Figure 23

 


12.   On the Certificate Store page (figure 24), confirm that the Place all certificates in the following store option is selected and that it says Personal in the Certificate store box. Click Next.

 

Figure 24

 


13.   Review the settings on the Completing the Certificate Import page and click Finish (figure 25).

 

Figure 25

 


14.   Click OK on the Certificate Import Wizard dialog box informing you the import was successful (figure 26).

 

Figure 26

 


15.   You will see the Web site certificate and the CA certificate in the right pane of the console. The Web site certificate has the FQDN that is assigned to the Web site. This is the name external users will use to access the OWA site. The CA certificate must be placed into the Trusted Root Certification Authorities\Certificates store so that this machine will trust the Web site certificate installed on it.

 

Double click on the Web site certificate in the right pane of the console (figure 27).

 

Figure 27

 


16.   Click on the Certification Path tab on the Certificate dialog box (figure 28). Notice the red “x” on the CA certificate node. This indicates that this machine does not trust the CA that issued the Web site certificate. In order to use this certificate to perform SSL to SSL bridging, this machine must trust the CA that issued the Web site certificate.

 

Close the Certificate dialog box.

 

Figure 28

 


17.   Right click on the CA certificate in the right pane of the console and click the Copy command (figure 29).

 

Figure 29

 


18.   Expand the Trusted Root Certification Authorities node and click the Certificates node (figure 30). Right click on the Certificates node and click the Paste command. This pastes the CA certificate into the Trusted Root Certificate Authorities\Certificates store and allows this machine to trust certificates issued by this CA.

 

Figure 30

 


19.   Click the Refresh button to refresh the display. You should see the CA certificate appear in the right pane of the console (figure 31). If you do not see the CA certificate in the right pane of the console, repeat the procedure.

 

Figure 31

 


20.   Return to the Personal\Certificates node in the left pane of the console and double click on the Web site certificate. In the Web site certificate’s Certificate dialog box, click on the Certification Path tab (figure 32). Notice that the red “x” no longer appears on the CA certificate. Click OK on the Certificate dialog box.

 

Figure 32

 


21.   Close the mmc console (figure 33). You may want to save this console with the name Certificates and store it in the Administrative Tools menu.

 

Figure 33

 

 

 


Install the ISA Server Software in Cache Mode

 

The single NIC caching-only ISA Server does not perform any traditional firewall functions. This ISA Server proxies connection requests between external clients and the OWA site on the internal network. The caching-only ISA Server does provide security for the connections using SSL to SSL bridging: the connection between the client and the ISA Server is protected by SSL encryption, and the connection between the ISA Server and the OWA site is also protected by SSL.

To install ISA Server 2000 in Cache only mode on a Windows Server 2003 machine, you need to perform the following procedures:

· Install the ISA Server 2000 software
· Install ISA Server 2000 Service Pack 1
· Install ISA Server hotfix isahf255.exe
· Install ISA Server 2000 Feature Pack 1

The instructions for installing ISA Server 2000 Service Pack 1, ISA Server hotfix isahf255.exe and ISA Server 2000 Feature Pack 1 are in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Installing ISA Server 2000 on Windows Server 2003. Install the service pack, the hotfix and the feature pack after you have installed the ISA Server 2000 software on the Windows Server 2003 machine.

 


Perform the following steps to install ISA Server 2000 in Cache only mode:

 

1.       Double click on the isaautorun.exe file. Click the Install ISA Server entry on the Microsoft ISA Server Setup page (figure 34).

 

Figure 34

 


2.       An ISA 2000 warning dialog box appears informing you that ISA Server 2000 Service Pack 1 must be installed on the machine. Click Continue (figure 35).

 

Figure 35

 


3.       Click Continue on the Welcome to the Microsoft ISA Server installation program page (figure 36).

 

Figure 36

 


4.       Enter your CD key on the CD Key page (figure 37) and click OK.

 

Figure 37

 


5.       Write down your product ID on the Product ID page (figure 38). Click OK.

 

Figure 38

 

 


6.       Read the information on the EULA page and click I Agree (figure 39).

 

Figure 39

 


7.       Click the Full Installation button on the installation page (figure 40).

 

Figure 40

 


8.       Click Yes on the dialog box that informs you that the installation program cannot find the ISA Server 2000 Active Directory objects (figure 41).

 

Figure 41

 


9.