You can greatly increase Exchange Server security by creating an Outlook Web Access (OWA) front-end/back-end configuration. Doing so isn’t as difficult as it sounds. All you have to do is break the process down into two parts: securing the traffic between the front-end server and the Internet, then securing the traffic between the Exchange server and the OWA server. In this article, I’ll show you how to secure the traffic that flows between your OWA front-end server and the Internet.
This article outlines how to secure the traffic between the Internet and the OWA server. For a general discussion of the concept of securing OWA, see the Daily Drill Down “Prevent Outlook Web Access from adding to your Exchange security headaches”.
Securing OWA traffic
Initially, when someone attaches to your OWA server, they are actually using an HTTP session to pass through your firewall and communicate with your ISA server. However, you must remember that the user will be sending and receiving potentially sensitive e-mail through this connection, so HTTP is probably not the protocol of choice. Therefore, I recommend implementing an SSL connection between the client and the ISA server.
There are several ways to configure ISA Server to handle SSL communications. For this particular arrangement, the most effective technique is to configure ISA Server so that it decrypts the inbound SSL packets, inspects their contents, and then re-encrypts them before sending them on to the OWA server (this arrangement is known as SSL bridging). To configure ISA in this manner, you must have ISA Server Service Pack 1 or higher installed.
Creating a certificate
After installing Service Pack 1, there are a couple of things you must do before configuring ISA Server. First, you must create an ISA Server certificate for OWA. This certificate must have a friendly name that matches the FQDN of the OWA server. For example, if users normally reach OWA at http://mail.brienposey.com/exchange, then the OWA FQDN is mail.brienposey.com, and that must be the certificate’s friendly name.
After creating the certificate, you must import it into the Personal store of the ISA server’s computer account. When importing the certificate, make sure that its private key is marked as exportable.
The actual procedure for setting up a certificate varies depending on what type of certificate authority you’re using. Assuming that you’ve configured one of your Windows 2000 Servers to act as a certificate authority, you can use the procedure that I’m about to describe.
Begin by entering the MMC command at the Run prompt to open an empty Microsoft Management Console session. When the console opens, select the Add/Remove Snap-in command from the Console menu to open the Add/Remove Snap-in properties sheet. Click the Add button on the Standalone tab, then select the Certificates option from the list of available snap-ins. Click the Add button and you’ll be prompted to identify which certificates the snap-in should manage. Select the Computer Account option and click Next. On the following screen, make sure that the Local Computer radio button is selected, then click Finish. Finally, click Close and OK.
At this point, the Certificates snap-in is loaded in the console. Expand the Certificates container to reveal the Personal container. Right-click the Personal container and select All Tasks | Request New Certificate from the resulting shortcut menus. This launches the Certificate Request Wizard.
Click Next to skip the wizard’s Welcome screen. You’ll be asked to select a certificate template for your request. Unless you have another template that you want to use, select the default option and click Next. You must now enter a friendly name and description for the certificate. Remember that the friendly name must match the OWA server’s FQDN. For example, my certificate’s friendly name will be mail.brienposey.com. Click Next and you’ll see a summary of the certificate’s configuration information. Click Finish to accept the configuration and create the certificate. The newly created certificate will be displayed in the Certificates\Personal\Certificates container, as shown in Figure A.
Figure A: You must create a certificate that matches your OWA FQDN.
Configuring ISA Server
ISA Server makes OWA available to external clients via Web Publishing Rules. Before you can implement any Web Publishing Rules, however, you must lay the groundwork for Web Publishing. Begin by opening the ISA Management Console and navigating through the console tree to Internet Security And Acceleration Server | Servers And Arrays | servername. Right-click your ISA Server and select Properties. When you do, you’ll see the server’s properties sheet.
Select the Incoming Web Requests tab and verify that the Configure Listeners Individually Per IP Address radio button is selected. Now, click the Add button. Doing so will reveal the Add/Edit Listeners dialog box. Select the name of your ISA Server from the Server drop-down list. Next, select the ISA Server’s external IP address from the IP Address drop-down list. Select the Use A Server Certificate To Authenticate Web Clients check box. Click the Select button, then select the certificate that you created earlier and click OK. Click OK again to close the dialog box. Finally, select the Enable SSL Listeners check box and click OK twice, select the Save Changes And Restart The Services radio button, and click OK one last time.
Now that you’ve configured a listener for inbound Web requests, it’s time to configure ISA to handle outbound Web requests. Don’t perform this procedure if the ISA Server you’re configuring is your only link to the Internet, because it prevents internal users from using the ISA Server as a proxy server and gateway to the Internet. Technically, this procedure isn’t required for OWA, but it does increase security by limiting this ISA Server to its OWA publishing role.
Right-click your ISA Server and select Properties. When you see the server’s properties sheet, select the Outgoing Web Requests tab. Select the Configure Listeners Individually Per IP Address radio button. Ensure that no IP addresses are listed and then click OK. When prompted, select the Save The Changes And Restart The Services radio button and click OK.
Configuring Web Publishing
Now that you’ve laid the groundwork, you’re ready to create the OWA Web publishing rules. From within the ISA Management console, expand your server and then expand the Publishing container. Right-click the Web Publishing Rules container and select New | Rules. This launches the New Web Publishing Rules wizard. The first step in creating the rule is to assign it a name. I recommend giving it a meaningful name that includes the FQDN. For example, I called my rule OWA MAIL.BRIENPOSEY.COM.
Click Next. On the following screen, verify that the All Destinations option is selected, then click Next again. You’ll see the Client Type screen. Select the Any Request option and click Next. You’ll be presented with the Rule Action screen.
On the Rule Action screen, select the radio button corresponding to the Redirect The Request To This Internal Web Server (Name Or IP Address) option. Click the Browse button and select your OWA front-end server from the list of available servers. Now, click Next and Finish.
The Web publishing rule that you created is now added to the list of rules. At this point, double-click the rule you just created to reveal its properties sheet. Select the properties sheet’s Bridging tab, then select the Require Secure Channel (SSL) For Published Site check box and the Require 128 Bit Encryption check box, and click OK.
Encrypting traffic flowing between the ISA server and the OWA front-end server
The last step in the process is to encrypt the traffic that’s flowing between the ISA server and the OWA front-end server. Doing so involves installing an SSL certificate onto your OWA front-end server. You can request this certificate from your root-level certificate authority or any of its subordinate certificate authorities.
Begin the process by going to your OWA front-end server and opening the Internet Services Manager. When the Internet Services Manager console opens, right-click the default Web site and then select Properties. When you do, you’ll see the Default Web Site Properties sheet. Select the properties sheet’s Directory Security tab and then click the Server Certificate button. Doing so launches the Web Server Certificate Wizard.
Click Next to skip the Welcome screen. On the following screen, select the Create A Certificate radio button and click Next. When the next screen appears, select the Send The Request Immediately To An Online Certificate Authority radio button, then click Next. When prompted, enter a name and bit length for the certificate and click Next. You’ll now be prompted for the name of the organization and for the OU that the certificate will apply to. You can usually accept the defaults and click Next. The next screen that you’ll see asks for a common name for the certificate. It’s very important that you enter the FQDN name of your OWA server (for example mail.brienposey.com).
The next step in the process is to enter your city, state, and country. After doing so, click Next and you’ll be prompted for which certificate authority you want to send the request to. Your enterprise certificate authority should be automatically selected, but make sure before clicking Next. You’ll see a summary screen. Verify the information on this screen, then click Next and Finish.
At this point, you’ll be returned to the Directory Security screen. In the Secure Communications section, click the Edit button to reveal the Secure Communications dialog box. Select the Require Secure Channel (SSL) and the Require 128 Bit Encryption check boxes, then click OK.
The next step in the process is to click the Edit button in the Directory Security tab’s Anonymous Access and Authentication Control section. When you do, you’ll see the Authentication Methods dialog box. Clear all of the check boxes except Basic Authentication. Basic Authentication sends the user’s credentials in a form that is trivially decoded, which is acceptable here only because the site now requires SSL. Click Yes to acknowledge the warning and then click OK three times to close the remaining dialog boxes.
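As an added check that is not part of the original article, the following Python script connects to the published OWA name from outside the firewall and verifies the two things this procedure depends on: that the certificate the ISA listener presents names the OWA FQDN (as the subject CN or a DNS SAN) and that the negotiated cipher provides at least 128-bit encryption. The function names are my own, and mail.brienposey.com is the article’s placeholder FQDN.

```python
"""Hypothetical post-configuration check for an OWA site published through
ISA (written for this article; not ISA or Exchange code)."""
import socket
import ssl
import sys


def cert_names(cert):
    """Collect the subject CN and any DNS SANs from an ssl.getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.brienposey.com."""
    if pattern.startswith("*."):
        return host.count(".") >= 2 and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def evaluate(cert, cipher, host):
    """Return findings; an empty list means the listener meets the article's
    requirements (certificate names the OWA FQDN, 128-bit or stronger cipher)."""
    findings = []
    host = host.lower()
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        findings.append(f"certificate names {sorted(names)} do not match {host}")
    cipher_name, _protocol, bits = cipher
    if bits < 128:
        findings.append(f"cipher {cipher_name} provides only {bits}-bit encryption")
    return findings


def check_owa_listener(host, port=443, timeout=5):
    """Connect to the published OWA name and evaluate what the listener presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return evaluate(tls.getpeercert(), tls.cipher(), host)


if __name__ == "__main__":
    # Usage: python owa_check.py mail.brienposey.com (placeholder FQDN)
    problems = check_owa_listener(sys.argv[1])
    print("OK" if not problems else "\n".join(problems))
```

If the machine running the check does not trust your enterprise CA, load its certificate with ctx.load_verify_locations() rather than disabling verification, since an untrusted issuer is itself a finding worth seeing.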
Somewhat safe and sound
As you can see, it’s not hard to create a secure front-end/back-end environment and encrypt the traffic flowing between the ISA Server and the OWA front-end server. To fully secure OWA, however, you must also encrypt the traffic flowing between the OWA front-end server and a back-end server. We’ll cover this in an upcoming Daily Drill Down.