Configuring ISA Server to accommodate MIS 2002

Mobile Information Server 2002 opens up your network to traveling users, but it also increases the risk of attacks. In this Daily Feature, Jim Boyce shows you how to use ISA server along with MIS to maximize security and minimize attacks.

To maximize security on your network when deploying Mobile Information Server, it’s almost mandatory that you use Microsoft’s Internet Security And Acceleration (ISA) Server. However, this begs the question: Exactly how do you go about properly configuring ISA Server to accommodate MIS 2002? In this Daily Feature, I’ll show you.

Read more about it
To read more about organizing a well-thought-out MIS installation, check out my latest Daily Drill Down, “Consider these issues before installing Mobile Information Server 2002.”

Creating traffic patterns
To begin the configuration process, you need to enable incoming and outgoing traffic for MIS through ISA Server. You enable incoming traffic using a new Web publishing rule and control outgoing traffic with access policies. To enable incoming traffic, you first need to create a destination set for the Web publish rule. Open the ISA Console by clicking Start | Programs | Microsoft ISA Server | ISA Management. Expand the Policy Elements branch, right-click Destination Sets, and choose New and then Set. In the New Destination Set dialog box, enter a name for the destination set in the Name field. The name isn’t associated with the MIS server’s fully qualified domain name (FQDN) in any way, but choose a name that will help you recognize the destination set’s function.

Next, click Add to open the Add/Edit Destination dialog box. Select Destination and enter the MIS server’s external FQDN (the one remote users enter on their wireless devices to access the server). In the Path field, enter the path to the IIS virtual directory that is the target for this destination.

For example, enter /OMA* to allow incoming traffic to the OMA and OMA55 virtual directories. Click OK and then click Add again to add the destinations for the other virtual directories. Click OK in the New Destination Set dialog box after you add all of the necessary destinations.

Creating rules for MIS
Now, you’re ready to create the rule. In the MIS console, expand the Publishing | Web Publishing Rules branch. Right-click the branch and choose New and then Rule. This will cause the New Web Publishing Rule Wizard to appear. Enter a descriptive name such as MIS Incoming in the Web Publishing Rule Name field and click Next. Select Specific Destination Set from the drop-down list and then select the MIS Incoming set you created in the previous step. Click Next and decide how you want to handle the incoming traffic. Choose Any Request to allow all traffic destined for the MIS server to pass through. Alternatively, you can choose Specific Users And Groups, but this requires that the accounts you specify for the rule are accessible from the ISA server. The MIS server will authenticate the requests for wireless access anyway, so you can simplify the setup process by using Any Request instead.

Next, on the Rule Action page, select the option to redirect the request. Enter the FQDN of the MIS server. If you are running multiple virtual servers on the MIS server, or the internal host name matches the external name used by the wireless clients to access the MIS server, select the option Send The Original Host Header. If the internal server name for the MIS server is different from the external name that clients use, clear this option.

Last, make sure the ports specified for HTTP, SSL, and FTP match the ports on the MIS server. Then, click Next and Finish to create the rule.

Now, you need to decide if you’ll use SSL between the ISA server and the MIS server. Using SSL provides greater security, and it’s the approach I recommend. If you choose not to use SSL between the ISA and MIS servers, make sure you configure the Microsoft Server ActiveSync (MSAS) virtual directory so that it does not require SSL.

If you do want to use SSL, you’ll need to obtain a certificate for the MIS server. Make sure to specify the FQDN of the server when requesting the certificate or the SSL connection will fail. Install the certificate on the Default Web Site, which is where the MIS virtual directories reside.

Next, on the ISA server, request a certificate for each front-end DNS address to which the ISA server must publish for MIS. If you use only one MIS server/address, you only need one certificate. Install these certificates to the ISA server’s personal store. You also need to make sure that the ISA server trusts the root certificate authority (CA) that issued the certificate to the MIS server and can access it for validating the certificate and accessing the certificate revocation list. Having your own Windows 2000 Server configured as a CA is a big help here.

Now, pop open the ISA console, right-click the server, and choose Properties. Click the Incoming Web Requests tab and select Configure Listeners Individually Per IP Address. Select the option Enable SSL Listeners and then click Add. In the Add/Edit Listeners dialog box, select the ISA server from the Server drop-down list. Select an IP address of the external NIC from the IP Address drop-down list. Select Use A Server Certificate To Authenticate To Web Clients; then, click Select and choose the previously installed certificate. Choose the appropriate authentication methods and click OK. Close the server property sheet.

Next, in the ISA console, open the Publishing | Web Publishing Rules branch. Double-click the publishing rule you created previously for MIS to open its properties and then click the Bridging tab. Make sure the Redirect SSL Requests As option is set to SSL and then close the property sheet. Finally, make sure you configure the MSAS virtual directory on the MIS server to require SSL.

Installing the MIS filter
Next, let’s take a stab at installing the MIS filter on the ISA server. The MIS filter enables the ISA server to preauthenticate wireless users and ensure that only authorized users’ requests ever reach the MIS server.

The MIS filter is included on the MIS CD (or Eval folder, if you’re using the evaluation edition) in the \Support\Tools\ISA Filter folder. Open the appropriate language folder under the ISA Filter folder from the ISA server and run Setup. The Setup wizard will prompt you a number of times for information, including the types of access to support, which can include WAP device-originated browse requests and Server ActiveSync requests. Setup will also prompt you for the domain in which the MIS server resides. It checks connectivity to the domain and, if successful, then prompts you to specify whether or not you configured MIS to append -W to the account names. When you install MIS, you can configure it to create user accounts appended with -W to identify wireless users. Choose No if MIS is using existing accounts in the corporate domain or auxiliary domain/forest. Choose Yes if you configured MIS to create the -W appended accounts. Then, click Install to install the filter.

The Domain Mapping Tool for Server ActiveSync is the next tool to pop up on Setup. This tool lets you map different external DNS addresses to specific internal domains, allowing a single ISA server to act as a gateway for synchronizing multiple domains. If you need to add domain mappings, click Add and create the map by specifying the external name and the internal name to which it maps. Click OK on the Domain Mapping Tool dialog box and then click Finish to complete the filter installation. If you later need to add or change domain mapping, you’ll find the Domain Mapping Tool in the Administrative Tools/MMIS folder.

You can’t modify the browse options for the ISA filter dynamically. To change the configuration, open Add/Remove Programs and remove the MIS filter. Then, run Setup again to reinstall it with the desired options.

Combining MIS 2002 with ISA Server can result in a powerful, yet secure way for your remote users to get the benefits of MIS 2002 without opening your network up to attacks from hackers. Using ISA’s publishing wizards and MIS’s filters you can configure ISA server to handle the added traffic that MIS will create. After you’ve prepared ISA server to control MIS access, you can move on to installing and configuring MIS for your organization.

Editor's Picks