Introducing the Beta 1 release of the ISA Server 2000 Exchange 2000/2003 Secure Remote Email Deployment Kit

Is your company interested in providing secure remote access to your Exchange Server? Do your remote users need to connect to the Exchange Server's SMTP/POP3/IMAP4/NNTP services? How about secure remote connections to Outlook Web Access? Are you ready to roll out RPC over HTTP connections? If you're considering a secure remote access solution to your Exchange Server, then check out this beta 1 version of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit. Everything you ever wanted to know but were afraid to ask is included in this kit. Check it out!

by Thomas W Shinder, M.D.

One of the questions I get asked a lot is "why should I use ISA Server 2000 instead of some other firewall?" That’s a good question. ISA Server 2000 is relatively new compared to the standard firewall offerings out there. There certainly must be some good reasons to use ISA Server 2000 over any other firewall to protect your network, otherwise I would move on to some other firewall and extol its virtues!


Read the ISA Server 2000
Exchange Server 2000/2003 Deployment Kit

What are some of the major reasons for using ISA Server 2000 over another firewall?

  • Secure remote access to Exchange using the full Outlook MAPI client without having to make Swiss cheese out of the firewall. The ISA Server 2000 Exchange RPC Application Filter protects the Exchange Server from RPC exploits while at the same time allowing Outlook MAPI clients at remote locations full access to the entire array of Exchange Server services.
  • Secure outbound access to Exchange Servers on the Internet via the RPC filter, which allows only legitimate outbound RPC connections and prevents clients on the internal network behind the ISA Server from sending exploit code to servers on the Internet.
  • Secure remote access to Outlook Web Access using SSL to SSL bridging. The OWA site is protected from HTTP exploits because exploits can’t hide inside the SSL tunnel; URLScan 2.5 is installed on the ISA Server and examines the packets moving through the firewall before they are encrypted and forwarded to the OWA site.
  • Secure remote access to the Outlook Web Access site using delegation of basic authentication. Delegation of basic authentication allows you to force the remote OWA client to authenticate at the ISA Server firewall before the client is allowed to communicate with the OWA site. This prevents all non-authenticated connections from ever reaching the OWA server.
  • Client certificate authentication can be used to provide two-factor authentication without requiring an add-on hardware piece (such as a smartcard or biometric device). One factor is the user’s user name and password, and the second factor is the user certificate on the OWA client machine. Even if someone were to gain access to the user’s credentials, he would not be able to access the OWA site because a client certificate is required too.
  • The ability to force the ISA firewall to present a client certificate to the OWA Web site before the OWA site accepts the user credentials. This prevents compromised hosts in a DMZ segment or other location from connecting to the OWA site, even if the hacker had access to user credentials. Without the proper certificate, the hacked server would not be able to access the site.
  • The SMTP Message Screener can run on the firewall and works with the IIS SMTP service that is also running on the ISA Server firewall. The SMTP service allows secure, authenticated inbound SMTP relay, and also allows for anonymous relay to domains under your administrative control. The SMTP Message Screener works together with the SMTP Filter to block spam and malicious mail content using source domain, source user account, key words and attachments as filtering determinants. The SMTP filter itself protects against SMTP exploits.

    Notice that all of these reasons relate to secure Exchange Server Publishing. OK, there are a lot of other reasons to use ISA Server 2000 as your firewall of choice for protecting a Microsoft network, but this article is meant to be an introduction to the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit, so I’ll stick with the stuff that deals with Exchange.

    That’s right! I want to take this opportunity to announce the first beta of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit. This kit was designed to help ISA Server 2000 administrators set up secure remote access to their Exchange Server located on the internal network behind the ISA Server firewall. The content of the kit was determined by what I saw to be the most common problems appearing in the ISAServer.org Web boards and mailing list, as well as the ISA Server newsgroups over at msnews.microsoft.com.

    I felt that the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit would be well received because of the great success people have had getting their ISA Server firewall/VPN servers up and running using the recently released ISA Server 2000 VPN Deployment Kit. The VPN kit had over 25,000 downloads and has generated millions of hits in the month since it was released, which indicated to me that there is a big demand for the type of information, and the style of presentation, that was provided by the ISA Server 2000 VPN Deployment Kit.

    The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents use the same style and presentation as the VPN kit docs. All the docs provide detailed step-by-step procedures and screenshots of almost every step so that you never have to guess at what I’m telling you to do. The steps also contain explanations of confusing dialog boxes or options so that you don’t have to guess at what might be the right option; the explanations allow you to choose the correct option with confidence.

    At this point I need your help to make the kit better. I need input from the ISAServer.org community. Feedback for the following issues is especially important:

  • Are there procedures or concepts that aren’t clear in the docs?
  • Are there subjects you need information about that aren’t included in the docs?
  • Are there procedures that just don’t work the way they claim to?
  • Is there anything that can be done to enhance the readability or utility of the docs?
  • Anything else you want to let me know!

    The goal of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit is to make it as easy as possible to put together a secure remote access email solution that allows your offsite users secure access to their mailboxes on your internal network Exchange Server. These docs should walk you through every ISA Server-related step required to allow inbound access to all the Exchange Server services.


    One thing the kit does not contain is detailed information on the installation and configuration of the Exchange Server. The reason for this is the kit is already quite large with the focus being the ISA Server firewall configuration. There is some information on how to configure aspects of the Exchange Server, such as how to bind a Web site certificate to an Exchange Server service and how to request the Web site certificate. But, there is no detailed discussion of the specifics of Exchange Server configuration that do not bear a direct relationship with ISA Server Exchange Server services publishing.

    At this time I only have the HTML online versions of the kit available. The final version of the kit will include Microsoft Word format docs so that you can take notes in the doc itself, or customize the doc to serve your specific needs. The goal of these docs is to make remote access to your ISA Server firewall protected Exchange Servers.

    You can find the Table of Contents for the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit at www.tacteam.net/isaserverorg/exchangekit/default.htm. If you have any suggestions on how to improve these docs, send me an email at tshinder@tacteam.net.



    About Thomas Shinder

    Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.
